Appendix to Part 1236 - Prudential Management and Operations Standards
The following provisions constitute the prudential management
and operations standards established pursuant to 12 U.S.C.
4513b(a).
General Responsibilities of the Board of Directors and Senior
Management
The following provisions address the general responsibilities of
the boards of directors and senior management of the regulated
entities as they relate to the matters addressed by each of the
Standards. The descriptions are not a comprehensive listing of the
responsibilities of either the boards or senior management, each of
whom has additional duties and responsibilities to those described
in these Standards.
Responsibilities of the Board of Directors
1. With respect to the subject matter addressed by each
Standard, the board of directors is responsible for adopting
business strategies and policies that are appropriate for the
particular subject matter. The board should review all such
strategies and policies periodically. It should review and approve
all major strategies and policies at least annually and make any
revisions that are necessary to ensure that such strategies and
policies remain consistent with the entity's overall business
plan.
2. The board of directors is responsible for overseeing
management of the regulated entity, which includes ensuring that
management includes personnel who are appropriately trained and
competent to oversee the operation of the regulated entity as it
relates to the functions and requirements addressed by each
Standard, and that management implements the policies set forth by
the board.
3. The board of directors is responsible for remaining informed
about the operations and condition of the regulated entity,
including operating consistently with the Standards, and senior
management's implementation of the strategies and policies
established by the board of directors.
4. The board of directors must remain sufficiently informed
about the nature and level of the regulated entity's overall risk
exposures, including market, credit, and counterparty risk, so that
it can understand the possible short- and long-term effects of
those exposures on the financial health of the regulated entity,
including the possible short- and long-term consequences to
earnings, liquidity, and economic value. The board of directors
should: establish the regulated entity's risk tolerances and should
provide management with clear guidance regarding the level of
acceptable risks; review the regulated entity's entire market risk
management framework, including policies and entity-wide risk
limits at least annually; oversee the adequacy of the actions taken
by senior management to identify, measure, manage, and control the
regulated entity's risk exposures; and ensure that management takes
appropriate corrective measures whenever market risk limit
violations or breaches occur.
Responsibilities of Senior Management
5. With respect to the subject matter addressed by each
Standard, senior management is responsible for developing the
policies, procedures and practices that are necessary to implement
the business strategies and policies adopted by the board of
directors. Senior management should ensure that such items are
clearly written, sufficiently detailed, and are followed by all
personnel. Senior management also should ensure that the regulated
entity has personnel who are appropriately trained and competent to
carry out their respective functions and that all delegated
responsibilities are performed.
6. Senior management should ensure that the regulated entity has
adequate resources, systems and controls available to execute
effectively the entity's business strategies, policies and
procedures, including operating consistently with each of the
Standards.
7. Senior management should provide the board of directors with
periodic reports relating to the regulated entity's condition and
performance, including the subject matter addressed by each of the
Standards, that are sufficiently detailed to allow the board of
directors to remain fully informed about the business of the
regulated entity.
8. Senior management should regularly review and discuss with
the board of directors information regarding the regulated entity's
risk exposures that is sufficient in detail and timeliness to
permit the board of directors to understand and assess the
performance of management in identifying and managing the various
risks to which the regulated entity is exposed.
Responsibilities of the Board of Directors and Senior Management
9. The board of directors and senior management should conduct
themselves in such a manner as to promote high ethical standards
and a culture of compliance throughout the organization.
10. The board of directors and senior management should ensure
that the regulated entity's overall risk profile is aligned with
its mission objectives.
Standard 1 - Internal Controls and Information Systems
Responsibilities of the Board of Directors
1. Regarding internal controls and information systems, the
board of directors of each regulated entity should adopt
appropriate policies, ensure personnel are appropriately trained
and competent, approve and periodically review overall business
strategies, approve the organizational structure, and assess the
adequacy of senior management's oversight of this function.
