FBO industry landscape in year four of Enhanced Prudential Standards

November 13, 2019 | Financial services

Whether the challenge is to increase the maturity of risk management and governance or to rationalize organizational structures and business operations across the Intermediate Holding Company (IHC) and/or branch network of their combined US operations (CUSO), FBOs are likely experiencing a journey that is far more challenging than the one encountered by other parts of their global organizations.

On October 10, 2019, the Federal Reserve Board (FRB) finalized the EPS tailoring rule, granting some institutions with lower risk profiles relief from the more burdensome aspects of capital, stress testing, liquidity, and other requirements.¹ However, the core expectation of achieving a self-sufficient and regionally focused organization remains, as does the requirement for FBOs with US non branch assets above $50 billion to form IHCs. Moreover, while the hard-and-fast rules for EPS (as well as resolution planning) may have been relaxed for many organizations, supervisors appear to be maintaining a clear, consistent, and strong focus on risk management fundamentals and governance over the US operations.

Key considerations for FBOs in 2020—and beyond

Now that regulatory expectations for FBOs are more settled and stable (although still somewhat in transition as a result of tailoring), FBOs might want to re-evaluate their business models and operations, taking a fresh look at where they are best positioned to succeed in the US marketplace capitalizing on their unique ability to serve clients as part of a global network. This includes evaluating how the current regulatory and market landscape might call for certain businesses to be de-emphasized or cast off in favor of other areas that offer greater competitive advantage and the ability to successfully meet regulatory expectations for safety, soundness, and being "well managed."

A refreshed business strategy goes hand in hand with the ongoing work to achieve a sustainably transformed regional operation that meets regulatory expectations while achieving business goals. When EPS took effect in July 2016, Deloitte noted that the go-live date was not a "finish line," but rather that FBOs and their IHCs should see it as Mile 13 of a marathon.² We also noted that large FBOs would need to demonstrate the ability to govern and manage risk for their CUSO on a self-sufficient and sustainable basis, and that success would come down to how the US Management and the US IHC board of directors (BoD) work through key issues and decisions such as budget approvals, capital planning, and crisis management—as well as how they navigate shareholders, the parent organization, and the parameters between global consolidated efficiency and a regional legal entity focus.

Now, in year four of EPS, several ongoing challenges continue to require attention from IHC BoDs and senior management as FBOs strive to meet expectations and transform their business and operating models efficiently and effectively. Here are several key considerations FBOs should be mindful of in 2020 and beyond.

Regulatory focus areas for FBOs. Supervisory Reports from the FRB and the Office of the Comptroller of the Currency (OCC) highlight issues and forward-looking supervisory concerns across FBOs.³ According to a May 2019 FRB report, "Large financial institutions are in sound financial condition. Capital levels are strong and much higher than before the financial crisis. Recent stress test results show that the capital levels of large firms after a hypothetical severe global recession would remain above regulatory minimums."

Although the FRB appears satisfied with institutions’ financial condition, it has a wide-ranging agenda for ensuring that governance and risk management are satisfactory. In 2019, the focus across the portfolios comprised four supervisory pillars:

• Capital
• Liquidity
• Governance and controls
• Recovery and resolution planning

The key supervisory priorities are:

• Liquidity buffer and contingency funding plan
• Operational & cyber resilience
• Risk reporting
• Use of artificial intelligence (AI) for fraud and BSA/AML detection
• Compliance metrics
• Loss estimation methodologies and governance for residential mortgage and commercial real estate portfolios
• Governance of the capital planning process
• Recovery and resolution planning

Assessing and unwinding in a controlled manner. Institutions receiving relief due to tailoring should evaluate how changes in standards should be factored into the medium-term strategies for their US operations. They should unwind their related supporting regulatory infrastructure in a measured manner, and only if the underlying capability is not essential for good governance or risk management. Also, they should ensure that the fundamental risk management that intersects with these areas is not unintentionally degraded, and that unnecessary rework is avoided. It is important to note that despite relief in the rules applied to institutions, the intensity of examiner scrutiny, and level of expectations appears to have lightened only modestly, and may actually have increased in certain areas for some of the more systemic firms. Regardless of which new tailoring category a firm finds itself in, examiner scrutiny of the basic blocking and tackling of risk management and related capabilities is unlikely to lighten appreciably in the near future.

