The full text on this page is automatically extracted from the file linked above and may contain errors and inconsistencies.
Federal R eserve Bank NEW Y O R K , N.Y. AREA CODE FACSIMILE N e w Yo r k 1 0 0 4 5 -0 0 0 1 212 212 of 720-6375 720-3742 C h e s t e r B. F e l d b e r g E x e c u t iv e V ic e P r e s i d e n t f\l-10*)$3 May 10, 1995 Evaluating the Risk Management and Internal Controls of Securities and Derivative Contracts Used in Nontradina Activities To the Chief Executive Officer of Each Second District State Member Bank, Bank Holding Company, and U.S. Branch and Agency of a Foreign Banking Organization The Federal Reserve System has issued supervisory guidance for its examiners in a supervisory letter, SR 95-17, entitled, "Evaluating the Risk Management and Internal Controls of Securities and Derivative Contracts Used in Nontrading Activities". The letter, a copy of which is attached, is designed to complement the Federal Reserve's December 1993 supervisory letter, SR 93-69, on the evaluation of risk management and internal controls in trading activities. The new letter reiterates and supplements existing guidance and directives on both investment and end-user activities presented in various supervisory letters and examination manuals. The guidance in SR 95-17 consists of two parts. The first part highlights key elements of a sound risk management process in the context of both investment and end-user activities. The second part is an appendix that details specific sound practices for managing the credit, market, liquidity, operational and legal risks of an institution's investment and end-user activities. Over the past year, we have carefully reviewed several situations in which banking companies have experienced losses in their nontrading derivatives and securities activities, and we have observed a number of common problems and pitfalls. We would especially highlight the following areas of potential vulnerability: FEDERAL RESERVE BANK OF NEW YORK 2 May 10, 1995 1. Where the bank has relied on a single employee's expertise to engage in complex derivatives and securities activities, and senior management, immediate supervisors, back office staff and internal control personnel lacked sufficient knowledge and experience to understand and control the level of risk taking; 2. Where the bank has relied on investment policies or transaction authorities that were not specific with respect to acceptable levels of market risk, leverage, and market liquidity, such as an investment policy that defined permissible investments solely in terms of maturity and credit quality, and therefore did not reflect the availability of financial instruments with greater loss potential from market and liquidity risks than many traditional bank investments. 3. Where the bank has lacked the accounting policies, management information systems and procedures to obtain periodic market valuations of instruments or portfolios that would have enabled the bank to recognize losses in a timely manner, to prevent loss deferral through extensions of maturity or other alteration of contract terms, and to detect the use of complex instruments to mask unusual or large market risk positions. 4. Where the bank has effectively sold optionality (i.e., has written financial or other options) embedded in complex derivatives or securities transactions without adequate knowledge and risk management systems to understand the option and market liquidity risks associated with the transactions. In each of these areas, the letter provides a description of sound banking practices that address these pitfalls. Financial innovation is one of the strengths of the U.S. financial system, and banking institutions, as dealers, investors and end-users, have benefitted greatly over the last 25 years from broad latitude to create and use new financial instruments and new financial management techniques. Thus, the FEDERAL RESERVE BANK OF NEW YORK 3 May 10, 1995 cautions given in the attached document should not be construed as discouraging the use of innovative or complex financial products. To the contrary, prudent management by each financial market participant of its securities and derivatives activities is in the long-run interest of all market participants. That means that banking companies need to take special care with products that are innovative or complex. The Federal Reserve Bank of New York is interested in your comments and questions on the attached letter or on other supervisory matters related to capital markets activities. Additional information about the management of securities and derivative positions can be found in the Federal Reserve's Trading Activities Manual. Please direct any questions concerning this letter to Christine M. Cumming, Senior Vice President (212-720-1830), Kausar Hamdani, Assistant Vice President (212-720-8258), or Brian Peters, Supervising Examiner (212-720-2715). Yours sincerely, Chester B. Feldberg Executive Vice President W83 BOARD OF GOVERNORS O F THE FEDERAL RESERVE SYSTEM WASHWGTON. D. C. 20551 SR 95-17 (SUP) D tV SIO N OF BANUNG S U FB tV B IO N AND REGULATION March 28, 1995 TO THE OFFICER IN CHARGE OF SUPERVISION AT EACH FEDERAL RESERVE BANK SUBJECT: Evaluating the Risk Management and Internal Controls of Securities and Derivative Contracts Used in Nontrading Activities SR 93-69 on "Risk Management and Internal Controls for Trading Activities of Banking Organizations" highlighted the key elements of a sound risk management process and emphasized the importance of applying them to the trading and derivatives activities of banking institutions. It also provided examiners guidance on evaluating the risk management process and internal controls of trading activities. This document provides similar guidance on evaluating the risk management practices used by banking institutions in acquiring and managing securities and off-balance-sheet (OBS) derivative contracts for nontrading purposes. Traditionally, these "nontrading" activities have been termed investment activities in the case of securities and end-user activities for OBS derivative contracts. Institutions should ensure that they employ sound risk management practices consistently across these varying product categories regardless of legal characteristics or nomenclature. Scope of "Nontrading1 Activities and Guidance 1 This guidance specifically targets the risk management practices of state member banks and Edge Act corporations engaged in banking. The basic principles also apply to bank holding companies, which should manage and control aggregate risk exposures on a consolidated basis, while recognizing legal distinctions and possible obstacles to cash movements among subsidiaries.1 More generally, the principles advanced here set forth fundamental risk management practices that are relevant to most portfolio management endeavors. Institutions should review the applicability of these principles in providing trust and investment management services. 