Full text of Federal Reserve Bank of New York Circulars : Evaluating the Risk Management and Internal Controls of Securities and Derivative Contacts Used in Nontrade Activities

The full text on this page is automatically extracted from the file linked above and may contain errors and inconsistencies.

Federal R eserve Bank
NEW

Y O R K , N.Y.
AREA CODE
FACSIMILE

N e w Yo r k

1 0 0 4 5 -0 0 0 1

212
212

of

720-6375
720-3742

C h e s t e r B. F e l d b e r g
E x e c u t iv e V ic e P r e s i d e n t

f\l-10*)$3
May 10, 1995

Evaluating the Risk Management and Internal Controls
of Securities and Derivative Contracts Used in Nontradina Activities

To the Chief Executive Officer of Each Second District State Member Bank,
Bank Holding Company, and U.S. Branch and Agency of a Foreign Banking
Organization

The Federal Reserve System has issued supervisory guidance for its
examiners in a supervisory letter, SR 95-17, entitled, "Evaluating the Risk
Management and Internal Controls of Securities and Derivative Contracts Used in
Nontrading Activities". The letter, a copy of which is attached, is designed to
complement the Federal Reserve's December 1993 supervisory letter, SR 93-69,
on the evaluation of risk management and internal controls in trading activities.
The new letter reiterates and supplements existing guidance and directives on both
investment and end-user activities presented in various supervisory letters and
examination manuals.
The guidance in SR 95-17 consists of two parts. The first part
highlights key elements of a sound risk management process in the context of both
investment and end-user activities. The second part is an appendix that details
specific sound practices for managing the credit, market, liquidity, operational and
legal risks of an institution's investment and end-user activities.
Over the past year, we have carefully reviewed several situations in
which banking companies have experienced losses in their nontrading derivatives
and securities activities, and we have observed a number of common problems and
pitfalls. We would especially highlight the following areas of potential vulnerability:




FEDERAL RESERVE BANK OF NEW YORK

2

May 10, 1995

1.

Where the bank has relied on a single employee's expertise to engage
in complex derivatives and securities activities, and senior
management, immediate supervisors, back office staff and internal
control personnel lacked sufficient knowledge and experience to
understand and control the level of risk taking;

2.

Where the bank has relied on investment policies or transaction
authorities that were not specific with respect to acceptable levels of
market risk, leverage, and market liquidity, such as an investment
policy that defined permissible investments solely in terms of maturity
and credit quality, and therefore did not reflect the availability of
financial instruments with greater loss potential from market and
liquidity risks than many traditional bank investments.

3.

Where the bank has lacked the accounting policies, management
information systems and procedures to obtain periodic market
valuations of instruments or portfolios that would have enabled the
bank to recognize losses in a timely manner, to prevent loss deferral
through extensions of maturity or other alteration of contract terms,
and to detect the use of complex instruments to mask unusual or large
market risk positions.

4.

Where the bank has effectively sold optionality (i.e., has written
financial or other options) embedded in complex derivatives or
securities transactions without adequate knowledge and risk
management systems to understand the option and market liquidity
risks associated with the transactions.

In each of these areas, the letter provides a description of sound banking practices
that address these pitfalls.
Financial innovation is one of the strengths of the U.S. financial
system, and banking institutions, as dealers, investors and end-users, have
benefitted greatly over the last 25 years from broad latitude to create and use new
financial instruments and new financial management techniques. Thus, the




FEDERAL RESERVE BANK OF NEW YORK

3

May 10, 1995

cautions given in the attached document should not be construed as discouraging
the use of innovative or complex financial products. To the contrary, prudent
management by each financial market participant of its securities and derivatives
activities is in the long-run interest of all market participants. That means that
banking companies need to take special care with products that are innovative or
complex.
The Federal Reserve Bank of New York is interested in your comments
and questions on the attached letter or on other supervisory matters related to
capital markets activities. Additional information about the management of
securities and derivative positions can be found in the Federal Reserve's Trading
Activities Manual. Please direct any questions concerning this letter to
Christine M. Cumming, Senior Vice President (212-720-1830), Kausar Hamdani,
Assistant Vice President (212-720-8258), or Brian Peters, Supervising Examiner
(212-720-2715).




Yours sincerely,

Chester B. Feldberg
Executive Vice President

W83

BOARD OF GOVERNORS
O F THE

FEDERAL RESERVE SYSTEM
WASHWGTON. D. C. 20551

SR 95-17 (SUP)
D tV SIO N OF BANUNG
S U FB tV B IO N AND REGULATION

March 28, 1995

TO THE OFFICER IN CHARGE OF SUPERVISION
AT EACH FEDERAL RESERVE BANK

SUBJECT:

Evaluating the Risk Management and Internal Controls of Securities and
Derivative Contracts Used in Nontrading Activities

SR 93-69 on "Risk Management and Internal Controls for Trading Activities
of Banking Organizations" highlighted the key elements of a sound risk management process
and emphasized the importance of applying them to the trading and derivatives activities of
banking institutions. It also provided examiners guidance on evaluating the risk management
process and internal controls of trading activities. This document provides similar guidance
on evaluating the risk management practices used by banking institutions in acquiring and
managing securities and off-balance-sheet (OBS) derivative contracts for nontrading
purposes. Traditionally, these "nontrading" activities have been termed investment activities
in the case of securities and end-user activities for OBS derivative contracts. Institutions
should ensure that they employ sound risk management practices consistently across these
varying product categories regardless of legal characteristics or nomenclature.
Scope of "Nontrading1 Activities and Guidance
1
This guidance specifically targets the risk management practices of state
member banks and Edge Act corporations engaged in banking. The basic principles also
apply to bank holding companies, which should manage and control aggregate risk exposures
on a consolidated basis, while recognizing legal distinctions and possible obstacles to cash
movements among subsidiaries.1 More generally, the principles advanced here set forth
fundamental risk management practices that are relevant to most portfolio management
endeavors. Institutions should review the applicability of these principles in providing trust
and investment management services.

