Title 12 Part 1236

Title 12 → Chapter XII → Subchapter B → Part 1236

Electronic Code of Federal Regulations e-CFR

e-CFR data is current as of November 19, 2018

Title 12: Banks and Banking


PART 1236—PRUDENTIAL MANAGEMENT AND OPERATIONS STANDARDS


Contents
§1236.1   Purpose.
§1236.2   Definitions.
§1236.3   Prudential standards as guidelines.
§1236.4   Failure to meet a standard; corrective plans.
§1236.5   Failure to submit a corrective plan; noncompliance.
Appendix to Part 1236—Prudential Management and Operations Standards

Authority: 12 U.S.C. 4511, 4513(a) and (f), 4513b, and 4526.

Source: 77 FR 33959, June 8, 2012, unless otherwise noted.

§1236.1   Purpose.

This part establishes the prudential management and operations standards that are required by 12 U.S.C. 4513b and the processes by which FHFA can notify a regulated entity of its failure to operate in accordance with the standards and can direct the entity to take corrective action. This part further specifies the possible consequences for any regulated entity that fails to operate in accordance with the standards or otherwise fails to comply with this part.

§1236.2   Definitions.

Unless otherwise indicated, terms used in this part have the meanings that they have in the Federal Housing Enterprises Financial Safety and Soundness Act, 12 U.S.C. 4501 et seq., or the Federal Home Loan Bank Act, 12 U.S.C. 1421 et seq.

Extraordinary growth—(1) For purposes of 12 U.S.C. 4513b(b)(3)(C), means:

(i) With respect to a Bank, growth of non-advance assets in excess of 30 percent over the six calendar quarter period preceding the date on which FHFA notified the Bank that it was required to submit a corrective plan; and

(ii) With respect to an Enterprise, quarterly non-annualized growth of assets in excess of 7.5 percent in any calendar quarter during the six calendar quarter period preceding the date on which FHFA notified the Enterprise that it was required to submit a corrective plan.

(2) For purposes of calculating an increase in assets, assets acquired through merger or acquisition approved by FHFA are not to be included.

Standards means any one or more of the prudential management and operations standards established by the Director pursuant to 12 U.S.C. 4513b(a), as modified from time to time pursuant to §1236.3(b), including the introductory statement of general responsibilities of boards of directors and senior management of the regulated entities.

[77 FR 33959, June 8, 2012, as amended at 78 FR 2324, Jan. 11, 2013; 80 FR 72336, Nov. 19, 2015]

§1236.3   Prudential standards as guidelines.

(a) The Standards constitute the prudential management and operations standards required by 12 U.S.C. 4513b.

(b) The Standards have been adopted as guidelines, as authorized by 12 U.S.C. 4513b(a), and the Director may modify, revoke, or add to the Standards, or any one or more of them, at any time by order or notice.

(c) In the case of a direct conflict between a Standard and an FHFA regulation, when it is not possible to comply with both the Standard and the FHFA regulation, the regulation shall control.

(d) Failure to meet any Standard may constitute an unsafe and unsound practice for purposes of the enforcement provisions of 12 U.S.C. chapter 46, subchapter III.

§1236.4   Failure to meet a standard; corrective plans.

(a) Determination. FHFA may, based upon an examination, inspection or any other information, determine that a regulated entity has failed to meet one or more of the Standards.

(b) Submission of corrective plan. If FHFA determines that a regulated entity has failed to meet any Standard, FHFA may require the entity to submit a corrective plan, in which case FHFA shall, by written notice, inform the regulated entity of that determination and the requirement to submit a corrective plan.

(c) Corrective plans—(1) Contents of plan. A corrective plan shall describe the actions the regulated entity will take to correct its failure to meet any one or more of the Standards, and the time within which each action will be taken.

(2) Filing deadline—(i) In general. A regulated entity must file a written corrective plan with FHFA within thirty (30) calendar days of being notified by FHFA of its failure to meet a Standard and need to file a corrective plan, unless FHFA notifies the regulated entity in writing that the plan must be filed within a different time period.