Cautious optimism—understanding the tailoring rule and navigating the web of thresholds. Institutions will need to understand the thresholds that apply to their FBO and then monitor them holistically going forward, not only as part of business as usual but also as part of new business/new product analysis (as appropriate) and as part of overall strategy for the CUSO. Substantial training/awareness will likely be necessary on an ongoing basis for the US and parent-level executives. Also, transition timetables will need to be monitored carefully. Regular reporting capabilities will need to be leveraged for regulatory reporting (to report on the underlying data); they also will be needed for internal monitoring. Last but not least, monitoring of thresholds will need to coincide with business and risk metrics on an ongoing basis.

Branch liquidity rules—impact to be determined. In its proposal, the FRB requested comments on whether standardized liquidity requirements should be imposed on the US branches and agencies of FBOs, and what approaches to use.⁴ For years, the FRB has discussed addressing this risk by proposing the application of standardized liquidity requirements to the branches and agencies of foreign banks, which would reduce the incentive to shift assets to branches from IHCs. Since the time the IHC requirements were put in place, branch assets have actually grown as a percentage of foreign bank activities in the United States, with the US branches and agencies of foreign banks now roughly twice as reliant on short-term wholesale funding as are the US IHCs.⁵

The FRB’s decision on imposing liquidity requirements on branches and agencies is still outstanding. In his statement, FRB Vice Chair for Supervision Randal Quarles stated that the FRB "will be focusing its attention in the coming months on the question of branch liquidity requirements." The FRB is planning to continue the dialogue with peer bank supervisors in other jurisdictions.⁶

Increase in transparency. Both FRB Vice Chair for Supervision Randal Quarles and Comptroller Joseph Otting have stated their goals of increasing transparency within the regulatory system. This represents another step for regulators to strengthen transparency in regulation and supervision, which could provide a forward look into focus areas for supervision and examination.

Global/US operating model. Firms should strike a balance between global and CUSO, with offshoring, nearshoring, remote booking, and centralizing all creating challenges for a CUSO-enabled governance and operating model. Many FBOs are struggling with parent dynamics to safeguard that the United States is not used only as a "booking point" within larger global cost and efficiency plays. Also, some FBOs are still having difficulty meeting governance expectations as regulators look at outcomes (e.g., risk management failures, controls weaknesses, trading mishaps, compliance violations and issues, and quality of regulatory reporting) as measures of the effectiveness of the governance and control environment.

Booking model and US-managed view. Institutions are wrestling with the issue of transparent business strategy within a US-managed view—defining what is originated, booked, or risk-managed—with risk limits, triggers, and financials that can be explained across CUSO/IHC. In particular, there is sensitivity to booking choices between the US branches and operating subsidiaries (particularly under BHC or IHC).

Another issue is transparency to parent boards/US risk committees and senior management regarding how the business operating model, transfer pricing, and service level agreements affect risk and financials. In addition, many FBOs that are part of global systemically important banks (G-SIBs) feel the pressure of home/host country regulator requests and expectations in responding to questions about the US and cross-border booking practices and governance.

Operational risk and issue management. Firms should sustain regional management capabilities for self-identifying, remediating, and monitoring risk and operational issues within the three lines of defense (LOD) model. They should also maintain the ability to build a sustainable self-improvement process to prioritize operational breaks, operational issues, and risks across all three lines. A specific focus area is management of controls and rationalization across different risk parameters and implementation of governance, risk, and compliance (GRC) tools to manage risk assessments and controls. Another key focus area is operational risk and identification of CUSO-related themes that are holistic across and within business units and controls functions. Institutions should calibrate and prioritize outstanding remediation efforts to demonstrate that appropriate governance and oversight is provided by the IHC board and CUSO management regarding escalation to the parent.

There is also a need for focused remediation that is not delayed or cut by parent-only views; institutions need CUSO governance and escalation to drive discussions with the parent. Finally, FBOs will need to demonstrate strong outcomes or prove their structure was not an impediment to strong governance and risk management.

CUSO management reporting transparency. Institutions need consistent and flexible management information systems (MIS)/reporting views emphasizing CUSO/IHC/branch dimensions, along with sustainability of existing regulatory reporting processes for branch-to-branch and branch-to-subsidiary within an overall data governance model and approach.