1
The basic principles set forth in this guidance should also be incorporated into the
policies of U.S. branches and agencies of foreign banks with appropriate adaptations to
reflect the facts that: 1) those offices are an integral part of a foreign bank which should be
managing its risks on a consolidated basis and recognizing possible obstacles to cash
movements among branches, and 2) the foreign bank is subject to overall supervision by its
home authorities.




-2-

For the purpose of this guidance, an institution’s nontrading activities involve
the use of securities (both available for sale and held to maturity) and OBS derivative
contracts to achieve earnings and risk management objectives that involve longer time
horizons than typically associated with trading activities. Nontrading activities involve the
full array of cash securities, money market instruments, and OBS derivative contracts.2
Cash securities include fixed- and floating-rate notes and bonds, structured notes, mortgage
pass-through and other asset-backed securities, and mortgage derivative products. OBS
derivative contracts include swaps, futures and options.
Overview of Guidance
This guidance reiterates and supplements existing guidance and directives on
the use of these instruments for nontrading purposes as provided in various supervisory
letters and examination manuals.3 It identifies basic factors that examiners should consider in
evaluating the four key elements of a sound risk management process:
I.

Active board and senior management oversight;

II.

Adequate risk management policies and limits;

III.

Appropriate risk measurement and reporting systems; and,

IV.

Comprehensive internal controls.

The appendix to this guidance identifies important policy considerations related to specific
risks and should receive special attention. It contains specific guidance for evaluating an
2 In general terms, derivatives are financial contracts whose value derives from the
value of one or more underlying assets, interest rates, exchange rates, commodities, or
financial or commodity indexes.
3 Existing policies and examiner guidance on various supervisory topics applicable to
securities and off-balance sheet instruments can be found in various chapters of the
Commercial Bank Examination Manual, the Bank Holding Company Supervision Manual, the
Trust Activities Examination Manual, the Merchant and Investment Bank Examination
Manual, and the Trading Activities Examination Manual, as well as in various supervision
and regulation (SR) letters, including SR 90-16 on the "Implementation of Examination
Guidelines for the Review of Asset Securitization Activities," SR 90-41 on "Interest Rate
Risk," SR 91-4 on "Inspections of Investment Adviser Subsidiaries of Bank Holding
Companies," SR 92-1 on "Supervisory Policy Statement on Securities Activities," and SR 9369 on "Risk Management and Internal Controls for Trading Activities". Examiners of U.S.
branches and agencies of foreign banks should take the principles included in these guidelines
into consideration in accordance with the procedures set forth in the Examination Manual for
Branches and Agencies of Foreign Banking Organizations.




-3-

institution’s management of each of the risks involved in these activities, including credit,
market, liquidity, operating and legal risks.
In evaluating an institution’s risk management process, examiners should
consider the nature and size of its holdings. Examiner judgment plays a key role in assessing
the adequacy of an institution’s risk management process for securities and derivative
contracts. Examiners should focus particular attention on evaluating an institution’s
understanding of the risks involved in the instruments it holds. Regardless of any
responsibility, legal or otherwise, assumed by a dealer or counterparty regarding a
transaction, the acquiring institution is ultimately responsible for understanding and managing
the risks of the transactions into which it enters. Failure of an institution to understand
adequately the risks involved in its securities or derivative positions, either through the lack
of internal expertise or inadequate outside advice, constitutes an unsafe and unsound banking
practice.
As with all risk-bearing activities, institutions should fully support the risk
exposures of nontrading activities with adequate capital. Banking organizations should
ensure that their capital positions are sufficiently strong to support all the risks associated
with these activities on a fully consolidated basis and should maintain adequate capital in all
affiliated entities engaged in these activities. In evaluating the adequacy of an institution’s
capital, examiners should consider any unrecognized net depreciation or appreciation in an
institution’s securities and derivative holdings.4

I.

Board of Directors and Senior Management Oversight

Active oversight by the institution’s board of directors and relevant senior
management is critical to a sound risk management process. Examiners should ensure that
these individuals are aware of their responsibilities and that they adequately perform their
appropriate roles in overseeing and managing the risks associated with nontrading activities
involving securities and derivative instruments.
Board of Directors. The board of directors has the ultimate responsibility for
the level of risk taken by the institution. Accordingly, the board should approve overall
business strategies and significant policies that govern risk taking, including those involving
securities and derivative contracts. In particular, policies identifying managerial oversight
and articulating risk tolerances and exposure limits of these activities should be approved by
the board of directors. The board should also monitor actively the performance and risk
profile of the institution and its various securities and derivative portfolios. Directors should

4
For further guidance, examiners should refer to SR 93-72 on "Guidance on the
Capital Treatment and Other Issues Relating to the Financial Accounting Standards Board
Statement No. 115, Accounting for Certain Investments in Debt and Equity Securities."




