I. Introduction
Financial markets have grown rapidly over
the past decade, and innovations in financial instruments have facilitated
the structuring of cash flows and allocation of risk among creditors,
borrowers, and investors in more efficient ways. Financial derivatives
for market and credit risk, asset-backed securities with customized
cash flow features, specialized financial conduits that manage pools
of assets and other types of structured finance transactions serve
important business purposes, such as diversifying risks, allocating
cash flows, and reducing cost of capital. As a result, structured
finance transactions now are an essential part of U.S. and international
capital markets. Financial institutions have played and continue to
play an active and important role in the development of structured
finance products and markets, including the market for the more complex
variations of structured finance products.
When a financial institution participates in a complex
structured finance transaction (CSFT), it bears the usual market,
credit, and operational risks associated with the transaction. In
some circumstances, a financial institution also may face heightened
legal or reputational risks due to its involvement in a CSFT. For
example, in some circumstances, a financial institution may face heightened
legal or reputational risk if a customer’s regulatory, tax, or accounting
treatment for a CSFT, or disclosures to investors concerning the CSFT
in the customer’s public filings or financial statements, do not comply
with applicable laws, regulations, or accounting principles. Indeed,
in some instances, CSFTs have been used to misrepresent a customer’s
financial condition to investors, regulatory authorities, and others.
In these situations, investors have been harmed, and financial institutions
have incurred significant legal and reputational exposure. In addition
to legal risk, reputational risk poses a significant threat to financial
institutions because the nature of their business requires them to
maintain the confidence of customers, creditors, and the general marketplace.
The Office of the Comptroller of the Currency, the Office
of Thrift Supervision, the Board of Governors of the Federal Reserve
System, the Federal Deposit Insurance Corporation, and the Securities
and Exchange Commission (the agencies) have long expected financial
institutions to develop and maintain robust control infrastructures
that enable them to identify, evaluate, and address the risks associated
with their business activities. Financial institutions also must conduct
their activities in accordance with applicable statutes and regulations.
II. Scope and Purpose of Statement
The agencies are issuing this statement
to describe the types of risk-management principles that we believe
may help a financial institution to identify CSFTs that may pose heightened
legal or reputational risks to the institution (elevated-risk CSFTs)
and to evaluate, manage, and address these risks within the institution’s
internal control framework.
Structured finance transactions encompass a broad array
of products with varying levels of complexity. Most structured finance
transactions, such as standard public mortgage-backed securities transactions,
public securitizations of retail credit cards, asset-backed commercial
paper conduit transactions, and hedging-type transactions involving
“plain vanilla” derivatives and collateralized loan obligations, are
familiar to participants in the financial markets, and these vehicles
have a well-established track record. These transactions typically
would not be considered CSFTs for the purpose of this statement.
Because this statement focuses on sound practices related
to CSFTs that may create heightened legal or reputational risks—transactions
that typically are conducted by a limited number of large financial
institutions—it will not affect or apply to the vast majority of financial
institutions, including most small institutions. As in all cases,
a financial institution should tailor its internal controls so that
they are appropriate in light of the nature, scope, complexity, and
risks of its activities. Thus, for example, an institution that is
actively involved in structuring and offering CSFTs that may create
heightened legal or reputational risk for the institution should have
a more formalized and detailed control framework than an institution
that participates in these types of transactions less frequently.
The internal controls and procedures discussed in this statement are
not all-inclusive, and, in appropriate circumstances, an institution
may find that other controls, policies, or procedures are appropriate
in light of its particular CSFT activities.
Because many of the core elements of an effective control
infrastructure are the same regardless of the business line involved,
this statement draws heavily on controls and procedures that the agencies
previously have found to be effective in assisting a financial institution
to manage and control risks and identifies ways in which these controls
and procedures can be effectively applied to elevated-risk CSFTs.
Although this statement highlights some of the most significant risks
associated with elevated-risk CSFTs, it is not intended to present
a full exposition of all risks associated with these transactions.
Financial institutions are encouraged to refer to other supervisory
guidance prepared by the agencies for further information concerning
market, credit, operational, legal, and reputational risks as well
as internal audit and other appropriate internal controls.
This statement does not create any
private rights of action, and does not alter or expand the legal duties
and obligations that a financial institution may have to a customer,
its shareholders, or other third parties under applicable law. At
the same time, adherence to the principles discussed in this statement
would not necessarily insulate a financial institution from regulatory
action or any liability the institution may have to third parties
under applicable law.
