
Commercial Bank


Division of Banking Supervision and Regulation

Fourth Printing, March 1994

Inquiries or comments relating to the contents of this manual should be addressed to:

Director, Division of Banking Supervision and Regulation
Board of Governors of the Federal Reserve System
Washington, D.C. 20551

Copies of this manual may be obtained from:

Publications Fulfillment
Mail Stop 127
Board of Governors of the Federal Reserve System
Washington, D.C. 20551

The manual is updated twice a year.

For information about ordering manuals and updates,
please call 202-452-3244.
Commercial Bank Examination Manual
Supplement 31—April 2009

Summary of Changes

Section 3020.1

This section, “Assessment of Capital Adequacy,” was revised to include a reference to the guidance issued in SR-09-1, “Application of the Market-Risk Rule in Bank Holding Companies and State Member Banks.” This guidance assists banks in assessing market risk, but primarily ensures that banks apply the market-risk rule (12 CFR 208, appendix E) appropriately and consistently. The market-risk rule emphasizes the need for appropriate stress testing and independent market-risk management commensurate with the organization’s risk profiles. Banking organizations are to periodically reassess and adjust their market-risk management programs to account for changing firm strategies, market developments, organizational incentive structures, and evolving risk-management techniques. Specifically, SR-09-1 discusses (1) the core requirements of the market-risk rule, (2) the market-risk rule capital computational requirements, and (3) the communication and Federal Reserve requirements in order for a bank to use its value-at-risk measurement models.

Section 4125.1

This section, “Payment System Risk and Electronic Funds Transfer Activities,” has been revised to update the information on the different types of payment systems such as the Clearing House Interbank Payment System (CHIPS), automated clearinghouse (ACH), and Fedwire Securities Services. On December 19, 2008, the Board adopted major revisions to the “Federal Reserve Policy on Payment System Risk” (PSR policy). Revisions were made to part II of the PSR policy involving intraday credit policies. This section includes this revised guidance, which is designed to improve intraday liquidity management and payment flows for the banking system, while also helping to mitigate the credit exposures to the Federal Reserve Banks from daylight overdrafts. The PSR policy adopts a new approach that explicitly recognizes the role of the central bank in providing intraday balances and credit to healthy depository institutions predominately through zero fee collateralized daylight overdrafts. The section also includes a discussion of adjusting net debit caps and other changes dealing with daylight overdrafts. For more information on the PSR policy changes see the Board’s December 19, 2008, press release. See also 73 Fed. Reg. 79109, December 24, 2008.

Sections 5017.1, 5017.2, and 5017.3

These new sections, “Internal Controls—Procedures, Processes, and Systems (Required Absences from Sensitive Positions),” have been created to assist examiners in evaluating internal controls policies that pertain to procedures, processes, and systems. The sections provide a brief discussion on internal controls, which are the processes developed by a bank’s board and senior management that ensure the institution (1) operates effectively and efficiently, (2) creates reliable financial reports, and (3) complies with applicable laws and regulations.

In particular, the sections discuss requiring absences for two consecutive weeks per year of the bank’s employees that hold sensitive positions. Examples of sensitive activities include trading and wire transfer operations, back-office responsibilities, executing transactions, signing authority, and accessing the books and records of the banking organization. Individuals who can influence or cause such activities to occur should be absent for the minimum period, and the absence should, under all circumstances, be of sufficient duration to allow all pending transactions (those that the absent employee was responsible for initiating or processing) to clear, and to provide for an independent monitoring of those transactions. See SR-96-27.

Sections 7040.1, 7040.2, 7040.3, and 7040.4

The sections, “International—Country Risk and Transfer Risk,” include the guidance issued in SR-08-12, “Revisions to the Guide to the Interagency Country Exposure Review Committee (ICERC) Process” and its attachments. The new guidance discusses the November 2008 changes to the ICERC country rating process, whose main feature is the rating of countries only when in default. Default occurs when a country is not complying with its external debt-service obligations or is unable to service the existing loan according to its terms (as evidenced by the failure to pay principal and interest fully and on time), arrearages, forced restructuring, or rollovers. The Federal Reserve and the other banking agencies have also eliminated the following rating categories: Other Transfer Risk Problems, Weak, Moderately Strong, and Strong.


Remove Insert

Table of Contents, pages 1-2 Table of Contents, pages 1-2

3020.1, pages 1-2 3020.1, pages 1-2

pages 7-10.2 pages 7-10.2

4060.1, pages 1-2 4060.1, pages 1-2

pages 7-8.3 pages 7-8.3

4125.1, pages 1-22 4125.1, pages 1-23

5017.1, pages 1-2

5017.2, page 1

5017.3, page 1

6010.1, pages 1-2 6010.1, pages 1-2

7000.0, page 1 7000.0, page 1

7010.1, pages 1-2 7010.1, pages 1-2

pages, 19-20 pages, 19-20

7040.1, pages 1-7 7040.1, pages 1-7

7040.2, pages 1-2 7040.2, page 1

7040.3, pages 1-8 7040.3, pages 1-7

7040.4, pages 1-2 7040.4, pages 1-2

Subject Index, pages 1-19 Subject Index, pages 1-20

Commercial Bank Examination Manual
Supplement 30—October 2008

Summary of Changes

Section 3020.1

The section “Assessment of Capital Adequacy” is revised to reference (1) the Board staff’s October 12, 2007, legal interpretation regarding the risk-based capital treatment of asset-backed commercial paper (ABCP) liquidity facilities and (2) the Board staff’s August 21, 2007, legal interpretation regarding the appropriate risk-based capital risk weight to be applied to certain collateralized loans of cash.

Section 4030.1

The section on “Asset Securitization” is revised to (1) indicate that a banking organization may risk weight the credit equivalent amount of an eligible ABCP liquidity facility by looking through to the underlying assets of the ABCP conduit and (2) reference the aforementioned Board staff’s October 12, 2007, legal interpretation.

Sections 4060.1–4060.4

The sections on “Information Technology” have been revised to incorporate the November 9, 2007, adoption of the interagency rules, “Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003,” (the FACT Act) and guidelines issued by the federal financial institution regulatory agencies and the Federal Trade Commission. The rule and guidelines implement sections 114 and 315 of the FACT Act. (For the Federal Reserve Board’s rule, implementing section 315, see Part 222—Fair Credit Reporting (Regulation V and its appendix J).) The rule and guidelines address three elements: (1) duties of users of credit reports regarding address discrepancies; (2) duties regarding the detection, prevention, and mitigation of identity theft (implementation of an Identity Theft Prevention Program); and (3) duties of credit and debit card issuers regarding changes of address. The joint rules and guidelines were effective on January 1, 2008. The date for mandatory compliance with the rule was November 1, 2008. The sections have been revised to incorporate the rule’s provisions that focus on a financial institution’s safety and soundness (in particular, item 2 above). The examination objectives, examination procedures, and internal control questionnaire have been revised to incorporate the rule and its guidelines. See also the October 10, 2008, letter (SR-08-7/CA 08-10) and its interagency-generated attachments.

Section 4150.1

The section on the “Review of Regulatory Reports” was revised significantly to include a more current discussion of the institution’s general and specific responsibilities, and the examiner’s review responsibilities, with regard to regulatory financial reports and refilings submitted to the Federal Reserve and other federal agencies, such as the Securities and Exchange Commission and the U.S. Department of the Treasury. Many of the reports’ general instructions and descriptions have been revised and made current, including those pertaining to the submission of the bank Call Report. The section clarifies the various monetary deposit transaction reporting categories applicable to depository institutions, as found in the Federal Reserve’s “Reserve Requirements of Depository Institutions” (Regulation D). The report titles and descriptions of domestic and international transactions and activities that are to be reported have been updated. In addition, a listing of U.S. Department of Treasury reports—reports that are applicable to institutions regulated and supervised by the Federal Reserve Board—has been updated.



Remove Insert

Table of Contents, pages 1–2 Table of Contents, pages 1–2

1000.1, pages 1–2 1000.1, pages 1–2

1010.1, pages 1–2 1010.1, pages 1–2

pages 29–30 pages 29–30

2020.1, pages 1–2 2020.1, pages 1–2

pages 8.11–10 pages 8.11–10

2040.1, pages 1–2 2040.1, pages 1–2

pages 5–6 pages 5–6
pages 8.1–8.2 pages 8.1–8.2

3010.1, pages 1–4 3010.1, pages 1–4

3010.3, pages 1–2 3010.3, pages 1–2

3020.1, pages 1–4 3020.1, pages 1–4

pages 7–10.2 pages 7–10.2
pages 37–38 pages 37–38

4030.1, pages 1–4 4030.1, pages 1–4

pages 19–22.2 pages 19–22.2

4060.1, pages 1–2 4060.1, pages 1–2

pages 7–8 pages 7–8.3

4060.2, page 1 4060.2, page 1

4060.3, pages 1–2 4060.3, pages 1–2

4060.4, pages 1–4 4060.4, pages 1–5

4090.3, pages 1–2 4090.3, pages 1–2

4128.1, pages 1–2 4128.1, pages 1–2

pages 15–16 pages 15–16

4140.1, pages 1–2 4140.1, pages 1–2

4150.1, pages 1–9 4150.1, pages 1–11

7030.3, pages 1–6 7030.3, pages 1–7

Subject Index, pages 1–19 Subject Index, pages 1–19

Commercial Bank Examination Manual
Supplement 29—April 2008

Summary of Changes

Section 1000.1

This section, “Examination Strategy and Risk-Focused Supervision,” has been revised to (1) state that under section 11(a)(1) of the Federal Reserve Act, examiners and supervisory staff have the authority to examine at their discretion the accounts, books, and affairs of each member bank and to require such statements and reports as it may deem necessary; (2) include the use of standard terminology in examination reporting for matters that require the Board’s attention; and (3) provide a discussion of the prohibition on the release of confidential information and any agreements that would authorize the release of this information. (See SR-07-19 and SR-97-17; also 72 Fed. Reg. 17,798.)

Section 1010.1

This section on “Internal Control and Audit Function, Oversight, and Outsourcing” was revised to include the provisions of the FDIC’s November 2005 rule change to Part 363 (12 CFR 363) (effective December 28, 2005). The changes increased the asset threshold from $500 million to $1 billion or more for internal control assessments by the institution’s management and its external auditors. For institutions having between $500 million and $1 billion in assets, the requirements for audit committees’ independence and composition were eased to require a majority, rather than all, of the outside audit committee members to be independent of management. Previously, similar revisions to section 1010.1 were made for some of the FDIC’s changes. For example, see footnote 4. (See also the May 2006 supplement 25.)

Section 5020.1

The section on “The Overall Conclusions Regarding Condition of the Bank” has been revised to refer to SR-07-19, “Confidentiality Provisions in Third-Party Agreements,” and to delete superseded SR-98-21. The listing of examples of off-balance-sheet activities that a bank may be engaged in, and the various risks that a bank may be exposed to, have been updated and expanded. Reference is added for the Uniform Financial Institutions Rating System (the CAMELS rating system).

Section 6000.1

The “Commercial Bank Report of Examination” section has been revised to include changes to the Federal Reserve’s examination report’s instructions for the use of standardized terminology that may involve the “Matters Requiring Board Attention” report page or section. To improve the consistency and clarity of written communications, the Federal Reserve’s staff will use the standard terminology and definitions to differentiate among (1) Matters Requiring Immediate Attention, (2) Matters Requiring Attention, and (3) Observations. (See SR-08-01, “Communication of Examination/Inspection Findings.”) Other limited general and technical changes have been made to the examination report’s instructions to allow for “continuous flow” reporting format. References to several Supervision and Regulation letters and other references have been added, while others were deleted as either being superseded or cancelled.


Remove Insert

1000.1, pages 1–10.1 1000.1, pages 1–10.2

pages 17–18 pages 17–18

1010.1, pages 1–6.1 1010.1, pages 1–6.2

2010.1, pages 1–3 2010.1, pages 1–3

2020.1, pages 1–2 2020.1, pages 1–2

pages 15–16 pages 15–16
pages 25–28 pages 25–28

3020.1, pages 1–2 3020.1, pages 1–2

pages 5–6 pages 5–6

4043.1, pages 1–2 4043.1, pages 1–2

pages 21–22 pages 21–22

4170.1, pages 1–9 4170.1, pages 1–9

5020.1, pages 1–6 5020.1, pages 1–6

6000.1, pages 1–16, 16.1–16.2

6000.1, pages 1–36
pages 17–36

7010.1, pages 1–26 7010.1, pages 1–26

7100.1, pages 1–4 7100.1, pages 1–4

pages 11–14 pages 11–14

Subject Index, pages 1–19 Subject Index, pages 1–19

Commercial Bank Examination Manual
Supplement 28—October 2007

Summary of Changes

Section 1000.1

This section, “Examination Strategy and Risk-Focused Supervision,” has been revised to accommodate changes to the “Examination-Frequency Guidelines for State Member Banks” subsection. The changes resulted from an interim rule, effective April 10, 2007, that was jointly issued by the Federal Reserve Board and the other federal bank regulatory agencies (the agencies). The interim rule implemented (1) section 605 of the Financial Services Regulatory Relief Act of 2006 (FSRRA) and (2) Public Law 109-473 (to be codified at 12 USC 1820(d)). The interim rule was adopted as final, without change, on September 11, 2007. (See 72 Fed. Reg. 54347, September 25, 2007.)

The rule permits federally insured depository institutions that have up to $500 million in total assets and that meet certain other criteria to qualify for an 18-month (rather than a 12-month) on-site examination cycle. Before the enactment of FSRRA, only insured depository institutions that had less than $250 million in total assets were eligible for an 18-month on-site examination cycle. The rule specifies, consistent with current practice, that a small insured depository institution meets the statutory “well managed” criteria for an 18-month examination cycle if the institution, besides having a CAMELS composite rating of 1 or 2, received a rating of 1 or 2 for the management component of the CAMELS rating at its most recent examination. (See SR-07-8 and its attachment, 72 Fed. Reg. 17798.)

Sections 2103.2–2103.4

These updated sections provide the examination objectives, examination procedures, and internal control questionnaire for section 2103.1, “Concentrations in Commercial Real Estate Lending, Sound Risk-Management Practices” (added in the May 2007 update to this manual). Section 2103.1 set forth the December 6, 2006, supervisory guidance that was jointly issued by the agencies. The guidance was effective December 12, 2006, and is applicable to state member banks; it is also broadly applicable to bank holding companies and their nonbank subsidiaries. (See SR-07-1 and its attachments.)

Section 2135.1

This new section, “Subprime Mortgage Lending,” sets forth the June 29, 2007, interagency Statement on Subprime Mortgage Lending that was issued by the agencies. The subprime statement was developed and issued to address issues and questions related to certain adjustable-rate mortgage (ARM) products marketed to subprime borrowers. The statement applies to all banks and their subsidiaries as well as to bank holding companies and their nonbank subsidiaries.

The subprime statement emphasizes the need for institutions to have prudent underwriting standards and to provide consumers with clear and balanced information so that both the institution and consumers can assess the risks arising from certain ARM products that have discounted or low introductory rates. The statement is focused on these types of ARMs and uses the interagency Expanded Guidance for Subprime Lending issued in 2001 in order to determine subprime-borrower characteristics. Although the statement is focused on subprime borrowers, the principles in the statement are also relevant to ARM products offered to nonsubprime borrowers. (See SR-07-12 and its attachment.)

Sections 3030.1–3030.4

These new sections, “Assessing Risk-Based Capital—Direct-Credit Substitutes Extended to Asset-Backed Commercial Paper Programs,” consist of interagency guidance issued in March 2005. That guidance was based on the Board’s adoption of the November 29, 2001, amended risk-based capital standards. The standards established a new capital framework for banking organizations engaged in securitization activities. The interagency guidance clarifies how banking organizations are to use the internal ratings they assign to asset pools purchased by their asset-backed commercial paper (ABCP) programs in order to appropriately risk-weight any direct-credit substitutes (for example, guarantees) that are extended to such programs. Examination objectives, examination procedures, and an internal control questionnaire are included.

The guidance provides an analytical framework for assessing the broad risk characteristics of direct-credit substitutes that a banking organization provides to an ABCP program it sponsors. Specific information is provided on evaluating direct-credit substitutes issued in the form of program-wide credit enhancements. (See SR-05-6.)

Section 4033.1

This new section, “Elevated-Risk Complex Structured Finance Activities,” sets forth the January 11, 2007, Interagency Statement on Sound Practices Concerning Elevated Risk Complex Structured Finance Activities. This supervisory guidance addresses risk-management principles that should help institutions to identify, evaluate, and manage the heightened legal and reputational risks that may arise from their involvement in complex structured financing transactions (CSFTs). The guidance is focused on those CSFTs that may present heightened levels of legal or reputational risk to an institution and are thus defined as “elevated-risk CSFTs.” Such transactions typically are conducted by a limited number of large financial institutions. (See SR-07-05 and 72 Fed. Reg. 1372, January 11, 2007.)

Section 6010.1

This section, “Other Types of Examinations,” has been revised to discuss the responsibilities Reserve Bank staff have in the examination and supervision of, and the reporting for, an institution’s compliance with the Government Securities Act. Reserve Bank staff should report only those findings derived from the examinations of government securities broker or dealer operations of state member banks, branches, or agencies subject to Federal Reserve supervision. A Reserve Bank’s staff is required to report separately (to designated Board staff) the results of their reviews of government securities broker-dealer activities (and such broker-dealer’s related custodial activities). The optional reporting form, Summary Report of Examination of Government Securities Broker-Dealer and Custodial Activities, may be used for this purpose. See the specific examination guidance and procedures in SR-06-8, SR-93-40, and SR-87-37. (See also SR-94-5, SR-90-1, and SR-88-26.)


Remove Insert

Table of Contents, pages 1–2 Table of Contents, pages 1–2

1000.1, pages 1–4, 4.1–4.4 1000.1, pages 1–4, 4.1–4.4

2030.1, pages 1–6 2030.1, pages 1–6

2060.1, pages 1–4 2060.1, pages 1–4

2090.1, pages 1–2 2090.1, pages 1–2

pages 7–8 pages 7–8

2103.2, page 1

2103.3, pages 1–3

2103.4, pages 1–2

2135.1, pages 1–6

3030.1, pages 1–10

3030.2, pages 1–2

3030.3, pages 1–13

3030.4, page 1

4020.1, pages 1–2, 2.1–2.2 4020.1, pages 1–2, 2.1–2.2

4033.1, pages 1–6

4090.1, pages 1–2 4090.1, pages 1–2

6010.1, pages 1–3 6010.1, pages 1–3

Subject Index, pages 1–19 Subject Index, pages 1–19

Commercial Bank Examination Manual
Supplement 27—May 2007

Summary of Changes

Sections 2010.3, 2040.3, and 4150.1

The “Due from Banks (Examination Procedures),” “Loan Portfolio Management (Examination Procedures),” and “Review of Regulatory Reports” sections were revised as the result of the Financial Services Relief Act of 2006 (Relief Act) and the Board’s December 6, 2006, approval of an interim rule amendment of Regulation O (effective December 11, 2006). The Relief Act eliminated certain statutory reporting and disclosure requirements pertaining to insider lending by federally insured financial institutions. Sections 215.9, 215.10, and Subpart B of Regulation O were deleted as a result of the rule’s changes. (See 71 Fed. Reg. 71,472, December 11, 2006.) The Board approved the final rule for this amendment without change on May 25, 2007 (effective July 2, 2007). (See 72 Fed. Reg. 30,470, June 1, 2007.)

Sections 2043.1, 2043.2, 2043.3, and

These new “Nontraditional Mortgages—Associated Risks” sections have been developed based on the September 29, 2006, Interagency Guidance on Nontraditional Mortgage Product Risks. (See SR-06-15.) The guidance addresses both the risk-management and consumer disclosure practices that institutions (for this manual, state member banks and their subsidiaries) should employ to effectively manage the risks associated with closed-end residential mortgage loan products that allow borrowers to defer payment of principal and, sometimes, interest. Examination objectives, examination procedures, and an internal control questionnaire are provided, which should be used when conducting an examination of a bank that is engaged in such lending activities.

Section 2070.1

This “Allowance for Loan and Lease Losses” section has been fully revised to incorporate the December 13, 2006, Interagency Policy Statement on the Allowance for Loan and Lease Losses (ALLL). (See SR-06-17.) The guidance updates the 1993 Interagency Guidance on the ALLL (SR-93-70). The revised policy statement emphasizes that each institution is responsible for developing, maintaining, and documenting a comprehensive, systematic, and consistently applied process for determining the amounts of the ALLL and the provision for loan and lease losses. Each institution should ensure that the adequate controls are in place to consistently determine the appropriate balance of the ALLL in accordance with (1) GAAP, (2) the institution’s stated policies and procedures, and (3) management’s best judgment and relevant supervisory guidance. The policy emphasizes also that an institution should provide reasonable support and documentation of its ALLL estimates, including adjustments to the allowance for qualitative or environmental factors and unallocated portions of the allowance.

Section 2103.1

A new section, “Concentrations in Commercial Real Estate Lending, Sound Risk-Management Practices,” sets forth the December 6, 2006, interagency supervisory guidance, which was issued jointly by the Federal Reserve and the other federal bank regulatory agencies. The guidance, effective December 12, 2006, is applicable to state member banks.

The guidance was developed to reinforce sound risk-management practices for institutions with high and increasing concentrations of commercial real estate loans on their balance sheets. An institution’s strong risk-management practices and its maintenance of appropriate levels of capital are important elements of a sound commercial real estate (CRE) lending program, particularly when an institution has a concentration in CRE or a CRE lending strategy leading to a concentration.

The guidance applies to concentrations in CRE loans sensitive to the cyclicality of CRE markets. For purposes of this guidance, CRE loans include loans where repayment is dependent on the rental income or the sale or refinancing of the real estate held as collateral. The guidance does not apply to owner-occupied loans and loans where real estate is taken as a secondary source of repayment or through an abundance of caution.

The guidance notes that risk characteristics vary among CRE loans secured by different property types. A manageable level of CRE concentration risk will vary depending on the portfolio risk characteristics and the quality of risk-management processes. The guidance, therefore, does not establish a CRE concentration limit that applies to all institutions. Rather, the guidance encourages institutions to perform ongoing risk assessments to identify and monitor CRE concentrations.

The guidance provides numerical indicators as supervisory monitoring criteria to identify institutions that may have CRE concentrations that warrant greater supervisory scrutiny. The monitoring criteria should serve as a starting point for a dialogue between the supervisory staff and an institution’s management about the level and nature of the institution’s CRE concentration risk. (See SR-07-1 and its attachments.)

Section 3020.1

The “Assessment of Capital Adequacy” section was revised to include an interim interagency decision on the impact of the Financial Accounting Standards Board’s issuance of its September 2006 Statement of Financial Accounting Standards No. 158 (FAS 158), “Employers Accounting for Defined Benefit Pension and Other Postretirement Plans.” The decision was announced in a December 14, 2006, joint press release, which was issued by the Federal Reserve Board and the other federal banking and thrift regulatory agencies (the agencies). FAS 158 provides that a banking organization that sponsors a single-employer defined benefit postretirement plan, such as a pension plan or health care plan, must recognize the overfunded or underfunded status of each such plan as an asset or a liability on its balance sheet with corresponding adjustments recognized as accumulated other comprehensive income (AOCI). The agencies’ interim decision conveys that banking organizations are to exclude from regulatory capital any amounts recorded in AOCI that have resulted from their adoption and application of FAS 158.

Sections 2000.4, 2130.3, 4060.1, 4060.4, 4063.4, 4128.1, 4128.3, and 5020.1

These sections “Cash Accounts (Internal Control Questionnaire),” “Consumer Credit,” “Information Technology” (including the internal control questionnaire), “Electronic Banking (Internal Control Questionnaire),” “Private-Banking Activities,” (including the examination procedures), and “Overall Conclusions Regarding Condition of the Bank,” have been amended for the revised Suspicious Activity Report by Depository Institutions (SAR-DI) form. The Federal Reserve, along with the other federal financial institutions regulatory agencies and the Financial Crimes Enforcement Network (FinCEN), proposed revisions to this form and the instructions in order to (1) enhance their clarity, (2) allow for joint filings of suspicious activity reports, and (3) improve the usefulness of the SAR-DI form to law enforcement authorities. The new form’s implementation date has not been determined. Banking organizations subject to SAR filing should continue using the existing SAR-DI format. (See 72 Fed. Reg. 23,891, May 1, 2007.)


Remove Insert

Table of Contents, pages 1–2 Table of Contents, pages 1–2

2000.4, pages 1–2 2000.4, pages 1–2

2010.3, pages 1–2 2010.3, pages 1–2

2040.1, pages 1–2 2040.1, pages 1–2

pages 15–16 pages 15–16, 16.1

2040.3, pages 1–2 2040.3, pages 1–2

pages 7–10 pages 7–10

2043.1, pages 1–10

2043.2, page 1

2043.3, pages 1–3

2043.4, pages 1–4

2070.1, pages 1–12 2070.1, pages 1–15

2072.1, pages 1–2 2072.1, pages 1–2

2103.1, pages 1–5

2130.3, pages 1–2 2130.3, pages 1–2

pages 5–6 pages 5–6

2133.1, pages 1–2 2133.1, pages 1–2

pages 5–6 pages 5–6

3020.1, pages 1–2 3020.1, pages 1–2

pages 57–59 pages 57–60

4040.1, pages 1–2

4040.1, pages 1–2
pages 13–23

4060.1, pages 1–2 4060.1, pages 1–2

pages 5–6 pages 5–6

4060.4, pages 1–4 4060.4, pages 1–4

4063.4, pages 1–2 4063.4, pages 1–2

4128.1, pages 1–6 4128.1, pages 1–6

pages 9–16 pages 9–16

4128.3, pages 1–2 4128.3, pages 1–2

4150.1, pages 1–6, 6.1 4150.1, pages 1–6, 6.1

5020.1, pages 1–2 5020.1, pages 1–2

pages 5–9 pages 5–9

Subject Index, pages 1–18 Subject Index, pages 1–19

Commercial Bank Examination Manual
Supplement 26—November 2006

Summary of Changes

Sections 2040.1 and 2040.3

These ‘‘Loan Portfolio Management’’ sections have been revised to incorporate a
May 22, 2006, Board staff interpretation of Regulation O pertaining to the use
of bank-owned or bank-issued credit cards by bank insiders for the bank’s
business purposes. The interpretation is also concerned with the extension of
credit provisions and the market-terms requirement of Regulation O when a bank
insider uses the bank-owned or bank-issued credit card to acquire goods and
services for personal purposes. The examination procedures have been revised to
include the provisions of this interpretation.

Sections 3000.1, 3000.2, and 3000.3

The ‘‘Deposit Accounts’’ sections have been revised to include a brief overview
of the Federal Deposit Insurance Corporation’s (FDIC’s) Deposit Insurance
System. FDIC’s deposit insurance coverage was amended by the issuance of its
March 23, 2006, interim final rules (effective on April 1, 2006). These interim
rules implemented certain provisions of (1) the Federal Deposit Insurance
Reform Act of 2005 and (2) the Federal Deposit Insurance Reform Conforming
Amendments Act of 2005. (See 71 Fed. Reg. 14,629.) For deposit accounts, the
FDIC’s interim rules provided for (1) inflation (cost-of-living) adjustments to
increase the standard maximum deposit insurance amount (SMDIA) of $100,000 on a
five-year cycle, beginning on April 1, 2010; (2) an increase in the FDIC’s SMDIA
from $100,000 to $250,000 for certain individual retirement accounts, which
includes future cost-of-living adjustments; and (3) per-participant FDIC
pass-through deposit insurance coverage for employee benefit accounts. (See 12
CFR 330.) The FDIC’s increased insurance coverage of individual retirement
accounts also applies to eligible deferred compensation plan accounts.

The ‘‘Deposit Accounts’’ sections also were revised to incorporate the May 11,
2001, Joint Agency Advisory on Brokered and Rate-Sensitive Deposits issued by
the federal banking agencies to highlight the potential risks associated with
excessive reliance on such deposits. The advisory provides guidance on prudent
risk identification and the management for these types of funding. (See
SR-01-14.) The examination objectives and procedures were revised to
incorporate the advisory’s guidance.

Section 3020.1

This section, ‘‘Assessment of Capital Adequacy,’’ was revised to incorporate a
general discussion of the risk-based capital treatment of securities-lending
transactions (see 12 CFR 208, appendix A, section III.D.1.c). Included is a
brief summary of the Board’s February 6, 2006, revision of the Board’s
market-risk measure (effective on February 22, 2006). The revision reduced the
capital requirements for certain cash-collateralized securities-borrowing
transactions of state member banks that adopt the market-risk rule. The action
aligns the capital requirements for those transactions with the risk involved.
It provides a capital treatment for state member banks that is more in line
with the capital treatment that applies to their domestic and foreign
competitors. (See Regulation H, 12 CFR 208, appendix E, and 71 Fed. Reg. 8,932,
February 22, 2006.)

In addition, the revised section includes discussions of the May 14, 2003, and
August 15, 2006, Board interpretations that were issued in response to separate
inquiries received from the same bank. The May 14, 2003, interpretation
concerns an inquiry regarding the risk-based capital treatment of certain
European agency securities-lending arrangements that the bank had acquired. For
these transactions (the cash-collateral transactions), the bank, acting as
agent for its clients, lends its clients’ securities and receives cash
collateral in return. It then reinvests the cash collateral in a reverse
repurchase agreement for which it receives securities collateral in return. For
the cash-collateral transactions, the bank indemnifies its client against the
risk of default by both the securities borrower and the reverse repurchase
counterparty.

The August 15, 2006, interpretation was also issued in regard to the risk-based
capital treatment of certain other securities-lending transactions. For these
transactions, the bank, acting as agent for clients, lends its clients’
securities and receives liquid securities collateral in return (the
securities-collateral transactions). The bank indicated that the liquid
securities collateral was to include government agency, government-sponsored
entity, corporate debt or equity, or asset-backed or mortgage-backed
securities. The bank stated that in the event that the borrower defaulted, the
bank would be in a position to terminate a securities-collateral transaction
and sell the collateral in order to purchase securities to replace the
securities that were originally lent. The bank’s exposure would be limited to
the difference between the purchase price of replacement securities and the
market value of the securities collateral. The bank requested that it receive
risk-based capital treatment similar to that which the Board had approved and
extended to the bank in its letter dated May 14, 2003 (the prior approval).

The Board, using its reservation of authority, again determined that under its
current risk-based capital guidelines the capital charge for this specific type
of securities-lending arrangement would exceed the amount of economic risk
posed to the bank, which would result in capital charges that would be
significantly out of proportion to the risk. Referencing the prior approval,
the Board approved the August 15, 2006, exception to its risk-based capital
guidelines. The bank, which had adopted the market-risk rule, will compute its
regulatory capital for these transactions using a loan-equivalent methodology
in accordance with the prior approval. In so doing, the bank will assign the
risk weight of the counterparty to the exposure amount of all such transactions
with the counterparty. The bank must calculate the exposure amount as the sum
of its current unsecured exposure on its portfolio of transactions with the
counterparty, plus an add-on amount for potential future exposure. This
estimated exposure is to be calculated using the bank’s VaR model to determine
the capital charge for the securities-collateral transactions, subject to
certain specified conditions.

Section 4030.1

The section titled ‘‘Asset Securitization’’ has been revised to incorporate the
August 4, 2005, Interagency Guidance on the Eligibility of Asset-Backed
Commercial Paper Liquidity Facilities and the Resulting Risk-Based Capital
Treatment. The guidance clarifies the application of the asset-quality test for
determining the eligibility or ineligibility of an ABCP liquidity facility and
the resulting risk-based capital treatment of such a facility for banks. The
guidance also re-emphasizes that the primary function of an eligible ABCP
liquidity facility should be to provide liquidity—not credit enhancement. An
eligible liquidity facility must have an asset-quality test that precludes
funding against assets that are (1) 90 days or more past due, (2) in default,
or (3) below investment grade, implying that the institution providing the ABCP
liquidity facility should not be exposed to the credit risk associated with
such assets. The interagency statement indicates that an ABCP liquidity
facility will meet the asset-quality test if, at all times throughout the
transaction, the (1) liquidity provider has access to certain types of
acceptable credit enhancements that support the liquidity facility and
(2) notional amount of such credit enhancements exceeds the amount of
underlying assets that are 90 days or more past due, defaulted, or below
investment grade, that the liquidity provider may be obligated to fund under
the facility. (See SR-05-13.)

Section 4063.1

The section ‘‘Electronic Banking’’ was revised to incorporate a brief reference
to the August 15, 2006, Interagency Questions and Answers (Q&As) for the
October 2005 Interagency Guidance on Authentication in an Internet Banking
Environment. (See SR-06-13 and SR-05-19.) The Q&As were designed to assist
financial institutions and their technology service providers in conforming to
the scope, risk assessments, timing, and other issues addressed in the October
2005 guidance that becomes effective at year-end 2006. The section notes,
again, that single-factor authentication, as the only control mechanism, is
inadequate for high-risk transactions involving access to customer information
or the movement of funds to other parties.

Sections 4133.1 and 4133.3

These ‘‘Prompt Corrective Action’’ sections include several changes to more
closely align the content to the Board’s prompt-corrective-action (PCA) rules.
Minor technical amendments that were previously made to the rules (effective on
October 1, 1998) are also included. For example, the definition of total assets
was revised to allow the Federal Reserve the option of using period-end rather
than average total assets for determining the PCA categories within the rules.
(See 63 Fed. Reg. 37,630, and 12 CFR 208, subpart D.) The section now includes
examination procedures for evaluating compliance with the PCA rules.

Sections 4140.1, 4140.2, 4140.3, and 4140.4

The ‘‘Real Estate Appraisals and Evaluations’’ sections have been revised to
incorporate the June 22, 2006, interagency statement, The 2006 Revisions to
Uniform Standards of Professional Appraisal Practice (USPAP), issued by the
federal banking agencies. Under the appraisal regulations, institutions must
ensure that their appraisals supporting federally related transactions adhere
to USPAP. The interagency statement provides an overview of the USPAP revisions
and the ramifications of these revisions to regulated institutions. The 2006
USPAP, effective July 1, 2006, incorporates certain prominent revisions made by
the Appraisal Standards Board. These revisions include a new Scope of Work Rule
and the deletion of the Departure Rule and some of its associated terminology.
(See SR-06-9.)


Remove Insert

1000.1, pages 1–2 1000.1, pages 1–2

pages 4.1–4.4 pages 4.1–4.4

2040.1, pages 1–2 2040.1, pages 1–2

pages 21–22 pages 21–22, 22.1–22.2

2040.3, pages 1–2 2040.3, pages 1–2, 2.1

page 9 pages 9–10

3000.1, pages 1–12 3000.1, pages 1–15

3000.2, page 1 3000.2, page 1

3000.3, pages 1–7 3000.3, pages 1–7

3020.1, pages 1–2 3020.1, pages 1–2

pages 7–10, 10.1–10.2 pages 7–10, 10.1–10.2
pages 53–56 pages 53–59

4030.1, pages 1–2 4030.1, pages 1–2

pages 19–22 pages 19–22, 22.1–22.2

4063.1, pages 1–10 4063.1, pages 1–10

4133.1, pages 1–9 4133.1, pages 1–9

4133.3, page 1

4140.1, pages 1–14 4140.1, pages 1–15

4140.2, page 1 4140.2, page 1

4140.3, pages 1–2 4140.3, pages 1–2

4140.4, pages 1–2 4140.4, pages 1–2

Subject Index, pages 1–18 Subject Index, pages 1–18

Commercial Bank Examination Manual

Supplement 25—May 2006

Summary of Changes

Section 1000.1

This revised section, ‘‘Examination Strategy and Risk-Focused Examinations,’’
reaffirms the definition of the responsible Reserve Bank (RRB) and specifies
the RRB’s responsibilities for conducting inter-District examination and
supervision activities for a banking organization. The section highlights and
clarifies the role of the RRB with respect to inter-District and local Reserve
Bank coordination of banking examination and supervision activities. (See
SR-05-27/CA-05-11.)

Sections 1010.1, 1010.2, 1010.3, 1010.4, and A.1010.1

The sections titled ‘‘Internal Control and Audit Function, Oversight, and
Outsourcing’’ have been revised to incorporate the February 9, 2006,
Interagency Advisory on the Unsafe and Unsound Use of Limitation of Liability
Provisions in External Audit Engagement Letters. The advisory informs financial
institutions that it is unsafe and unsound to enter into external audit
contracts (that is, engagement letters) for the performance of auditing or
attestation services when the contracts (1) indemnify the external auditor
against all claims made by third parties, (2) hold harmless or release the
external auditor from liability for claims or potential claims that might be
asserted by the client financial institution (other than claims for punitive
damages), or (3) limit the remedies available to the client financial
institution (other than punitive damages). Such limits on external auditors’
liability weaken the auditor’s independence and performance, thus reducing the
supervisory agency’s ability to rely on the auditor’s work. The examination
objectives, examination procedures, and internal control questionnaire
incorporate certain key provisions of the advisory. Section A.1010.1 provides
examples of unsafe and unsound limitation-of-liability provisions, and it
discusses frequently asked questions and answers that were posed to the
Securities and Exchange Commission (Office of the Chief Accountant). The answers
confirm that an accountant (auditor) is not independent when an accountant and
a client enter into an agreement of indemnity, directly or through an affiliate
that seeks to assure the accountant immunity from liability for the
accountant’s own negligent acts, whether they are acts of omission or
commission. (See SR-06-4.)

Section 1015.1

This new section, ‘‘Conflict-of-Interest Rules for Examiners,’’ has been
developed to inform Federal Reserve System examiners of the System’s policies
on maintaining an independent appearance by avoiding conflicts of interest.
Examiners must comply with statutory prohibitions and adhere to the System’s
rules on conflicts of interest, which are intended to ensure the examiners’
objectivity and integrity. The statutory prohibition (18 USC 213) on accepting
any loan or gratuity from any bank under examination is discussed. The limited
easing of examiner borrowing restrictions on obtaining credit cards and certain
home mortgage loans is also discussed; the easing of these restrictions
resulted from the implementation of the Preserving Independence of Financial
Institution Examinations Act of 2003 (18 USC 212–213). (See SR-05-2.) The
special post-employment restrictions of the Intelligence Reform and Terrorism
Prevention Act of 2004 are also reviewed. The Board implemented these
restrictions in its November 17, 2005, rule (effective December 17, 2005). (See
12 CFR 263 and 264 and SR-05-26.)

Section 1020.1

The ‘‘Federal Reserve System Bank Watch List and Surveillance Programs’’
section has been substantially revised to reflect the Federal Reserve’s
replacement of the former SEER (the System to Estimate Examination Ratings)
surveillance models with a new econometric framework, referred to as the
Supervision and Regulation Statistical Assessment of Bank Risk model, or
SR-SABR. The SR-SABR model assigns a two-component surveillance rating to each
bank. The first component is the current composite CAMELS rating assigned to
the bank. The second component is a letter (A, B, C, D, or F) that reflects the
model’s assessment of the relative strength or weakness of a bank compared with
other institutions within the same CAMELS rating category. The section
describes the new model, details the screening thresholds for SR-SABR within
the State Member Bank Watch List program, and updates the watch list follow-up
procedures. (See SR-06-2.)

Sections 2015.1, 2015.2, 2015.3, and 2015.4

The new ‘‘Interbank Liabilities’’ sections set forth supervisory guidance that
is based on Regulation F (12 CFR 206), which was developed under the authority
of section 23 of the Federal Reserve Act (12 USC 371b-2). The Board established
standards to limit the risks posed by exposure of insured depository
institutions to other depository institutions with which they do business,
referred to as correspondents. Regulation F applies to FDIC-insured banks,
savings associations, and branches of foreign banks (referred to collectively
as banks). Banks are generally required to have in place internal policies and
procedures to evaluate and control the exposure to their correspondents.
Regulation F specifies a general ‘‘limit,’’ stated in terms of the exposed
bank’s capital, for overnight credit exposure to an individual correspondent. A
bank should also ordinarily limit its credit exposure to an individual
correspondent to an amount equal to not more than 25 percent of the exposed
bank’s total capital, unless the bank can demonstrate that its correspondent is
at least ‘‘adequately capitalized,’’ for which no capital limit is specified. A
bank is required to establish and follow its own internal policies and
procedures for exposure to all correspondents, regardless of its capital level.
The rule was effective on December 19, 1992; the Board made technical
amendments to the rule on September 3, 2003 (effective September 10, 2003).
Examination objectives, examination procedures, and an internal control
questionnaire are included. (See

Section 4042.3

The accounting considerations within the ‘‘Operational Risk Assessment’’
subsection (examination procedure 3b) were revised to remove the reference to
‘‘in excess of 25 percent of the other assets’’ threshold for the reporting of
the cash surrender value of life insurance assets in the bank Call Report,
FFIEC 031, Schedule RC-F item 5, other assets. As of March 31, 2006, this item
must be used to report the cash surrender value of all life insurance assets.

Sections 4050.1 and 4128.1

Two sections, ‘‘Bank-Related Organizations’’ and ‘‘Private-Banking
Activities,’’ were revised to incorporate the Board’s March 15, 2006, approval
of an amendment to Regulation K. The amendment incorporates (by reference)
section 208.63 of Regulation H into sections 211.5 and 211.24 of Regulation K.
As a result, Edge and agreement corporations and other foreign banking
organizations (that is, Federal Reserve–supervised U.S. branches, agencies, and
representative offices of foreign banks) must establish and maintain procedures
reasonably designed to ensure and monitor their compliance with the Bank
Secrecy Act and related regulations. (See SR-06-7.)

Sections 4128.1, 4128.2, and 4128.3

The ‘‘Private-Banking Activities’’ section has been further revised to discuss
certain borrowing mechanisms that nonresident-alien customers may establish to
keep their financial assets in the United States so those assets can be used as
operating capital for businesses they own and operate in their home countries.
Private bankers need to maintain, in the United States, adequate
customer-due-diligence information on such nonresident-alien customers and
their primary business interests so that the customer’s home-country government
can identify who owns the assets. Examination procedures for private-banking
activities (section 4128.3) have also been added.

Section 5020.1

The ‘‘Overall Conclusions Regarding Condition of the Bank’’ section was revised
to incorporate the January 20, 2006, Interagency Guidance on Sharing Suspicious
Activity Reports with Head Offices and Controlling Companies. The guidance
confirms that (1) a U.S. branch or agency of a foreign bank may disclose a
Suspicious Activity Report (SAR) to its head office outside the United States
and (2) a U.S. bank or savings association may disclose a SAR to controlling
companies, whether domestic or foreign. Banking organizations must maintain
appropriate arrangements for the protection of confidentiality of SARs. (See
SR-06-01.)


Remove Insert

Table of Contents, pages 1–2 Table of Contents, pages 1–2

1000.1, pages 1–2 1000.1, pages 1–2

pages 9–10 pages 9–10, 10.1
pages 15–16 pages 15–16

1010.1, pages 1–2 1010.1, pages 1–2

pages 7–8 pages 7–8, 8.1
pages 27–32 pages 27–36

1010.2, page 1 1010.2, page 1

1010.3, pages 1–2 1010.3, pages 1–3

1010.4, pages 1–2 1010.4, pages 1–2

pages 5–6 pages 5–6

1015.1, pages 1–3

1020.1, pages 1–4 1020.1, pages 1–4

2010.1, pages 1–2 2010.1, pages 1–2

2015.1, pages 1–7

2015.2, page 1

2015.3, pages 1–2

2015.4, pages 1–2

2020.1, pages 1–2 2020.1, pages 1–2

page 8.11 page 8.11

4042.1, pages 1–2 4042.1, pages 1–2

pages 17–18 pages 17–18
pages 21–22 pages 21–22

4042.3, pages 1–2 4042.3, pages 1–2

pages 5–6 pages 5–6

4042.4, pages 1–2 4042.4, pages 1–2

page 5 page 5

4050.1, pages 1–2 4050.1, pages 1–2

pages 13–14, 14.1–14.4 pages 13–14, 14.1–14.5

4060.1, pages 1–2 4060.1, pages 1–2

pages 5–6 pages 5–6

4063.1, pages 1–2 4063.1, pages 1–2

pages 5–10 pages 5–10

4063.3, pages 1–2 4063.3, pages 1–2

4090.1, pages 1–2 4090.1, pages 1–2

4128.1, pages 1–15 4128.1, pages 1–16

4128.2, page 1 4128.2, page 1

4128.3, pages 1–2

5020.1, pages 1–2 5020.1, pages 1–2

pages 7–8 pages 7–9

A.1010.1, pages 1–2 A.1010.1, pages 1–2, 2.1

page 9 pages 9–11

Subject Index, pages 1–17 Subject Index, pages 1–18

Commercial Bank Examination Manual
Supplement 24—November 2005


Section number Description of the change

2040.1, The ‘‘Loan Portfolio Management’’ section has been revised to incorporate
2040.2, the May 3, 2005, Interagency Advisory on Accounting and Reporting for
2040.3, Commitments to Originate and Sell Mortgage Loans, which was issued by
2040.4 the Federal Reserve and the other federal supervisory agencies (the agen-
cies).¹ The advisory provides guidance on the appropriate accounting and
reporting for both derivative loan commitments (commitments to originate
mortgage loans that will be held for resale) and forward loan-sales
commitments (commitments to sell mortgage loans). When accounting and
reporting for derivative loan commitments, institutions are expected to use
generally accepted accounting principles (GAAP). Institutions must also
correctly report derivative loan commitments in accordance with the Call
Report instructions and forms. (See SR-05-10.) The examination objectives,
examination procedures, and internal control questionnaire have been
revised to incorporate this interagency advisory.

2090.1, The section ‘‘Real Estate Loans’’ has been revised to include the May 16,
2090.2, 2005, Interagency Credit Risk Management Guidance for Home Equity
2090.3, Lending. The agencies issued the guidance to promote a greater focus on
2090.4 sound risk-management practices at financial institutions that have home
equity lending programs, including open-end home equity lines of credit and
closed-end home equity loans. The agencies expressed concern that some
institutions’ credit-risk management practices for home equity lending had
not kept pace with the product’s rapid growth and the easing of underwriting
standards for products having higher embedded risk. The guidance highlights
the sound risk-management practices an institution should follow to align the
growth with the risk within its home equity portfolio. The guidance should
also be considered in the context of existing regulations and supervisory
guidelines. (See SR-05-11 and its attachment.) The examination objectives,
examination procedures, and internal control questionnaire were revised to
incorporate the interagency guidance.

3000.1 The ‘‘Deposit Accounts’’ section has been revised to update the statutory and
regulatory provisions for a bank soliciting, acquiring, renewing, or rolling
over brokered deposits, as those provisions are stated in section 29 of the
Federal Deposit Insurance Act (12 USC 1831f) and section 337.6 of the
Federal Deposit Insurance Corporation’s brokered-deposit rule (12 CFR
337.6). Section 3000.1 defines and discusses the three capitalization status
levels for banks: well capitalized, adequately capitalized, or undercapital-
ized. These levels determine the extent to which banks may engage in
brokered-deposit activities. These definitions are the same as those found in
the prompt-corrective-action rules of the FDIC and the Federal Reserve
Board. (See 12 CFR 325.103 and 12 CFR 208.43.)

1. The Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, the Federal Deposit
Insurance Corporation, the Office of Thrift Supervision, and the National Credit Union Administration.

4042.1, The ‘‘Purchase and Risk Management of Life Insurance’’ section has been
4042.2, revised to include appendix C, Interagency Interpretations of the Interagency
4042.3, Statement on the Purchase and Risk Management of Life Insurance (the
4042.4 interpretations). The interpretations have been developed to clarify a variety
of matters, including financial reporting, credit-exposure limits, concentra-
tion limits, and the appropriate methods for calculating the amount of
insurance an institution may purchase.

Three new supporting sections provide examination objectives, examination
procedures, and an internal control questionnaire. The new sections are
based on the Interagency Statement on the Purchase and Risk Management
of Life Insurance. (See SR-04-19 and its attachment.)

4128.1 The ‘‘Private-Banking Activities’’ section has been revised to include
general and specific references to the relevant supervisory guidance in the
June 2005 Federal Financial Institutions Examination Council’s Bank
Secrecy Act/Anti–Money Laundering Examination Manual. (See SR-05-12
and its attachments.)

4140.1 The section ‘‘Real Estate Appraisals and Evaluations’’ has been revised to
include a summary description of the interagency responses to questions on
both the agencies’ appraisal regulations and the October 2003 interagency
statement titled Independent Appraisal and Evaluation Functions. The
agencies’ March 22, 2005, interpretive responses address common questions
on the requirements of the appraisal regulations and the October 2003
interagency statement. (See SR-05-5 and its attachment.) The section has
also been revised to include a summary of the September 8, 2005,
interagency interpretive responses to frequently asked questions that were
issued jointly to help regulated institutions comply with the agencies’
appraisal regulation and real estate lending requirements when financing
residential construction in a tract development. (See SR-05-14 and its

6003.1 A new section, ‘‘Community Bank Examination Report,’’ provides the
examiner with guidance on preparing examination reports for community
banks. Developments in technology, the expansion of financial services, and
a risk-focused approach to examinations created a need for increased
flexibility when organizing and structuring the content of the community
bank examination report. Examiners may use certain content headings,
which follow a continuous-flow reporting format, or they may use a
separate-report-page format. The reporting instructions distinguish between
mandatory content (when warranted by the bank’s condition or circum-
stances) and optional content. The examiner has discretion in the arrange-
ment of certain content. Subject to certain limitations, the examiner may
customize and streamline the examination report to better focus on the
examiner’s findings involving matters of risk that have a significant impact
on the bank’s overall financial condition. This guidance applies only to the
preparation of community bank examination reports. (See SR-01-19.)


