Title 12

SECTION 252.144

252.144 Risk-management and risk-committee requirements for foreign banking organizations with total consolidated assets of $100 billion or more but combined U.S. assets of less than $100 billion.

§ 252.144 Risk-management and risk-committee requirements for foreign banking organizations with total consolidated assets of $100 billion or more but combined U.S. assets of less than $100 billion.

(a) Risk-management and risk-committee requirements for foreign banking organizations with combined U.S. assets of less than $50 billion - (1) U.S. risk committee certification. A foreign banking organization with average combined U.S. assets of less than $50 billion must, on an annual basis, certify to the Board that it maintains a committee of its global board of directors (or equivalent thereof), on a standalone basis or as part of its enterprise-wide risk committee (or equivalent thereof) that:

(i) Oversees the risk-management policies of the combined U.S. operations of the foreign banking organization; and

(ii) Includes at least one member having experience in identifying, assessing, and managing risk exposures of large, complex firms.

(2) Timing of certification. The certification required under paragraph (a) of this section must be filed on an annual basis with the Board concurrently with the FR Y-7.

(b) Risk-management and risk-committee requirements for foreign banking organizations with combined U.S. assets of $50 billion or more but less than $100 billion - (1) U.S. risk committee - (i) General. A foreign banking organization subject to this this subpart and with average combined U.S. assets of $50 billion or more must maintain a U.S. risk committee that approves and periodically reviews the risk-management policies of the combined U.S. operations of the foreign banking organization and oversees the risk-management framework of such combined U.S. operations.

(ii) Risk-management framework. The foreign banking organization's risk-management framework for its combined U.S. operations must be commensurate with the structure, risk profile, complexity, activities, and size of its combined U.S. operations and consistent with its enterprise-wide risk management policies. The framework must include:

(A) Policies and procedures establishing risk-management governance, risk-management procedures, and risk-control infrastructure for the combined U.S. operations of the foreign banking organization; and

(B) Processes and systems for implementing and monitoring compliance with such policies and procedures, including:

(1) Processes and systems for identifying and reporting risks and risk-management deficiencies, including regarding emerging risks, on a combined U.S. operations basis and ensuring effective and timely implementation of actions to address emerging risks and risk-management deficiencies;

(2) Processes and systems for establishing managerial and employee responsibility for risk management of the combined U.S. operations;

(3) Processes and systems for ensuring the independence of the risk-management function of the combined U.S. operations; and

(4) Processes and systems to integrate risk management and associated controls with management goals and the compensation structure of the combined U.S. operations.

(iii) Placement of the U.S. risk committee. (A) A foreign banking organization that conducts its operations in the United States solely through a U.S. intermediate holding company must maintain its U.S. risk committee as a committee of the board of directors of its U.S. intermediate holding company (or equivalent thereof).

(B) A foreign banking organization that conducts its operations through U.S. branches or U.S. agencies (in addition to through its U.S. intermediate holding company, if any) may maintain its U.S. risk committee either:

(1) As a committee of the global board of directors (or equivalent thereof), on a standalone basis or as a joint committee with its enterprise-wide risk committee (or equivalent thereof); or

(2) As a committee of the board of directors of its U.S. intermediate holding company (or equivalent thereof), on a standalone basis or as a joint committee with the risk committee of its U.S. intermediate holding company required pursuant to § 252.147(e)(3).

(iv) Corporate governance requirements. The U.S. risk committee must meet at least quarterly and otherwise as needed, and must fully document and maintain records of its proceedings, including risk-management decisions.

(v) Minimum member requirements. The U.S. risk committee must:

(A) Include at least one member having experience in identifying, assessing, and managing risk exposures of large, complex financial firms; and

(B) Have at least one member who:

(1) Is not an officer or employee of the foreign banking organization or its affiliates and has not been an officer or employee of the foreign banking organization or its affiliates during the previous three years; and

(2) Is not a member of the immediate family, as defined in 12 CFR 225.41(b)(3), of a person who is, or has been within the last three years, an executive officer, as defined in 12 CFR 215.2(e)(1) of the foreign banking organization or its affiliates.

(2) [Reserved]

(c) U.S. chief risk officer - (1) General. A foreign banking organization with average combined U.S. assets of $50 billion or more but less than $100 billion or its U.S. intermediate holding company, if any, must appoint a U.S. chief risk officer with experience in identifying, assessing, and managing risk exposures of large, complex financial firms.

(2) Responsibilities. (i) The U.S. chief risk officer is responsible for overseeing:

(A) The measurement, aggregation, and monitoring of risks undertaken by the combined U.S. operations;

(B) The implementation of and ongoing compliance with the policies and procedures for the foreign banking organization's combined U.S. operations set forth in paragraph (b)(1)(ii)(A) of this section and the development and implementation of processes and systems set forth in paragraph (b)(1)(ii)(B) of this section; and

(C) The management of risks and risk controls within the parameters of the risk-control framework for the combined U.S. operations, and the monitoring and testing of such risk controls.

(ii) The U.S. chief risk officer is responsible for reporting risks and risk-management deficiencies of the combined U.S. operations, and resolving such risk-management deficiencies in a timely manner.

(3) Corporate governance and reporting. The U.S. chief risk officer must:

(i) Receive compensation and other incentives consistent with providing an objective assessment of the risks taken by the combined U.S. operations of the foreign banking organization;

(ii) Be employed by and located in the U.S. branch, U.S. agency, U.S. intermediate holding company, if any, or another U.S. subsidiary;

(iii) Report directly to the U.S. risk committee and the global chief risk officer or equivalent management official (or officials) of the foreign banking organization who is responsible for overseeing, on an enterprise-wide basis, the implementation of and compliance with policies and procedures relating to risk-management governance, practices, and risk controls of the foreign banking organization unless the Board approves an alternative reporting structure based on circumstances specific to the foreign banking organization;

(iv) Regularly provide information to the U.S. risk committee, global chief risk officer, and the Board regarding the nature of and changes to material risks undertaken by the foreign banking organization's combined U.S. operations, including risk-management deficiencies and emerging risks, and how such risks relate to the global operations of the foreign banking organization; and

(v) Meet regularly and as needed with the Board to assess compliance with the requirements of this section.

(d) Responsibilities of the foreign banking organization. The foreign banking organization must take appropriate measures to ensure that its combined U.S. operations implement the risk-management policies overseen by the U.S. risk committee described in paragraph (a) or (b) of this section, and its combined U.S. operations provide sufficient information to the U.S. risk committee to enable the U.S. risk committee to carry out the responsibilities of this subpart.

(e) Noncompliance with this section. If a foreign banking organization does not satisfy the requirements of this section, the Board may impose requirements, conditions, or restrictions relating to the activities or business operations of the combined U.S. operations of the foreign banking organization. The Board will coordinate with any relevant State or Federal regulator in the implementation of such requirements, conditions, or restrictions. If the Board determines to impose one or more requirements, conditions, or restrictions under this paragraph, the Board will notify the organization before it applies any requirement, condition, or restriction, and describe the basis for imposing such requirement, condition, or restriction. Within 14 calendar days of receipt of a notification under this paragraph, the organization may request in writing that the Board reconsider the requirement, condition, or restriction. The Board will respond in writing to the organization's request for reconsideration prior to applying the requirement, condition, or restriction.

[84 FR 59110, Nov. 1, 2019]