EXAMINATIONS AND INSPECTIONS—Risk-Focused Supervision Policy for Small Shell Bank Holding Companies

This policy sets forth a framework for applying risk-focused supervision concepts to small shell bank holding companies (SSBHCs).¹ It was developed in the interest of increasing the effectiveness of Federal Reserve supervisory activities, while enhancing interagency coordination and reducing regulatory burden on banking organizations. In recent years, changes to statutory frequency requirements for bank examinations, enhancements to off-site monitoring procedures, and the implementation of risk-focused examination practices have made it possible to focus supervisory activities more effectively on SSBHCs exhibiting the greatest degree of risk. Accordingly, the Federal Reserve is adopting a risk-focused supervision program for SSBHCs that tailors supervisory activities for these companies based on an assessment of their reported condition and activities and the condition of their bank subsidiaries. Based on these assessments, Reserve Banks will be required to develop a strategy for addressing the supervisory issues related to each organization. For companies where significant risk factors are present, Reserve Banks must consider a range of supervisory responses, including informational requests and management interviews, visitations or advisory visits, as well as on-site target and full-scope inspection activities. The program is to be implemented as soon as practical, but should be fully operational by November 30, 1997. With the implementation of this program, the Board is rescinding for SSBHCs the bank holding company inspection scope and frequency requirements of S-2493, “Examination Frequency and Communicating with Directors” (at 3-1531).

Under this program, Reserve Banks should perform a risk assessment for each SSBHC at least once during each “supervisory cycle.” For each company, its supervisory cycle will be determined by the examination frequency mandated for the lead subsidiary bank. The purpose of this risk assessment is to determine whether the risk profile of the SSBHC has weakened, the company is having an adverse effect on the subsidiary bank(s), or there are violations of law or regulation warranting further review. As described more fully below, where the risk assessment does not raise significant supervisory concerns, the assessment would serve as the basis for assigning a final BOPEC rating for the company. The risk assessment should be completed within 45 days of receipt of the lead bank’s full-scope examination report. While risk assessments will be driven in most cases by the conclusions expressed in the current examination reports for subsidiary banks, they should also incorporate information from other sources available at the Reserve Bank, such as regulatory financial reports, previous inspection reports, and surveillance reports. The preparation of risk assessments should not routinely require requests for additional information from the company. Risk assessments should include reviews of the following areas:

In the process of conducting the risk assessment Reserve Banks should pay special attention to bank examination report findings pertaining to possible violations of law or inappropriate transactions. In addition, changes in the organizational structure, management, or ownership of the company should be assessed to determine whether these may be cause for concern. The use of automated analytical tools and screens to perform the required financial analysis will normally suffice. When this review discloses no material supervisory concerns, the risk assessment should be used to assign a final rating to the company.

If no unusual supervisory issues or concerns are identified by the risk assessment, no special follow-up with the company is necessary. However, all companies should continue to be monitored under existing surveillance and monitoring programs aimed at identifying significant changes in a company’s condition, performance, or compliance profile that may prompt further review. Such changes may include (1) a material decline in the earnings performance or capital position of a bank subsidiary; (2) significant changes in management or ownership; (3) a large increase in outstanding debt; (4) new or expanded activities that may pose additional risk; (5) rapid growth; (6) questionable insider or intercompany transactions; (7) less than satisfactory SEER or other performance factors for the subsidiary bank(s); or (8) information suggesting less-than-satisfactory compliance with regulatory orders and other requirements imposed in connection with the granting of any application or other request. When these or other changes raise supervisory concerns, the risk assessment should be updated using the methods discussed below.

When a risk assessment is prepared in conjunction with the review of an examination report for a bank rated satisfactory or better, but supervisory concerns such as those listed above preclude the immediate assignment of a satisfactory BOPEC rating, a strategy for addressing those concerns must be developed and documented as part of the risk assessment. The strategy would typically require gathering additional information from the bank regulator or the company, either written or verbal. Where supervisory concerns are not satisfactorily addressed through off-site measures, a number of remedies should be considered, including visitations, targeted reviews of internal processes and specific transactions, or broader inspections encompassing a review of more significant financial and managerial issues, processes, or reporting systems. The specific timing of these activities is not prescribed by this policy; however, the on-site activity should be conducted as soon as possible following the off-site review, given that it is required only in situations when supervisory concerns have surfaced.

A full-scope on-site inspection should be conducted the first time that the risk-assessment preliminarily supports the assignment of a BOPEC rating of 3 or worse, or a management rating of less than satisfactory. Typically, this would occur when a significant subsidiary bank’s CAMELS composite or management component is assigned a rating of 3, 4, or 5. In such a case, an inspection is deemed necessary to ensure that sufficient information is available to develop an effective supervisory strategy. The purpose of the inspection is (1) to confirm the Reserve Bank’s understanding of the SSBHC’s financial condition, activities, and management oversight of the bank, as well as whether violations of law or regulation or inappropriate intercompany transactions have occurred; (2) to determine the extent to which any of these factors is having an adverse effect on the bank(s); (3) to identify steps the holding company should take to strengthen its subsidiary bank(s); and (4) to assign a BOPEC rating to the company. Based on these inspection results and information available prior to the inspection, and in consultation with the bank’s federal and state supervisory authority(ies), the Reserve Bank should develop a supervisory strategy for dealing with the company.

In situations where the company and management are adversely affecting the bank, the strategy should contemplate enforcement activities that are coordinated with those of the bank’s federal or state regulator(s), a clear delineation of the actions and reports expected of holding company management, and plans for additional supervisory activities, either on-site or off-site. The Reserve Bank should designate a primary contact responsible for monitoring the company’s condition and updating the risk assessment and supervisory strategy.

In situations where the bank holding company is neither contributing to the bank’s problems nor in a position to serve as a source of strength, a typical supervisory strategy would be to maintain an open dialogue with the bank’s primary regulator(s) and to review relevant regulatory reports.

When a risk assessment discloses no supervisory concerns, or when an existing 3, 4, or 5 BOPEC rating is reaffirmed through the risk assessment, a brief letter detailing this overall conclusion and the SSBHC’s BOPEC rating should be forwarded to the company. A prototype of such a letter is attached.

When more detailed off-site reviews are performed or on-site targets or visitations are conducted, Reserve Banks may also communicate the scope of these activities, relevant findings, and supervisory recommendations to the company in a letter. Alternatively, the findings can be conveyed to the company in a more structured report similar to the existing bank holding company inspection report. When full-scope inspections are conducted, use of existing bank holding company report pages is mandatory; however, the only pages required to be completed are the examiner’s comments, scope, analysis of financial factors, and the confidential pages. The use of any other page (including financial data pages) should be limited to situations where its presentation is useful for supporting conclusions or recommendations.

With regard to correspondence and reports to satisfactorily rated SSBHCs, it is generally appropriate for commissioned, non-officer personnel who are designated as the primary contact or portfolio manager for such companies to have signing authority. Reports and other official communications to problem and deteriorating companies require an officer’s signature.

Effective January 1, 1997, the Uniform Financial Institutions Rating System (CAMELS) was amended specifically to require the evaluation of risk-management systems both in the overall management rating and in the individual financial components. By definition, financial and management activities at SSBHCs are conducted in the subsidiary banks and the risk-management process of the company is essentially the same as that of the bank(s). Accordingly, no separate risk-management rating will be required of SSBHCs.

Consistent with long-standing Federal Reserve policy, an initial full-scope, on-site inspection of a newly formed SSBHC should be conducted within the first 12 to 18 months of operations. Thereafter, risk assessments should be performed in accordance with this policy. S-2587, attachment A; Nov. 3, 1997.