Remove Insert

Table of Contents, pages 1–2 Table of Contents, pages 1–2

2040.1, pages 1–2 2040.1, pages 1–2

pages 21–24, 24.1–24.2, 25–28 pages 21–39

2040.2, page 1 2040.2, page 1

2040.3, pages 1–4 2040.3, pages 1–4

pages 7–9 pages 7–9

2040.4, pages 1–4 2040.4, pages 1–4

2090.1, pages 1–2 2090.1, pages 1–2

pages 15–18 pages 15–25

2090.2, page 1 2090.2, page 1

2090.3, pages 1–3 2090.3, pages 1–5

2090.4, pages 1–3 2090.4, pages 1–5

2100.1, pages 1–4 2100.1, pages 1–4

3000.1, pages 1–2 3000.1, pages 1–2

pages 4.1–4.2, 5–9 pages 5–12

3020.1, pages 55–56 3020.1, pages 55–56

4042.1, pages 1–2 4042.1, pages 1–2

page 21 pages 21–25

4042.2, page 1

4042.3, pages 1–7

4042.4, pages 1–5

4128.1, pages 1–15 4128.1, pages 1–15

4140.1, pages 1–2 4140.1, pages 1–2

pages 13–14 pages 13–14

6003.1, pages 1–39

Subject Index, pages 1–17 Subject Index, pages 1–17

Commercial Bank Examination Manual
Supplement 23—May 2005


Section number Description of the change

1000.1, The ‘‘Examination Strategy and Risk-Focused Examinations’’ and the
4030.1 ‘‘Asset Securitization’’ sections have been updated to add references to the
new bank holding company RFI/C(D) rating system, which became effective
January 1, 2005. (See SR-04-18.)

2130.1, The ‘‘Consumer Credit’’ sections have been revised to discuss various types,
2130.3, characteristics, and fee structures of a bank’s ad hoc and automatic overdraft
2130.4 programs. Section 2130.1 includes the February 18, 2005, interagency Joint
Guidance on Overdraft Protection Programs that addresses the agencies’
concerns about the potentially misleading implementation, marketing, and
disclosure practices associated with the operation of these programs.
Financial institutions are encouraged to review their overdraft-protection
programs to make certain that their marketing and communications do not
mislead consumers or encourage irresponsible consumer financial behavior
that could increase the institution’s risk. The guidance also addresses the
safety-and-soundness considerations, risk-based capital treatment, and legal
risks associated with overdraft-protection programs. (See SR-05-3/CA-05-
2.) The examination procedures and the internal control questionnaire have
been updated to incorporate this guidance. (See also the summary for
sections 3000.1 and 3000.3.)
The consumer credit examination procedures have also been updated to
include references to and guidance on the Suspicious Activity Report (SAR)
and the Bank Secrecy Act (BSA) compliance program. (See sections
208.62–63 of the Board’s Regulation H (12 CFR 208.62–63) and SR-04-8.)

2210.1 The ‘‘Other Assets and Other Liabilities’’ section has been updated to
coincide with current accounting guidance and the instructions for the bank
Call Report. The section discusses the current examination focus, concerns,
and procedures for other assets and other liabilities, as well as their current
categories and composition. The section includes the accounting treatment
for bank-owned life insurance (BOLI) and an improved discussion of
deferred tax assets and deferred tax liabilities (including the risk-based
capital limitation on their inclusion in tier 1 capital). For more information
on BOLI, see SR-04-4 and SR-04-19.

3000.1, Two of the ‘‘Deposit Accounts’’ sections have been revised to include the
3000.3 February 18, 2005, interagency Joint Guidance on Overdraft Protection
Programs that was issued to assist banks in the responsible disclosure and
administration of their overdraft-protection services. The policy states that
banks should establish and monitor written policies and procedures for ad
hoc, automated, or other overdraft-protection programs. A bank’s policies
and procedures should be adequate to address the credit, operational, and
other risks associated with these types of programs. (See SR-05-3/CA-05-2
and the summary for the 2130 sections.) The examination procedures have
been revised to incorporate this supervisory guidance.

3015.1 A new section, ‘‘Deferred Compensation Agreements,’’ has been added to
the ‘‘Liabilities and Capital’’ chapter. The section provides guidance from
the February 11, 2004, Interagency Advisory on Accounting for Deferred
Compensation Agreements and Bank-Owned Life Insurance. The advisory
was issued because the agencies, through the examination process, identified
many institutions that had incorrectly accounted for obligations under a type
of deferred compensation agreement commonly referred to as a revenue-
neutral plan or an indexed retirement plan. The advisory informs institutions
that they need to review their accounting for deferred compensation
agreements to ensure that the agreements have been appropriately measured
and reported. (See SR-04-4 and SR-04-19.)

4042.1 A new section, ‘‘Purchase and Risk Management of Bank-Owned Life
Insurance,’’ provides the text of the December 7, 2004, Interagency
Statement on the Purchase and Risk Management of Life Insurance. The
statement discusses the safety-and-soundness and risk-management implica-
tions of purchases and holdings of life insurance by banks. The agencies
issued the guidance because they were concerned that some institutions may
not have an adequate understanding of the risks associated with BOLI,
including its liquidity, operational, reputational, and compliance/legal risks.
Further, institutions may have committed a significant amount of capital to
BOLI holdings without properly assessing the associated risks. When an
institution is planning to acquire BOLI that will result in an aggregate cash
surrender value in excess of 25 percent of its tier 1 capital plus the allowance
for loan and lease losses, the agencies expect the institution to obtain the
prior approval of its board of directors or its designated board committee.
The guidance addresses the need for institutions to conduct comprehensive
pre- and post-purchase analyses of BOLI, including its unique characteris-
tics, risks, and rewards. Institutions are expected to have comprehensive
risk-management processes for their BOLI purchases and holdings; these
processes should be consistent with safe and sound banking practices. (See
SR-04-4 and SR-04-19.)

4043.1 The ‘‘Insurance Sales Activities and Consumer Protection in Sales of
Insurance’’ section has been revised to include the following references:

• the recently updated discussion on tying arrangements (section 2040.1)

• the new BOLI supervisory guidance (section 4042.1)

4050.1 The ‘‘Bank-Related Organizations’’ section has been revised to incorporate
the U.S. Department of the Treasury’s regulation regarding foreign correspondent
accounts. The regulation became effective October 28, 2002. (See
31 CFR 103.177 (amended as of December 24, 2002) and 103.185.) The
regulation implemented sections 313 and 319(b) of the USA Patriot Act. A
covered financial institution (CFI) is prohibited from establishing, maintain-
ing, administering, or managing a correspondent account in the United States
for, or on behalf of, a foreign shell bank (a foreign bank that has no physical
presence in the United States or other jurisdictions) that is not affiliated
(1) with a U.S.-domiciled financial institution or (2) with a foreign bank that
maintains a physical presence in the United States or a foreign country and
is supervised by its home-country banking authority. A CFI that maintains
a correspondent account for a foreign bank in the United States must
maintain records in the United States identifying the owners of the foreign
bank. (See SR-03-17 and the attached October 2003 Bank Secrecy Act
Examination Procedures for Correspondent Accounts for Foreign Shell
Banks; Recordkeeping and Termination of Correspondent Accounts for
Foreign Banks. See also SR-01-29.)

4060.1, 4060.2, 4060.3, 4060.4 The ‘‘Information Technology’’ sections have been revised to include the
Board’s December 16, 2004, adoption of rule changes (effective July 1,
2005) that implement section 216 of the Fair and Accurate Credit Transactions
Act of 2003 and that amend the Interagency Guidelines Establishing
Information Security Standards. (See the Board’s December 21, 2004, press
release.) To address the risks associated with identity theft, financial
institutions are required to make modest adjustments to their information
security programs to develop, implement, maintain, and monitor, as part of
their existing information security program, appropriate measures to prop-
erly dispose of consumer and customer information derived from credit
reports (information maintained in paper-based or electronic form). Each
financial institution must contractually require its service providers to
develop appropriate measures for the proper disposal of the institution’s
consumer and customer information and, when warranted, monitor its
service providers to confirm that they have satisfied their contractual

The sections have also been revised to include the Board’s March 21,
2005, adoption of Jointly Issued Interagency Guidance on Response Pro-
grams for Unauthorized Access to Customer Information and Customer
Notice. (See the Board’s March 23, 2005, press release.) Financial institu-
tions are to develop and implement a response program designed to address
incidents of unauthorized access to sensitive customer information, main-
tained by the institution or its service provider, that could result in substantial
harm or inconvenience to the customer. Each financial institution has the
flexibility to design a risk-based response program tailored to the size,
complexity, and nature of its operations. Customer notice is a key feature of
an institution’s response program. (See Regulation H, appendix D-2,
supplement A (12 CFR 208, appendix D-2, supplement A).) The examina-
tion objectives, examination procedures, and internal control questionnaire
have been updated to incorporate or reference these rule changes and the
interagency guidance.

4063.4 The ‘‘Electronic Banking: Internal Control Questionnaire’’ has been updated
to include the following references:

• SR-03-12 (and the attached July 2003 SAR form)

• the Board’s Regulation H requirements for suspicious-activity reporting
(12 CFR 208.62)
• the Board’s Regulation H requirements for the BSA compliance program
(12 CFR 208.63)

See also SR-04-8 and the attached May 24, 2004, Interagency Advisory—
Federal Court Reaffirms Protections for Financial Institutions Filing Suspi-
cious Activity Reports.

4128.1 The ‘‘Private Banking’’ section has been revised to incorporate new and
enhanced statutory requirements of the USA Patriot Act. The requirements
are designed to prevent, detect, and prosecute money laundering and
terrorism. For banking organizations, the act’s provisions are implemented
through regulations issued by the U.S. Department of the Treasury (31 CFR
103). Section 326 of the Patriot Act (codified in the BSA at 31 USC 5318(l))
requires financial institutions to have customer identification programs, that
is, programs to collect and maintain certain records and documentation on
customers. Institutions should also develop and use identity verification
procedures to ensure the identity of their customers. SR-04-13 describes the
BSA examination procedures for customer identification programs; examin-
ers should follow these procedures when evaluating an institution’s compli-
ance with the regulation. (See also SR-03-17 and SR-01-29.) Relevant
interagency interpretive guidance, in a question-and-answer format, addresses
the customer identification rules. (See SR-05-9.)

4150.1 The ‘‘Review of Regulatory Reports’’ section has been revised to discuss the
termination of the Federal Reserve’s Regulatory Reports Monitoring Pro-
gram. A less formal program will continue at the Reserve Banks. (See

5020.1 The ‘‘Overall Conclusions Regarding Condition of the Bank’’ section has
been revised to include guidance on a bank’s use of the SAR form and the
filing of a SAR with the Department of the Treasury’s Financial Crimes
Enforcement Network (FinCEN). A bank’s record-retention requirements for
documentation supporting a SAR are also discussed. (See section 208.62 of
the Board’s Regulation H (12 CFR 208.62) and SR-04-8.)
In addition, the section has been revised to include the February 28, 2005,
Interagency Advisory on the Confidentiality of the Supervisory Rating and
Other Nonpublic Supervisory Information. The advisory reminds banking
organizations of the statutory prohibitions on the disclosure of supervisory
ratings and other confidential supervisory information to third parties. (See

7000.0 The ‘‘International’’ section has been revised to convey an overview of the
examination focus for international banking transactions and activities. The
discussion of other examination topics and Federal Reserve System and
FFIEC examination manuals has been updated for those international areas
that may need to be reviewed during a bank examination.

7000.1 The former ‘‘International—General Introduction’’ section has been renamed
‘‘International—Examination Overview and Strategy.’’ The revised title
better reflects the content of the sections that follow, which provide the
examination and supervisory guidance for international transactions, activi-
ties, and international banking. References and other section titles were also

| Remove | Insert |
| --- | --- |
| Table of Contents, pages 1–2 | Table of Contents, pages 1–2 |
| 1000.1, pages 1–2 | 1000.1, pages 1–2 |
| pages 7–8 | pages 7–8 |
| 2130.1, pages 1–4 | 2130.1, pages 1–4, 4.1–4.3 |
| pages 9–10 | pages 9–10 |
| 2130.3, pages 1–6 | 2130.3, pages 1–6, 6.1 |
| 2130.4, pages 1–5 | 2130.4, pages 1–5 |
| 2210.1, pages 1–3 | 2210.1, pages 1–5 |
| 3000.1, pages 1–2 | 3000.1, pages 1–2 |
| pages 7–8 | pages 7–8 |
| 3000.3, pages 1–6 | 3000.3, pages 1–7 |
| | 3015.1, pages 1–7 |
| 4030.1, pages 1–2 | 4030.1, pages 1–2 |
| pages 25–26 | pages 25–26 |
| | 4042.1, pages 1–21 |
| 4043.1, pages 1–2 | 4043.1, pages 1–2 |
| pages 5–6 | pages 5–6 |
| pages 15–18 | pages 15–18 |
| 4050.1, pages 1–2 | 4050.1, pages 1–2 |
| pages 14.1–14.4 | pages 14.1–14.4 |
| 4060.1, pages 1–20 | 4060.1, pages 1–20, 20.1–20.6 |
| pages 29–36 | pages 29–38 |
| 4060.2, page 1 | 4060.2, page 1 |
| 4060.3, pages 1–2 | 4060.3, pages 1–2 |
| 4060.4, pages 1–4 | 4060.4, pages 1–4 |
| 4063.4, pages 1–4 | 4063.4, pages 1–4 |
| 4128.1, pages 1–14 | 4128.1, pages 1–15 |
| 4150.1, pages 1–2 | 4150.1, pages 1–2 |
| 5020.1, pages 1–6 | 5020.1, pages 1–8 |
| 7000.0, page 1 | 7000.0, page 1 |
| 7000.1, pages 1–3 | 7000.1, pages 1–3 |
| Subject Index, pages 1–16 | Subject Index, pages 1–17 |

Commercial Bank Examination Manual
Supplement 22—November 2004


Section number Description of the change

1000.1 The ‘‘Examination Strategy and Risk-Focused Examinations’’ section incorporates
a May 2004 recommended-practices document promulgated by the
interagency State-Federal Working Group. The working group consists of
state bank commissioners and senior officials from the Federal Reserve and
the Federal Deposit Insurance Corporation.1 The recommended practices
highlight the importance of communication and coordination between state
and federal banking agencies in the planning and execution of supervisory
activities over state-chartered banking organizations. The recommended
practices are the common courtesies and practices examination and super-
visory staff are to follow in the implementation and execution of their
agencies’ supervisory activities. These recommended practices further rein-
force the long-standing commitment of federal and state banking supervisors
to provide efficient, effective, and seamless oversight of state banks of all
sizes. The practices apply to institutions that operate in a single state or in
more than one state. (See SR-04-12.)

2020.1, 2020.3 The ‘‘Investment Securities and End-User Activities’’ section has been
updated to include the revised Uniform Agreement on the Classification of
Assets and Appraisal of Securities Held by Banks and Thrifts (the uniform
agreement) that was jointly issued by the federal banking and thrift agencies
(the agencies) on June 15, 2004. The revised uniform agreement amends the
1938 classification of securities agreement (the 1938 accord), which was
revised on July 15, 1949, and May 7, 1979. The uniform agreement sets forth
the definitions of the classification categories and the specific examination
procedures and information for classifying bank assets, including securities.
The classification of loans in the uniform agreement was not changed by the
June 2004 revision. The revised uniform agreement addresses, among other
items, the treatment of rating differences, multiple security ratings, and split
or partially rated securities. It also eliminates the automatic classification for
sub-investment-grade debt securities. (See SR-04-9.) The examination pro-
cedures were also revised to incorporate the supervisory guidance provided
in the revised uniform agreement.

2040.1, 2040.2, 2040.3 The ‘‘Loan Portfolio Management’’ section has been revised to incorporate
a detailed discussion on tying arrangements. Section 106 of the Bank
Holding Company Act Amendments of 1970 generally prohibits a bank from
conditioning the availability or price of one product or service (the tying
product, or the desired product) on a requirement that a customer obtain
another product or service (the tied product) from the bank or an affiliate of
the bank. Section 106 prevents banks from using their market power over
certain products (specifically credit) to gain an unfair competitive advantage
in other products.

1. The source for the recommended-practices document is the November 14, 1996, Nationwide State and Federal Supervisory
Agreement (the agreement) to enhance the overall state-federal coordinated supervision program for state-chartered banks. The
agreement provides for the supervision of state-chartered banks that have interstate branches. (See SR-96-33.)

Section 106 also prohibits a bank from conditioning the availability or price
of one product on a requirement that a customer (1) provide another product
to the bank or an affiliate of the bank or (2) not obtain another product from
a competitor of the bank or from a competitor of an affiliate of the bank. For
example, the statute prohibits a bank from requiring that a prospective
borrower purchase homeowners’ insurance from the bank or an affiliate of
the bank to obtain a mortgage loan from the bank. Section 106 contains
several exceptions to its general prohibitions, and it authorizes the Board to
grant, by regulation or order, additional exceptions from the prohibitions
when the Board determines an exception ‘‘will not be contrary to the
purposes’’ of the statute.

Under the federal banking laws, a subsidiary of a bank is considered to be
part of the bank for most supervisory and regulatory purposes. Therefore, the
restrictions in section 106 generally apply to tying arrangements imposed by
a subsidiary of a bank in the same manner that the statute applies to the
parent bank itself. Thus, a subsidiary of a bank is generally prohibited from
conditioning the availability or price of a product on the customer’s purchase
of another product from the subsidiary, its parent bank, or any affiliate of its
parent bank. Section 106 generally does not apply to tying arrangements
imposed by a nonbank affiliate of a bank.

In addition to the regulatory prohibitions and exceptions, this section
includes the Board or Board staff interpretations on tying arrangements,
including those issued on August 18, 2003, and February 2, 2004. These two
interpretations state that bank customers that receive securities-based credit
can be required to hold their pledged securities as collateral at an account of
a bank holding company’s or bank’s broker-dealer affiliate. The examination
objectives and examination procedures have also been revised to address
tying arrangements.

3000.1, 3000.2, 3000.3, 3000.4 The ‘‘Deposit Accounts’’ section has been revised to incorporate the June 15,
2004, interagency advisory ‘‘Guidance on Accepting Accounts from Foreign
Governments, Foreign Embassies, and Foreign Political Figures.’’ The
advisory was issued by the federal banking and thrift agencies (the agencies)
and the U.S. Department of the Treasury’s Financial Crimes Enforcement
Network (FinCEN). The advisory was issued in response to inquiries the
agencies and FinCEN received on whether financial institutions should do
business and establish account relationships with the foreign customers cited
in the advisory. Banking organizations are advised that the decision to accept
or reject such foreign-account relationships is theirs alone to make. Financial
institutions are to be aware that there are varying degrees of risk associated
with these accounts, depending on the customer and the nature of the
services provided. Institutions should take appropriate steps to manage these
risks, consistent with sound practices and applicable anti-money-laundering
laws and regulations. (See SR-04-10.) The examination objectives, exami-
nation procedures, and internal control questionnaire were also revised to
incorporate the advisory’s supervisory guidance.

3020.1, 3020.3 The ‘‘Assessment of Capital Adequacy’’ section has been updated to include
provisions of a final rule revision pertaining to a bank’s risk-based capital
requirements for asset-backed commercial paper (ABCP) programs. The
Board approved the rule changes on July 17, 2004 (effective September 30,
2004). See appendix A of Regulation H (12 CFR 208, appendix A).

In January 2003, the Financial Accounting Standards Board (FASB) issued
FASB Interpretation No. 46, ‘‘Consolidation of Variable Interest Entities’’
(FIN 46). FIN 46 required, for the first time, the consolidation of variable
interest entities (VIEs) onto the balance sheets of companies deemed to be
the primary beneficiaries of those entities. In December 2003, FASB revised
FIN 46 as FIN 46-R. (The interpretation (FIN 46 or FIN 46-R) was effective
for reporting periods that ended as early as December 15, 2003. However,
there are various effective dates, which are determined on the basis of the
nature, size, and type of business entity.) FIN 46-R requires the consolidation
of many ABCP programs onto the balance sheets of banking organizations.

Under the Board’s revised risk-based capital rule, a bank that qualifies as a
primary beneficiary and must consolidate an ABCP program that is defined
as a variable interest entity under generally accepted accounting principles
may exclude the consolidated ABCP program’s assets from risk-weighted
assets provided that it is the sponsor of the program. Banks must also hold
risk-based capital against eligible ABCP liquidity facilities with an original
maturity of one year or less that provide liquidity support to ABCP by
applying a new 10 percent credit-conversion factor to such facilities. Eligible
ABCP liquidity facilities with an original maturity exceeding one year
remain subject to the rule’s current 50 percent credit-conversion factor.
Ineligible liquidity facilities are treated as direct-credit substitutes or
recourse obligations, which are subject to a 100 percent credit-conversion
factor. When calculating the bank’s tier 1 and total capital, any associated
minority interests must also be excluded from tier 1 capital. The examination
procedures were also revised to incorporate the revised risk-based capital

4030.1, 4030.2, 4030.3, 4030.4 The ‘‘Asset Securitization’’ section has been revised to incorporate the
Board’s July 17, 2004, approval (effective September 30, 2004) of a final
rule to the risk-based capital requirements for ABCP programs and their
liquidity facilities. For more details, see the summary for section 3020.1. The
examination objectives, examination procedures, and internal control ques-
tionnaire were also revised to incorporate the revised rule for ABCP

4125.1, 4125.3 The ‘‘Payment System Risk and Electronic Funds Transfer Activities’’
section incorporates the Board’s September 22, 2004, changes to its Policy
on Payments System Risk (the PSR policy). (See 69 Fed. Reg. 57917,
September 28, 2004, and 69 Fed. Reg. 69926, December 1, 2004.) Effective
July 20, 2006, the PSR policy requires Reserve Banks (1) to release interest
and redemption payments on securities issued by government-sponsored
enterprises (GSEs) and certain international organizations (institutions for
which the Reserve Banks act as fiscal agents but whose securities are not
obligations of, or fully guaranteed as to principal and interest by, the United
States) only if the issuer’s Federal Reserve account contains sufficient funds
to cover them and (2) to align the treatment of the general corporate account
activity of GSEs and certain international organizations with the treatment of
the activity of other account holders that do not have regular access to the
discount window and those account holders not eligible for intraday credit.
The examination procedures have also been updated to incorporate the
revisions to the Board’s PSR policy.


| Remove | Insert |
| --- | --- |
| 1000.1, pages 1–4, 4.1–4.3 | 1000.1, pages 1–4, 4.1–4.4 |
| 2020.1, pages 1–2 | 2020.1, pages 1–2 |
| pages 5–8, 8.1–8.9 | pages 5–8, 8.1–8.11 |
| 2020.3, pages 1–4, 4.1 | 2020.3, pages 1–4, 4.1 |
| 2040.1, pages 1–2 | 2040.1, pages 1–2 |
| pages 8.1–8.3 | pages 8.1–8.7 |
| 2040.2, page 1 | 2040.2, page 1 |
| 2040.3, pages 1–2 | 2040.3, pages 1–2 |
| pages 5–8 | pages 5–9 |
| 3000.1, pages 1–4, 4.1 | 3000.1, pages 1–4, 4.1–4.2 |
| 3000.2, page 1 | 3000.2, page 1 |
| 3000.3, pages 1–6 | 3000.3, pages 1–6 |
| 3000.4, pages 1–6 | 3000.4, pages 1–6 |
| 3020.1, pages 1–10 | 3020.1, pages 1–10, 10.1–10.2 |
| pages 21–51 | pages 21–56 |
| 3020.3, pages 1–4 | 3020.3, pages 1–4 |
| 4030.1, pages 1–4 | 4030.1, pages 1–4 |
| pages 18.1–18.6, 19–28 | pages 19–37 |
| 4030.2, page 1 | 4030.2, page 1 |
| 4030.3, pages 1–3 | 4030.3, pages 1–3 |
| 4030.4, page 1 | 4030.4, pages 1–2 |
| 4125.1, pages 1–21 | 4125.1, pages 1–22 |
| 4125.3, pages 1–2 | 4125.3, pages 1–2 |
| Subject Index, pages 1–16 | Subject Index, pages 1–16 |

Commercial Bank Examination Manual
Supplement 21—May 2004


Section number Description of the change

1010.1 This revised section on internal control and audit function, oversight, and
outsourcing incorporates a brief overview of the joint final rules adopted by
the Board and the other federal bank and thrift regulatory agencies. (See the
Board’s August 8, 2003, press release.) Section 36 of the Federal Deposit
Insurance Act, as implemented by 12 CFR 363, governs the agencies’
authority to take disciplinary actions against independent accountants and
accounting firms that perform audit and attestation services required by the
act. Attestation services address management’s assertions concerning inter-
nal controls over financial reporting. An insured depository institution must
include the accountant’s audit and attestation reports in its annual report. The
joint final rules established the practices and procedures under which the
agencies can, for good cause, remove, suspend, or bar an accountant or firm
from performing audit and attestation services for federally insured deposi-
tory institutions with assets of $500 million or more. The rules became
effective October 1, 2003.

2040.1, 2040.3, A.2040.3 Two of the loan portfolio management sections were revised to provide
references to accounting pronouncements that apply to mortgage banking
transactions and activities and that are consistent with the bank call report
instructions. Comprehensive mortgage banking examination procedures are
provided in the new section A.2040.3 (in the appendix to the manual). The
comprehensive procedures address the examination, supervisory, and valu-
ation concerns discussed in the following guidance: the February 25, 2003,
Interagency Advisory on Mortgage Banking; SR-03-4, ‘‘Risk Management
and Valuation of Mortgage Servicing Assets Arising from Mortgage Bank-
ing Activities’’; the mortgage banking examination modules; and many of
the mortgage banking inspection (examination) procedures found in section
3070.0 of the Bank Holding Company Supervision Manual.

2070.1 This section on the allowance for loan and lease losses (ALLL) was revised
to include references to updated accounting guidance, SR-04-5, and the
March 1, 2004, interagency Update on Accounting for Loan and Lease
Losses. The interagency update covers recent developments in accounting,
current sources of generally accepted accounting principles, and supervisory
guidance that applies to the ALLL. Other SR-letters associated with the
supervisory guidance for the ALLL are referenced. (See also section 2072.1.)

2100.1, 2100.4 The section on real estate construction loans and the respective internal
control questionnaire were revised to incorporate the October 27, 2003,
interagency statement on Independent Appraisal and Evaluation Functions
and, to a limited extent, the supervisory guidance in SR-03-18. (See the
summary for section 4140.1 below.)

4050.1 The section on bank-related organizations was revised to include brief
definitions and descriptions of the limited activities and services authorized
in Regulation K for foreign bank offices and organizations (that is, foreign
bank branches, agencies, commercial lending companies, representative
offices, and correspondent banks). For the purposes of sections 23A and 23B
of the Federal Reserve Act, the definition of affiliate was also clarified and
expanded on the basis of the provisions of the Board’s Regulation W.

4140.1, 4140.3, 4140.4 The section on real estate appraisals and evaluations and the respective
examination procedures and internal control questionnaire were revised to
reference and incorporate the October 27, 2003, interagency statement on
Independent Appraisal and Evaluation Functions. A banking institution’s
board of directors is responsible for reviewing and adopting policies and
procedures that establish and maintain an effective, independent real estate
appraisal and evaluation program (the program) for all of its lending
functions. Concerns about the independence of appraisals and evaluations
arise from the risk that improperly prepared appraisals may undermine the
integrity of credit-underwriting processes.
An institution’s lending functions should not have undue influence that
might compromise the program’s independence. Institutions may not use an
appraisal prepared by an individual who was selected or engaged by a
borrower. Likewise, institutions may not use ‘‘readdressed appraisals’’—
appraisal reports that are altered by the appraiser to replace any references to
the original client with the institution’s name. Altering an appraisal report in
a manner that conceals the original client or intended users of the appraisal
is misleading and violates the agencies’ appraisal regulations and the
Uniform Standards of Professional Appraisal Practice (USPAP). (See SR-

4180.1, 4180.2, 4180.3, 4180.4 These new sections discuss the January 5, 2004, Interagency Policy on
Banks/Thrifts Providing Financial Support to Funds Advised by the Banking
Organization or Its Affiliates. The policy alerts banking organizations,
including their boards of directors and senior management, to the
safety-and-soundness implications of and the legal impediments to a bank
providing financial support to investment funds advised by the bank, its
subsidiaries, or affiliates (that is, an affiliated investment fund).
The interagency policy emphasizes the following three core principles. A
bank should not—

• inappropriately place its resources and reputation at risk for the benefit
of affiliated investment funds’ investors and creditors;
• violate the limits and requirements in Federal Reserve Act sections 23A
and 23B and Regulation W, other applicable legal requirements, or any
special supervisory condition imposed by the agencies; or
• create an expectation that the bank will prop up the advised fund (or

In addition, bank-affiliated investment advisers are encouraged to establish
alternative sources of financial support to avoid seeking support from
affiliated banks. A bank’s investment advisory services can pose material
risks to the bank’s liquidity, earnings, capital, and reputation and can harm
investors, if the risks are not effectively controlled. Bank management is
expected to notify and consult with its appropriate federal banking agency
before (or, in an emergency, immediately after) providing material financial
support to an affiliated investment fund. (See SR-04-1.) Examination
objectives, examination procedures, and an internal control questionnaire
have been provided to address the supervisory concerns set forth in the


| Remove | Insert |
| --- | --- |
| Table of Contents, pages 1–2 | Table of Contents, pages 1–2 |
| 1010.1, pages 1–6 | 1010.1, pages 1–6, 6.1 |
| 2040.1, pages 1–2 | 2040.1, pages 1–2 |
| pages 5–6, 6.1–6.3, 7–8 | pages 5–8, 8.1–8.3 |
| pages 21–24 | pages 21–24, 24.1–24.2 |
| 2040.3, pages 1–8 | 2040.3, pages 1–8 |
| 2070.1, pages 1–2 | 2070.1, pages 1–2 |
| 2090.1, pages 1–2 | 2090.1, pages 1–2 |
| pages 15–18 | pages 15–18 |
| 2090.4, pages 1–3 | 2090.4, pages 1–3 |
| 2100.1, pages 1–2 | 2100.1, pages 1–2 |
| pages 5–6 | pages 5–6, 6.1 |
| 2100.4, pages 1–5 | 2100.4, pages 1–5 |
| 3020.1, pages 1–4, 4.1 | 3020.1, pages 1–4, 4.1 |
| pages 13–14 | pages 13–14 |
| pages 25–28 | pages 25–28 |
| pages 32.1–32.3, 33–34 | pages 32.1–32.2, 33–34, 34.1 |
| 4030.1, pages 5–6 | 4030.1, pages 5–6 |
| 4050.1, pages 1–2 | 4050.1, pages 1–2, 2.1 |
| pages 13–14, 14.1–14.3 | pages 13–14, 14.1–14.4 |
| 4140.1, pages 1–2 | 4140.1, pages 1–2, 2.1 |
| pages 11–12 | pages 11–14 |
| 4140.3, pages 1–2 | 4140.3, pages 1–2 |
| 4140.4, pages 1–2 | 4140.4, pages 1–2 |
| | 4180.1, pages 1–2 |
| | 4180.2, page 1 |
| | 4180.3, page 1 |
| | 4180.4, page 1 |
| | A.2040.3, pages 1–20 |
| Subject Index, pages 1–15 | Subject Index, pages 1–16 |


The bank examination process is the Federal Reserve’s fact-finding arm in
discharging its regulatory and supervisory responsibilities. The essential
objectives of an examination are (1) to provide an objective evaluation of a
bank’s soundness and compliance with banking laws and regulations, (2) to
permit the Federal Reserve to appraise the quality of management and
directors, and (3) to identify those areas where corrective action is required
to strengthen the bank, improve the quality of its performance, and enable it
to comply with applicable laws, rulings, and regulations.

To accomplish these objectives, the examiner should evaluate the prudency of
the bank’s practices, the bank’s adherence to laws and regulations, the
adequacy of the bank’s liquidity and capital, the quality of the bank’s assets
and earnings, the nature of the bank’s operations, and the adequacy of the
bank’s internal control and internal audit. The scope of an examination may
cover every phase of banking activity, or it may concentrate on specific areas
that deserve greater emphasis because of their potential effect on a bank’s
soundness.

ABOUT THIS MANUAL

The goal of the Commercial Bank Examination Manual is to organize and
formalize longstanding examination objectives and procedures that provide
guidance to the examiner, and to enhance the quality and consistent
application of examination procedures. The manual provides specific guidelines
for—

• determining the scope of an examination;
• determining the procedures to be used in examining all areas of a bank,
including those procedures that may lead to the early detection of trends
that, if continued, might result in a deterioration in the condition of a
• evaluating the adequacy of the bank’s written policies and procedures, the
degree of compliance with them, and the adequacy of its internal controls;
• evaluating the work performed by internal and
• preparing workpapers that support examination reports and aid in evaluating
the work performed; and
• using objective criteria as a basis for the overall conclusion, and for the
resulting comments and criticism, regarding the condition and quality of the
bank and its management.

The examiner-in-charge must properly plan and organize the examination before
work begins. Initial decisions concerning examination scope can usually be
made based on the nature of the bank’s operations; its size; the past
experience of the examiner-in-charge with the bank; information in the
previous examination report, including the condition of the bank at that
examination; communications with the bank between examinations; and analysis
from the Uniform Bank Performance Report. The planning of work and
preexamination procedures are covered in the Examination Planning section of
this manual.

Examiners should view the manual as a working tool rather than as a reference
manual. In most sections of the manual, examination procedures and internal
control questionnaires are provided to form the basis for the examination of a
bank. These procedures should lead to consistent and objective examinations of
varying scopes. The bank’s condition is disclosed by the performance of
examination procedures, including review of internal controls and audit
function, and the evaluation of the results therefrom, not by the examiner’s
judgment alone.

For larger banks, additional examination procedures need to be incorporated
into the process to effectively examine those institutions’ complex
organizational reporting and accounting systems. Conversely, some of the
procedures contained in this manual do not apply to smaller-sized banks.
Additionally, state laws and local characteristics necessitate supplemental
procedures. For example, specific procedures relating to various types of
agricultural lending have not been developed in this manual. Similarly, state
banking laws must be considered when applying the procedures to various areas,
such as lending, capital adequacy, and pledging requirements. When modifying
the procedures, the examiner-in-charge is responsible for determining that the
external auditors; examination objectives are met and that the
• evaluating the performance and activities of examination meets the needs of the individual
management and the board of directors; bank.

Commercial Bank Examination Manual March 1994


The manual is also intended to guide examiners in their efforts to encourage banks to develop written policies and related procedures in all areas where none exist, and to correct situations where there are deficiencies in or a lack of compliance with existing procedures. To aid the examiner, this manual includes topics such as loan portfolio management, investment portfolio management, asset and liability management, earnings analysis, capital analysis, and service area analysis. A section on the appraisal of bank management guides the examiner in assembling and evaluating information from all other manual sections and helps uncover inconsistencies in the application of bank policies among various management groups. Examiners should be able to increase the level of professionalism and the soundness of the banking system by encouraging all banks to follow the best practices that currently exist in the banking industry. In no case, however, should this approach discourage the development and implementation of conceptually sound and innovative practices by individual banks.

Although this manual is designed to provide guidance to the examiner in planning and conducting bank examinations, it should not be considered a legal reference. Questions concerning the applicability of and compliance with federal laws and regulations should be referred to appropriate legal counsel. In addition, the manual should not be viewed as a comprehensive training guide. Separate training programs provide more detailed instructions to assist the examiner in better understanding banking operations and applying examination procedures.

HOW TO USE THIS MANUAL

Organization

The Commercial Bank Examination Manual is divided into nine major parts, each set off by a divider tab:

• Part 1000—Examination Planning
• Part 2000—Assets
• Part 3000—Liabilities and Capital
• Part 4000—Other Examination Areas
• Part 5000—Assessment of the Bank
• Part 6000—Federal Reserve Examinations
• Part 7000—International
• Part 8000—Statutes and Regulations
• Appendix

Sections in each part are made up of four subsections, where applicable. They are—

• an overview
• examination objectives
• examination procedures
• internal control questionnaire

The overviews, for the most part, summarize the respective topics. This information is expanded on and reinforced through the Federal Reserve’s educational programs and the examiner’s experience on the job.

The examination objectives describe the goals that should be of primary interest to the examiner. Two of the objectives determine the scope of the examination for the specific area of examination interest. They are (1) the evaluation of the system of internal control and of bank policies, practices, and procedures, and (2) the evaluation of the scope and adequacy of the audit function. Other common objectives are to determine compliance with laws, regulations, and rulings, and to determine the need for corrective action.

The examination procedures include procedures to be performed during a full-scope, comprehensive examination. In some instances not all of the procedures apply to all banks; examiners may exercise some flexibility depending on the particular characteristics of the bank under examination. The materiality and significance of a given area of bank operations are the examiner’s primary considerations in deciding the scope of the examination and the procedures to be performed. Examiner flexibility results in examinations tailored to fit the operations of the

The evaluation of a bank’s internal control environment should encompass a review of the internal audit activities and the implementation of selected internal control questionnaires (ICQs), which set forth standards for operational control. Due to the difference between an examination and an audit, it is not contemplated that all ICQs will be implemented in any one examination. The body of ICQs used during the course of the examination should be made up of three elements: (1) those mandated for all examinations, (2) those selected by the examiner-in-charge based upon experience, knowledge of problems within the bank, and perception of risk, and (3) those that focus on areas where on-site evaluation of operational control appears warranted in light of the results of the examination of internal audit activities. In addition to serving as a guide during on-site evaluations, the ICQs can be used in the appraisal of operational audit techniques in banks where the scope of internal auditing includes such considerations. The ICQ steps marked with an asterisk require substantiation by observation or testing; they are considered to be fundamental to any control program regardless of the size of the institution. These steps should be incorporated in management control programs in smaller banks to compensate for the absence of internal auditing.

Following the main parts are a listing of statutes and regulations administered by the Federal Reserve and an appendix that includes various forms, checklists, statements, and guidelines, which provide the examiner with additional information regarding certain topics.

Numbering System

The manual is arranged using a numbering system based on the manual’s sections and subsections. For example, the overview subsection of the Internal Control section is numbered 1010.1. 1010 is the section number for Internal Control, and .1 is the number for the overview. The examination objectives subsection for that section is numbered 1010.2, and so on. Subsections are always numbered consecutively regardless of the number of subsections within a particular section.

The appendix sections begin with the letter A, followed by the number of the section to which the item relates. For example, the Supplement on Internal Auditing for the Internal Control section is numbered A.1010.1. Should the Internal Control section have more than one appendix item, the numbering would appear as A.1010.1, A.1010.2, etc.

Updates

Beginning with the March 1994 reprint of the Commercial Bank Examination Manual, all manual pages are dated March 1994. Succeeding updates will be dated the month and year in which they are issued. There is an effective date at the top of the first page of each subsection that shows the last time that subsection was updated.

The manual is usually updated in the spring and fall of each year; special supplements are issued as needed. On the back of the title page is a checklist so you can record when an update has been filed. For this manual to be most useful, it is essential that updated pages be filed as soon as possible. If you have any questions about receiving updates, please contact Publications Services, Mail Stop 127, Board of Governors of the Federal Reserve System, Washington, D.C. 20551; 202-452-3244.

Table of Contents

Section

1000 Examination Strategy and Risk-Focused Examinations
1010 Internal Control and Audit Function, Oversight, and Outsourcing
1015 Conflict-of-Interest Rules for Examiners
1020 Federal Reserve System Bank Watch List and Surveillance Programs
1030 Workpapers

2000 Cash Accounts
2010 Due from Banks
2015 Interbank Liabilities
2020 Investment Securities and End-User Activities
2030 Bank Dealer Activities
2040 Loan Portfolio Management
2043 Nontraditional Mortgages—Associated Risks
2050 Concentrations of Credit
2060 Classification of Credits
2070 Allowance for Loan and Lease Losses
2072 ALLL Methodologies and Documentation
2080 Commercial and Industrial Loans
2082 Loan-Sampling Program for Certain Community Banks
2090 Real Estate Loans
2100 Real Estate Construction Loans
2103 Concentrations in Commercial Real Estate Lending, Sound Risk-Management Practices
2110 Floor-Plan Loans
2115 Leveraged Financing
2120 Direct Financing Leases
2130 Consumer Credit
2133 Subprime Lending
2135 Subprime Mortgage Lending
2140 Agricultural Loans
2150 Energy Lending—Production Loans
2160 Asset-Based Lending
2170 Securities Broker and Dealer Loans
2180 Factoring
2190 Bank Premises and Equipment
2200 Other Real Estate Owned
2210 Other Assets and Other Liabilities

3000 Deposit Accounts
3010 Borrowed Funds
3012 Complex Wholesale Borrowings
3015 Deferred Compensation Agreements
3020 Assessment of Capital Adequacy
3030 Assessing Risk-Based Capital—Direct-Credit Substitutes Extended to ABCP Programs

4000 [Reserved]
4010 Analytical Review and Income and Expense
4020 Asset/Liability Management
4030 Asset Securitization
4033 Elevated-Risk Complex Structured Finance Activities
4040 Management of Insurable Risks
4042 Purchase and Risk Management of Life Insurance
4043 Insurance Sales Activities and Consumer Protection in Sales of Insurance
4050 Bank-Related Organizations
4060 Information Technology
4063 Electronic Banking
4070 Dividends
4080 Employee Benefit Trusts
4090 Interest-Rate Risk Management
4100 Litigation and Other Legal Matters; Examination-Related Subsequent Events
4110 Contingent Claims from Off-Balance-Sheet Credit Activities
4120 Other Non-Ledger Control Accounts
4125 Payment System Risk and Electronic Funds Transfer Activities
4128 Private-Banking Activities
4130 Private Placements
4133 Prompt Corrective Action
4140 Real Estate Appraisals and Evaluations
4150 Review of Regulatory Reports
4160 Sale of Uninsured Nondeposit Debt Obligations on Bank
4170 Retail Sales of Nondeposit Investment Products
4180 Investment-Funds Support
4200 Fiduciary Activities

5000 ASSESSMENT OF THE BANK

5000 Duties and Responsibilities of Directors
5010 Management Assessment
5017 Internal Control—Procedures, Processes, and Systems (Required Absences from Sensitive Positions)
5020 Overall Conclusions Regarding Condition of the Bank
5030 Meetings with Board of Directors
5040 Formal and Informal Corrective Actions

6000 FEDERAL RESERVE EXAMINATIONS

6000 Instructions for the Report of Examination
6003 Community Bank Examination
6010 Other Types of Examinations

7000 International—Examination Overview and Strategy
7010 International—Glossary
7020 International—Loan Portfolio
7030 International—Loans and Current Account Advances
7040 International—Country Risk and Transfer Risk
7050 International—Financing Foreign Receivables
7060 International—Banker’s Acceptances
7070 International—Due from Banks–
7080 International—Letters of Credit
7090 International—Guarantees Issued
7100 International—Foreign Exchange
7110 International—Purchases, Sales, Trading, Swaps, Rentals, and Options of LDC Assets

8000 STATUTES AND REGULATIONS

8000 Statutes and Regulations Administered by the Federal Reserve

APPENDIX

A.1010.1 Internal Control: Supplement on Internal Auditing
A.2000.1 Cash Accounts: Financial Recordkeeping and Reporting Regulations—Examination Procedures
A.2040.3 Comprehensive Mortgage Banking Examination Procedures
A.5020.1 Overall Conclusions Regarding Condition of the Bank: Uniform Financial Institutions Rating System

INDEX

Subject Index

Examination Strategy and Risk-Focused Examinations
Effective date October 2008 Section 1000.1

EXAMINATION AND SUPERVISORY AUTHORITY AND CONFIDENTIALITY PROVISIONS

The Federal Reserve System’s statutory examination authority permits examiners to review all books and records maintained by a financial institution that is subject to the Federal Reserve’s supervision. This authority extends to all documents.1 Section 11(a)(1) of the Federal Reserve Act provides that the Board has the authority to examine, at its discretion, the accounts, books, and affairs of each member bank and to require such statements and reports as it may deem necessary.

Federal Reserve supervisory staff (includes the examination staff), therefore, may review all books and records of a banking organization that is subject to Federal Reserve supervision.1a In addition, under the Board’s Rules Regarding the Availability of Information, banking organizations are prohibited from disclosing confidential supervisory information without prior written permission of the Board’s General Counsel.1b Confidential supervisory information is defined to include any information related to the examination of a banking organization.1c Board staff have taken the position that identification of information requested by, or provided to, supervisory staff—including the fact that an examination has taken or will take place—is related to an examination and falls within the definition of confidential supervisory information. It is contrary to Federal Reserve regulation and policy for agreements to contain confidentiality provisions that (1) restrict the banking organization from providing information to Federal Reserve supervisory staff;1 (2) require or permit, without the prior approval of the Federal Reserve, the banking organization to disclose to a counterparty that any information will be or was provided to Federal Reserve supervisory staff; or (3) require or permit, without the prior approval of the Federal Reserve, the banking organization to inform a counterparty of a current or upcoming Federal Reserve examination or any nonpublic Federal Reserve supervisory initiative or action. Banking organizations that have entered into agreements containing such confidentiality provisions are subject to legal risk. (See SR-07-19.)

1. SR-97-17 details the procedure supervisory staff should follow if a banking organization declines to provide information asserting a claim of legal privilege.
1a. Supervisory staff include individuals who are on and/or off site.
1b. 12 CFR 261.20(g).
1c. 12 CFR 261.2(c)(1)(i).

EXAMINATION-FREQUENCY GUIDELINES FOR STATE MEMBER BANKS

The Federal Reserve is required to conduct a full-scope, on-site examination of every insured member bank at least once during each 12-month period, with the exception that certain small institutions can be examined once during each 18-month period. The 18-month examination period can be applied to those banks that—

• have total assets of less than $500 million;1d
• are well capitalized;
• were assigned a management rating of 1 or 2 by the Federal Reserve as part of the bank’s rating under the Uniform Financial Institutions Rating System;
• were assigned a composite CAMELS rating of 1 or 2 by the Federal Reserve at their most recent examination;
• are not subject to a formal enforcement proceeding or action; and
• have not had a change in control during the preceding 12-month period in which a full-scope, on-site examination would have been required but for the above exceptions.

(See section 208.64 of Regulation H and 72 Fed. Reg. 17798, April 10, 2007, and 72 Fed. Reg. 54347, September 25, 2007.) The exceptions do not limit the authority of the Federal Reserve to examine any insured member bank as frequently as deemed necessary. (See also SR-07-8 and SR-97-8.)

1d. Based on jointly issued interim rules (effective April 10, 2007) issued by the Federal Reserve Board (Board), the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS). The interim rule was adopted as final, without change, on September 11, 2007. (See 72 Fed. Reg. 54347, September 25, 2007.) The interim rules implemented section 605 of the Financial Services Regulatory Relief Act of 2006 (FSRRA) and Public Law 109-473. Previously, the 18-month examination cycle was available only for institutions that had total assets of $250 million or less.

Commercial Bank Examination Manual October 2008


Alternate-Year Examination Program

The frequency of examination may also be affected by the alternate-year examination program. Under the alternate-year examination program, those banks that qualify are examined in alternate examination cycles by the Reserve Bank and the state. Thus, a particular bank would be examined by the Reserve Bank in one examination cycle, the state in the next, and so on. Any bank may be removed from the program and examined at any time by either agency, and either agency can meet with a bank’s management or board of directors or initiate supervisory action whenever deemed necessary. Banks that are ineligible for an alternate-year examination are those institutions that are in excess of $10 billion in assets and are rated a composite 3 or worse. De novo banks are also ineligible until they are rated 1 or 2 for two consecutive examinations after they have commenced operations. Also, a bank that undergoes a change in control must be examined by the Federal Reserve within 12 months of the change in control.

SUPERVISION OF STATE-CHARTERED BANKS

In May 2004, the State-Federal Working Group, an interagency group of state bank commissioners and senior officials from the Federal Reserve and the Federal Deposit Insurance Corporation (FDIC), developed a recommended-practices document designed to reiterate and reaffirm the need for a commonsense approach for collaborating with states in the supervision of state-chartered banking organizations.2 The recommended practices highlight the importance of communication and coordination between state and federal banking agencies in the planning and execution of supervisory activities.

When communicating and coordinating with other agencies, examination and supervisory staff should follow the common courtesies and recommended practices identified in the May 2004 document. The recommended practices reinforce the long-standing commitment of federal and state banking supervisors to provide efficient, effective, and seamless oversight of state banks of all sizes, whether those institutions operate in a single state or more than one state. The recommended practices also minimize, to the fullest extent possible, the regulatory burden placed on state-chartered banks—thus further supporting and fostering a seamless supervisory process. (See SR-04-12.)