(ii) Other plans. If a regulated entity must file a capital restoration plan submitted pursuant to 12 U.S.C. 4622, it may submit the corrective plan required under this section as part of the capital restoration plan, subject to the deadline in paragraph (c)(2)(i) of this section. If a regulated entity currently is operating under a cease-and-desist order entered into pursuant to 12 U.S.C. 4631 or 4632, or a formal or informal agreement, or must file a response to a report of examination or report of inspection, it may, with the permission of FHFA, submit the corrective plan required under this section as part of the regulated entity's compliance with that order, agreement or response, subject to the deadline in paragraph (c)(2)(i) of this section, but the corrective plan would not become a part of the order, agreement, or response.

(d) Amendment of corrective plan. A regulated entity that is operating in accordance with an approved corrective plan may submit a written request to FHFA to amend the plan as necessary to reflect any changes in circumstance. Until such time that FHFA approves a proposed amendment, the regulated entity must continue to operate in accordance with the terms of the corrective plan as previously approved.

(e) Review of corrective plans and amendments. Within thirty (30) calendar days of receiving a corrective plan or proposed amendment to a plan, FHFA will notify the regulated entity in writing of its decision on the plan, will direct the regulated entity to submit additional information, or will notify the regulated entity in writing that FHFA has established a different deadline.

§1236.5   Failure to submit a corrective plan; noncompliance.

(a) Remedies. If a regulated entity fails to submit an acceptable corrective plan under §1236.4(b), or fails in any material respect to implement or otherwise comply with an approved corrective plan, FHFA shall order the regulated entity to correct that deficiency, and may:

(1) Prohibit the regulated entity from increasing its average total assets, as defined in 12 U.S.C. 4516(b)(4), for any calendar quarter over its average total assets for the preceding calendar quarter, or may otherwise restrict the rate at which the average total assets of the regulated entity may increase from one calendar quarter to another;

(2) Prohibit the regulated entity from paying dividends;

(3) Prohibit the regulated entity from redeeming or repurchasing capital stock;

(4) Require the regulated entity to maintain or increase its level of retained earnings;

(5) Require an Enterprise to increase its ratio of core capital to assets, or require a Bank to increase its ratio of total capital, as defined in 12 U.S.C. 1426(a)(5), to assets; or

(6) Require the regulated entity to take any other action that the Director determines will better carry out the purposes of the statute by bringing the regulated entity into conformance with the Standards.

(b) Extraordinary growth. If a regulated entity that has failed to submit an acceptable corrective plan or has failed in any material respect to implement or otherwise comply with an approved corrective plan, also has experienced extraordinary growth, FHFA shall impose at least one of the sanctions listed in paragraph (a) of this section, consistently with the requirements of 12 U.S.C. 4513b(b)(3).

(c) Orders—(1) Notice. Except as provided in paragraph (c)(4) of this section, FHFA will notify a regulated entity in writing of its intent to issue an order requiring the regulated entity to correct its failure to submit or its failure in any material respect to implement or otherwise comply with an approved corrective plan. Any such notice will include:

(i) A statement that the regulated entity has failed to submit a corrective plan under §1236.4, or has not implemented or otherwise has not complied in any material respect with an approved plan;

(ii) A description of any sanctions that FHFA intends to impose and, in the case of the mandatory sanctions required by 12 U.S.C. 4513b(b)(3), a statement that FHFA believes that the regulated entity has experienced extraordinary growth; and

(iii) The proposed date when any sanctions would become effective or the proposed date for completion of any required actions.

(2) Response to notice. A regulated entity may file a written response to a notice of intent to issue an order, which must be delivered to FHFA within fourteen (14) calendar days of the date of the notice, unless FHFA determines that a different time period is appropriate in light of the safety and soundness of the regulated entity or other relevant circumstances. The response should include:

(i) An explanation why the regulated entity believes that the action proposed by FHFA is not an appropriate exercise of discretion;

(ii) Any recommended modification of the proposed order; and

(iii) Any other relevant information, mitigating circumstances, documentation or other evidence in support of the position of the regulated entity regarding the proposed order.

