MVA White Collar Defense, Investigations, and Regulatory Advice Blog

On October 21, 2024, the Office of the Comptroller of the Currency (OCC) finalized revisions to its Guidelines Establishing Standards for Recovery Planning by Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches at 12 CFR Part 30, Appendix E (Revised Guidelines). The Revised Guidelines continue the regulatory trend following the 2023 bank failures of lowering the threshold at which financial institutions become subject to requirements aimed at promoting their resiliency—in this case, from $250 billion to $100 billion in average consolidated assets (Covered Banks). This will result in Covered Banks in the $100 billion to under $250 billion range having to develop and annually review recovery plans for the first time since 2018. Moreover, all Covered Banks will be subject to new requirements to test their plans and incorporate non-financial risk, with standards that differ from those applicable to resolution plans under the Federal Deposit Insurance Corporation’s (FDIC) recently finalized rule for insured depository institutions (IDI Rule) and Section 165(d) of the Dodd-Frank Act (165(d) Plans). As a result, Covered Banks of all sizes will need to reexamine and update their recovery planning processes. These changes are effective as of January 1, 2025, and are subject to staggered compliance dates.

Background

The original Guidelines were issued on September 26, 2016, in response to the 2008 financial crisis. The OCC issued the Guidelines under the view that advance recovery planning would reduce the risk of bank failure and enable banks to effectively deal with severe stress events and return to a position of strength following such events. The Guidelines require Covered Banks to have a recovery plan in place that includes qualitative risk indicators reflecting the Covered Bank’s vulnerabilities, options the Covered Bank could implement in the event of severe stress, and an assessment and description of how these options would impact the Covered Bank. The original Guidelines applied to banks with consolidated assets of $50 billion or more, but in 2018 this threshold was raised to $250 billion based on the OCC’s view that larger, more complex banks presented a greater systemic risk to the financial system and would benefit most from recovery planning.

On July 3, 2024, the OCC proposed revisions to the Guidelines, which the Revised Guidelines adopt largely without change, as described below.

Lowered $100 Billion Threshold

In adopting this change from its proposal, the OCC noted that the March 2023 bank failures, which impacted banks in the $100 billion to under $250 billion threshold, underscored the importance of recovery plans for banks of this size to address contagion effects and systemic risks. The Revised Guidelines also change the definition of a “Covered Bank” to clarify that the “average total consolidated assets” criterion is based on the average of the “total assets” line of the institution’s call report over the four most recent consecutive quarters, not the “average total consolidated assets” line. The OCC reserved the authority to apply the Revised Guidelines to banks under the $100 billion threshold if it determines that the bank is highly complex or otherwise presents a heightened risk that warrants application of the Revised Guidelines.

While the lowered threshold will result in additional required documentation for Covered Banks in the $100 billion to under $250 billion range, banks of this size are subject to similar requirements under the IDI Rule and can leverage the information from their submissions to the FDIC to meet certain of the OCC’s requirements.  For example, under the IDI Rule, IDIs must submit information on franchise components that could be separated from the institution in stress, which may overlap with recovery options or be developed through the same analysis. 

Incorporation of Testing Standard

The Revised Guidelines require a Covered Bank to conduct testing at least annually, and following any significant changes to the plan made in response to a material event. While Covered Banks must also conduct testing in connection with their resolution planning, the testing required by the OCC is different because the Revised Guidelines state it should validate the effectiveness of the recovery plan. By contrast, the testing required by the FDIC under the IDI Rule and the FDIC and the Board of Governors of the Federal Reserve System under their guidance related to 165(d) Plans is focused on testing of the capabilities underlying the plan.

The OCC declined to revise the testing standard from validation to a capabilities assessment in response to comments on the proposal requesting alignment with the resolution planning standard. However, it did clarify in the preamble that by “validation,” it expects a Covered Bank to confirm through testing that the plan can accomplish its intended goals, which would not require execution of a recovery option. The OCC also updated other elements of the testing requirement in the Revised Guidelines in response to comments. Based on feedback that a Covered Bank may not be able to validate the effectiveness of all required elements of the plan—for example, the bank’s organizational and legal entity structure—the Revised Guidelines state that a Covered Bank only must “consider” each required element in its testing. In response to comments, the OCC also incorporated into the Revised Guidelines its expectation that testing will be risk-based and appropriate for the bank’s size, risk profile, activities, and complexity.

The preamble provides some insight into the OCC’s expectations regarding testing—for example, that a Covered Bank may simulate severe non-financial and financial stress scenarios and that testing should include ensuring triggers are appropriately tailored to the bank’s particular vulnerabilities and will effectively provide timely notice of severe stress. However, the OCC’s determination not to provide a more prescriptive testing standard or align it to the resolution planning standards will likely leave specific expectations to be developed through its engagement with, and feedback to, the Covered Banks as they develop and conduct testing.

Clarification of Role of Non-Financial and Strategic Risk

The Revised Guidelines add an explicit requirement for a Covered Bank to consider both financial risk and non-financial risk, including operational and strategic risk, in its recovery plan.  The preamble indicates this requirement is based on the OCC’s experience that Covered Banks have generally been successful in considering and addressing financial risks in their recovery plans, but have been less consistent in addressing non-financial risks. The Revised Guidelines also implement conforming changes to the definitions of “recovery” and “trigger” and to the required recovery plan elements of “trigger” and “impact assessment.”

As a result, Covered Banks will need to include within their suite of triggers specific triggers that are aimed at indicating non-financial stress. This is a change even for the current Covered Banks, as the trigger guidance relevant to 165(d) Plans is largely focused on capital and liquidity metrics. Even where operational and strategic risk are implemented into existing early warning indicators or other metrics that do not lead to activation of the recovery plan, Covered Banks will need to consider whether these metrics are sufficient and ensure their protocols result in appropriate escalation of a breach for consideration of corrective action. The OCC noted in the preamble in response to comments that the Revised Guidelines give Covered Banks discretion to differentiate between responses to breaches of financial or non-financial triggers and that the breach of a non-financial trigger may not necessitate execution of a specific recovery option. 

The addition of a requirement to consider non-financial risk follows recent focus by the OCC on operational risk, which the OCC described as “elevated” in its Semiannual Risk Perspectives released in June 2024.  Acting Comptroller of the Currency Michael Hsu has spoken repeatedly about operational risk in 2024—in particular, the expanding threat of disruption due to growth in technology and third party services—and the OCC has previewed it is working on an advance notice of proposed rulemaking on operational resilience standards for critical operations.

Effective Date and Compliance

The Revised Guidelines become effective on January 1, 2025, with staggered compliance dates, which the OCC extended by 6 months for the testing provisions only in response to comments. As of the effective date, banks that are currently Covered Banks will have 12 months to amend their recovery plans to address non-financial risks, and 18 months to comply with the new testing provisions. Banks that are not currently Covered Banks, but will become Covered Banks on or after the effective date, will have 12 months to develop a recovery plan, and 24 months to comply with the testing provisions.

New Covered Banks will need this time to develop their plans while existing Covered Banks will need to examine all aspects of their recovery plans due to the broad directive to consider non-financial risk. The additional time to comply with the testing requirement will also be necessary as Covered Banks are simultaneously working through the IDI Rule’s testing components and considering the testing and validation of resilience capabilities likely to be a part of the OCC’s upcoming advance notice of proposed rulemaking.