money plant growing


Regulatory developments for foreign banking organizations

Year three of Enhanced Prudential Standards

Foreign banking organizations are responding to regulatory challenges, including running combined CUSO and IHCs within the current global/parent operating model.

December 21, 2018 | Financial services

Key regulatory developments

The key milestone of July 1, 2016, is more than two years passed for foreign banking organizations (FBOs) to establish US intermediate holding companies (IHCs) and to implement the Enhanced Prudential Standards (EPS) established by the Federal Reserve Board (FRB). Much progress has been made across the impacted institutions and capabilities and processes put in place are transitioning to business as usual. Some institutions face challenges in targeted areas as running the combined US Operations (CUSO) and the IHCs within the current global/parent operating model. Larger questions remain over the sustainability and profitability of IHC business models given US regulatory landscape developments for US regional players, etc., and the impact of future FBO tailoring.

Tailoring Proposal

On October 31, 2018, the FRB proposed tailoring the EPS for large, domestic banking institutions. According to Chairman Jay Powell, this approach reflects the spirit of the Economic Growth, Regulatory Relief, and Consumer Protection Act (EGRRCPA)1 by prescribing “materially less stringent requirements on firms with less risk, while maintaining the most stringent requirements for firms that pose the greatest risks to the financial system and our economy.”2

The proposed framework includes two proposals: one issued exclusively by the FRB, and another issued jointly with the Office of the Comptroller of the Currency (OCC) and the Federal Deposit Insurance Corporation (FDIC).3 The proposals apply to all domestic bank holding companies (BHCs) and non-insurance, non-commercial savings and loan holding companies (SLHCs) with more than $100 billion in total consolidated assets. The proposals do not apply to FBOs or any IHCs of an FBO. The FRB has indicated that it plans to “develop a separate proposal relating to [FBOs] and their US operations.”4

Supervisory Priorities

November 2018, the FRB issued its inaugural Supervision and Regulation Summary, targeting semi-annual distribution.5 The report highlights issues and forward-looking supervisory concerns across its institutions—including the large banking organization portfolio and the Large Institution Supervision Coordinating Committee (LISCC) portfolio across US BHCs, US banks, and FBOs. The feedback for the FBOs is reported across the LISCC feedback and the Large Foreign Banking Organization (LFBO) feedback. “Large financial institutions are in sound financial condition. Capital levels are strong and much higher than before the financial crisis. Recent stress test results show that the capital levels of large firms after a hypothetical severe global recession would remain above regulatory minimums.”6 The focus for 2019 across the portfolios remains under the banner of the four supervisory pillars: Capital, liquidity, governance and controls, and recovery and resolution planning. For the FBOs, the FRB outlined its supervisory priorities for 2019 across the LISCC and LFBO portfolios.

New Rating System applicable for IHCs

On November 2, 2018, the FRB finalized and adopted a new rating system for large financial institutions (LFIs).7 The new rating system applies to various types of domestic and foreign firms including) US IHCs of FBOs. The new rating system aligns with the LFI supervisory program that focuses on capital, liquidity, and effectiveness of governance and controls. These rating assignments remain confidential. The rating system issues component ratings for the following areas:

  1. Capital planning and positions
  2. Liquidity risk management and positions
  3. Governance and controls

Challenges going forward and select IHC-related focus areas

As FBOs enter the last half of year three of their IHC operations, they continue to have a number of regulatory reform, operating model and internal sustainability challenges.

Global/US operating model

  • Calibrating the desirable balance between global/parent and CUSO priorities and considerations when developing the US focused and enabled governance and operating model—factoring in opportunities for offshoring, nearshoring, and centralizing of operations across global businesses. The regulators’ expectations are that the US will not be utilized solely as a “booking point.”
  • Balancing capability to “right-size” the governance and control environment as regulators look at outcomes and accountability for the IHC boards and senior management. Measures of ineffectiveness could manifest in risk management failures, controls weaknesses, trading mishaps, compliance violations, and quality of regulatory reporting.