(3) Failure to file response. A regulated entity's failure to file a written response within the specified time period will constitute a waiver of the opportunity to respond and will constitute consent to issuance of the order.

(4) Immediate issuance of final order. FHFA may issue an order requiring a regulated entity immediately to take actions to correct a Standards deficiency or to take or refrain from taking other actions pursuant to paragraph (a) of this section. Within fourteen (14) calendar days of the issuance of an order under this paragraph, or other time period specified by FHFA, a regulated entity may submit a written appeal of the order to FHFA. FHFA will respond in writing to a timely filed appeal within sixty (60) days after receiving the appeal. During this period, the order will remain in effect unless FHFA stays the effectiveness of the order.

(d) Request for modification or rescission of order. A regulated entity subject to an order under this part may submit a written request to FHFA for an amendment to the order to reflect a change in circumstance. Unless otherwise ordered by FHFA, the order shall continue in place while such a request is pending before FHFA.

(e) Agency review and determination. FHFA will respond in writing within thirty (30) days after receiving a response or amendment request, unless FHFA notifies the regulated entity in writing that it will respond within a different time period. After considering a regulated entity's response or amendment request, FHFA may:

(1) Issue the order as proposed or in modified form;

(2) Determine not to issue the order and instead issue a different order; or

(3) Seek additional information or clarification of the response from the regulated entity, or any other relevant source.

Appendix to Part 1236—Prudential Management and Operations Standards

The following provisions constitute the prudential management and operations standards established pursuant to 12 U.S.C. 4513b(a).

General Responsibilities of the Board of Directors and Senior Management

The following provisions address the general responsibilities of the boards of directors and senior management of the regulated entities as they relate to the matters addressed by each of the Standards. The descriptions are not a comprehensive listing of the responsibilities of either the boards or senior management, each of whom have additional duties and responsibilities to those described in these Standards.

Responsibilities of the Board of Directors

1. With respect to the subject matter addressed by each Standard, the board of directors is responsible for adopting business strategies and policies that are appropriate for the particular subject matter. The board should review all such strategies and policies periodically. It should review and approve all major strategies and policies at least annually and make any revisions that are necessary to ensure that such strategies and policies remain consistent with the entity's overall business plan.

2. The board of directors is responsible for overseeing management of the regulated entity, which includes ensuring that management includes personnel who are appropriately trained and competent to oversee the operation of the regulated entity as it relates to the functions and requirements addressed by each Standard, and that management implements the policies set forth by the board.

3. The board of directors is responsible for remaining informed about the operations and condition of the regulated entity, including operating consistently with the Standards, and senior management's implementation of the strategies and policies established by the board of directors.

4. The board of directors must remain sufficiently informed about the nature and level of the regulated entity's overall risk exposures, including market, credit, and counterparty risk, so that it can understand the possible short- and long-term effects of those exposures on the financial health of the regulated entity, including the possible short- and long-term consequences to earnings, liquidity, and economic value. The board of directors should: establish the regulated entity's risk tolerances and should provide management with clear guidance regarding the level of acceptable risks; review the regulated entity's entire market risk management framework, including policies and entity-wide risk limits at least annually; oversee the adequacy of the actions taken by senior management to identify, measure, manage, and control the regulated entity's risk exposures; and ensure that management takes appropriate corrective measures whenever market risk limit violations or breaches occur.

Responsibilities of Senior Management

5. With respect to the subject matter addressed by each Standard, senior management is responsible for developing the policies, procedures and practices that are necessary to implement the business strategies and policies adopted by the board of directors. Senior management should ensure that such items are clearly written, sufficiently detailed, and are followed by all personnel. Senior management also should ensure that the regulated entity has personnel who are appropriately trained and competent to carry out their respective functions and that all delegated responsibilities are performed.

6. Senior management should ensure that the regulated entity has adequate resources, systems and controls available to execute effectively the entity's business strategies, policies and procedures, including operating consistently with each of the Standards.