1 The basic principles set forth in this guidance should also be incorporated into the policies of U.S. branches and agencies of foreign banks with appropriate adaptations to reflect the facts that: 1) those offices are an integral part of a foreign bank which should be managing its risks on a consolidated basis and recognizing possible obstacles to cash movements among branches, and 2) the foreign bank is subject to overall supervision by its home authorities. -2- For the purpose of this guidance, an institution’s nontrading activities involve the use of securities (both available for sale and held to maturity) and OBS derivative contracts to achieve earnings and risk management objectives that involve longer time horizons than typically associated with trading activities. Nontrading activities involve the full array of cash securities, money market instruments, and OBS derivative contracts.2 Cash securities include fixed- and floating-rate notes and bonds, structured notes, mortgage pass-through and other asset-backed securities, and mortgage derivative products. OBS derivative contracts include swaps, futures and options. Overview of Guidance This guidance reiterates and supplements existing guidance and directives on the use of these instruments for nontrading purposes as provided in various supervisory letters and examination manuals.3 It identifies basic factors that examiners should consider in evaluating the four key elements of a sound risk management process: I. Active board and senior management oversight; II. Adequate risk management policies and limits; III. Appropriate risk measurement and reporting systems; and, IV. Comprehensive internal controls. The appendix to this guidance identifies important policy considerations related to specific risks and should receive special attention. It contains specific guidance for evaluating an 2 In general terms, derivatives are financial contracts whose value derives from the value of one or more underlying assets, interest rates, exchange rates, commodities, or financial or commodity indexes. 3 Existing policies and examiner guidance on various supervisory topics applicable to securities and off-balance sheet instruments can be found in various chapters of the Commercial Bank Examination Manual, the Bank Holding Company Supervision Manual, the Trust Activities Examination Manual, the Merchant and Investment Bank Examination Manual, and the Trading Activities Examination Manual, as well as in various supervision and regulation (SR) letters, including SR 90-16 on the "Implementation of Examination Guidelines for the Review of Asset Securitization Activities," SR 90-41 on "Interest Rate Risk," SR 91-4 on "Inspections of Investment Adviser Subsidiaries of Bank Holding Companies," SR 92-1 on "Supervisory Policy Statement on Securities Activities," and SR 9369 on "Risk Management and Internal Controls for Trading Activities". Examiners of U.S. branches and agencies of foreign banks should take the principles included in these guidelines into consideration in accordance with the procedures set forth in the Examination Manual for Branches and Agencies of Foreign Banking Organizations. -3- institution’s management of each of the risks involved in these activities, including credit, market, liquidity, operating and legal risks. In evaluating an institution’s risk management process, examiners should consider the nature and size of its holdings. Examiner judgment plays a key role in assessing the adequacy of an institution’s risk management process for securities and derivative contracts. Examiners should focus particular attention on evaluating an institution’s understanding of the risks involved in the instruments it holds. Regardless of any responsibility, legal or otherwise, assumed by a dealer or counterparty regarding a transaction, the acquiring institution is ultimately responsible for understanding and managing the risks of the transactions into which it enters. Failure of an institution to understand adequately the risks involved in its securities or derivative positions, either through the lack of internal expertise or inadequate outside advice, constitutes an unsafe and unsound banking practice. As with all risk-bearing activities, institutions should fully support the risk exposures of nontrading activities with adequate capital. Banking organizations should ensure that their capital positions are sufficiently strong to support all the risks associated with these activities on a fully consolidated basis and should maintain adequate capital in all affiliated entities engaged in these activities. In evaluating the adequacy of an institution’s capital, examiners should consider any unrecognized net depreciation or appreciation in an institution’s securities and derivative holdings.4 I. Board of Directors and Senior Management Oversight Active oversight by the institution’s board of directors and relevant senior management is critical to a sound risk management process. Examiners should ensure that these individuals are aware of their responsibilities and that they adequately perform their appropriate roles in overseeing and managing the risks associated with nontrading activities involving securities and derivative instruments. Board of Directors. The board of directors has the ultimate responsibility for the level of risk taken by the institution. Accordingly, the board should approve overall business strategies and significant policies that govern risk taking, including those involving securities and derivative contracts. In particular, policies identifying managerial oversight and articulating risk tolerances and exposure limits of these activities should be approved by the board of directors. The board should also monitor actively the performance and risk profile of the institution and its various securities and derivative portfolios. Directors should 4 For further guidance, examiners should refer to SR 93-72 on "Guidance on the Capital Treatment and Other Issues Relating to the Financial Accounting Standards Board Statement No. 115, Accounting for Certain Investments in Debt and Equity Securities." -4- review periodically information that is sufficient in detail and timeliness to allow them to understand and assess the credit, market and liquidity risks facing the institution as a whole and its securities and derivative positions in particular. Such reviews should be conducted at least quarterly and more frequently where the institution holds significant positions in complex instruments. In addition, the board should periodically reevaluate the institution’s business strategies and significant risk management policies and procedures, placing special emphasis on the institution’s financial objectives and risk tolerances. The minutes of board meetings and accompanying reports and presentation materials should clearly demonstrate the board’s fulfillment of these basic responsibilities. The appendix provides guidance on the types of objectives, risk tolerances, limits and reports that directors should consider. The board of directors should also conduct and encourage discussions between its members and senior management, as well as between senior management and others in the institution, regarding the institution’s risk management process and risk exposures. Although it is not essential for board members to have detailed technical knowledge of these activities, if they do not, it is incumbent upon them to ensure that they have adequate access to independent legal and professional advice regarding the institution’s securities and derivative holdings and strategies. The familiarity, technical knowledge, and awareness of directors and senior management should be commensurate with the level and nature of an institution’s securities and derivative positions. Senior Management. Senior management is responsible for ensuring that there are adequate policies and procedures for conducting nontrading securities and derivative activities on both a long-range and day-to-day basis. Management should maintain clear lines of authority and responsibility for acquiring instruments and managing risk, appropriate limits on risk taking, adequate systems for measuring risk, acceptable standards for valuing positions and measuring performance, effective internal controls, and a comprehensive risk reporting and risk management review process. In order to provide adequate oversight, management should fully understand the institution’s risk profile, including that of its securities and derivative activities. Examiners should review the reports to senior management and evaluate whether they provide both good summary information and sufficient detail to enable