Recommended Practices for State Banking Departments, the FDIC, and the Federal Reserve

1. State and federal banking agencies should take steps to ensure that all staff responsible for the supervision and examination of state-chartered banks are familiar with the principles contained in the agreement. State and federal banking agencies should ensure that adherence to the principles in the agreement is communicated as a priority within their respective agencies at all levels of staff—ranging from the field examiners to the officers in charge of supervision and to state bank commissioners.
2. Home-state supervisors should make every effort to communicate and coordinate with host-state supervisors as an important part of supervising multistate banks as specified in the Nationwide Cooperative Agreement executed by the state banking departments and recognized by the federal agencies in the agreement.
3. State and federal banking agencies should consider inviting one another to participate in regional examiner training programs and/or seminars to discuss emerging issues and challenges observed in the banking industry.
4. Federal and state banking departments should maintain and share current lists of their staff members designated as PCPs (primary contact persons) for their institutions.
5. PCPs and EICs (examiners-in-charge) from the state banking department(s) and federal agencies should discuss and prepare supervisory plans at least once during the examination cycle, and more frequently as appropriate for institutions of greater size or complexity or that are troubled. The agencies should discuss and communicate changes to the plan as they may evolve over the examination cycle. The supervisory plans should be comprehensive, including examination plans, off-site monitoring, follow-up or target reviews, supervisory actions, etc., as applicable.
6. The PCPs from the home-state banking department and federal banking agencies should make every effort to share reports that their individual agencies have produced through their off-site monitoring program or through targeted supervisory activities.
7. State and federal banking agencies should notify one another as early as possible if their agency cannot conduct a supervisory event (e.g., examination) that was previously agreed upon—or if the agency intends to provide fewer examiners/resources than originally planned.
8. Meetings with bank management and directors should involve both the appropriate staff in the home-state banking department and in the responsible federal banking agency whenever possible. If a joint meeting is not possible or appropriate (for example, the bank arranges the meeting with one agency only), the other agency (the home-state banking department or the responsible federal banking agency as applicable) should be informed of the meeting.
9. The home-state and responsible federal agency should make every effort to issue a joint exam report in the 45-day time frame identified in the agreement. If circumstances prevent adherence to time frames identified in the agreement, the state and federal agencies should coordinate closely and consider benchmarks or timing requirements that may apply to the other agency.
10. All corrective-action plans (for example, memoranda of understanding, cease-and-desist orders) should be jointly discussed, coordinated, and executed to the fullest extent possible among all examination parties involved. Also, all information on the institution’s corrective-action plan and progress made toward implementing the plan should be shared.
11. To ensure that messages to management are consistent to the fullest extent possible, supervisory conclusions or proposed actions should only be communicated to bank management, the bank board of directors, or other bank staff after such matters have been fully vetted within and between the federal banking agency and home-state banking department. The vetting process should, to the fullest extent possible, adhere to the exit meeting and examination report issuance time frames specified in the agreement. All parties should make every effort to expedite the process in order to deliver timely exam findings and efficient regulatory oversight.
12. When differences between the agencies arise on important matters, such as examination conclusions or proposed supervisory action, senior management from the home-state banking department and the appropriate federal banking agency should communicate to try to resolve the differences. In the event that the state and federal banking agency cannot reach agreement on important matters affecting the supervised institution, the respective agencies should coordinate the communication of those differences to the management or board of directors of the supervised institution, including the timing thereof and how the differing views will be presented.

2. The source for the recommended practices is the November 14, 1996, Nationwide State and Federal Supervisory Agreement (the agreement) to enhance the overall state-federal coordinated supervision program for state-chartered banks. The agreement established a set of core principles to promote coordination in the supervision of all interstate banks, with particular emphasis on complex or larger (for example, $1 billion or more of assets) institutions. (See SR-96-33.) These principles are equally applicable and important when supervisors from federal and state banking agencies are communicating and coordinating the supervision of state-chartered banks operating within a single state.

EXAMINATION OF INSURED DEPOSITORY INSTITUTIONS BEFORE THEY BECOME OR MERGE INTO STATE MEMBER BANKS

Premembership examinations of state nonmember banks, national banks, and savings associations seeking to convert to state-membership status will not be required if the bank or savings association seeking membership meets the criteria for “eligible bank,” as defined in section 208.2(e) of Regulation H.2a Additionally, examinations of state nonmember banks, national banks, and savings associations seeking to merge into a state member bank will not be required so long as the state member bank, on an existing and pro forma basis, meets the criteria for eligible bank.

For those institutions not subject to a premembership or premerger examination, risk assessments and supervisory strategies should be completed no later than 30 days after the conversion or merger. To the extent issues or concerns arise, targeted or, if warranted, full-scope examinations of the converted or merged institution should be conducted as soon as possible after the conversion or merger. For a state member bank that was formerly a savings association or that acquired a savings association, the risk assessment and supervisory strategy should pay particular attention to activities conducted by a service corporation subsidiary that may not be permissible activities for a state member bank.

Premembership or premerger examinations should generally be conducted for an insured depository institution that does not meet the criteria for eligible bank. Consistent with a risk-focused approach, these examinations can be targeted, as appropriate, to the identified area (or areas) of weakness. The Reserve Bank may, in its discretion, waive the examination requirement if it is determined that conducting an examination would be (1) inconsistent with a risk-focused approach or (2) unlikely to provide information that would assist materially in evaluating the statutory and regulatory factors that the Federal Reserve is required to consider in acting on the membership or merger application.2b If an examination is waived, the Reserve Bank should prepare and maintain documentation supporting its decision.

In all circumstances, each Reserve Bank is responsible for ensuring that the examination-frequency time frames established by Federal Reserve policy and section 111 of the Federal Deposit Insurance Corporation Improvement Act (FDICIA) are adhered to. When the statutory deadline for an examination of a depository institution seeking membership is approaching or has passed, a Federal Reserve examination of the institution should be conducted as soon as practicable after the institution becomes a state member bank. (See SR-98-28.)

2a. “Eligible bank” is defined to mean a member bank that (1) is well capitalized; (2) has a composite CAMELS rating of 1 or 2; (3) has a CRA rating of Outstanding or Satisfactory; (4) has a rating of 1 or 2 as of its most recent consumer compliance examination; and (5) has no major unresolved supervisory issues outstanding, as determined by the Board or appropriate Federal Reserve Bank in its discretion. A major unresolved supervisory issue could also arise from significant trust or fiduciary activities that are found to be conducted in a less-than-satisfactory manner.
If a bank has not yet received compliance or CRA ratings from a bank regulatory authority, the Federal Reserve Board will look to the bank’s holding company to determine whether the bank’s application should receive expedited processing. If the bank’s holding company meets the criteria for expedited processing under section 225.14(c) of Regulation Y, the bank’s membership or branch application will be eligible for expedited processing. Banks that (1) have not yet received compliance or CRA ratings and (2) either are not owned by a bank holding company or are owned by a bank holding company that does not meet the criteria for expedited processing are not eligible for expedited treatment.
2b. Since membership in the Federal Reserve System does not confer deposit insurance, the membership applications do not include the requirements of the Community Reinvestment Act (CRA). Nevertheless, a less-than-satisfactory CRA rating, especially if it reflects a chronic record of weak CRA performance, would presumably reflect poorly upon the abilities of the institution’s management. Consequently, a determination of whether or not to conduct a premembership CRA examination should be based on a risk-focused assessment of the issues involved, with an institution’s CRA performance being only one of the factors considered from a risk-focused perspective.

OBJECTIVES OF THE

The Federal Reserve is committed to ensuring that the supervisory process for all institutions under its purview meets the following objectives:

• Provides flexible and responsive supervision. The supervisory process is dynamic and forward-looking, so it responds to technological advances, product innovation, and new risk-management systems and techniques, as well as to changes in the condition of an individual financial institution and to market developments.
• Fosters consistency, coordination, and communication among the appropriate supervisors. Seamless supervision, which reduces regulatory burden and duplication, is promoted. The supervisory process uses examiner resources effectively by using the institution’s internal and external risk-assessment and -monitoring systems; making appropriate use of joint and alternating examinations; and tailoring supervisory activities to an institution’s condition, risk profile, and unique characteristics.
• Promotes the safety and soundness of financial institutions. The supervisory process effectively evaluates the safety and soundness of banking institutions, including the assessment of risk-management systems, financial condition, and compliance with laws and

April 2008 Commercial Bank Examination Manual

Page 4
Examination Strategy and Risk-Focused Examinations 1000.1

• Provides a comprehensive assessment of the institution. The supervisory process integrates specialty areas (for example, information technology systems, trust, capital markets, and consumer compliance) and functional risk assessments and reviews, in cooperation with interested supervisors, into a comprehensive assessment of the institution.

RISK-FOCUSED EXAMINATIONS

Historically, examinations relied significantly on transaction-testing procedures when assessing a bank’s condition and verifying its adherence to internal policies, procedures, and controls. In a highly dynamic banking market, however, transaction testing by itself is not sufficient for ensuring the continued safe and sound operation of a banking organization. Evolving financial instruments and markets have enabled banking organizations to rapidly reposition their portfolio risk exposures. Therefore, periodic assessments of the condition of a financial institution that are based on transaction testing alone cannot keep pace with the moment-to-moment changes occurring in financial risk profiles.

To ensure that institutions have in place the processes necessary to identify, measure, monitor, and control risk exposures, examinations have increasingly emphasized evaluating the appropriateness of these processes, evolving away from a high degree of transaction testing. Under a risk-focused examination approach, the degree of transaction testing should be reduced when internal risk-management processes are determined to be adequate or when risks are minimal. However, when risk-management processes or internal controls are considered inappropriate, such as by an inadequate segregation of duties or when on-site testing determines processes to be lacking, additional transaction testing must be performed. Testing should be sufficient to fully assess the degree of risk exposure in a particular function or activity. In addition, if an examiner believes that a banking organization’s management is being less than candid, has provided false or misleading information, or has omitted material information, then substantial on-site transaction testing should be performed.

Compliance with Laws and Regulations

Compliance with relevant laws and regulations should be assessed at every examination. The steps taken to complete these assessments will vary depending on the circumstances of the institution subject to review. When an institution has a history of satisfactory compliance with relevant laws and regulations or has an effective compliance function, only a relatively limited degree of transaction testing need be conducted to assess compliance. At institutions with a less satisfactory compliance record or that lack a compliance function, more-extensive review will be necessary.

Changes in the General Character of a Bank’s Business

In conjunction with assessing overall compliance with relevant laws and regulations, examiners should review for compliance with the requirements of Regulation H, which sets forth the requirements for membership of state-chartered banks in the Federal Reserve System and imposes certain conditions of membership on applicant banks. Under the regulation, a member bank must “at all times conduct its business and exercise its powers with due regard to safety and soundness” and “may not, without the permission of the Board, cause or permit any change in the general character of its business or in the scope of the corporate powers it exercises at the time of admission to membership.” (See SR-02-9 and section 208.3(d)(1) and (2) of Regulation H (12 CFR 208.3(d)(1) and (2)).)

State member banks must receive the prior approval of the Board before making any significant change in business plans. The trend toward more-diverse, more-complex, and, at times, riskier activities at some banks has raised the importance of this prior-approval requirement. Changes in the general character of a bank’s business would include, for example, becoming a primarily Internet-focused or Internet-only operation, or concentrating solely on subprime lending or leasing activities. Depending on how they are conducted and managed, these activities can present novel risks for banking organizations and may also present risks to the deposit insurance fund. In many cases, these activities involve aggressive growth plans and may give


rise to significant financial, managerial, and other supervisory issues.

In applications for membership in the Federal Reserve System, careful consideration is given to a bank’s proposed business plan to ensure, at a minimum, that appropriate financial and managerial standards are met. Likewise, the other federal banking agencies consider a bank’s business plan when they review applications for federal deposit insurance, in the case of the Federal Deposit Insurance Corporation (FDIC), or applications for a national bank or federal thrift charter, in the case of the Office of the Comptroller of the Currency (OCC) or the Office of Thrift Supervision (OTS). The OCC, the FDIC, and the OTS have been conditioning their approvals of applications on a requirement that, during the first three years of operations, the bank or thrift provides prior notice or obtains prior approval of any proposed significant deviations or changes from its original operating plan. Rather than use similar commitments, the Federal Reserve has relied on the provisions of Regulation H to address situations in which a state member bank proposes to materially change its core business plan.

Federal Reserve supervisors will be monitoring changes in the general character of a state member bank’s business as part of the Federal Reserve’s normal supervisory process to ensure compliance with the requirements of Regulation H and with safe and sound banking practices. This review should be conducted at least annually by the Reserve Bank. A significant change in a bank’s business plan without the Board’s prior approval would be considered a violation of Regulation H and would be addressed through follow-up supervisory action.

Branches

When reviewing domestic-branch applications, the guidelines in section 208.6(b) of Regulation H are followed. The Board reviews the financial condition and management of the applying bank, the adequacy of the bank’s capital and its future earning prospects, the convenience and needs of the community to be served, CRA and Regulation BB performance for those branches that will be accepting deposits, and whether the bank’s investment in premises for the branch is consistent with section 208.21 of Regulation H.

A state member bank that desires to establish a new branch facility may be eligible for expedited processing of its application by the Reserve Bank if it is an eligible bank, as defined in section 208.2(e) of Regulation H.

A member bank may also choose to submit an application that encompasses multiple branches that it proposes to establish within one year of the approval date. Unless notification is waived, the bank must notify the appropriate Reserve Bank within 30 days of opening any branch approved under a consolidated application. Although banks are not required to open an approved branch, approvals remain valid for one year. During this period, the Board or the appropriate Reserve Bank may notify the bank that in its judgment, based on reports of condition, examinations, or other information, there has been a change in the bank’s condition, financial or otherwise, that warrants reconsideration of the approval. (See Regulation H, section 208.6(d).)

Insured depository institutions that intend to close branches must comply with the requirements detailed in section 42 of the Federal Deposit Insurance Act (the FDI Act) (12 USC 1831r-1). Section 42(e) requires that banks provide 90 days’ notice to both customers and, in the case of insured state member banks, the Federal Reserve Board, before the date of the proposed branch closings. The notice must include a detailed statement of the reasons for the decision to close the branch and statistical and other information in support of those stated reasons. A similar notice to customers must be posted in a conspicuous manner on the premises of the branch to be closed, at least 30 days before the proposed closing. There are additional notice, meeting, and consultation requirements for proposed branch closings by interstate banks in low- or moderate-income areas. Finally, the law requires each insured depository institution to adopt policies for branch closings. (See the revised joint policy statement concerning insured depository institutions’ branch-closing notices and policies, effective June 29, 1999,2c Federal Reserve Regulatory Service, 3–1503.5.) Examiners and supervisors need to be mindful of the section 42 statutory requirements and this joint policy.

2c. See also 64 Fed. Reg. 34844.

Section 208.6(f) of Regulation H states that a branch relocation, defined as a movement that


occurs within the immediate neighborhood and does not substantially affect the nature of the branch’s business or customers served, is not considered a branch closing. Section 208.2(c)(2)(ii) of Regulation H states (in one of six exclusions) that a branch does not include an office of an affiliated or unaffiliated institution that provides services to customers of the member bank on behalf of the member bank, so long as the institution is not “established or operated” by the bank. For example, a bank could contract with an unaffiliated or affiliated institution to receive deposits; cash and issue checks, drafts, and money orders; change money; and receive payments of existing indebtedness without becoming a branch of that bank. The bank could also (1) have no ownership or leasehold interest in the institution’s offices, (2) have no employees who work for the institution, and (3) not exercise any authority or control over the institution’s employees or methods of operation.

Prohibition on Branches Being Established Primarily for Deposit Production

Section 109 of the Riegle-Neal Interstate Banking and Branching Efficiency Act of 1994 (the Interstate Act) (12 USC 1835a) prohibits any bank from establishing or acquiring a branch or branches outside of its home state primarily for the purpose of deposit production. In 1997, the banking agencies published a joint final rule implementing section 109. (See 62 Fed. Reg. 47728, September 10, 1997.) Section 106 of the Gramm-Leach-Bliley Act of 1999 expanded the coverage of section 109 of the Interstate Act to include any branch of a bank controlled by an out-of-state bank holding company. On June 6, 2002, the Board and the other banking agencies published an amendment to their joint final rule (effective October 1, 2002) to conform the uniform rule to section 109. (See 67 Fed. Reg. 38844.) The amendment expands the regulatory prohibition against interstate branches being used as deposit-production offices to include any bank or branch of a bank controlled by an out-of-state bank holding company, including a bank consisting only of a main office. (See Regulation H, section 208.7(b)(2).)

Minimum Statewide Loan-to-Deposit Ratios

Section 109 sets forth a process to test compliance with the statutory requirements. First, a bank’s statewide loan-to-deposit ratio2d is compared with the host-state loan-to-deposit ratio2e for banks in a particular state. If the bank’s statewide loan-to-deposit ratio is at least one-half of the published host-state loan-to-deposit ratio, then it has complied with section 109. A second step is conducted if a bank’s statewide loan-to-deposit ratio is less than one-half of the published ratio for that state or if data are not available at the bank to conduct the first step. The second step involves determining whether the bank is reasonably helping to meet the credit needs of the communities served by its interstate branches. If a bank fails both of these steps, it has violated section 109 and is subject to sanctions.

2d. The statewide loan-to-deposit ratio relates to an individual bank and is the ratio of a bank’s loans to its deposits in a particular state where the bank has interstate branches.
2e. The host-state loan-to-deposit ratio is the ratio of total loans in a state to total deposits from the state for all banks that have that state as their home state. For state-chartered banks, the home state is the state where the bank was chartered.

RISK-MANAGEMENT PROCESSES AND INTERNAL CONTROLS

The Federal Reserve has always placed significant supervisory emphasis on the adequacy of an institution’s management of risk, including its system of internal controls, when assessing the condition of an organization. An institution’s failure to establish a management structure that adequately identifies, measures, monitors, and controls the risks involved in its various products and lines of business has long been considered unsafe and unsound conduct. Principles of sound management should apply to the entire spectrum of risks facing a banking institution, including, but not limited to, credit, market, liquidity, operational, legal, and reputational risk. (See SR-97-24 and SR-97-25.)

• Credit risk arises from the potential that a borrower or counterparty will fail to perform on an obligation.
• Market risk is the risk to a financial institution’s condition resulting from adverse movements in market rates or prices, such as


interest rates, foreign-exchange rates, or equity prices.
• Liquidity risk is the potential that an institution will be unable to meet its obligations as they come due because of an inability to liquidate assets or obtain adequate funding (referred to as “funding liquidity risk”), or the potential that the institution cannot easily unwind or offset specific exposures without significantly lowering market prices because of inadequate market depth or market disruptions (referred to as “market liquidity risk”).
• Operational risk arises from the potential that inadequate information systems, operational problems, breaches in internal controls, fraud, or unforeseen catastrophes will result in unexpected losses.
• Legal risk arises from the potential that unenforceable contracts, lawsuits, or adverse judgments can disrupt or otherwise negatively affect the operations or condition of a banking organization.
• Reputational risk is the potential that negative publicity regarding an institution’s business practices, whether true or not, will cause a decline in the customer base, costly litigation, or revenue reductions.

In practice, an institution’s business activities present various combinations and concentrations of these risks, depending on the nature and scope of the particular activity. The following discussion provides guidelines for determining the quality of bank management’s formal or informal systems for identifying, measuring, and containing these risks.

Elements of Risk Management

When evaluating the quality of risk management as part of the evaluation of the overall quality of management, examiners should consider findings relating to the following elements of a sound risk-management system:

• active board and senior management oversight
• adequate policies, procedures, and limits
• adequate risk-measurement, risk-monitoring, and management information systems
• comprehensive internal controls

Adequate risk-management programs can vary considerably in sophistication, depending on the size and complexity of the banking organization and the level of risk that it accepts. For smaller institutions engaged solely in traditional banking activities and whose senior managers and directors are actively involved in the details of day-to-day operations, relatively basic risk-management systems may be adequate. However, large, multinational organizations will require far more elaborate and formal risk-management systems to address their broader and typically more-complex range of financial activities, and to provide senior managers and directors with the information they need to monitor and direct day-to-day activities. In addition to the banking organization’s market and credit risks, risk-management systems should encompass the organization’s trust and fiduciary activities, including investment advisory services, mutual funds, and securities lending.

Active Board and Senior Management Oversight

When assessing the quality of the oversight by boards of directors and senior management, examiners should consider whether the institution follows policies and practices such as those described below:

• The board and senior management have identified and have a clear understanding and working knowledge of the types of risks inherent in the institution’s activities, and they make appropriate efforts to remain informed about these risks as financial markets, risk-management practices, and the institution’s activities evolve.
• The board has reviewed and approved appropriate policies to limit risks inherent in the institution’s lending, investing, trading, trust, fiduciary, and other significant activities or products.
• The board and management are sufficiently familiar with and are using adequate recordkeeping and reporting systems to measure and monitor the major sources of risk to the organization.
• The board periodically reviews and approves risk-exposure limits to conform with any changes in the institution’s strategies, reviews new products, and reacts to changes in market conditions.
• Management ensures that its lines of business are managed and staffed by personnel whose


knowledge, experience, and expertise is consistent with the nature and scope of the banking organization’s activities.
• Management ensures that the depth of staff resources is sufficient to operate and soundly manage the institution’s activities, and ensures that employees have the integrity, ethical values, and competence that are consistent with a prudent management philosophy and operating style.
• Management at all levels provides adequate supervision of the day-to-day activities of officers and employees, including management supervision of senior officers or heads of business lines.
• Management is able to respond to risks that may arise from changes in the competitive environment or from innovations in markets in which the organization is active.
• Before embarking on new activities or introducing new products, management identifies and reviews all risks associated with the activities or products and ensures that the infrastructure and internal controls necessary to manage the related risks are in place.

Adequate Policies, Procedures, and Limits

Examiners should consider the following when evaluating the adequacy of a banking organization’s policies, procedures, and limits:

• The institution’s policies, procedures, and limits provide for adequate identification, measurement, monitoring, and control of the risks posed by its lending, investing, trading, trust, fiduciary, and other significant activities.
• The policies, procedures, and limits are consistent with management’s experience level, the institution’s stated goals and objectives, and the overall financial strength of the organization.
• Policies clearly delineate accountability and lines of authority across the institution’s activities.
• Policies provide for the review of new activities to ensure that the financial institution has the necessary infrastructures to identify, monitor, and control risks associated with an activity before it is initiated.

Adequate Risk Monitoring and Management Information Systems

When assessing the adequacy of an institution’s risk measurement and monitoring, as well as its management reports and information systems, examiners should consider whether these conditions exist:

• The institution’s risk-monitoring practices and reports address all of its material risks.
• Key assumptions, data sources, and procedures used in measuring and monitoring risk are appropriate and adequately documented, and are tested for reliability on an ongoing basis.
• Reports and other forms of communication are consistent with the banking organization’s activities; are structured to monitor exposures and compliance with established limits, goals, or objectives; and, as appropriate, compare actual versus expected performance.
• Reports to management or to the institution’s directors are accurate and timely, and contain sufficient information for decision makers to identify any adverse trends and to evaluate adequately the level of risk faced by the institution.

Adequate Internal Controls

When evaluating the adequacy of a financial institution’s internal controls and audit procedures, examiners should consider whether these conditions are met:

• The system of internal controls is appropriate to the type and level of risks posed by the nature and scope of the organization’s activities.
• The institution’s organizational structure establishes clear lines of authority and responsibility for monitoring adherence to policies, procedures, and limits.
• Reporting lines for the control areas are independent from the business lines, and there is adequate separation of duties throughout the organization—such as duties relating to trading, custodial, and back-office activities.
• Official organizational structures reflect actual operating practices.
• Financial, operational, and regulatory reports are reliable, accurate, and timely, and, when


applicable, exceptions are noted and promptly investigated.
• Adequate procedures exist for ensuring compliance with applicable laws and regulations.
• Internal audit or other control-review practices provide for independence and objectivity.
• Internal controls and information systems are adequately tested and reviewed. The coverage of, procedures for, and findings and responses to audits and review tests are adequately documented. Identified material weaknesses are given appropriate and timely high-level attention, and management’s actions to address material weaknesses are objectively verified and reviewed.
• The institution’s audit committee or board of directors reviews the effectiveness of internal audits and other control-review activities regularly.

RISK-FOCUSED SUPERVISION OF COMMUNITY BANKS

Understanding the Bank

The risk-focused supervision process for community banks involves a continuous assessment of the bank, which leads to an understanding of the bank that enables examiners to tailor their examination to the bank’s risk profile. In addition to examination reports and correspondence files, each Reserve Bank maintains various surveillance reports that identify outliers when a bank is compared to its peer group. Review of this information helps examiners identify a bank’s strengths and vulnerabilities, and is the foundation for determining the examination activities to be conducted.

Contact with the organization is encouraged to improve the examiners’ understanding of the institution and the market in which it operates. A pre-examination interview or visit should be conducted as a part of each examination. This meeting gives examiners the opportunity to learn about any changes in bank management and changes to the bank’s policies, strategic direction, management information systems, and other activities. During this meeting, particular emphasis should be placed on learning about the bank’s new products or new markets it may have entered. The pre-examination interview or visit also provides examiners with (1) management’s view of local economic conditions, (2) an understanding of the bank’s regulatory compliance practices, and (3) its management information systems and internal and/or external audit function. In addition, Reserve Banks should contact the state banking regulator to determine whether it has any special areas of concern that examiners should focus on.

Reliance on Internal Risk

As previously discussed in the subsection “Risk-Management Processes and Internal Controls,” the entire spectrum of risks facing an institution should be considered when assessing a bank’s risk portfolio. Internal audit, loan-review, and compliance functions are integral to a bank’s own assessment of its risk profile. If applicable, it may be beneficial to discuss with the bank’s external auditor the results of its most recent audit for the bank. Such a discussion gives the examiner the opportunity to review the external auditor’s frequency, scope, and reliance on internal audit findings. Examiners should consider the adequacy of these functions in determining the risk profile of the bank, and be alert to opportunities to reduce regulatory burden by testing rather than duplicating the work of internal and external audit functions. See the subsection “Risk-Focused Examinations” for a discussion on transaction testing.

Preparation of a Scope Memorandum

An integral product in the risk-focused methodology, the scope memorandum identifies the central objectives of the examination. The memorandum also ensures that the examination strategy is communicated to appropriate examination staff, which is of key importance, as the scope will likely vary from examination to examination. Examination procedures should be tailored to the characteristics of each bank, keeping in mind its size, complexity, and risk profile. Procedures should be completed to the degree necessary to determine whether the bank’s management understands and adequately controls the levels and types of risk that are assumed. In addition, the scope memorandum should address the general banking environment, economic conditions, and any changes foreseen by bank management that could affect


the bank’s condition. Some of the key factors that should be addressed in the scope memorandum are described below.

Preliminary Risk Assessment

A summary of the risks associated with the bank’s activities should be based on a review of all available sources of information on the bank, including, but not limited to, prior examination reports, surveillance reports, correspondence files, and audit reports. The scope memorandum should include a preliminary assessment of the bank’s condition and major risk areas that will be evaluated through the examination process. For detailed discussion of risk assessments and risk matrices, see the subsection “Risk-Focused Supervision of Large, Complex Institutions.”

Summary of Pre-Examination Meeting

The results of the pre-examination meeting should be summarized. Meeting results that affect examination coverage should be

Summary of Audit and Internal Control Environment

A summary of the scope and adequacy of the audit environment should be prepared, which may result in a modification of the examination procedures initially expected to be performed. Activities that receive sufficient coverage by the bank’s audit system can be tested through the examination process. Certain examination procedures could be eliminated if their audit and internal control areas are deemed satisfactory.

Summary of Examination Procedures

As discussed below, examination modules have been developed for the significant areas reviewed during an examination. The modules are categorized as primary or supplemental. The primary modules must be included in each examination. However, procedures within the primary modules can be eliminated or enhanced based on the risk assessment or the adequacy of the audit and internal control environment. The scope memorandum should specifically detail the areas within each module to be emphasized during the examination process. In addition, any supplemental modules used should be discussed.

Summary of Loan Review

On the basis of the preliminary risk assessment, the anticipated loan coverage should be detailed in the scope memorandum. In addition to stating the percentage of commercial and commercial real estate loans to be reviewed, the scope memorandum should identify which specialty loan reference modules of the general loan module are to be completed. The memorandum should specify activities within the general loan module to be reviewed as well as the depth of any specialty reviews.

Job Staffing

The staffing for the examination should be detailed. Particular emphasis should be placed on ensuring that appropriate personnel are assigned to the high-risk areas identified in the bank’s risk assessment.

Examination Modules

Standardized electronic community bank examination modules have been developed and designed to define common objectives for the review of important activities within institutions and to assist in the documentation of examination work. It is expected that full-scope examinations will use these modules.

The modules establish a three-tiered approach for the review of a bank’s activities: The first tier is the core analysis, the second tier is the expanded review, and the final tier is the impact analysis. The core analysis includes a number of decision factors that should be considered collectively, as well as individually, when evaluating the potential risk to the bank. To help the examiner determine whether risks are adequately managed, the core analysis section contains a list of procedures that may be considered for implementation. Once the relevant procedures are performed, the examiner should document conclusions in the core analysis decision factors. When significant deficiencies or weaknesses are noted in the core analysis review, the examiner is required to complete the expanded analysis


for those decision factors that present the greatest degree of risk for the bank. However, if the risks are properly managed, the examiner can conclude the review.

The expanded analysis provides guidance for determining if weaknesses are material to the bank’s condition and if they are adequately managed. If the risks are material or inadequately managed, the examiner is directed to perform an impact analysis to assess the financial impact to the bank and whether any enforcement action is necessary.

The use of the modules should be tailored to the characteristics of each bank based on its size, complexity, and risk profile. As a result, the extent to which each module should be completed will vary from bank to bank. The individual procedures presented for each level are meant only to serve as a guide for answering the decision factors. Not every procedure requires an individual response, and not every procedure may be applicable at every community bank. Examiners should continue to use their discretion when excluding any items as unnecessary in their evaluation of decision factors.

are implemented differently: The process for complex institutions relies more heavily on a central point of contact and detailed risk assessments and supervisory plans before the on-site examination or inspection. In comparison, for small or noncomplex institutions and community banks, risk assessments and examination activities may be adequately described in the scope memorandum.

Key Elements

To meet the supervisory objectives discussed previously and to respond to the characteristics of large institutions, the framework for risk-focused supervision of large complex institutions contains the following key elements:

• Designation of a central point of contact. Large institutions typically have operations in several jurisdictions, multiple charters, and diverse product lines. Consequently, the supervisory program requires that a “central point of contact” be designated for each institution to facilitate coordination and communication among the numerous regulators and specialty areas.
RISK-FOCUSED SUPERVISION OF • Review of functional activities. Large institu-
LARGE COMPLEX INSTITUTIONS tions are generally structured along business
lines or functions, and some activities are
The Federal Reserve recognizes a difference in managed on a centralized basis. As a result, a
the supervisory requirements for community single type of risk may cross several legal
banks and large complex banking organizations entities. Therefore, the supervisory program
(LCBOs). The complexity of financial products, incorporates assessments along functional lines
sophistication of risk-management systems to evaluate risk exposure and its impact on
(including audit and internal controls), manage- safety and soundness. These functional reviews
ment structure, and geographic dispersion of will be integrated into the risk assessments
operations are but a few of the areas in which for specific legal entities and used to support
large institutions may be distinguished from the supervisory ratings for individual legal
community banks. While close coordination entities.3
with state banking departments, the Office of the • Focus on risk-management processes. Large
Comptroller of the Currency (OCC), and the institutions generally have highly developed
Federal Deposit Insurance Corporation (FDIC) risk-management systems, such as internal
is important for fostering consistency among audit, loan review, and compliance. The
banking supervisors and reducing the regulatory supervisory program emphasizes each institu-
burden for community banks, it is critical for tion’s responsibility to be the principal source
large complex banking organizations. for detecting and deterring abusive and
The examination approaches for both large unsound practices through adequate internal
complex institutions and community banks are controls and operating procedures. The pro-
risk-focused processes that rely on an under-
standing of the institution, the performance of 3. When functions are located entirely in legal entities that
are not primarily supervised by the Federal Reserve, the
risk assessments, the development of a supervi- results of supervisory activities conducted by the primary
sory plan, and examination procedures tailored regulator will be used to the extent possible to avoid duplica-
to the risk profile. However, the two approaches tion of activities.

April 2008 Commercial Bank Examination Manual

Page 8
Examination Strategy and Risk-Focused Examinations 1000.1

gram incorporates an approach that focuses on tions with consolidated assets less than
and evaluates the institution’s risk-management $1 billion.
systems, yet retains transaction testing and Nonbank subsidiaries of large complex domes-
supervisory rating systems, such as the tic institutions are covered by the supervisory
CAMELS, bank holding company RFI/C(D), program. These institutions include nonbank
and ROCA rating systems. This diagnostic subsidiaries of the parent bank holding company
perspective is more dynamic and forward and those of the subsidiary state member banks;
looking because it provides insight into how the significant branch operations, primarily
effectively an institution is managing its foreign branches, of state member banks; and
operations and how well it is positioned to subsidiary foreign banks of the holding com-
meet future business challenges. pany. The level of supervisory activity to
• Tailoring of supervisory activities. Large be conducted for nonbank subsidiaries and for-
institutions are unique, but all possess the eign branches and subsidiaries of domestic
ability to quickly change their risk profiles. To institutions should be based on their individual
deliver effective supervision, the supervisory risk levels relative to the consolidated organiza-
program incorporates an approach that tailors tion or the state member bank. The risk associ-
supervisory activities to the risk profile of an ated with significant nonbank subsidiaries or
institution. By concentrating on an institu- branches should be identified as part of the
tion’s major risk areas, examiners can achieve consolidated risk-assessment process. The scope
a more relevant and penetrating understanding of Edge Act corporation examinations should
of the institution’s condition. also be determined through the risk-assessment
• Emphasis on ongoing supervision. Large process. In addition, specialty areas should be
institutions face a rapidly changing environ- included in the planning process in relation to
ment. Therefore, the supervisory program their perceived level of risk to the consoli-
emphasizes ongoing supervision through dated organization or to any state member bank
increased planning and off-site monitoring. subsidiary.
Ongoing supervision allows for timely adjust-
ments to the supervisory strategy as con-
ditions change within the institution and Coordination of Supervisory
economy. Activities
Many large complex institutions have interstate
Covered Institutions operations; therefore, close cooperation with the
other federal and state banking agencies is
For purposes of the risk-focused supervision critical. To facilitate coordination between the
framework, large complex institutions generally Federal Reserve and other regulators, District
have (1) a functional management structure, Reserve Banks have been assigned roles and
(2) a broad array of products, (3) operations that responsibilities that reflect their status as either
span multiple supervisory jurisdictions, and the responsible Reserve Bank (RRB) with the
(4) consolidated assets of $1 billion or more.4 central point of contact or the local Reserve
These institutions may be state member banks, Bank (LRB).
bank holding companies (including their non- The RRB is accountable for all aspects of the
bank and foreign subsidiaries), and branches supervision of a fully consolidated banking
and agencies of foreign banking organizations. organization, which includes the supervision of
However, if an institution with consolidated all the institution’s subsidiaries and affiliates
assets totaling $1 billion or more does not have (domestic, foreign, and Edge corporations) for
these characteristics, the supervisory process which the Federal Reserve has supervisory over-
adopted for community banks may be more sight responsibility. The RRB is generally
appropriate. Conversely, the complex-institution expected to work with LRBs in conducting
process may be appropriate for some organiza- examinations and other supervisory activities,
particularly where significant banking opera-
tions are conducted in a local District. Thus, for
4. Large institutions are defined differently in other regu-
state member banks, the LRB has an important
latory guidance for regulatory reports and examination role in the supervision of that subsidiary. How-
mandates. ever, the RRB retains authority and accountabil-

Commercial Bank Examination Manual April 2008

Page 9
1000.1 Examination Strategy and Risk-Focused Examinations

ity for the results of all examinations and reviews Sharing of RRB Duties
that an LRB may perform on its behalf. See
SR-05-27/CA-05-11. To take advantage of opportunities to enhance
supervisory effectiveness or efficiency, an RRB
is encouraged to arrange for the LRB to under-
Responsible Reserve Bank take on its behalf certain examinations or other
supervisory activities. For example, an LRB
In general, the RRB for a banking institution has may have relationships with local representa-
been the Reserve Bank in the District where the tives of the institution or local supervisors;
banking operations of the organization are prin- leveraging these relationships may facilitate com-
cipally conducted. For domestic banking insti- munication and reduce costs. Additionally, LRBs
tutions, the RRB typically will be the Reserve may provide specialty examination resources—in
Bank District where the head office of the top- the case of CRA examinations, LRB staff often
tier institution is located and where its overall provide valuable insights into local communities
strategic direction is established and overseen. and lending institutions that should be factored
For foreign banking institutions, the RRB typi- into the CRA assessment. When other Reserve
cally will be the Reserve Bank District where Bank Districts conduct examinations and other
the Federal Reserve has the most direct involve- supervisory activities for the RRB, substantial
ment in the day-to-day supervision of the U.S. reliance should be placed on the conclusions and
banking operations of the institution. ratings recommended by the participating Reserve
When necessary, the Board’s Division of Bank(s).
Banking Supervision and Regulation (BS&R), in The RRB retains authority and accountability
consultation with the Division of Consumer and for the results of all examinations and reviews
Community Affairs (C&CA), may designate an performed on its behalf and, therefore, must
RRB when the general principles set forth above work closely with LRB examination teams to
could impede the ability of the Federal Reserve ensure that examination scopes and conclusions
to perform its functions under law, do not result are consistent with the supervisory approach and
in an efficient allocation of supervisory resources, message applied across the consolidated organi-
or are otherwise not appropriate. zation. If an LRB identifies major issues in the
course of directly conducting supervisory activi-
ties on behalf of an RRB, those issues should be
Duties of RRBs brought to the attention of the RRB in a timely
The RRB develops the consolidated risk assess- If an RRB arranges for an LRB to conduct
ment and supervisory plan and ensures that the supervisory activities on its behalf, the LRB is
scope and timing of planned activities con- responsible for the costs of performing the
ducted by participating Districts and agencies activities. If the LRB is unable to fulfill the
pursuant to the plan are appropriate, given the request from the RRB to perform the specified
consolidated risk assessment. The RRB desig- activities, the RRB should seek System assis-
nates the central point of contact or lead exam- tance, if needed, by contacting Board staff or
iner and ensures that all safety-and-soundness, using other established procedures for coordi-
information technology, trust, consumer compli- nating resources.
ance, Community Reinvestment Act (CRA), and In general, LRBs are responsible for the direct
other specialty examinations, inspections, and supervision of state member banks located in
visitations are conducted and appropriately coor- their district. LRBs and host states will not
dinated within the System and with other regu- routinely examine branches of state member
lators. In addition, the RRB manages all formal banks or issue separate ratings and reports of
communications with the foreign and domestic examination. Similar to the relationship between
supervised entity, including the the communica- the RRBs and LRBs, home-state supervisors6
tion of supervisory assessments, ratings, and
remedial actions.5 6. The State/Federal Supervisory Protocol and Agreement
established definitions for home and host states. The home-
state supervisor is defined as the state that issued the charter.
5. See SR-97-24, ‘‘Risk-Focused Framework for Supervi- It will act on behalf of itself and all host-state supervisors
sion of Large Complex Institutions,’’ and SR-96-33, ‘‘State/ (states into which the bank branches) and will be the single
Federal Protocol and Nationwide Supervisory Agreement.’’ state contact for a particular institution.

April 2008 Commercial Bank Examination Manual

Page 10
Examination Strategy and Risk-Focused Examinations 1000.1

will coordinate the activities of all state banking A dedicated supervisory team composed of
departments and will be the state’s principal individuals with specialized skills based upon
source of contact with federal banking agencies the organization’s particular business lines and
and with the bank itself. Also, host states will risk profile will be assigned to each institution.
not unilaterally examine branches of interstate This full-time, dedicated cadre will be supple-
banks. Close coordination among the Reserve mented by other specialized System staff, as
Banks and other appropriate regulators for each necessary, to participate in examinations and
organization is critical to ensure a consistent, targeted reviews.
risk-focused approach to supervision. In addition to designing and executing the
supervisory strategy for an organization, the
central point of contact is responsible for man-
aging the supervisory team. The supervisory
Central Point of Contact and team’s major responsibilities are to maintain a
Supervisory Teams high level of knowledge of the banking organi-
zation and to ensure that supervisory strategies
A central point of contact is critical to fulfilling and priorities are consistent with the identified
the objectives of seamless, risk-focused super- risks and institutional profile.
vision. The RRB should designate a central
point of contact for each large complex institu-
tion it supervises. Generally, all activities and Sharing of Information
duties of other areas within the Federal Reserve,
as well as those conducted with other supervi- To further promote seamless, risk-focused
sors, should be coordinated through this contact. supervision, information related to a specific
The central point of contact should— institution should be provided, as appropriate, to
other interested supervisors. The information to
• be knowledgeable, on an ongoing basis, about be shared includes the products described in the
the institution’s financial condition, manage- ‘‘Process and Products’’ subsection. However,
ment structure, strategic plan and direction, sharing these products with the institution itself
and overall operations; should be carefully evaluated on a case-by-case
• remain up-to-date on the condition of the basis.
assigned institution and be knowledgeable
regarding all supervisory activities; monitor-
ing and surveillance information; applications Confidentiality Provisions in
issues; capital-markets activities; meetings Agreements that Prevent or Restrict
with management; and enforcement issues, if Notification to the Federal Reserve
• ensure that the objective of seamless, risk- The Federal Reserve has stated and clarified its
focused supervision is achieved for each expectations regarding confidentiality provi-
institution and that the supervisory products sions that are contained in agreements between a
described later are prepared in a timely banking organization and its counterparties (for
manner; example, mutual funds, hedge funds, and other
• ensure appropriate follow-up and tracking of trading counterparties) or other third parties. It is
supervisory concerns, corrective actions, or contrary to Federal Reserve’s regulations and
other matters that come to light through policy for agreements to contain confidentiality
ongoing communications or surveillance; and provisions that (1) restrict the banking organi-
• participate in the examination process, as zation from providing information to Federal
needed, to ensure consistency with the insti- Reserve supervisory staff; 6a (2) require or per-
tution’s supervisory plan and to ensure effec- mit, without the prior approval of the Federal
tive allocation of resources, including coordi- Reserve, the banking organization to disclose to
nation of on-site efforts with specialty a counterparty that any information will be or
examination areas and other supervisors, as was provided to Federal Reserve supervisory
appropriate, and to facilitate requests for
information from the institution, whenever 6a. Supervisory staff include individuals that are on and/or
possible. off site.

Commercial Bank Examination Manual April 2008

Page 10.1
1000.1 Examination Strategy and Risk-Focused Examinations

staff; or (3) require or permit, without the prior

approval of the Federal Reserve, the banking
organization to inform a counterparty of a cur-
rent or upcoming Federal Reserve examination
or any nonpublic Federal Reserve supervisory
initiative or action. Banking organizations that
have entered, or enter, into agreements contain-
ing such confidentiality provisions are subject to
legal risk. (See SR-07-19 and SR-97-17.) For
information on the restrictions pertaining to the
very limited disclosure of confidential supervi-
sory ratings and other nonpublic supervisory
information, see SR-05-4, SR-96-26, and SR-
88-37. See also section 5020.1.

Functional Approach and Targeted

Traditionally, the examination process has been
driven largely by a legal-entity approach to
banking companies. The basis for risk-focused
supervision of large complex institutions relies
more heavily on a functional, business-line ap-
proach to supervising institutions, while effec-
tively integrating the functional approach into
the legal-entity assessment.
The functional approach focuses principally
on the key business activities (for example,
lending, Treasury, retail banking) rather than
on reviewing the legal entity and its balance
sheet. This approach does not mean that the
responsibility for a legal-entity assessment is
ignored, nor should the Federal Reserve perform
examinations of institutions that other regula-
tors are primarily responsible for supervising.7
Rather, Federal Reserve examiners should inte-
grate the findings of a functional review into the
legal-entity assessment and coordinate closely
with the primary regulator to gather sufficient
information to form an assessment of the con-
solidated organization. Nonetheless, in some
cases, effective supervision of the consoli-
dated organization may require Federal Reserve
examiners to perform process reviews and pos-
sibly transaction testing at all levels of the
Functional risk-focused supervision is to be
achieved by—

7. For U.S. banks owned by FBOs, it is particularly

important to review the U.S. bank on a legal-entity basis and
to review the risk exposure to the U.S. bank of its parent
foreign bank since U.S. supervisory authorities do not super-
vise or regulate the parent bank.

April 2008 Commercial Bank Examination Manual

Page 10.2
Examination Strategy and Risk-Focused Examinations 1000.1

• planning and conducting joint examinations with the primary regulator in areas of mutual interest, such as nondeposit investment products, interest-rate risk, liquidity, and mergers and acquisitions;
• leveraging off, or working from, the work performed by the primary regulator and the work performed by the institution’s internal and external auditors by reviewing and using their workpapers and conclusions to avoid duplication of effort and to lessen the burden on the institution;
• reviewing reports of examinations and other communications to the institution issued by other supervisors; and
• conducting a series of functional reviews or targeted examinations of business lines, relevant risk areas, or areas of significant supervisory concern during the supervisory cycle. Functional reviews and targeted examinations are increasingly necessary to evaluate the relevant risk exposure of a large, complex institution and the effectiveness of related risk-management systems.

The relevant findings of functional reviews or targeted examinations should be—

• incorporated into the annual summary supervisory report, with follow-up on deficiencies noted in the functional reviews or targeted examinations;
• conveyed to the institution’s management during a close-out or exit meeting with the relevant area’s line management; and
• communicated in a formal written report to the institution’s management or board of directors when significant weaknesses are detected or when the finding results in a downgrade of any rating component.

The functional approach to risk assessments and to planning supervisory activities should include a review of the parent company and its significant nonbank subsidiaries. However, the level of supervisory review should be appropriate to the risk profile of the parent company or its nonbank subsidiary in relation to the consolidated organization. Intercompany transactions should continue to be reviewed as part of the examination procedures performed to ensure that these transactions comply with laws and regulations and do not pose safety-and-soundness concerns.

Process and Products

The risk-focused methodology for the supervision program for large, complex institutions reflects a continuous and dynamic process. The methodology consists of six steps, each of which uses certain written products to facilitate communication and coordination.

Table 1—Steps and Products

Steps                                                  Products
1. Understanding the institution                       1. Institutional overview
2. Assessing the institution’s risk                    2. Risk matrix
                                                       3. Risk assessment
3. Planning and scheduling supervisory activities      4. Supervisory plan
                                                       5. Examination program
4. Defining examination activities                     6. Scope memorandum
                                                       7. Entry letter
5. Performing examination procedures                   8. Functional examination modules
6. Reporting the findings                              9. Examination report(s)

The focus of the products should be on fully achieving a risk-focused, seamless, and coordinated supervisory process, not simply on completing the products. The content and format of the products are flexible and should be adapted to correspond to the supervisory practices of the agencies involved and to the structure and complexity of the institution.

Understanding the Institution

The starting point for risk-focused supervision is developing an understanding of the institution. This step is critical to tailoring the supervision program to meet the characteristics of the organization and to adjusting that program on an ongoing basis as circumstances change. Furthermore, understanding the Federal Reserve’s

Commercial Bank Examination Manual May 2000


supervisory role in relation to an institution and supervisory findings. General types of informa-
its affiliates is essential. tion that may be valuable to present in the
Through increased emphasis on planning and overview include—
monitoring, supervisory activities can focus on
the significant risks to the institution and on • a brief description of the organizational
related supervisory concerns. The technological structure;
and market developments within the financial • a summary of the organization’s business
sector and the speed with which an institution’s strategies as well as changes in key business
financial condition and risk profile can change lines, growth areas, new products, etc., since
make it critical for supervisors to keep abreast of the prior review;
events and changes in risk exposure and strat- • key issues for the organization, either from
egy. Accordingly, the central point of contact for external or internal factors;
each large, complex institution should review • an overview of management;
certain information on an ongoing basis and • a brief analysis of the consolidated financial
prepare an institution overview that will com- condition and trends;
municate his or her understanding of that • a description of the future prospects of the
institution. organization;
Information generated by the Federal Reserve, • descriptions of internal and external audit;
other supervisory agencies, the institution, and • a summary of supervisory activity performed
public organizations may assist the central point since the last review; and
of contact in forming and maintaining an ongo- • considerations for conducting future
ing understanding of the institution’s risk profile examinations.
and current condition. In addition, the central
point of contact should hold periodic discus-
sions with the institution’s management to cover,
among other topics, credit-market conditions, Assessing the Institution’s Risks
new products, divestitures, mergers and acqui-
sitions, and the results of any recently completed To focus supervisory activities on the areas of
internal and external audits. When other agen- greatest risk to an institution, the central point of
cies have supervisory responsibilities for the contact should perform a risk assessment. The
organization, joint discussions should be risk assessment highlights both the strengths and
considered. vulnerabilities of an institution and provides a
The principal risk-focused supervisory tools foundation for determining the supervisory
and documents, including an institutional over- activities to be conducted. Further, the assess-
view, risk matrix, and risk assessment for the ment should apply to the entire spectrum of risks
organization, should be current. Accordingly, facing an institution (as previously discussed in
the central point of contact should distill and the subsection ‘‘Risk-Management Processes and
incorporate significant new information into Internal Controls’’).
these documents at least quarterly. Factors such An institution’s business activities present
as emerging risks; new products; and significant various combinations and concentrations of the
changes in business strategy, management, con- noted risks depending on the nature and scope of
dition, or ownership may warrant more frequent the particular activity. Therefore, when conduct-
updates. In general, the more dynamic the orga- ing the risk assessment, consideration must be
nization’s operations and risks, the more fre- given to the institution’s overall risk environ-
quently the central point of contact should ment, the reliability of its internal risk manage-
update the risk assessment, strategies, and plans. ment, the adequacy of its information technol-
ogy systems, and the risks associated with each
of its significant business activities.
Preparation of the Institutional Overview
The institutional overview should contain a Assessment of the Overall Risk
concise executive summary that demonstrates Environment
an understanding of the institution’s present
condition and its current and prospective risk The starting point in the risk-assessment process
profiles, as well as highlights key issues and past is an evaluation of the institution’s risk tolerance

May 2000 Commercial Bank Examination Manual

Page 12
Examination Strategy and Risk-Focused Examinations 1000.1

and of management’s perception of the organi- trading systems. Accordingly, the institution’s
zation’s strengths and weaknesses. This evalua- risk assessment must consider the adequacy of
tion should entail discussions with management its information technology systems.
and review of supporting documents, strategic
plans, and policy statements. In general, man-
agement is expected to have a clear understand- Preparation of the Risk Matrix
ing of both the institution’s markets and the
general banking environment, as well as how A risk matrix is used to identify significant
these factors affect the institution. activities, the type and level of inherent risks in
The institution should have a clearly defined these activities, and the adequacy of risk man-
risk-management structure, which may be for- agement over these activities, as well as to
mal or informal, centralized or decentralized. determine composite-risk assessments for each
However, the greater the risk assumed by the of these activities and the overall institution. A
institution, the more sophisticated its risk- risk matrix can be developed for the consoli-
management system should be. Regardless of dated organization, for a separate affiliate, or
the approach, the types and levels of risk an along functional business lines. The matrix is a
institution is willing to accept should reflect its flexible tool that documents the process fol-
risk appetite, as determined by the board of lowed to assess the overall risk of an institution
directors. and is a basis for preparation of the narrative
To assess the overall risk environment, the risk assessment.
central point of contact should make a prelimi- Activities and their significance can be iden-
nary evaluation of the institution’s internal risk tified by reviewing information from the insti-
management, considering the adequacy of its tution, the Reserve Bank, or other supervisors.
internal audit, loan-review, and compliance func- After the significant activities are identified, the
tions. External audits also provide important type and level of risk inherent in them should be
information on the institution’s risk profile and determined. Types of risk may be categorized as
condition, which may be used in the risk previously described or by using categories
assessment. defined either by the institution or other super-
In addition, the central point of contact should visory agencies. If the institution uses risk
review risk assessments developed by the inter- categories that differ from those defined by the
nal audit department for significant lines of supervisory agencies, the examiner should deter-
business, and compare those results with the supervisory risk assessment. Management’s ability to aggregate risks on a global basis should also be evaluated. This preliminary evaluation can be used when developing the scope of examination activities to determine the level of examiner reliance on the institution’s internal risk management.