-4-

review periodically information that is sufficient in detail and timeliness to allow them to
understand and assess the credit, market and liquidity risks facing the institution as a whole
and its securities and derivative positions in particular. Such reviews should be conducted at
least quarterly and more frequently where the institution holds significant positions in
complex instruments. In addition, the board should periodically reevaluate the institution’s
business strategies and significant risk management policies and procedures, placing special
emphasis on the institution’s financial objectives and risk tolerances. The minutes of board
meetings and accompanying reports and presentation materials should clearly demonstrate the
board’s fulfillment of these basic responsibilities. The appendix provides guidance on the
types of objectives, risk tolerances, limits and reports that directors should consider.
The board of directors should also conduct and encourage discussions between
its members and senior management, as well as between senior management and others in
the institution, regarding the institution’s risk management process and risk exposures.
Although it is not essential for board members to have detailed technical knowledge of these
activities, if they do not, it is incumbent upon them to ensure that they have adequate access
to independent legal and professional advice regarding the institution’s securities and
derivative holdings and strategies. The familiarity, technical knowledge, and awareness of
directors and senior management should be commensurate with the level and nature of an
institution’s securities and derivative positions.
Senior Management. Senior management is responsible for ensuring that
there are adequate policies and procedures for conducting nontrading securities and derivative
activities on both a long-range and day-to-day basis. Management should maintain clear
lines of authority and responsibility for acquiring instruments and managing risk, appropriate
limits on risk taking, adequate systems for measuring risk, acceptable standards for valuing
positions and measuring performance, effective internal controls, and a comprehensive risk
reporting and risk management review process. In order to provide adequate oversight,
management should fully understand the institution’s risk profile, including that of its
securities and derivative activities. Examiners should review the reports to senior
management and evaluate whether they provide both good summary information and
sufficient detail to enable management to assess the sensitivity of securities and derivative
holdings to changes in credit quality, market prices and rates, liquidity conditions and other
important risk factors. As part of its oversight responsibilities, senior management should
review periodically the organization’s risk management procedures to ensure that they remain
appropriate and sound. Senior management also should encourage and participate in active
discussions with members of the board and with risk management staff regarding risk
measurement, reporting and management procedures.
Management should ensure that nontrading securities and derivative activities
are conducted by competent staff with technical knowledge and experience consistent with the
nature and scope of the institution’s activities. There should be sufficient depth in staff
resources to manage these activities if key personnel are not available. Management should




-5-

also ensure that there are sufficient back-office and financial control resources to effectively
manage and control risks.
Independence in Managing Risks. To avoid possible conflicts of interest,
the process of measuring, monitoring, and controlling risks should be managed as
independently as practicable from those individuals who have the authority to initiate
transactions. The nature and extent of this independence should be commensurate with the
size and complexity of an institution’s securities and derivative activities. Institutions with
large and complex balance sheets, or with significant holdings of complex instruments, would
be expected to have risk managers or risk management functions fully independent of the
individuals who have the authority to conduct transactions. Institutions with less complex
holdings should ensure that there is some mechanism for independently reviewing both the
level of risk exposures created by securities and derivative holdings and the adequacy of the
process used in managing those exposures. Depending on the size and nature of the
institution, such a mechanism may reside either in the management structure or in a board
committee. Regardless of size and sophistication, institutions should ensure that back-office,
settlement, and transaction reconciliation responsibilities are conducted and managed by
personnel who are independent of those initiating risk taking positions.

II.

Policies and Procedures for Acquiring and Managing Securities and Derivative
Instruments

Institutions should maintain written policies and procedures that clearly outline
their approach for managing securities and derivative instruments. Such policies should be
consistent with the organization’s broader business strategies, capital adequacy, technical
expertise, and general willingness to take risk. They should identify relevant objectives,
constraints, and guidelines for both acquiring instruments and managing portfolios. In doing
so, policies should establish a logical framework for limiting the various risks involved in an
institution’s securities and derivative holdings. Policies should clearly delineate lines of
responsibility and authority over securities and derivative activities. They should also
provide for the systematic review of products new to the firm. Examiners should evaluate
the adequacy of an institution’s risk management policies and procedures in relation to its
size, sophistication and the scope of its activities.
Specifying Objectives. Institutions can use securities and derivative
instruments for several primary and complementary purposes.5 Banking organizations should
articulate clearly these objectives and identify the types of securities and derivative contracts
to be used for achieving diem. Objectives also should be identified at the appropriate

5
Such purposes include, but are not limited to, generating earnings, creating funding
opportunities, providing liquidity, hedging risk exposures, taking risk positions, modifying
and managing risk profiles, managing tax liabilities, and meeting pledging requirements.




-6-

portfolio and institutional levels. These objectives should guide the acquisition of individual
instruments and should provide benchmarks for evaluating periodically the performance and
effectiveness of an institution’s holdings, strategies and programs. Wherever multiple
objectives are involved, management should identify the hierarchy of potentially conflicting
objectives.
Identifying Constraints. Guidelines and Limits. An institution’s policies
should articulate clearly the organization’s risk tolerance by identifying its willingness to take
the credit, market, and liquidity risks involved in holding securities and derivative contracts.
A statement of authorized instruments and activities is an important vehicle for
communicating these risk tolerances. This statement should clearly identify permissible
instruments or instrument types and the purposes or objectives for which the institution may
use them. The statement also should identify permissible credit quality, market risk
sensitivity and liquidity characteristics of the instruments and portfolios used in nontrading
activities. For example, in the case of market risk, policies should address the permissible
degree of price sensitivity and/or effective maturity volatility, taking into account an
instrument’s or portfolio’s option and leverage characteristics. Specifications of permissible
risk characteristics should be consistent with the institution’s overall credit, market, and
liquidity risk limits and constraints and should help delineate a clear set of institutional limits
for use in acquiring specific instruments and managing portfolios. Such limits can be
specified either as guidelines within the overall policies or in management operating
procedures. The appendix provides further guidance on the types of constraints and limits an
institution might use in managing the credit, market and liquidity risk of securities and
derivative contracts.
Limits should be set to guide acquisition and ongoing management decisions,
control exposures, and initiate discussion within the organization about apparent opportunities
and risks. Although procedures for establishing limits and for operating within them may
vary among institutions, examiners should determine whether the organization enforces its
policies and procedures through a clearly identified system of risk limits. Positions that
exceed established limits should receive the prompt attention of appropriate management and
should be resolved according to approved policies.
Limits should implement the overall risk tolerances and constraints articulated
in general policy statements. Depending on the nature of an institution’s holdings and its
general sophistication, limits can be identified with individual business units, portfolios,
instrument types or specific instruments. The level of detail of risk limits should reflect the
characteristics of the institution’s holdings including the types of risk to which the institution
is exposed. Regardless of their specific form or level of aggregation, limits should be
consistent with the institution’s overall approach to managing various types of risks. They
should also be integrated to the fullest extent possible with institution-wide limits on the same
risks as they arise in other activities of the firm. The appendix to this guidance presents
specific examiner considerations in evaluating the policies and limits used in managing each
of the various types of risks involved in nontrading securities and derivative activities.