management to assess the sensitivity of securities and derivative holdings to changes in credit quality, market prices and rates, liquidity conditions and other important risk factors. As part of its oversight responsibilities, senior management should review periodically the organization’s risk management procedures to ensure that they remain appropriate and sound. Senior management also should encourage and participate in active discussions with members of the board and with risk management staff regarding risk measurement, reporting and management procedures. Management should ensure that nontrading securities and derivative activities are conducted by competent staff with technical knowledge and experience consistent with the nature and scope of the institution’s activities. There should be sufficient depth in staff resources to manage these activities if key personnel are not available. Management should -5- also ensure that there are sufficient back-office and financial control resources to effectively manage and control risks. Independence in Managing Risks. To avoid possible conflicts of interest, the process of measuring, monitoring, and controlling risks should be managed as independently as practicable from those individuals who have the authority to initiate transactions. The nature and extent of this independence should be commensurate with the size and complexity of an institution’s securities and derivative activities. Institutions with large and complex balance sheets, or with significant holdings of complex instruments, would be expected to have risk managers or risk management functions fully independent of the individuals who have the authority to conduct transactions. Institutions with less complex holdings should ensure that there is some mechanism for independently reviewing both the level of risk exposures created by securities and derivative holdings and the adequacy of the process used in managing those exposures. Depending on the size and nature of the institution, such a mechanism may reside either in the management structure or in a board committee. Regardless of size and sophistication, institutions should ensure that back-office, settlement, and transaction reconciliation responsibilities are conducted and managed by personnel who are independent of those initiating risk taking positions. II. Policies and Procedures for Acquiring and Managing Securities and Derivative Instruments Institutions should maintain written policies and procedures that clearly outline their approach for managing securities and derivative instruments. Such policies should be consistent with the organization’s broader business strategies, capital adequacy, technical expertise, and general willingness to take risk. They should identify relevant objectives, constraints, and guidelines for both acquiring instruments and managing portfolios. In doing so, policies should establish a logical framework for limiting the various risks involved in an institution’s securities and derivative holdings. Policies should clearly delineate lines of responsibility and authority over securities and derivative activities. They should also provide for the systematic review of products new to the firm. Examiners should evaluate the adequacy of an institution’s risk management policies and procedures in relation to its size, sophistication and the scope of its activities. Specifying Objectives. Institutions can use securities and derivative instruments for several primary and complementary purposes.5 Banking organizations should articulate clearly these objectives and identify the types of securities and derivative contracts to be used for achieving diem. Objectives also should be identified at the appropriate 5 Such purposes include, but are not limited to, generating earnings, creating funding opportunities, providing liquidity, hedging risk exposures, taking risk positions, modifying and managing risk profiles, managing tax liabilities, and meeting pledging requirements. -6- portfolio and institutional levels. These objectives should guide the acquisition of individual instruments and should provide benchmarks for evaluating periodically the performance and effectiveness of an institution’s holdings, strategies and programs. Wherever multiple objectives are involved, management should identify the hierarchy of potentially conflicting objectives. Identifying Constraints. Guidelines and Limits. An institution’s policies should articulate clearly the organization’s risk tolerance by identifying its willingness to take the credit, market, and liquidity risks involved in holding securities and derivative contracts. A statement of authorized instruments and activities is an important vehicle for communicating these risk tolerances. This statement should clearly identify permissible instruments or instrument types and the purposes or objectives for which the institution may use them. The statement also should identify permissible credit quality, market risk sensitivity and liquidity characteristics of the instruments and portfolios used in nontrading activities. For example, in the case of market risk, policies should address the permissible degree of price sensitivity and/or effective maturity volatility, taking into account an instrument’s or portfolio’s option and leverage characteristics. Specifications of permissible risk characteristics should be consistent with the institution’s overall credit, market, and liquidity risk limits and constraints and should help delineate a clear set of institutional limits for use in acquiring specific instruments and managing portfolios. Such limits can be specified either as guidelines within the overall policies or in management operating procedures. The appendix provides further guidance on the types of constraints and limits an institution might use in managing the credit, market and liquidity risk of securities and derivative contracts. Limits should be set to guide acquisition and ongoing management decisions, control exposures, and initiate discussion within the organization about apparent opportunities and risks. Although procedures for establishing limits and for operating within them may vary among institutions, examiners should determine whether the organization enforces its policies and procedures through a clearly identified system of risk limits. Positions that exceed established limits should receive the prompt attention of appropriate management and should be resolved according to approved policies. Limits should implement the overall risk tolerances and constraints articulated in general policy statements. Depending on the nature of an institution’s holdings and its general sophistication, limits can be identified with individual business units, portfolios, instrument types or specific instruments. The level of detail of risk limits should reflect the characteristics of the institution’s holdings including the types of risk to which the institution is exposed. Regardless of their specific form or level of aggregation, limits should be consistent with the institution’s overall approach to managing various types of risks. They should also be integrated to the fullest extent possible with institution-wide limits on the same risks as they arise in other activities of the firm. The appendix to this guidance presents specific examiner considerations in evaluating the policies and limits used in managing each of the various types of risks involved in nontrading securities and derivative activities. -7- New Product Review. An institution’s policies should also provide for effective review of products being considered that would be new to the firm. An institution should not acquire a meaningful position in a new instrument until senior management and all relevant personnel (including those in internal control, legal, accounting, and