Risk-monitoring activities must be supported by management information systems that provide senior managers and directors with timely and reliable reports on the financial condition, operating performance, and risk exposure of the consolidated organization. These systems must also provide managers engaged in the day-to-day management of the organization’s activities with regular and sufficiently detailed reports for their areas of responsibility. Moreover, in most large, complex institutions, management information systems not only provide reporting systems, but also support a broad range of business decisions through sophisticated risk-management and decision-making tools such as credit-scoring and asset/liability models and automated

mine if all relevant types of risk are appropriately captured. If risks are appropriately captured by the institution, the examiner should use the categories identified by the institution.

For the identified functions or activities, the inherent risk involved in that activity should be described as high, moderate, or low for each type of risk associated with that type of activity. The following definitions apply:

• High inherent risk exists when the activity is significant or positions are large in relation to the institution’s resources or its peer group, when the number of transactions is substantial, or when the nature of the activity is inherently more complex than normal. Thus, the activity potentially could result in a significant and harmful loss to the organization.
• Moderate inherent risk exists when positions are average in relation to the institution’s resources or its peer group, when the volume of transactions is average, and when the activity is more typical or traditional. Thus, while the activity potentially could result in a

Commercial Bank Examination Manual May 2000

1000.1 Examination Strategy and Risk-Focused Examinations

loss to the organization, the loss could be absorbed by the organization in the normal course of business.
• Low inherent risk exists when the volume, size, or nature of the activity is such that even if the internal controls have weaknesses, the risk of loss is remote, or, if a loss were to occur, it would have little negative impact on the institution’s overall financial condition.

This risk-assessment is made without considering management processes and controls; those factors are considered when evaluating the adequacy of the institution’s risk-management systems.

Assessing Adequacy of Risk Management

When assessing the adequacy of an institution’s risk-management systems for identified functions or activities, the focus should be on findings related to the key elements of a sound risk-management system: active board and senior management oversight; adequate policies, procedures, and limits; adequate risk-management, monitoring, and management information systems; and comprehensive internal controls. (These elements are described in the earlier subsection “Elements of Risk Management.”) Taking these key elements into account, the contact should assess the relative strength of the risk-management processes and controls for each identified function or activity. Relative strength should be characterized as strong, acceptable, or weak as defined below:

• Strong risk management indicates that management effectively identifies and controls all major types of risk posed by the relevant activity or function. The board and management participate in managing risk and ensure that appropriate policies and limits exist, which the board understands, reviews, and approves. Policies and limits are supported by risk-monitoring procedures, reports, and management information systems that provide the necessary information and analysis to make timely and appropriate responses to changing conditions. Internal controls and audit procedures are appropriate to the size and activities of the institution. There are few exceptions to established policies and procedures, and none of these exceptions would likely lead to a significant loss to the organization.
• Acceptable risk management indicates that the institution’s risk-management systems, although largely effective, may be lacking to some modest degree. It reflects an ability to cope successfully with existing and foreseeable exposure that may arise in carrying out the institution’s business plan. While the institution may have some minor risk-management weaknesses, these problems have been recognized and are being addressed. Overall, board and senior management oversight, policies and limits, risk-monitoring procedures, reports, and management information systems are considered effective in maintaining a safe and sound institution. Risks are generally being controlled in a manner that does not require more than normal supervisory attention.
• Weak risk management indicates risk-management systems that are lacking in important ways and, therefore, are a cause for more than normal supervisory attention. The internal control system may be lacking in important respects, particularly as indicated by continued control exceptions or by the failure to adhere to written policies and procedures. The deficiencies associated in these systems could have adverse effects on the safety and soundness of the institution or could lead to a material misstatement of its financial statements if corrective actions are not taken.

The composite risk for each significant activity is determined by balancing the overall level of inherent risk of the activity with the overall strength of risk-management systems for that activity. For example, commercial real estate loans usually will be determined to be inherently high risk. However, the probability and the magnitude of possible loss may be reduced by having very conservative underwriting standards, effective credit administration, strong internal loan review, and a good early warning system. Consequently, after accounting for these mitigating factors, the overall risk profile and the level of supervisory concern associated with commercial real estate loans may be moderate.

To facilitate consistency in the preparation of the risk matrix, general definitions of the composite level of risk for significant activities are provided as follows:

• A high composite risk generally would be assigned to an activity in which the risk-management system does not significantly mitigate the high inherent risk of the activity. Thus, the activity could potentially result in a financial loss that would have a significant negative impact on the organization’s overall condition, in some cases, even when the systems are considered strong. For an activity with moderate inherent risk, a risk-management system that has significant weaknesses could result in a high composite risk assessment because management appears to have an insufficient understanding of the risk and uncertain capacity to anticipate and respond to changing conditions.
• A moderate composite risk generally would be assigned to an activity with moderate inherent risk, which the risk-management systems appropriately mitigate. For an activity with low inherent risk, significant weaknesses in the risk-management system may result in a moderate composite risk assessment. On the other hand, a strong risk-management system may reduce the risks of an inherently high-risk activity so that any potential financial loss from the activity would have only a moderate negative impact on the financial condition of the organization.
• A low composite risk generally would be assigned to an activity that has low inherent risks. An activity with moderate inherent risk may be assessed a low composite risk when internal controls and risk-management systems are strong, and when they effectively mitigate much of the risk.

Once the composite risk assessment of each identified significant activity or function is completed, an overall composite risk assessment should be made for off-site analytical and planning purposes. This assessment is the final step in the development of the risk matrix, and the evaluation of the overall composite risk is incorporated into the written risk assessment.

Preparation of the Risk Assessment

A written risk assessment is used as an internal supervisory planning tool and to facilitate communication with other supervisors. The goal is to develop a document that presents a comprehensive, risk-focused view of the institution, delineating the areas of supervisory concern and serving as a platform for developing the supervisory plan.

The format and content of the written risk assessment are flexible and should be tailored to the individual institution. The risk assessment reflects the dynamics of the institution; therefore, it should consider the institution’s evolving business strategies and be amended as significant changes in the risk profile occur. Input from other affected supervisors and specialty units should be included to ensure that all the institution’s significant risks are identified. The risk assessment should—

• include an overall risk assessment of the organization;
• describe the types of risk (credit, market, liquidity, reputational, operational, legal) and their level (high, moderate, low) and direction (increasing, stable, decreasing);
• identify all major functions, business lines, activities, products, and legal entities from which significant risks emanate, as well as the key issues that could affect the risk profile;
• consider the relationship between the likelihood of an adverse event and its potential impact on an institution; and
• describe the institution’s risk-management systems. Reviews and risk assessments performed by internal and external auditors should be discussed, as should the institution’s ability to take on and manage risk prospectively.

The central point of contact should attempt to identify the cause of unfavorable trends, not just report the symptoms. The risk assessment should reflect a thorough analysis that leads to conclusions about the institution’s risk profile, rather than just reiterating the facts.

Planning and Scheduling Supervisory Activities

The supervisory plan forms a bridge between the institution’s risk assessment, which identifies significant risks and supervisory concerns, and the supervisory activities to be conducted. In developing the supervisory plan and examination schedule, the central point of contact should minimize disruption to the institution and, whenever possible, avoid duplicative examination efforts and requesting similar information from the other supervisors.

Commercial Bank Examination Manual May 2006


The institution’s organizational structure and complexity are significant considerations when planning the specific supervisory activities to be conducted. Additionally, interstate banking and branching activities have implications for planning on-site and off-site review. The scope and location of on-site work for interstate banking operations will depend upon the significance and risk profile of local operations, the location of the supervised entity’s major functions, and the degree of its centralization. The bulk of safety-and-soundness examinations for branches of an interstate bank would likely be conducted at the head office or regional offices, supplemented by periodic reviews of branch operations and internal controls. The supervisory plan should reflect the need to coordinate these reviews of branch operations with other supervisors.

Preparation of the Supervisory Plan

A comprehensive supervisory plan should be developed annually, and reviewed and revised at least quarterly to reflect any significant new information or emerging banking trends or risks. The supervisory plan and any revisions should be periodically discussed with representatives of the principal regulators of major affiliates to reconfirm their agreement on the overall plan for coordinating its implementation, when warranted.

The plan should demonstrate that both the supervisory concerns identified through the risk-assessment process and the deficiencies noted in the previous examination are being or will be addressed. To the extent that the institution’s risk-management systems are adequate, the level of supervisory activity may be adjusted. The plan should generally address all supervisory activities to be conducted, the scope of those activities (full or targeted), the objectives of those activities (for example, review of specific business lines, products, support functions, legal entities), and specific concerns regarding those activities, if any. Consideration should be given to—

• prioritizing supervisory resources on areas of higher risk;
• pooling examiner resources to reduce the regulatory burden on institutions as well as examination redundancies;
• maximizing the use of examiners who are located where the activity is being conducted;
• coordinating examinations of different disciplines;
• determining compliance with, or the potential for, supervisory action;
• balancing mandated requirements with the objectives of the plan;
• providing general logistical information (for example, a timetable of supervisory activities, the participants, and expected resource requirements); and
• assessing the extent to which internal and external audit, internal loan review, compliance, and other risk-management systems will be tested and relied upon.

Generally, the planning horizon to be covered is 18 months for domestic institutions.8 The overall supervisory objectives and basic framework need to be outlined by midyear to facilitate preliminary discussions with other supervisors and to coincide with planning for the Federal Reserve’s annual scheduling conferences. The plan should be finalized by the end of the year, for execution in the following year.

8. The examination plans and assessments of condition of U.S. operations that are used for FBO supervision use a 12-month period.

Preparation of the Examination Program

The examination program should provide a comprehensive schedule of examination activities for the entire organization and aid in the coordination and communication of responsibilities for supervisory activities. An examination program provides a comprehensive listing of all examination activities to be conducted at an institution for the given planning horizon. To prepare a complete examination program and reflect the institution’s current conditions and activities, and the activities of other supervisors, the central point of contact needs to be the focal point for communications on a particular institution. The role includes any communications with the Federal Reserve, the institution’s management, and other supervisors. The examination program generally incorporates the following logistical elements:

• a schedule of activities, period, and resource estimates for planned projects
• an identification of the agencies conducting and participating in the supervisory activity (when there are joint supervisors, indicate the lead agency and the agency responsible for a particular activity) and resources committed by all participants to the area(s) under review
• the planned product for communicating findings (indicate whether it will be a formal report or supervisory memorandum)
• the need for special examiner skills and the extent of participation of individuals from specialty functions

Defining Examination Activities

Scope Memorandum

The scope memorandum is an integral product in the risk-focused methodology because it identifies the key objectives of the on-site examination. The focus of on-site examination activities, identified in the scope memorandum, follows a top-down approach that includes a review of the organization’s internal risk-management systems and an appropriate level of transaction testing. The risk-focused methodology is flexible regarding the amount of on-site transaction testing used. Although the focus of the examination is on the institution’s processes, an appropriate level of transaction testing and asset review will be necessary to verify the integrity of internal systems.

After the areas to be reviewed have been identified in the supervisory plan, a scope memorandum should be prepared that documents specific objectives for the projected examinations. This document is of key importance, as the scope of the examination will likely vary from year to year. Thus, it is necessary to identify the specific areas chosen for review and the extent of those reviews. The scope memorandum will help ensure that the supervisory plan for the institution is executed and will communicate the specific examination objectives to the examination staff.

The scope memorandum should be tailored to the size, complexity, and current rating of the institution subject to review. For large but less-complex institutions, the scope memorandum may be combined with the supervisory plan or the risk assessment. The scope memorandum should define the objectives of the examination, and generally should include—

• a statement of the objectives;
• an overview of the activities and risks to be evaluated;
• the level of reliance on internal risk-management systems and internal or external audit findings;
• a description of the procedures that are to be performed, indicating any sampling process to be used and the level of transaction testing, when appropriate;
• identification of the procedures that are expected to be performed off-site; and
• a description of how the findings of targeted reviews, if any, will be used on the current examination.

Entry Letter

The entry letter should be tailored to fit the specific character and profile of the institution to be examined and the scope of the activities to be performed. Thus, effective use of entry letters depends on the planning and scoping of a risk-focused examination. To eliminate duplication and minimize the regulatory burden on an institution, entry letters should not request information that is regularly provided to designated central points of contact or that is available within each Federal Reserve Bank. When needed for examinations of larger or more complex organizations, the entry letter should be supplemented by requests for information on specialty activities. The specific items selected for inclusion in the entry letter should meet the following guidelines:

• reflect risk-focused supervision objectives and the examination scope
• facilitate efficiency in the examination process and lessen the burden on financial institutions
• limit, to the extent possible, requests for special management reports
• eliminate items used for audit-type procedures (for example, verifications)
• distinguish between information to be mailed to the examiner-in-charge for off-site examination procedures and information to be held at the institution for on-site procedures
• allow management sufficient lead time to prepare the requested information

Commercial Bank Examination Manual April 2008


Examination Procedures

Examination procedures should be tailored to the characteristics of each institution, keeping in mind size, complexity, and risk profile. They should focus on developing appropriate documentation to adequately assess management’s ability to identify, measure, monitor, and control risks. Procedures should be completed to the degree necessary to determine whether the institution’s management understands and adequately controls the levels and types of risks that are assumed. For transaction testing, the volume of loans to be tested should be adjusted according to management’s ability to accurately identify problems and potential problem credits and to measure, monitor, and control the institution’s exposure to overall credit risk. Likewise, the level of transaction testing for compliance with laws and regulations should take into account the effectiveness of management systems to monitor, evaluate, and ensure compliance with applicable laws and regulations.

During the supervisory cycle, the 10 functional areas listed below will be evaluated in most full-scope examinations. To evaluate these functional areas, procedures need to be tailored to fit the risk assessment that was prepared for the institution and the scope memorandum that was prepared for the examination. These functional areas represent the primary business activities and functions of large complex institutions as well as common sources of significant risk to them. Additionally, other areas of significant sources of risk to an institution or areas that are central to the examination assignment will need to be evaluated. The functional areas include the following:

• loan portfolio analysis
• Treasury activities
• trading and capital-markets activities
• internal controls and audit
• supervisory ratings
• information systems
• fiduciary activities
• private banking
• retail banking activities
• payments system risk

Reporting the Findings

At least annually, a comprehensive summary supervisory report should be prepared that supports the organization’s assigned ratings and encompasses the results of the entire supervisory cycle. This report should (1) convey the Federal Reserve’s view of the condition of the organization and its key risk-management processes, (2) communicate the composite supervisory ratings, (3) discuss each of the major business risks, (4) summarize the supervisory activities conducted during the supervisory cycle and the resulting findings, and (5) assess the effectiveness of any corrective actions taken by the organization. This report will satisfy supervisory and legal requirements for a full-scope examination. Reserve Bank management, as well as Board officials, when warranted, will meet with the organization’s board of directors to present and discuss the contents of the report and the Federal Reserve’s assessment of the condition of the organization. (See SR-99-15.)

Minimum Timing Standards for Examination Report Completion

Examination reports issued by the Federal Reserve must be completed and filed within a maximum of 60 calendar days, commencing with the day following the examiner’s exit meeting. This standard applies to reports for all banks, regardless of the complexity of the organization. Additionally, for institutions with a CAMELS composite rating of 3, 4, or 5, Reserve Banks are encouraged to adopt an internal target of 45 calendar days for processing and filing reports. In cases where reports are issued jointly with other agencies, this standard may be extended at the discretion of senior management at the Reserve Bank. (See SR-93-4.)

Internal Control and Audit Function,
Oversight, and Outsourcing
Effective date October 2008 Section 1010.1

This section sets forth the principal aspects of effective internal control and audit and discusses some pertinent points relative to the internal control questionnaires (ICQs). It assists the examiner in understanding and evaluating the objectives of and the work performed by internal and external auditors. It also sets forth the general criteria the examiner should consider to determine if the work of internal and external auditors can be relied on in the performance of the examination. To the extent that audit records can be relied on, they should be used to complete the ICQs implemented during the examination. In most cases, only those questions not fully supported by audit records would require the examiner to perform a detailed review of the area in question.

Effective internal control is a foundation for the safe and sound operation of a financial institution. The board of directors and senior managers of an institution are responsible for ensuring that the system of internal control is effective. Their responsibility cannot be delegated to others within or outside the organization. An internal audit function is an important element of an effective system of internal control. When properly structured and conducted, internal audit provides directors and senior management with vital information about the condition of the system of internal control, and it identifies weaknesses so that management can take prompt, remedial action. Examiners are to review an institution’s internal audit function and recommend improvements if needed. In addition, under the Interagency Guidelines Establishing Standards for Safety and Soundness,1 pursuant to section 39 of the Federal Deposit Insurance Act (FDI Act) (12 USC 1831p-1), each institution is required to have an internal audit function that is appropriate to its size and the nature and scope of its activities.

1. For state member banks, see appendix D-1 to 12 CFR 208.

In summary, internal control is a process designed to provide reasonable assurance that the institution will achieve the following objectives: efficient and effective operations, including safeguarding of assets; reliable financial reporting; and compliance with applicable laws and regulations. Internal control consists of five components that are a part of the management process: control environment, risk assessment, control activities, information and communication, and monitoring activities. The effective functioning of these components, which is brought about by an institution’s board of directors, management, and other personnel, is essential to achieving the internal control objectives. This description of internal control is consistent with the Committee of Sponsoring Organizations of the Treadway Commission (COSO) report Internal Control—Integrated Framework. In addition, under the COSO framework, financial reporting is defined in terms of published financial statements, which, for these purposes, encompass financial statements prepared in accordance with generally accepted accounting principles and regulatory reports (such as the Reports of Condition and Income). Institutions are encouraged to evaluate their internal control against the COSO framework.

AUDIT COMMITTEE OVERSIGHT

Internal and external auditors will not feel free to assess the bank’s operations if their independence is compromised. This can sometimes happen when internal and external auditors report solely to senior management instead of to the board of directors.

The independence of internal and external auditors is increased when they report to an independent audit committee (one made up of external directors who are not members of the bank’s management). The auditors’ independence is enhanced when the audit committee takes an active role in approving the internal and external audit scope and plan.

The role of the independent audit committee is growing in importance. The audit committee’s duties may include (1) overseeing the internal audit function; (2) approving or recommending the appointment of external auditors and the scope of external audits and other services; (3) providing the opportunity for auditors to meet and discuss findings apart from management; (4) reviewing with management and external auditors the year-end financial statements; and (5) meeting with regulatory authorities.

Commercial Bank Examination Manual October 2008


Public Company Accounting and remain appropriate in light of the organiza-

Oversight Board tion’s size, operations, and resources. Further-
more, a banking organization’s policies and
The Sarbanes-Oxley Act of 2002 (the act) procedures for corporate governance, internal
became law on July 30, 2002 (Pub. L. No. controls, and auditing will be assessed during
107-204). The act addresses weaknesses in cor- the supervisory process, and supervisory action
porate governance and the accounting and may be taken if there are deficiencies or weak-
auditing professions and includes provisions nesses in these areas that are inconsistent with
addressing audits, financial reporting and disclo- sound corporate-governance practices or safety-
sure, conflicts of interest, and corporate gover- and-soundness considerations.
nance at publicly owned companies. The act,
among other things, requires public companies
to have an audit committee made entirely of DISCIPLINARY ACTIONS
independent directors. Publicly owned banking AGAINST ACCOUNTANTS AND
organizations that are listed on the New York ACCOUNTING FIRMS
Stock Exchange (NYSE) and Nasdaq must
also comply with those exchanges’ listing
requirements, which include audit committee SERVICES
The act also established a Public Company Section 36 of the Federal Deposit Insurance Act
Accounting Oversight Board (PCAOB) that has (the FDI Act) authorizes the federal bank and
the authority to set and enforce auditing, attes- thrift regulatory agencies (the agencies)3 to take
tation, quality-control, and ethics (including disciplinary actions against independent public
independence) standards for auditors of public accountants and accounting firms that perform
companies (subject to Securities and Exchange audit services covered by the act’s provisions.
Commission (SEC) review). (See SR-02-20.) Section 36, as implemented by part 363 of the
Accounting firms that conduct audits of public FDIC’s rules (12 CFR 363), requires that each
companies (registered accounting firms) must federally insured depository institution with total
register with the PCAOB and be subject to its assets of $500 million or more obtain an audit of
supervision. The PCAOB is also empowered to its financial statements and a management re-
inspect the auditing operations of public account- port. Institutions with assets of $1 billion or
ing firms that audit public companies as well as more must provide an attestation on manage-
impose disciplinary and remedial sanctions for ment’s assertions concerning internal controls
violations of its rules, securities laws, and pro- over financial reporting that is performed by an
fessional auditing and accounting standards. independent public accountant (the accountant).
(See The respective insured depository institution
In May 2003, the Federal Reserve, the Office must include the accountant’s audit and attesta-
of the Comptroller of the Currency, and the tion reports in its annual report, as required. See
Office of Thrift Supervision announced that they the section on ‘‘Legal Requirements Affecting
did not expect to take actions to apply the Banks and the Audit Function.’’
corporate-governance and other requirements of The agencies amended their rules, pursuant to
the Sarbanes-Oxley Act generally to nonpublic section 36, that set forth the practices and pro-
banking organizations that are not otherwise cedures to implement their authority to remove,
subject to them.2 (See SR-03-08.) Nonpublic suspend, or debar, for good cause, 3a an accoun-
banking organizations are encouraged to peri- tant or firm from performing audit and attesta-
odically review their policies and procedures
relating to corporate-governance and auditing
3. The Board of Governors of the Federal Reserve System,
matters. This review should ensure that such the Office of the Comptroller of the Currency, the Federal
policies and procedures are consistent with appli- Deposit Insurance Corporation, and the Office of Thrift
cable law, regulations, and supervisory guidance Supervision. The Board approved its rules on August 6, 2003
(press release of August 8, 2003). The rules became effective
October 1, 2003.
2. Some aspects of the auditor-independence rules estab- 3a. The rules provide that certain violations of law, negli-
lished by the Sarbanes-Oxley Act apply to all federally gent conduct, reckless violations of professional standards, or
insured depository institutions with $500 million or more in lack of qualifications to perform auditing services may be
total assets. See part 363 of the FDIC’s regulations. considered good cause.

October 2008 Commercial Bank Examination Manual

Page 2
Internal Control and Audit Function, Oversight, and Outsourcing 1010.1

tion services for insured depository institutions with assets of $500 million or more.3b Immediate suspensions are permitted in limited circumstances. Also, an accountant or accounting firm is prohibited from performing audit services for the covered institution if an authorized agency has taken such a disciplinary action against the accountant or firm, or if the SEC or the PCAOB has taken certain disciplinary action against the accountant or firm.

The amended rules reflect the agencies’ increasing concern about the quality of audits and internal controls for financial reporting at insured depository institutions. The rules emphasize the importance of maintaining high quality in the audits of federally insured depository institutions’ financial position and in the attestations of management assessments.

OBJECTIVES OF INTERNAL CONTROL

In general, good internal control exists when no one is in a position to make significant errors or perpetrate significant irregularities without timely detection. Therefore, a system of internal control should include those procedures necessary to ensure timely detection of failure of accountability, and such procedures should be performed by competent persons who have no incompatible duties. The following standards are encompassed within the description of internal control:

Existence of procedures. Existence of prescribed internal control procedures is necessary but not sufficient for effective internal control. Prescribed procedures that are not actually performed do nothing to establish control. Consequently, the examiner must give thoughtful attention not only to the prescribed set of procedures but also to the practices actually followed. This attention can be accomplished through inquiry, observation, testing, or a combination thereof.

Competent performance. For internal control to be effective, the required procedures must be performed by competent persons. Evaluation of competence undoubtedly requires some degree of subjective judgment because attributes such as intelligence, knowledge, and attitude are relevant. Thus, the examiner should be alert for indications that employees have failed so substantially to perform their duties that a serious question is raised concerning their abilities.

Independent performance. If employees who have access to assets also have access to the related accounting records or perform related review operations (or immediately supervise the activities of other employees who maintain the records or perform the review operations), they may be able to both perpetrate and conceal defalcations. Therefore, duties concerned with the custody of assets are incompatible with recordkeeping duties for those assets, and duties concerned with the performance of activities are incompatible with the authorization or review of those activities.

In judging the independence of a person, the examiner must avoid looking at that person as an individual and presuming the way in which that individual would respond in a given situation. For example, an individual may be the sole check signer and an assistant may prepare monthly bank reconcilement. If the assistant appears to be a competent person, it may seem that an independent reconcilement would be performed and anything amiss would be reported. Such judgments are potentially erroneous. There exist no established tests by which the psychological and economic independence of an individual in a given situation can be judged. The position must be evaluated, not the person. If the position in which the person acts is not an independent one in itself, then the work should not be presumed to be independent, regardless of the apparent competence of the person in question. In the example cited above, the function performed by the assistant should be viewed as if it were performed by the supervisor. Hence, incompatible duties are present in that situation.

PROCEDURES FOR COMPLETING ICQs

The implementation of selected ICQs and the evaluation of internal audit activities provide a basis for determining the adequacy of the bank’s control environment. To reach conclusions required by the questionnaires, the examiner

3b. See the Federal Reserve’s rules on disciplinary actions against public accountants and accounting firms at 12 CFR 263.94 and 12 CFR 263, subpart J.

Commercial Bank Examination Manual April 2008


assigned to review a given internal control routine or area of bank operations should use any source of information necessary to ensure a full understanding of the prescribed system, including any potential weaknesses. Only when the examiner completely understands the bank’s system can an assessment and evaluation be made of the effects of internal controls on the examination.

To reach conclusions concerning a specific section of an ICQ, the examiner should document and review the bank’s operating systems and procedures by consulting all available sources of information and discussing them with appropriate bank personnel. Sources of information might include organization charts, procedural manuals, operating instructions, job specifications, directives to employees, and other similar sources of information. Also, the examiner should not overlook potential sources such as job descriptions, flow charts, and other documentation in the internal audit workpapers. A primary objective in the review of the system is to efficiently reach a conclusion about the overall adequacy of existing controls. Any existing source of information that will enable the examiner to quickly gain an understanding of the procedures in effect should be used in order to minimize the time required to formulate the conclusions. The review should be documented in an organized manner through the use of narrative descriptions, flow charts, or other diagrams. If a system is properly documented, the documentation will provide a ready reference for any examiner performing work in the area, and it often may be carried forward for future examinations, which will save time.

Although narrative descriptions can often provide an adequate explanation of systems of internal control, especially in less complex situations, they may have certain drawbacks, such as the following:

• They may be cumbersome and too lengthy.
• They may be unclear or poorly written.
• Related points may be difficult to integrate.
• Annual changes may be awkward to record.

To overcome these problems, the examiner should consider using flow charts, which reduce narrative descriptions to a picture. Flow charts often reduce a complex situation to an easily understandable sequence of interrelated steps.

In obtaining and substantiating the answers to the questions in the ICQ, the examiner should develop a plan to obtain the necessary information efficiently. Such a plan would normally avoid a direct question-and-answer session with bank officers. A suggested approach to completion of the ICQ is to—

• become familiar with the ICQ,
• review related internal audit procedures, reports, and responses,
• review any written documentation of a bank’s system of controls,
• find out what the department does and what the functions of personnel within the department are through conversations with appropriate individuals, and
• answer as many individual questions as possible from information gained in the preceding steps and fill in the remaining questions by direct inquiry.

An effective way to begin an on-site review of internal control is to identify the various key functions applicable to the area under review. For each position identified, the following questions should then be asked:

• Is this a critical position? That is, can a person in this position either make a significant error that will affect the recording of transactions or perpetrate material irregularities of some type?
• If an error is made or an irregularity is perpetrated, what is the probability that normal routines will disclose it on a timely basis? That is, what controls exist that would prevent or detect significant errors or the perpetration of significant irregularities?
• What are the specific opportunities open to the individual to conceal any irregularity, and are there any mitigating controls that will reduce or eliminate these opportunities?

Although all employees within an organization may be subject to control, not all have financial responsibilities that can influence the accuracy of the accounting and financial records or have access to assets. The examiner should be primarily concerned with those positions that have the ability to influence the records and that have access to assets. Once those positions have been identified, the examiners must exercise their professional knowledge of bank operations to visualize the possibilities open to any person holding a particular position. The question is not whether the individual is honest, but rather whether situations exist that might permit an


error to be concealed. By directing attention to such situations, an examiner will also consider situations that may permit unintentional errors to remain undetected.

The evaluation of internal control should include consideration of other existing accounting and administrative controls or other circumstances that might counteract or mitigate an apparent weakness or impair an established control. Controls that mitigate an apparent weakness may be a formal part of the bank’s operating system, such as budget procedures that include a careful comparison of budgeted and actual amounts by competent management personnel. Mitigating controls also may be informal. For example, in small banks, management may be sufficiently involved in daily operations to know the purpose and reasonableness of all expense disbursements. That knowledge, coupled with the responsibility for signing checks, may make irregularities by nonmanagement personnel unlikely, even if disbursements are otherwise under the control of only one person.

When reviewing internal controls, an essential part of the examination is being alert to indications that adverse circumstances may exist. Adverse circumstances may lead employees or officers into courses of action they normally would not pursue. An adverse circumstance to which the examiner should be especially alert exists when the personal financial interests of key officers or employees depend directly on operating results or financial condition. Although the review of internal control does not place the examiner in the role of an investigator or detective, an alert attitude toward possible conflicts of interest should be maintained throughout the examination. Also, offices staffed by members of the same family, branches completely dominated by a strong personality, or departments in which supervisors rely unduly on their assistants require special alertness on the part of the examiner. Those circumstances and other similar ones should be considered in preparing the ICQ. It is not the formality of the particular factor that is of importance but rather its effect on the overall operation under review. Circumstances that may affect answers to the basic questions should be noted along with conclusions concerning their effect on the examination.

The ICQs were designed so that answers could be substantiated by (1) inquiry to bank personnel, (2) observation, or (3) testing. However, certain questions are marked with an asterisk to indicate that they require substantiation through observation or testing. Those questions are deemed so critical that substantiation by inquiry is not sufficient. For those questions substantiated through testing, the nature and extent of the test performed should be indicated adjacent to the applicable step in the ICQ.

The examiner should be alert for deviations by bank personnel from established policies, practices, and procedures. This applies not only to questions marked with an asterisk but also to every question in the ICQ. Examples of such deviations include situations when (1) instructions and directives are frequently not revised to reflect current practices, (2) employees find shortcuts for performing their tasks, (3) changes in organization and activities may influence operating procedures in unexpected ways, or (4) employees’ duties may be rotated in ways that have not been previously considered. These and other circumstances may serve to modify or otherwise change prescribed procedures, thus giving the examiner an inadequate basis for evaluating internal control.

Sometimes, when a substantial portion of the accounting work is accomplished by computer, the procedures are so different from conventional accounting methods that the principles discussed here seem inapplicable. Care should be taken to resist drawing this conclusion. This discussion of internal control and its evaluation is purposely stated in terms sufficiently general to apply to any system. Perpetration of defalcations requires direct or indirect access to appropriate documents or accounting records. As such, perpetration requires the involvement of people and, under any system, computerized or not, there will be persons who have access to assets and records. Those with access may include computer operators, programmers, and their supervisors and other related personnel.

The final question in each section of the ICQ requires a composite evaluation of existing internal controls in the applicable area of the bank. The examiner should base that evaluation on answers to the preceding questions within the section, the review and observation of the systems and controls within the bank, and discussion with appropriate bank personnel.

The composite evaluation does, however, require some degree of subjective judgment. The examiner should use all information available to formulate an overall evaluation, fully realizing that a high degree of professional judgment is required.


Applying the ICQ to Different Situations

The ICQs are general enough to apply to a wide range of systems, so not all sections or questions will apply to every situation, depending on factors such as bank size, complexity and type of operations, and organizational structure. When completing the ICQs, the examiner should include a brief comment stating the reason a section or question is not applicable to the specific situation.

For large banking institutions or when multiple locations of a bank are being examined, it may be necessary to design supplements to the ICQs to adequately review all phases of the bank’s operations and related internal controls. Because certain functions described in this manual may be performed by several departments in some banks, it also may be necessary to redesign a particular section of the ICQ so that each department receives appropriate consideration. Conversely, functions described in several different sections of this handbook may be performed in a single department in smaller banks. If the ICQ is adapted to fit a specific situation, care should be taken to ensure that its scope and intent are not modified. That requires professional judgment in interpreting and expanding the generalized material. Any such modifications should be completely documented and filed in the workpapers.

LEGAL REQUIREMENTS AFFECTING BANKS AND THE AUDIT FUNCTION

The Federal Deposit Insurance Corporation Improvement Act of 1991 amended section 36 of the FDI Act (12 USC 1831m). Since then, the FDIC has made various revisions to its rules at Part 363 (12 CFR 363) and guidelines. When specific reports are required to be submitted to the FDIC to comply with the provisions of Part 363, the institution must also submit the report to the appropriate federal banking agency and any appropriate state supervisor.

For the purposes of determining the applicability of this rule, an institution should use total assets as reported on its most recent Report of Condition (the Call Report), the date of which coincides with the end of the preceding fiscal year. If the fiscal year ends on a date other than the end of a calendar quarter, the institution is to use the Call Report for the quarter end immediately preceding the end of the fiscal year.

Institutions with $500 Million or More but Less Than $1 Billion in Total Assets

The regulations require these institutions to file an annual report with the FDIC that must include the following:

• Audited comparative annual financial statements;
• The independent public accountant’s report on the audited financial statements;
• A management report (comprising its statements and assessments) that is signed by the chief executive officer and chief accounting or chief financial officer. The report should
  — A statement of management’s responsibilities for:
    • preparing the annual financial statements;
    • establishing and maintaining an adequate internal control structure over financial reporting;
    • complying with the laws and regulations relating to safety and soundness that are designated by the FDIC and the appropriate federal banking agency; and
  — An assessment by management of the institution’s compliance with the designated laws and regulations during the fiscal year.

If the institution is a public company or a subsidiary of a public company that would be subject to the provisions of section 404 of the Sarbanes-Oxley Act (Section 404), it must comply with the requirement to file other reports issued by the independent accountant as set forth in section 363.4(c) (12 CFR 363.4(c)). The institutions must provide the FDIC with a copy of the independent accountant’s report on the audit of internal control over financial reporting that is required by section 404 within 15 days after receipt. The institutions also are encouraged to submit a copy of management’s section 404 report on internal control over financial reporting together with the independent public accountant’s internal control report.


Institutions with $1 Billion or More in Total Assets

Section 36 of the FDI Act and Part 363 of the FDIC’s regulations required insured depository institutions with at least $1 billion in total assets to file an annual report that must include the following:

• Audited comparative annual financial statements;
• The independent public accountant’s report on the audited financial statements;
• A management report that contains:
  — A statement of management’s responsibilities for:
    • Preparing the annual financial statements;
    • Establishing and maintaining an adequate internal control structure over financial reporting;
    • Complying with the laws and regulations relating to safety and soundness that are designated by the FDIC and the appropriate federal banking agency; and
  — Assessments by management of:
    • the effectiveness of the institution’s internal control structure and procedures over financial reporting as of the end of the fiscal year (12 USC 1831m(b)(2)(B)(i)); and
    • the institution’s compliance with safety and soundness laws and regulations during the year (12 USC 1831n(b)(2)(B)(ii)); and
• The independent public accountant’s attestation report—the independent public accountant is to examine, attest to, and report separately in an attestation report, on the assertions by management concerning the institution’s internal control structure and procedures for financial reporting (12 USC 1831m(c)). The attestation is to be made in accordance with generally accepted standards for attestation engagements.

Other Requirements—Institutions with $500 Million or More in Total Assets

Financial reporting encompasses, for the purposes of Part 363, both financial statements prepared in accordance with generally accepted accounting principles and those prepared for regulatory reporting purposes. Each institution is to have an independent public accountant perform an audit and report on the institution’s annual financial statements in accordance with generally accepted auditing standards and section 37 of the FDI Act (12 USC 1831n). The scope of the audit engagement must be sufficient to permit the accountant to determine and report whether the financial statements are presented fairly and in accordance with generally accepted accounting principles. The audit is to be performed using procedures that will objectively determine the accuracy of management’s assertions on compliance with safety-and-soundness laws and regulations (12 USC 1831m (b)(2)(A)(iii)).

Each institution must file with the FDIC two copies of the annual report within 90 days after the end of its fiscal year. Notwithstanding the 90-day filing period, each institution must file a copy of each audit and attestation report issued by its independent accountant within 15 days of their receipt.

In addition, each institution is required to file a copy of any management letter, qualification, or any other report issued by its independent public accountant with the FDIC within 15 days of receipt of such letter or report. See section 363.4(c) (12 CFR 363.4(c)).

Each institution is required to establish an audit committee of its board of directors. The duties of the audit committee include reviewing with management and the independent public accountant the basis for, and the results of, the annual independent audit reports and the institution’s respective reporting requirements. Each institution with total assets of $1 billion or more, as of the beginning of the fiscal year, is required to have an audit committee, the members of which must be outside directors who are independent of the institution’s management. Institutions with total assets of $500 million or more, but less than $1 billion, as of the beginning of the fiscal year, must have an audit committee, the members of which are outside directors, the majority of whom must be independent of the institution’s management.

For insured institutions having total assets of more than $3 billion, the audit committee must (1) have members with banking or related financial management expertise, (2) have access to outside legal counsel, and (3) not include any large customers of the institution. The audit committee also may be required to satisfy other audit committee membership criteria (12 USC


831m (g)(1)(c)) and section 363.5(b) (12 CFR 363.5(b)).

Any covered institution with a composite CAMELS rating of 1 or 2 may file the two above-mentioned reports through its parent holding company on a consolidated basis. The Guidelines and Interpretations (appendix A to Part 363) provide that one of the duties of a covered institution’s audit committee should include oversight of the internal audit function and its operations. (See SR-96-4.)

INTERAGENCY POLICY STATEMENT ON THE INTERNAL AUDIT FUNCTION AND ITS OUTSOURCING

The Federal Reserve and other federal banking agencies3c (the agencies) adopted on March 17, 2003, an interagency policy statement addressing the internal audit function and its outsourcing. The policy statement revises and replaces the former 1997 policy statement and incorporates recent developments in internal auditing. In addition, the revised policy incorporates guidance on the independence of accountants who provide institutions with both internal and external audit services in light of the Sarbanes-Oxley Act of 2002 (the act) and associated SEC

The act prohibits an accounting firm from acting as the external auditor of a public company during the same period that the firm provides internal audit services to the company. The policy statement discusses the applicability of this prohibition to institutions that are public companies, to insured depository institutions with assets of $500 million or more that are subject to the annual audit and reporting requirements of section 36 of the FDI Act, and to nonpublic institutions that are not subject to section 36.

The statement recognizes that many institutions have engaged independent public accounting firms and other outside professionals (outsourcing vendors) to perform work that traditionally has been done by internal auditors. These arrangements are often called “internal audit outsourcing,” “internal audit assistance,” “audit co-sourcing,” and “extended audit services” (hereafter collectively referred to as outsourcing). Typical outsourcing arrangements are more fully described below.

Outsourcing may be beneficial to an institution if it is properly structured, carefully conducted, and prudently managed. However, the structure, scope, and management of some internal audit outsourcing arrangements may not contribute to the institution’s safety and soundness. Furthermore, arrangements with outsourcing vendors should not leave directors and senior management with the erroneous impression that they have been relieved of their responsibility for maintaining an effective system of internal control and for overseeing the internal audit function.

Internal Audit Function (Part I)

Board and Senior Management Responsibilities

The board of directors and senior management

3c. The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift


are responsible for having an effective system of internal control and an effective internal audit function in place at their institution. They are also responsible for ensuring that the importance of internal control is understood and respected throughout the institution. This overall responsibility cannot be delegated to anyone else. They may, however, delegate the design, implementation, and monitoring of specific internal controls to lower-level management and delegate the testing and assessment of internal controls to others. Accordingly, directors and senior management should have reasonable assurance that the system of internal control prevents or detects significant inaccurate, incomplete, or unauthorized transactions; deficiencies in the safeguarding of assets; unreliable financial reporting (which includes regulatory reporting); and deviations from laws, regulations, and the institution’s policies.4

Some institutions have chosen to rely on so-called management self-assessments or control self-assessments, wherein business-line managers and their staff evaluate the performance of internal controls within their purview. Such reviews help to underscore management’s responsibility for internal control, but they are not impartial. Directors and members of senior management who rely too much on these reviews may not learn of control weaknesses until they have become costly problems, particularly if directors are not intimately familiar with the institution’s operations. Therefore, institutions generally should also have their internal controls tested and evaluated by units without business-line responsibilities, such as internal audit groups.

Directors should be confident that the internal audit function addresses the risks of and meets the demands posed by the institution’s current and planned activities. To accomplish this objective, directors should consider whether their institution’s internal audit activities are conducted in accordance with professional standards, such as the Institute of Internal Auditors’ (IIA) Standards for the Professional Practice of Internal Auditing. These standards address independence, professional proficiency, scope of work, performance of audit work, management of internal audit, and quality-assurance reviews. Furthermore, directors and senior management should ensure that the following matters are reflected in their institution’s internal audit function.

Structure. Careful thought should be given to the placement of the audit function in the institution’s management structure. The internal audit function should be positioned so that the board has confidence that the internal audit function will perform its duties with impartiality and not be unduly influenced by managers of day-to-day operations. The audit committee,5 using objective criteria it has established, should oversee the internal audit function and evaluate its performance.6 The audit committee should assign responsibility for the internal audit function to a member of management (that is, the manager of internal audit or internal audit manager) who understands the function and has no responsibility for operating the system of internal control. The ideal organizational arrangement is for this manager to report directly and solely to the audit committee regarding both audit issues and administrative matters, for example, resources, budget, appraisals, and compensation. Institutions are encouraged to consider the IIA’s Practice Advisory 2060-2: Relation-

4. As noted above, under section 36 of the FDI Act, as implemented by part 363 of the FDIC’s regulations (12 CFR 363), FDIC-insured depository institutions with total assets of $500 million or more must submit an annual management report signed by the chief executive officer (CEO) and chief accounting or chief financial officer. This report must contain (1) a statement of management’s responsibilities for preparing the institution’s annual financial statements, for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and for complying with designated laws and regulations relating to safety and soundness, including management’s assessment of the institution’s compliance with those laws and regulations, and (2) for an institution with total assets of $1 billion or more at the beginning of the institution’s most recent fiscal year, an assessment by management of the effectiveness of such internal control structure and procedures as of the end of such fiscal year. (See 12 CFR 363.2(b) and 70 Fed. Reg. 71,232, Nov. 28, 2005.)

5. Depository institutions subject to section 36 of the FDI Act and part 363 of the FDIC’s regulations must maintain independent audit committees (i.e., consisting of directors who are not members of management). Consistent with the 1999 Interagency Policy Statement on External Auditing Programs of Banks and Savings Associations, the agencies also encourage the board of directors of each depository institution that is not otherwise required to do so to establish an audit committee consisting entirely of outside directors. Where the term audit committee is used in this policy statement, the board of directors may fulfill the audit committee responsibilities if the institution is not subject to an audit committee requirement. See Fed. Reg., September 28, 1999 (64 FR 52,319).

6. For example, the performance criteria could include the timeliness of each completed audit, a comparison of overall performance to plan, and other measures.

Commercial Bank Examination Manual May 2006


ship with the Audit Committee, which provides more guidance on the roles and relationships between the audit committee and the internal audit manager.

Many institutions place the manager of internal audit under a dual reporting arrangement: the manager is functionally accountable to the audit committee on issues discovered by the internal audit function, while reporting to another senior manager on administrative matters. Under a dual reporting relationship, the board should consider the potential for diminished objectivity on the part of the internal audit manager with respect to audits concerning the executive to whom he or she reports. For example, a manager of internal audit who reports to the chief financial officer (CFO) for performance appraisal, salary, and approval of department budgets may approach audits of the accounting and treasury operations controlled by the CFO with less objectivity than if the manager were to report to the chief executive officer. Thus, the chief financial officer, controller, or other similar officer should ideally be excluded from overseeing the internal audit activities even in a dual role. The objectivity and organizational stature of the internal audit function are best served under such a dual arrangement if the internal audit manager reports administratively to the CEO.

Some institutions seek to coordinate the internal audit function with several risk-monitoring functions (for example, loan-review, market-risk-assessment, and legal compliance departments) by establishing an administrative arrangement under one senior executive. Coordination of these other monitoring activities with the internal audit function can facilitate the reporting of material risk and control issues to the audit committee, increase the overall effectiveness of these monitoring functions, better utilize available resources, and enhance the institution’s ability to comprehensively manage risk. Such an administrative reporting relationship should be designed so as to not interfere with or hinder the manager of internal audit’s functional reporting to and ability to directly communicate with the institution’s audit committee. In addition, the audit committee should ensure that efforts to coordinate these monitoring functions do not result in the manager of internal audit conducting control activities nor diminish his or her independence with respect to the other risk-monitoring functions. Furthermore, the internal audit manager should have the ability to independently audit these other monitoring functions.

In structuring the reporting hierarchy, the board should weigh the risk of diminished independence against the benefit of reduced administrative burden in adopting a dual reporting organizational structure. The audit committee should document its consideration of this risk and mitigating controls. The IIA’s Practice Advisory 1110-2: Chief Audit Executive Reporting Lines provides additional guidance regarding functional and administrative reporting lines.

Management, staffing, and audit quality. In managing the internal audit function, the manager of internal audit is responsible for control risk assessments, audit plans, audit programs, and audit reports.

• A control risk assessment (or risk-assessment methodology) documents the internal auditor’s understanding of the institution’s significant business activities and their associated risks. These assessments typically analyze the risks inherent in a given business line, the mitigating control processes, and the resulting residual risk exposure of the institution. They should be updated regularly to reflect changes to the system of internal control or work processes and to incorporate new lines of business.
• An internal audit plan is based on the control risk assessment and typically includes a summary of key internal controls within each significant business activity, the timing and frequency of planned internal audit work, and a resource budget.
• An internal audit program describes the objectives of the audit work and lists the procedures that will be performed during each internal audit review.
• An audit report generally presents the purpose, scope, and results of the audit, including findings, conclusions, and recommendations. Workpapers that document the work performed and support the audit report should be maintained.

Ideally, the internal audit function’s only role should be to independently and objectively evaluate and report on the effectiveness of an institution’s risk-management, control, and governance processes. Internal auditors increasingly have taken a consulting role within institutions on new products and services and on mergers, acquisitions, and other corporate reorganizations. This role typically includes helping design controls and participating in the implementation of changes to the institution’s control activities. The audit committee, in its oversight of the internal audit staff, should ensure that the function’s consulting activities do not interfere or conflict with the objectivity it should have with respect to monitoring the institution’s system of internal control. In order to maintain its independence, the internal audit function should not assume a business-line management role over control activities, such as approving or implementing operating policies or procedures, including those it has helped design in connection with its consulting activities. The agencies encourage internal auditors to follow the IIA’s standards, including guidance related to the internal audit function acting in an advisory capacity.

The internal audit function should be competently supervised and staffed by people with sufficient expertise and resources to identify the risks inherent in the institution’s operations and assess whether internal controls are effective. The manager of internal audit should oversee the staff assigned to perform the internal audit work and should establish policies and procedures to guide the audit staff. The form and content of these policies and procedures should be consistent with the size and complexity of the department and the institution. Many policies and procedures may be communicated informally in small internal audit departments, while larger departments would normally require more formal and comprehensive written guidance.

Scope. The frequency and extent of internal audit review and testing should be consistent with the nature, complexity, and risk of the institution’s on- and off-balance-sheet activities. At least annually, the audit committee should review and approve internal audit’s control risk assessment and the scope of the audit plan, including how much the manager relies on the work of an outsourcing vendor. It should also periodically review internal audit’s adherence to the audit plan. The audit committee should consider requests for expansion of basic internal audit work when significant issues arise or when significant changes occur in the institution’s environment, structure, activities, risk exposures, or systems.7

Communication. To properly carry out their responsibility for internal control, directors and senior management should foster forthright communications and critical examination of issues to better understand the importance and severity of internal control weaknesses identified by the internal auditor and operating management’s solutions to these weaknesses. Internal auditors should report internal control deficiencies to the appropriate level of management as soon as they are identified. Significant matters should be promptly reported directly to the board of directors (or its audit committee) and senior management. In periodic meetings with management and the manager of internal audit, the audit committee should assess whether management is expeditiously resolving internal control weaknesses and other exceptions. Moreover, the audit committee should give the manager of internal audit the opportunity to discuss his or her findings without management being present.