7. Senior management should provide the board of directors with periodic reports relating to the regulated entity's condition and performance, including the subject matter addressed by each of the Standards, that are sufficiently detailed to allow the board of directors to remain fully informed about the business of the regulated entity.

8. Senior management should regularly review and discuss with the board of directors information regarding the regulated entity's risk exposures that is sufficient in detail and timeliness to permit the board of directors to understand and assess the performance of management in identifying and managing the various risks to which the regulated entity is exposed.

Responsibilities of the Board of Directors and Senior Management

9. The board of directors and senior management should conduct themselves in such a manner as to promote high ethical standards and a culture of compliance throughout the organization.

10. The board of directors and senior management should ensure that the regulated entity's overall risk profile is aligned with its mission objectives.

Standard 1—Internal Controls and Information Systems

Responsibilities of the Board of Directors

1. Regarding internal controls and information systems, the board of directors of each regulated entity should adopt appropriate policies, ensure personnel are appropriately trained and competent, approve and periodically review overall business strategies, approve the organizational structure, and assess the adequacy of senior management's oversight of this function.

Responsibilities of Senior Management

2. Regarding internal controls and information systems, senior management should implement strategies and policies approved by the board of directors, establish appropriate policies, monitor the adequacy and effectiveness of this function, and ensure personnel are appropriately trained and competent. The organizational structure should clearly assign responsibility, authority, and reporting relationships.

Responsibilities of the Board of Directors and Senior Management

3. Regarding internal controls and information systems, both the board of directors and senior management should promote high ethical standards, create a culture that emphasizes the importance of this function, and promptly address any issues in need of remediation.

Framework

4. The regulated entity should have an adequate and effective system of internal controls, which should include a board approved organizational structure that clearly assigns responsibilities, authority, and reporting relationships, and establishes an appropriate segregation of duties that ensures that personnel are not assigned conflicting responsibilities.

5. The regulated entity should establish appropriate internal control policies and should monitor the adequacy and effectiveness of its internal controls and information systems on an ongoing basis through a formal self-assessment process.

6. The regulated entity should have an organizational culture that emphasizes and demonstrates to personnel at all levels the importance of internal controls.

7. The regulated entity should address promptly any violations, findings, weaknesses, deficiencies, and other issues in need of remediation relating to the internal control systems.

Risk Recognition and Assessment

8. A regulated entity should have an effective risk assessment process that ensures that management recognizes and continually assesses all material risks, including credit risk, market risk, interest rate risk, liquidity risk, and operational risk.

Control Activities and Segregation of Duties

9. A regulated entity should have an effective internal control system that defines control activities at every business level.

10. A regulated entity's control activities should include:

a. Board of directors and senior management reviews of progress toward goals and objectives;

b. Appropriate activity controls for each business unit;

c. Physical controls to protect property and other assets and limit access to property and systems;

d. Procedures for monitoring compliance with exposure limits and follow-up on non-compliance;

e. A system of approvals and authorizations for transactions over certain limits; and

f. A system for verification and reconciliation of transactions.

Information and Communication

11. A regulated entity should have information systems that provide relevant, accurate and timely information and data.

12. A regulated entity should have secure information systems that are supported by adequate contingency arrangements.

13. A regulated entity should have effective channels of communication to ensure that all personnel understand and adhere to policies and procedures affecting their duties and responsibilities.

Monitoring Activities and Correcting Deficiencies

14. A regulated entity should monitor the overall effectiveness of its internal controls and key risks on an ongoing basis and ensure that business units and internal and external audit conduct periodic evaluations.

15. Internal control deficiencies should be reported to senior management and the board of directors on a timely basis and addressed promptly.

Applicable Laws, Regulations, and Policies

16. A regulated entity should comply with all applicable laws, regulations, and supervisory guidance (e.g., advisory bulletins) governing internal controls and information systems.

Standard 2—Independence and Adequacy of Internal Audit Systems

Audit Committee

1. A regulated entity's board of directors should have an audit committee that exercises proper oversight and adopts appropriate policies and procedures designed to ensure the independence of the internal audit function. The audit committee should ensure that the internal audit department includes personnel who are appropriately trained and competent to oversee the internal audit function.

