3-1579.291

SAFETY AND SOUNDNESS—Interagency Guidance on Credit Risk Review Systems

Introduction

The Interagency Guidelines Establishing Standards for Safety and Soundness (guidelines)¹ underscore the critical importance of credit risk review and set safety and soundness standards for insured depository institutions to establish a system for independent, ongoing credit risk review, and for appropriate communication to their management and boards of directors.² This guidance, which aligns with the guidelines, is appropriate for all institutions³ and describes a broad set of practices that can be used either within a dedicated unit or across multiple units throughout an institution to form a credit risk review system that is consistent with safe and sound lending practices. This guidance outlines principles that an institution should consider in developing and maintaining an effective credit risk review system.

Overview of Credit Risk Review Systems

The nature of credit risk review systems⁴ varies based on an institution’s size, complexity, loan types, risk profile, and risk-management practices. For example, in smaller or less complex institutions, a credit risk review system may include qualified members of the staff, including loan officers, other officers, or directors, who are independent of the credits being assessed. In larger or more complex institutions, a credit risk review system may include components of a dedicated credit risk review function that are independent of the institution’s lending function.⁵ A credit risk review system may also include various responsibilities assigned to credit underwriting, loan administration, a problem loan workout group, or other organizational units of an institution. Among other responsibilities, these groups may administer the internal problem loan reporting process, maintain the integrity of the credit risk rating process, confirm that timely and appropriate changes are made to risk ratings, and support the quality of information used to estimate the allowance for credit losses (ACL) or the allowance for loan and lease losses (ALLL), as applicable. Additionally, some or all of the credit risk review function may be performed by a qualified third party.

Regardless of the structure, an effective credit risk review system accomplishes the following objectives:

Promptly identifies loans with actual and potential credit weaknesses so that timely action can be taken to strengthen credit quality and minimize losses.
Appropriately validates and, if necessary, adjusts risk ratings, especially for those loans with potential or well-defined credit weaknesses that may jeopardize repayment.
Identifies relevant trends that affect the quality of the loan portfolio and highlights segments of those portfolios that are potential problem areas.
Assesses the adequacy of and adherence to internal credit policies and loan administration procedures and monitors compliance with applicable laws and regulations.
Evaluates the activities of lending personnel and management, including compliance with lending policies and the quality of their loan approval, monitoring, and risk assessment.
Provides management and the board of directors with an objective, independent, and timely assessment of the overall quality of the loan portfolio.
Provides management with accurate and timely credit quality information for financial and regulatory reporting purposes, including the determination of an appropriate ACL or ALLL, as applicable.

Credit Risk Rating (or Grading) Framework

The foundation for any effective credit risk review system is accurate and timely risk ratings to assess credit quality and identify or confirm problem loans. An effective credit risk rating framework includes the monitoring of individual loans and retail credit portfolios, or segments thereof, with similar risk characteristics. An effective framework also provides important information on the collectibility of each portfolio for use in the determination of an appropriate ACL or ALLL, as applicable. Further, an effective framework generally places primary reliance on the lending staff to assign accurate and timely risk ratings and identify emerging loan problems. However, given the importance of the credit risk rating framework, the lending personnel’s assignment of risk ratings is typically subject to review by qualified and independent: (i) peers, managers, or loan committee(s); (ii) part-time or full-time employee(s); (iii) internal departments staffed with credit review specialists; or (iv) external credit review consultants. A risk rating review that is independent of the lending function and approval process can provide a more objective assessment of credit quality.⁶

An effective credit risk rating framework includes the following attributes:

A formal credit risk rating system in which the ratings reflect the risk of default and credit losses, and for which a written description of the credit risk framework is maintained, including a discussion of the factors used to assign appropriate risk ratings to individual loans and retail credit portfolios, or segments thereof, with similar risk characteristics.⁷
Identification or grouping of loans that warrant the special attention of management or other designated “watch lists” of loans that management is more closely monitoring.⁸
Clear explanation of why particular loans warrant the special attention of management or have received an adverse risk rating.
Evaluation of the effectiveness of approved workout plans.
A method for communicating direct, periodic, and timely information to the institution’s senior management and the board of directors or appropriate board committee on the status of loans identified as warranting special attention or adverse classification, and the actions taken by management to strengthen the credit quality of those loans.
Evaluation of the institution’s historical loss experience for each of the groups of loans with similar risk characteristics into which it has segmented its loan portfolio.⁹

Elements of an Effective Credit Risk Review System

An effective credit risk review system starts with a written credit risk review policy¹⁰ that is reviewed and typically approved at least annually by the institution’s board of directors or appropriate board committee to evidence its support of, and commitment to, maintaining an effective system. Effective policies include a description of the overall risk rating framework and establish responsibilities for loan review based on the portfolio being assessed. An effective credit risk review policy addresses the following elements, described in more detail below: the qualifications and independence of credit risk review personnel; the frequency, scope, and depth of reviews; the review of findings and follow-up; and communication and distribution of results.