Furthermore, each audit committee should establish and maintain procedures for employees of their institution to confidentially and anonymously submit concerns to the committee about questionable accounting, internal accounting control, or auditing matters.8 In addition, the audit committee should set up procedures for the timely investigation of complaints received and the retention for a reasonable time period of documentation concerning the complaint and its subsequent resolution.

Contingency planning. As with any other function, the institution should have a contingency plan to mitigate any significant discontinuity in audit coverage, particularly for high-risk areas. Lack of contingency planning for continuing internal audit coverage may increase the institution’s level of operational risk.

Small Financial Institution’s Internal Audit Function

An effective system of internal control and an independent internal audit function form the foundation for safe and sound operations, regardless of an institution’s size. Each institution should have an internal audit function that is appropriate to its size and the nature and scope of its activities. The procedures assigned to this function should include adequate testing

7. Major changes in an institution’s environment and conditions may compel changes to the internal control system and also warrant additional internal audit work. These changes include (1) new management; (2) areas or activities experiencing rapid growth or rapid decline; (3) new lines of business, products, or technologies or disposals thereof; (4) corporate restructurings, mergers, and acquisitions; and (5) an expansion or acquisition of foreign operations (including the impact of changes in the related economic and regulatory environments).

8. When the board of directors fulfills the audit committee responsibilities, the procedures should provide for the submission of employee concerns to an outside director.

Commercial Bank Examination Manual November 2003


and review of internal controls and information systems.

It is the responsibility of the audit committee and management to carefully consider the extent of auditing that will effectively monitor the internal control system, after taking into account the internal audit function’s costs and benefits. For institutions that are large or have complex operations, the benefits derived from a full-time manager of internal audit or an auditing staff likely outweigh the cost. For small institutions with few employees and less complex operations, however, these costs may outweigh the benefits. Nevertheless, a small institution without an internal auditor can ensure that it maintains an objective internal audit function by implementing a comprehensive set of independent reviews of significant internal controls. The key characteristic of such reviews is that the persons directing and/or performing the review of internal controls are not also responsible for managing or operating those controls. A person who is competent in evaluating a system of internal control should design the review procedures and arrange for their implementation. The person responsible for reviewing the system of internal control should report findings directly to the audit committee. The audit committee should evaluate the findings and ensure that senior management has or will take appropriate action to correct the control deficiencies.

Internal Audit Outsourcing Arrangements (Part II)

Examples of Internal Audit Outsourcing Arrangements

An outsourcing arrangement is a contract between an institution and an outsourcing vendor to provide internal audit services. Outsourcing arrangements take many forms and are used by institutions of all sizes. Some institutions consider entering into these arrangements to enhance the quality of their control environment by obtaining the services of a vendor with the knowledge and skills to critically assess, and recommend improvements to, their internal control systems. The internal audit services under contract can be limited to helping internal audit staff in an assignment for which they lack expertise. Such an arrangement is typically under the control of the institution’s manager of internal audit, and the outsourcing vendor reports to him or her. Institutions often use outsourcing vendors for audits of areas requiring more technical expertise, such as electronic data processing and capital-markets activities. Such uses are often referred to as “internal audit assistance” or “audit co-sourcing.”

Some outsourcing arrangements may require an outsourcing vendor to perform virtually all the procedures or tests of the system of internal control. Under such an arrangement, a designated manager of internal audit oversees the activities of the outsourcing vendor and typically is supported by internal audit staff. The outsourcing vendor may assist the audit staff in determining risks to be reviewed and may recommend testing procedures, but the internal audit manager is responsible for approving the audit scope, plan, and procedures to be performed. Furthermore, the internal audit manager is responsible for the results of the outsourced audit work, including findings, conclusions, and recommendations. The outsourcing vendor may report these results jointly with the internal audit manager to the audit committee.

Additional Considerations for Internal Audit Outsourcing Arrangements

Even when outsourcing vendors provide internal audit services, the board of directors and senior management of an institution are responsible for ensuring that both the system of internal control and the internal audit function operate effectively. In any outsourced internal audit arrangement, the institution’s board of directors and senior management must maintain ownership of the internal audit function and provide active oversight of outsourced activities. When negotiating the outsourcing arrangement with an outsourcing vendor, an institution should carefully consider its current and anticipated business risks in setting each party’s internal audit responsibilities. The outsourcing arrangement should not increase the risk that a breakdown of internal control will go undetected.

To clearly distinguish its duties from those of the outsourcing vendor, the institution should have a written contract, often taking the form of an engagement letter.9 Contracts between the

9. The engagement-letter provisions described are comparable to those outlined by the American Institute of Certified Public Accountants (AICPA) for financial statement audits.


institution and the vendor typically include provisions that—

• define the expectations and responsibilities under the contract for both parties;
• set the scope and frequency of, and the fees to be paid for, the work to be performed by the vendor;
• set the responsibilities for providing and receiving information, such as the type and frequency of reporting to senior management and directors about the status of contract work;
• establish the process for changing the terms of the service contract, especially for expansion of audit work if significant issues are found, and stipulations for default and termination of the contract;
• state that internal audit reports are the property of the institution, that the institution will be provided with any copies of the related workpapers it deems necessary, and that employees authorized by the institution will have reasonable and timely access to the workpapers prepared by the outsourcing vendor;
• specify the locations of internal audit reports and the related workpapers;
• specify the period of time (for example, seven years) that vendors must maintain the workpapers;10
• state that outsourced internal audit services provided by the vendor are subject to regulatory review and that examiners will be granted full and timely access to the internal audit reports and related workpapers prepared by the outsourcing vendor;
• prescribe a process (arbitration, mediation, or other means) for resolving disputes and for determining who bears the cost of consequential damages arising from errors, omissions, and negligence; and
• state that the outsourcing vendor will not perform management functions, make management decisions, or act or appear to act in a capacity equivalent to that of a member of management or an employee and, if applicable, will comply with AICPA, U.S. Securities and Exchange Commission (SEC), PCAOB, or regulatory independence guidance.

Vendor competence. Before entering an outsourcing arrangement, the institution should perform due diligence to satisfy itself that the outsourcing vendor has sufficient staff qualified to perform the contracted work. The staff’s qualifications may be demonstrated, for example, through prior experience with financial institutions. Because the outsourcing arrangement is a personal-services contract, the institution’s internal audit manager should have confidence in the competence of the staff assigned by the outsourcing vendor and receive timely notice of key staffing changes. Throughout the outsourcing arrangement, management should ensure that the outsourcing vendor maintains sufficient expertise to effectively perform its contractual obligations.

Management of the outsourced internal audit function. Directors and senior management should ensure that the outsourced internal audit function is competently managed. For example, larger institutions should employ sufficient competent staff members in the internal audit department to assist the manager of internal audit in overseeing the outsourcing vendor. Small institutions that do not employ a full-time audit manager should appoint a competent employee who ideally has no managerial responsibility for the areas being audited to oversee the outsourcing vendor’s performance under the contract. This person should report directly to the audit committee for purposes of communicating internal audit issues.

Communication when an outsourced internal audit function exists. Communication between the internal audit function and the audit committee and senior management should not diminish because the institution engages an outsourcing vendor. All work by the outsourcing vendor should be well documented and all findings of control weaknesses should be promptly reported to the institution’s manager of internal audit. Decisions not to report the outsourcing vendor’s findings to directors and senior management should be the mutual decision of the internal audit manager and the outsourcing vendor. In deciding what issues should be brought to the board’s attention, the

(See AICPA Professional Standards, AU section 310.) These provisions are consistent with the provisions customarily included in contracts for other outsourcing arrangements, such as those involving data processing and information technology. Therefore, the federal banking agencies consider these provisions to be usual and customary business practices.

10. If the workpapers are in electronic format, contracts often call for the vendor to maintain proprietary software that enables the bank and examiners to access the electronic workpapers for a specified time period.


concept of “materiality,” as the term is used in financial statement audits, is generally not a good indicator of which control weakness to report. For example, when evaluating an institution’s compliance with laws and regulations, any exception may be important.

Contingency planning to ensure continuity of outsourced audit coverage. When an institution enters into an outsourcing arrangement (or significantly changes the mix of internal and external resources used by internal audit), it may increase its operational risk. Because the arrangement may be terminated suddenly, the institution should have a contingency plan to mitigate any significant discontinuity in audit coverage, particularly for high-risk areas.

Independence of the Independent Public Accountant (Part III)

The following discussion applies only when a financial institution is considering using a public accountant to provide both external audit and internal audit services to the institution.

When one accounting firm performs both the external audit and the outsourced internal audit function, the firm risks compromising its independence. These concerns arise because, rather than having two separate functions, this outsourcing arrangement places the independent public accounting firm in the position of appearing to audit, or actually auditing, its own work. For example, in auditing an institution’s financial statements, the accounting firm will consider the extent to which it may rely on the internal control system, including the internal audit function, in designing audit procedures.

Applicability of the SEC’s Auditor Independence Requirements

Institutions that are public companies. To strengthen auditor independence, Congress passed the Sarbanes-Oxley Act of 2002 (the act). Title II of the act applies to any public company—that is, any company that has a class of securities registered with the SEC or the appropriate federal banking agency under section 12 of the Securities Exchange Act of 1934 or that is required to file reports with the SEC under section 15(d) of that act.11 The act prohibits an accounting firm from acting as the external auditor of a public company during the same period that the firm provides internal audit outsourcing services to the company.12 In addition, if a public company’s external auditor will be providing auditing services and permissible nonaudit services, such as tax services, the company’s audit committee must preapprove each of these services.

According to the SEC’s final rules (effective May 6, 2003) implementing the act’s nonaudit-service prohibitions and audit committee preapproval requirements, an accountant is not independent if, at any point during the audit and professional engagement period, the accountant provides internal audit outsourcing or other prohibited nonaudit services to the public company audit client. The SEC’s final rules generally become effective on May 6, 2003, although there is a one-year transition period if the accountant is performing prohibited nonaudit services and external audit services for a public company pursuant to a contract in existence on May 6, 2003. The services provided during this transition period must not have impaired the auditor’s independence under the preexisting independence requirements of the SEC, the Independence Standards Board, and the AICPA.

Although the SEC’s pre-Sarbanes-Oxley independence requirements (issued in November 2000, effective August 2002) did not prohibit the outsourcing of internal audit services to a public company’s independent public accountant, they did place conditions and limitations on internal audit outsourcing.

Depository institutions subject to the annual audit and reporting requirements of section 36 of the FDI Act. Under section 36, as implemented by part 363 of the FDIC’s regulations, each FDIC-insured depository institution with total assets of $500 million or more is required to have an annual audit performed by an independent public accountant.13 The part 363 guidelines address the qualifications of an independent public accountant engaged by such an institution by stating that “[t]he independent public accountant should also be in compliance with the AICPA’s Code of Professional Conduct and meet the independence requirements and interpretations of the SEC and its staff.”14 Thus, the guidelines provide for each FDIC-insured depository institution with $500 million or more in total assets, whether or not it is a public company, and its external auditor to comply with the SEC’s auditor independence requirements that are in effect during the period covered by the audit. These requirements include the nonaudit-service prohibitions and audit committee preapproval requirements implemented by the SEC’s January 2003 auditor independence rules once these rules come into effect.15

Institutions not subject to section 36 of the FDI Act that are neither public companies nor subsidiaries of public companies. The agencies have long encouraged each institution not subject to section 36 of the FDI Act that is neither a public company nor a subsidiary of a public company16 to have its financial statements audited by an independent public accountant.17 The agencies also encourage each such institution to follow the internal audit outsourcing prohibition in the Sarbanes-Oxley Act, as discussed above for institutions that are public companies.

As previously mentioned, some institutions seek to enhance the quality of their control environment by obtaining the services of an outsourcing vendor who can critically assess their internal control system and recommend improvements. The agencies believe that a small nonpublic institution with less complex operations and limited staff can, in certain circumstances, use the same accounting firm to perform both an external audit and some or all of the institution’s internal audit activities. These circumstances include, but are not limited to, situations in which—

• splitting the audit activities poses significant costs or burden;
• persons with the appropriate specialized knowledge and skills are difficult to locate and obtain;
• the institution is closely held and investors are not solely reliant on the audited financial statements to understand the financial position and performance of the institution; and
• the outsourced internal audit services are limited in either scope or frequency.

In circumstances such as these, the agencies view an internal audit outsourcing arrangement between a small nonpublic institution and its external auditor as not being inconsistent with their safety-and-soundness objectives for the

When a small nonpublic institution decides to hire the same firm to perform internal and external audit work, the audit committee and the external auditor should pay particular attention to preserving the independence of both the internal and external audit functions. Furthermore, the audit committee should document both that it has preapproved the internal audit outsourcing to its external auditor and has considered the independence issues associated with this arrangement.18 In this regard, the audit

11. 15 USC 78l and 78o(d).

12. In addition to prohibiting internal audit outsourcing, the Sarbanes-Oxley Act (15 USC 78j-1) also identifies other nonaudit services that an external auditor is prohibited from providing to a public company whose financial statements it audits. The legislative history of the act indicates that three broad principles should be considered when determining whether an auditor should be prohibited from providing a nonaudit service to an audit client. These principles are that an auditor should not (1) audit his or her own work, (2) perform management functions for the client, or (3) serve in an advocacy role for the client. To do so would impair the auditor’s independence. Based on these three broad principles, the other nonaudit services that an auditor is prohibited from providing to a public company audit client include bookkeeping or other services related to the client’s accounting records or financial statements; financial information systems design and implementation; appraisal or valuation services, fairness opinions, or contribution-in-kind reports; actuarial services; management or human resources functions; broker or dealer, investment adviser, or investment banking services; legal services and expert services unrelated to the audit; and any other service determined to be impermissible by the PCAOB.

13. 12 CFR 363.3(a). (See FDIC Financial Institutions Letter FIL-17-2003 (Corporate Governance, Audits, and Reporting Requirements), attachment II, March 5, 2003.)

14. Appendix A to part 363, Guidelines and Interpretations, paragraph 14, Independence.

15. If a depository institution subject to section 36 and part 363 satisfies the annual independent audit requirement by relying on the independent audit of its parent holding company, once the SEC’s January 2003 regulations prohibiting an external auditor from performing internal audit outsourcing services for an audit client take effect May 6, 2003, or May 6, 2004, depending on the circumstances, the holding company’s external auditor cannot perform internal audit outsourcing work for that holding company or the subsidiary institution.

16. FDIC-insured depository institutions with less than $500 million in total assets are not subject to section 36 of the FDI Act. Section 36 does not apply directly to holding companies but provides that, for an insured depository institution that is a subsidiary of a holding company, the audited financial statements requirement and certain of the statute’s other requirements may be satisfied by the holding company.

17. See, for example, the 1999 Interagency Policy Statement on External Auditing Programs of Banks and Savings Institutions.

18. If a small nonpublic institution is considering having its external auditor perform other nonaudit services, its audit committee may wish to discuss the implications of the


committee should consider the independence standards described in parts I and II of the policy statement, the AICPA guidance discussed below, and the broad principles that the auditor should not perform management functions or serve in an advocacy role for the client.

Accordingly, the agencies will not consider an auditor who performs internal audit outsourcing services for a small nonpublic audit client to be independent unless the institution and its auditor have adequately addressed the associated independence issues. In addition, the institution’s board of directors and management must retain ownership of and accountability for the internal audit function and provide active oversight of the outsourced internal audit relationship.

A small nonpublic institution may be required by another law or regulation, an order, or another supervisory action to have its financial statements audited by an independent public accountant. In this situation, if warranted for safety-and-soundness reasons, the institution’s primary federal regulator may require that the institution and its independent public accountant comply with the auditor-independence requirements of the act.19

AICPA guidance. As noted above, the independent public accountant for a depository institution subject to section 36 of the FDI Act also should be in compliance with the AICPA’s Code of Professional Conduct. This code includes professional ethics standards, rules, and interpretations that are binding on all certified public accountants (CPAs) who are members of the AICPA in order for the member to remain in good standing. Therefore, this code applies to each member CPA who provides audit services to an institution, regardless of whether the institution is subject to section 36 or is a public company.

The AICPA has issued guidance indicating that a member CPA would be deemed not independent of his or her client when the CPA acts or appears to act in a capacity equivalent to a member of the client’s management or as a client employee. The AICPA’s guidance includes illustrations of activities that would be considered to compromise a CPA’s independence. Among these are activities that involve the CPA authorizing, executing, or consummating transactions or otherwise exercising authority on behalf of the client. For additional details, refer to Interpretation 101-3, Performance of Other Services, and Interpretation 101-13, Extended Audit Services, in the AICPA’s Code of Professional Conduct.

Examination Guidance (Part IV)

Review of the Internal Audit Function and Outsourcing Arrangements

Examiners should have full and timely access to an institution’s internal audit resources, including personnel, workpapers, risk assessments, work plans, programs, reports, and budgets. A delay may require examiners to widen the scope of their examination work and may subject the institution to follow-up supervisory actions.

Examiners should assess the quality and scope of an institution’s internal audit function, regardless of whether it is performed by the institution’s employees or by an outsourcing vendor. Specifically, examiners should consider whether—

• the internal audit function’s control risk assessment, audit plans, and audit programs are appropriate for the institution’s activities;
• the internal audit activities have been adjusted for significant changes in the institution’s environment, structure, activities, risk exposures, or systems;
• the internal audit activities are consistent with the long-range goals and strategic direction of the institution and are responsive to its internal control needs;
• the audit committee promotes the internal audit manager’s impartiality and independence by having him or her directly report audit findings to it;
• the internal audit manager is placed in the management structure in such a way that the independence of the function is not impaired;
• the institution has promptly responded to significant identified internal control weaknesses;
• the internal audit function is adequately managed to ensure that audit plans are met, programs are carried out, and the results of audits are promptly communicated to senior management and members of the audit committee and board of directors;

performance of these services on the auditor’s independence.

19. 15 USC 78j-1.

November 2003 Commercial Bank Examination Manual

Internal Control and Audit Function, Oversight, and Outsourcing 1010.1

• workpapers adequately document the internal audit work performed and support the audit reports;
• management and the board of directors use reasonable standards, such as the IIA’s Standards for the Professional Practice of Internal Auditing, when assessing the performance of internal audit; and
• the audit function provides high-quality advice and counsel to management and the board of directors on current developments in risk management, internal control, and regulatory compliance.

The examiner should assess the competence of the institution’s internal audit staff and management by considering the education, professional background, and experience of the principal internal auditors. In addition, when reviewing outsourcing arrangements, examiners should determine whether—

• the arrangement maintains or improves the quality of the internal audit function and the institution’s internal control;
• key employees of the institution and the outsourcing vendor clearly understand the lines of communication and how any internal control problems or other matters noted by the outsourcing vendor are to be addressed;
• the scope of the outsourced work is revised appropriately when the institution’s environment, structure, activities, risk exposures, or systems change significantly;
• the directors have ensured that the outsourced internal audit activities are effectively managed by the institution;
• the arrangement with the outsourcing vendor satisfies the independence standards described in this policy statement and thereby preserves the independence of the internal audit function, whether or not the vendor is also the institution’s independent public accountant; and
• the institution has performed sufficient due diligence to satisfy itself of the vendor’s competence before entering into the outsourcing arrangement and has adequate procedures for ensuring that the vendor maintains sufficient expertise to perform effectively throughout the arrangement.

Examination concerns about the adequacy of the internal audit function. If the examiner concludes that the institution’s internal audit function, whether or not it is outsourced, does not sufficiently meet the institution’s internal audit needs; does not satisfy the Interagency Guidelines Establishing Standards for Safety and Soundness, if applicable; or is otherwise inadequate, he or she should determine whether the scope of the examination should be adjusted. The examiner should also discuss his or her concerns with the internal audit manager or other person responsible for reviewing the system of internal control. If these discussions do not resolve the examiner’s concerns, he or she should bring these matters to the attention of senior management and the board of directors or audit committee. If the examiner finds material weaknesses in the internal audit function or the internal control system, he or she should discuss them with appropriate agency staff in order to determine the appropriate actions the agency should take to ensure that the institution corrects the deficiencies. These actions may include formal and informal enforcement actions.

The institution’s management and composite ratings should reflect the examiner’s conclusions regarding the institution’s internal audit function. The report of examination should contain comments concerning the adequacy of this function, significant issues or concerns, and recommended corrective actions.

Concerns about the independence of the outsourcing vendor. An examiner’s initial review of an internal audit outsourcing arrangement, including the actions of the outsourcing vendor, may raise questions about the institution’s and its vendor’s adherence to the independence standards described in parts I and II of the policy statement, whether or not the vendor is an accounting firm, and in part III if the vendor provides both external and internal audit services to the institution. In such cases, the examiner first should ask the institution and the outsourcing vendor how the audit committee determined that the vendor was independent. If the vendor is an accounting firm, the audit committee should be asked to demonstrate how it assessed that the arrangement has not compromised applicable SEC, PCAOB, AICPA, or other regulatory standards concerning auditor independence. If the examiner’s concerns are not adequately addressed, the examiner should discuss the matter with appropriate agency staff prior to taking any further action.

If the agency staff concurs that the independence of the external auditor or other vendor


appears to be compromised, the examiner will discuss his or her findings and the actions the agency may take with the institution’s senior management, board of directors (or audit committee), and the external auditor or other vendor. In addition, the agency may refer the external auditor to the state board of accountancy, the AICPA, the SEC, the PCAOB, or other authorities for possible violations of applicable independence standards. Moreover, the agency may conclude that the institution’s external auditing program is inadequate and that it does not comply with auditing and reporting requirements, including sections 36 and 39 of the FDI Act and related guidance and regulations, if applicable. Issued jointly by the Board, FDIC, OCC, and OTS on March 17, 2003.

AUDITORS

The ability of the internal audit function to achieve its audit objectives depends, in large part, on the independence maintained by audit personnel. Frequently, the independence of internal auditing can be determined by its reporting lines within the organization and by the person or level to whom these results are reported. In most circumstances, the internal audit function is under the direction of the board of directors or a committee thereof, such as the audit committee. This relationship enables the internal audit function to assist the directors in fulfilling their responsibilities.

The auditor’s responsibilities should be addressed in a position description, with reporting lines delineated in personnel policy, and audit results should be documented in audit committee and board of directors’ minutes. Examiners should review these documents, as well as the reporting process followed by the auditor, in order to subsequently evaluate the tasks performed by the internal audit function. The internal auditor should be given the authority necessary to perform the job, including free access to any records necessary for the proper conduct of the audit. Furthermore, internal auditors generally should not have responsibility for the accounting system, other aspects of the institution’s accounting function, or any operational function not subject to independent review.

Competence of Internal Auditors

The responsibilities and qualifications of internal auditors vary depending on the size and complexity of a bank’s operations and on the emphasis placed on the internal audit function by the directorate and management. In many banks, the internal audit function is performed by an individual or group of individuals whose sole responsibility is internal auditing. In other banks, particularly small ones, internal audit may be performed on a part-time basis by an officer or employee.

The qualifications discussed below should not be viewed as minimum requirements but should be considered by the examiner in evaluating the work performed by the internal auditors or audit departments. Examples of the type of qualifications an internal audit department manager should have are—

• academic credentials comparable to other bank officers who have major responsibilities within the organization,
• commitment to a program of continuing education and professional development,
• audit experience and organizational and technical skills commensurate with the responsibilities assigned, and
• oral and written communication skills.

The internal audit department manager must be properly trained to fully understand the flow of data and the underlying operating procedures. Training may come from college courses, courses sponsored by industry groups such as the Bank Administration Institute (BAI), or in-house training programs. Significant work experience in various departments of a bank also may provide adequate training. Certification as a chartered bank auditor, certified internal auditor, or certified public accountant meets educational and other professional requirements. In addition to prior education, the internal auditor should be committed to a program of continuing education, which may include attending technical meetings and seminars and reviewing current literature on auditing and banking.

The internal auditor’s organizational skills should be reflected in the effectiveness of the bank’s audit program. Technical skills may be demonstrated through internal audit techniques, such as internal control and other questionnaires, and an understanding of the operational


and financial aspects of the organization.

In considering the competence of the internal audit staff, the examiner should review the educational and experience qualifications required by the bank for filling the positions in the internal audit department and the training available for that position. In addition, the examiner must be assured that any internal audit supervisor understands the audit objectives and procedures performed by the staff.

In a small bank, it is not uncommon to find that internal audit, whether full- or part-time, is a one-person department. The internal auditor may plan and perform all procedures personally or may direct staff borrowed from other departments. In either case, the examiner should expect, at a minimum, that the internal auditor possesses qualifications similar to those of an audit department manager, as previously discussed.

The final measure of the competence of the internal auditor is the quality of the work performed, the ability to communicate the results of that work, and the ability to follow up on deficiencies noted during the audit work. Accordingly, the examiner’s conclusions with respect to an auditor’s competence should also reflect the adequacy of the audit program and the audit reports.

IMPLEMENTATION OF THE INTERNAL AUDIT FUNCTION

The annual audit plan and budgets should be set by the internal audit manager and approved by the board, audit committee, or senior management. In many organizations, the internal audit manager reports to a senior manager for administrative purposes. The senior manager appraises the audit manager’s performance, and the directors or an audit committee approves the evaluation.

Risk Assessment

In setting the annual audit plan, a risk assessment should be made that documents the internal audit function’s understanding of the institution’s various business activities and their inherent risks. In addition, the assessment also evaluates control risk, or the potential that deficiencies in the system of internal control would expose the institution to potential loss. The assessment should be periodically updated to reflect changes in the system of internal control, work processes, business activities, or the business environment. The risk-assessment methodology of the internal audit function should identify all auditable areas, give a detailed basis for the auditors’ determination of relative risks, and be consistent from one audit area to another. The risk assessment can quantify certain risks, such as credit risk, market risk, and legal risk. It can also include qualitative aspects, such as the timeliness of the last audit and the quality of management. Although there is no standard approach to making a risk assessment, it should be appropriate to the size and complexity of the institution. While smaller institutions may not have elaborate risk-assessment systems, some analysis should still be available to explain why certain areas are more frequently audited than others.

Within the risk assessment, institutions should clearly identify auditable units along business activities or product lines, depending on how the institution is managed. There should be evidence that the internal audit manager is regularly notified of new products, departmental changes, and new general ledger accounts, all of which should be factored into the audit schedule. Ratings of particular business activities or corporate functions may change with time as the internal audit function revises its method for assessing risk. These changes should be incremental. Large-scale changes in the priority of audits should trigger an investigation into the reasonableness of changes to the risk-assessment

Audit Plan

The audit plan is based on the risk assessment. The plan should include a summary of key internal controls within each significant business activity, the timing and frequency of planned internal audit work, and a resource budget.

A formal, annual audit plan should be developed based on internal audit’s risk assessment. The audit plan should include all auditable areas and set priorities based on the rating determined by the risk assessment. The schedule of planned audits should be approved by the board or its audit committee, as should any subsequent changes to the plan. Many organizations develop an audit plan jointly with the external auditors. In this case, the audit plan should clearly indicate what work is being performed by internal and external auditors and what aspects of internal audit work the external auditors are relying on.

Typically, the schedule of audit is cyclic; for example, high risks are audited annually, moderate risks every two years, and low risks every three years. In some cases, the audit cycle may extend beyond three years. In reviewing the annual plan, examiners should determine the appropriateness of the institution’s audit cycle. Some institutions limit audit coverage of their low-risk areas. Examiners should review areas the institution has labeled “low risk” to determine if the classification is appropriate and if coverage is adequate.

Audit Manual

The internal audit department should have an audit manual that sets forth the standards of work for field auditors and audit managers to use in their assignments. A typical audit manual contains the audit unit’s charter and mission, administrative procedures, workpaper-documentation standards, reporting standards, and review procedures. Individual audits should conform to the requirements of the audit manual. As a consequence, the manual should be up-to-date with respect to the audit function’s mission and changes to the professional standards it follows.

Performance of Individual Audits

The internal audit manager should oversee the staff assigned to perform the internal audit work and should establish policies and procedures to guide them. The internal audit function should be competently supervised and staffed by people with sufficient expertise and resources to identify the risks inherent in the institution’s operations and to assess whether internal controls are effective. While audits vary according to the objective, the area subjected to audit, the standards used as the basis for work performed, and documentation, the audit process generates some common documentation elements, as described below.

Audit Program and Related Workpapers

The audit program documents the audit’s objectives and the procedures that were performed. Typically, it indicates who performed the work and who has reviewed it. Workpapers document the evidence gathered and conclusions drawn by the auditor, as well as the disposition of audit findings. The workpapers should provide evidence that the audit program adheres to the requirements specified in the audit manual.

Audit Reports

The audit report is internal audit’s formal notice of its assessment of internal controls in the audited areas. The report is given to the area’s managers, senior management, and directors. A typical audit report states the purpose of the audit and its scope, conclusions, and recommendations. Reports are usually prepared for each audit. In larger institutions, monthly or quarterly summaries that highlight major audit issues are prepared for senior management and the board.

EXAMINER REVIEW OF INTERNAL AUDIT

The examination procedures section describes the steps the examiner should follow when conducting a review of the work performed by the internal auditor. The examiner’s review and evaluation of the internal audit function is a key element in determining the scope of the examination. In most situations, the competence and independence of the internal auditors may be reviewed on an overall basis; however, the adequacy and effectiveness of the audit program should be determined separately for each examination area.

The examiner should assess if the work performed by the internal auditor is reliable. It is often more efficient for the examiner to determine the independence or competence of the internal auditor before addressing the adequacy or effectiveness of the audit program. If the examiner concludes that the internal auditor possesses neither the independence nor the competence deemed appropriate, the examiner must also conclude that the internal audit work performed is not reliable.

The examiner should indicate in the report of examination any significant deficiencies concerning the internal audit function. Furthermore, the examiner should review with management any significant deficiencies noted in the previous report of examination to determine if these concerns have been appropriately addressed.

Program Adequacy and Effectiveness

An examiner should consider the following factors when assessing the adequacy of the internal audit program—

• scope and frequency of the work performed,
• content of the programs,
• documentation of the work performed, and
• conclusions reached and reports issued.

The scope of the internal audit program must be sufficient to attain the audit objectives. The frequency of the audit procedures performed should be based on an evaluation of the risk associated with each targeted area under audit. Among the factors that the internal auditor should consider in assessing risk are the nature of the operation of the specific assets and liabilities under review, the existence of appropriate policies and internal control standards, the effectiveness of operating procedures and internal controls, and the potential materiality of errors or irregularities associated with the specific operation.

To further assess the adequacy and effectiveness of the internal audit program, an examiner needs to obtain audit workpapers. Workpapers should contain, among other things, audit work programs and analyses that clearly indicate the procedures performed, the extent of the testing, and the basis for the conclusions reached.

Although audit work programs are an integral part of the workpapers, they are sufficiently important to deserve separate attention. Work programs serve as the primary guide to the audit procedures to be performed. Each program should provide a clear, concise description of the work required, and individual procedures should be presented logically. The detailed procedures included in the program vary depending on the size and complexity of the bank’s operations and the area subject to audit. In addition, an individual audit work program may encompass several departments of the bank, a single department, or specific operations within a department. Most audit programs include procedures such as—

• surprise examinations, where appropriate;
• maintenance of control over records selected for audit;
• review and evaluation of the bank’s policies and procedures and the system of internal
• reconciliation of detail to related control records; and
• verification of selected transactions and balances through procedures such as examination of supporting documentation, direct confirmation and appropriate follow-up of exceptions, and physical inspection.

The internal auditor should follow the specific procedures included in all work programs to reach audit conclusions that will satisfy the related audit objectives. Audit conclusions should be supported by report findings; such reports should include, when appropriate, recommendations by the internal auditor for any required remedial actions.

The examiner should also analyze the internal reporting process for the internal auditor’s findings, since required changes in the bank’s internal controls and operating procedures can be made only if appropriate officials are informed of the deficiencies. This means that the auditor must communicate all findings and recommendations clearly and concisely, pinpointing problems and suggesting solutions. The auditor also should submit reports as soon as practical, and the reports should be routed to those authorized to implement the suggested changes.

The final measure of the effectiveness of the audit program is a prompt and effective management response to the auditor’s recommendations. The audit department should determine the reasonableness, timeliness, and completeness of management’s response to their recommendations, including follow-up, if necessary. Examiners should assess management’s response and follow up when the response is either incomplete or unreasonable.

EXTERNAL AUDITS

The Federal Reserve requires bank holding companies with total consolidated assets of $500 million or more to have annual independent audits. Generally, banks must have external audits for the first three years after obtaining FDIC insurance (an FDIC requirement) and upon becoming a newly chartered national bank (an OCC


requirement). The SEC also has a longstanding audit requirement for all public companies, which applies to bank holding companies that are SEC registrants and to state member banks that are subject to SEC reporting requirements pursuant to the Federal Reserve’s Regulation H.

For insured depository institutions with fiscal years beginning after December 31, 1992, FDICIA, through its amendments to section 36 of the FDI Act, requires annual independent audits for all FDIC-insured banks that have total assets in excess of $500 million. (See SR-94-3 and SR-96-4.) In September 1999, the Federal Financial Institutions Examination Council (FFIEC) issued an interagency policy statement on external auditing programs of banks and savings associations.20 The policy encourages banks and savings associations that have less than $500 million in total assets and that are not subject to other audit requirements to adopt an external auditing program as a part of their overall risk-management process. (See the following subsection for the complete text of the interagency policy statement.)

Independent audits enhance the probability that financial statements and reports to the FRB and other financial-statement users will be accurate and will help detect conditions that could adversely affect banking organizations, the FRB, or the public. The independent audit process also subjects the internal controls and the accounting policies, procedures, and records of each banking organization to periodic review.

Banks often employ external auditors and other specialists to assist management in specialized fields, such as taxation and management information systems. External auditors and consultants often conduct in-depth reviews of the operations of specific bank departments; the reviews might focus on operational procedures, personnel requirements, or other specific areas of interest. After completing the reviews, the auditors may recommend that the bank strengthen controls or improve efficiency.

External auditors provide services at various times during the year. Financial statements are examined annually. Generally, the process commences in the latter part of the year, with the report issued as soon thereafter as possible. Other types of examinations or reviews are performed at various dates on an as-required basis.

The examiner is interested in the work performed by external auditors for three principal reasons. First, situations will arise when internal audit work is not being performed or when such work is deemed to be of limited value to the examiner. Second, the work performed by external auditors may affect the amount of testing the examiner must perform. Third, external audit reports often provide the examiner with information pertinent to the examination of the bank.

The major factors that should be considered in evaluating the work of external auditors are similar to those applicable to internal auditors, namely, the competence and independence of the auditors and the adequacy of the audit program.

The federal banking agencies view a full-scope annual audit of a bank’s financial statements by an independent public accountant as preferable to other types of external auditing programs. The September 1999 policy statement recognizes that a full-scope audit may not be feasible for every small bank. It therefore encourages those banks to pursue appropriate alternatives to a full-scope audit. Small banks are also encouraged to establish an audit committee consisting of outside directors. The policy statement provides guidance to examiners on the review of external auditing programs.

The policy statement is consistent with the Federal Reserve’s longstanding guidance that encourages the use of external auditing programs, and with its goals for (1) ensuring the accuracy and reliability of regulatory reports, (2) improving the quality of bank internal controls over financial reporting, and (3) enhancing the efficiency of the risk-focused examination process. The Federal Reserve adopted the FFIEC policy statement effective for fiscal years beginning on or after January 1, 2000. (See SR-99-33.)

INTERAGENCY POLICY STATEMENT ON EXTERNAL AUDITING PROGRAMS OF BANKS AND SAVINGS

Introduction

The board of directors and senior managers of a banking institution or savings association (institution) are responsible for ensuring that the institution operates in a safe and sound manner. To achieve this goal and meet the safety-and-soundness guidelines implementing section 39 of the Federal Deposit Insurance Act (FDI Act) (12 USC 1831p-1),21 the institution should maintain effective systems and internal control22 to produce reliable and accurate financial reports.

Accurate financial reporting is essential to an institution’s safety and soundness for numerous reasons. First, accurate financial information enables management to effectively manage the institution’s risks and make sound business decisions. In addition, institutions are required by law23 to provide accurate and timely financial reports (e.g., Reports of Condition and Income [call reports] and Thrift Financial Reports) to their appropriate regulatory agency. These reports serve an important role in the agencies’24 risk-focused supervision programs by contributing to their pre-examination planning, off-site monitoring programs, and assessments of an institution’s capital adequacy and financial strength. Further, reliable financial reports are necessary for the institution to raise capital. They provide data to stockholders, depositors and other funds providers, borrowers, and potential investors on the company’s financial position and results of operations. Such information is critical to effective market discipline of the institution.

To help ensure accurate and reliable financial reporting, the agencies recommend that the board of directors of each institution establish and maintain an external auditing program. An external auditing program should be an important component of an institution’s overall risk-management process. For example, an external auditing program complements the internal auditing function of an institution by providing management and the board of directors with an independent and objective view of the reliability of the institution’s financial statements and the adequacy of its financial-reporting internal controls. Additionally, an effective external auditing program contributes to the efficiency of the agencies’ risk-focused examination process. By considering the significant risk areas of an institution, an effective external auditing program may reduce the examination time the agencies spend in such areas. Moreover, it can improve the safety and soundness of an institution substantially and lessen the risk the institution poses to the insurance funds administered by the Federal Deposit Insurance Corporation (FDIC).

This policy statement outlines the characteristics of an effective external auditing program and provides examples of how an institution can use an external auditor to help ensure the reliability of its financial reports. It also provides guidance on how an examiner may assess an institution’s external auditing program. In addition, this policy statement provides specific guidance on external auditing programs for institutions that are holding company subsidiaries, newly insured institutions, and institutions presenting supervisory concerns.

The adoption of a financial statement audit or other specified type of external auditing program is generally only required in specific circumstances. For example, insured depository institutions covered by section 36 of the FDI Act (12 USC 1831m), as implemented by part 363 of the FDIC’s regulations (12 CFR 363), are required to have an external audit and an audit committee. Therefore, this policy statement is directed toward banks and savings associations which are exempt from part 363 (i.e., institutions with less than $500 million in total assets at the beginning of their fiscal year) or are not otherwise subject to audit requirements by order, agreement, statute, or agency regulations.

Overview of External Auditing Programs

Responsibilities of the Board of Directors

The board of directors of an institution is responsible for determining how to best obtain reasonable assurance that the institution’s financial statements and regulatory reports are reliably prepared. In this regard, the board is also responsible for ensuring that its external auditing program is appropriate for the institution and adequately addresses the financial-reporting aspects of the significant risk areas and any other areas of concern of the institution’s business.

20. See 64 Fed. Reg. 52319 (September 28, 1999).
21. See 12 CFR 30 for national banks; 12 CFR 364 for state nonmember banks; 12 CFR 208 for state member banks; and 12 CFR 510 for savings associations.
22. This policy statement provides guidance consistent with the guidance established in the Interagency Policy Statement on the Internal Audit Function and Its Outsourcing.
23. See 12 USC 161 for national banks; 12 USC 1817a for state nonmember banks; 12 USC 324 for state member banks; and 12 USC 1464(v) for savings associations.
24. Terms are defined at the end of the policy statement.

Commercial Bank Examination Manual November 2003

Page 21
1010.1 Internal Control and Audit Function, Oversight, and Outsourcing

To help ensure the adequacy of its internal and external auditing
programs, the agencies encourage the board of directors of each
institution that is not otherwise required to do so to establish an
audit committee consisting entirely of outside directors.25 However, if
this is impracticable, the board should organize the audit committee so
that outside directors constitute a majority of the membership.

25. Institutions with $500 million or more in total assets must
establish an independent audit committee made up of outside directors
who are independent of management. See 12 USC 1831m(g)(1) and 12 CFR
363.5.

Audit Committee

The audit committee or board of directors is responsible for
identifying at least annually the risk areas of the institution’s
activities and assessing the extent of external auditing involvement
needed over each area. The audit committee or board is then responsible
for determining what type of external auditing program will best meet
the institution’s needs (see the descriptions under ‘‘Types of External
Auditing Programs’’).

When evaluating the institution’s external auditing needs, the board or
audit committee should consider the size of the institution and the
nature, scope, and complexity of its operations. It should also
consider the potential benefits of an audit of the institution’s
financial statements or an examination of the institution’s internal
control structure over financial reporting, or both. In addition, the
board or audit committee may determine that additional or specific
external auditing procedures are warranted for a particular year or
several years to cover areas of particularly high risk or special
concern. The reasons supporting these decisions should be recorded in
the committee’s or board’s minutes.

If, in its annual consideration of the institution’s external auditing
program, the board or audit committee determines, after considering its
inherent limitations, that an agreed-upon procedures/state-required
examination is sufficient, they should also consider whether an
independent public accountant should perform the work. When an
independent public accountant performs auditing and attestation
services, the accountant must conduct his or her work under, and may be
held accountable for departures from, professional standards.
Furthermore, when the external auditing program includes an audit of
the financial statements, the board or audit committee obtains an
opinion from the independent public accountant stating whether the
financial statements are presented fairly, in all material respects, in
accordance with generally accepted accounting principles (GAAP). When
the external auditing program includes an examination of the internal
control structure over financial reporting, the board or audit
committee obtains an opinion from the independent public accountant
stating whether the financial-reporting process is subject to any
material weaknesses.

Both the staff performing an internal audit function and the
independent public accountant or other external auditor should have
unrestricted access to the board or audit committee without the need
for any prior management knowledge or approval. Other duties of an
audit committee may include reviewing the independence of the external
auditor annually, consulting with management, seeking an opinion on an
accounting issue, and overseeing the quarterly regulatory reporting
process. The audit committee should report its findings periodically to
the full board of directors.

External Auditing Programs

Basic Attributes

External auditing programs should provide the board of directors with
information about the institution’s financial-reporting risk areas,
e.g., the institution’s internal control over financial reporting, the
accuracy of its recording of transactions, and the completeness of its
financial reports prepared in accordance with GAAP.

The board or audit committee of each institution at least annually
should review the risks inherent in its particular activities to
determine the scope of its external auditing program. For most
institutions, the lending and investment-securities activities present
the most significant risks that affect financial reporting. Thus,
external auditing programs should include specific procedures designed
to test at least annually the risks associated with the loan and
investment portfolios. This includes testing of internal control over
financial reporting, such as management’s process to determine the
adequacy of the
allowance for loan and lease losses and whether this process is based
on a comprehensive, adequately documented, and consistently applied
analysis of the institution’s loan and lease portfolio.

An institution or its subsidiaries may have other significant
financial-reporting risk areas such as material real estate
investments, insurance underwriting or sales activities, securities
broker-dealer or similar activities (including securities underwriting
and investment advisory services), loan-servicing activities, or
fiduciary activities. The external auditing program should address
these and other activities the board or audit committee determines
present significant financial-reporting risks to the institution.

Types of External Auditing Programs

The agencies consider an annual audit of an institution’s financial
statements performed by an independent public accountant to be the
preferred type of external auditing program. The agencies also consider
an annual examination of the effectiveness of the internal control
structure over financial reporting or an audit of an institution’s
balance sheet, both performed by an independent public accountant, to
be acceptable alternative external auditing programs. However, the
agencies recognize that some institutions only have agreed-upon
procedures/state-required examinations performed annually as their
external auditing program. Regardless of the option chosen, the board
or audit committee should agree in advance with the external auditor on
the objectives and scope of the external auditing program.

Financial statement audit by an independent public accountant. The
agencies encourage all institutions to have an external audit performed
in accordance with generally accepted auditing standards (GAAS). The
audit’s scope should be sufficient to enable the auditor to express an
opinion on the institution’s financial statements taken as a whole.

A financial statement audit provides assurance about the fair
presentation of an institution’s financial statements. In addition, an
audit may provide recommendations for management in carrying out its
control responsibilities. For example, an audit may provide management
with guidance on establishing or improving accounting and operating
policies and recommendations on internal control (including internal
auditing programs) necessary to ensure the fair presentation of the
financial statements.

Reporting by an independent public accountant on an institution’s
internal control structure over financial reporting. Another external
auditing program is an independent public accountant’s examination and
report on management’s assertion on the effectiveness of the
institution’s internal control over financial reporting. For a smaller
institution with less complex operations, this type of engagement is
likely to be less costly than an audit of its financial statements or
its balance sheet. It would specifically provide recommendations for
improving internal control, including suggestions for compensating
controls, to mitigate the risks due to staffing and resource
limitations.

Such an attestation engagement may be performed for all internal
controls relating to the preparation of annual financial statements or
specified schedules of the institution’s regulatory reports.26 This
type of engagement is performed under generally accepted standards for
attestation engagements (GASAE).27

26. Since the lending and investment-securities activities generally
present the most significant risks that affect an institution’s
financial reporting, management’s assertion and the accountant’s
attestation generally should cover those regulatory report schedules.
If the institution has trading or off-balance-sheet activities that
present material financial-reporting risks, the board or audit
committee should ensure that the regulatory report schedules for those
activities also are covered by management’s assertion and the
accountant’s attestation. For banks and savings associations, the
lending, investment-securities, trading, and off-balance-sheet
schedules consist of:

Area                                                      Reports of Condition   Thrift Financial
                                                          and Income Schedules   Report Schedules
Loans and lease-financing receivables                     RC-C, Part I           SC, CF
Past-due and nonaccrual loans, leases, and other assets   RC-N                   PD
Allowance for credit losses                               RI-B                   SC, VA
Securities                                                RC-B                   SC, SI, CF
Trading assets and liabilities                            RC-D                   SO, SI
Off-balance-sheet items                                   RC-L                   SI, CMR

These schedules are not intended to address all possible risks in an
institution.
27. An attestation engagement is not an audit. It is performed under
different professional standards than an audit of an institution’s
financial statements or its balance sheet.

Balance-sheet audit performed by an independent public accountant. With
this program, the institution engages an independent public accountant
to examine and report only on the balance sheet. As with the audit of
the financial statements, this audit is performed in accordance with
GAAS. The cost of a balance-sheet audit is likely to be less than a
financial-statement audit. However, under this type of program, the
accountant does not examine or report on the fairness of the
presentation of the institution’s income statement, statement of
changes in equity capital, or statement of cash flows.

Agreed-upon procedures/state-required examinations. Some
state-chartered depository institutions are required by state statute
or regulation to have specified procedures performed annually by their
directors or independent persons.28 The bylaws of many national banks
also require that some specified procedures be performed annually by
directors or others, including internal or independent persons.
Depending upon the scope of the engagement, the cost of agreed-upon
procedures or a state-required examination may be less than the cost of
an audit. However, under this type of program, the independent auditor
does not report on the fairness of the institution’s financial
statements or attest to the effectiveness of the internal control
structure over financial reporting. The findings or results of the
procedures are usually presented to the board or the audit committee so
that they may draw their own conclusions about the quality of the
financial reporting or the sufficiency of internal

When choosing this type of external auditing program, the board or
audit committee is responsible for determining whether these procedures
meet the external auditing needs of the institution, considering its
size and the nature, scope, and complexity of its business activities.
For example, if an institution’s external auditing program consists
solely of confirmations of deposits and loans, the board or committee
should consider expanding the scope of the auditing work performed to
include additional procedures to test the institution’s high-risk
areas. Moreover, a financial statement audit, an examination of the
effectiveness of the internal control structure over financial
reporting, and a balance-sheet audit may be accepted in some states and
for national banks in lieu of agreed-upon procedures/state-required
examinations.

28. When performed by an independent public accountant, ‘‘specified
procedures’’ and ‘‘agreed-upon procedures’’ engagements are performed
under standards, which are different professional standards than those
used for an audit of an institution’s financial statements or its
balance sheet.

Other Considerations

Timing. The preferable time to schedule the performance of an external
auditing program is as of an institution’s fiscal year-end. However, a
quarter-end date that coincides with a regulatory report date provides
similar benefits. Such an approach allows the institution to
incorporate the results of the external auditing program into its
regulatory reporting process and, if appropriate, amend the regulatory
reports.

External auditing staff. The agencies encourage an institution to
engage an independent public accountant to perform its external
auditing program. An independent public accountant provides a
nationally recognized standard of knowledge and objectivity by
performing engagements under GAAS or GASAE. The firm or independent
person selected to conduct an external auditing program and the staff
carrying out the work should have experience with financial-institution
accounting and auditing or similar expertise and should be
knowledgeable about relevant laws and regulations.

Special Situations

Holding Company Subsidiaries

When an institution is owned by another entity (such as a holding
company), it may be appropriate to address the scope of its external
audit program in terms of the institution’s relationship to the
consolidated group. In such cases, if the group’s consolidated
financial statements for the same year are audited, the agencies
generally would not expect the subsidiary of a holding company to
obtain a separate audit of its financial statements. Nevertheless, the
board of directors or audit committee of the subsidiary may determine
that its activities involve significant risks to the subsidiary that
are not within the procedural scope of the audit of the financial
statements of the consolidated entity. For example, the risks arising
from the subsidiary’s
activities may be immaterial to the financial statements of the
consolidated entity, but material to the subsidiary. Under such
circumstances, the audit committee or board of the subsidiary should
consider strengthening the internal audit coverage of those activities
or implementing an appropriate alternative external auditing program.

Newly Insured Institutions

Under the FDIC statement of policy on applications for deposit
insurance, applicants for deposit insurance coverage are expected to
commit the depository institution to obtain annual audits by an
independent public accountant once it begins operations as an insured
institution and for a limited period thereafter.