-7-

New Product Review. An institution’s policies should also provide for
effective review of products being considered that would be new to the firm. An institution
should not acquire a meaningful position in a new instrument until senior management and all
relevant personnel (including those in internal control, legal, accounting, and auditing
functions) understand the product and can integrate it into the institution’s risk measurement
and control systems. An institution’s policies should define the terms "new product" and
"meaningful position" consistent with its size, complexity and sophistication. Institutions
should not be hesitant to define an instrument as a "new" product. Small changes in
payment formulas or other terms of relatively simple and standard products can greatly alter
their risk profiles and justify the designation of an instrument as a "new" product. New
product reviews should analyze all of the relevant risks involved in an instrument and should
assess the reasonableness of the product or activity in achieving specified objectives. New
product reviews also should include a description of the relevant accounting guidelines, and
identify the procedures for measuring, monitoring and controlling the risks involved.
Accounting. The accounting systems and procedures used for public and
regulatory reporting purposes are critically important to enhancing the transparency of an
institution’s risk profile. Accordingly, an institution’s policies should provide clear
guidelines regarding the accounting for all securities and derivative holdings. This treatment
should be consistent with specified objectives and with the institution’s regulatory
requirements. Institutions should ensure that they categorize each cash or derivative contract
for accounting purposes consistent with appropriate accounting policies and requirements.
Furthermore, the accounting for nontrading securities and OBS derivative contracts should
reflect the economic substance of the transactions.6 Where instruments are used for hedging
purposes, the hedging rationale and performance criteria should be well documented.
Management should reassess these classifications periodically to ensure that they remain
appropriate.7

6 As set forth in the February 1992 Federal Financial Institutions Examination
Council (FFIEC) Supervisory Policy Statement on Securities Activities (SR 92-1),
inappropriate accounting practices include "adjusted trading." Adjusted trading involves the
sale of an instrument at a price above the prevailing market value and the simultaneous
purchase and booking of an instrument at a price greater than its market value.
7 Reporting requirements for bank and bank holding company regulatory reports are
set forth in the Reports of Condition and Income ("Call Report") for banks and the FR Y-9C
for bank holding companies.




-8 -

III.

Risk Measurement. Monitoring Systems and Management Review

Clear procedures for measuring and monitoring risks are the foundation of a
sound risk management process. Examiners should ensure that an institution sufficiently
integrates these functions into its ongoing management process and that relevant personnel
recognize their role and understand the instruments held.
Risk Measurement. An institution’s system for measuring the credit, market,
liquidity and other risks involved in cash and derivative contracts should be as comprehensive
and accurate as practicable. The degree of comprehensiveness should be commensurate with
the nature of the institution’s holdings and risk exposures. Exposures to each type of risk
(i.e., credit, market, liquidity) should be aggregated across securities and derivative contracts
and integrated with similar exposures arising from lending and other business activities to
obtain the institution’s overall risk profile.
Examiners should evaluate whether the risk measures and the risk
measurement process are sufficiently robust to reflect accurately the different types of risks
facing the institution. Institutions should establish clear risk measurement standards for both
the acquisition and on-going management of securities and derivative positions. Risk
measurement standards should provide a common framework for limiting and monitoring
risks and should be understood by relevant personnel at all levels of the institution—
ffom
individual managers to the board of directors.
Acquisition standards: Institutions conducting securities and derivative
activities should have the capacity to evaluate the risks of instruments prior to acquisition.
Before executing any transaction, an institution should evaluate the instrument to ensure that
it meets the various objectives, risk tolerances and guidelines identified by the institution’s
policies. Evaluations of the credit, market and liquidity risk exposures should be clearly and
adequately documented for each acquisition. Such documentation should be appropriate for
the nature and type of instrument. Relatively simple instruments would be expected to
require less documentation than instruments with significant leverage or option
characteristics.
Institutions with significant securities and derivative activities are expected
either to conduct their own in-house pre-acquisition analyses or make use of specific third
party analyses that are independent of the seller or counterparty. Analyses provided by the
originating dealer or counterparty should be used only when there is a clearly defined
investment advisory relationship. Less active institutions with relatively uncomplicated
holdings may use risk analyses provided by the dealer only to the extent that the analyses is
derived using standard industry calculators and market conventions. Such analyses must
comprehensively depict the potential risks involved in the acquisition and should be
accompanied by documentation that sufficiently demonstrates that the acquirer understands
fully both the analyses and the nature of the institution’s relationship with the provider of that




-9-

analyses. Notwithstanding information and analyses obtained from outside sources,
management is ultimately responsible for understanding the nature and risk profiles of the
institution’s securities and derivative holdings.
It is a prudent practice to obtain and compare price quotes and risk analyses
from more than one dealer prior to acquisition. In doing so, institutions should ensure that
they clearly understand the responsibilities of any outside parties that provide analysis and
price quotes. With regard to analyses and price quotes provided by dealers, institutions
should assume that each party deals at arm’s length for its own account unless there is a
written agreement stating the contrary. Institutions should exercise caution in situations in
which dealers limit the institution’s ability to show securities or derivative contract proposals
to other dealers in order to receive comparative price quotes or risk analyses. As a general
sound practice, unless the dealer or counterparty is also acting under a specific investment
advisory relationship, an investor or end-user should not acquire an instrument or enter into a
transaction if its fair value or the analyses required to assess its risk cannot be determined
through a means that is independent of the originating dealer or counterparty.
Portfolio Management Standards: Institutions should periodically review the
performance and effectiveness of instruments, portfolios, and institutional programs and
strategies. Such review should be conducted no less frequently than quarterly and should
evaluate the extent to which the institution’s securities and derivative holdings meet the
various objectives, risk tolerances and guidelines established by the institution’s policies.8
Institutions with large or highly complex holdings should conduct such reviews more
frequently.
For internal measurement purposes, effective measurement of the credit,
market and liquidity risks of many securities and derivative contracts requires mark-to-market
valuations.9 Accordingly, the periodic revaluation of securities and derivative holdings is an
integral pan of an effective risk measurement system. These periodic revaluations should be
fully documented. Where available, actual market prices should be used. For less liquid or
complex instruments, institutions with only limited holdings may use properly documented
periodic prices and analyses provided by dealers or counterparties. More active institutions
should conduct periodic revaluations and portfolio analyses using either their own in-house
capabilities or outside party analytical systems that are independent of sellers or