auditing functions) understand the product and can integrate it into the institution’s risk measurement and control systems. An institution’s policies should define the terms "new product" and "meaningful position" consistent with its size, complexity and sophistication. Institutions should not be hesitant to define an instrument as a "new" product. Small changes in payment formulas or other terms of relatively simple and standard products can greatly alter their risk profiles and justify the designation of an instrument as a "new" product. New product reviews should analyze all of the relevant risks involved in an instrument and should assess the reasonableness of the product or activity in achieving specified objectives. New product reviews also should include a description of the relevant accounting guidelines, and identify the procedures for measuring, monitoring and controlling the risks involved. Accounting. The accounting systems and procedures used for public and regulatory reporting purposes are critically important to enhancing the transparency of an institution’s risk profile. Accordingly, an institution’s policies should provide clear guidelines regarding the accounting for all securities and derivative holdings. This treatment should be consistent with specified objectives and with the institution’s regulatory requirements. Institutions should ensure that they categorize each cash or derivative contract for accounting purposes consistent with appropriate accounting policies and requirements. Furthermore, the accounting for nontrading securities and OBS derivative contracts should reflect the economic substance of the transactions.6 Where instruments are used for hedging purposes, the hedging rationale and performance criteria should be well documented. Management should reassess these classifications periodically to ensure that they remain appropriate.7 6 As set forth in the February 1992 Federal Financial Institutions Examination Council (FFIEC) Supervisory Policy Statement on Securities Activities (SR 92-1), inappropriate accounting practices include "adjusted trading." Adjusted trading involves the sale of an instrument at a price above the prevailing market value and the simultaneous purchase and booking of an instrument at a price greater than its market value. 7 Reporting requirements for bank and bank holding company regulatory reports are set forth in the Reports of Condition and Income ("Call Report") for banks and the FR Y-9C for bank holding companies. -8 - III. Risk Measurement. Monitoring Systems and Management Review Clear procedures for measuring and monitoring risks are the foundation of a sound risk management process. Examiners should ensure that an institution sufficiently integrates these functions into its ongoing management process and that relevant personnel recognize their role and understand the instruments held. Risk Measurement. An institution’s system for measuring the credit, market, liquidity and other risks involved in cash and derivative contracts should be as comprehensive and accurate as practicable. The degree of comprehensiveness should be commensurate with the nature of the institution’s holdings and risk exposures. Exposures to each type of risk (i.e., credit, market, liquidity) should be aggregated across securities and derivative contracts and integrated with similar exposures arising from lending and other business activities to obtain the institution’s overall risk profile. Examiners should evaluate whether the risk measures and the risk measurement process are sufficiently robust to reflect accurately the different types of risks facing the institution. Institutions should establish clear risk measurement standards for both the acquisition and on-going management of securities and derivative positions. Risk measurement standards should provide a common framework for limiting and monitoring risks and should be understood by relevant personnel at all levels of the institution— ffom individual managers to the board of directors. Acquisition standards: Institutions conducting securities and derivative activities should have the capacity to evaluate the risks of instruments prior to acquisition. Before executing any transaction, an institution should evaluate the instrument to ensure that it meets the various objectives, risk tolerances and guidelines identified by the institution’s policies. Evaluations of the credit, market and liquidity risk exposures should be clearly and adequately documented for each acquisition. Such documentation should be appropriate for the nature and type of instrument. Relatively simple instruments would be expected to require less documentation than instruments with significant leverage or option characteristics. Institutions with significant securities and derivative activities are expected either to conduct their own in-house pre-acquisition analyses or make use of specific third party analyses that are independent of the seller or counterparty. Analyses provided by the originating dealer or counterparty should be used only when there is a clearly defined investment advisory relationship. Less active institutions with relatively uncomplicated holdings may use risk analyses provided by the dealer only to the extent that the analyses is derived using standard industry calculators and market conventions. Such analyses must comprehensively depict the potential risks involved in the acquisition and should be accompanied by documentation that sufficiently demonstrates that the acquirer understands fully both the analyses and the nature of the institution’s relationship with the provider of that -9- analyses. Notwithstanding information and analyses obtained from outside sources, management is ultimately responsible for understanding the nature and risk profiles of the institution’s securities and derivative holdings. It is a prudent practice to obtain and compare price quotes and risk analyses from more than one dealer prior to acquisition. In doing so, institutions should ensure that they clearly understand the responsibilities of any outside parties that provide analysis and price quotes. With regard to analyses and price quotes provided by dealers, institutions should assume that each party deals at arm’s length for its own account unless there is a written agreement stating the contrary. Institutions should exercise caution in situations in which dealers limit the institution’s ability to show securities or derivative contract proposals to other dealers in order to receive comparative price quotes or risk analyses. As a general sound practice, unless the dealer or counterparty is also acting under a specific investment advisory relationship, an investor or end-user should not acquire an instrument or enter into a transaction if its fair value or the analyses required to assess its risk cannot be determined through a means that is independent of the originating dealer or counterparty. Portfolio Management Standards: Institutions should periodically review the performance and effectiveness of instruments, portfolios, and institutional programs and strategies. Such review should be conducted no less frequently than quarterly and should evaluate the extent to which the institution’s securities and derivative holdings meet the various objectives, risk tolerances and guidelines established by the institution’s policies.8 Institutions with large or highly complex holdings should conduct such reviews more frequently. For internal measurement purposes, effective measurement of the credit, market and liquidity risks of many securities and derivative contracts requires mark-to-market valuations.9 Accordingly, the periodic revaluation of securities and derivative holdings is an integral pan of an effective risk measurement system. These periodic revaluations should be fully documented. Where available, actual market prices should be used. For less liquid or complex instruments, institutions with only limited holdings may use properly documented periodic prices and analyses provided by dealers or counterparties. More active institutions should conduct periodic revaluations and portfolio analyses using either their own in-house capabilities or outside party analytical systems that are independent of sellers or 8 For example, the performance of instruments and portfolios used to meet taxadvantaged earnings objectives should be evaluated to ensure that they meet the necessary credit rating, market sensitivity and liquidity characteristics established for this objective. 