Institutions Presenting Supervisory

As previously noted, an external auditing program complements the
agencies’ supervisory process and the institution’s internal auditing
program by identifying or further clarifying issues of potential
concern or exposure. An external auditing program also can greatly
assist management in taking corrective action, particularly when
weaknesses are detected in internal control or management information
systems affecting financial reporting.

The agencies may require a financial institution presenting
safety-and-soundness concerns to engage an independent public
accountant or other independent external auditor to perform external
auditing services.29 Supervisory concerns may include—

• inadequate internal control, including the internal auditing program;
• a board of directors generally uninformed about internal control;
• evidence of insider abuse;
• known or suspected defalcations;
• known or suspected criminal activity;
• probable director liability for losses;
• the need for direct verification of loans or deposits;
• questionable transactions with affiliates; or
• the need for improvements in the external auditing program.

29. The Office of Thrift Supervision requires an external audit by an
independent public accountant for savings associations with a composite
rating of 3, 4, or 5 under the Uniform Financial Institution Rating
System, and on a case-by-case basis.

The agencies may also require that the institution provide its
appropriate supervisory office with a copy of any reports, including
management letters, issued by the independent public accountant or
other external auditor. They also may require the institution to notify
the supervisory office prior to any meeting with the independent public
accountant or other external auditor at which auditing findings are to
be presented.

Examiner Guidance

Review of the External Auditing Program

The review of an institution’s external auditing program is a normal
part of the agencies’ examination procedures. An examiner’s evaluation
of, and any recommendations for improvements in, an institution’s
external auditing program will consider the institution’s size; the
nature, scope, and complexity of its business activities; its risk
profile; any actions taken or planned by it to minimize or eliminate
identified weaknesses; the extent of its internal audit program; and
any compensating controls in place. Examiners will exercise judgment
and discretion in evaluating the adequacy of an institution’s external
auditing program.

Specifically, examiners will consider the policies, processes, and
personnel surrounding an institution’s external auditing program in
determining whether—

• the board of directors or its audit committee adequately reviews and
  approves external auditing program policies at least annually;
• the external auditing program is conducted by an independent public
  accountant or other independent auditor and is appropriate for the
  institution;
• the engagement letter covering external auditing activities is
  adequate;
• the report prepared by the auditor on the results of the external
  auditing program adequately explains the auditor’s findings;
• the external auditor maintains appropriate
  independence regarding relationships with the institution under
  relevant professional standards;
• the board of directors performs due diligence on the relevant
  experience and competence of the independent auditor and staff
  carrying out the work (whether or not an independent public
  accountant is engaged); and
• the board or audit committee minutes reflect approval and monitoring
  of the external auditing program and schedule, including board or
  committee reviews of audit reports with management and timely action
  on audit findings and recommendations.

Access to Reports

Management should provide the independent public accountant or other
auditor with access to all examination reports and written
communication between the institution and the agencies or state bank
supervisor since the last external auditing activity. Management also
should provide the accountant with access to any supervisory memoranda
of understanding, written agreements, administrative orders, reports of
action initiated or taken by a federal or state banking agency under
section 8 of the FDI Act (or a similar state law), and proposed or
ordered assessments of civil money penalties against the institution or
an institution-related party, as well as any associated correspondence.
The auditor must maintain the confidentiality of examination reports
and other confidential supervisory information.

In addition, the independent public accountant or other auditor of an
institution should agree in the engagement letter to grant examiners
access to all the accountant’s or auditor’s workpapers and other
material pertaining to the institution prepared in the course of
performing the completed external auditing program.

Institutions should provide reports30 issued by the independent public
accountant or other auditor pertaining to the external auditing
program, including any management letters, to the agencies and any
state authority in accordance with their appropriate supervisory
office’s guidance.31 Significant developments regarding the external
auditing program should be communicated promptly to the appropriate
supervisory office. Examples of those developments include the hiring
of an independent public accountant or other third party to perform
external auditing work and a change in, or termination of, an
independent public accountant or other external auditor.

30. The institution’s engagement letter is not a ‘‘report’’ and is not
expected to be submitted to the appropriate supervisory office unless
specifically requested by that office.
31. When an institution’s financial information is included in the
audited consolidated financial statements of its parent company, the
institution should provide a copy of the audited financial statements
of the consolidated company and any other reports by the independent
public accountant in accordance with their appropriate supervisory
office’s guidance. If several institutions are owned by one parent
company, a single copy of the reports may be supplied in accordance
with the guidance of the appropriate supervisory office of each agency
supervising one or more of the affiliated institutions and the holding
company. A transmittal letter should identify the institutions covered.
Any notifications of changes in, or terminations of, a consolidated
company’s independent public accountant may be similarly supplied to
the appropriate supervisory office of each supervising agency.

Definitions

Agencies. The agencies are the Board of Governors of the Federal
Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC),
the Office of the Comptroller of the Currency (OCC), and the Office of
Thrift Supervision (OTS).

Appropriate supervisory office. The regional or district office of the
institution’s primary federal banking agency responsible for
supervising the institution or, in the case of an institution that is
part of a group of related insured institutions, the regional or
district office of the institution’s federal banking agency responsible
for monitoring the group. If the institution is a subsidiary of a
holding company, the term ‘‘appropriate supervisory office’’ also
includes the federal banking agency responsible for supervising the
holding company. In addition, if the institution is state-chartered,
the term ‘‘appropriate supervisory office’’ includes the appropriate
state bank or savings association regulatory authority.

Audit. An examination of the financial statements, accounting records,
and other supporting evidence of an institution performed by an
independent certified or licensed public accountant in accordance with
generally accepted
auditing standards (GAAS) and of sufficient scope to enable the
independent public accountant to express an opinion on the
institution’s financial statements as to their presentation in
accordance with generally accepted accounting principles (GAAP).

Audit committee. A committee of the board of directors whose members
should, to the extent possible, be knowledgeable about accounting and
auditing. The committee should be responsible for reviewing and
approving the institution’s internal and external auditing programs or
recommending adoption of these programs to the full board.

Balance-sheet audit performed by an independent public accountant. An
examination of an institution’s balance sheet and any accompanying
footnotes performed and reported on by an independent public accountant
in accordance with GAAS and of sufficient scope to enable the
independent public accountant to express an opinion on the fairness of
the balance-sheet presentation in accordance with GAAP.

Engagement letter. A letter from an independent public accountant to
the board of directors or audit committee of an institution that
usually addresses the purpose and scope of the external auditing work
to be performed, period of time to be covered by the auditing work,
reports expected to be rendered, and any limitations placed on the
scope of the auditing work.

Examination of the internal control structure over financial reporting.
See ‘‘Reporting by an independent public accountant on an institution’s
internal control structure over financial

External auditing program. The performance of procedures to test and
evaluate high-risk areas of an institution’s business by an independent
auditor, who may or may not be a public accountant, sufficient for the
auditor to be able to express an opinion on the financial statements or
to report on the results of the procedures performed.

Financial statement audit by an independent public accountant. See
Audit.

Financial statements. The statements of financial position (balance
sheet), income, cash flows, and changes in equity together with related
notes.

Independent public accountant. An accountant who is independent of the
institution and registered or licensed to practice, and holds himself
or herself out, as a public accountant, and who is in good standing
under the laws of the state or other political subdivision of the
United States in which the home office of the institution is located.
The independent public accountant should comply with the American
Institute of Certified Public Accountants’ (AICPA) Code of Professional
Conduct and any related guidance adopted by the Independence Standards
Board and the agencies. No certified public accountant or public
accountant will be recognized as independent who is not independent
both in fact and in appearance.

Internal auditing. An independent assessment function established
within an institution to examine and evaluate its system of internal
control and the efficiency with which the various units of the
institution are carrying out their assigned tasks. The objective of
internal auditing is to assist the management and directors of the
institution in the effective discharge of their responsibilities. To
this end, internal auditing furnishes management with analyses,
evaluations, recommendations, counsel, and information concerning the
activities reviewed.

Outside directors. Members of an institution’s board of directors who
are not officers, employees, or principal stockholders of the
institution, its subsidiaries, or its affiliates, and who do not have
any material business dealings with the institution, its subsidiaries,
or its affiliates.

Regulatory reports. These reports are the Reports of Condition and
Income (call reports) for banks, Thrift Financial Reports (TFRs) for
savings associations, Federal Reserve (FR) Y reports for bank holding
companies, and the H-(b)11 Annual Report for thrift holding companies.

Reporting by an independent public accountant on an institution’s
internal control structure over financial reporting. Under this
engagement, management evaluates and documents its review of the
effectiveness of the institution’s internal control over financial
reporting in the identified risk areas as of a specific report date.
Management prepares a written assertion, which

Commercial Bank Examination Manual May 2006

specifies the criteria on which management based its evaluation about
the effectiveness of the institution’s internal control over financial
reporting in the identified risk areas and states management’s opinion
on the effectiveness of internal control over this specified financial
reporting. The independent public accountant is engaged to perform
tests on the internal control over the specified financial reporting in
order to attest to management’s assertion. If the accountant concurs
with management’s assertion, even if the assertion discloses one or
more instances of material internal control weakness, the accountant
would provide a report attesting to management’s assertion.

Risk areas. Those particular activities of an institution that expose
it to greater potential losses if problems exist and go undetected. The
areas with the highest financial-reporting risk in most institutions
generally are their lending and investment-securities activities.

Specified procedures. Procedures agreed upon by the institution and the
auditor to test its activities in certain areas. The auditor reports
findings and test results, but does not express an opinion on controls
or balances. If performed by an independent public accountant, these
procedures should be performed under generally accepted standards for
attestation engagements (GASAE).

Issued by the FFIEC on September 28, 1999.

LIMITATION OF LIABILITY PROVISIONS IN EXTERNAL AUDIT ENGAGEMENT LETTERS

On February 9, 2006, the Federal Reserve and the other financial
institution regulatory agencies (the agencies)32 issued an interagency
advisory (the advisory) to address safety-and-soundness concerns that
may arise when financial institutions enter into external audit
contracts (typically referred to as engagement letters) that limit the
auditors’ liability for audit services.33 The advisory informs
financial institutions’34 boards of directors, audit committees,
management, and external auditors of the safety-and-soundness
implications that may arise when the financial institution enters into
engagement letters that contain provisions to limit the auditors’
liability. Such provisions may weaken the external auditors’
objectivity, impartiality, and performance and, thus, reduce the
agencies’ ability to rely on audits. Therefore, certain
limitation-of-liability provisions (described in the advisory) are
unsafe and unsound. In addition, such provisions may not be consistent
with the auditor-independence standards of the SEC, the PCAOB, and the
AICPA.

32. The Board of Governors of the Federal Reserve System (Board), the
Office of the Comptroller of the Currency (OCC), the Office of Thrift
Supervision (OTS), the Federal Deposit Insurance Corporation (FDIC),
and the National Credit Union Administration (NCUA).
33. The advisory is effective for audit engagement letters issued on or
after February 9, 2006.
34. As used in this advisory, the term financial institutions includes
banks, bank holding companies, savings associations, savings and loan
holding companies, and credit unions.

The advisory does not apply to previously executed engagement letters.
However, any financial institution subject to a multiyear audit
engagement letter containing unsafe and unsound limitation-of-liability
provisions should seek an amendment to its engagement letter to be
consistent with the advisory for periods ending in 2007 or later. (See
SR-06-4.)

Scope of the Advisory on Engagement Letters

The advisory applies to engagement letters between financial
institutions and external auditors with respect to financial-statement
audits, audits of internal control over financial reporting, and
attestations on management’s assessment of internal control over
financial reporting (collectively, audit or audits).

The advisory does not apply to—

• nonaudit services that may be performed by financial institutions’
  external auditors,
• audits of financial institutions’ 401(k) plans, pension plans, and
  other similar audits,
• services performed by accountants who are not engaged to perform
  financial institutions’ audits (e.g., outsourced internal audits or
  loan reviews), and
• other service providers (e.g., software consultants or legal
  advisers).

While the agencies have observed several
May 2006 Commercial Bank Examination Manual

Page 28
Internal Control and Audit Function, Oversight, and Outsourcing 1010.1

types of limitation-of-liability provisions in external audit engagement letters, this advisory applies to any agreement that a financial institution enters into with its external auditor that limits the external auditor’s liability with respect to audits in an unsafe and unsound manner.

External Audits and Their Engagement Letters

A properly conducted audit provides an independent and objective view of the reliability of a financial institution’s financial statements. The external auditor’s objective in an audit is to form an opinion on the financial statements taken as a whole. When planning and performing the audit, the external auditor considers the financial institution’s internal control over financial reporting. Generally, the external auditor communicates any identified deficiencies in internal control to management, which enables management to take appropriate corrective action. In addition, certain financial institutions are required to file audited financial statements and internal control audit or attestation reports with one or more of the agencies. The agencies encourage financial institutions not subject to mandatory audit requirements to voluntarily obtain audits of their financial statements. The FFIEC’s Interagency Policy Statement on External Auditing Programs of Banks and Savings Associations notes,34a “[a]n institution’s internal and external audit programs are critical to its safety and soundness.” The policy also states that an effective external auditing program “can improve the safety and soundness of an institution substantially and lessen the risk the institution poses to the insurance funds administered by the FDIC.”

Typically, a written engagement letter is used to establish an understanding between the external auditor and the financial institution regarding the services to be performed in connection with the financial institution’s audit. The engagement letter commonly describes the objective of the audit, the reports to be prepared, the responsibilities of management and the external auditor, and other significant arrangements (for example, fees and billing). Boards of directors, audit committees, and management are encouraged to closely review all of the provisions in the audit engagement letter before agreeing to sign. As with all agreements that affect a financial institution’s legal rights, the financial institution’s legal counsel should carefully review audit engagement letters to help ensure that those charged with engaging the external auditor make a fully informed decision.

The advisory describes the types of objectionable limitation-of-liability provisions and provides examples.35 Financial institutions’ boards of directors, audit committees, and management should also be aware that certain insurance policies (such as error and omission policies and directors’ and officers’ liability policies) might not cover losses arising from claims that are precluded by limitation-of-liability provisions.

Limitation-of-Liability Provisions

The provisions of an external audit engagement letter that the agencies deem to be unsafe and unsound can be generally categorized as follows: a provision within an agreement between a client financial institution and its external auditor that effectively—

• indemnifies the external auditor against claims made by third parties;
• holds harmless or releases the external auditor from liability for claims or potential claims that might be asserted by the client financial institution, other than claims for punitive damages; or
• limits the remedies available to the client financial institution, other than punitive damages.

Collectively, these categories of provisions are referred to in this advisory as limitation-of-liability provisions.

Provisions that waive the right of financial institutions to seek punitive damages from their external auditor are not treated as unsafe and unsound under the advisory. Nevertheless, agreements by clients to indemnify their auditors against any third-party damage awards, including punitive damages, are deemed unsafe and unsound under the advisory. To enhance transparency and market discipline, public financial institutions that agree to waive claims for punitive damages against their external auditors may want to disclose annually the nature of these arrangements in their proxy statements or other public reports.

Many financial institutions are required to have their financial statements audited, while others voluntarily choose to undergo such audits. For example, federally insured banks with $500 million or more in total assets are required to have annual independent audits.36 Furthermore, financial institutions that are public companies37 must have annual independent audits. The agencies rely on the results of audits as part of their assessment of a financial institution’s safety and soundness.

For audits to be effective, the external auditors must be independent in both fact and appearance, and they must perform all necessary procedures to comply with auditing and attestation standards established by either the AICPA or, if applicable, the PCAOB. When financial institutions execute agreements that limit the external auditors’ liability, the external auditors’ objectivity, impartiality, and performance may be weakened or compromised, and the usefulness of the audits for safety-and-soundness purposes may be diminished.

By their very nature, limitation-of-liability provisions can remove or greatly weaken external auditors’ objective and unbiased consideration of problems encountered in audit engagements and may diminish auditors’ adherence to the standards of objectivity and impartiality required in the performance of audits. The existence of such provisions in external audit engagement letters may lead to the use of less extensive or less thorough procedures than would otherwise be followed, thereby reducing the reliability of audits. Accordingly, financial institutions should not enter into external audit arrangements that include unsafe and unsound limitation-of-liability provisions identified in the advisory, regardless of (1) the size of the financial institution, (2) whether the financial institution is public or not, or (3) whether the external audit is required or voluntary.

Auditor Independence

Currently, auditor-independence standard-setters include the SEC, PCAOB, and AICPA. Depending on the audit client, an external auditor is subject to the independence standards issued by one or more of these standard-setters. For all nonpublic financial institutions that are not required to have annual independent audits, the FDIC’s rules, pursuant to part 363, require only that an external auditor meet the AICPA independence standards. The rules do not require the financial institution’s external auditor to comply with the independence standards of the SEC and the PCAOB.

In contrast, for financial institutions subject to the audit requirements in part 363 of the FDIC’s regulations, the external auditor should be in compliance with the AICPA’s Code of Professional Conduct and meet the independence requirements and interpretations of the SEC and its staff.38 In this regard, in a December 13, 2004, frequently asked question (FAQ) on the application of the SEC’s auditor-independence rules, the SEC staff reiterated its long-standing position that when an accountant and his or her client enter into an agreement that seeks to provide the accountant immunity from liability for his or her own negligent acts, the accountant is not independent. The FAQ also stated that including in engagement letters a clause that would release, indemnify, or hold the auditor harmless from any liability and costs resulting from knowing misrepresentations by management would impair the auditor’s independence.39 The FAQ is consistent with the SEC’s Codification of Financial Reporting Policies, section 602.02.f.i, “Indemnification by Client.” (See section A.1010.1 of this manual.)

On the basis of the SEC guidance and the agencies’ existing regulations, certain limits on

34a. See 64 Fed. Reg. 52319 (September 28, 1999).
35. In the majority of external audit engagement letters reviewed, the agencies did not observe provisions that limited an external auditor’s liability. However, for those reviewed external audit engagement letters that did have external auditor limited-liability provisions, the agencies noted a significant increase in the types and frequency of the provisions. The provisions took many forms, which made it impractical for the agencies to provide an all-inclusive list. Examples of auditor limitation-of-liability provisions are illustrated in the advisory’s appendix A, which can be found in section A.1010.1 of this manual.
36. For banks, see section 36 of the FDI Act (12 USC 1831m) and part 363 of the FDIC’s regulations (12 CFR 363).
37. Public companies are companies subject to the reporting requirements of the Securities Exchange Act of 1934.
38. See part 363 of the FDIC’s regulation (12 CFR 363), Appendix A—Guidelines and Interpretations, Guideline 14, “Role of the Independent Public Accountant-Independence.”
39. In contrast to the SEC’s position, AICPA Ethics Ruling 94 (ET, section 191.188–189) currently concludes that indemnification for “knowing misrepresentations by management” does not impair independence.

October 2008 Commercial Bank Examination Manual


auditors’ liability are already inappropriate in audit engagement letters entered into by—

• public financial institutions that file reports with the SEC or with the agencies,
• financial institutions subject to part 363, and
• certain other financial institutions that are required to have annual independent audits.

In addition, certain of these limits on auditors’ liability may violate the AICPA independence standards. Notwithstanding the potential applicability of auditor-independence standards, the limitation-of-liability provisions discussed in the advisory present safety-and-soundness concerns for all financial institution audits.

Alternative Dispute-Resolution Agreements and Jury-Trial Waivers

The agencies observed that a review of the engagement letters of some financial institutions revealed that they had agreed to submit disputes over external audit services to mandatory and binding alternative dispute resolution, binding arbitration, or other binding nonjudicial dispute-resolution processes (collectively, mandatory ADR) or to waive the right to a jury trial. By agreeing in advance to submit disputes to mandatory ADR, financial institutions may waive the right to full discovery, limit appellate review, or limit or waive other rights and protections available in ordinary litigation proceedings.

Mandatory ADR procedures and jury-trial waivers may be efficient and cost-effective tools for resolving disputes in some cases. Accordingly, the agencies believe that mandatory ADR or waiver of jury-trial provisions in external audit engagement letters do not present safety-and-soundness concerns, provided that the engagement letters do not also incorporate limitation-of-liability provisions. Institutions are encouraged to carefully review mandatory ADR and jury-trial provisions in engagement letters, as well as review any agreements regarding rules of procedure, and to fully comprehend the ramifications of any agreement to waive any available remedies. Financial institutions should ensure that any mandatory ADR provisions in audit engagement letters are commercially reasonable and—

• apply equally to all parties,
• provide a fair process (for example, neutral decision makers and appropriate hearing procedures), and
• are not imposed in a coercive manner.

The Advisory’s Conclusion

Financial institutions’ boards of directors, audit committees, and management should not enter into any agreement that incorporates limitation-of-liability provisions with respect to audits. In addition, financial institutions should document their business rationale for agreeing to any other provisions that limit their legal rights.

The inclusion of limitation-of-liability provisions in external audit engagement letters and other agreements that are inconsistent with the advisory will generally be considered an unsafe and unsound practice. Examiners will consider the policies, processes, and personnel surrounding a financial institution’s external auditing program in determining whether (1) the engagement letter covering external auditing activities raises any safety-and-soundness concerns and (2) the external auditor maintains appropriate independence regarding relationships with the financial institution under relevant professional standards. The agencies may take appropriate supervisory action if unsafe and unsound limitation-of-liability provisions are included in external audit engagement letters or other agreements related to audits that are executed (accepted or agreed to by the financial institution).

CERTIFIED PUBLIC ACCOUNTANTS

This section discusses the standards for competence and independence of certified public accountants (CPAs) as well as the standards required in connection with their audits.

Standards of Conduct

The Code of Professional Ethics for CPAs who are members of the American Institute of Certified Public Accountants (AICPA) requires that audits be performed according to generally accepted auditing standards (GAAS). GAAS, as distinct from generally accepted accounting principles, or GAAP, are concerned with the auditor’s professional qualifications, the judgment the auditor exercises in the performance of an audit, and the quality of the audit procedures. On the other hand, GAAP represents all of the conventions, rules, and procedures that are necessary to define accepted accounting practices at a particular time. GAAP includes broad guidelines of general application and detailed practices and procedures that have been issued by the Financial Accounting Standards Board (FASB), the AICPA, the SEC, or other authoritative bodies that set accounting standards. Thus, GAAP provides guidance on financial-reporting and disclosure matters.

Generally Accepted Auditing Standards

GAAS are grouped into three categories: general standards, standards of field work, and standards of reporting.

The general standards require that the audit be performed by a person or persons having adequate technical training and proficiency; that independence in mental attitude be maintained; and that due professional care be exercised in the performance of the audit and the preparation of the report.

Standards of field work require that the work be adequately planned; assistants, if any, be properly supervised; a proper study and evaluation of existing internal controls be made for determining the audit scope and the audit procedures to be performed during the audit; and sufficient evidence be obtained to formulate an opinion regarding the financial statements under audit.

Standards of reporting require that the CPA state whether the financial statements are presented in accordance with GAAP. The application of GAAP in audited financial statements and reports must achieve the fundamental objectives of financial accounting, which are to provide reliable financial information about the economic resources and obligations of a business enterprise. In addition, the informative disclosures in the financial statements must follow GAAP, or the CPA must state otherwise in the

GAAS recognizes that management—not the CPA—has primary responsibility for the preparation of the financial statements and the presentations therein. The auditor’s responsibility is to express an opinion on the financial statements. GAAS (or the audit requirements previously set forth) require that audits cover the following financial statements: balance sheet, income statement, statement of changes in stockholders’ equity, and statement of cash flows.

GAAS require that CPAs plan and perform auditing procedures to obtain reasonable assurance that financial statements are free from material misstatement. Under GAAS, an audit includes examining on a test basis and should include evidence supporting the amounts and disclosures in the financial statements. An audit also includes assessing the accounting principles used and significant estimates made by management, as well as evaluating the overall financial-statement presentation.

Independence

In the performance of their work, CPAs must be independent of those they serve. Traditionally, independence has been defined as the ability to act with integrity and objectivity. In accordance with the rule on independence included in the SEC’s independence rules and the Code of Professional Ethics and related AICPA interpretations, the independence of a CPA is considered to be impaired if, during the period of his or her professional engagement, the CPA or his or her firm had any direct or material indirect financial interest in the enterprise or had any loan to or from the enterprise or any officer, director, or principal stockholder thereof. The latter prohibition does not apply to the following loans from a financial institution when made under normal lending procedures, terms, and

• automobile loans and leases collateralized by the automobile
• loans in the amount of the cash surrender value of a life insurance policy
• borrowings fully collateralized by cash deposits at the same financial institution (for example, passbook loans)
• credit cards and cash advances under lines of credit associated with checking accounts with aggregate unpaid balances of $5,000 or less

Such loans must, at all times, be kept current by the CPA as to all terms.


Other loans have been grandfathered by the AICPA under recent ethics interpretations. These other loans (mortgage loans, other secured loans, and loans not material to the AICPA member’s net worth) must, at all times, be current as to all terms and shall not be renegotiated with the client financial institution after the latest of—

• January 1, 1992;
• the date that the financial institution first becomes a client;
• the date the loans are sold from a nonclient financial institution to the client financial institution; or
• the date of becoming a member in the AICPA.

The examiner may decide under certain circumstances to test the independence of the CPA through reviews of loan listings, contracts, stockholder listings, and other appropriate measures. Concerns about independence should be identified in the report of examination.

The SEC has also released guidance relating to the independence of auditors for public institutions. According to SEC Rule 101, the independence of an auditor would be impaired if financial, employment, or business relationships exist between auditors and audit clients, and if there are relationships between auditors and audit clients in which the auditors provide certain nonaudit services to their audit clients. Much of the language found in the SEC’s independence rules is incorporated in the Interagency Policy Statement on the Internal Audit Function and Its Outsourcing.

EXTERNAL AUDIT REPORTS

The external auditor generates various types of reports and other documents. These reports typically include—

• the standard audit report, which is generally a one-page document;
• a “management letter” in which the auditor confidentially presents detailed findings and recommendations to management; and
• an attestation report in which the auditor attests to management’s assertion of internal controls and procedures over financial reports (for public companies and institutions subject to section 36 of the FDI Act); and
• other reports from the auditor to regulators during the audit period.

The major types of standard audit reports will never have a heading or other statement in the report that identifies which type it is. Rather, the type of report is identified by certain terminology used in the text of the report. The major types of standard audit reports are described below.

The unqualified report, sometimes referred to as a clean opinion, states that the financial statements are “presented fairly” in conformity with GAAP and that the necessary audit work was

The qualified report may generally have the same language as the unqualified report but will use the phrase “except for” or some other qualification to indicate that some problem exists. The types of problems include a lack of sufficient evidential matter, restrictions on the scope of audit work, or departures from GAAP in the financial statements. This type of report is not necessarily negative but indicates that the examiner should ask additional questions of

An adverse report basically concludes that the financial statements are not presented fairly in conformity with GAAP. This type of report is rarely issued because auditors and management usually work out their differences in advance.

A disclaimer expresses no opinion on the financial statements. CPAs may issue a disclaimer when they have concluded that substantial doubt exists about the ability of the institution to continue as a going concern for a reasonable period of time. This disclaimer is intended to indicate that the CPA is not assuming any responsibility for these statements.

REVIEW OF THE EXTERNAL AUDITOR’S INDEPENDENCE AND AUDIT

Because of the professional and ethical standards of the public accounting profession, the Federal Reserve has concluded that the examiner should conduct an in-depth review of the competence and independence of the CPA only


in unusual situations. One such situation would be a recent change in CPAs by a bank, particularly if the change was made after an audit had

Ordinarily, specific tests to determine independence are not necessary. However, there may be occasions when the examiner has sufficient reason to question the independence of a CPA or the quality of his or her work. For example, the examiner may discover that during the period of a CPA’s professional engagement, which includes the period covered by the financial statements on which the CPA has expressed an opinion, the CPA or a member of his or her firm—

• had a direct financial interest in the bank;
• was connected with the bank in a capacity equivalent to that of a member of management or was a director of the bank;
• maintained, completely or in part, the books and records of the bank and did not perform audit tests with respect to such books and records; or
• had a prohibited loan from the bank (as discussed earlier).

In these and similar instances, the CPA would not have complied with professional standards.

The examiner should determine the scope of the CPA’s examination by reviewing the most recent report issued by the CPA. If the audit is in progress or is planned to commence in the near future, the examiner should review any engagement letter to the bank from the CPA. The examiner also should obtain and review any adjusting journal entries suggested by the CPA at the conclusion of the examination. This should be done to determine whether such entries were the result of breakdowns in the internal control structure and procedures for financial reporting.

Under certain circumstances, a CPA may issue a qualified or adverse opinion or may disclaim an opinion on a bank’s financial statements. In such circumstances, the examiner should first determine the reasons for the particular type of opinion issued. If the matters involved affect specific areas of the bank’s operations, a review of the work performed by the CPA may help the examiner understand the problem that gave rise to this opinion. The examination procedures (section 1010.3) describes the steps the examiner should follow when conducting a review of the work performed by the CPA. (See the FFIEC interagency Policy Statement on the External Auditing Programs of Banks and Savings Associations (effective January 1, 2000) (SR-99-33)).

LIMITATIONS OF AUDITS AND AUDITED FINANCIAL STATEMENTS

Although auditing standards are designed to require the use of due care and objectivity, a properly designed and executed audit does not necessarily guarantee that all misstatements of amounts or omissions of disclosure in the financial statements have been detected. Moreover, a properly designed and executed audit does not guarantee that the auditor addressed FRB safety-and-soundness considerations. Examination personnel should be cognizant of the limitations inherent in an audit. The following examples illustrate some common limitations of audits:

• The auditor is not responsible for deciding whether an institution operates wisely. An unqualified audit report means that the transactions and balances are reported in accordance with GAAP. It does not mean that the transactions made business sense, that the associated risks are managed in a safe and sound manner, or that the balances can be recovered upon disposition or liquidation.
• The auditor’s report concerning financial statements does not signify that underwriting standards, operating strategies, loan-monitoring systems, and workout procedures are adequate to mitigate losses if the environment changes. The auditor’s report that financial statements fairly present the bank’s financial position is based on the prevailing evidence and current environment, and it indicates that reported assets can be recovered in the normal course of business. In determining that reported assets can be recovered in the normal course of business, the auditor attempts to understand financial-reporting internal controls and can substitute other audit procedures when these controls are weak or nonexistent.
• The quality of management and how it manages risk are not considered in determining historical cost and its recoverability. Although certain assets and instruments are marked to market (for example, trading accounts), GAAP generally uses historical cost as the basis of presentation. Historical cost assumes that the entity is a going concern. The going-concern concept allows certain mark-to-market losses


to be deferred because management believes the cost basis can be recovered during the remaining life of the asset.
• GAAP financial statements offer only limited disclosures of risks, uncertainties, and the other safety-and-soundness factors on which the institution’s viability depends.
• Under GAAP, loan-loss reserves are provided for “probable losses” currently “inherent” (that is, anticipated future charge-offs are based on current repayment characteristics) in the portfolio. GAAP defines probable as the likelihood that a future event will occur, confirming the fact of the loss. Additionally, the amount of the loss must be reasonably estimable.

GAAS requires that the external auditor can consider regulatory authorities as a source of competent evidential matter when conducting an audit of the financial statements of a banking organization. Accordingly, an external auditor may review communications from, and make inquiries of, the regulatory authorities.

Generally, the Federal Reserve encourages auditors to attend examination exit conferences upon completion of the examiner’s field work or to attend other meetings concerning examination findings between supervisory examiners and an institution’s management or board of directors (or a committee thereof). Banks should ensure that their external auditors are informed in a timely manner of scheduled exit conferences and other relevant meetings with examiners and of the FRB’s policies regarding auditor attendance at such meetings.

When other conferences between examiners and management are scheduled (those that do not involve examination findings that are relevant to the scope of the external auditor’s work), the institution should first obtain the approval of the appropriate Federal Reserve Bank personnel for the auditor to attend the meetings. The interagency policy statement of July 23, 1992, does not preclude the Federal Reserve from holding meetings with the management of banks without auditor attendance or from requiring that the auditor attend only certain portions of the meetings. (See SR-92-28.)

The 1992 interagency policy statement was issued to improve coordination and communication between external auditors and examiners. Examination personnel should provide banking organizations with advance notice of the starting date of the examination when appropriate, so management can inform external auditors in advance and facilitate the planning and scheduling of their audit work.

Some institutions prefer that audit work be completed at different times than examination work to reduce demands on their staff members and facilities. Other institutions prefer to have audit work and examination work performed during similar periods so the institution’s operations are affected only at certain times during the year. By knowing when examinations are planned, institutions have the flexibility to schedule external audit work concurrent with, or separate from, examinations.

Meetings and Discussions Between External Auditors and Examiners

An external auditor may request a meeting with the FRB regulatory authorities involved in the supervision of the institution or its holding company during or after completion of examinations to inquire about supervisory matters relevant to the institution under audit. External auditors should provide an agenda in advance. The FRB regulatory authorities will generally request that management of the institution under audit be represented at the meeting. In this regard, examiners will generally only discuss with an auditor examination findings that have been presented to bank management.

In certain cases, external auditors may wish to discuss with examiners matters relevant to the institution without bank management representation. External auditors may request such confidential meetings with the FRB regulatory authorities, who may also request such meetings with the external auditor.

Information Required to Be Made Available to External Auditors

Section 931 of the Financial Institutions Reform, Recovery, and Enforcement Act of 1989 (FIRREA) and section 112 of FDICIA (12 USC 1811) pertain to depository institutions insured by the FDIC that have engaged the services of an external auditor to audit the banking organization within the past two years. FIRREA and FDICIA require banks to provide the auditor with copies of the most recent Report of Condition (Call Report), report of examination, and pertinent correspondence or reports received from its regulator. This information is to be provided to the external auditor by the bank under audit, not by the FRB. In addition, banking organizations must provide the independent auditor with—

• a copy of any supervisory memorandum of understanding or written agreement between a federal or state banking agency and the bank

requirements of section 931 of FIRREA (12 USC 1817(a)) and section 112 of FDICIA and should report instances of noncompliance in the report of examination.

Confidentiality of Supervisory

While the policies of the FRB regulatory authorities permit external auditors to have access to the information described above, institutions and their auditors are reminded that information contained in examination reports, inspection
put into effect during the period covered by reports, and supervisory discussions—including
the audit, and any summaries or quotations—is confidential
• a report of any formal action taken by a supervisory information and must not be dis-
federal or state banking agency during such closed to any party without the written permis-
period, or any civil money penalty assessed sion of the FRB. Unauthorized disclosure of
with respect to the bank or any banking confidential supervisory information may lead
organization–affiliated party. to civil and criminal actions and fines and other
Regulatory personnel should ascertain if the
banking organization is in compliance with the

Internal Control and Audit Function, Oversight, and Outsourcing
Examination Objectives
Effective date May 2006 Section 1010.2

1. To determine whether internal and external audit functions exist.
2. To determine with reasonable assurance that the bank has an adequate internal audit function that ensures efficient and effective operations, including the safeguarding of assets, reliable financial reporting, and compliance with applicable laws and regulations.
3. To ascertain, through the examination process, that the bank’s internal audit function monitors, reviews, and ensures the continued existence and maintenance of sound and adequate internal controls over the bank’s management process—the control environment, risk assessment, control activities, information and communication, and monitoring activities.
4. To review and evaluate internal audit outsourcing arrangements and the actions of the outsourcing vendor under the standards established by the Interagency Policy Statement on the Internal Audit Function and Its Outsourcing.
5. To evaluate the independence and competence of those who provide the internal and external audit functions.
6. To consider the policies, processes, and personnel surrounding the bank’s external auditing program and to determine if—
   a. any engagement letter or other agreement related to external audit activities for the bank (1) provides any assurances of indemnification to the bank’s external auditors that relieves them of liability for their own negligent acts (including any losses, claims, damages, or other liabilities) or (2) raises any other safety-and-soundness concerns; and
   b. the external auditors have maintained appropriate independence in their relationships with the bank, in accordance with relevant professional standards.
7. To determine the adequacy of the procedures performed by the internal and external auditors.
8. To determine, based on the criteria above, if the work performed by internal and external auditors is reliable.

Internal Control and Audit Function, Oversight, and Outsourcing
Examination Procedures
Effective date May 2006 Section 1010.3

This examination program must be used in conjunction with the audit function and audit outsourcing questionnaire section to review the bank’s internal and external audits and the audit procedures they encompass. The audit guidelines are general and all sections or questions may not be applicable to every bank.

Before reviewing any specific audit procedures, the examiner should first determine the independence and competence of the auditors. If the examiner believes the auditors to be both competent and independent, he or she should then determine the acceptability of their work. Based on the answers to the audit function questions and on the auditor’s work, the examiner must then determine the scope of the examination. The program and related supporting documentation should be completed in an organized manner and should be retained as part of the examination workpapers.

Upon completion of the program, the examiner should be able to formulate a conclusion on the adequacy of audit coverage. Conclusions about any weaknesses in the internal or external audit work performed for the bank should be summarized and included in the report of examination. Significant recommendations should be discussed with the audit committee and senior bank management. If recommendations are made orally, a memorandum of the discussion should be prepared and included in the workpapers.

INTERNAL AUDITORS

1. Organizational structure of the audit department. Review the bylaws and the organization chart of the bank and the minutes of the board’s audit or examining committee to determine how effectively the board of directors is discharging its
2. Independence of the audit function. Interview the auditor and observe the operation of the audit department to determine its functional responsibilities.
3. Auditors’ qualifications. Review biographical data and interview the auditor to determine his or her ability to manage the auditor’s responsibility in the bank.
4. Audit staff qualifications. Review the biographical data and interview the management staff of the audit department to determine their qualifications for their delegated responsibilities.
5. Content and use of the audit frequency and scope schedule. Review the organization charts and the bank’s chart of accounts to determine the adequacy of the audit program.
6. Audit department participation in systems design projects. Determine, through interviews with the internal auditor and appropriate staff members and through the documentation review, the department’s role in automated and/or manual systems design.
7. Audit manual. Review the audit manuals and associated internal control questionnaires to determine the adequacy of the prescribed procedures for accomplishing the audit objectives.
8. Maintenance of audit records. Review a sample of the audit reports and associated workpapers to determine compliance with prescribed procedures and proper documentation.
9. Audit department’s formal reporting procedures. Review all auditor’s reports to the board of directors (audit or examining committee) and a representative sample of the departmental or functional reports, consider their distribution and follow-up procedures, and determine how effectively the audit department responsibility is discharged.
10. Use and effectiveness of audit computer programs. Interview the auditor and/or the appropriate staff members regarding the use of the computer and access to the files for audit purposes.

INTERNAL AUDIT FUNCTION ADEQUACY

1. Adjust the scope of the examination if the bank’s internal audit function does not sufficiently meet the bank’s internal audit needs (whether or not the audit function is outsourced), does not satisfy the Interagency Guidelines Establishing Standards for Safety and Soundness, or is otherwise inadequate.
2. Discuss supervisory concerns and outstanding internal-external audit report comments with the internal audit manager or other person responsible for reviewing the system of internal control. If these discussions do not resolve the examiner’s comments and concerns, bring these matters to the attention of senior management and the board of directors or the audit committee.
3. If material weaknesses in the internal audit function or the internal control system exist, discuss them with appropriate Federal Reserve Bank supervisory staff to determine the appropriate actions (including formal and informal enforcement actions) that should be taken to ensure that the bank corrects the deficiencies.
4. Incorporate conclusions about the bank’s internal audit function into the bank’s management and composite supervisory ratings.
5. Include in the report of examination comments concerning the adequacy of the internal audit function, significant issues or concerns, and recommended corrective actions.

INDEPENDENCE OF THE OUTSOURCING VENDOR

1. If the initial review of an internal audit outsourcing arrangement, including the actions of the outsourcing vendor, raises questions about the bank’s and its vendor’s adherence to the independence standards discussed in parts I and II (and also in part III, if the vendor provides both external and internal audit services to the bank) of the Interagency Policy Statement on the Internal Audit Function and Its Outsourcing—
   a. ask the bank and the outsourcing vendor how the audit committee determined that the vendor was independent;
   b. if the vendor is an accounting firm, ask the audit committee how it assessed that the arrangement has not compromised applicable SEC, PCAOB, AICPA, or other regulatory standards concerning auditor independence;
   c. if the answers to the above supervisory concerns are not adequately addressed, discuss the matter with appropriate Reserve Bank supervisory staff; and
   d. if the Reserve Bank supervisory staff concurs that the independence of the external auditor or other vendor appears to be compromised, discuss the examination findings and the supervisory actions that may be taken with the bank’s senior management, board of directors (or audit committee), and the external auditor or other vendor.

EXTERNAL AUDITORS

1. If the bank has engaged any external audit firms to conduct audits of its financial statements (including their certification), audits of internal control over financial reporting, attestations on management’s assessment of internal control, appraisals of the bank’s audit function, any internal audit or audit function or operational review, review any pending or past engagement letters and agreements. Determine if the audit engagement letters or other agreements include unsafe and unsound provisions that—
   a. indemnify the external auditor against all claims made by third parties;
   b. hold harmless, release, or indemnify the external auditor from liability for claims or potential claims that the bank may assert (other than claims for punitive damages), thus providing relief from liability for the auditors’ own negligent acts, including any losses, claims, damages, or other liabilities; or
   c. limit the remedies available to the bank (other than punitive damages).
2. Find out whether the bank’s board of directors, audit committee, and senior management closely review all of the provisions of audit engagement letters or other agreements for providing external auditing services for the bank before agreeing to sign them, thus indicating the bank’s approval and financial commitment.
3. Verify that the bank has documented its business rationale for any engagement letter or other agreement provisions with external audit firms that limit or impair the bank’s legal rights.
4. With the cooperation of the audit committee, review and determine the adequacy of the bank’s external auditors’ reports, letters, or correspondence, including their supporting workpapers, for the audit work performed since the previous examination.


REGULATORY EXAMINATIONS

1. Review any functional regulatory examination or supervisory examination report for work performed since the previous state member bank examination. Interview any involved auditors to determine their responsibilities and extent of involvement with the work in this area.

Internal Control and Audit Function, Oversight, and Outsourcing
Audit Function Questionnaire
Effective date May 2006 Section 1010.4

Review the documentation as instructed in the examination procedures section to answer the following audit function and audit outsourcing questions. Where appropriate, supporting documentation and pertinent information should be retained or noted under comments.

ENVIRONMENT OF THE AUDIT DEPARTMENT

1. Has the board of directors delegated responsibility for the audit function? If so, to whom?
2. Has the board of directors established an audit committee? Is it composed solely of outside directors?
3. Are the members of the audit committee qualified for their particular responsibilities?
4. Does the audit committee promote the internal audit manager’s impartiality and independence by having him or her directly report audit findings to it? How often does the audit committee meet with and review reports issued by the auditor?
5. Are the audit committee meetings with the auditor closed to bank personnel?
6. Do the minutes of the audit committee indicate an appropriate interest in the activities and findings?
7. Does the auditor report to the board of directors, the audit committee, or an executive officer who is sufficiently high in the bank’s hierarchy? If so, which one? If not, to whom does the auditor report?
8. Are the internal audit function’s control risk assessment, audit plans, and audit programs appropriate for the bank’s activities?
9. Are internal audit activities consistent with the long-range goals and strategic direction of the bank, and are they responsive to its internal control needs?
10. Do management and the board of directors use reasonable standards, such as the IIA’s Standards for the Professional Practice of Internal Auditing, when assessing the performance of internal audit?
11. Does the audit function provide high-quality advice and counsel to management and the board of directors on current developments in risk management, internal control, and regulatory compliance?

1. Is the audit department functionally segregated from operations in the organizational
2. Does the audit committee review or approve the budget and salary of the auditor? If not, who does?
3. Are the reporting procedures of the auditor independent of the influence of any operating personnel?
4. Is the internal audit function adequately managed to ensure that audit plans are accomplished and the audit results are promptly communicated to the audit committee, senior management, and the board of directors?
5. Has the audit staff been relieved of responsibility for conducting continuous audits?
6. Has the audit department been relieved of responsibility for maintaining duplicate records?
7. Do the responsibilities of the audit staff exclude any duties to be performed in lieu of operating personnel, such as preparation or approval of general ledger entries, official checks, daily reconcilements, dual control, etc.?

AUDITOR’S QUALIFICATIONS

1. Are the auditor’s academic credentials comparable to other bank officers who have major responsibilities within the organization?
2. Is the auditor certified (or in the process of becoming certified) as a chartered bank auditor, certified internal auditor, or certified public accountant? If yes, which one (or ones)?
3. Is the auditor’s experience in both auditing and banking comparable both in quality and in duration to that required of the officers assigned major responsibilities?
4. Does the auditor communicate and relate well with all levels of personnel?
5. Does the auditor demonstrate a commitment to continuing education and a current knowledge of the latest developments in banking and auditing technology?
6. Is the auditor dedicated to the standards and ethics of his or her profession (such as those published by the Bank Administration Institute, the Institute of Internal Auditors, and the American Institute of Certified Public Accountants)?

AUDIT STAFF QUALIFICATIONS

1. Is the audit staff sufficient in number to perform its tasks adequately?
2. Is the staff adequately experienced in auditing and banking?
3. Are members of the staff experienced in specialized areas, such as EDP, foreign-exchange trading, trust, and subsidiary activities of the bank?
4. Is there a formal audit training program in effect?
5. Is the number of unfilled vacancies on the audit staff considered reasonable?
6. Is the turnover of audit personnel acceptable?
7. Does management have plans to improve its audit capability, if needed?

AUDIT FREQUENCY AND SCOPE SCHEDULE

1. Is the audit program formalized and therefore on record as a commitment that can be analyzed and reviewed?
2. Are all important bank functions and services identified as subjects of the audits?
3. Does the audit program include procedures necessary to ensure compliance with the Federal Election Campaign Act and the Foreign Corrupt Practices Act?
4. Does the internal audit department have access to all reports, records, and minutes?
5. Are internal audit activities adjusted for significant changes in the bank’s environment, structure, activities, risk exposures, or systems?
6. Does the frequency and scope schedule require approval by the audit committee, the board of directors, regulatory authorities, or others? If so, by whom, and has such approval been obtained?
7. Does the frequency and scope schedule comply with state statutory requirements, if any, for internal audits, including minimum audit standards?
8. Does the auditor periodically report his or her progress in completing the frequency and scope schedule to the board’s audit committee?
   a. If not to the board’s audit committee, to
   b. Does the committee approve significant deviations, if any, in the original program?
9. Does the auditor prepare a time budget? Are budgeted versus actual time analyses used as a guide in forward planning?
10. Does the depth of coverage appear to be sufficient?
11. Are different entry dates and time periods between reviews scheduled so as to frustrate reliable anticipation of entry dates by auditees?
12. Is the bank’s possession of all assets owned or managed in fiduciary capacities subjected to verification?
13. Are controls on opening and closing general ledger and subsidiary accounts adequate and is the auditor formally advised of any
14. If the bank has automated systems, does the program call for the application of independently prepared computer programs that employ the computer as an audit tool?
15. Will the audit staff examine the documentation of all bank systems and produce their own documentation?
16. Are all service-related activities not specifically manifested in general ledger accounts subject to adequate periodic review (for example, supervisory regulations, security, vacation policy, purchases, traveler’s checks, and safekeeping)?
17. Will appraisals of administrative control be made for each function, yielding audit comments and suggestions for improvements of operational efficiency?


AUDIT DEPARTMENT PARTICIPATION IN SYSTEMS DESIGN PROJECTS

1. Is there a formal or informal procedure for notifying the auditor of contemplated new systems or systems modifications in the early planning stages?
2. Is the auditor a member of an executive systems planning or steering committee? If not, does the auditor have access to and review the minutes of such committees?
3. Does an audit representative review the activities of systems design teams for audit and internal control requirements? Is the specialized training and experience of the audit staff sufficient to support effective reviews?
4. Does the audit department avoid over-participation in systems design, modification, and conversion?
5. Is the auditor’s “sign-off” on new or modified systems restricted to control and audit trail features?

AUDIT MANUAL

1. Has responsibility for the establishment and maintenance of the audit manual been clearly assigned?
2. Does the audit manual require approval by the board of directors, the audit committee, or others? If so, has such approval been obtained?
3. Is the content of the audit manual independent from adverse influence by other interests, such as operating management or independent CPAs?
4. Is the audit manual current, and are procedures for keeping the manual current
5. Does the audit manual contain the scope and objective of each audit?
6. Does the manual provide for valid deviations from audit procedures to be officially approved by audit management?
7. Do audit procedures provide for the follow-up of exceptions noted in previous audits?
8. Does the manual prescribe that each audit procedure be cross-referenced to the appropriate audit workpapers?
9. Must an auditor initial each program step as testimony of his or her performance?
10. Does the manual prescribe that full control be established at the time of entry over the records selected for audit?
11. Is proof of subsidiary to control records required?
12. Are subsidiary direct verification programs covering all forms of customer deposit, loan, safekeeping, collateral, collection, and trust accounts included?
13. Are flow charts called for as evidence of thorough analytical auditing?
14. Do the procedures employ scientific sampling techniques that have acceptable reliability and precision?
15. Does the audit manual provide for the resolution of exceptions and deficiencies?
16. Does the audit manual contain provisions for report format and content and an expression of the opinion of the auditor regarding the adequacy, effectiveness, and efficiency of internal controls?
17. For each audit, do audit procedures provide for a documented method of assuring audit management that a proper study and evaluation of existing internal controls has been made, such as an internal control questionnaire or memorandum?
18. Does the audit manual contain a provision for a review and update of the procedures for each audit, where required, upon the audit’s completion?
19. Does the audit manual provide for the maintenance of a permanent file for audits conducted?
20. Does the audit manual contain provisions for the formal, standardized preparation and maintenance of workpapers?
21. Are applicable statutory and regulatory requirements included in the audit procedures?