8 For example, the performance of instruments and portfolios used to meet taxadvantaged earnings objectives should be evaluated to ensure that they meet the necessary
credit rating, market sensitivity and liquidity characteristics established for this objective.
9 The Reports of Condition and Income ("Call Report") requires quarterly reporting
of the fair value of all securities holdings.




-10-

counterparties. Institutions should recognize that indicative price quotes and model
revaluations may differ from the values at which transactions can be executed.
Stress Testing: Analyzing the credit, market and liquidity risk of individual
instruments, portfolios, and the entire institution under a variety of unusual and stressful
conditions is an important aspect of the risk measurement process. Management should seek
to identify the types of situations, or the combinations of credit and market events, that could
produce substantial losses or liquidity problems. Since institutions typically manage
nontrading securities and derivative contracts with consideration to the institution’s
consolidated exposures, management should review the effect of stress situations on an
institution-wide basis. Stress tests should evaluate changes in market conditions, including
alternatives in the underlying assumptions used to value instruments.
Stress tests should not be limited to quantitative exercises that compute
potential losses or gains, but should also include qualitative analyses of the tools available to
management to deal with various scenarios. Contingency plans outlining operating
procedures and lines of communication, both formal and informal, are important products of
such qualitative analyses.
The appropriate extent and sophistication of an institution’s stress testing
depends heavily on the scope and nature of its securities and derivative holdings and on its
ability to limit the effect of adverse events. Institutions holding securities or derivative
contracts with complex credit, market or liquidity risk profiles should have an established
regime of stress testing. Examiners should consider the circumstances at each institution
when evaluating the adequacy or need for stress testing procedures.
Risk Reporting. An accurate, informative, and timely management
information system is essential. Examiners should evaluate the adequacy of an institution’s
monitoring and reporting of the risks, returns, and overall performance of security and
derivative activities to senior management and the board of directors. The frequency of
reporting should provide the responsible individuals with adequate information to judge the
changing nature of the institution’s risk profile and to evaluate compliance with stated policy
objectives and constraints.
Management reports should translate measured risks from technical and
quantitative formats to those that can be easily read and understood by senior managers and
directors, who may not have specialized and technical knowledge of all financial instruments
used by the institution. Institutions should ensure that they use a common conceptual
framework for measuring and limiting risks in reports to senior managers and directors.
Such reports should include the periodic assessment of the performance of appropriate
instruments or portfolios in meeting their stated objective(s) subject to the relevant constraints
and risk tolerances.




-11-

Management Evaluation and Review. Management should regularly review
the institution’s approach and process for managing risks. This includes regularly assessing
the methodologies, models, and assumptions used to measure risks and to limit exposures.
Proper documentation of the elements used in measuring risks is essential for conducting
meaningful reviews. Limits should be compared to actual exposures. Such reviews should
also consider whether existing measures of exposure and limits are appropriate in view of the
institution’s holdings, past performance and current capital position.
The frequency of the reviews should reflect the nature of an institution’s
holdings and the pace of market innovations in measuring and managing risks. At a
minimum, institutions with significant activities involving complex cash or derivative
contracts should review the underlying methodologies of the models they use at least
annually— more often as market conditions dictate— ensure they are appropriate and
and
to
consistent. Reviews by external auditors or other qualified outside parties, such as
consultants with expertise in highly technical models and risk management techniques, may
often supplement these internal evaluations. Institutions depending on outside parties to
provide various risk measurement capabilities should ensure that the institution has personnel
with the necessary expertise to identify and evaluate the important assumptions incorporated
in the risk measurement methodologies it uses.

IV.

Comprehensive Internal Controls and Audit Procedures

An institution’s risk management process should be an extension of its overall
structure of internal controls. Properly structured, a system of internal controls should
promote effective and efficient operations, reliable financial and regulatory reporting, and
compliance with relevant laws, regulations, and institutional policies. In determining
whether internal controls meet those objectives, examiners should consider the general
control environment of the organization; the process for identifying, analyzing and managing
risk; the adequacy of management information systems; and adherence to control activities
such as approvals, confirmations and reconciliations.
Assessing the adequacy of internal controls involves a process of
understanding, documenting, evaluating and testing an institution’s internal control system.
This assessment should include product reviews that start with an analysis of the
organizational structure of securities and derivative activities. Duties should be separated
between personnel initiating transactions and personnel overseeing back office operations,
internal controls and the management of risk exposures.
Examiners should conduct in-depth reviews of the internal controls of all key
activities involving securities and derivative contracts. For example, for transaction
recording and processing, examiners should evaluate and assess adherence to the written
policies and procedures for recording transactions. They should also analyze the transaction




