12 CFR Appendix B to Part 44 - Enhanced Minimum Standards for Compliance Programs

Appendix B to Part 44 - Enhanced Minimum Standards for Compliance Programs
I. Overview

Section 44.20(c) requires certain banking entities to establish, maintain, and enforce an enhanced compliance program that includes the requirements and standards in this Appendix as well as the minimum written policies and procedures, internal controls, management framework, independent testing, training, and recordkeeping provisions outlined in § 44.20. This Appendix sets forth additional minimum standards with respect to the establishment, oversight, maintenance, and enforcement by these banking entities of an enhanced internal compliance program for ensuring and monitoring compliance with the prohibitions and restrictions on proprietary trading and covered fund activities and investments set forth in section 13 of the BHC Act and this part.

a. This compliance program must:

1. Be reasonably designed to identify, document, monitor, and report the permitted trading and covered fund activities and investments of the banking entity; identify, monitor and promptly address the risks of these covered activities and investments and potential areas of noncompliance; and prevent activities or investments prohibited by, or that do not comply with, section 13 of the BHC Act and this part;

2. Establish and enforce appropriate limits on the covered activities and investments of the banking entity, including limits on the size, scope, complexity, and risks of the individual activities or investments consistent with the requirements of section 13 of the BHC Act and this part;

3. Subject the effectiveness of the compliance program to periodic independent review and testing, and ensure that the entity's internal audit, corporate compliance and internal control functions involved in review and testing are effective and independent;

4. Make senior management, and others as appropriate, accountable for the effective implementation of the compliance program, and ensure that the board of directors and chief executive officer (or equivalent) of the banking entity review the effectiveness of the compliance program; and

5. Facilitate supervision and examination by the Agencies of the banking entity's permitted trading and covered fund activities and investments.

II. Enhanced Compliance Program

a. Proprietary Trading Activities. A banking entity must establish, maintain and enforce a compliance program that includes written policies and procedures that are appropriate for the types, size, and complexity of, and risks associated with, its permitted trading activities. The compliance program may be tailored to the types of trading activities conducted by the banking entity, and must include a detailed description of controls established by the banking entity to reasonably ensure that its trading activities are conducted in accordance with the requirements and limitations applicable to those trading activities under section 13 of the BHC Act and this part, and provide for appropriate revision of the compliance program before expansion of the trading activities of the banking entity. A banking entity must devote adequate resources and use knowledgeable personnel in conducting, supervising and managing its trading activities, and promote consistency, independence and rigor in implementing its risk controls and compliance efforts. The compliance program must be updated with a frequency sufficient to account for changes in the activities of the banking entity, results of independent testing of the program, identification of weaknesses in the program, and changes in legal, regulatory or other requirements.

1. Trading Desks: The banking entity must have written policies and procedures governing each trading desk that include a description of:

i. The process for identifying, authorizing and documenting financial instruments each trading desk may purchase or sell, with separate documentation for market making-related activities conducted in reliance on § 44.4(b) and for hedging activity conducted in reliance on § 44.5;

ii. A mapping for each trading desk to the division, business line, or other organizational structure that is responsible for managing and overseeing the trading desk's activities;

iii. The mission (i.e., the type of trading activity, such as market-making, trading in sovereign debt, etc.) and strategy (i.e., methods for conducting authorized trading activities) of each trading desk;

iv. The activities that the trading desk is authorized to conduct, including (i) authorized instruments and products, and (ii) authorized hedging strategies, techniques and instruments;

v. The types and amount of risks allocated by the banking entity to each trading desk to implement the mission and strategy of the trading desk, including an enumeration of material risks resulting from the activities in which the trading desk is authorized to engage (including but not limited to price risks, such as basis, volatility and correlation risks, as well as counterparty credit risk). Risk assessments must take into account both the risks inherent in the trading activity and the strength and effectiveness of controls designed to mitigate those risks;

vi. How the risks allocated to each trading desk will be measured;

vii. Why the allocated risks levels are appropriate to the activities authorized for the trading desk;

viii. The limits on the holding period of, and the risk associated with, financial instruments under the responsibility of the trading desk;

ix. The process for setting new or revised limits, as well as escalation procedures for granting exceptions to any limits or to any policies or procedures governing the desk, the analysis that will be required to support revising limits or granting exceptions, and the process for independently reviewing and documenting those exceptions and the underlying analysis;

x. The process for identifying, documenting and approving new products, trading strategies, and hedging strategies;

xi. The types of clients, customers, and counterparties with whom the trading desk may trade; and

xii. The compensation arrangements, including incentive arrangements, for employees associated with the trading desk, which may not be designed to reward or incentivize prohibited proprietary trading or excessive or imprudent risk-taking.

