Last month, the Office of the Comptroller of the Currency (the “OCC”) issued a revised handbook on regulatory reporting by federally chartered banks (the “Reporting Handbook”).1 The Reporting Handbook applies to national banks, federal savings associations and federal branches and agencies of foreign banking organizations, which are collectively referred to as “banks” for purposes of this Legal Update. This is the first revision to the OCC’s handbook for regulatory reporting since 1990.
Each bank must file several types of regulatory reports with the OCC, including with respect to the bank’s financial condition, the results of its operations and risk exposure.2 One of the most common regulatory reports is the quarterly Consolidated Reports of Condition and Income (“call report”), which banking regulators, including the OCC, use to assess a bank’s financial condition. The accuracy of the information in regulatory reports, particularly in call reports, is important because reports often are used by regulators to make supervisory determinations and may be made publicly available to investors, depositors and creditors.
The Reporting Handbook conveys extensive new guidance on the OCC’s expectations for how banks will manage the risks associated with regulatory reporting and when a bank will be required to file an amended report. While the Reporting Handbook is supervisory guidance that lacks the force of law, banks should review it closely to understand the framework that examiners will use to evaluate their operations, particularly with respect to risk management.3
In this Legal Update, we summarize the highlights in the Reporting Handbook.
The prior version of the reporting handbook contained a brief section addressing when a bank would be required to file amended regulatory reports. That section contained low thresholds at which the OCC would presume a significant error existed on a call report, but also deferred to securities law cases for the criteria for determining whether an error was material to other types of regulatory reporting.4
The Reporting Handbook replaces the prior approach with a significantly more detailed section on amended reports. The new section uses one set of criteria to assess errors on all types of reports and does not contain absolute thresholds. The new section indicates that OCC examiners will use quantitative and qualitative analyses to determine whether an error is material, and will be guided by accounting standards when making that determination.
The new section also indicates that amendments may need to be made to earlier reports and that a bank may proactively decide to amend a report, even if the OCC has not required any amendments. The new section directs examiners to consider the root cause of errors and their materiality when evaluating further action against a bank and defers to the OCC's guidance for civil money penalties for the determination of whether the OCC will invoke its authority under 12 U.S.C. § 1818(i) for call report-related violations.
The prior version of the reporting handbook contained a brief section that indicated banks should have an efficient internal control program to ensure that regulatory reports are accurate and filed on time. Reflecting the OCC’s ever-increasing focus on risk management, the Reporting Handbook contains extensive discussions on the risk categories implicated by regulatory reporting and the appropriate type of risk management system that a bank should adopt.
The section on risk management categories is familiar to those who have read recent OCC handbooks and indicates that operational, compliance, strategic and reputation risks are the primary risk categories associated with regulatory reporting. While other categories may arise in reporting, these clearly are the areas on which the OCC is most focused.
The section on appropriate risk management systems states that a bank should implement an appropriate risk management system for regulatory reporting that is commensurate with its size, complexity and scope of operations. The new section also explains that a bank's board of directors should establish an appropriate governance structure to “foster an environment that prioritizes compliance with applicable regulatory reporting requirements,” which typically includes board review of information regarding regulatory reporting.
The Reporting Handbook indicates that a sound risk management system will include appropriate internal controls and information systems for regulatory reporting, and the bank’s risk management practices should include appropriate change management for affected processes and systems related to new or updated regulatory reporting requirements. Further, internal controls for regulatory reporting generally should include separation of duties, dual controls, independent reconcilements and data quality standards.
The Reporting Handbook lists the elements that the OCC will expect to see in a bank’s policies and procedures for regulatory reporting and states that effective governance includes separate designations of responsibility for the preparation of reports and the review of reports for accuracy and compliance issues. The OCC also expects banks to maintain appropriate work papers and other records to support and document the information in filed reports and to integrate regulatory reporting into the three lines of defense (i.e., quality control and assurance by the second line or an independent third party and audit by the third line or an external auditor).
Finally, the OCC notes that some banks use third parties to assist with the preparation, review and filing of regulatory reports or in aspects of these activities. For example, a bank may use a third party to perform quality control or quality assurance reviews. A bank may also engage a third party to perform an audit of the bank’s regulatory reporting processes. These third-party relationships should be included in the bank’s overall third-party risk management processes.
Banks generally are familiar with their reporting requirements. However, there are dozens of potentially applicable filings, and the report instructions often are dozens or hundreds of pages long. Further, report preparation typically involves complex analysis and determinations by business, accounting and legal personnel. This frequently results in questions from banks regarding the applicability of various reporting requirements, which also can implicate late-reporting concerns, and the interpretation of instructions. These inquiries often require collaboration among outside counsel, internal counsel and consultants to assist banks in conducting retrospective report reviews and uplifting their reporting risk management programs. Banks therefore should consider how their current reporting programs stand up to the OCC’s new supervisory expectations, particularly if a bank has recently entered new lines of business or grown significantly in size.
For more information about any of the issues raised in this Legal Update, please reach out to any of the authors listed above or your regular Mayer Brown contact.
1 OCC, Bull. 2021-44 (Sept. 22, 2021), https://www.occ.gov/news-issuances/bulletins/2021/bulletin-2021-44.html.
3 12 C.F.R. pt. 4, subpt. F, app. A (statement clarifying the role of supervisory guidance); see also, 12 C.F.R. § 7.2010 (“refer to OCC published guidance for additional information regarding responsibilities of directors”).
4 The Reporting Handbook omits discussion of several types of securities law-related reports that were addressed in the prior handbook and does not address a bank’s reporting obligations under Part 363 of the rules of the Federal Deposit Insurance Corporation. These reporting obligations continue to apply to banks unless otherwise indicated by the relevant regulatory authority.