Responsibilities of Senior Management
2. Regarding internal controls and information systems, senior
management should implement strategies and policies approved by the
board of directors, establish appropriate policies, monitor the
adequacy and effectiveness of this function, and ensure personnel
are appropriately trained and competent. The organizational
structure should clearly assign responsibility, authority, and
reporting relationships.
Responsibilities of the Board of Directors and Senior Management
3. Regarding internal controls and information systems, both the
board of directors and senior management should promote high
ethical standards, create a culture that emphasizes the importance
of this function, and promptly address any issues in need of
remediation.
Framework
4. The regulated entity should have an adequate and effective
system of internal controls, which should include a board approved
organizational structure that clearly assigns responsibilities,
authority, and reporting relationships, and establishes an
appropriate segregation of duties that ensures that personnel are
not assigned conflicting responsibilities.
5. The regulated entity should establish appropriate internal
control policies and should monitor the adequacy and effectiveness
of its internal controls and information systems on an ongoing
basis through a formal self-assessment process.
6. The regulated entity should have an organizational culture
that emphasizes and demonstrates to personnel at all levels the
importance of internal controls.
7. The regulated entity should address promptly any violations,
findings, weaknesses, deficiencies, and other issues in need of
remediation relating to the internal control systems.
Risk Recognition and Assessment
8. A regulated entity should have an effective risk assessment
process that ensures that management recognizes and continually
assesses all material risks, including credit risk, market risk,
interest rate risk, liquidity risk, and operational risk.
Control Activities and Segregation of Duties
9. A regulated entity should have an effective internal control
system that defines control activities at every business level.
10. A regulated entity's control activities should include:
a. Board of directors and senior management reviews of progress
toward goals and objectives;
b. Appropriate activity controls for each business unit;
c. Physical controls to protect property and other assets and
limit access to property and systems;
d. Procedures for monitoring compliance with exposure limits and
follow-up on non-compliance;
e. A system of approvals and authorizations for transactions
over certain limits; and
f. A system for verification and reconciliation of
transactions.
Information and Communication
11. A regulated entity should have information systems that
provide relevant, accurate and timely information and data.
12. A regulated entity should have secure information systems
that are supported by adequate contingency arrangements.
13. A regulated entity should have effective channels of
communication to ensure that all personnel understand and adhere to
policies and procedures affecting their duties and
responsibilities.
Monitoring Activities and Correcting Deficiencies
14. A regulated entity should monitor the overall effectiveness
of its internal controls and key risks on an ongoing basis and
ensure that business units and internal and external audit conduct
periodic evaluations.
15. Internal control deficiencies should be reported to senior
management and the board of directors on a timely basis and
addressed promptly.
Applicable Laws, Regulations, and Policies
16. A regulated entity should comply with all applicable laws,
regulations, and supervisory guidance (e.g., advisory
bulletins) governing internal controls and information systems.
Standard 2 - Independence and Adequacy of Internal Audit Systems
Audit Committee
1. A regulated entity's board of directors should have an audit
committee that exercises proper oversight and adopts appropriate
policies and procedures designed to ensure the independence of the
internal audit function. The audit committee should ensure that the
internal audit department includes personnel who are appropriately
trained and competent to oversee the internal audit function.
2. The board of directors should review and approve the audit
committee charter at least every three years.
3. The audit committee of the board of directors is responsible
for monitoring and evaluating the effectiveness of the regulated
entity's internal audit function.
4. Issues reported by the internal audit department to the audit
committee should be promptly addressed and satisfactorily
resolved.
Internal Audit Function
5. A regulated entity should have an internal audit function
that provides for adequate testing of the system of internal
controls.
6. A regulated entity should have an independent and objective
internal audit department that reports directly to the audit
committee of the board of directors.
7. A regulated entity's internal audit department should be
adequately staffed with properly trained and competent
personnel.
8. The internal audit department should conduct risk-based
audits.
9. The internal audit department should conduct adequate testing
and review of internal control and information systems.
10. The internal audit department should determine whether
violations, findings, weaknesses and other issues reported by
regulators, external auditors, and others have been promptly
addressed.