US Managed View/Transfer Pricing

  • Developing a transparent business strategy within a US-managed view—defining what is originated, booked, or risk managed—with risk limits, triggers, and financials that can be explained across the CUSO and IHC.
  • Building monitoring of asset shifts between IHC and US branch and parent/non-US affiliates that permit financial and non-financial views.
  • Focus on the transparency of this monitoring and its implications to parent/CUSO boards and senior management by facilitating awareness and oversight of business operating models that affect risk measures and financials (e.g., revenue transfer/cost allocation and risk transfer).

Issue management

  • Sustaining regional management capabilities for self-identifying, remediating, and monitoring risk and compliance issues within the three lines of defense model.
  • Addressing supervisory issues in timely, holistic, and sustainable ways across risk management, liquidity, Comprehensive Capital Adequacy Review (CCAR), and governance and controls. It will be important to scale reporting in key areas within CUSO and between CUSO and parent/affiliates on topics such as booking model/transfer pricing, regulatory reporting, vendor management, and compliance.
  • Calibrating and prioritizing outstanding remediation efforts to demonstrate that appropriate governance and oversight is provided by the board and CUSO management (with appropriate escalation to the parent).
  • Demonstrating a focus on sustainability and monitoring outcomes for strong governance and risk management.
  • Building a structure of identification, remediation, and monitoring for transparent oversight recognizing financial and non-financial risk impacts across CUSO.

CUSO Management Reporting Transparency

  • Enhancing consistency and flexibility in Management Information Systems (MIS)/reporting views, emphasizing CUSO/IHC/branch dimensions and sustainability of existing regulatory reporting processes for the branch to IHC within an overall data governance model and approach.

US Regulatory Compliance

  • Continuing to build awareness and knowledge of the existing regulatory requirements and their potential impacts on operating models, staffing, systems, and processes. There is currently significant pressure on regulatory change and broader change processes, particularly as management appointments change over time.
  • Addressing outstanding issues and challenges for operational sustainability.
  • Developing and reinforcing an end-to-end compliance framework throughout CUSO.
  • Re-assessing current anti-money laundering/financial crime compliance programs in light of current regulatory actions.
  • Evaluating controls on end to end basis, both from a first/second line distinction but also across preventative and detective controls for compliance and operational issues (booking operational issues vis a vis strategic booking model perspectives).

Third-party management

  • Concerns in this area primarily relate to outsourcing risk, with a focus on whether a firm’s due diligence covers how well material vendors manage their own risks (including cyber risk).
  • An emerging focus is whether such due diligence also covers how well vendors manage their own third-party risk (i.e., 'fourth-party risk')—particularly for cyber. However, supervisory expectations on this topic are still in the early stages of debate and development.
  • Given changes to business operating models, the formation of service companies, and changes due to efficiency, effectiveness, and costs, evaluation of non-financial risks is a near-term concern for US regulators.

Regulatory reporting

  • Sustaining controls, and data and regulatory reporting processes.
  • Building monitoring that is cross-business and cross-functional that highlights areas of concern that need additional focus.
  • Addressing issues that may surface that span a wide variety of topics, including: US GAAP, data quality, data sourcing, change management, training, automation of processes, internal governance and MIS reporting, regulatory requirements knowledge, and adherence to compliance requirements (e.g., Regulation Y, Regulation W, Regulation D).

Governance and three lines of defense effectiveness

  • Understanding and balancing expectations highlighted in finalized and proposed guidance for:
    1. The new rating system for large financial institutions (finalized November 2018)8
    2. Board effectiveness (proposed August 2017)9
    3. Risk management and three lines of defense (proposed January 2018)10

Resolution plan

  • Maintaining momentum on resolution plans and operational continuity through regulatory timelines and feedback across the US and FBO institutions.