Qualifications of Credit Risk Review Personnel

An effective credit risk review function is staffed with personnel who are qualified based on their level of education, experience, and extent of formal credit training. Qualified personnel are knowledgeable in both sound lending practices and the institution’s lending guidelines for the types of loans offered by the institution. The level of experience and expertise for all personnel involved in the credit risk review process is expected to be commensurate with the nature of the risk and complexity of the portfolios. In addition, qualified credit risk review personnel possess knowledge of relevant laws, regulations, and supervisory guidance.

Independence of Credit Risk Review Personnel

An effective credit risk review system incorporates both the initial identification of emerging problem loans by loan officers and other line staff, and an assessment of loans by personnel independent of the credit approval process. Placing primary responsibility on loan officers, risk officers, and line staff is important for continuous portfolio analysis and prompt identification and reporting of problem loans. Because of frequent contact with borrowers, loan officers and line staff can usually identify potential problems before they become apparent to others. However, institutions should be careful to avoid over-reliance on loan officers and line staff for identification of problem loans. An independent assessment of risk is achieved when personnel who perform the loan review do not have control over the loan and are not part of or influenced by individuals associated with the loan approval process.

While a larger institution may establish a separate department staffed with credit review specialists, cost and volume considerations may not justify such a system in a smaller institution. For example, in the review process, smaller institutions may use an independent committee of outside directors or qualified members of the staff, including loan officers, other officers, or directors, who are not involved with originating or approving the specific credits being assessed and whose compensation is not influenced by the assigned risk ratings. Whether or not the institution has a dedicated credit risk review department, it is prudent for the credit risk review function to report directly to the institution’s board of directors or a committee thereof, consistent with safety and soundness standards. Senior management may be responsible for appropriate administrative functions provided such an arrangement does not compromise the independence of the credit risk review function.

The institution’s board of directors, or a committee thereof, may outsource the credit risk review function to an independent third party.¹¹ However, the responsibility for maintaining a sound credit risk review system remains with the institution’s board of directors. In any case, institution personnel who are independent from the lending function typically assess risks, develop the credit risk review plan, and verify appropriate follow-up of findings. Outsourcing of the credit risk review function to the institution’s external auditor may raise additional independence considerations.¹²

Frequency of Reviews

An effective credit risk review system provides for review and evaluation of an institution’s significant loans, loan products, or groups of loans typically annually, on renewal, or more frequently when internal or external factors indicate a potential for deteriorating credit quality or the existence of one or more other risk factors. The credit risk review function can also provide useful continual feedback on the effectiveness of the lending process in order to identify any emerging problems. Ongoing or periodic review of an institution’s loan portfolio is particularly important to the estimation of ACLs or the ALLL because loss expectations may change as the credit quality of a 1oan changes. Use of key risk indicators or performance metrics by credit risk review management can support adjustments to the frequency and scope of reviews.

Scope of Reviews

Comprehensive and effective reviews cover all segments of the loan portfolio that pose significant credit risk or concentrations, and other loans that meet certain institution-specific criteria. A properly designed scope considers the current market conditions or other external factors that may affect a borrower’s current or future ability to repay the loan. Establishment of an appropriate review scope also helps ensure that the sample of loans selected for review, or portfolio segments selected for review, is representative of the portfolio as a whole and provides reasonable assurance that any credit quality deterioration or unfavorable trends are identified. An effective credit risk review function also considers industry standards for credit risk review coverage consistent with the institution’s size, complexity, loan types, risk profile, and risk-management practices and helps to verify whether the review scope is appropriate. The institution’s board of directors or appropriate board committee typically approves the scope of the credit risk review on an annual basis or whenever significant interim changes are made in order to adequately assess the quality of the current portfolio. An effective scope of credit risk review is risk-based and typically includes:

loans over a predetermined size;
a sufficient sample of smaller loans, new loans, and new loan products;
loans with higher risk indicators, such as low credit scores, high credit lines, or those credits approved as exceptions to policy;
segments of loan portfolios, including retail, with similar risk characteristics such as those related to borrower risk (e.g., credit history), transaction risk (e.g., product and/or collateral type), or other risk factors as appropriate;
segments of the loan portfolio experiencing rapid growth;
exposures from non-lending activities that also pose credit risk;
past due, nonaccrual, renewed, and restructured loans;
loans previously adversely classified and loans designated as warranting the special attention of the institution’s management;¹³
loans to insiders or related parties;
loans to affiliates; and
loans constituting concentrations of credit risk and other loans affected by common repayment factors.

Depth of Transaction or Portfolio Reviews

Loans and portfolio segments selected for review are typically evaluated for:

credit quality, soundness of underwriting and risk identification, borrower performance, and adequacy of the sources of repayment;
- o
  
  when applicable, this evaluation includes the appropriateness of automated underwriting and credit scoring, including prudent use of overrides, as well as the effectiveness of account management strategies, collections, and portfolio management activities in managing credit risk;
reasonableness of assumptions;
creditworthiness of guarantors or sponsors;
sufficiency of credit and collateral documentation;
proper lien perfection;
proper approvals consistent with internal policies;
adherence to loan agreement covenants;
adequacy of, and compliance with, internal policies and procedures (such as those related to nonaccrual and classification or risk rating policies), laws, and regulations;
the appropriateness of credit loss estimation for those credits with significant weaknesses including the reasonableness of assumptions used, and the timeliness of charge-offs; and
the accuracy of risk ratings and the appropriateness and timeliness of the identification of problem loans by loan officers.

Review of Findings and Follow-Up

An important activity of an effective credit risk review system is the discussion of the review findings, including all noted deficiencies, identified weaknesses, and any existing or planned corrective actions (including time frames for correction) with appropriate loan officers, department managers, and senior management. An effective system includes processes for all noted deficiencies and weaknesses that remain unresolved beyond the scheduled time frames for correction to be promptly reported to senior management and the board of directors or appropriate board committee.

It is important to resolve risk rating differences between loan officers and loan review personnel according to a pre-arranged process. That process may include formal appeals procedures and arbitration by an independent party or may require default to the assigned classification or risk rating that indicates lower credit quality. If credit risk review personnel conclude that a loan or loan portfolio is of a lower credit quality than is perceived by the portfolio management staff, the lower classification or risk rating typically prevails unless internal parties identify additional information sufficient to obtain the concurrence of the independent reviewer or arbiter on the higher credit quality classification or risk rating.

Communication and Distribution of Results

Personnel involved in the credit risk review process typically prepare a list of all loans (and portfolio segments) reviewed, the date of review, and a summary analysis that substantiates the risk ratings assigned to the loans reviewed. Effective communication also typically involves providing results of the credit risk reviews to the board of directors or appropriate board committee quarterly.¹⁴ Comprehensive reporting includes comparative trends that identify significant changes in the overall quality of the loan portfolio, the adequacy of, and adherence to, internal policies and procedures, the quality of underwriting and risk identification, compliance with laws and regulations, and management’s response to substantive criticisms or recommendations. Such comprehensive reporting provides the board of directors or appropriate board committee with insight into the portfolio and the responsiveness of management and facilitates timely corrective action of deficiencies.

Interagency guidance of May 11, 2020 (SR-20-13).

12 CFR part 30, appendix A (OCC); 12 CFR part 208, appendix D-1 (Board); and 12 CFR part 364, appendix A (FDIC). Part 723 of NCUA Rules and Regulations.

For foreign banking organization branches, agencies, or subsidiaries not operating under single governance in the United States, the U.S. risk committee would serve in the role of the board of directors for purposes of this guidance.

For purposes of this guidance, regulated institutions are those supervised by the following agencies: The Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), and the Office of the Comptroller of the Currency (OCC), hereafter referred to as the “agencies.”