Applicable Laws, Regulations, and Policies
11. A regulated entity should comply with applicable laws,
regulations, and supervisory guidance (e.g., advisory
bulletins) governing the independence and adequacy of internal
audit systems.
Standard 3 - Management of Market Risk Exposure
Responsibilities of the Board of Directors
1. Regarding the overall management of market risk exposure, the
board of directors should remain sufficiently informed about the
nature and level of the regulated entity's market risk exposures.
At least annually, the board should review the entire market risk
framework, including policies and risk limits, and provide an
assessment of compliance.
2. Regarding the policies, practices and procedures surrounding
the management of market risk, the board of directors should
approve all major strategies and policies relating to the
management of market risk, ensure all major strategies and policies
are consistent with the overall business plan, establish and
communicate a market risk tolerance, and ensure appropriate
corrective measures are taken when market risk limit violations or
breaches occur.
3. The board, or a board appointed committee, should oversee the
adequacy of actions taken by senior management to identify,
measure, manage, and control market risk exposures, ensure market
risk policies establish lines of authority and responsibility, and
review risk exposures on a periodic basis.
Responsibilities of Senior Management
4. Regarding the overall management of market risk exposure,
senior management should provide sufficient and timely information
to the board of directors, ensure personnel are appropriately
trained and competent, ensure adequate systems and resources are
available to manage and control market risk, report any breaches to
the board of directors (or the appropriate board committee), and
take appropriate remedial action.
5. Regarding the policies, practices, and procedures surrounding
market risk exposure, senior management should ensure market risk
policies and procedures are clearly written, sufficiently detailed,
and followed. Approved policies and procedures should include clear
market risk limits and lines of authority for managing market
risk.
Market Risk Strategy
6. A regulated entity should have a clearly defined and
well-documented strategy for managing market risk, which must be
consistent with its overall business plan, must enable the
regulated entity to identify, manage, monitor, and control the
regulated entity's risk exposures on a business unit and an
enterprise-wide basis, and must ensure that the lines of authority
and responsibility for managing market risk and monitoring market
risk limits are clearly identified. The strategy should specify a
target account, or target accounts, for managing market risk
(e.g., specify whether the objective is to control risk to
earnings, net portfolio value, or some other target, or some
combination of targets), and, if a market risk limit is breached,
should require that the breach be reported to the board of
directors, or the appropriate board committee, and that appropriate
remedial action, including any ordered by the board of directors,
should be taken.
7. Management should ensure that the board of directors is made
aware of the advantages and disadvantages of the regulated entity's
chosen market risk management strategy, as well as those of
alternative strategies, so that the board of directors can make an
informed judgment about the relative efficacy of the different
strategies.
8. A Bank's strategy for managing market risk should take into
account the importance of maintaining the market value of equity of
member stock commensurate with the par value of that stock so that
the Bank is able to redeem and repurchase member stock at par
value.
9. A regulated entity should comply with all applicable laws,
regulations, and supervisory guidance (e.g., advisory
bulletins) governing the independence and adequacy of the
management of market risk exposure.
Standard 4 - Management of Market Risk - Measurement Systems, Risk
Limits, Stress Testing, and Monitoring and Reporting
Risk Measurement Systems
1. A regulated entity should have a risk measurement system (a
model or models) that capture(s) all material sources of market
risk and provide(s) meaningful and timely measures of the regulated
entity's risk exposures, as well as personnel who are appropriately
trained and competent to operate and oversee the risk measurement
system.
2. The risk measurement system should be capable of estimating
the effect of changes in interest rates and other key risk factors
on the regulated entity's earnings and market value of equity over
a range of scenarios.
3. The measurement system should be capable of valuing all
financial assets and liabilities in the regulated entity's
portfolio.
4. The measurement system should address all material sources of
market risk including repricing risk, yield curve risk, basis risk,
and options risk.
