OCC Proposes To Raise Threshold For Applying Guidelines Establishing Heightened Standards For Certain Large Financial Institutions

The OCC published a proposed rule amending its guidelines relating to heightened standards for certain OCC-supervised institutions—insured national banks, insured federal savings associations, and insured federal branches of foreign banks—to increase the applicable threshold from $50 billion in average total consolidated assets to $700 billion. The guidelines set forth heightened standards for the design and implementation of an institution's risk governance framework and for a board of directors in overseeing that framework.

The proposal to raise the threshold would free up most large institutions to use a risk governance framework that is best suited to their banking organization, rather than one that merely fits the OCC's uniform, prescriptive standards. Among the recent proposals by the OCC to relieve administrative compliance burdens for banks, the proposed amendments to the guidelines would arguably be the most significant change to date: it would result in a 1,300% increase in assets that trigger standards that can be interpreted in almost any way the OCC chooses.

Comments on the OCC's proposal are due March 2, 2026.

Key Takeaways

• More freedom for innovative solutions. The OCC boldly states that it supports efforts by financial institutions to use new technologies and techniques in a safe and sound manner to identify and manage risks, and it expects the proposal to facilitate innovation in risk management practices. While financial institutions have been exploring the use of artificial intelligence as a compliance tool for many years, the proposal would allow institutions below the new threshold to invest further in developing innovative solutions to risk management.
• Risk management expectations are unchanged. While the proposal shifts from applying uniform, prescriptive standards to a broad set of large institutions to allowing a number of institutions to adopt more tailored approaches, the OCC indicates that it expects newly excluded institutions to continue to maintain robust risk governance and management practices. In addition, other supervisory standards, such as the Fed's Enhanced Prudential Standards (EPS), which apply to certain Fed-supervised institutions with $100 billion or more in total assets, may still apply. It remains to be seen whether the Fed will rethink its asset thresholds as well.
• Refocus on risk-based supervision. The proposal continues a trend among the financial banking agencies to move supervisory resources from examining operational processes to material financial risks to supervised institutions and costs to the banking system.

OCC Guidelines on Heightened Standards

In the wake of the 2008 financial crisis, the OCC introduced a program of heightened expectations for the governance and risk management practices of large financial institutions, which were formalized in guidelines codified at Appendix D to the OCC's safety and soundness standards regulations. The guidelines currently apply to "covered banks," which are insured national banks, insured federal savings associations, and insured federal branches of foreign banks with any of the following:

• average total consolidated assets equal to or greater than $50 billion;
• average total consolidated assets less than $50 billion if that bank's parent company controls at least one covered bank; or
• average total consolidated assets less than $50 billion if the OCC determines such bank's operations are highly complex or otherwise present a heightened risk.

The guidelines establish prescriptive standards related to a covered bank's risk governance framework and oversight role of its board. Under the guidelines, a covered bank should have a formal, written risk governance framework, based on a written statement of its risk appetite, governing its "three lines of defense" (front line units, independent risk management, and internal audit) and specify the risk management roles and responsibilities the framework should require of these lines. The guidelines also provide that a covered bank's board should have an active oversight role, including review and approval of the risk governance framework and any changes to the framework, the risk appetite statement, and a talent management program.

Relief for Most Large Banks

The proposed amendments to the guidelines would change the definition of "covered bank" to raise the threshold so that it would apply to only the eight or so largest and most complex institutions, while retaining the authority to apply the guidelines to excluded banks if the OCC determines that a bank's operations are highly complex or otherwise present a heightened risk, which OCC noted would be a "high threshold that only will be crossed in extraordinary circumstances."

The proposal would allow newly excluded institutions to design and implement risk governance frameworks and risk management processes that are tailored to their individual size, complexity, and risk profile. The OCC indicated that this includes the embrace of new technologies and techniques to manage risk in more efficient and effective ways. The proposal would also allow excluded institutions to use financial resources for other purposes and their boards to refocus on core responsibilities, such as overseeing the execution of the bank's strategy.

Questions to Consider

The OCC invites feedback on over 30 questions concerning the guidelines, signaling both an openness to input on how to balance prescriptive expectations with giving institutions sufficient flexibility to establish risk governance and management practices that are best suited to their organization and the potential for future changes to the guidelines. Among the OCC's questions are whether the OCC should rescind the guidelines and reissue them as supervisory guidance—the violation or noncompliance of which the OCC may not criticize through the issuance of matters requiring attention or base an enforcement action—and whether the OCC should remove or adjust duplicative standards contained in the Fed's EPS.

Our Take

With the proposal, the OCC continues to lead the federal banking agencies in promoting a risk-based approach to better bank supervision. While Fed Vice Chair for Supervision Michelle Bowman indicated that the Fed will soon publish a proposed rule similar to the OCC and FDIC's joint proposal to codify stricter standards for the issuance of matters requiring attention and the definition of "unsafe or unsound practice" for enforcement actions, many of the Fed's requirements, such as its EPS, supervisory stress test rule, and capital planning requirements, still apply to institutions with $100 billion or more in total assets.

In addition, it remains to be seen whether newly excluded institutions would leave their existing risk management processes in place, or opt for a wholesale replacement with an AI-driven compliance approach. Although the proposed amendments to the guidelines support innovation in risk management practices, a conversion to a sophisticated, real-time and predictive system may be difficult to undo should a future administration change supervisory approaches.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.