US regulatory compliance. With significant pressure on regulatory change and broader change processes, firms should continue building awareness and knowledge of the existing regulatory requirements related to operating model, staffing, systems, and processes. Institutions need the ability to maintain a sustainable end-to-end compliance program within CUSO, as part of a broader parent approach.

Bank Secrecy Act (BSA)/anti-money laundering (AML) compliance implementation has resurfaced as a significant challenge for businesses attempting to scale their operations while meeting their BSA/AML regulatory requirements. More broadly, a specific issue is evaluating controls on an end-to-end basis, not only from a first-/second-line distinction, but also across preventative and detective controls for compliance and operational issues.

Third-party management and vendor risk management. First and foremost, firms should maintain a CUSO view related to outsourcing risk, with a focus on whether a firm’s due diligence covers how well vendors manage their own risks. This "fourth-party" risk (particularly cyber risk), is an emerging focus area, although supervisory expectations are still in the early stages of debate and development.

Evaluation of non-financial risks is of near-term concern for the US regulators given changes in the business operating model and formation of service companies, as well as changes driven by cost efficiency concerns. For outsourcing risk, the definition of "vendor" is intended to be broad and to span the full range of service providers. Inventorying vendors and conducting vendor risk assessments is essential and drives monitoring, intensity of due diligence, and controls testing.

MIS/regulatory reporting and data governance. Institutions need the ability to meet regulatory reporting expectations for access to source information and underlying data. FBOs have generally relied upon their parent risk data aggregation (BCBS 239) programs for data governance. However, there is continued and sustained pressure on the US and FBO Large Institution Supervision Coordinating Committees and large financial institutions to improve their data quality for management and regulatory reporting, with a greater focus on infrastructure and transparency of enterprise-wide data and legal entity views. Institutions face many challenges in reacting to information requests that are CUSO-wide while information is aligned to the legal entity or business-aligned. Challenges have typically been linked to the lack of:

• Governance structure that enforces accountability, measures data quality, and allocates resources to address data and financial reporting challenges
• Accountability of data owners (i.e., business lines)
• Firm-wide data integrity and quality assurance programs that include requirements related to management information systems (MIS), financial reporting, and regulatory compliance
• Effective change management infrastructure
• Firm-wide data programs that include policies for creating and maintaining standard data and account definitions
• Firm-wide integrated accounting, risk, and data repositories

Governance and three lines of defense effectiveness. Firms need to understand, and balance expectations highlighted in finalized and proposed guidance for: a new rating system for large financial institutions (finalized November 2018); board effectiveness (proposed August 2017); and risk management and three lines of defense (proposed January 2018). Also, there is a resurgence of questions related to global/matrix reporting, decision rights, and the balance between parent/US influence—particularly as global operating models change, new businesses are launched, and parent directives influence the US operations. Key issues include: accountability of IHC BoD/risk committee and escalation to the parent; accountability impact on individual performance evaluations and compensation; and confirmation of risk management and governance capabilities.

Operational and business resiliency. Institutions need the ability to understand and support the linkages across recovery, business continuity, and crisis management, with a governance overlay by the parent and IHC BoD. Cybersecurity—and the ability to recover from cyberattacks or breaches—is currently a supervisory topic across regulatory agencies.⁷ Remediation activities coming out of the horizontal examinations will need to keep pace with emerging risk across all regulators.

Institutions will need the ability to incorporate lessons learned from current incidents and refine parent/ CUSO protocols. Key focus areas are: building improved CUSO resiliency through informed technology and infrastructure decision making and linking parent and CUSO leads and committees for technology, resiliency, business continuity, cybersecurity, and information security.

Resolution planning. There is a need to maintain momentum on resolution plans and the related mandates for operational continuity through resolution. Operational continuity and crisis management efforts for going concerns can be leveraged to help comply with regulatory timelines and mandates.

Setting priorities

Each firm should evaluate its focus areas and prioritize its improvement and sustainability efforts based on which areas are likely to have the biggest impact on its risk and operating profile. In the years ahead, prioritizing those high-impact efforts can lead to smoother expansion and refinement with fewer regulatory constraints.