5. Management should ensure the integrity and timeliness of the
data inputs used to measure the regulated entity's market risk
exposures, and should ensure that assumptions and parameters are
reasonable and properly documented.
6. The measurement system's methodologies, assumptions, and
parameters should be thoroughly documented, understood by
management, and reviewed on a regular basis.
7. A regulated entity's market risk model should be upgraded
periodically to incorporate advances in risk modeling
technology.
8. A regulated entity should have a documented approval process
for model changes that requires model changes to be authorized by a
party independent of the party making the change.
9. A regulated entity should ensure that its models are
independently validated on a regular basis.
Risk Limits
10. Risk limits should be consistent with the regulated entity's
strategy for managing interest rate risk and should take into
account the financial condition of the regulated entity, including
its capital position.
11. Risk limits should address the potential impact of changes
in market interest rates on net interest income, net income, and
the regulated entity's market value of equity.
Stress Testing
12. A regulated entity should conduct stress tests on a regular
basis for a variety of institution-specific and market-wide stress
scenarios to identify potential vulnerabilities and to ensure that
exposures are consistent with the regulated entity's tolerance for
risk.
13. A regulated entity should use stress test outcomes to adjust
its market risk management strategies, policies, and positions and
to develop effective contingency plans.
14. Special consideration should be given to ensuring that
complex financial instruments, including instruments with complex
option features, are properly valued under stress scenarios and
that the risks associated with options exposures are properly
understood.
15. Management should ensure that the regulated entity's board
of directors or a committee thereof considers the results of stress
tests when establishing and reviewing its strategies, policies, and
limits for managing and controlling interest rate risk.
16. The board of directors and senior management should review
periodically the design of stress tests to ensure that they
encompass the kinds of market conditions under which the regulated
entity's positions and strategies would be most vulnerable.
Monitoring and Reporting
17. A regulated entity should have an adequate management
information system for reporting market risk exposures.
18. The board of directors, senior management, and the
appropriate line managers should be provided with regular,
accurate, informative, and timely market risk reports.
Applicable Laws, Regulations, and Policies
19. A regulated entity should comply with all applicable laws,
regulations, and supervisory guidance (e.g., advisory
bulletins) governing the management of market risk.
Standard 5 - Adequacy and Maintenance of Liquidity and Reserves
Responsibilities of the Board of Directors
1. Regarding the adequacy and maintenance of liquidity and
reserves, the board of directors should review (at least annually)
all major strategies and policies governing this area, approve
appropriate revisions to such strategies and policies, and ensure
senior management are appropriately trained to effectively manage
liquidity.
Responsibilities of Senior Management
2. Regarding the adequacy and maintenance of liquidity and
reserves, senior management should develop strategies, policies,
and practices to manage liquidity risk, ensure personnel are
appropriately trained and competent, and provide the board of
directors with periodic reports on the regulated entity's liquidity
position.
Policies, Practices, and Procedures
3. A regulated entity should establish a liquidity management
framework that ensures it maintains sufficient liquidity to
withstand a range of stressful events.
4. A regulated entity should articulate a liquidity risk
tolerance that is appropriate for its business strategy and its
mission goals and objectives.
5. A regulated entity should have a sound process for
identifying, measuring, monitoring, controlling, and reporting its
liquidity position and its liquidity risk exposures.
6. A regulated entity should establish a funding strategy that
provides effective diversification in the sources and tenor of
funding.
7. A regulated entity should conduct stress tests on a regular
basis for a variety of institution-specific and market-wide stress
scenarios to identify sources of potential liquidity strain and to
ensure that current exposures remain in accordance with each
regulated entity's established liquidity risk tolerance.
8. A regulated entity should use stress test outcomes to adjust
its liquidity management strategies, policies, and positions and to
develop effective contingency plans.
9. A regulated entity should have a formal contingency funding
plan that clearly sets out the strategies for addressing liquidity
shortfalls in emergencies. Where practical, contingent funding
sources should be tested or drawn on periodically to assess their
reliability and operational soundness.