III. Identification and Review of Elevated-Risk Complex Structured Finance Transactions
A financial institution that engages in
CSFTs should maintain a set of formal, written, firm-wide policies
and procedures that are designed to allow the institution to identify,
evaluate, assess, document, and control the full range of credit,
market, operational, legal, and reputational risks associated with
these transactions. These policies may be developed specifically for
CSFTs or included in the set of broader policies governing the institution
generally. A financial institution operating in foreign jurisdictions
may tailor its policies and procedures as appropriate to account for,
and comply with, the applicable laws, regulations and standards of
those jurisdictions.
A financial institution’s policies and procedures should
establish a clear framework for the review and approval of individual
CSFTs. These policies and procedures should set forth the responsibilities
of the personnel involved in the origination, structuring, trading,
review, approval, documentation, verification, and execution of CSFTs.
Financial institutions may find it helpful to incorporate the review
of new CSFTs into their existing new product policies. In this regard,
a financial institution should define what constitutes a “new” complex
structured finance product and establish a control process for the
approval of such new products. In determining whether a CSFT is new,
a financial institution may consider a variety of factors, including
whether it contains structural or pricing variations from existing
products, whether the product is targeted at a new class of customers,
whether it is designed to address a new need of customers, whether
it raises significant new legal, compliance, or regulatory issues,
and whether it or the manner in which it would be offered would materially
deviate from standard market practices. An institution’s policies
should require new complex structured finance products
to receive the approval of all relevant control areas that are independent
of the profit center before the product is offered to customers.
A. Identifying Elevated-Risk CSFTs
As part of its transaction and new-product approval
controls, a financial institution should establish and maintain policies,
procedures, and systems to identify elevated-risk CSFTs. Because of
the potential risks they present to the institution, transactions
or new products identified as elevated-risk CSFTs should be subject
to heightened reviews during the institution’s transaction or new-product
approval processes. Examples of transactions that an institution may
determine warrant this additional scrutiny are those that (either
individually or collectively) appear to the institution during the
ordinary course of its transaction approval or new-product approval
process to—
- lack economic substance or business purpose;
- be designed or used primarily for questionable accounting,
regulatory, or tax objectives, particularly when the transactions
are executed at year-end or at the end of a reporting period for the
customer;
- raise concerns that the client will report or disclose
the transaction in its public filings or financial statements in a
manner that is materially misleading or inconsistent with the substance
of the transaction or applicable regulatory or accounting requirements;
- involve circular transfers of risk (either between
the financial institution and the customer or between the customer
and other related parties) that lack economic substance or business
purpose;
- involve oral or undocumented agreements that, when
taken into account, would have a material impact on the regulatory,
tax, or accounting treatment of the related transaction, or the client’s
disclosure obligations;
- have material economic terms that are inconsistent
with market norms (e.g., deep “in the money” options or historic rate
rollovers); or
- provide the financial institution with compensation
that appears substantially disproportionate to the services provided
or investment made by the financial institution or to the credit,
market, or operational risk assumed by the institution.
The examples listed previously are provided for illustrative
purposes only, and the policies and procedures established by financial
institutions may differ in how they seek to identify elevated-risk
CSFTs. The goal of each institution’s policies and procedures, however,
should remain the same—to identify those CSFTs that warrant additional
scrutiny in the transaction or new-product approval process due to
concerns regarding legal or reputational risks.
Financial institutions that structure or market,
act as an advisor to a customer regarding, or otherwise play a substantial
role in a transaction may have more information concerning the customer’s
business purpose for the transaction and any special accounting, tax,
or financial-disclosure issues raised by the transaction than institutions
that play a more limited role. Thus, the ability of a financial institution
to identify the risks associated with an elevated-risk CSFT may differ
depending on its role.
B. Due Diligence, Approval and Documentation Process for Elevated-Risk CSFTs
Having developed a process to identify elevated-risk
CSFTs, a financial institution should implement policies and procedures
to conduct a heightened level of due diligence for these transactions.
The financial institution should design these policies and procedures
to allow personnel at an appropriate level to understand and evaluate
the potential legal or reputational risks presented by the transaction
to the institution and to manage and address any heightened legal
or reputational risks ultimately found to exist with the transaction.