-12-

processing cycle to ensure the integrity and accuracy of the institution’s records and
management reports. Examiners should review all significant internal controls associated
with the management of the credit, market, liquidity, operational and legal risks involved in
securities and derivative holdings.
The examiner should appraise the frequency, scope, and findings of any
independent internal and external auditors. This appraisal should include an evaluation of the
ability of those auditors to review the institution’s securities and derivative activities. Where
applicable, internal auditors should audit and test the risk management process and internal
controls periodically. The depth and frequency of internal audits should increase if
weaknesses and significant issues exist or if portfolio structures, modeling methodologies, or
the overall risk profile of the institution have changed.
In reviewing the management of the risks of nontrading securities and
derivative activities, internal auditors should thoroughly evaluate the effectiveness of internal
controls used for measuring, reporting and limiting risks. Internal auditors should also
evaluate compliance with risk limits and the reliability and timeliness of information reported
to the institution’s senior management and board of directors. Internal auditors should also
evaluate the independence and overall effectiveness of the institution’s risk management
process. The level of confidence that examiners place in an institution’s audit programs, the
nature of the audit findings and management’s response to those findings will influence the
scope of the current examination of securities and derivative activities.
Examiners should pay special attention to significant changes in the nature of
instruments acquired, risk measurement methodologies, limits, and internal controls that have
occurred since the last examination. Significant changes in earnings from securities and
derivative contracts, in the size of positions or in the value at risk associated with these
activities should also receive attention during the examination.

Conclusion
The foregoing discussion identified, in broad terms, the key elements of a
sound risk management system for acquiring and managing securities and derivative
contracts. The appendix presents important guidance for evaluating specific risks—
credit,
market, liquidity, operating and legal-that institutions encounter in conducting nontrading
securities and derivative activities.
These guidelines, including those in the appendix, are intended to help
examiners, the management and boards of directors of institutions evaluate the adequacy of
the risk management process as it applies to the use of securities and derivative contracts in a
nontrading environment. However, the nature of these activities and the broad range of
circumstances in which these instruments are used by banking organizations requires




-13-

examiners to apply substantial judgment in their evaluation of management procedures. In
the final analysis, examiners must determine whether the institution’s use of securities and
derivatives represents a prudent activity in light of the purposes for which they are used.
management’s ability to evaluate and control risks, and the capital position of the institution.
They should also ensure that depository institutions adopt adequate policies related to
securities and derivative transactions, and that all levels of management provide sufficient
oversight of the risk management process.
For additional information about the management of securities and derivative
positions, examiners can consult the Federal Reserve’s Trading Activities Manual and
appropriate sections of its Commercial Bank Examination Manual. Questions regarding these
practices should be directed to Jim Embersit (202-452-5249) or Derek Young (202-4522960).

Richard Spillenkothen
Director

Cross Reference: SR 93-69




-14-

Appendix
Considerations in Evaluating the Management of the
Credit. Market. Liquidity. Operating and Legal Risks
of Nontrading Securities and Derivative Activities.

This appendix highlights specific considerations in evaluating the key elements
of sound risk management systems as they relate to the management of the various risks
involved in an institution’s use of securities and derivative contracts for nontrading activities.
These risks include credit, market, liquidity, operating and legal risks.

Credit Risk
Broadly defined, credit risk is the risk that an issuer or counterparty will fail
to perform on an obligation to the institution. The policies of an institution should recognize
credit risk as a significant risk faced by the institution’s securities and derivative activities.
Accordingly, policies should identify credit risk constraints, risk tolerances and limits at the
appropriate instrument, portfolio and institutional level. In doing so, institutions should
ensure that credit risk constraints are clearly associated with specified objectives. For
example, credit risk constraints and guidelines should be defined for instruments used to meet
pledging requirements, to generate tax-advantaged income, to hedge positions, to generate
temporary income or any other specifically defined objective.
As a matter of general policy, an institution should not acquire securities or
derivative contracts until it has assessed the creditworthiness of the issuer or counterparty and
determined that the risk exposure conforms with its policies. The credit risk arising from
these positions should be incorporated into the overall credit risk profile of the institution to
the fullest extent possible. As a matter of policy, the board of directors and responsible
senior management should be informed of the institution’s total credit risk exposures of the
institution regularly, and no less frequently than quarterly.
In managing their credit risk institutions also should consider settlement and
pre-settlement credit risk. The selection of dealers, investment bankers and brokers is
particularly important in effectively managing these risks. An institution’s policies should
identify criteria for selecting these organizations and should list all approved firms. The
approval process should include a review of each firm’s financial statements and an
evaluation of its ability to honor its commitments. An inquiry into the general reputation of
the dealer is also appropriate. The board of directors, or a committee thereof, should set
limits on the amounts and types of transactions authorized for each fum. They should also




-15-

periodically review and reconfirm the list of authorized dealers, investment bankers, and
brokers. For further guidance examiners should consult the February 1992 Federal Financial
Institutions Examination Council (FFIEC) Supervisory Policy Statement on Securities
Activities included in SR 92-1.
An institution’s credit policies should also include guidelines on the quality and
quantity of each type of security that may held. Policies should also provide credit risk
diversification and concentration limits. Such limits may define concentrations as those to a
single or related issuer or counterparty, in a geographical area, or in obligations with similar
characteristics.
Sound credit risk management requires that credit limits be developed by
personnel who are independent of the acquisition function. In authorizing issuer and
counterparty credit lines, these personnel should use standards that are consistent with those
used for other activities conducted within the institution, and with the organization’s over-all
policies and consolidated exposures. In assessing the credit worthiness of other
organizations, institutions should not rely solely on outside sources, such as standardized
ratings provided by independent rating agencies, but should also perform their own analysis
of a counterparty’s or issuer’s financial strength. In addition, examiners should review the
credit approval process to ensure that the credit risks of specific products are adequately
identified and that credit approval procedures are followed for all transactions.
For most cash instruments, credit exposure is measured as the current carrying
value. In the case of many derivative contracts, especially those traded in OTC markets,
credit exposure is measured as the replacement cost of the position, plus an estimate of the
institution’s potential future exposure to changes in the replacement value of that position in
response to market price changes. Replacement costs of derivative contracts should be
determined using current market prices or generally accepted approaches for estimating the
present value of future payments required under each contract, at current market rates.
The measurement of potential future credit risk exposure for derivative
contracts is more subjective than the measurement of current exposure and is primarily a
function of the time remaining to maturity, the number of exchanges of principal, and the
expected volatility of the price, rate, or index underlying the contract. Potential future
exposure can be measured using an institution’s own simulations or, more simply, through
the use of "add-ons" such as those included in the Federal Reserve’s risk-based capital
guidelines. Regardless of method, examiners should evaluate the reasonableness of the
assumptions underlying the institution’s risk measure.
For derivative contracts and certain types of cash transactions, master
agreements (including netting agreements) and various credit enhancements (such as collateral
or third-party guarantees) can reduce settlement, issuer and counterparty credit risk. In such
cases, an institution’s credit exposures should reflect these risk-reducing features only to the