2. Description of risks and risk management processes: The compliance program for the banking entity must include a comprehensive description of the risk management program for the trading activity of the banking entity. The compliance program must also include a description of the governance, approval, reporting, escalation, review and other processes the banking entity will use to reasonably ensure that trading activity is conducted in compliance with section 13 of the BHC Act and this part. Trading activity in similar financial instruments should be subject to similar governance, limits, testing, controls, and review, unless the banking entity specifically determines to establish different limits or processes and documents those differences. Descriptions must include, at a minimum, the following elements:

i. A description of the supervisory and risk management structure governing all trading activity, including a description of processes for initial and senior-level review of new products and new strategies;

ii. A description of the process for developing, documenting, testing, approving and reviewing all models used for valuing, identifying and monitoring the risks of trading activity and related positions, including the process for periodic independent testing of the reliability and accuracy of those models;

iii. A description of the process for developing, documenting, testing, approving and reviewing the limits established for each trading desk;

iv. A description of the process by which a security may be purchased or sold pursuant to the liquidity management plan, including the process for authorizing and monitoring such activity to ensure compliance with the banking entity's liquidity management plan and the restrictions on liquidity management activities in this part;

v. A description of the management review process, including escalation procedures, for approving any temporary exceptions or permanent adjustments to limits on the activities, positions, strategies, or risks associated with each trading desk; and

vi. The role of the audit, compliance, risk management and other relevant units for conducting independent testing of trading and hedging activities, techniques and strategies.

3. Authorized risks, instruments, and products. The banking entity must implement and enforce limits and internal controls for each trading desk that are reasonably designed to ensure that trading activity is conducted in conformance with section 13 of the BHC Act and this part and with the banking entity's written policies and procedures. The banking entity must establish and enforce risk limits appropriate for the activity of each trading desk. These limits should be based on probabilistic and non-probabilistic measures of potential loss (e.g., Value-at-Risk and notional exposure, respectively), and measured under normal and stress market conditions. At a minimum, these internal controls must monitor, establish and enforce limits on:

i. The financial instruments (including, at a minimum, by type and exposure) that the trading desk may trade;

ii. The types and levels of risks that may be taken by each trading desk; and

iii. The types of hedging instruments used, hedging strategies employed, and the amount of risk effectively hedged.

4. Hedging policies and procedures. The banking entity must establish, maintain, and enforce written policies and procedures regarding the use of risk-mitigating hedging instruments and strategies that, at a minimum, describe:

i. The positions, techniques and strategies that each trading desk may use to hedge the risk of its positions;

ii. The manner in which the banking entity will identify the risks arising in connection with and related to the individual or aggregated positions, contracts or other holdings of the banking entity that are to be hedged and determine that those risks have been properly and effectively hedged;

iii. The level of the organization at which hedging activity and management will occur;

iv. The manner in which hedging strategies will be monitored and the personnel responsible for such monitoring;

v. The risk management processes used to control unhedged or residual risks; and

vi. The process for developing, documenting, testing, approving and reviewing all hedging positions, techniques and strategies permitted for each trading desk and for the banking entity in reliance on § 44.5.

5. Analysis and quantitative measurements. The banking entity must perform robust analysis and quantitative measurement of its trading activities that is reasonably designed to ensure that the trading activity of each trading desk is consistent with the banking entity's compliance program; monitor and assist in the identification of potential and actual prohibited proprietary trading activity; and prevent the occurrence of prohibited proprietary trading. Analysis and models used to determine, measure and limit risk must be rigorously tested and be reviewed by management responsible for trading activity to ensure that trading activities, limits, strategies, and hedging activities do not understate the risk and exposure to the banking entity or allow prohibited proprietary trading. This review should include periodic and independent back-testing and revision of activities, limits, strategies and hedging as appropriate to contain risk and ensure compliance. In addition to the quantitative measurements reported by any banking entity subject to Appendix A to this part, each banking entity must develop and implement, to the extent appropriate to facilitate compliance with this part, additional quantitative measurements specifically tailored to the particular risks, practices, and strategies of its trading desks. The banking entity's analysis and quantitative measurements must incorporate the quantitative measurements reported by the banking entity pursuant to Appendix A (if applicable) and include, at a minimum, the following:

i. Internal controls and written policies and procedures reasonably designed to ensure the accuracy and integrity of quantitative measurements;

ii. Ongoing, timely monitoring and review of calculated quantitative measurements;

iii. The establishment of numerical thresholds and appropriate trading measures for each trading desk and heightened review of trading activity not consistent with those thresholds to ensure compliance with section 13 of the BHC Act and this part, including analysis of the measurement results or other information, appropriate escalation procedures, and documentation related to the review; and

iv. Immediate review and compliance investigation of the trading desk's activities, escalation to senior management with oversight responsibilities for the applicable trading desk, timely notification to the OCC, appropriate remedial action (e.g., divesting of impermissible positions, cessation of impermissible activity, disciplinary actions), and documentation of the investigation findings and remedial action taken when quantitative measurements or other information, considered together with the facts and circumstances, or findings of internal audit, independent testing or other review suggest a reasonable likelihood that the trading desk has violated any part of section 13 of the BHC Act or this part.