⁴

The credit risk review function is not intended to be performed by an institution’s internal audit function. However, as discussed in the agencies’ March 2003 Interagency Policy Statement on the Internal Audit Function and its Outsourcing (2003 policy statement), some institutions coordinate the internal audit function with several risk monitoring functions, such as the credit risk review function. The 2003 policy statement states that coordination of credit risk review with the internal audit function can facilitate the reporting of material risk and control issues to the audit committee, increase the overall effectiveness of these monitoring functions, better utilize available resources, and enhance the institution’s ability to comprehensively manage risk. However, an effective internal audit function maintains the ability to independently audit the credit risk review function. (The NCUA was not an issuing agency of the 2003 policy statement.)

⁵

Credit risk review may be referred to as loan review, credit review, asset quality review, or another name as chosen by an institution. The role of, expectations for, and scope of credit risk review as discussed in this document are distinct from the roles, expectations, and scope of work performed by other groups within an institution that are also responsible for monitoring, managing, and reporting credit risk. Examples may be those involved with lending functions, independent risk management, loan work outs, and accounting. Each institution indicates in its own policies and procedures the specific roles and responsibilities of these different groups, including separation of duties. A credit risk review unit, or individuals serving in that role, can rely on information provided by other units in developing its own independent assessment of credit risk in loan portfolios, but the credit risk review unit critically evaluates such information to maintain its own view, as opposed to relying exclusively on such information.

⁶

Small or rural institutions that have few resources or employees may adopt modified credit risk review procedures and methods to achieve a proper degree of independence. For example, in the review process, such an institution may use qualified members of the staff, including loan officers, other officers, or directors, who are not involved with originating or approving the specific credits being assessed and whose compensation is not influenced by the assigned risk ratings. It is appropriate to employ such modified procedures when more robust procedures and methods are impractical. Institution management and the board, or a board committee, should have reasonable confidence that the personnel chosen will be able to conduct reviews with the needed independence despite their position within the loan function.

⁷

A bank or savings association may have a credit risk rating framework that differs from the framework for loan classifications used by the federal banking agencies. Such banks and savings associations should maintain documentation that translates their risk ratings into the regulatory classification framework used by the federal banking agencies. This documentation will enable examiners to reconcile the totals for the various loan classifications or risk ratings under the institution’s system to the federal banking agencies’ categories contained in the Uniform Agreement on the Classification and Appraisal of Securities Held by Depository Institutions Attachment 1—Classification Definitions (OCC: OCC Bulletin 2013-28; Board: SR Letter 13-18; and FDIC: FIL-51-2013). The NCUA does not require credit unions to adopt a uniform regulatory classification system. Risk rating guidance for credit unions is set forth in NCUA letters to credit unions 10-CU-02, “Current Risks in Business Lending and Sound Risk Management Practices,” issued January 2010 and 10-CU-03, “Concentration Risk,” issued March 2010. See also the Commercial and Member Business Loans section of the NCUA Examiner’s Guide (Commercial and Member Business Loans, Credit Risk Rating Systems) and the preamble to 1 CFR parts 701, 723, and 741 Member Business Loans; Commercial Lending: Proposed Rule July 2015.

⁸

In addition to loans designated as “watch list,” this identification typically includes loans rated special mention, substandard, doubtful, or loss.

⁹

In particular, institutions with large and complex loan portfolios typically maintain records of their historical loss experience for credits in each of the categories in their risk rating framework. For banks and savings associations, these categories are either those used by, or those that can be translated into those used by, the federal banking agencies.

¹⁰

See 12 CFR part 30, appendix A (OCC); 12 CFR part 208, appendix D-1 (Board); and 12 CFR part 364 appendix A (FDIC). See also 12 CFR part 723 (NCUA).

¹¹

For supervisory guidance related to outside service providers, refer to SR letter 13-19/CA letter 13-21, “Guidance on Managing Outsourcing Risk,” issued by the Board on December 5, 2013; FIL-44-2008, “Guidance for Managing Third-Party Risk,” issued by the FDIC on June 6, 2008; and OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance,” issued by the OCC on October 30, 2013. For credit unions, refer to NCUA letters to credit unions 01-CU-20 “Due Diligence over Third Party Service Providers,” issued November 2001 and 07-CU-13 “Evaluating Third Party Relationships,” issued December 2007.

¹²

See footnote 4.

¹³

See footnote 8.

¹⁴

An effective credit risk review system provides for informing the board of directors or appropriate board committee more frequently than quarterly when material adverse trends are noted. When an institution conducts loan file reviews less frequently than quarterly, the board or appropriate board committee will typically receive results on other credit risk review activities quarterly.