-16-

extent that the agreements and recourse provisions are legally enforceable in all relevant
jurisdictions. This legal enforceability should extend to any insolvency proceedings of the
counterparty. Institutions should be prepared to demonstrate sufficient due diligence in
evaluating the enforceability of these contracts.
In reviewing credit exposures, examiners should consider the extent to which
positions exceed credit limits and whether exceptions are resolved according to the
institution’s adopted policies and procedures. Examiners should also evaluate whether the
institution’s reports adequately provide all personnel involved in the acquisition and
management of financial instruments with relevant, accurate, and timely information about
the credit exposures and approved credit lines.

Market Risk
Market risk is the exposure of an institution’s financial condition to adverse
movements in the market rates or prices of its holdings before such holdings can be
liquidated or expeditiously offset. It is measured by assessing the effect of changing rates
and/or prices on either the earnings or economic value of an individual instrument, a
portfolio or the entire institution. Although many banking institutions focus on carrying
values and reported earnings when assessing market risk at the institutional level, other
measures focusing on total returns and changes in economic or fair values better reflect the
potential market risk exposure of institutions, portfolios and individual instruments.
Changes in fair values and total returns directly measure the effect of market movements on
the economic value of an institution’s capital and provide significant insights as to their
ultimate effects on the institution’s long term earnings. Institutions should manage and
control their market risks using both an earnings and an economic value approach and at
least on an economic or fair value basis.
When evaluating capital adequacy, examiners should consider the effect of
changes in market rates and prices on the economic value of the institution by evaluating any
unrealized losses in an institution’s securities or derivative positions. This evaluation should
assess the ability of the institution to hold its positions and function as a going concern if
recognition of unrealized losses would significantly affect the institution’s capital ratios.
Examiners also should consider the impact that liquidating positions with unrealized losses
may have on the institution’s prompt corrective action capital category.
Market risk limits should be established for both the acquisition and ongoing
management of an institution’s securities and derivative holdings and, as appropriate, should
address exposures for individual instruments, instrument types and portfolios. These limits
should be integrated fully with limits established for the entire institution. At the institutional
level, the board of directors should approve market risk exposure limits in terms of specific
percentage changes in the economic value of capital and in the projected earnings of the




-17-

institution under various market scenarios. Similar and complementary limits on the
volatility of prices or fair value should be established at the appropriate instrument, product
type, and portfolio levels based on the institution’s willingness to accept market risk. Limits
on the variability of effective maturities may also be desirable for certain types of
instruments or portfolios.
The federal bank regulatory agencies have established price and effective
maturity standards for mortgage derivative products based on specified scenarios.1
0
Institutions should ensure that they meet these regulatory requirements and should employ
similar techniques in controlling the exposures of other cash securities and to all derivative
contracts—
especially for instruments involving explicit or embedded options. The scenarios
specified for assessing the market risk of these products should be sufficiently rigorous to
capture all meaningful effects of any options. For example, in assessing interest rate risk,
scenarios such as 100, 200 and 300 basis point parallel shifts in yield curves should be
considered as well as appropriate non-parallel shifts in structure to evaluate potential basis,
volatility and yield curve risks.
Accurately measuring an institution’s market risk requires timely information
about the current carrying and market values of its securities and derivative holdings.
Accordingly, institutions should have market risk measurement systems commensurate with
the size and nature of these holdings. Institutions with significant holdings of highly complex
instruments should ensure that they have independent means to value their positions.
Institutions employing internal models should have adequate procedures to validate the
models and to periodically review all elements of the modeling process including its
assumptions and risk measurement techniques. Institutions relying on third parties for
market risk measurement systems and analyses should ensure that they fully understand the
assumptions and techniques utilized.
Institutions should evaluate and report to their boards of directors the market
risk exposures of their securities and derivative positions on a regular basis and not less
frequently than each quarter. These evaluations should assess trends in aggregate market risk
exposure and the performance of portfolios in terms of established objectives and risk
constraints. They also should identify compliance with board approved limits and identify

1
0
Under the February 1992 Federal Financial Institutions Examination Council
(FFIEC) Supervisory Policy Statement on Securities Activities (SR 92-1) banks are required
to test mortgage derivative products upon acquisition and periodically, thereafter, to
determine if the instrument’s market risk characteristics qualify for categorization as "highrisk" mortgage derivative products. The criteria used involves a maximum average life test
and a price volatility test and average life extension/tests under rising and falling interest rate
scenarios. For further guidance, examiners should refer to SR 92-1 and SR 94-25 (which
discusses the effect of FASB 115 on the "high risk" test).