Due Diligence
If a CSFT is identified as an elevated-risk CSFT,
the institution should carefully evaluate and take appropriate steps
to address the risks presented by the transaction with a particular
focus on those issues identified as potentially creating heightened
levels of legal or reputational risk for the institution. In general,
a financial institution should conduct the level and amount of due
diligence for an elevated-risk CSFT that is commensurate with the
level of risks identified. A financial institution that structures
or markets an elevated-risk CSFT to a customer, or that acts as an
advisor to a customer or investors concerning an elevated-risk CSFT,
may have additional responsibilities under the federal securities
laws, the Internal Revenue Code, state fiduciary laws, or other laws
or regulations and, thus, may have greater legal- and reputational-risk
exposure with respect to an elevated-risk CSFT than a financial institution
that acts only as a counterparty for the transaction. Accordingly,
a financial institution may need to exercise a higher degree of care
in conducting its due diligence when the institution structures or
markets an elevated-risk CSFT or acts as an advisor concerning such
a transaction than when the institution plays a more limited role
in the transaction.
To appropriately understand and evaluate the potential
legal and reputational risks associated with an elevated-risk CSFT
that a financial institution has identified, the institution may find
it useful or necessary to obtain additional information from the customer
or to obtain specialized advice from qualified in-house or outside
accounting, tax, legal, or other professionals. As with any transaction,
an institution should obtain satisfactory responses to its material
questions and concerns prior to consummation of a transaction.
In conducting its due diligence for an elevated-risk CSFT,
a financial institution should independently analyze the potential
risks to the institution from both the transaction and the institution’s
overall relationship with the customer. Institutions should not conclude
that a transaction identified as being an elevated-risk CSFT involves
minimal or manageable risks solely because another financial institution
will participate in the transaction or because of the size or sophistication
of the customer or counterparty. Moreover, a financial institution
should carefully consider whether it would be appropriate to rely
on opinions or analyses prepared by or for the customer concerning
any significant accounting, tax, or legal issues associated with an
elevated-risk CSFT.
Approval Process
A financial institution’s policies
and procedures should provide that CSFTs identified as having elevated
legal or reputational risk are reviewed and approved by appropriate
levels of control and management personnel. The designated approval
process for such CSFTs should include representatives from the relevant
business line(s) and/or client management, as well as from appropriate
control areas that are independent of the business line(s) involved
in the transaction. The personnel responsible for approving an elevated-risk
CSFT on behalf of a financial institution should have sufficient experience,
training, and stature within the organization to evaluate the legal
and reputational risks, as well as the credit, market, and operational
risks to the institution.
The institution’s control framework should have procedures
to deliver the necessary or appropriate information to the personnel
responsible for reviewing or approving an elevated-risk CSFT to allow
them to properly perform their duties. Such information may include,
for example, the material terms of the transaction, a summary of the
institution’s relationship with the customer, and a discussion of
the significant legal, reputational, credit, market and operational
risks presented by the transaction. Some institutions have established
a senior management committee that is designed to involve experienced
business executives and senior representatives from all of the relevant
control functions within the financial institution (including such
groups as independent risk management, tax, accounting, policy, legal,
compliance, and financial control) in the oversight and approval of
those elevated-risk CSFTs that are identified by the institution’s
personnel as requiring senior management review and approval due to
the potential risks associated with the transactions. While this type
of management committee may not be appropriate for all financial institutions,
a financial institution should establish processes that assist the
institution in consistently managing the review and approval of elevated-risk
CSFTs on a firm-wide basis.
If, after evaluating an elevated-risk CSFT, the financial
institution determines that its participation in the CSFT would create
significant legal or reputational risks for the institution, the institution
should take appropriate steps to address those risks. Such actions
may include declining to participate in the transaction, or conditioning
its participation upon the receipt of representations or assurances
from the customer that reasonably address the heightened legal or
reputational risks presented by the transaction. Any representations
or assurances provided by a customer should be obtained before a transaction
is executed and be received from, or approved by, an appropriate level
of the customer’s management. A financial institution should decline
to participate in an elevated-risk CSFT if, after conducting appropriate
due diligence and taking appropriate steps to address the risks from
the transaction, the institution determines that the transaction presents
unacceptable risk to the institution or would result in a violation
of applicable laws, regulations, or accounting principles.
Documentation
The documentation that financial institutions use to support CSFTs
is often highly customized for individual transactions and negotiated
with the customer. Careful generation, collection, and retention of
documents associated with elevated-risk CSFTs are important control
mechanisms that may help an institution monitor and manage the legal,
reputational, operational, market, and credit risks associated with
the transactions. In addition, sound documentation practices may help
reduce unwarranted exposure to the financial institution’s reputation.
A financial institution should create and collect sufficient
documentation to allow the institution to—
- document the material terms of the transaction;
- enforce the material obligations of the counterparties;
- confirm that the institution has provided the customer
any disclosures concerning the transaction that the institution is
otherwise required to provide; and
- verify that the institution’s policies and procedures
are being followed and allow the internal audit function to monitor
compliance with those policies and procedures.