2. The board of directors should review and approve the audit committee charter at least every three years.

3. The audit committee of the board of directors is responsible for monitoring and evaluating the effectiveness of the regulated entity's internal audit function.

4. Issues reported by the internal audit department to the audit committee should be promptly addressed and satisfactorily resolved.

Internal Audit Function

5. A regulated entity should have an internal audit function that provides for adequate testing of the system of internal controls.

6. A regulated entity should have an independent and objective internal audit department that reports directly to the audit committee of the board of directors.

7. A regulated entity's internal audit department should be adequately staffed with properly trained and competent personnel.

8. The internal audit department should conduct risk-based audits.

9. The internal audit department should conduct adequate testing and review of internal control and information systems.

10. The internal audit department should determine whether violations, findings, weaknesses and other issues reported by regulators, external auditors, and others have been promptly addressed.

Applicable Laws, Regulations, and Policies

11. A regulated entity should comply with applicable laws, regulations, and supervisory guidance (e.g., advisory bulletins) governing the independence and adequacy of internal audit systems.

Standard 3—Management of Market Risk Exposure

Responsibilities of the Board of Directors

1. Regarding the overall management of market risk exposure, the board of directors should remain sufficiently informed about the nature and level of the regulated entity's market risk exposures. At least annually, the board should review the entire market risk framework, including policies and risk limits, and provide an assessment of compliance.

2. Regarding the policies, practices and procedures surrounding the management of market risk, the board of directors should approve all major strategies and policies relating to the management of market risk, ensure all major strategies and policies are consistent with the overall business plan, establish and communicate a market risk tolerance, and ensure appropriate corrective measures are taken when market risk limit violations or breaches occur.

3. The board, or a board appointed committee, should oversee the adequacy of actions taken by senior management to identify, measure, manage, and control market risk exposures, ensure market risk policies establish lines of authority and responsibility, and review risk exposures on a periodic basis.

Responsibilities of Senior Management

4. Regarding the overall management of market risk exposure, senior management should provide sufficient and timely information to the board of directors, ensure personnel are appropriately trained and competent, ensure adequate systems and resources are available to manage and control market risk, report any breaches to the board of directors (or the appropriate board committee), and take appropriate remedial action.

5. Regarding the policies, practices, and procedures surrounding market risk exposure, senior management should ensure market risk policies and procedures are clearly written, sufficiently detailed, and followed. Approved policies and procedures should include clear market risk limits and lines of authority for managing market risk.

Market Risk Strategy

6. A regulated entity should have a clearly defined and well-documented strategy for managing market risk, which must be consistent with its overall business plan, must enable the regulated entity to identify, manage, monitor, and control the regulated entity's risk exposures on a business unit and an enterprise-wide basis, and must ensure that the lines of authority and responsibility for managing market risk and monitoring market risk limits are clearly identified. The strategy should specify a target account, or target accounts, for managing market risk (e.g., specify whether the objective is to control risk to earnings, net portfolio value, or some other target, or some combination of targets), and, if a market risk limit is breached, should require that the breach be reported to the board of directors, or the appropriate board committee, and that appropriate remedial action, including any ordered by the board of directors, should be taken.

7. Management should ensure that the board of directors is made aware of the advantages and disadvantages of the regulated entity's chosen market risk management strategy, as well as those of alternative strategies, so that the board of directors can make an informed judgment about the relative efficacy of the different strategies.

8. A Bank's strategy for managing market risk should take into account the importance of maintaining the market value of equity of member stock commensurate with the par value of that stock so that the Bank is able to redeem and repurchase member stock at par value.

9. A regulated entity should comply with all applicable laws, regulations, and supervisory guidance, (e.g., advisory bulletins) governing the independence and adequacy of the management of market risk exposure.