10. A regulated entity should maintain adequate reserves of
liquid assets, including adequate reserves of unencumbered,
marketable securities that can be liquidated to meet unexpected
needs.
Applicable Laws, Regulations, and Policies
11. A regulated entity should comply with all applicable laws,
regulations, and supervisory guidance (e.g., advisory
bulletins) governing the adequacy and maintenance of liquidity and
reserves.
Standard 6 - Management of Asset and Investment Portfolio Growth
Responsibilities of the Board of Directors and Senior Management
1. Regarding the management of asset and investment portfolio
growth, the board of directors is responsible for overseeing the
management of growth in these areas, ensuring senior management are
appropriately trained and competent, establishing policies
governing the regulated entity's assets and investment growth, with
prudential limits on the growth of mortgages and mortgage-backed
securities, and reviewing policies at least annually.
2. Regarding the management of asset and investment portfolio
growth, senior management should adhere to board-approved policies
governing growth in these areas, and ensure personnel are
appropriately trained and competent to manage the growth.
Risk Measurement, Monitoring, and Control
3. A regulated entity should manage its asset growth and
investment growth in a prudent manner that is consistent with the
regulated entity's business strategy, board-approved policies, risk
tolerances, and safe and sound operations, and should establish
prudential limits on the growth of its portfolios of mortgage loans
and mortgage-backed securities.
4. A regulated entity should manage asset growth and investment
growth in a way that is compatible with mission goals and
objectives.
5. A regulated entity should manage investments and acquisition
of assets in a way that complies with all applicable laws,
regulations, and supervisory guidance (e.g., advisory
bulletins).
Standard 7 - Investments and Acquisitions of Assets
Responsibilities of the Board of Directors and Senior Management
1. The board of directors is responsible for overseeing the
regulated entity's investments and acquisition of other assets,
ensuring senior management are appropriately trained and competent,
and establishing, approving and periodically reviewing policies and
procedures governing investments and acquisitions of other
assets.
Policies, Practices, and Procedures
2. A regulated entity should have a board-approved investment
policy that establishes clear and explicit guidelines that are
appropriate to the regulated entity's mission and objectives. The
investment policy should establish the regulated entity's
investment objectives, risk tolerances, investment constraints, and
policies and procedures for selecting investments.
3. A regulated entity should have a board-approved policy
governing acquisitions of major categories of assets other than
investments. The policy should establish clear and explicit
guidelines for asset acquisitions that are appropriate to the
regulated entity's mission and objectives.
4. A regulated entity should manage investments and acquisitions
of assets prudently and in a manner that is consistent with mission
goals and objectives.
5. Each Bank's investment policies and acquisition of assets
should take into account the importance of maintaining the market
value of member stock commensurate with the par value of that stock
so that the Bank is able to redeem and repurchase member stock at
par value at all times.
6. A regulated entity should manage investments and acquisitions
of assets in a way that complies with all applicable laws,
regulations, and supervisory guidance (e.g., advisory
bulletins).
Standard 8 - Overall Risk Management Processes
Responsibilities of the Board of Directors
1. Regarding overall risk management processes, the board of
directors is responsible for overseeing the process, ensuring
senior management are appropriately trained and competent, ensuring
processes are in place to identify, manage, monitor and control
risk exposures (this function may be delegated to a board appointed
committee), approving all major risk limits, and ensuring incentive
compensation measures for senior management capture a full range of
risks.
Responsibilities of the Board and Senior Management
2. Regarding overall risk management processes, the board of
directors and senior management should establish and sustain a
culture that promotes effective risk management. This culture
includes timely, accurate and informative risk reports, alignment
of the regulated entity's overall risk profile with its mission
objectives, and the annual review of comprehensive self-assessments
of material risks.
Independent Risk Management Function
3. A regulated entity should have an independent risk management
function, or unit, with responsibility for risk measurement and
risk monitoring, including monitoring and enforcement of risk
limits.
4. The chief risk officer should head the risk management
function.