-18-

any exceptions to established standards. Examiners should ensure that institutions have
mechanisms to detect and adequately address exceptions to limits and guidelines. Examiners
should also determine if management reports on market risk appropriately address potential
exposures to basis risk, yield curve changes and other factors pertinent to the institution’s
holdings. In this connection, examiners should assess an institution’s compliance with
broader guidance for managing interest rate risk in a consolidated organization, including that
detailed in the Commercial Bank Examination Manual.
Complex and illiquid instruments can often involve greater market risk than
broadly traded, more liquid securities. Oftentimes, this higher potential market risk arising
from illiquidity is not captured by standardized financial modeling techniques. Such risk is
particularly acute for instruments that are highly leveraged or that are designed to benefit
from specific, narrowly defined market shifts. If market prices or rates do not move as
expected, the demand for such instruments can evaporate. Where examiners encounter such
instruments, they should review the adequacy with which the institution has assessed its
potential market risks. If the risks from these instruments are material, the institution should
have a well-documented process of stress testing their value and liquidity assumptions under
a variety of market scenarios.

Liquidity Risk
Banks face two types of liquidity risk in their securities and derivative
activities: those related to specific products or markets and those related to the general
funding of the bank’s activities. The former, market liquidity risk, is the risk that an
institution cannot easily unwind or offset a particular position at or near the previous market
price because of inadequate market depth or because of disruptions in the marketplace.
Funding liquidity risk is the risk that the bank will be unable to meet its payment obligations
on settlement dates. Since neither type of liquidity risk is unique to securities and derivative
activities, management should evaluate these risks in the broader context of the institution’s
overall liquidity.
In specifying permissible securities and derivative instruments for
accomplishing established objectives, institutions should ensure that they take into account the
size, depth and liquidity of the market for those instruments and the effect that such
characteristics may have on achieving the objective. The market liquidity of certain types of
instruments may make them entirely inappropriate for achieving certain objectives.
Moreover, institutions should ensure that they consider the effects that market risk can have
on the liquidity of different types of instruments. For example, some government agency
securities may have embedded options that make them highly illiquid during periods of
market volatility and stress, despite their high credit rating. Accordingly, institutions should
articulate clearly the market liquidity characteristics of instruments to be used in
accomplishing institutional objectives.




-19-

The funding risk of an institution becomes a more important consideration
when its unrealized losses are material and, therefore, should be a factor in evaluating capital
adequacy. Institutions with weak liquidity positions are more likely to be forced to recognize
these losses and to suffer declines in their accounting and regulatory capital. In extreme
cases, these effects could force supervisors to take prompt corrective actions.
Examiners should assess whether the institution adequately considers the
potential liquidity risks associated with the liquidation of securities or the early termination of
derivative contracts. Many forms of standardized contracts for derivative transactions allow
counterparties to request collateral or to terminate their contracts early if the institution
experiences an adverse credit event or a deterioration in its financial condition. In addition,
under situations of market stress, customers may ask for the early termination of some
contracts within the context of the dealer’s market making activities. In such circumstances,
an institution that owes money on derivative transactions may be required to deliver collateral
or settle a contract early and possibly at a time when the institution may face other funding
and liquidity pressures. Early terminations may also open additional, unintended, market
positions. Management and directors should be aware of these potential liquidity risks and
should address them in the institution’s liquidity plan and in the broader context of the
institution’s liquidity management process. In their reviews, examiners should consider the
extent to which such potential obligations could present liquidity risks to the institution.

Operational Risk and Legal Risk
Operating risk is the risk that deficiencies in information systems or internal
controls will result in unexpected loss. Some specific sources of operating risk that can
result in unexpected losses include inadequate procedures, human error, system failure or
fraud. Inaccurately assessing or controlling operating risks is one of the more likely sources
of problems facing institutions involved in securities and derivative activities.
Adequate internal controls are the first line of defense in controlling the
operating risks involved in an institution’s securities and derivatives activities. Of particular
importance are internal controls that ensure the separation of duties and supervision of
persons executing transactions from those responsible for processing contracts, confirming
transactions, controlling various clearing accounts, approving the accounting methodology or
entries, and performing revaluations.
Institutions should have approved policies that specify documentation
requirements for transactions and formal procedures for saving and safeguarding important
documents that are consistent with legal requirements and internal policies. Relevant
personnel should fully understand the requirements. Examiners should also consider the
extent to which institutions evaluate and control operating risks through the use of internal
audits, stress testing, contingency planning, and other managerial and analytical techniques.




-20-

An institution’s operating policies should establish appropriate procedures to
obtain and maintain possession or control of instruments purchased. Institutions should also
ensure that transactions consummated orally are confirmed as soon as possible. Banking
organizations should, to the extent possible, seek diversification with regard to the firms used
for safekeeping arrangements in order to avoid concentrations of assets or other types of
risk.1
1
Legal risk is the risk that contracts are not legally enforceable or documented
correctly. Legal risks should be limited and managed through policies developed by the
institution’s legal counsel. At a minimum, there should be guidelines and processes in place
to ensure the enforceability of counterparty agreements. Examiners should determine
whether an institution is adequately evaluating the enforceability of its agreements before
individual transactions are consummated. Institutions should also ensure that the
counterparty has sufficient authority to enter into the transaction and that the terms of the
agreement are legally sound. Institutions should further ascertain that their netting
agreements are adequately documented, "that they have been executed properly, and that they
are enforceable in all relevant jurisdictions. Institutions should have knowledge of relevant
tax laws and interpretations governing the use of these instruments.
An institution’s policies should also provide guidelines for conflicts of interest
for employees who are directly involved in purchasing and selling securities for the
institution from securities dealers. These guidelines should ensure that all directors, officers
and employees act in the best interest of the institution. The board of directors may wish to
adopt polices prohibiting these employees from engaging in personal securities transactions
with these same securities firms without the specific prior board approval. The board of
directors may also wish to adopt a policy applicable to directors, officers, and employees
restricting or prohibiting the receipt of gifts, gratuities, or travel expenses from approved
securities dealer firms and their personnel.




n Examiners should refer to SR 95-3 for further guidance on safekeeping.