9 The Reports of Condition and Income ("Call Report") requires quarterly reporting of the fair value of all securities holdings. -10- counterparties. Institutions should recognize that indicative price quotes and model revaluations may differ from the values at which transactions can be executed. Stress Testing: Analyzing the credit, market and liquidity risk of individual instruments, portfolios, and the entire institution under a variety of unusual and stressful conditions is an important aspect of the risk measurement process. Management should seek to identify the types of situations, or the combinations of credit and market events, that could produce substantial losses or liquidity problems. Since institutions typically manage nontrading securities and derivative contracts with consideration to the institution’s consolidated exposures, management should review the effect of stress situations on an institution-wide basis. Stress tests should evaluate changes in market conditions, including alternatives in the underlying assumptions used to value instruments. Stress tests should not be limited to quantitative exercises that compute potential losses or gains, but should also include qualitative analyses of the tools available to management to deal with various scenarios. Contingency plans outlining operating procedures and lines of communication, both formal and informal, are important products of such qualitative analyses. The appropriate extent and sophistication of an institution’s stress testing depends heavily on the scope and nature of its securities and derivative holdings and on its ability to limit the effect of adverse events. Institutions holding securities or derivative contracts with complex credit, market or liquidity risk profiles should have an established regime of stress testing. Examiners should consider the circumstances at each institution when evaluating the adequacy or need for stress testing procedures. Risk Reporting. An accurate, informative, and timely management information system is essential. Examiners should evaluate the adequacy of an institution’s monitoring and reporting of the risks, returns, and overall performance of security and derivative activities to senior management and the board of directors. The frequency of reporting should provide the responsible individuals with adequate information to judge the changing nature of the institution’s risk profile and to evaluate compliance with stated policy objectives and constraints. Management reports should translate measured risks from technical and quantitative formats to those that can be easily read and understood by senior managers and directors, who may not have specialized and technical knowledge of all financial instruments used by the institution. Institutions should ensure that they use a common conceptual framework for measuring and limiting risks in reports to senior managers and directors. Such reports should include the periodic assessment of the performance of appropriate instruments or portfolios in meeting their stated objective(s) subject to the relevant constraints and risk tolerances. -11- Management Evaluation and Review. Management should regularly review the institution’s approach and process for managing risks. This includes regularly assessing the methodologies, models, and assumptions used to measure risks and to limit exposures. Proper documentation of the elements used in measuring risks is essential for conducting meaningful reviews. Limits should be compared to actual exposures. Such reviews should also consider whether existing measures of exposure and limits are appropriate in view of the institution’s holdings, past performance and current capital position. The frequency of the reviews should reflect the nature of an institution’s holdings and the pace of market innovations in measuring and managing risks. At a minimum, institutions with significant activities involving complex cash or derivative contracts should review the underlying methodologies of the models they use at least annually— more often as market conditions dictate— ensure they are appropriate and and to consistent. Reviews by external auditors or other qualified outside parties, such as consultants with expertise in highly technical models and risk management techniques, may often supplement these internal evaluations. Institutions depending on outside parties to provide various risk measurement capabilities should ensure that the institution has personnel with the necessary expertise to identify and evaluate the important assumptions incorporated in the risk measurement methodologies it uses. IV. Comprehensive Internal Controls and Audit Procedures An institution’s risk management process should be an extension of its overall structure of internal controls. Properly structured, a system of internal controls should promote effective and efficient operations, reliable financial and regulatory reporting, and compliance with relevant laws, regulations, and institutional policies. In determining whether internal controls meet those objectives, examiners should consider the general control environment of the organization; the process for identifying, analyzing and managing risk; the adequacy of management information systems; and adherence to control activities such as approvals, confirmations and reconciliations. Assessing the adequacy of internal controls involves a process of understanding, documenting, evaluating and testing an institution’s internal control system. This assessment should include product reviews that start with an analysis of the organizational structure of securities and derivative activities. Duties should be separated between personnel initiating transactions and personnel overseeing back office operations, internal controls and the management of risk exposures. Examiners should conduct in-depth reviews of the internal controls of all key activities involving securities and derivative contracts. For example, for transaction recording and processing, examiners should evaluate and assess adherence to the written policies and procedures for recording transactions. They should also analyze the transaction -12- processing cycle to ensure the integrity and accuracy of the institution’s records and management reports. Examiners should review all significant internal controls associated with the management of the credit, market, liquidity, operational and legal risks involved in securities and derivative holdings. The examiner should appraise the frequency, scope, and findings of any independent internal and external auditors. This appraisal should include an evaluation of the ability of those auditors to review the institution’s securities and derivative activities. Where applicable, internal auditors should audit and test the risk management process and internal controls periodically. The depth and frequency of internal audits should increase if weaknesses and significant issues exist or if portfolio structures, modeling methodologies, or the overall risk profile of the institution have changed. In reviewing the management of the risks of nontrading