MAINTENANCE OF AUDIT RECORDS

1. Are workpapers arranged and maintained for filing and reference in—
   a. the current file?
   b. the permanent file?
2. Is a reasonable record-retention schedule and departmental index maintained for audit records?
3. Are audit procedures being complied with during each audit?

Commercial Bank Examination Manual May 2003


4. Do the workpapers contain evidence that all significant deviations from standard audit procedures are documented and have received the approval of audit management?
5. Are procedures for preparing and maintaining workpapers being adhered to?
6. Do workpapers adequately document the internal audit work performed and support the audit reports?
7. Do workpapers contain a copy of the audit report, an adequate index, an internal control questionnaire, audit procedures, and other appropriate material?
8. Are workpapers numbered, indexed, and cross-referenced to audit procedures and the workpapers index?
9. Is each workpaper dated and initialed by the preparer?
   a. Are sources of data clearly shown?
   b. Are tick marks explained?
10. From the workpapers, can it be determined how various sample sizes were determined (by judgment or statistical sampling), including the range and confidence level?
11. Do workpapers contain evidence that supervisory personnel of the audit department have reviewed the workpapers and resultant findings?
12. Are all significant or unresolved exceptions noted in workpapers required to be included in the report?
13. Are applicable statutory and regulatory requirements being complied with?

1. Does the auditor submit formal reports? If so, to whom?
2. Do the reports convey to the reader the auditor’s general observation of the condition of the operation of the department or function?
   a. Do they adequately reflect the scope of the audit?
   b. Do they contain an opinion of the auditor regarding the adequacy, effectiveness, and efficiency of internal controls?
   c. Do they call for a prompt response, where appropriate?
3. With regard to audit exceptions and recommendations, is the method of resolving differences of opinion between audit and operating management effective?
4. Does the auditor maintain a formal record of all audit reports that contain unresolved recommendations and exceptions?
5. Does the bank promptly respond to significant identified internal control weaknesses? Are exceptions and recommendations generally resolved within 90 days?
6. Are audit reports submitted promptly?
7. Are responses received promptly?

USE AND EFFECTIVENESS OF AUDIT COMPUTER PROGRAMS

1. What audit computer programs are used and what are their purposes?
2. Is there a member of the audit staff qualified to write and appraise the quality of audit computer programs?
3. Is the auditor satisfied that he or she has sufficient “free access” to the computer files?
4. Are audit programs run on request?
5. Do direct verification programs allow the auditor flexibility in selecting the criteria to be used in determining the sample?
6. Have procedures been established for the development and maintenance of documentation for audit computer programs? Are they adhered to?
7. Are changes to audit programs controlled?

1. If the bank outsources its internal audit function, does it have a written contract or an engagement letter with the vendor?
2. Does the written contract or engagement letter include provisions that—
   a. define the expectations and responsibilities under the contract for both parties?
   b. set the scope and frequency of, and the fees to be paid for, the work to be performed by the vendor?
   c. set the responsibilities for providing and receiving information, such as the type and frequency of reporting to senior management and directors about the status of contract work?
   d. establish the process for changing the terms of the service contract, especially for expansion of audit work if significant issues are found, and contain stipulations for default and termination of the contract?
   e. state that internal audit reports are the property of the institution, that the institution will be provided with any copies of the related workpapers it deems necessary, and that employees authorized by the institution will have reasonable and timely access to the workpapers prepared by the outsourcing vendor?
   f. specify the locations of internal audit reports and the related workpapers?
   g. specify the period of time (for example, seven years) that vendors must maintain the workpapers?[1]
   h. state that outsourced internal audit services provided by the vendor are subject to regulatory review and that examiners will be granted full and timely access to the internal audit reports and related workpapers prepared by the outsourcing vendor?
   i. prescribe a process (arbitration, mediation, or other means) for resolving disputes and for determining who bears the cost of consequential damages arising from errors, omissions, and
   j. state that the outsourcing vendor will not perform management functions, make management decisions, or act or appear to act in a capacity equivalent to that of a member of management or an employee and, if applicable, will comply with AICPA, SEC, Public Company Accounting Oversight Board (PCAOB), or regulatory independence guidance?
3. Does the outsourced internal audit arrangement maintain or improve the quality of the internal audit function and the bank’s internal control?
4. Do key employees of the bank and the outsourcing vendor clearly understand the lines of communication and how any internal control problems or other matters noted by the outsourcing vendor are to be addressed?
5. Is the scope of the outsourced work revised appropriately when the bank’s environment, structure, activities, risk exposures, or systems change significantly?
6. Have the directors ensured that the outsourced internal audit activities are effectively managed by the bank?
7. Does the arrangement with the outsourcing vendor satisfy the independence standards described in the Policy Statement on the Internal Audit Function and Its Outsourcing and thereby preserve the independence of the internal audit function, whether or not the vendor is also the bank’s independent public accountant?
8. Has the bank performed sufficient due diligence to satisfy itself of the vendor’s competence before entering into the outsourcing arrangement, and are there adequate procedures for ensuring that the vendor maintains sufficient expertise to perform effectively throughout the arrangement?
9. Does the bank have a contingency plan to ensure continuity in audit coverage, especially for high-risk areas?

[1] If the workpapers are in electronic format, contracts often call for the vendor to maintain proprietary software that enables the bank and examiners to access the electronic workpapers for a specified time period.

EXTERNAL AUDIT ENGAGEMENT LETTERS AND

1. Do the bank’s board of directors, audit committee, and senior management closely review all of the provisions in audit engagement letters or other audit work agreements before agreeing to sign them?
2. Does the bank’s legal counsel carefully review audit engagement letters to ensure that those charged with engaging the external auditor make a fully informed decision?
3. Does the bank have any engagement letters for audits of financial statements, audits of internal control over financial reporting, or attestations on management’s assessment of internal control that include unsafe and unsound provisions that—
   a. indemnify the external auditor against all claims made by third parties?
   b. hold harmless or release the external auditor from liability for claims or potential claims that might be asserted by the client financial institution (other than claims for punitive damages)?
   c. limit the remedies available to the client

Commercial Bank Examination Manual May 2006

Page 5
1010.4 Internal Control and Audit Function, Oversight, and Outsourcing: Audit Function Questionnaire

financial institution (other than punitive an independent CPA audit, did the bank
damages)? comply?
4. Has the bank agreed in any engagement a. If so, was the opinion rendered by the
letters or other audit work agreements to accounting firm unqualified?
submit disputes over external audit services b. If not, has the auditor taken appropriate
to mandatory and binding alternative dis- action to resolve any deficiencies?
pute resolution, binding arbitration, or other 2. Does the bank policy prohibit loans to its
binding nonjudicial dispute-resolution pro- external auditor or the engagement of an
cesses (collectively, mandatory ADR) or to external auditor who is a stockholder? If
waive the right to a jury trial. If so— not, has the board considered the materiality
a. has the bank’s senior management care- of any existing transactions regarding the
fully reviewed mandatory ADR and jury- auditor’s independence?
trial provisions in engagement letters, as 3. Has an external auditor been engaged to
well as reviewed any agreements regard- perform special reviews of specific depart-
ing rules of procedure, in order to fully ments or areas of the bank since the previ-
comprehend the ramifications of any ous examination? If deficiencies were cited,
agreement to waive any available have they been corrected?
remedies? 4. Has the same public accounting firm been
b. has the bank’s senior management engaged for the prior two years? If not,
obtained written assurances that its insur- obtain a reason for change.
ance policies (for example, the bank’s 5. Have management letters from the external
errors and omissions policies and direc- auditors or other reports from consultants
tors’ and officers’ liability policies) will been presented to management since the
cover losses from claims that are pre- last examination?
cluded by limitation-of-liability provi- 6. Do deficiencies in management letters
sions in audit engagement letters or other receive appropriate attention?
audit agreements? 7. Are the notes pertaining to the financial
5. Has the bank’s senior management ensured statements reviewed for any information
that any mandatory ADR provisions in that may allude to significant accounting or
audit engagement letters are commercially control problems?
reasonable and— 8. Does the report of examination or the man-
a. apply equally to all parties? agement letter submitted by the public
b. provide a fair process (e.g., neutral deci- accounting firm comprehensively define the
sion makers and appropriate hearing scope of the examination conducted?
c. are not imposed in a coercive manner?
6. Has the bank’s board of directors, audit REGULATORY EXAMINATION
committee, or senior management docu- ACTIVITIES
mented their business rationale for agreeing
to any provisions that limit their legal rights? 1. Does the internal audit department have
access to the examination reports?
2. Does the internal audit department investi-
gate the reasons for adverse comments and
EXTERNAL AUDIT ACTIVITIES recommendations in the examination reports?
3. Does the internal audit department monitor
1. When state, federal, or supervisory regula- the progress in dealing with these com-
tions or stock-exchange listing require ments and recommendations?

Conflict-of-Interest Rules for Examiners
Effective date May 2006 Section 1015.1

The Federal Reserve System (System) maintains a long-standing policy that compels System employees, including examiners, to avoid any action that may result in an employee (or create the appearance that an employee) is—

• using his or her Federal Reserve position for private gain,
• giving preferential treatment to any person or institution,
• losing independence or impartiality, or
• making decisions outside of official channels.

Federal Reserve examiners are also subject to conflict-of-interest rules that are designed to ensure (1) both the objectivity and integrity of bank examinations and (2) that Federal Reserve examiners comply with criminal statutory prohibitions.

The conflict-of-interest rules are set forth in section 5 of the Federal Reserve Administrative Manual and in each Reserve Bank’s uniform codes of conduct.

A bank examiner is prohibited from accepting a loan or gratuity from any bank examined by the individual (18 USC 213). An officer, director, or employee of a bank is prohibited from making or granting any loan or gratuity to any examiner who examines or has authority to examine the bank (18 USC 212). These statutory provisions may also be applicable to a loan obtained by a System employee who has been issued a special, temporary, or ad hoc examiner credential. An examiner found to be in violation of these provisions can be—

• fined under title 18 of the U.S. Code (Crimes and Criminal Procedure), imprisoned not more than one year, or both;
• further fined a sum equal to the money loaned or gratuity given; and
• disqualified from holding office as an examiner.

On February 3, 2005, the director of the Board’s Division of Banking Supervision and Regulation and the Board’s general counsel, acting under delegated authority, approved changes to the System’s examiner borrowing rules as a result of the Preserving Independence of Financial Institution Examinations Act of 2003 (18 USC 212–213). The act included provisions that liberalized examiner borrowing restrictions by providing narrow exceptions that enable bank examiners to obtain credit cards and certain home mortgage loans from a broader range of lenders. (See SR-05-2.)

Under the act, a Reserve Bank examiner may accept a credit card or a loan secured by a mortgage on the examiner’s principal residence from an institution supervised by the Federal Reserve, as long as the examiner meets the financial requirements to obtain such credit or loan. The terms of the credit or loan cannot be more favorable than the terms that are generally offered to other borrowers. Federal Reserve policy, however, does not permit examiners to participate in the examination of any banking organization from which they have obtained home mortgage loans.

On November 17, 2005, the federal bank regulatory agencies1 adopted a rule (effective December 17, 2005) to implement the post-employment restriction found in the Intelligence Reform and Terrorism Prevention Act of 2004 (see 12 USC 1820).2 (See the Board’s rules at 12 CFR 263 and 264, as well as SR-05-26 and its attachments.) The restriction prohibits an examiner who served as a “senior examiner” for a depository institution or depository institution holding company for two or more months during the examiner’s final twelve months of employment with a Reserve Bank from knowingly accepting compensation as an employee, an officer, a director, or a consultant from that depository institution or holding company, or from certain related entities.3 The rule is expected to affect a relatively small number of Federal Reserve examiners, primarily the “central points of contact” (CPC) or other examiners in functionally equivalent positions for the largest and most complex institutions. Table 1 summarizes how the restriction applies to “senior examiners” of the different types of organizations within the Federal Reserve’s jurisdiction.

Definition of “Senior Examiner”

For purposes of this rule, an officer or employee of the Federal Reserve is considered to be the “senior examiner” for a particular state member bank, bank holding company, or foreign bank if the individual meets all of the following criteria:

• The officer or employee has been authorized by the Board to conduct examinations or inspections on behalf of the Board.
• The officer or employee has been assigned continuing, broad, and lead responsibility for examining or inspecting that state member bank, bank holding company, or foreign bank.
• The officer’s or employee’s responsibilities for examining, inspecting, and supervising the state member bank, bank holding company, or foreign bank—
– represent a substantial portion of the officer’s or employee’s assigned responsibilities and
– require the officer or employee to interact routinely with officers or employees of the state member bank, bank holding company, or foreign bank or its respective affiliates.

The rule does not cover an examiner who performs only periodic, short-term examinations of a depository institution or holding company and who does not have ongoing, continuing responsibility for the institution or holding company. The rule also does not cover an examiner who spends a substantial portion of his or her time conducting or leading a targeted examination (such as a review of an institution’s credit-risk management, information systems, or internal audit functions) and who does not have broad and lead responsibility for the overall examination program for the institution or holding company.

The restriction applies to a covered individual for one year after the individual terminates his or her employment with the Reserve Bank. If an examiner violates the one-year restriction, the statute requires the appropriate federal banking agency to seek an order of removal and industry-wide employment prohibition, a civil money penalty of up to $250,000, or both. In special circumstances, the Chairman of the Board of Governors may waive the restriction for the “senior examiner” of the Federal Reserve by certifying in writing that granting the individual a waiver of the restriction would not affect the integrity of the Federal Reserve’s supervisory program.

1. The Board of Governors of the Federal Reserve System (Board), the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, and the Office of Thrift Supervision.
2. Pub. L. 108-458, 118 Stat. 3638, 3751–53 (December 17, 2004).
3. The Board’s rule applies to a covered examiner who leaves the Federal Reserve’s service after December 17, 2005. Because the statute has a one-year look-back provision, an examiner’s responsibilities from as far back as December 17, 2004, may subject the “senior examiner” to the post-employment restriction.

Table 1—Summary of Prohibited Employment Based on Examination

Examiner Responsibility: If during two or more months of the last twelve months of service, the examiner serves as the “senior examiner” for a—
Restriction: Then for one year after leaving the Reserve Bank, the “senior examiner” may not knowingly accept compensation as an employee, officer, director, or consultant from—

State member bank
• the state member bank (including any subsidiary of the state member bank) or
• any company (including a bank holding company) that controls the state member

Bank holding company
• the bank holding company or
• any depository institution controlled by the bank holding company (including any subsidiary of the depository institution).

Foreign bank
• the foreign bank,
• any U.S. branch or agency of the foreign bank, or
• any U.S. depository institution controlled by the foreign bank (including any subsidiary of the depository institution).

Federal Reserve System Bank Watch List and
Surveillance Programs
Effective date May 2006 Section 1020.1

The Federal Reserve System (the System) uses automated screening systems to conduct routine monitoring of the financial condition and performance of state member banks. These surveillance systems rely on Call Reports and other financial regulatory reports, as well as examination data, to identify institutions exhibiting financial deterioration or increased risk profiles. This surveillance process ensures that these banks receive timely supervisory attention and that examination resources can be directed to weak and potentially troubled banks to supplement on-site examinations.

System surveillance screens focus on many areas evaluated in the supervisory process, including capitalization, asset growth, loan quality, loan concentrations, interest-rate risk, and liquidity. In addition, the screens flag banks engaging in new or complex activities. The surveillance information helps identify weak or deteriorating banks and those with changing risk

Examiners also use the surveillance results in preexamination planning. For example, before an on-site review, the examiner will determine whether a bank is on the System’s State Member Bank Watch List (the watch list) and if the bank has failed any surveillance monitoring screens. This information is useful in determining the type of examination scope (full, limited, or targeted) and staff resources that will be needed. The surveillance results can also be used to identify bank activities that may warrant a higher degree of review or focus during an on-site examination. Thus, the surveillance information helps examination and supervision staff plan and schedule more-forward-looking risk-focused examinations.

The surveillance program activities generally consist of the following three supervisory components:

1. A set of System monitoring screens of financial data. The process, referred to as “screening,” involves a routine monitoring of the financial condition, performance, and risk of banks.
2. Analysis based on the watch list and other reports. System staff use the watch list and other data derived from the surveillance process to flag outlier institutions, using measures that correspond to areas of supervisory concern. The monitoring screens and watch list are designed and used to spot trends and changes in an institution’s financial condition and performance to determine if identified companies require further review.
3. Corrective action and follow-up. Reserve Bank follow-up action is performed for outlier institutions. The nature and extent of follow-up depend on current conditions at the identified bank. Actions range from completing a written analysis of the factors contributing to the outlier status to conducting an on-site examination. These efforts ensure that identified problems are monitored until they can be corrected or resolved.

PROGRAM

The State Member Bank Watch List Program, detailed in SR-06-2, “Enhancements to the System’s Off-Site Bank Surveillance Program,” is the Federal Reserve’s primary means for monitoring state member bank performance and condition between on-site examinations. The watch list is a record of banks that failed selected monitoring screens or ratings criteria. The watch list helps the Reserve Banks track and address troubled or potentially weak banks and identify common supervisory issues in the banks meeting watch list criteria. The program consists of five phases: (1) generating, reviewing, and modifying a watch list of banks meeting certain inclusion criteria; (2) analyzing the financial condition and risk profile of each bank on the final watch list and specifying the factors responsible for the bank’s appearance on the watch list; (3) determining whether the safety-and-soundness examination schedule should be accelerated for those banks listed on the watch list; (4) preparing or updating a surveillance write-up for each bank listed on the watch list; and (5) developing a suitable supervisory response, including possible corrective action, that addresses identified problems.

The Watch List Program applies to all state member banks and includes both state member banks with known weaknesses and those with characteristics that could affect supervisory assessments of the quality of bank management or of the overall safety and soundness of a bank. The program helps to ensure that weaknesses existing at supervised banks are being addressed appropriately and that potential emerging problems can be promptly identified in between regularly scheduled on-site safety-and-soundness examinations. State member banks are included on a watch list and require quarterly written analyses when they meet any of the following criteria:

• overall Supervision and Regulation Statistical Assessment of Bank Risk (SR-SABR) surveillance rating of 1D, 1F, 2D, or 2F
• CAMELS composite rating of 3 or worse
• Management or Risk Management component rating of 3 or worse
• composite rating in either of the worst two categories under the Trust, Information Technology, Consumer Compliance, or Community Reinvestment Act rating systems

Reserve Banks and Board staff may add state member banks to the watch list for reasons other than those listed above. For example, they may elect to include selected de novo banks, banks reporting rapid asset or loan growth or significant changes in business mix, and other institutions with financial characteristics that suggest the need for heightened off-site monitoring in between on-site examinations.

SR-SABR Model

The SR-SABR model assigns a two-component surveillance rating to each bank. The first component is the current composite CAMELS rating assigned to the bank. The second component is a letter (A, B, C, D, or F), reflecting the model’s assessment of the relative strength or weakness of a bank compared with other institutions within the same CAMELS rating category.1 An SR-SABR rating that includes an “A” denotes a bank with particularly strong financial and supervisory indicators compared with other banks within its CAMELS rating category. An SR-SABR rating including an “F” indicates that a bank is reporting poor financial results or showing other signs of significant weakness compared with similarly rated banks. For example, a 1A rating signifies a 1-rated bank that reports strong financial and supervisory indicators when compared with all 1- and 2-rated banks, while a 1F indicates that, while the bank currently maintains the strongest possible composite CAMELS rating, its financial or other supervisory indicators place it among the weakest of the banks currently rated either 1 or 2. SR-SABR ratings that include a “B” generally correspond to banks with financial and supervisory measures that are comparable to most banks in the CAMELS rating category. Those with a “C” have weaker measures than those of most other banks in their CAMELS rating category, and those with a “D” have significantly weaker financial or supervisory measures compared with other banks in their rating category.

Three separate econometric models contribute to SR-SABR surveillance ratings. Two of the models estimate the probability of an adverse supervisory rating change for a bank if it was examined within the next quarter. The first estimates the probability of an adverse rating change for banks currently rated CAMELS 1 or 2. The second estimates the probability of an adverse rating change for banks currently rated 3, 4, or 5.2 Together, these models are used to assign an “adverse change” rating. They utilize seven financial variables computed using Call Report data and seven supervisory variables that have been statistically significant in explaining adverse ratings assigned over the past three years. The third model is retained from the System to Estimate Examination Ratings (SEER) framework and estimates the probability that a bank will fail or become critically undercapitalized within the next two years. This model is referred to as the “viability” model and includes 11 financial variables computed using Call Report data. The model was estimated and developed based on the financial results from the large group of banks that failed in the late 1980s and early 1990s.

Quarterly Watch List Procedures

Board staff will distribute a preliminary quarterly watch list to surveillance contacts at each Reserve Bank upon the finalization of quarterly Call Report processing. To assist examiners and analysts in interpreting SR-SABR model results, Board staff will also distribute SR-SABR Schedule of Risk Factors (SRFs) reports. The SRFs highlight financial ratios that cause the model to flag a bank as particularly strong or weak. These reports also include peer statistics to highlight the relative position of a bank compared with other institutions that have similar CAMELS composite ratings. In addition, supplemental monitoring screens will be distributed to assist in analyzing watch list banks and in identifying other banks that may require additional supervisory attention.

Upon notification from Board staff that quarterly surveillance materials are ready for review, Reserve Banks should perform the following procedures:

• Review and modify the watch list. Review the preliminary watch list and add any other state member banks from their districts that have significant safety-and-soundness weaknesses. For each bank to be added, the Reserve Bank should submit the name, ID RSSD number, location, asset size, and the reasons for its inclusion on the watch list by e-mail to the manager of the Surveillance, Financial Trends, and Analysis Section at the Board within five business days of receiving the preliminary watch list. Reserve Banks also may recommend removal of banks that they previously had added to the watch list and that no longer appear to warrant watch list status. In these cases, the Reserve Bank should also provide a brief written rationale to Board staff for removing any banks from the watch list. Ten days after the distribution of the draft, the watch list will be deemed final, and the time frame for completing all follow-up work will commence.
• Assess the financial condition and risk profile of each final watch list bank. Reserve Banks should review each final watch list bank in their Districts to assess the bank’s financial condition and risk profile. Reserve Banks should consider recent examination findings for the bank and its affiliates, relevant information included in correspondence between the bank and the Reserve Bank, and other outside sources of information. Reserve Banks also should use all appropriate surveillance tools in evaluating each bank, including the Uniform Bank Performance Report, Bank Holding Company Performance Reports, and results of the System Bank Monitoring Screens and the System BHC Monitoring Screens.
• Determine whether the safety-and-soundness examination schedule should be accelerated for each watch list bank. In cases where substantial deterioration in a bank’s financial condition is evident or where a bank’s risk profile has increased significantly, Reserve Banks should commence an on-site review of the bank no later than 60 days after the release of the final watch list. Unless an on-site examination has been completed within the last six months or the Reserve Bank can document that SR-SABR results do not reflect material safety-and-soundness concerns, Reserve Banks should generally accelerate examinations when a state member bank is assigned an SR-SABR rating of 1F, 2F, or 3F. The scope of on-site reviews conducted for watch list banks may vary, depending on the risk factors present and knowledge about the bank and its management. In some cases, discussing the issues with management may suffice; in others, a full-scope safety-and-soundness examination may be necessary.
• Prepare surveillance write-ups for each watch list bank. No more than 30 days after receiving the quarter’s final watch list, Reserve Banks should document conclusions on the watch list banks in a write-up posted to the System’s Central Data and Text Repository (CDTR) using the Banking Organization National Desktop (BOND) application.3 Each write-up should be posted as a “State Member Bank Watch List Write-Up” and assigned an “as of” date that corresponds to the quarterly surveillance cycle. The write-ups should—
— briefly summarize the cause for a bank’s appearance on the watch list and assess whether it poses risks to the safety and soundness of the bank;
— detail the supervisory actions that have been taken in response to safety-and-soundness concerns;
— describe bank management’s response to safety-and-soundness concerns;
— address whether the current CAMELS rating accurately reflects the bank’s condition, considering adverse SR-SABR results when applicable;
— assess whether the timing of the next safety-and-soundness examination should be accelerated; and
— describe the Reserve Bank’s plans for addressing any safety-and-soundness issues over the next quarter.

For state member banks that have been included on the watch list in the prior quarter, write-ups should focus on new developments or changes in the condition or performance of the bank. Key background information, however, should be carried forward so that the write-up serves as a stand-alone summary document of the bank’s current condition and prospects for improvement.

1. For banks currently rated 1 or 2, “CAMELS rating category” refers to all banks with satisfactory (1 or 2) CAMELS ratings. Banks with less than satisfactory CAMELS ratings are compared only with other banks that have the same CAMELS rating.
2. For 5-rated banks, an adverse rating change is defined as the continuation of the current rating.
3. In general, Reserve Banks should create a separate quarterly watch list document for each state member bank included on the watch list. However, for bank subsidiaries of the largest banking organizations, which are subject to continuous supervision and already require separate quarterly written analyses, the factors required for a quarterly watch list write-up, if applicable, may be addressed within the standard quarterly documentation posted in the CDTR and BOND. Reserve Bank surveillance contacts, however, should notify the manager of the Surveillance, Financial Trends, and Analysis section of the specific CDTR documents that address these requirements.

Federal Reserve System Bank Watch List and Surveillance
Examination Objectives
Effective date November 2000 Section 1020.2

1. To identify major changes in the financial condition of the bank between examinations.
2. To assist in determining the scope of the examination and the priority of work to be
3. To check the validity of the data being reported by the bank.
4. To investigate areas where an in-depth review is indicated.

Federal Reserve System Bank Watch List and Surveillance
Examination Procedures
Effective date November 2000 Section 1020.3

1. Obtain any surveillance screening reports, such as the watch list and Federal Reserve System monitoring screens, or other analysis reports prepared by the Reserve Bank or Board that have been generated for the bank.
2. Review the reports obtained in step 1 and discuss with surveillance staff, if necessary, for clarification or for further background information.
3. If a pre-examination analysis has not been prepared, create one from information contained in the bank performance report, current call report, and previous examination report. This analysis should be considered when determining the scope of the examination, and when making staffing decisions.
4. Follow up on unusual aspects revealed in the surveillance screening reports, in analysis reports, or on newly obtained data significantly different from prior information.
5. Perform validity checks necessary to ensure the quality of reported data. This would include such normal examination procedures as validating call report information and confirming the accuracy and soundness of past-due and accrual accounting practices.

Effective date March 1984 Section 1030.1

INTRODUCTION

Workpapers are the written documentation of the procedures followed and the conclusions reached during the examination of a bank. Accordingly, they include, but are not necessarily limited to, examination procedures and verifications, memoranda, schedules, questionnaires, checklists, abstracts of bank documents and analyses prepared or obtained by examiners.

The definition of workpapers, their purpose, and their quality and organization are important because the workpapers as a whole should support the information and conclusions contained in the related report of examination. The primary purposes of workpapers are to—

• organize the material assembled during an examination to facilitate review and future reference.
• aid the examiner in efficiently conducting the examination.
• document the policies, practices, procedures and internal controls of the bank.
• provide written support of the examination and audit procedures performed during the examination.
• document the results of testing and formalize the examiner’s conclusions.
• substantiate the assertions of fact or opinion contained in the report of examination.

They also are useful as—

• a tool for the examiner-in-charge to use in planning, directing, and coordinating the work of the assistants.
• a means of evaluating the quality of the work performed.
• a guide in estimating future personnel and time requirements.
• a record of the procedures used by the bank to assemble data for reports to the Board of Governors of the Federal Reserve System.
• a guide to assist in the direction of subsequent examinations, inquiries and studies.

The initial step in preparing workpapers is to review, where available, the applicable sections of supporting data prepared during the prior examination. When reviewing prior workpapers, the examiner should consider the data prepared in each area for—

• information that is of a continuing or permanent nature.
• guidance in preparation of workpapers for the current examination.
• an indication of changes or inconsistencies in accounting procedures or methods of their application since the last examination.

Accumulation of relevant documentation consistent with prior examinations, however, is often insufficient. Workpapers should be prepared in a manner designed to facilitate an objective review, should be organized to support an examiner’s current findings and should document the scope of the current examination. Minimum content necessary for each section of workpapers includes:

Source of Information—This is important, not only in identifying the bank, but also in identifying the preparer. In subsequent examinations, the preparer should be able to readily determine the bank personnel from whom the information was obtained during the previous examination as well as the examiner who prepared the workpapers. Accordingly, each workpaper should include—

• bank name and subdivision thereof, either functional or financial.
• statement of title or purpose of the specific analysis or schedule.
• specific identification of dates, examination date and work performance date.
• initials of preparer and initials indicating review by the examiner designated to perform that function. Although appropriate use may be made of initials, the full names and initials of all examiners should appear on a time and planning summary or on an attachment to the file to facilitate future identification.
• name and title of person, or description of records, that provided the information needed to complete the workpaper.
• an index number identifying the workpaper and facilitating organization of the workpaper

Scope of Work—This includes an indication of the nature, timing and extent of testing in application of examination and audit procedures. It also includes the examiner’s evaluation of and reliance on internal and external audit

Commercial Bank Examination Manual March 1994

1030.1 Workpapers

procedures and compliance testing of internal controls. To the extent that this information is contained in other workpapers, such as an examination procedure or a questionnaire, a reference to the appropriate workpaper will be sufficient.

Conclusions—The examiner should develop conclusions, in accordance with the examination objectives, with respect to the information obtained, documentation provided and the results of the examination and audit procedures performed. Such conclusions provide the basis for information contained in the report of examination.

To develop workpapers that have the qualities of clarity, completeness and conciseness, adequate planning and organization of content are essential. Therefore, before the workpaper is prepared, the examiner should determine the

• What examination objective will be satisfied by preparing the analysis or workpaper?
• Can preparation of the analysis be avoided by testing the bank’s records and indicating the nature and extent of testing in an examination or an audit procedure or by comment on a related schedule or another supporting document?
• Is the analysis necessary to support the information in the report of examination?

Subsequent to the determination that an analysis is required, but before initiating preparation, the examiner should decide if—

• previous examination analyses can be adapted and carried forward to the current examination.
• the analysis can be prepared by an internal auditor or other bank personnel.
• the format of the analysis may be designed in a manner to facilitate its use in future examinations.

Once it has been determined that preparation of an analysis is required, the examiner should consider the following techniques that promote clarity of workpaper preparation:

• Restrict writing to only one side of the paper.
• Use a standard size sheet of paper large enough to avoid overcrowding.
• Condense information for simplicity.

Frequently, time can be saved by carrying forward workpapers from one examination to the next. Thus, when laying out an analysis that might be repeated in future examinations, the examiner should arrange it in a manner to facilitate future use. For example, extra columns may be left blank within an account analysis displaying little activity for insertion of transaction information during future examinations. In such a situation, appropriate space (boxes and column headings) should be provided for the signature or initials of the preparer and reviewer during each examination. When a workpaper is removed from one examination file and carried forward, a notation should be made in the file from which the paper is extracted. This is important in the event workpapers applicable to a particular examination are needed several years after the completion of the examination.

INITIAL PREPARATION BY

Although all items included in the report of examination should be supported by workpapers, their preparation may not always require original work by the examiner. Frequently, arrangements can be made for bank personnel, including internal auditors, to prepare workpapers for examination use or to make available papers prepared by them as part of their regular duties. Examples include outstanding checklists, lists of outstanding certificates of deposit, schedules of employee borrowings, and debt maturity schedules. The extent to which examiners can utilize analyses and data prepared by bank personnel increases the efficiency with which examination procedures are completed.

As part of the initial examination planning process, arrangements should be made with appropriate bank management for the timely completion of bank-prepared data and information. The coordinating bank officer(s) must understand what information is being requested and why it is being requested, in order to avoid confusion and unnecessary regulatory burden. Arrangements, however, may have to be made for the bank to supply supporting details or other schedules or items to comply with the requests.

Upon receipt of bank-prepared analyses, an examiner should review the documents for overall completeness and note the date of receipt. This facilitates future planning and provides a ready reference as to which analyses have been received from the bank at any given point during the examination. Also, all bank-prepared workpapers should be tested and the nature and extent of testing performed by the examiner should be indicated on the papers.

INITIAL APPROACH IN WORKPAPER PREPARATION

The initial approach in preparing workpapers that support balances in the statement of condition is quantitative. In using this approach, the examiner obtains an analysis of the composition of the account balance as of the examination date. This inventory of the composition may be represented by a trial balance of loans, a listing of outstanding official checks, a listing of individual deposit accounts, or other similar items. Only after determining the composition and insuring that the total agrees with the bank’s records is the examiner in a position to perform examination procedures and to arrive at a conclusion about the overall quality of the items comprising the balance.

For certain analyses, however, it is preferable to include account activity (transactions) in the workpapers. Typical examples of such analyses are those of bank premises and equipment and of reserve for possible loan losses. The format for reserve for possible loan losses should include beginning balances (prior examination ending balances), provisions for loan losses, collections, charge-offs, other transactions (transfers to/from undivided profits) and ending balances as of the examination date.

CONTROL AND REVIEW

All examiners assigned to an examination should insure that workpapers are controlled at all times while the examination is in progress. For example, when in the bank’s offices, the workpapers should be secured at night and safeguarded during the lunch hour or at other times when no examining personnel are present in the immediate vicinity. It is essential to completely control confidential information provided by the bank. In addition, information relating to the extent of tests and similar details of examination procedures should not be made available to bank employees.

In cases where customary examination practices are not practical, alternative procedures and the extent to which they are applied should be documented. The need for completeness requires that there be no open items, unfinished operations or unanswered questions in the workpapers at the conclusion of the examination.

The clarity of workpapers should be such that an examiner or Federal Reserve official unfamiliar with the work could readily understand it. Handwritten commentaries should be legible, concise and should support the examiner’s conclusions. Descriptions of work done, notations of conferences with bankers, conclusions reached and explanations of symbols used should be free from ambiguity or obscurity. Excessive use of symbols usually can be avoided by expanding a comment to include the nature and extent of work performed instead of using separate symbols for each portion of the work performed. In addition, instructions to assisting personnel concerning standards or workpaper content are necessary to ensure that they will meet the quality standards of the Federal Reserve. When workpapers have the necessary qualities of completeness, clarity, conciseness and neatness, a qualified reviewer may easily determine their relative value in support of conclusions and objectives reached. Incomplete, unclear or vague workpapers should, and usually will, lead a reviewer to the conclusion that the examination has not been adequately performed.

Experienced personnel must review all workpapers prepared during an examination. Usually that review is performed by the examiner-in-charge, although in some cases, the examiner-in-charge may designate other experienced personnel to perform an initial review. An overall review is then performed by the examiner-in-charge. The two primary purposes of a review of workpapers by senior personnel are to determine that the work is adequate given the circumstances, and to ensure that the record is sufficient to support the conclusions reached in the report of examination. The timely review of workpapers and subsequent discussion of them with the individual who prepared them also is one of the more effective procedures for on-the-job training.


Normally, the review should be performed as soon as practicable after the completion of each work area. This review ideally occurs at the bank’s office so that if the need for obtaining additional information arises or additional work is required the matter can be promptly attended to with minimum loss of efficiency.

When the review of workpapers is completed, the reviewer should sign or initial the applicable documents. Although all workpapers should be reviewed, the depth and degree of detail depends on factors such as:

• The nature of the work and its relative importance to the overall examination objectives.
• The extent to which the reviewer has been associated with the area during the examination.
• The experience of the examiners who have carried out the various operations.

Professional judgment must be exercised throughout the review process.

ORGANIZATION OF WORKPAPER FILES

Administration of an examination includes—

• organizing the workpaper files.
• delegating authority for completion of all applicable workpaper sections.
• reviewing and assembling the completed workpapers.

To ensure efficiency in locating information contained in the workpapers and completion of all necessary procedures, workpapers should be filed and indexed in a standard manner.

FILES

The file provides the organizational vehicle to assemble workpapers applicable to specific areas of the examination. Files might include detailed workpapers related to—

• management appraisal.
• overall conclusions about the condition of the bank.
• cash accounts.
• investments.
• loans.
• reserve for possible loan losses.
• bank premises and equipment.
• other assets.
• deposits.
• other liabilities.
• capital accounts and dividends.

Each individual file would normally include—

• related examination and audit procedures.
• detailed information and other documentation necessary to indicate the specific procedures performed, the extent of such procedures and the examiner’s conclusions for the specific area.
• a summary, in comparative form, of the supporting general ledger balances with appropriate cross-references.

Judgment is required as to what the file should include on any specific examination. Lengthy documents should be summarized or highlighted (underlined) so that the examiner who is performing the work in the related area can readily locate the important provisions, without having to read the entire document. It also may be desirable to have a complete copy of the document in the file to support the summaries or answer questions of a specific legal nature.

Examples of documents that might be contained in the files are—

• a brief history and organization of the bank.
• organization charts of applicable departments within the bank.
• copies of, or excerpts from, the charter and bylaws.
• copies of capital stock certificates, debentures agreements and lease agreements.
• excerpts from minutes or contracts that are of interest beyond the current year.
• a chart of accounts and an accounting manual, if available, supplemented by descriptions of unique accounts and unusual accounting methods.
• lists of names and titles of the board of directors, important committees and relevant departmental personnel.

Indexing and Cross-Referencing

To promote efficiency and help ensure that all applicable areas of an examination have been considered and documented, the use of an indexing system aids in the organization of workpaper files. A general outline or index including all examination areas provides a basis for organization to which a numbering or other sequential system can be assigned and applied to each workpaper file.

When all workpapers pertinent to a specific area of the examination have been completed, a cover sheet listing the contents of each file should be attached to the front to provide a permanent record for reference. This permits not only efficient location of a set of workpapers pertinent to a specific area of the examination (for example, cash or commercial loans), but also facilitates the location of a specific analysis (or other document) within the set.

Amounts or other pertinent information appearing in more than one place in the workpapers should be cross-referenced between the analyses. A notation on the index, including appropriate cross-referencing of those items removed or filed elsewhere, facilitates location of specific data and records and also helps to prevent inadvertent loss of documents. An example is the cross-referencing of net charge-offs obtained in the review of the reserve for possible loan losses to the amount approved in the board of directors’ minutes. Proper cross-referencing is important because it—

• serves as a means of locating work performed for a particular account or group of accounts.
• identifies the source of supporting amounts in a particular analysis.
• facilitates the review of the workpapers.
• helps in following the workpapers during the succeeding examination.

WORKPAPER RETENTION

Examiners should retain on a readily available basis those workpapers from—

• the most recent full-scope Federal Reserve examination.
• the most recent general EDP examination.
• examinations of banks requiring or recommended for more than normal or special supervisory attention (composite rating of 3, 4 or 5; consumer compliance rating of 3, 4 or 5; EDP departments rated 4 or 5; or those subject to administrative action such as civil money penalties) until such banks are no longer the subject of such scrutiny.
• examinations disclosing conditions that may lead eventually to more than normal or special supervisory attention, as described above, until the supporting workpapers are no longer appropriate.
• examinations disclosing conditions that lead, or may eventually lead, to a criminal referral or criminal investigation.

These guidelines are the minimum required retention period for workpapers; longer retention periods may be set by individual Reserve Banks.

Cash Accounts
Effective date May 1996 Section 2000.1

Cash accounts include U.S. and foreign coin and currency on hand and in transit, clearings, and cash items.

CASH

Every bank maintains a certain amount of U.S. currency and some may have foreign currency on hand. To avoid having excess nonearning assets and to minimize exposure to misappropriation and robbery, each bank should establish a policy to maintain cash balances at the minimum levels necessary to serve its customers. The amount will vary from bank to bank depending on anticipated needs of customers and the availability of replenishment monies, with a reasonable allowance made for unusual

Foreign currency may not be included in cash positions for management purposes when the amounts are not significant. However, the coin and currency of other countries are foreign-currency assets, as are loans or nostro accounts, and should be included in the foreign-currency positions.

CLEARINGS

Clearings are checks, drafts, notes, and other items that a bank has cashed or received for deposit that are drawn on other local banks and cleared directly with them. These items can usually be exchanged more efficiently among local banks than through correspondent banks or the Federal Reserve System. Many communities with two or more banks have formally organized clearinghouse associations, which have adopted rules governing members in the exchange of checks. Clearinghouse associations often extend their check-exchange arrangements to other nearby cities and towns. In most banks, clearings will be found in the department responsible for processing checks.

Proof and transit were once two separate functions in a bank: the proving of work (proof) and the sending of out-of-town cash items (transit) for collection. Most banks have now combined these two functions. Proof and transit may be performed by any combination of tellers or proof clerks, a separate proof and transit department, a check-processing department, an out-clearing department, or some other department that is characteristic of the area of the country where the bank operates. The functions may be centralized or decentralized, manual or automated, depending on the size of the bank and the volume of transactions. The volume of clearings may be so great that the bank’s proof operations are conducted after time deadlines for transaction posting or courier delivery. In these cases, daily clearings customarily are determined as of a specific cutoff time. Checks processed to that time are carried in one day’s totals, and checks processed after that time are carried in the following day’s totals. However, no matter who performs the function or how large the bank, the objectives of a proof and transit system are the

• to forward items for collection so that funds are available as soon as possible
• to distribute all incoming checks and deposits to their destinations
• to establish whether deposit totals balance with the totals shown on deposit tickets
• to prove the totals of general ledger entries and other transactions
• to collect data for computing the individual customer’s service charges and determining the availability of the customer’s funds
• to accomplish the assigned functions at the lowest possible cost

CASH ITEMS

Cash items are checks or other items in the process of collection that are payable in cash upon presentation. A separate control of all cash items is usually maintained on the bank’s general ledger and, if applicable, on the international division general ledger. The ledger is supported by a subsidiary record of individual amounts and other pertinent data. Cash items and the related records are usually in the custody of one employee at each banking office.

In their normal daily operations, banks have an internal charge, on the general ledger, to total demand deposits not charged to individual accounts because of insufficient funds, computer misreads, or other problems. Commonly known as return items or rejected or unposted debits,

Commercial Bank Examination Manual November 2000


these items may consist of checks received in the ordinary course of business, loan-payment debits, and other debit memos. In some banks, return items are separated by the bookkeepers and an entry is made reclassifying them to a separate asset account entitled “bookkeepers’ return items.” Other banks do not use a separate asset account; instead, the bookkeepers include the items in a subsidiary control account in the individual demand deposit ledgers. In that case, the account would have a debit balance and would be credited when the bank processes items for posting or returns the checks to their

Since bookkeepers’ return items are usually processed and posted to an individual account or returned to their source on the next business day, the balance of the bookkeepers’ return items account should represent the total of only one day’s returned items.

When data processing systems are used, the common practice is to post all properly encoded debit items, regardless of whether an overdraft is created. The resulting preliminary overdraft list, together with the items charged, is subsequently reviewed by bank employees, and unapproved items are reversed and separated as bookkeepers’ return items. The total of the resulting final overdraft list becomes the final overdraft figure shown on the general ledger. The examination of overdrafts is discussed in “Deposit Accounts,” section 3000.1. The examination of international overdrafts is discussed in “Due from Banks,” “Borrowed Funds,” and “International—Foreign Exchange,” sections 2010.1, 3010.1, and 7100.1, respectively.

Several types of cash items should be considered “cash items not in the process of collection” and shown in an appropriate “other assets” account. Some examples are (1) items that are payable upon presentation but which the bank has elected to accumulate and periodically forward to the payor, such as Series EE bonds or food stamps; (2) items that are not immediately payable in cash upon presentation; and (3) items that were not paid when presented and require further collection effort.

In addition to those items carried in the separate “cash items” account on the general ledger, most banks will have several sources of internal float in which irregular cash items can be concealed. Such items include any memoranda slips; checks drawn on the bank; checks returned by other banks; checks of directors, officers, employees, and their interests; checks of affiliates; debits purporting to represent currency or coin shipments; notes, usually past due; and all aged and unusual items of any nature that might involve fictitious entries, manipulations, or uncollectible accounts.

CURRENCY TRANSACTIONS

The Financial Recordkeeping and Reporting of Currency and Foreign Transactions regulation, 31 CFR 103, requires financial institutions to maintain records that might be useful in criminal, tax, or regulatory investigations. The regulation also seeks to identify persons who attempt to avoid payment of taxes through transfers of cash to or from foreign accounts. The examination procedures for determining compliance with the regulation require the examiner to ascertain the quality of the bank’s auditing procedures and operating standards relating to financial recordkeeping.1 Examiners also determine the adequacy of written policies and bank training programs. The Financial Recordkeeping and Reporting of Currency and Foreign Transactions checklist (see the Bank Secrecy Act Examination Manual) is to be used in checking compliance and for reporting apparent violations. Any violations noted should be listed with appropriate comments in the report of examination. Inadequate compliance could result in a cease-and-desist order to effect prompt compliance with the statute.

1. Section 208.63 of Regulation H establishes procedures to ensure that state member banks establish and maintain procedures reasonably designed to ensure and monitor compliance with the regulation.

Cash Accounts
Examination Objectives
Effective date May 1996 Section 2000.2

1. To determine if the policies, practices, procedures, and internal controls regarding “cash accounts” are adequate.
2. To determine if bank officers and employees are operating in conformance with the established guidelines.
3. To determine the scope and adequacy of the audit function.
4. To determine compliance with laws and regulations.
5. To initiate corrective action when policies, practices, procedures, or internal controls are deficient or when violations of laws or regulations have been noted.

Commercial Bank Examination Manual May 1996

Cash Accounts
Examination Procedures
Effective date March 1984 Section 2000.3

1. If selected for implementation, complete or update the cash accounts section of the internal control questionnaire.
2. Based on the evaluation of internal controls and the work performed by internal or external auditors, determine the scope of the examination.
3. Test for compliance with policies, practices, procedures and internal controls in conjunction with performing the remaining examination procedures. Also obtain a listing of any deficiencies noted in the latest review done by internal or external auditors from the examiner assigned to that area of examination, and determine if appropriate corrections have been made.
4. Scan the general ledger cash accounts for any unusual items or abnormal fluctuations. Investigate any such items and document any apparent noncompliance with policies, practices and procedures for later review with appropriate management personnel.
5. Obtain teller settlement sheet recap or similar document as of the examination date and agree to the general ledger. Scan for reasonableness and conformity to bank policy.
6. Obtain detailed listings of cash items, including any bank items which are carried in the general ledger under “other assets,” agree listings to general ledger balances and scan for propriety and conformity to bank policy.
7. Test compliance with Regulation H (12 CFR 208) by—
   a. selecting teller and banking office cash-balance sheets and determining that balances are within currency limits established;
   b. selecting bait money and agreeing serial numbers to applicable records;
   c. reviewing documentation showing training sessions held since the preceding examination;
   d. performing any visual inspections deemed appropriate;
   e. analyzing the bank’s system of security and protection against external crimes (Guidance for this analysis is provided in the internal control questionnaire in this section of the manual.); and
   f. determining, through discreet corroborative inquiry of responsible bank officials and review of documentation, whether a security program that equals or exceeds the standards prescribed by Regulation H (12 CFR 208.61(c)) is in effect and that the annual compliance report and any other reports requested by the Federal Reserve System have been filed.
8. Review compliance with the Financial Recordkeeping and Reporting of Currency and Foreign Transactions Act, 31 CFR 103.
9. Review tellers’ over and short accounts for recurring patterns and any large or unusual items and follow up as considered necessary. Investigate differences centered in any one teller or banking office. Determine whether corrective action has been taken, if required.
10. Determine, by discreet corroborative inquiry of responsible bank officials and review of documentation, whether defalcations and/or mysterious disappearances of cash since the preceding examination have been properly reported pursuant to current requirements of the Board of Governors.
11. Review foreign-currency control ledgers and dollar book value equivalents for the following:
   a. accuracy of calculations and booking procedures
   b. unusual fluctuations
   c. concentrations
   d. unusual items
12. Review international division revaluation calculations and procedures.
13. Review the following items with appropriate management personnel (or prepare a memo to other examining personnel for their use in reviewing with management):
   a. internal-control exceptions and deficiencies in, or noncompliance with, written policies, practices and procedures
   b. uncorrected audit deficiencies
   c. violations of law
   d. inaccurate booking of U.S. dollar book value equivalents for foreign currencies
   e. inaccurate revaluation calculations and procedures performed by cash-account operations staff
14. Prepare comments on deficiencies or violations of law noted above for inclusion in the examination report.
15. Update the workpapers with any information that will facilitate future examinations.

Cash Accounts
Internal Control Questionnaire
Effective date May 2007 Section 2000.4

Review the bank’s internal-control policies, practices, and procedures for cash accounts. The bank’s system should be documented completely and concisely and should include, where appropriate, narrative descriptions, flow charts, copies of forms used, and other pertinent information. Items marked with an asterisk require substantiation by observation or testing.