FBO focus areas and action items

To achieve business as usual and moving towards sustainability, there are a number of focus areas that for IHC boards and senior executives can consider focusing on for FBOs (and their CUSOs and IHCs) regarding EPS compliance for 2018/2019:

Business strategy and booking models

  • Reassess the sustainability and global impact of the US business strategy and booking models across IHC/branches. Identify markets and business lines in US operations that will continue to be profitable to support the IHC.
  • Evaluate business models linked to strategic planning and the linkage to parent bank plans for US operations. Evolve booking practices for IHC activities and branch activities.
  • Improve the rationale and documentation for what is originated, booked, and risk-managed from CUSO. Understand inbound/outbound business flows (beyond intercompany processes through CUSO wide views).
  • Continue to focus on transparency and awareness of FBO CUSO/IHC/branches business models. Analyze US branch vs. IHC vs. parent/affiliates to derive a senior management view across strategy, risk, and financial dimensions.
  • Given US Tax Reform evaluate booking model optimization opportunities in the US.
  • Given pressure points from US, UK, and Asia-Pacific regulatory agencies on booking model, evaluate appropriate control framework and approach for distinguishing approach for CUSO/IHC branches on booking practices and the appropriateness of controls across preventative and detective controls (across the three lines of defense).

Governance and three lines of defense

  • Demonstrate the ability to operate autonomously in the US, with a clear delegation of authority from the parent.
  • Fine tune the operating model for the IHC board, CUSO management, business line management, and the three lines of defense, with clearly outlined roles and responsibilities across business lines, control functions, compliance, and internal audit (across Regulation YY and related safety and soundness requirements).
  • First line of defense (Business) effectiveness of newly implemented or changed processes, review, validation, and testing of the second line (Risk and Compliance) and third line (Internal Audit) of defense and integration with escalation to the IHC board.

Regulatory change and portfolio management

  • Confirm capabilities for sustainable compliance with EPS and additional pending safety and soundness regulations.
  • Monitor and analyze additional proposed and final rules applicable to the IHC/CUSO (including regulatory guidance).
  • Connect the dots across regulatory change (e.g., understand expectations for capabilities across the four supervisory areas–capital, liquidity, governance and controls, and resolution planning).
  • Monitor the regulatory landscape and the impact of the current legislative landscape and changes as a result of regulatory agency focus areas including tailoring, proposed rule-making, and supervisory guidance.

Internal MIS and regulatory reporting effectiveness

  • Improve the capability to compare available data against peer groups and validate data quality within data governance routines.
  • Review internal reporting/MIS on an end-to-end basis to support the governance model for issue escalation, risk monitoring, challenge, and review.
  • Implement data governance and close data quality gaps within the FBO/parent approach within the overall parent bank context across internal and regulatory reporting.

Sustainable training and awareness across a parent, affiliates, and CUSO

  • Continue building awareness and training regarding the US regulatory environment over the long term, and align new processes align with parent perspectives and changes. Avoid “revisionist history.”

Integration of capital planning process into the CUSO process

  • Work through lessons learned and year three improvements; also, calibrate top-down versus bottom-up business planning.
  • Advance toward the sustainability of the attestation/certification framework, data and controls, CCAR “business as usual” operating model, and modeling and validation processes across the three lines of defense.

Liquidity planning and stress testing

  • Focus on operational sustainability for end-to-end liquidity processes that link business-as-usual, stress, recovery, and resolution frameworks with appropriate infrastructure upgrades for flexibility in data, controls, reporting, and governance.

Resolution planning in the spotlight

  • Calibrate resolution strategy to FBO guidance. Align the IHC board and CUSO governance processes. Prepare for credible/not credible determinations, with an eye toward US BHC 2019 proposed guidance.
  • Implement operational capabilities that were outlined in guidance across financials, collateral, risk management, reporting and monitor guidance provided to the US BHCs.

Strategic remediation and issue identification

  • Build end-to-end remediation that is strategic, holistic that positions the organization for future growth and sustainability.
  • Link regulatory requirements and expectations for revised/new processes, capital planning, and stress testing, resolution planning, liquidity, governance, risk management and controls, and data quality. Link controls to streamline monitoring and testing, enabling an environment of self-identification and improvement.