6. Other Compliance Matters. In addition to the requirements specified above, the banking entity's compliance program must:

i. Identify activities of each trading desk that will be conducted in reliance on exemptions contained in §§ 44.4 through 44.6, including an explanation of:

A. How and where in the organization the activity occurs; and

B. Which exemption is being relied on and how the activity meets the specific requirements for reliance on the applicable exemption;

ii. Include an explanation of the process for documenting, approving and reviewing actions taken pursuant to the liquidity management plan, where in the organization this activity occurs, the securities permissible for liquidity management, the process for ensuring that liquidity management activities are not conducted for the purpose of prohibited proprietary trading, and the process for ensuring that securities purchased as part of the liquidity management plan are highly liquid and conform to the requirements of this part;

iii. Describe how the banking entity monitors for and prohibits potential or actual material exposure to high-risk assets or high-risk trading strategies presented by each trading desk that relies on the exemptions contained in §§ 44.3(d)(3), and 44.4 through 44.6, which must take into account potential or actual exposure to:

A. Assets whose values cannot be externally priced or, where valuation is reliant on pricing models, whose model inputs cannot be externally validated;

B. Assets whose changes in value cannot be adequately mitigated by effective hedging;

C. New products with rapid growth, including those that do not have a market history;

D. Assets or strategies that include significant embedded leverage;

E. Assets or strategies that have demonstrated significant historical volatility;

F. Assets or strategies for which the application of capital and liquidity standards would not adequately account for the risk; and

G. Assets or strategies that result in large and significant concentrations to sectors, risk factors, or counterparties;

iv. Establish responsibility for compliance with the reporting and recordkeeping requirements of subpart B and § 44.20; and

v. Establish policies for monitoring and prohibiting potential or actual material conflicts of interest between the banking entity and its clients, customers, or counterparties.

7. Remediation of violations. The banking entity's compliance program must be reasonably designed and established to effectively monitor and identify for further analysis any trading activity that may indicate potential violations of section 13 of the BHC Act and this part and to prevent actual violations of section 13 of the BHC Act and this part. The compliance program must describe procedures for identifying and remedying violations of section 13 of the BHC Act and this part, and must include, at a minimum, a requirement to promptly document, address and remedy any violation of section 13 of the BHC Act or this part, and document all proposed and actual remediation efforts. The compliance program must include specific written policies and procedures that are reasonably designed to assess the extent to which any activity indicates that modification to the banking entity's compliance program is warranted and to ensure that appropriate modifications are implemented. The written policies and procedures must provide for prompt notification to appropriate management, including senior management and the board of directors, of any material weakness or significant deficiencies in the design or implementation of the compliance program of the banking entity.

b. Covered Fund Activities or Investments. A banking entity must establish, maintain and enforce a compliance program that includes written policies and procedures that are appropriate for the types, size, complexity and risks of the covered fund and related activities conducted and investments made, by the banking entity.

1. Identification of covered funds. The banking entity's compliance program must provide a process, which must include appropriate management review and independent testing, for identifying and documenting covered funds that each unit within the banking entity's organization sponsors or organizes and offers, and covered funds in which each such unit invests. In addition to the documentation requirements for covered funds, as specified under § 44.20(e), the documentation must include information that identifies all pools that the banking entity sponsors or has an interest in and the type of exemption from the Commodity Exchange Act (whether or not the pool relies on section 4.7 of the regulations under the Commodity Exchange Act), and the amount of ownership interest the banking entity has in those pools.

2. Identification of covered fund activities and investments. The banking entity's compliance program must identify, document and map each unit within the organization that is permitted to acquire or hold an interest in any covered fund or sponsor any covered fund and map each unit to the division, business line, or other organizational structure that will be responsible for managing and overseeing that unit's activities and investments.