Standard 4—Management of Market Risk—Measurement Systems, Risk Limits, Stress Testing, and Monitoring and Reporting

Risk Measurement Systems

1. A regulated entity should have a risk measurement system (a model or models) that capture(s) all material sources of market risk and provide(s) meaningful and timely measures of the regulated entity's risk exposures, as well as personnel who are appropriately trained and competent to operate and oversee the risk measurement system.

2. The risk measurement system should be capable of estimating the effect of changes in interest rates and other key risk factors on the regulated entity's earnings and market value of equity over a range of scenarios.

3. The measurement system should be capable of valuing all financial assets and liabilities in the regulated entity's portfolio.

4. The measurement system should address all material sources of market risk including repricing risk, yield curve risk, basis risk, and options risk.

5. Management should ensure the integrity and timeliness of the data inputs used to measure the regulated entity's market risk exposures, and should ensure that assumptions and parameters are reasonable and properly documented.

6. The measurement system's methodologies, assumptions, and parameters should be thoroughly documented, understood by management, and reviewed on a regular basis.

7. A regulated entity's market risk model should be upgraded periodically to incorporate advances in risk modeling technology.

8. A regulated entity should have a documented approval process for model changes that requires model changes to be authorized by a party independent of the party making the change.

9. A regulated entity should ensure that its models are independently validated on a regular basis.

Risk Limits

10. Risk limits should be consistent with the regulated entity's strategy for managing interest rate risk and should take into account the financial condition of the regulated entity, including its capital position.

11. Risk limits should address the potential impact of changes in market interest rates on net interest income, net income, and the regulated entity's market value of equity.

Stress Testing

12. A regulated entity should conduct stress tests on a regular basis for a variety of institution-specific and market-wide stress scenarios to identify potential vulnerabilities and to ensure that exposures are consistent with the regulated entity's tolerance for risk.

13. A regulated entity should use stress test outcomes to adjust its market risk management strategies, policies, and positions and to develop effective contingency plans.

14. Special consideration should be given to ensuring that complex financial instruments, including instruments with complex option features, are properly valued under stress scenarios and that the risks associated with options exposures are properly understood.

15. Management should ensure that the regulated entity's board of directors or a committee thereof considers the results of stress tests when establishing and reviewing its strategies, policies, and limits for managing and controlling interest rate risk.

16. The board of directors and senior management should review periodically the design of stress tests to ensure that they encompass the kinds of market conditions under which the regulated entity's positions and strategies would be most vulnerable.

Monitoring and Reporting

17. A regulated entity should have an adequate management information system for reporting market risk exposures.

18. The board of directors, senior management, and the appropriate line managers should be provided with regular, accurate, informative, and timely market risk reports.

Applicable Laws, Regulations, and Policies

19. A regulated entity should comply with all applicable laws, regulations, and supervisory guidance (e.g., advisory bulletins) governing the management of market risk.

Standard 5—Adequacy and Maintenance of Liquidity and Reserves

Responsibilities of the Board of Directors

1. Regarding the adequacy and maintenance of liquidity and reserves, the board of directors should review (at least annually) all major strategies and policies governing this area, approve appropriate revisions to such strategies and policies, and ensure senior management are appropriately trained to effectively manage liquidity.

Responsibilities of Senior Management

2. Regarding the adequacy and maintenance of liquidity and reserves, senior management should develop strategies, policies, and practices to manage liquidity risk, ensure personnel are appropriately trained and competent, and provide the board of directors with periodic reports on the regulated entity's liquidity position.

Policies, Practices, and Procedures

3. A regulated entity should establish a liquidity management framework that ensures it maintains sufficient liquidity to withstand a range of stressful events.

4. A regulated entity should articulate a liquidity risk tolerance that is appropriate for its business strategy and its mission goals and objectives.

5. A regulated entity should have a sound process for identifying, measuring, monitoring, controlling, and reporting its liquidity position and its liquidity risk exposures.

6. A regulated entity should establish a funding strategy that provides effective diversification in the sources and tenor of funding.

7. A regulated entity should conduct stress tests on a regular basis for a variety of institution-specific and market-wide stress scenarios to identify sources of potential liquidity strain and to ensure that current exposures remain in accordance with each regulated entity's established liquidity risk tolerance.