Implementation of a risk management framework within a parent model

  • Drive challenge and decision rights for the US CRO in implementing the CUSO Risk Management Framework within a global model (risk governance, strategy, decisions rights, escalation, and risk tolerances across the risk hierarchy).
  • Build end to end views across financial and non-financial risk for CUSO within the business and operating model. Focus on effectiveness and end to end focus of non-financial risks: vendor management, cybersecurity, information security, compliance, and operational.
  • Calibrate risk policies for the parent and CUSO dimensions to enable the IHC board and CUSO management team to provide governance and day-to-day management for the risks within CUSO.

Each firm should evaluate the areas of focus and prioritize their improvement and sustainability efforts based on areas most impactful to their risk and operating profile in those efforts can help you achieve smoother sailing in the years ahead for expansion and refinement with fewer regulatory constraints.


1 The EGRRCPA was signed into law on May 24. It increased the asset threshold for a banking organization to be designated as a systemically important financial institution (“SIFI”) from $50 billion to $100 immediately after enactment with a further increase 18 months after enactment.
2 Chairman Jerome Powell, Opening Statement on Proposals to Modify Enhanced Prudential Standards for Large Banking Organizations (Oct. 31, 2018), available at
3 Board of Governors of the Federal Reserve System, Prudential Standards for Large Bank Holding Companies and Savings and Loan Holding Companies (Oct. 31, 2018), available at (hereinafter the “FRB Proposal”).
Office of the Comptroller of the Currency, Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Proposed Changes to Applicability Thresholds for Regulatory Capital and Liquidity Requirements (Oct. 31, 2018), available at (hereinafter the “Interagency Proposal”).
4 "Interagency Proposal," page 17 (footnote 18).
5 Board of Governors of the Federal Reserve System, “Supervision and Regulation Report,” (November 2018), available at
6 “Supervision and Regulation Report,” page 13.
Board of Governors of the Federal Reserve System, “Federal Reserve Board finalizes new supervisory rating system for large financial institutions,” (November 2, 2018), available at
Deloitte, “New rating system for large financial institutions,” available at
8 Ibid.
9 Board of Governors of the Federal Reserve System, “Federal Reserve Board requests comment on proposed guidance that would clarify Board's supervisory expectations related to risk management for large financial institutions,” (January 4, 2018), available at
Deloitte, “A new age for governance,” available at
10 Board of Governors of the Federal Reserve System, “Federal Reserve Board invites public comment on two proposals; corporate governance and rating system for large financial institution,” (August 3, 2017), available at
Deloitte, “FRB proposes new supervisory expectations for management,” available at



Irena Gecas-McCarthy
Deloitte Risk and Financial Advisory

Deloitte & Touche LLP


David M. Wright
Managing director 
Deloitte Risk and Financial
Deloitte & Touche LLP


Matthew Dunn
Managing director
Deloitte Risk and Financial Advisory

Deloitte & Touche LLP


Craig R. Brown
Managing director
Deloitte Risk and Financial Advisory

Deloitte & Touche LLP


Michele Crish
Managing director
Deloitte Risk and Financial Advisory

Deloitte & Touche LLP


Monica Lalani
Deloitte Risk and Financial Advisory
Deloitte & Touche LLP


Marjorie Forestal
Deloitte Risk and Financial Advisory

Deloitte & Touche LLP


Ken Lamar
Independent senior advisor
Deloitte Risk and Financial Advisory

Deloitte & Touche LLP


Richard Rosenthal
Senior manager
Deloitte Risk and Financial Advisory

Deloitte & Touche LLP


Kyle Cooke
Senior consultant
Deloitte Center for Regulatory Strategy, Americas

Deloitte & Touche LLP

Marco Kim
Senior consultant
Deloitte Center for Regulatory Strategy, Americas

Deloitte & Touche LLP

Aaron Bhardwaj
Senior manager
Deloitte Risk and Financial Advisory

Deloitte & Touche LLP

This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.
Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the “Deloitte” name in the United States, and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see to learn more about our global network of member firms.

Copyright © 2018 Deloitte Development LLC. All rights reserved.

Fullwidth SCC. Do not delete! This box/component contains JavaScript that is needed on this page. This message will not be visible when page is activated.

Site-within-site Navigation. Do not delete! This box/component contains JavaScript that is needed on this page. This message will not be visible when page is activated.

Did you find this useful?