When an institution’s policies and procedures require
an elevated-risk CSFT to be submitted for approval to senior management,
the institution should maintain the transaction-related documentation
provided to senior management as well as other documentation, such
as minutes of the relevant senior management committee, that reflect
senior management’s approval (or disapproval) of the transaction,
any conditions imposed by senior management, and the factors considered
in taking such action. The institution should retain documents created
for elevated-risk CSFTs in accordance with its record retention policies
and procedures as well as applicable statutes and regulations.
C. Other Risk-Management Principles for Elevated-Risk CSFTs
General Business Ethics
The board
and senior management of a financial institution also should establish
a “tone at the top” through both actions and formalized policies that
sends a strong message throughout the financial institution about
the importance of compliance with the law and overall good business
ethics. The board and senior management should strive to create a
firm-wide corporate culture that is sensitive to ethical or legal
issues as well as the potential risks to the financial institution
that may arise from unethical or illegal behavior. This kind of culture
coupled with appropriate procedures should reinforce business-line
ownership of risk identification, and encourage personnel
to move ethical or legal concerns regarding elevated-risk CSFTs to
appropriate levels of management. In appropriate circumstances, financial
institutions may also need to consider implementing mechanisms to
protect personnel by permitting the confidential disclosure of concerns.
As in other areas of financial institution management, compensation
and incentive plans should be structured, in the context of elevated-risk
CSFTs, so that they provide personnel with appropriate incentives
to have due regard for the legal-, ethical-, and reputational-risk
interests of the institution.
Reporting
A financial institution’s
policies and procedures should provide for the appropriate levels
of management and the board of directors to receive sufficient information
and reports concerning the institution’s elevated-risk CSFTs to perform
their oversight functions.
Monitoring Compliance with Internal Policies and Procedures
The events of recent years evidence the need for
an effective oversight and review program for elevated-risk CSFTs.
A financial institution’s program should provide for periodic independent
reviews of its CSFT activities to verify and monitor that its policies
and controls relating to elevated-risk CSFTs are being implemented
effectively and that elevated-risk CSFTs are accurately identified
and have received proper approvals. These independent reviews should be
performed by appropriately qualified audit, compliance, or other personnel
in a manner consistent with the institution’s overall framework for
compliance monitoring, which should include consideration of issues
such as the independence of reviewing personnel from the business
line. Such monitoring may include more frequent assessments of the
risk arising from elevated-risk CSFTs, both individually and within
the context of the overall customer relationship, and the results
of this monitoring should be provided to an appropriate level of management
in the financial institution.
Audit
The internal audit department
of any financial institution is integral to its defense against fraud,
unauthorized risk taking and damage to the financial institution’s
reputation. The internal audit department of a financial institution
should regularly audit the financial institution’s adherence to its
own control procedures relating to elevated-risk CSFTs, and further
assess the adequacy of its policies and procedures related to elevated-risk
CSFTs. Internal audit should periodically validate that business lines
and individual employees are complying with the financial institution’s
standards for elevated-risk CSFTs and appropriately identifying any
exceptions. This validation should include transaction testing for
elevated-risk CSFTs.
Training
An institution should identify relevant
personnel who may need specialized training regarding CSFTs to be
able to effectively perform their oversight and review responsibilities.
Appropriate training on the financial institution’s policies and procedures
for handling elevated-risk CSFTs is critical. Financial institution
personnel involved in CSFTs should be familiar with the institution’s
policies and procedures concerning elevated-risk CSFTs, including
the processes established by the institution for identification and
approval of elevated-risk CSFTs and new complex structured finance
products and for the elevation of concerns regarding transactions
or products to appropriate levels of management. Financial institution
personnel involved in CSFTs should be trained to identify and properly
handle elevated-risk CSFTs that may result in a violation of law.
IV. Conclusion
Structured finance products have become an essential and
important part of the U.S. and international capital markets, and
financial institutions have played an important role in the development
of structured finance markets. In some instances, however, CSFTs have
been used to misrepresent a customer’s financial condition
to investors and others, and financial institutions involved in these
transactions have sustained significant legal and reputational harm.
In light of the potential legal and reputational risks associated
with CSFTs, a financial institution should have effective risk-management
and internal control systems that are designed to allow the institution
to identify elevated-risk CSFTs, to evaluate, manage, and address
the risks arising from such transactions, and to conduct those activities
in compliance with applicable law.
Interagency statement of Jan. 11, 2007.