8. A regulated entity should use stress test outcomes to adjust its liquidity management strategies, policies, and positions and to develop effective contingency plans.

9. A regulated entity should have a formal contingency funding plan that clearly sets out the strategies for addressing liquidity shortfalls in emergencies. Where practical, contingent funding sources should be tested or drawn on periodically to assess their reliability and operational soundness.

10. A regulated entity should maintain adequate reserves of liquid assets, including adequate reserves of unencumbered, marketable securities that can be liquidated to meet unexpected needs.

Applicable Laws, Regulations, and Policies

11. A regulated entity should comply with all applicable laws, regulations, and supervisory guidance (e.g., advisory bulletins) governing the adequacy and maintenance of liquidity and reserves.

Standard 6—Management of Asset and Investment Portfolio Growth

Responsibilities of the Board of Directors and Senior Management

1. Regarding the management of asset and investment portfolio growth, the board of directors is responsible for overseeing the management of growth in these areas, ensuring senior management are appropriately trained and competent, establishing policies governing the regulated entity's assets and investment growth, with prudential limits on the growth of mortgages and mortgage-backed securities, and reviewing policies at least annually.

2. Regarding the management of asset and investment portfolio growth, senior management should adhere to board-approved policies governing growth in these areas, and ensure personnel are appropriately trained and competent to manage the growth.

Risk Measurement, Monitoring, and Control

3. A regulated entity should manage its asset growth and investment growth in a prudent manner that is consistent with the regulated entity's business strategy, board-approved policies, risk tolerances, and safe and sound operations, and should establish prudential limits on the growth of its portfolios of mortgage loans and mortgage-backed securities.

4. A regulated entity should manage asset growth and investment growth in a way that is compatible with mission goals and objectives.

5. A regulated entity should manage investments and acquisition of assets in a way that complies with all applicable laws, regulations, and supervisory guidance (e.g., advisory bulletins).

Standard 7—Investments and Acquisitions of Assets

Responsibilities of the Board of Directors and Senior Management

1. The board of directors is responsible for overseeing the regulated entity's investments and acquisition of other assets, ensuring senior management are appropriately trained and competent, and establishing, approving and periodically reviewing policies and procedures governing investments and acquisitions of other assets.

Policies, Practices, and Procedures

2. A regulated entity should have a board-approved investment policy that establishes clear and explicit guidelines that are appropriate to the regulated entity's mission and objectives. The investment policy should establish the regulated entity's investment objectives, risk tolerances, investment constraints, and policies and procedures for selecting investments.

3. A regulated entity should have a board-approved policy governing acquisitions of major categories of assets other than investments. The policy should establish clear and explicit guidelines for asset acquisitions that are appropriate to the regulated entity's mission and objectives.

4. A regulated entity should manage investments and acquisitions of assets prudently and in a manner that is consistent with mission goals and objectives.

5. Each Bank's investment policies and acquisition of assets should take into account the importance of maintaining the market value of member stock commensurate with the par value of that stock so that the Bank is able to redeem and repurchase member stock at par value at all times.

6. A regulated entity should manage investments and acquisitions of assets in a way that complies with all applicable laws, regulations, and supervisory guidance (e.g., advisory bulletins).

Standard 8—Overall Risk Management Processes

Responsibilities of the Board of Directors

1. Regarding overall risk management processes, the board of directors is responsible for overseeing the process, ensuring senior management are appropriately trained and competent, ensuring processes are in place to identify, manage, monitor and control risk exposures (this function may be delegated to a board appointed committee), approving all major risk limits, and ensuring incentive compensation measures for senior management capture a full range of risks.

Responsibilities of the Board and Senior Management

2. Regarding overall risk management processes, the board of directors and senior management should establish and sustain a culture that promotes effective risk management. This culture includes timely, accurate and informative risk reports, alignment of the regulated entity's overall risk profile with its mission objectives, and the annual review of comprehensive self-assessments of material risks.