3. Explanation of compliance. The banking entity's compliance program must explain how:

i. The banking entity monitors for and prohibits potential or actual material conflicts of interest between the banking entity and its clients, customers, or counterparties related to its covered fund activities and investments;

ii. The banking entity monitors for and prohibits potential or actual transactions or activities that may threaten the safety and soundness of the banking entity related to its covered fund activities and investments; and

iii. The banking entity monitors for and prohibits potential or actual material exposure to high-risk assets or high-risk trading strategies presented by its covered fund activities and investments, taking into account potential or actual exposure to:

A. Assets whose values cannot be externally priced or, where valuation is reliant on pricing models, whose model inputs cannot be externally validated;

B. Assets whose changes in values cannot be adequately mitigated by effective hedging;

C. New products with rapid growth, including those that do not have a market history;

D. Assets or strategies that include significant embedded leverage;

E. Assets or strategies that have demonstrated significant historical volatility;

F. Assets or strategies for which the application of capital and liquidity standards would not adequately account for the risk; and

G. Assets or strategies that expose the banking entity to large and significant concentrations with respect to sectors, risk factors, or counterparties;

4. Description and documentation of covered fund activities and investments. For each organizational unit engaged in covered fund activities and investments, the banking entity's compliance program must document:

i. The covered fund activities and investments that the unit is authorized to conduct;

ii. The banking entity's plan for actively seeking unaffiliated investors to ensure that any investment by the banking entity conforms to the limits contained in § 44.12 or registered in compliance with the securities laws and thereby exempt from those limits within the time periods allotted in§ 44.12; and

iii. How it complies with the requirements of subpart C.

5. Internal Controls. A banking entity must establish, maintain, and enforce internal controls that are reasonably designed to ensure that its covered fund activities or investments comply with the requirements of section 13 of the BHC Act and this part and are appropriate given the limits on risk established by the banking entity. These written internal controls must be reasonably designed and established to effectively monitor and identify for further analysis any covered fund activity or investment that may indicate potential violations of section 13 of the BHC Act or this part. The internal controls must, at a minimum require:

i. Monitoring and limiting the banking entity's individual and aggregate investments in covered funds;

ii. Monitoring the amount and timing of seed capital investments for compliance with the limitations under subpart C (including but not limited to the redemption, sale or disposition requirements) of § 44.12, and the effectiveness of efforts to seek unaffiliated investors to ensure compliance with those limits;

iii. Calculating the individual and aggregate levels of ownership interests in one or more covered fund required by § 44.12;

iv. Attributing the appropriate instruments to the individual and aggregate ownership interest calculations above;

v. Making disclosures to prospective and actual investors in any covered fund organized and offered or sponsored by the banking entity, as provided under § 44.11(a)(8);

vi. Monitoring for and preventing any relationship or transaction between the banking entity and a covered fund that is prohibited under § 44.14, including where the banking entity has been designated as the sponsor, investment manager, investment adviser, or commodity trading advisor to a covered fund by another banking entity; and

vii. Appropriate management review and supervision across legal entities of the banking entity to ensure that services and products provided by all affiliated entities comply with the limitation on services and products contained in § 44.14.

6. Remediation of violations. The banking entity's compliance program must be reasonably designed and established to effectively monitor and identify for further analysis any covered fund activity or investment that may indicate potential violations of section 13 of the BHC Act or this part and to prevent actual violations of section 13 of the BHC Act and this part. The banking entity's compliance program must describe procedures for identifying and remedying violations of section 13 of the BHC Act and this part, and must include, at a minimum, a requirement to promptly document, address and remedy any violation of section 13 of the BHC Act or this part, including § 44.21, and document all proposed and actual remediation efforts. The compliance program must include specific written policies and procedures that are reasonably designed to assess the extent to which any activity or investment indicates that modification to the banking entity's compliance program is warranted and to ensure that appropriate modifications are implemented. The written policies and procedures must provide for prompt notification to appropriate management, including senior management and the board of directors, of any material weakness or significant deficiencies in the design or implementation of the compliance program of the banking entity.

III. Responsibility and Accountability for the Compliance Program

a. A banking entity must establish, maintain, and enforce a governance and management framework to manage its business and employees with a view to preventing violations of section 13 of the BHC Act and this part. A banking entity must have an appropriate management framework reasonably designed to ensure that: appropriate personnel are responsible and accountable for the effective implementation and enforcement of the compliance program; a clear reporting line with a chain of responsibility is delineated; and the compliance program is reviewed periodically by senior management. The board of directors (or equivalent governance body) and senior management should have the appropriate authority and access to personnel and information within the organizations as well as appropriate resources to conduct their oversight activities effectively.

1. Corporate governance. The banking entity must adopt a written compliance program approved by the board of directors, an appropriate committee of the board, or equivalent governance body, and senior management.