5. The chief risk officer should report directly to the chief
executive officer and the risk committee of the board of
directors.
6. The risk management function should have adequate resources,
including a well-trained and capable staff.
Risk Measurement, Monitoring, and Control
7. A regulated entity should measure, monitor, and control its
overall risk exposures, reviewing market, credit, liquidity, and
operational risk exposures on both a business unit (or business
segment) and enterprise-wide basis.
8. A regulated entity should have the risk management systems to
generate, at an appropriate frequency, the information needed to
manage risk. Such systems should include systems for market,
credit, operational, and liquidity risk analysis, asset and
liability management, regulatory reporting, and performance
measurement.
9. A regulated entity should have a comprehensive set of risk
limits and monitoring procedures to ensure that risk exposures
remain within established risk limits, and a mechanism for
reporting violations and breaches of risk limits to senior
management and the board of directors.
10. A regulated entity should ensure that it has sufficient
controls around risk measurement models to ensure the completeness,
accuracy, and timeliness of risk information.
11. A regulated entity should have adequate and well-tested
disaster recovery and business resumption plans for all major
systems and have remote facilities to limit the impact of
disruptive events.
Applicable Laws, Regulations, and Policies
12. A regulated entity should comply with all applicable laws,
regulations, and supervisory guidance (e.g., advisory
bulletins) governing the management of risk.
Standard 9 - Management of Credit and Counterparty Risk
Responsibilities of the Board of Directors and Senior Management
1. Regarding the management of credit and counterparty risk, the
board of directors and senior management are responsible for
ensuring that the regulated entity has appropriate policies,
procedures, and systems that cover all aspects of credit
administration, including credit pricing, underwriting, credit
limits, collateral standards, and collateral valuation procedures.
This should also include derivatives and the use of clearing
houses. They are also responsible for ensuring personnel are
appropriately trained, competent, and equipped with the necessary
tools, procedures and systems to assess risk.
2. Senior management should provide the board of directors with
regular briefings and reports on credit exposures.
Policies, Procedures, Controls, and Systems
3. A regulated entity should have policies that limit
concentrations of credit risk and systems to identify
concentrations of credit risk.
4. A regulated entity should establish prudential limits to
restrict exposures to a single counterparty that are appropriate to
its business model.
5. A regulated entity should establish prudential limits to
restrict exposures to groups of related counterparties that are
appropriate to its business model.
6. A regulated entity should have policies, procedures, and
systems for evaluating credit risk that will enable it to make
informed credit decisions.
7. A regulated entity should have policies, procedures, and
systems for evaluating credit risk that will enable it to ensure
that claims are legally enforceable.
8. A regulated entity should have policies and procedures for
addressing problem credits.
9. A regulated entity should have an ongoing credit review
program that includes stress testing and scenario analysis.
Applicable Laws, Regulations, and Policies
10. A regulated entity should manage credit and counterparty
risk in a way that complies with applicable laws, regulations, and
supervisory guidance (e.g., advisory bulletins).
Standard 10 - Maintenance of Adequate Records
1. A regulated entity should maintain financial records in
compliance with Generally Accepted Accounting Principles (GAAP),
FHFA guidelines, and applicable laws and regulations.
2. A regulated entity should ensure that assets are safeguarded
and financial and operational information is timely and
reliable.
3. A regulated entity should have a records retention program
consistent with laws and corporate policies, including accounting
policies, as well as personnel that are appropriately trained and
competent to oversee and implement the records management plan.
4. A regulated entity, with oversight from the board of
directors, should conduct a review and approval of the records
retention program and records retention schedule for all types of
records at least once every two years.
5. A regulated entity should ensure that reporting errors are
detected and corrected in a timely manner.
6. A regulated entity should comply with all applicable laws,
regulations, and supervisory guidance (e.g., advisory
bulletins) governing the maintenance of adequate records.
[77 FR 33959, June 8, 2012, as amended at 80 FR 72336, Nov. 19,
2015]