Independent Risk Management Function

3. A regulated entity should have an independent risk management function, or unit, with responsibility for risk measurement and risk monitoring, including monitoring and enforcement of risk limits.

4. The chief risk officer should head the risk management function.

5. The chief risk officer should report directly to the chief executive officer and the risk committee of the board of directors.

6. The risk management function should have adequate resources, including a well-trained and capable staff.

Risk Measurement, Monitoring, and Control

7. A regulated entity should measure, monitor, and control its overall risk exposures, reviewing market, credit, liquidity, and operational risk exposures on both a business unit (or business segment) and enterprise-wide basis.

8. A regulated entity should have the risk management systems to generate, at an appropriate frequency, the information needed to manage risk. Such systems should include systems for market, credit, operational, and liquidity risk analysis, asset and liability management, regulatory reporting, and performance measurement.

9. A regulated entity should have a comprehensive set of risk limits and monitoring procedures to ensure that risk exposures remain within established risk limits, and a mechanism for reporting violations and breaches of risk limits to senior management and the board of directors.

10. A regulated entity should ensure that it has sufficient controls around risk measurement models to ensure the completeness, accuracy, and timeliness of risk information.

11. A regulated entity should have adequate and well-tested disaster recovery and business resumption plans for all major systems and have remote facilities to limit the impact of disruptive events.

Applicable Laws, Regulations, and Policies

12. A regulated entity should comply with all applicable laws, regulations, and supervisory guidance (e.g., advisory bulletins) governing the management of risk.

Standard 9—Management of Credit and Counterparty Risk

Responsibilities of the Board of Directors and Senior Management

1. Regarding the management of credit and counterparty risk, the board of directors and senior management are responsible for ensuring that the regulated entity has appropriate policies, procedures, and systems that cover all aspects of credit administration, including credit pricing, underwriting, credit limits, collateral standards, and collateral valuation procedures. This should also include derivatives and the use of clearing houses. They are also responsible for ensuring personnel are appropriately trained, competent, and equipped with the necessary tools, procedures and systems to assess risk.

2. Senior management should provide the board of directors with regular briefings and reports on credit exposures.

Policies, Procedures, Controls, and Systems

3. A regulated entity should have policies that limit concentrations of credit risk and systems to identify concentrations of credit risk.

4. A regulated entity should establish prudential limits to restrict exposures to a single counterparty that are appropriate to its business model.

5. A regulated entity should establish prudential limits to restrict exposures to groups of related counterparties that are appropriate to its business model.

6. A regulated entity should have policies, procedures, and systems for evaluating credit risk that will enable it to make informed credit decisions.

7. A regulated entity should have policies, procedures, and systems for evaluating credit risk that will enable it to ensure that claims are legally enforceable.

8. A regulated entity should have policies and procedures for addressing problem credits.

9. A regulated entity should have an ongoing credit review program that includes stress testing and scenario analysis.

Applicable Laws, Regulations, and Policies

10. A regulated entity should manage credit and counterparty risk in a way that complies with applicable laws, regulations, and supervisory guidance (e.g., advisory bulletins).

Standard 10—Maintenance of Adequate Records

1. A regulated entity should maintain financial records in compliance with Generally Accepted Accounting Principles (GAAP), FHFA guidelines, and applicable laws and regulations.

2. A regulated entity should ensure that assets are safeguarded and financial and operational information is timely and reliable.

3. A regulated entity should have a records retention program consistent with laws and corporate policies, including accounting policies, as well as personnel that are appropriately trained and competent to oversee and implement the records management plan.

4. A regulated entity, with oversight from the board of directors, should conduct a review and approval of the records retention program and records retention schedule for all types of records at least once every two years.

5. A regulated entity should ensure that reporting errors are detected and corrected in a timely manner.

6. A regulated entity should comply with all applicable laws, regulations, and supervisory guidance (e.g., advisory bulletins) governing the maintenance of adequate records.

[77 FR 33959, June 8, 2012, as amended at 80 FR 72336, Nov. 19, 2015]