securities and derivative activities, internal auditors should thoroughly evaluate the effectiveness of internal controls used for measuring, reporting and limiting risks. Internal auditors should also evaluate compliance with risk limits and the reliability and timeliness of information reported to the institution’s senior management and board of directors. Internal auditors should also evaluate the independence and overall effectiveness of the institution’s risk management process. The level of confidence that examiners place in an institution’s audit programs, the nature of the audit findings and management’s response to those findings will influence the scope of the current examination of securities and derivative activities. Examiners should pay special attention to significant changes in the nature of instruments acquired, risk measurement methodologies, limits, and internal controls that have occurred since the last examination. Significant changes in earnings from securities and derivative contracts, in the size of positions or in the value at risk associated with these activities should also receive attention during the examination. Conclusion The foregoing discussion identified, in broad terms, the key elements of a sound risk management system for acquiring and managing securities and derivative contracts. The appendix presents important guidance for evaluating specific risks— credit, market, liquidity, operating and legal-that institutions encounter in conducting nontrading securities and derivative activities. These guidelines, including those in the appendix, are intended to help examiners, the management and boards of directors of institutions evaluate the adequacy of the risk management process as it applies to the use of securities and derivative contracts in a nontrading environment. However, the nature of these activities and the broad range of circumstances in which these instruments are used by banking organizations requires -13- examiners to apply substantial judgment in their evaluation of management procedures. In the final analysis, examiners must determine whether the institution’s use of securities and derivatives represents a prudent activity in light of the purposes for which they are used. management’s ability to evaluate and control risks, and the capital position of the institution. They should also ensure that depository institutions adopt adequate policies related to securities and derivative transactions, and that all levels of management provide sufficient oversight of the risk management process. For additional information about the management of securities and derivative positions, examiners can consult the Federal Reserve’s Trading Activities Manual and appropriate sections of its Commercial Bank Examination Manual. Questions regarding these practices should be directed to Jim Embersit (202-452-5249) or Derek Young (202-4522960). Richard Spillenkothen Director Cross Reference: SR 93-69 -14- Appendix Considerations in Evaluating the Management of the Credit. Market. Liquidity. Operating and Legal Risks of Nontrading Securities and Derivative Activities. This appendix highlights specific considerations in evaluating the key elements of sound risk management systems as they relate to the management of the various risks involved in an institution’s use of securities and derivative contracts for nontrading activities. These risks include credit, market, liquidity, operating and legal risks. Credit Risk Broadly defined, credit risk is the risk that an issuer or counterparty will fail to perform on an obligation to the institution. The policies of an institution should recognize credit risk as a significant risk faced by the institution’s securities and derivative activities. Accordingly, policies should identify credit risk constraints, risk tolerances and limits at the appropriate instrument, portfolio and institutional level. In doing so, institutions should ensure that credit risk constraints are clearly associated with specified objectives. For example, credit risk constraints and guidelines should be defined for instruments used to meet pledging requirements, to generate tax-advantaged income, to hedge positions, to generate temporary income or any other specifically defined objective. As a matter of general policy, an institution should not acquire securities or derivative contracts until it has assessed the creditworthiness of the issuer or counterparty and determined that the risk exposure conforms with its policies. The credit risk arising from these positions should be incorporated into the overall credit risk profile of the institution to the fullest extent possible. As a matter of policy, the board of directors and responsible senior management should be informed of the institution’s total credit risk exposures of the institution regularly, and no less frequently than quarterly. In managing their credit risk institutions also should consider settlement and pre-settlement credit risk. The selection of dealers, investment bankers and brokers is particularly important in effectively managing these risks. An institution’s policies should identify criteria for selecting these organizations and should list all approved firms. The approval process should include a review of each firm’s financial statements and an evaluation of its ability to honor its commitments. An inquiry into the general reputation of the dealer is also appropriate. The board of directors, or a committee thereof, should set limits on the amounts and types of transactions authorized for each fum. They should also -15- periodically review and reconfirm the list of authorized dealers, investment bankers, and brokers. For further guidance examiners should consult the February 1992 Federal Financial Institutions Examination Council (FFIEC) Supervisory Policy Statement on Securities Activities included in SR 92-1. An institution’s credit policies should also include guidelines on the quality and quantity of each type of security that may held. Policies should also provide credit risk diversification and concentration limits. Such limits may define concentrations as those to a single or related issuer or counterparty, in a geographical area, or in obligations with similar characteristics. Sound credit risk management requires that credit limits be developed by personnel who are independent of the acquisition function. In authorizing issuer and counterparty credit lines, these personnel should use standards that are consistent with those used for other activities conducted within the institution, and with the organization’s over-all policies and consolidated exposures. In assessing the credit worthiness of other organizations, institutions should not rely solely on outside sources, such as standardized ratings provided by independent rating agencies, but should also perform their own analysis of a counterparty’s or issuer’s financial strength. In addition, examiners should review the credit approval process to ensure that the credit risks of specific products are adequately identified and that credit approval procedures are followed for all transactions. For most cash instruments, credit exposure is measured as the current carrying value. In the case of many derivative contracts, especially those traded in OTC markets, credit exposure is measured as the replacement cost of the position, plus an estimate of the institution’s potential future exposure to changes in the replacement value of that position in response to market price changes. Replacement costs of derivative contracts should be determined using current market prices or generally accepted approaches for estimating the present value of future payments required under each contract, at current market rates. The measurement of potential future credit risk exposure for derivative contracts