2. Management procedures. The banking entity must establish, maintain, and enforce a governance framework that is reasonably designed to achieve compliance with section 13 of the BHC Act and this part, which, at a minimum, provides for:

i. The designation of appropriate senior management or committee of senior management with authority to carry out the management responsibilities of the banking entity for each trading desk and for each organizational unit engaged in covered fund activities;

ii. Written procedures addressing the management of the activities of the banking entity that are reasonably designed to achieve compliance with section 13 of the BHC Act and this part, including:

A. A description of the management system, including the titles, qualifications, and locations of managers and the specific responsibilities of each person with respect to the banking entity's activities governed by section 13 of the BHC Act and this part; and

B. Procedures for determining compensation arrangements for traders engaged in underwriting or market making-related activities under § 44.4 or risk-mitigating hedging activities under § 44.5 so that such compensation arrangements are designed not to reward or incentivize prohibited proprietary trading and appropriately balance risk and financial results in a manner that does not encourage employees to expose the banking entity to excessive or imprudent risk.

3. Business line managers. Managers with responsibility for one or more trading desks of the banking entity are accountable for the effective implementation and enforcement of the compliance program with respect to the applicable trading desk(s).

4. Board of directors, or similar corporate body, and senior management. The board of directors, or similar corporate body, and senior management are responsible for setting and communicating an appropriate culture of compliance with section 13 of the BHC Act and this part and ensuring that appropriate policies regarding the management of trading activities and covered fund activities or investments are adopted to comply with section 13 of the BHC Act and this part. The board of directors or similar corporate body (such as a designated committee of the board or an equivalent governance body) must ensure that senior management is fully capable, qualified, and properly motivated to manage compliance with this part in light of the organization's business activities and the expectations of the board of directors. The board of directors or similar corporate body must also ensure that senior management has established appropriate incentives and adequate resources to support compliance with this part, including the implementation of a compliance program meeting the requirements of this appendix into management goals and compensation structures across the banking entity.

5. Senior management. Senior management is responsible for implementing and enforcing the approved compliance program. Senior management must also ensure that effective corrective action is taken when failures in compliance with section 13 of the BHC Act and this part are identified. Senior management and control personnel charged with overseeing compliance with section 13 of the BHC Act and this part should review the compliance program for the banking entity periodically and report to the board, or an appropriate committee thereof, on the effectiveness of the compliance program and compliance matters with a frequency appropriate to the size, scope, and risk profile of the banking entity's trading activities and covered fund activities or investments, which shall be at least annually.

6. CEO attestation. Based on a review by the CEO of the banking entity, the CEO of the banking entity must, annually, attest in writing to the OCC that the banking entity has in place processes to establish, maintain, enforce, review, test and modify the compliance program established under this Appendix and § 44.20 of this part in a manner reasonably designed to achieve compliance with section 13 of the BHC Act and this part. In the case of a U.S. branch or agency of a foreign banking entity, the attestation may be provided for the entire U.S. operations of the foreign banking entity by the senior management officer of the United States operations of the foreign banking entity who is located in the United States.

IV. Independent Testing

a. Independent testing must occur with a frequency appropriate to the size, scope, and risk profile of the banking entity's trading and covered fund activities or investments, which shall be at least annually. This independent testing must include an evaluation of:

1. The overall adequacy and effectiveness of the banking entity's compliance program, including an analysis of the extent to which the program contains all the required elements of this appendix;

2. The effectiveness of the banking entity's internal controls, including an analysis and documentation of instances in which such internal controls have been breached, and how such breaches were addressed and resolved; and

3. The effectiveness of the banking entity's management procedures.

b. A banking entity must ensure that independent testing regarding the effectiveness of the banking entity's compliance program is conducted by a qualified independent party, such as the banking entity's internal audit department, compliance personnel or risk managers independent of the organizational unit being tested, outside auditors, consultants, or other qualified independent parties. A banking entity must promptly take appropriate action to remedy any significant deficiencies or material weaknesses in its compliance program and to terminate any violations of section 13 of the BHC Act or this part.

V. Training

Banking entities must provide adequate training to personnel and managers of the banking entity engaged in activities or investments governed by section 13 of the BHC Act or this part, as well as other appropriate supervisory, risk, independent testing, and audit personnel, in order to effectively implement and enforce the compliance program. This training should occur with a frequency appropriate to the size and the risk profile of the banking entity's trading activities and covered fund activities or investments.

VI. Recordkeeping

Banking entities must create and retain records sufficient to demonstrate compliance and support the operations and effectiveness of the compliance program. A banking entity must retain these records for a period that is no less than 5 years or such longer period as required by the OCC in a form that allows it to promptly produce such records to the OCC on request.