is more subjective than the measurement of current exposure and is primarily a function of the time remaining to maturity, the number of exchanges of principal, and the expected volatility of the price, rate, or index underlying the contract. Potential future exposure can be measured using an institution’s own simulations or, more simply, through the use of "add-ons" such as those included in the Federal Reserve’s risk-based capital guidelines. Regardless of method, examiners should evaluate the reasonableness of the assumptions underlying the institution’s risk measure. For derivative contracts and certain types of cash transactions, master agreements (including netting agreements) and various credit enhancements (such as collateral or third-party guarantees) can reduce settlement, issuer and counterparty credit risk. In such cases, an institution’s credit exposures should reflect these risk-reducing features only to the -16- extent that the agreements and recourse provisions are legally enforceable in all relevant jurisdictions. This legal enforceability should extend to any insolvency proceedings of the counterparty. Institutions should be prepared to demonstrate sufficient due diligence in evaluating the enforceability of these contracts. In reviewing credit exposures, examiners should consider the extent to which positions exceed credit limits and whether exceptions are resolved according to the institution’s adopted policies and procedures. Examiners should also evaluate whether the institution’s reports adequately provide all personnel involved in the acquisition and management of financial instruments with relevant, accurate, and timely information about the credit exposures and approved credit lines. Market Risk Market risk is the exposure of an institution’s financial condition to adverse movements in the market rates or prices of its holdings before such holdings can be liquidated or expeditiously offset. It is measured by assessing the effect of changing rates and/or prices on either the earnings or economic value of an individual instrument, a portfolio or the entire institution. Although many banking institutions focus on carrying values and reported earnings when assessing market risk at the institutional level, other measures focusing on total returns and changes in economic or fair values better reflect the potential market risk exposure of institutions, portfolios and individual instruments. Changes in fair values and total returns directly measure the effect of market movements on the economic value of an institution’s capital and provide significant insights as to their ultimate effects on the institution’s long term earnings. Institutions should manage and control their market risks using both an earnings and an economic value approach and at least on an economic or fair value basis. When evaluating capital adequacy, examiners should consider the effect of changes in market rates and prices on the economic value of the institution by evaluating any unrealized losses in an institution’s securities or derivative positions. This evaluation should assess the ability of the institution to hold its positions and function as a going concern if recognition of unrealized losses would significantly affect the institution’s capital ratios. Examiners also should consider the impact that liquidating positions with unrealized losses may have on the institution’s prompt corrective action capital category. Market risk limits should be established for both the acquisition and ongoing management of an institution’s securities and derivative holdings and, as appropriate, should address exposures for individual instruments, instrument types and portfolios. These limits should be integrated fully with limits established for the entire institution. At the institutional level, the board of directors should approve market risk exposure limits in terms of specific percentage changes in the economic value of capital and in the projected earnings of the -17- institution under various market scenarios. Similar and complementary limits on the volatility of prices or fair value should be established at the appropriate instrument, product type, and portfolio levels based on the institution’s willingness to accept market risk. Limits on the variability of effective maturities may also be desirable for certain types of instruments or portfolios. The federal bank regulatory agencies have established price and effective maturity standards for mortgage derivative products based on specified scenarios.1 0 Institutions should ensure that they meet these regulatory requirements and should employ similar techniques in controlling the exposures of other cash securities and to all derivative contracts— especially for instruments involving explicit or embedded options. The scenarios specified for assessing the market risk of these products should be sufficiently rigorous to capture all meaningful effects of any options. For example, in assessing interest rate risk, scenarios such as 100, 200 and 300 basis point parallel shifts in yield curves should be considered as well as appropriate non-parallel shifts in structure to evaluate potential basis, volatility and yield curve risks. Accurately measuring an institution’s market risk requires timely information about the current carrying and market values of its securities and derivative holdings. Accordingly, institutions should have market risk measurement systems commensurate with the size and nature of these holdings. Institutions with significant holdings of highly complex instruments should ensure that they have independent means to value their positions. Institutions employing internal models should have adequate procedures to validate the models and to periodically review all elements of the modeling process including its assumptions and risk measurement techniques. Institutions relying on third parties for market risk measurement systems and analyses should ensure that they fully understand the assumptions and techniques utilized. Institutions should evaluate and report to their boards of directors the market risk exposures of their securities and derivative positions on a regular basis and not less frequently than each quarter. These evaluations should assess trends in aggregate market risk exposure and the performance of portfolios in terms of established objectives and risk constraints. They also should identify compliance with board approved limits and identify 1 0 Under the February 1992 Federal Financial Institutions Examination Council (FFIEC) Supervisory Policy Statement on Securities Activities (SR 92-1) banks are required to test mortgage derivative products upon acquisition and periodically, thereafter, to determine if the instrument’s market risk characteristics qualify for categorization as "highrisk" mortgage derivative products. The criteria used involves a maximum average life test and a price volatility test and average life extension/tests under rising and falling interest rate scenarios. For further guidance, examiners should refer to SR 92-1 and SR 94-25 (which discusses the effect of FASB 115 on the "high risk" test). -18- any exceptions to established standards. Examiners should ensure that institutions have mechanisms to detect and adequately address exceptions to limits and guidelines. Examiners should also determine if management reports on market risk appropriately address potential exposures to basis risk, yield curve changes and other factors pertinent to the institution’s holdings. In this connection, examiners should assess an institution’s compliance with broader guidance for managing interest rate risk in a consolidated organization, including that detailed in the Commercial Bank Examination Manual. Complex and illiquid instruments can often involve greater market risk than broadly traded, more liquid securities. Oftentimes, this higher potential market risk arising from illiquidity is not captured by standardized financial modeling techniques. Such risk is particularly acute for instruments that are highly leveraged or that are designed to benefit from specific, narrowly defined market shifts. If market prices or rates do not move as expected, the demand for such instruments can evaporate. Where examiners encounter such instruments, they should review the adequacy with which the institution has assessed its potential market risks. If the risks from these instruments are material, the institution should have a well-documented process of stress testing their value and liquidity assumptions under a variety of market scenarios. Liquidity Risk Banks face two types of liquidity risk in their securities and derivative activities: those related to specific products or markets and those related to the general funding of the bank’s activities. The former, market liquidity risk, is the risk that an institution cannot easily unwind or offset a particular position at or near the previous market price because of inadequate market depth or because of disruptions in the marketplace. Funding liquidity risk is the risk that the bank will be unable to meet its payment obligations on settlement dates. Since neither type of liquidity risk is unique to securities and derivative activities, management should evaluate these risks in the broader context of the institution’s overall liquidity. In specifying permissible securities and derivative instruments for accomplishing established objectives, institutions should ensure that they take into account the size, depth and liquidity of the market for those instruments and the effect that such characteristics may have on achieving the objective. The market liquidity of certain types of instruments may make them entirely inappropriate for achieving certain objectives. Moreover, institutions should ensure that they consider the effects that market risk can have on the liquidity of different types of instruments. For example, some government agency securities may have embedded options that make them highly illiquid during periods of market volatility and stress, despite their high credit rating. Accordingly, institutions should articulate clearly the market liquidity characteristics of instruments to be used in accomplishing institutional objectives. -19- The funding risk of an institution becomes a more important consideration when its unrealized losses are material and, therefore, should be a factor in evaluating capital adequacy. Institutions with weak liquidity positions are more likely to be forced to recognize these losses and to suffer declines in their accounting and regulatory capital. In extreme cases, these effects could force supervisors to take prompt corrective actions. Examiners should assess whether the institution adequately considers the potential liquidity risks associated with the liquidation of securities or the early termination of derivative contracts. Many forms of standardized contracts for derivative transactions allow counterparties to request collateral or to terminate their contracts early if the institution experiences an adverse credit event or a deterioration in its financial condition. In addition, under situations of market stress, customers may ask for the early termination of some contracts within the context of the dealer’s market making activities. In such circumstances, an institution that owes money on derivative transactions may be required to deliver collateral or settle a contract early and possibly at a time when the institution may face other funding and liquidity pressures. Early terminations may also open additional, unintended, market positions. Management and directors should be aware of these potential liquidity risks and should address them in the institution’s liquidity plan and in the broader context of the institution’s liquidity management process. In their reviews, examiners should consider the extent to which such potential obligations could present liquidity risks to the institution. Operational Risk and Legal Risk Operating risk is the risk that deficiencies in information systems or internal controls will result in unexpected loss. Some specific sources of operating risk that can result in unexpected losses include inadequate procedures, human error, system failure or fraud. Inaccurately assessing or controlling operating risks is one of the more likely sources of problems facing institutions involved in securities and derivative activities. Adequate internal controls are the first line of defense in controlling the operating risks involved in an institution’s securities and derivatives activities. Of particular importance are internal controls that ensure the separation of duties and supervision of persons executing transactions from those responsible for processing contracts, confirming transactions, controlling various clearing accounts, approving the accounting methodology or entries, and performing revaluations. Institutions should have approved policies that specify documentation requirements for transactions and formal procedures for saving and safeguarding important documents that are consistent with legal requirements and internal policies. Relevant personnel should fully understand the requirements. Examiners should also consider the extent to which institutions evaluate and control operating risks through the use of internal audits, stress testing, contingency planning, and other managerial and analytical techniques. -20- An institution’s operating policies should establish appropriate procedures to obtain and maintain possession or control of instruments purchased. Institutions should also ensure that transactions consummated orally are confirmed as soon as possible. Banking organizations should, to the extent possible, seek diversification with regard to the firms used for safekeeping arrangements in order to avoid concentrations of assets or other types of risk.1 1 Legal risk is the risk that contracts are not legally enforceable or documented correctly. Legal risks should be limited and managed through policies developed by the institution’s legal counsel. At a minimum, there should be guidelines and processes in place to ensure the enforceability of counterparty agreements. Examiners should determine whether an institution is adequately evaluating the enforceability of its agreements before individual transactions are consummated. Institutions should also ensure that the counterparty has sufficient authority to enter into the transaction and that the terms of the agreement are legally sound. Institutions should further ascertain that their netting agreements are adequately documented, "that they have been executed properly, and that they are enforceable in all relevant jurisdictions. Institutions should have knowledge of relevant tax laws and interpretations governing the use of these instruments. An institution’s policies should also provide guidelines for conflicts of interest for employees who are directly involved in purchasing and selling securities for the institution from securities dealers. These guidelines should ensure that all directors, officers and employees act in the best interest of the institution. The board of directors may wish to adopt polices prohibiting these employees from engaging in personal securities transactions with these same securities firms without the specific prior board approval. The board of directors may also wish to adopt a policy applicable to directors, officers, and employees restricting or prohibiting the receipt of gifts, gratuities, or travel expenses from approved securities dealer firms and their personnel. n Examiners should refer to SR 95-3 for further guidance on safekeeping.