CASH ON HAND

*1. Do all tellers, including relief tellers, have sole access to their own cash supply, and are all spare keys kept under dual control?
*2. Do tellers have their own vault cubicle or controlled cash drawer in which to store their cash supply?
3. When a teller is leaving for vacation or for any other extended period of time, is that teller’s total cash supply counted?
4. Is each teller’s cash verified periodically on a surprise basis by an officer or other designated official (if so, is a record of such count retained)?
*5. Are cash drawers or teller cages provided with locking devices to protect the cash during periods of the teller’s absence?
6. Is a specified limit in effect for each teller’s cash?
*7. Is each teller’s cash checked daily to an independent control from the proof or accounting control department?
8. Are teller differences cleared daily?
9. Is an individual, cumulative over and short record maintained for all persons handling cash, and is the record reviewed by management?
10. Does the teller prepare and sign a daily proof sheet detailing currency, coin, and cash items?
*11. Are large teller differences required to be reported to a responsible official for clearance?
12. Is there a policy against allowing teller “kitties”?
*13. Are teller transactions identified through use of a teller stamp?
*14. Are teller transfers made by tickets or blotter entries which are verified and initialed by both tellers?
15. Are maximum amounts established for tellers’ cashing checks or allowing withdrawal from time deposit accounts without officer approval?
16. Does the currency at each location include a supply of bait money?
17. Are tellers provided with operational guidelines on check-cashing procedures and dollar limits?
18. Is a record maintained showing amounts and denominations of reserve cash?
*19. Is reserve cash under dual custody?
*20. Are currency shipments—
   a. prepared and sent under dual control and
   b. received and counted under dual control?
*21. If the bank uses teller machines—
   a. is the master key controlled by someone independent of the teller function,
   b. is the daily proof performed by someone other than the teller, and
   c. are keys removed by the teller during any absence?
*22. Is dual control maintained over mail deposits?
23. Is the night depository box under a dual lock system?
24. Is the withdrawal of night deposits made under dual control?
25. Regarding night depository transactions—
   a. are written contracts in effect;
   b. are customers provided with lockable bags; and
   c. are the following procedures completed with two employees present:
      • opening of the bags
      • initial recording of bag numbers, envelope numbers, and depositors’ names in the register
      • counting and verification of the contents
*26. Regarding vault control—
   a. is a register maintained which is signed by the individuals opening and closing the vault;
   b. are time-clock settings checked by a second officer;
   c. is the vault under dual control; and
   d. are combinations changed periodically and every time there is a change in custodianship?

Commercial Bank Examination Manual May 2007

2000.4 Cash Accounts: Internal Control Questionnaire

27. Are tellers prohibited from processing their own checks?
*28. Are tellers required to clear all checks from their funds daily?
*29. Are tellers prevented from having access to accounting department records?
*30. Are teller duties restricted to teller operations?

CASH-DISPENSING MACHINES

*31. Is daily access to the automated teller machine (ATM) made under dual control?
*32. When maintenance is being performed on a machine, with or without cash in it, is a representative of the bank required to be in attendance?
*33. Are combinations and keys to the machines controlled (if so, indicate controls)?
34. Do the machines and the related system have built-in controls that—
   a. limit the amount of cash and number of times dispensed during a specified period (if so, indicate detail) and
   b. capture the card if the wrong PIN (personal identification number) is consecutively used?
35. Does the machine automatically shut down after it experiences recurring errors?
36. Is lighting around the machine provided?
37. Does the machine capture cards of other banks or invalid cards?
38. If the machine is operated “off line,” does it have negative-file capability for present and future needs, which includes lists of lost, stolen, or other undesirable cards which should be captured?
39. Is use of an ATM by an individual customer in excess of that customer’s past history indicated on a Suspicious Activity Report by Depository Institutions (SAR-DI) form to be checked out by bank management (for example, three uses during past three days as compared with a history of one use per month)?
40. Have safeguards been implemented at the ATM to prevent, during use, the disclosure of a customer’s PIN by others observing the PIN pad?
41. Are “fish-proof” receptacles provided for customers to dispose of printed receipts, rather than insecure trash cans, etc.?
42. Does a communication interruption between an ATM and the central processing unit trigger the alarm system?
43. Are alarm devices connected to all automated teller machines?
44. For on-line operations, are all messages to and from the central processing unit and the ATM protected from tapping, message insertion, modification of message or surveillance by message encryption (scrambling techniques)? (One recognized encryption formula is the National Bureau of Standards Algorithm.)
*45. Are PINs mailed separately from cards?
*46. Are bank personnel who have custody of cards prohibited from also having custody of PINs at any stage (issuance, verification, or reissuance)?
47. Are magnetic stripe cards encrypted (scrambled) using an adequate algorithm (formula) including a total message control?
48. Are encryption keys, i.e., scramble plugs, under dual control of personnel not associated with operations or card issuance?
*49. Are captured cards under dual control of persons not associated with bank operation card issuance or PIN issuance?
*50. Are blank plastics and magnetic stripe readers under dual control?
51. Are all cards issued with set expiration
52. Are transaction journals provided that enable management to determine every transaction or attempted transaction at the

CASH ITEMS

*53. Are returned items handled by someone other than the teller who originated the transaction?
54. Does an officer or other designated individual review the disposition of all cash items over a specified dollar limit?
55. Is a daily report made of all cash items, and is it reviewed and initialed by the bank’s operations officer or other designated individual?
56. Is there a policy requiring that all cash items uncollected for a period of 30 days be charged off?


57. Do the bank’s present procedures forbid the holding of overdraft checks in the cash-item account?
58. Are all cash items reviewed at least monthly at an appropriate level of management?
*59. Are cash items recommended for charge-off reviewed and approved by the board of directors, a designated committee thereof, or an officer with no operational responsibilities?

PROOF AND TRANSIT

60. Are individuals working in the proof and transit department precluded from working in other departments of the bank?
61. Is the handling of cash letters such that—
   a. they are prepared and sent on a daily basis;
   b. they are photographed before they leave the bank;
   c. copy of proof or hand-run tape is properly identified and retained;
   d. records of cash letters sent to correspondent banks are maintained with identification of the subject bank, date, and amount; and
   e. remittances for cash letters are received by employees independent of those who send out the cash letters?
62. Are all entries to the general ledger either originated or approved by the proof
63. Are all entries prepared by the general ledger and/or customer accounts department reviewed by responsible supervisory personnel other than the person preparing the entry?
64. Are errors detected by the proof operator in proving deposits corrected by another employee or designated officer?
65. Are all postings to the general ledger and subsidiary ledgers supported by source documents?
66. Are returned items—
   *a. handled by an independent section of the department or delivered unopened to personnel not responsible for preparing cash letters or handling cash,
   b. reviewed periodically by responsible supervisory personnel to determine that items are being handled correctly by this section and are clearing on a timely basis,
   *c. scrutinized for employee items, and
   d. reviewed for large or repeat items?
67. Are holdover items—
   a. appropriately identified in the general ledger,
   *b. handled by an independent section of the department, and
   c. reviewed periodically by responsible supervisory personnel to determine that items are clearing on a timely basis?
68. Does the proof and transit department maintain a procedures manual describing the key operating procedures and functions within the department?
*69. Are items reported missing from cash letter promptly traced and a copy sent for credit?
*70. Is there a formal system to ensure that work distributed to proof machine operators is formally rotated?
71. Are proof machine operators prohibited from—
   a. filing checks or deposit slips or
   b. preparing deposit account statements?
72. Are proof machine operators instructed to report unusually large deposits or withdrawals to a responsible officer (if so, over what dollar amount $ )?

REGULATION H (12 CFR 208)—

73. Has a security officer been designated by the board of directors in accordance with Regulation H (12 CFR 208.61(b))?
74. Has a security program been developed and implemented in accordance with Regulation H (12 CFR 208.61(c))?
75. Does the bank have security devices that give a general level of protection and that are at least equivalent to the minimum requirements of Regulation H?
76. Has the installation, maintenance, and operation of security devices considered the operating environment of each office and the requirements of Regulation H (12 CFR 206.61(c))?
77. Does the security officer report at least annually to the bank’s board of directors on the administration and effectiveness of the security program in accordance with Regulation H (12 CFR 206.61(d))?

31 CFR 103—COMPLIANCE

78. Is the bank in compliance with the financial recordkeeping and reporting regu-

INTERNATIONAL DIVISION

*79. Are foreign-currency control ledgers and dollar-book-value equivalents posted accurately?
*80. Is each foreign currency revalued at least monthly, and are profit and loss entries passed on to the appropriate income accounts?
*81. Are revaluation calculations, including the rates used, periodically reviewed for accuracy by someone other than the foreign-currency tellers?
*82. Does the internal auditor periodically review for accuracy revaluation calculations, including the verification of rates used and the resulting general ledger

CONCLUSION

83. Is the foregoing information considered an adequate basis for evaluating internal control in that there are no significant deficiencies in areas not covered in this questionnaire that impair any controls? Explain negative answers briefly, and indicate any additional examination procedures deemed necessary.
84. Based on a composite evaluation as evidenced by answers to the foregoing questions, internal control is considered (adequate/inadequate). A separate evaluation should be made for each area, i.e., cash on hand, cash items, etc.

November 2000 Commercial Bank Examination Manual

Due from Banks
Effective date April 2008 Section 2010.1

Banks maintain deposits in other banks to facilitate the transfer of funds. Those bank assets, known as “due from bank deposits” or “correspondent bank balances”¹ are a part of the primary, uninvested funds of every bank. A transfer of funds between banks may result from the collection of cash items and cash letters, the transfer and settlement of securities transactions, the transfer of participating loan funds, the purchase or sale of federal funds, and many other causes.

In addition to deposits kept at the Federal Reserve Bank and with correspondent banks, a bank may maintain interest-bearing time deposits with international banks. Those deposits are a form of investment, and relevant examination considerations are included in “Investment Securities and End-User Activities,” section 2020.1, and “International—Due from Banks—Time,” section 7070.1.

Banks also use other banks to provide certain services that can be performed more economically or efficiently by another facility because of its size or geographic location. These services include processing of cash letters, packaging loan agreements, performing EDP services, collecting out-of-area items, providing safekeeping for bank and customer securities, exchanging foreign currency, and providing financial advice in specialized loan areas. When the service is one way, the receiving bank usually maintains a minimum balance at the providing bank to compensate in full or in part for the services received.

DEPOSITS WITH OTHER DEPOSITORY INSTITUTIONS

Section 206.3 of Regulation F (12 CFR 206) requires FDIC-insured depository institutions to adopt written policies and procedures to address the risk arising from exposure to a correspondent, and to prevent excessive exposure to any individual correspondent. These policies and procedures should take into account the financial condition of a correspondent and the size, form, and maturity of the exposure. Section 206.4(a) of Regulation F stipulates that any FDIC-insured depository institution must limit its interday credit exposure to an individual correspondent that is not “adequately capitalized”² to 25 percent of the institution’s total capital.³ For a more detailed discussion of Regulation F, refer to sections 2015.1–.4 and SR-93-36 (“Examiner Guidelines for Regulation F—Interbank Liabilities”).

BALANCES WITH FEDERAL

All state member banks are required by Regulation D (12 CFR 204) to keep reserves equal to specified percentages of the deposits on their books. These reserves are maintained in the form of vault cash or deposits with the Federal Reserve Bank. The Federal Reserve Bank monitors the deposits of each bank to determine that reserves are kept at required levels. The reserves provide the Federal Reserve System with a means of controlling the nation’s money supply. Changes in the level of required reserves affect the availability and cost of credit in the economy. The examiner must determine that the information supplied to the Federal Reserve Bank for computing reserves is accurate.

The Monetary Control Act of 1980 enables a nonmember financial institution to borrow from the Reserve Bank’s discount window on the same terms and conditions as member banks. For member banks, loan transactions are usually effected through their reserve account. For nonmember banks, the Reserve Bank typically requires the institution to open a special account called a clearing account. The loan transactions are then processed through the clearing account. However, in some instances, the Reserve Bank may allow a nonmember institution to process discount loan transactions through the account of a member bank. In most of these isolated cases, a transaction of a nonmember institution is being processed through the account of the bank with which the nonmember institution has a correspondent relationship.

Under the reserve account charge agreements used by most Federal Reserve Banks, the member bank’s reserve account may be charged if the nonmember bank defaults on the loan processed through the member bank’s account. Since member banks may not act as the guarantor of the debts of another, member banks may only legally enter into revocable reserve account charge agreements. Revocable agreements allow the member bank, at its option, to revoke the charge and thus avoid liability for the debt of the nonmember correspondent. In contrast, irrevocable charge agreements constitute a binding guarantee of the nonmember correspondent’s debt and generally cannot be entered into by a member bank. Banks that enter into revocable charge agreements should establish written procedures to ensure their ability to make prudent, timely decisions.

DEPOSIT BROKERS

On the asset side of the balance sheet, examiners should review the activities of banks that place deposits through money brokers. These banks should have sufficient documentation to, among other things, verify the amounts and terms of individual deposits and the names of depository institutions in which the deposits are placed. Banks should also be able to demonstrate that they have exercised appropriate credit judgment with respect to each depository institution in which they have placed funds. Deficiencies in this area could constitute an unsafe or unsound banking practice. A more detailed discussion of brokered deposits is included in “Deposit Accounts,” sections 3000.1–3000.3 of this

DUE FROM FOREIGN BANKS

Due from foreign banks demand or nostro accounts are handled in the same manner as due from domestic bank accounts, except that the balances due are generally denominated in foreign currency.

A bank must be prepared to make and receive payments in foreign currencies to meet the needs of its international customers. This can be accomplished by maintaining accounts (nostro balances) with banks in foreign countries in whose currencies receipts and payments are made.

Nostro balances may be compared with an inventory of goods and must be supervised in the same manner. For example, payment to import goods manufactured in Switzerland to the United States can be made through a U.S. bank’s Swiss franc account with another bank in Switzerland. Upon payment in Switzerland, the U.S. bank will credit its nostro account with the Swiss bank and charge its U.S. customer’s dollar account for the appropriate amount in dollars. Conversely, exporting U.S. goods to Switzerland results in a debit to the U.S. bank’s Swiss correspondent account. The first transaction results in an outflow of the U.S. bank’s “inventory” of Swiss francs, while the second transaction results in an inflow of Swiss francs. The U.S. bank must maintain adequate balances in its nostro accounts to meet unexpected needs and to avoid overdrawing those accounts for which interest must be paid. However, the bank should not maintain excessive idle nostro balances that do not earn interest, causing a loss of income. The U.S. bank also runs risks by being either long or short in a particular foreign currency or by maintaining undue gaps. Losses could result if that currency appreciates or depreciates significantly or if the bank must purchase or borrow the currency at a higher rate.

Excessive nostro overages and shortages can be avoided by entering into spot and forward exchange contracts to buy or sell such nostro inventories. Those contracts are discussed in “International—Foreign Exchange,” section 7100.1. However, all foreign-currency transactions, except over-the-counter cash trades, are settled through nostro accounts. Therefore, the volume of activity in those accounts may be substantial, and the accounts must be properly

In addition, an account service known as a payable-through account is being marketed by U.S. banks, Edge corporations, and the U.S. branches and agencies of foreign banks to foreign banks that otherwise would not have the ability to offer their customers access to the U.S. banking system. This account service, referred to by other names such as pass-through accounts and pass-by accounts, involves a U.S. banking entity’s opening of a deposit account for the foreign bank. Policies and procedures should be developed to guard against the possible improper or illegal use of payable-through account facilities by foreign banks and their customers. Examination procedures relating to this area are part of the FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual.

1. Balances due from such institutions include all interest-bearing and non-interest-bearing balances, whether in the form of demand, savings, or time balances, including certificates of deposit, but excluding certificates of deposit held in trading accounts.
2. See section 206.5(a) of Regulation F for the capital ratios necessary for a correspondent bank to be considered adequately capitalized.
3. The Board may waive this requirement if the primary federal supervisor of the insured institution advises the Board that the institution is not reasonably able to obtain necessary services, including payment-related services and placement of funds, without incurring exposure to a correspondent in excess of the otherwise applicable limit.

Commercial Bank Examination Manual April 2008

Due from Banks
Examination Objectives
Effective date May 1996 Section 2010.2
1. To determine if the policies, practices, procedures, and internal controls regarding due from banks are adequate.
2. To determine if bank officers and employees are operating in conformance with the established guidelines.
3. To determine that all due from accounts are reasonably stated and represent funds on deposit with other banks.
4. To evaluate the credit quality of banks with whom demand accounts are maintained.
5. To determine the scope and adequacy of the audit coverage.
6. To determine compliance with laws, rulings, and regulations.
7. To initiate corrective action when policies, practices, procedures, or internal controls are deficient or when violations of law, rulings, or regulations have been noted.

Commercial Bank Examination Manual May 1996

Due From Banks
Examination Procedures
Effective date May 2007 Section 2010.3

1. If selected for implementation, complete or update the Due From Banks Internal Control Questionnaire.
2. Determine the scope of the examination, based on the evaluation of internal controls and the work performed by internal/external auditors.
3. Test for compliance with policies, practices, procedures and internal controls in conjunction with performing the remaining examination procedures. Also, obtain a listing of any deficiencies noted in the latest review done by internal/external auditors from the examiner assigned “Internal Control,” and determine if corrections have been accomplished.
4. Scan the most recent bank-prepared reconcilements for any unusual items and determine that closing balances listed on reconcilements agree with the general ledger and with the balance shown on the cut-off statement if one has been obtained.
5. If the bank’s policy for charge-off of old open items provides for exceptions in extenuating circumstances, review excepted items and determine if charge-off is appropriate.
6. If the bank has no policy for charge-off of old open items, review any items which are large or unusual or which have been outstanding for over two months, along with related correspondence, and determine if charge-off is appropriate.
7. Test the bank’s calculation of its Federal Reserve requirement and determine that reports are accurate and complete by:
   a. Performing a limited review of a sample of line items if the bank has effective operating procedures and has an audit program covering the required reports.
   b. Performing a detailed review of all line items if the bank has not established operating procedures or does not have an audit program covering the required reports.
8. Confer with the examiner assigned to check for compliance with the laws and regulations relating to insider loans at correspondent banks and loans to insiders of correspondent banks (Regulation O and 12 USC 1972(2)) and either provide a list, or verify a bank supplied list, of correspondent banks. (This effort should be coordinated with the examiner assigned to “Deposit Accounts” to avoid duplication of work.)
9. Review the maximum deposit balance established for each due from bank account and determine if the maximum balance:
   a. Is established after consideration of compensating balance requirements resulting from commitments or credit lines made available to the bank or its holding company. Coordinate this effort with examiner assigned “Bank-Related Organizations.”
   b. Appears to be related to loans of executive officers or directors or to loans which have been used to acquire stock control of the bank under examination.
      • If such due from accounts are detected, provide full details of the account to the examiner assigned to check for compliance with the law relating to loans to insiders of correspondent banks (12 USC 1972(2)).
10. Determine the existence of any concentrations of assets with other banks. Include correspondent accounts, time deposits and any federal funds sold in computation. For concentrations exceeding 25 percent of the bank’s capital structure, forward the information to examiners assigned “Concentrations of Credit” for possible inclusion in the report of examination.

Note: Procedures 11 through 21 apply to due from foreign banks—demand (nostro accounts).

11. Obtain or prepare a trial balance (including local currency book values) of due from foreign banks—demand by bank customer and:
   a. Agree or reconcile balances to department controls and the general ledger.
   b. Review reconciling items for reasonableness.
12. Using the appropriate sampling technique, select demand account banks for examination.
13. Prepare credit line sheets to include:
   a. Customer’s aggregate due from banks—demand liability in foreign currency amount and local currency equivalent.
   b. Amount of customer’s line designated by the bank.
   c. Frequency of recent overdrawn nostro accounts.
   (Overdrawn nostro accounts as they relate to foreign exchange activities are discussed in the International—Foreign Exchange section. Also, the examiner assigned “Borrowed Funds” must obtain (or prepare) a listing of overdrawn nostro accounts for inclusion in the borrowing section of the report of examination.)
   d. Past compliance with customer’s line limitation as determined from review of liability ledger records.
14. Obtain from the examiner assigned “International—Loan Portfolio Management,” schedules on the following, if they are applicable to the due from foreign banks—demand:
   a. Delinquencies.
   b. Miscellaneous loan debit and credit suspense accounts.
   c. Criticized shared national credits.
   d. Interagency Country Exposure Review Committee credits.
   e. Loans criticized during the previous examination.
   f. Information on directors, officers and their interests, as contained in statements required under Regulation O (12 CFR 215).
   g. Specific guidelines in the bank policy relating to due from banks—demand.
   h. Current listing of due from foreign banks—demand approved customer lines.
   i. Any useful information resulting from the review of the minutes of the loan and discount committee or any similar committee.
   j. Reports furnished to the board of directors.
15. Review the information received and perform the following for:
   a. Miscellaneous loan debit and credit suspense accounts:
      • Discuss with management any large or old items.
      • Perform additional procedures as deemed appropriate.
   b. Interagency Country Exposure Review Committee Credits:
      • Compare the schedule to the trial balance to determine which due from foreign banks—demand deposits are portions of Interagency Country Exposure Review Committee credits.
      • For each due from foreign bank—demand deposit so identified, transcribe appropriate information to line sheets and forward the information to the examiner assigned “International—Loan Portfolio Man-
   c. Loans criticized during the previous examination (due from foreign banks—demand portion):
      • Determine the disposition of the due from foreign banks—demand so criticized by transcribing:
         — Current balance and payment status, or
         — Date the deposit was paid and the source of repayment.
16. Transcribe or compare information from the above schedules to credit line sheets, where appropriate, and indicate any cancelled bank lines.
17. Prepare credit line cards for any due from foreign banks—demand not in the sample which, based on information derived from the above schedules, requires in-depth review.
18. Obtain liability and other information on common borrowers from examiners assigned to cash items, overdrafts and loan areas and together decide who will review the borrowing relationship. Pass or retain completed credit line cards.
19. Obtain credit files for all due from foreign banks—demand for whom credit line cards were prepared and complete credit line cards where appropriate. To analyze the loans, perform the procedures set forth in step 14 of the International—Due From Banks–Time section.
20. By reviewing appropriate bank records, determine that:
   a. Profit or losses resulting from revaluation adjustment on net open positions spot are passed properly to the respective due from foreign bank—demand (nostro) account (usually monthly).
   b. At the delivery of the “swap” forward contract, proper entries are made to the respective due from foreign bank—demand (nostro) and swap adjustment accounts.


21. Determine compliance with laws, regulations and rulings pertaining to due from foreign banks—demand activities by performing the following for:
   a. Reporting of Foreign Exchange Activities:
      • Determine that Foreign Currency Forms FC-1, FC-2, FC-1a and FC-2a, as required, are submitted to the Department of the Treasury under the provisions of 31 CFR 128.
      • Check that copies of those forms are forwarded by each state member bank to the Federal Reserve at each filing time specified in 31 CFR 128.

Note: Due from foreign banks—demand (nostro) deposits will be reviewed, discussed with appropriate bank officers, and prepared in suitable report form by the examiner assigned “International—Due From Banks–Time”, if the bank maintains international due from banks—time and/or call money deposits.

22. Forward list of due from banks accounts to the examiner assigned to “Investment Securities” and to “Loan Portfolio Management.”
23. Consult with the examiner assigned “Asset/Liability Management” and provide the following, if requested:
   a. A listing, by maturity and amount, of due from banks—time deposits.
   b. The amounts of due from banks—demand deposits that exceed the required reserve balance at the Federal Reserve Bank and that exceed the working balances at correspondent banks.
24. Discuss with appropriate officer(s) and prepare in suitable report form of:
   a. Cancelled due from foreign banks—demand deposit lines that are unpaid.
   b. Violations of laws, regulations and rulings.
   c. Internal control exceptions and deficiencies, or noncompliance with written policies, practices and procedures.
   d. Any items to be considered for charge-off.
   e. Uncorrected audit deficiencies.
   f. Due from foreign banks—demand deposits not supported by current and complete financial information.
   g. Due from foreign banks—demand deposits on which documentation is deficient.
   h. Concentrations.
   i. Criticized loans (portions applicable to due from foreign banks—demand deposits).
   j. Due from foreign banks—demand deposits which for any other reason are questionable as to quality and ultimate collection.
   k. Other matters regarding condition of the department.
25. Update the workpapers with any information that will facilitate future examinations.

Commercial Bank Examination Manual March 1994

Due From Banks
Internal Control Questionnaire
Effective date March 1984 Section 2010.4

Review the bank’s internal controls, policies, sign of alteration and are payments or paid
practices and procedures for due from bank drafts compared with such statements by
accounts. The bank’s system should be docu- the persons who prepare bank reconcile-
mented in a complete and concise manner and ments (if so, skip question 5)?
should include, where appropriate, narrative *5. If the answer to question 4 is no, are bank
descriptions, flowcharts, copies of forms used statements and paid drafts or payments
and other pertinent information. Items marked handled before reconcilement only by per-
with an asterisk require substantiation by observation or testing.

POLICIES FOR DUE FROM BANK
DOMESTIC AND FOREIGN—

1. Has the board of directors, consistent with its duties and responsibilities, adopted written policies for due from bank accounts that:
   a. Provide for periodic review and approval of balances maintained in each such account?
   b. Indicate person(s) responsible for monitoring balances and the application of approved procedures?
   c. Establish levels of check-signing
   d. Indicate officers responsible for approval of transfers between correspondent banks and procedures for documenting such approval?
   e. Indicate the supervisor responsible for regular review of reconciliations and reconciling items?
   f. Indicate that all entries to the accounts are to be approved by an officer or appropriate supervisor and that such approval will be documented?
   g. Establish time guidelines for charge-off of old open items?
2. Are the policies for due from bank accounts reviewed at least annually by the board or the board’s designee to determine their adequacy in light of changing conditions?

BANK RECONCILEMENTS

3. Are bank reconcilements prepared promptly upon receipt of the statements?
*4. Are bank statements examined for any

sons who do not also:
   a. Issue drafts or official checks and prepare, add or post the general or subsidiary ledgers?
   b. Handle cash and prepare, add or post the general ledger or subsidiary
*6. Are bank reconcilements prepared by persons who do not also:
   a. Issue drafts or official checks?
   b. Handle cash?
   c. Prepare general ledger entries?
7. Concerning bank reconcilements:
   a. Are amounts of paid drafts or repayments compared or tested to entries on the ledgers?
   b. Are entries or paid drafts examined or reviewed for any unusual features?
   c. Whenever a delay occurs in the clearance of deposits in transit, outstanding drafts and other reconciling items, are such delays investigated?
   d. Is a record maintained after an item has cleared regarding the follow-up and reason for any delay?
   e. Are follow-up and necessary adjusting entries directed to the department originating or responsible for the entry for correction with subsequent review of the resulting entries by the person responsible for reconcilement?
   f. Is a permanent record of the account reconcilement maintained?
   g. Are records of the account reconcilements safeguarded against alteration?
   h. Are all reconciling items clearly described and dated?
   i. Are details of account reconcilement reviewed and approved by an officer or supervisory employee?
   j. Does the person performing reconcilements sign and date them?
   k. Are reconcilement duties for foreign
   demand accounts rotated on a formal basis?

DRAFTS

8. Are procedures in effect for the handling of drafts so that:
   *a. All unissued drafts are maintained under dual control?
   b. All drafts are prenumbered?
   c. A printer’s certificate is received with each supply of new prenumbered
   d. A separate series of drafts is used for each bank?
   e. Drafts are never issued payable to cash?
   f. Voided drafts are adequately cancelled to prevent possible reuse?
   *g. A record of issued and voided drafts is maintained?
   *h. Drafts outstanding for an unreasonable period of time (perhaps six months or more) are placed under special controls?
   i. All drafts are signed by an authorized employee?
   *j. The employees authorized to sign drafts are prohibited from doing so before a draft is completely filled out?
   *k. If a check-signing machine is used, controls are maintained to prevent its unauthorized use?

9. Is the handling of foreign cash letters such that:
   a. They are prepared and sent on a daily basis?
   b. They are copied or photographed prior to leaving the bank?
   c. A copy of proof or hand run tape is properly identified and retained?
   d. Records of foreign cash letters sent to correspondent banks are maintained, identifying the subject bank, date and amount?

FOREIGN RETURN ITEMS

10. Are there procedures for the handling of return items so that:
   *a. They are delivered unopened and reviewed by someone who is not responsible for preparation of cash
   b. All large unusual items or items on which an employee is listed as maker, payee or endorser are reported to an officer?
   c. Items reported missing from cash letters are promptly traced and a copy sent for credit?

*11. Are persons handling and reconciling due from foreign bank—demand accounts excluded from performing foreign exchange and position clerk functions?
*12. Is there a daily report of settlements made and other receipts and payments of foreign currency affecting the due from foreign bank—demand accounts?
*13. Is each due from foreign bank—demand foreign currency ledger revalued monthly and are appropriate profit or loss entries passed to applicable subsidiary ledgers and the general ledger?
*14. Does an officer not preparing the calculations review revaluations of due from foreign bank—demand ledgers, including the verification of rates used and the resulting general ledger entries?

*15. Are separate dual currency general ledger or individual subsidiary accounts maintained for each due from foreign bank—demand account, indicating the foreign currency balance and a U.S. dollar (or local currency) equivalent balance?
16. Do the above ledger or individual subsidiary accounts clearly reflect entry and value dates?
17. Are the above ledger or individual subsidiary accounts balanced to the general ledger on a daily basis?
18. Does international division management receive a daily trial balance of due from foreign bank—demand customer balances by foreign currency and U.S. dollar (or local currency) equivalents?

OTHER

19. Is a separate general ledger account or individual subsidiary account maintained for each due from bank account?
20. Are overdrafts of domestic and foreign due from bank accounts properly recorded on the bank’s records and promptly reported to the responsible officer?
21. Are procedures for handling the Federal Reserve account established so that:
   a. The account is reconciled on a daily basis?
   b. Responsibility is assigned for assuring that the required reserve is maintained?
   c. Figures supplied to the Federal Reserve for use in computing the reserve requirement are reviewed to ensure they do not include asset items ineligible for meeting the reserve requirement, and that all liability items are properly classified as required by Regulation D and its interpretations?
22. Does the foregoing information constitute an adequate basis for evaluating internal control in that there are no significant deficiencies in areas not covered in this questionnaire that impair any controls? Explain negative answers briefly and indicate any additional examination procedures deemed necessary.
23. Based on a composite evaluation, as evidenced by answers to the foregoing questions, internal control is considered (adequate/inadequate).

Interbank Liabilities
Effective date May 2006 Section 2015.1

It is important for a federally insured depository institution 1 (bank) to control and limit the risk exposures posed to it by another domestic bank (whether or not that institution is an insured depository institution) or foreign bank with which it does business (referred to as a correspondent). These exposures may include all extensions of credit to a correspondent; deposits or reverse repurchase agreements with a correspondent; guarantees, acceptances, or standby letters of credit on behalf of a correspondent; purchases or acceptance as collateral of correspondent-issued securities; and all similar transactions. A bank needs to develop internal procedures to evaluate and control the risk exposures to the bank from its correspondents. Such procedures would help prevent a situation whereby the failure of a single correspondent could trigger the failure of a federally insured depository institution having claims on the failed correspondent. (See SR-93-36.)

A bank’s principal sources of exposure to its correspondent tend to arise from two types of activity. First, banks may become exposed when obtaining services from (such as check-collection services), or providing services to, their correspondents. Second, exposure may arise when banks engage in transactions with correspondents in the financial markets. Each type of exposure has its own characteristics and its own risks.

Correspondent banking services are the primary source of interbank exposure for the majority of banks, particularly small and medium-sized banks. In connection with check-collection services and other trade- or payment-related correspondent services, banks often maintain balances with their correspondents in order to settle transactions and compensate the correspondents for the services provided. These balances give rise to exposure to the correspondents. Although correspondent services are in some cases provided on a fee basis, many correspondents may prefer compensating-balance arrangements, as these balances provide the correspondents with a stable source of funding. Also, some banks may prefer to pay for services with ‘‘soft charges’’ in the form of balances instead of ‘‘hard charges’’ in the form of fees.

Exposure to a correspondent may be significant, particularly when a bank uses one correspondent for all of its check collections and other payment services; loans excess reserve account balances (federal, or fed, funds) to the correspondent,2 or engages in other banking transactions with correspondents.3 This exposure may increase when interest rates fall, as higher levels of compensating balances may be required to provide adequate compensation to the correspondent.

Money-center banks and large regional banks may have significant exposure to correspondents 4 through their activities in interbank markets, such as the securities, swap, and foreign-exchange markets. Interbank transactions that call for performance in the future (such as swaps, foreign-exchange contracts, and over-the-counter options) give rise to exposure to the correspondents that act as counterparties 5 in such transactions. In addition to credit risk, such transactions may involve interest-rate risk,

1. A federally insured depository institution refers to a bank, as defined in section 3 of the Federal Deposit Insurance Act (12 USC 1813), and includes a federally insured national bank, state bank, District bank, or savings association, and a federally insured branch of a foreign bank.

2. In the fed funds market, a loan of fed funds is often referred to as a sale. Borrowing of fed funds is referred to as a purchase.

3. Although a bank’s primary correspondent often will borrow (purchase) fed funds as principal directly from the bank, a correspondent may act as agent to place the funds with another institution. In such agency arrangements, a bank may provide its correspondent with a preapproved list of institutions with which the correspondent may place the funds. When a correspondent is acting as the bank’s agent in placing fed funds, the bank’s exposure would be to the ultimate purchaser of the funds, not to the correspondent placing the funds on its behalf.
Generally, fed funds loans are unsecured. A bank may also provide funds to a correspondent through transactions known as reverse repurchase agreements, in which the bank provides funds to the correspondent by buying an asset, generally a government security. The correspondent agrees that it will repurchase the asset from the bank at the expiration of a set period, generally overnight, at a repurchase price calculated to compensate the bank for the use of its funds. Unlike fed funds loans, these transactions are essentially secured transactions.

4. Although the depository institutions that are parties to transactions in the interbank markets discussed above generally are referred to as counterparties, the term correspondent is used in this discussion to denote any domestic depository institution or a foreign bank to which a bank is exposed. The term correspondent does not include a commonly controlled correspondent, as defined in section 206.2(b) of Regulation F.

5. In other banking transactions, such as foreign-exchange, money market, and other permissible transactions, activities, or contractual arrangements, the other party to the transaction is referred to as the counterparty rather than as the correspondent.

foreign-exchange risk, and settlement risk. Settlement risk is the risk that a counterparty will fail to make a payment or delivery in a timely manner. Settlement risk may arise from unsecured transactions in the government securities, foreign-exchange, or other markets, and it may result from operational, liquidity, or credit problems.

Lending limits prohibit national banks from lending amounts equal to more than 15 percent of a national bank’s unimpaired capital and surplus to a single borrower on an unsecured basis (12 USC 84(a)(1)); these limits also prohibit a national bank from lending an additional 10 percent on a secured basis (12 USC 84(a)(2)). The national bank lending limits apply only to ‘‘loans and extensions of credit,’’ and the limits do not include most off-balance-sheet transactions that may provide significant sources of exposure to correspondents. Additionally, the national bank lending limits do not apply to overnight fed funds loans, a significant source of short-term exposure to correspondents. State limits generally do not apply to a broader range of transactions than the national bank limits, although some states include fed funds transactions within their limits.

State-chartered banks generally are subject to lending limits under state law. Almost all states impose lending limits on the banks they charter. Most of these limits are patterned on the national bank lending limits, although the specific percentages or transactions covered vary. The state limits generally do not apply to a broader range of off-balance-sheet transactions, although some states include fed funds transactions within their limits. A number of states, however, exclude interbank transactions from their lending limits entirely.

LIMITS ON INTERBANK LIABILITIES

Regulation F, Limitations on Interbank Liabilities (12 CFR 206), implemented section 308 of the Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA), which amended section 23 of the Federal Reserve Act (12 USC 371b-2). Section 23, as amended, requires the Board of Governors of the Federal Reserve System (the Board) to prescribe standards to limit the risks posed by exposure of banks to other domestic depository institutions and foreign banks. Regulation F sets forth these standards. All depository institutions insured by the FDIC are subject to the Federal Reserve Board’s Regulation F.6 Regulation F was first adopted in 1992 and has remained substantially the same, except for the technical amendments adopted by the Board on September 10, 2003. (See 68 Fed. Reg. 53,283.) Regulation F consists of two primary parts: (1) prudential standards that apply to exposures generally (section 206.3) and (2) special rules that apply to credit exposure under certain circumstances (section 206.4).

The ‘‘Prudential Standards’’ section requires depository institutions to develop and adopt internal policies and procedures to evaluate and control all types of exposures to correspondents with which they do business.7 Policies and procedures are to be established and maintained to prevent excessive exposure to any individual correspondent in relation to the condition of the correspondent. The ‘‘Prudential Standards’’ section requires a bank to adopt internal exposure limits when the financial condition of the correspondent and the form or maturity of the exposure create a significant risk that payments will not be made in full or on time. This section also provides that a bank shall structure the transactions of a correspondent or monitor exposures to a correspondent such that the bank’s exposure ordinarily does not exceed its internal limits.

The ‘‘Credit Exposure’’ section provides that a bank’s internal limit on interday credit exposure to an individual correspondent may not be more than 25 percent of the exposed bank’s total capital, unless the bank can demonstrate that its correspondent is at least ‘‘adequately capitalized,’’ as defined in section 206.5(a) of the rule. No limit is specified for credit exposure to correspondents that are at least adequately capitalized, but prudential standards are required for all correspondents, regardless of capital level. The term correspondent includes both domestically chartered depository institutions that are FDIC insured and foreign banks; the term does not include a commonly controlled correspondent.

6. Correspondent is defined in section 206.2(c) of Regulation F to mean a U.S. depository institution or a foreign bank to which a bank has exposure, but does not include commonly controlled correspondents.

7. Banks had to have the internal policies and procedures in place on June 19, 1993.

Prudential Standards

Standards for Selecting Correspondents

Banks are to address the risk arising from exposure to a correspondent, taking into account the financial condition of the correspondent and the size, form, and maturity of its exposure to the correspondent. Banks must adopt internal policies and procedures that evaluate the credit and liquidity risks, including operational risks, in selecting correspondents and terminating those relationships. Depository institutions are permitted to adopt flexible policies and procedures in order to permit resources to be allocated in a manner that will result in real reductions in risk. The policies and procedures must be reviewed annually by the bank’s board of directors, but individual correspondent relationships need not be approved by the board. Examiners should determine that the policies and procedures adopted by the board provide for a determination of the credit, liquidity, and operational risks of a correspondent when the relationship with the correspondent is established and as it is maintained.8 Additionally, if the bank has significant operational risk—such as relying on a correspondent for extensive data processing—that exposure could also lead to liquidity problems. This exposure may not be an issue for institutions that are not operationally dependent on any particular correspondent. Many banks may also address this exposure elsewhere in their operational procedures.

A bank’s policies and procedures should provide for periodic review of the financial condition of any correspondent to which the bank has significant exposure. This review should evaluate whether the size and maturity of the exposure is commensurate with the correspondent’s financial condition.9 Factors bearing on the financial condition of the correspondent include, but are not necessarily limited to, (1) the capital level of the correspondent, (2) the level of nonaccrual and past-due loans and leases, and (3) the level of earnings.

Examiners should determine that a bank has periodically reviewed the financial condition of any correspondent to which the bank has significant exposure. The frequency of these reviews will depend on the size and maturity of the exposure and the condition of the correspondent. For example, the policies of many banks provide for an extensive annual review of a correspondent’s financial condition; such policies may also provide for less extensive interim reviews under some circumstances, such as when exposure to a correspondent is very high or when a correspondent has experienced financial difficulty. A bank need not require periodic review of the financial condition of all correspondents. For example, periodic reviews would not be necessary for a correspondent to which the bank has only insignificant levels of exposure, such as small balances maintained for clearing purposes.10 Significant levels of exposure should reflect those amounts that a prudent bank believes deserve analysis for risk of loss.

A bank may base its review of the financial condition of a correspondent on publicly available information, such as bank Call Reports, financial statements or reports, Uniform Bank Performance Reports, or annual reports, or the bank may use financial information obtained from a rating service. A bank generally is not required to obtain nonpublic information to use as the basis for its analysis and review of the financial condition of a correspondent.11 For

8. Liquidity risk and operational risk are terms used in the definition of exposure. Liquidity risk is the risk that payment will be delayed for some period of time. For example, a bank is subject to the liquidity risk that a payment due from a failed correspondent will not be made on time; the bank’s credit risk may be a lesser amount due to later distributions from the correspondent’s receiver. Liquidity risk is included in the definition of exposure.
Operational risk is the risk that a correspondent’s operational problems may prevent it from making payments, thereby creating liquidity risks for other banks. For example, a computer failure at a correspondent that a bank relies on for extensive data processing support may prevent the correspondent from making payments, and thus may create liquidity problems for the bank and other banks as well. Operational risk is also included in the definition of exposure.

9. Because exposure to a Federal Reserve Bank or Federal Home Loan Bank poses minimal risk to a respondent, Federal Reserve Banks and Federal Home Loan Banks are not included in the definition of correspondent.

10. Other forms of exposure that generally would not be considered significant include (1) a collecting bank’s risk that a check will be returned, (2) an originating bank’s risk that an automated clearinghouse (ACH) debit transfer will be returned or its settlement reversed, (3) a receiving bank’s remote risk that settlement for an automated credit transfer could be reversed, or (4) a credit card transaction. In these types of transactions, the amounts involved are generally small, and the exposed bank usually has prompt recourse to other parties.

11. A bank is required to obtain nonpublic information to evaluate a correspondent’s condition for those foreign banks for which no public financial statements are available. In these limited circumstances, the bank would need to obtain financial information for its review (including information obtained directly from the correspondent).

correspondents with which a bank has a significant relationship, a bank may have considerable nonpublic information, such as information on the quality of management, general portfolio composition, and similar information, but such information is not always available and is not required.

Regardless of whether public or nonpublic sources of information are used, a bank may rely on another party, such as a bank rating agency, its bank holding company, or another correspondent, to assess the financial condition of or select a correspondent, provided that the board of directors has reviewed and approved the general assessment or selection criteria used by that party. Examiners should ascertain that the bank reviews and approves the assessment criteria used by such other parties. Additionally, when a bank relies on its bank holding company to select and monitor correspondents—or relies on a correspondent, such as a bankers’ bank, to choose other correspondents with which to place the bank’s federal funds or other deposits—examiners should ensure that the bank has reviewed and approved the selection criteria used.

Internal Limits on Exposure

When the financial condition of the correspondent and the form or maturity of the exposure represent a significant risk that payments will not be made in full or in a timely manner, a bank’s policies and procedures must limit its exposure to the correspondent, either by the establishment of internal limits or by other means. Limits are to be consistent with the risks undertaken, considering the financial condition and the form and maturity of the exposure to the correspondent. Limits may specify fixed exposure amounts, or they may be more flexible and be based on factors such as the monitoring of exposure and the financial condition of the correspondent. Different limits may be set for different forms of exposure, different products, and different maturities.

When a bank has exposure to a correspondent that has a deteriorating financial condition, examiners should determine if the bank took that deterioration into account when it evaluated the correspondent’s creditworthiness. The examiner should also evaluate if the bank’s level of exposure to the correspondent was appropriate. Examiners need to determine that the bank’s policy and procedural limits are consistent with the risk undertaken, given the maturity of the exposure and the condition of the correspondent. Inflexible dollar limits may not be necessary in all cases. As stated earlier, limits can be flexible and be based on factors such as the level of the bank’s monitoring of its exposure and the condition of the correspondent. For example, a bank may choose not to establish a specific limit on exposure to a correspondent when the bank is able to ascertain account balances with the correspondent on a daily basis, because such balances could be reduced rapidly if necessary. In appropriate circumstances, a bank may establish limits for longer-term exposure to a correspondent, while not setting limits for interday (overnight) or intraday (within the day) exposure. Generally, banks do not need to set one overall limit on their exposure to a correspondent. Banks may prefer instead to set separate limits for different forms of exposure, products, or maturities. A bank’s evaluation of its overall facility with a correspondent should take into account utilization levels and procedures for further limiting or monitoring overall exposure.

When a bank has established internal limits for its significant exposure, examiners should ensure that the bank either (1) has procedures to monitor its exposure to remain within established limits or (2) structures transactions with the correspondent to ensure that the exposure ordinarily remains within the bank’s established internal limits. While some banks may monitor actual overall exposure, others may establish individual lines for significant sources of exposure, such as federal funds sales. For such banks, the examiner should ensure that the bank has established procedures to ensure that exposure generally remains within the established lines. In some instances, a bank may accomplish this objective by establishing limits on exposure that are monitored by a correspondent, such as for sales of federal funds through the correspondent as agent.

When a bank monitors its exposures, the appropriate level of monitoring will depend on (1) the type and volatility of the exposure, (2) the extent to which the exposure approaches the bank’s internal limits for the correspondent, and (3) the condition of the correspondent. Generally, monitoring may be conducted retrospectively. Examples of retrospective monitoring include checking close-of-business balances at a correspondent for the prior day or obtaining daily balance records from a correspondent at
the end of each month. Thus, banks are not expected to monitor exposure to correspondents on a real-time basis.

The purpose of requiring banks to monitor or structure their transactions that are subject to limits is to ensure that the bank’s exposure generally remains within established limits. However, occasional excesses over limits may result from factors such as unusual market disturbances, unusual favorable market moves, or other unusual increases in activity or operational problems. Unusual late incoming wires or unusually large foreign cash letters (international pouch) would be considered examples of activities that could lead to excesses over internal limits and that would not be considered impermissible under the rule. Examiners should verify that banks have established appropriate procedures to address any excesses over internal limits.

A bank’s internal policies and procedures must address intraday exposure. However, as with other exposure of longer maturities (i.e., interday or longer), the rule does not necessarily require that limits be established on intraday exposure. Examiners should expect to see such limits or frequent monitoring of balances only if the size of the intraday exposure and the condition of the correspondent indicate a significant risk that payments will not be made as contemplated. Examiners should keep in mind that intraday exposure may be difficult for a bank to actively monitor and limit. Consequently, like interday exposure, intraday exposure may be monitored retrospectively. In addition, smaller banks may limit their focus on intraday exposure to being aware of the range of peak intraday exposure to particular institutions and the effect that exposure may have on the bank. For example, a bank may receive reports on intraday balances from a correspondent on a monthly basis and would only need to take actions to limit or more actively monitor such exposure if the bank becomes concerned about the size of the intraday exposure relative to the condition of the correspondent.

Credit Exposure

A bank’s internal policies and procedures must limit overnight credit exposure to an individual correspondent to not more than 25 percent of the exposed bank’s total capital, unless the bank can demonstrate that its correspondent is at least adequately capitalized.12 The credit exposure of a bank to a correspondent shall consist of the bank’s assets and off-balance-sheet items that are (1) subject to capital requirements under the capital adequacy guidelines of the bank’s primary federal supervisor and (2) involve claims on the correspondent or capital instruments issued by the correspondent.13 Credit exposure therefore includes items such as deposit balances with a correspondent, fed funds sales, and credit-equivalent amounts of interest-rate and foreign-exchange-rate contracts and other off-balance-sheet transactions. Credit exposure does not include settlement of transactions, transactions conducted in an agency or similar capacity where losses will be passed back to the principal or other party, and other sources of exposure that are not covered by the capital adequacy guidelines or that do not involve exposure to a correspondent.14 A bank may exclude the following from the calculation of credit exposure to a correspondent: (1) transactions, including reverse repurchase agreements, to the extent that the transactions are secured by government securities or readily marketable collateral; (2) the proceeds of checks and other cash items depos-

12. Total capital is the total of a bank’s tier 1 and tier 2 capital calculated according to the risk-based capital guidelines of the bank’s primary federal supervisor. For an insured branch of a foreign bank organized under the laws of a country that subscribes to the principles of the Basel Capital Accord, total capital means total tier 1 and tier 2 capital as calculated under the standards of that country. For an insured branch of a foreign bank organized under the laws of a country that does not subscribe to the principles of the Basel Capital Accord, total capital means total tier 1 and tier 2 capital as calculated under the provisions of the accord. The limit on credit exposure of the insured branch of a foreign bank is based on the foreign bank’s total capital, as defined in this section, not on the imputed capital of the branch.
For purposes of Regulation F, an adequately capitalized correspondent is a correspondent with a total risk-based capital ratio of 8.0 percent or greater, a tier 1 risk-based capital ratio of 4.0 percent or greater, and a leverage ratio of 4.0 percent or greater. The leverage ratio does not apply to correspondents that are foreign banks. See section 206.5(e) for definitions of these terms.

13. A bank is required to include with its own credit exposure 100 percent of the credit exposure of any subsidiary that the bank is required to consolidate on its bank Call Report. This provision generally captures the credit exposure of any majority-owned subsidiary of the bank. Therefore, none of a minority-owned subsidiary’s exposure and all of a majority-owned subsidiary’s exposure would be included in the parent bank’s exposure calculation.

14. For example, when assets of a bank, such as securities, are held in safekeeping by a correspondent, there is no exposure to the correspondent, even though the securities themselves may be subject to a capital charge.

ited in an account at a correspondent that are not yet available for withdrawal, (3) quality assets on which the correspondent is secondarily liable, or obligations of the correspondent on which a creditworthy obligor in addition to the correspondent is available; (4) exposure that results from the merger with or acquisition of another bank for one year after that merger or acquisition is consummated; and (5) the portion of the bank’s exposure to the correspondent that is covered by federal deposit insurance. (See section 206.4(d) for a more detailed discussion of these exclusions.) This regulatory limit on credit exposure should be implemented as part of the bank’s policies and procedures required under the “Prudential Standards” section. Regulation F does not impose regulatory limits for “credit exposure” to adequately or well-capitalized correspondents.

Quarterly monitoring of capital is only required for correspondents to which a bank’s potential credit exposure is more than 25 percent of its total capital.15 If the internal systems of a bank ordinarily limit credit exposure to a correspondent to 25 percent or less of the exposed bank’s total capital, no monitoring of the correspondent’s capital would be necessary, although periodic reviews of the correspondent’s financial condition may be required under the “Prudential Standards” section if exposure to the correspondent is significant. Every effort should be made to allow banks to use existing risk-monitoring and -control systems and practices when these systems and practices effectively maintain credit exposure within the prescribed limits. For smaller institutions, it is relatively easy to determine how their measure of exposure compares with the definition of credit exposure in Regulation F because these institutions have relatively simple types of exposure. Examiners should remember that the regulation emphasizes appropriate levels of exposure based on the exposed bank’s analysis of the creditworthiness of its correspondents. Accordingly, for those correspondents that the bank has not demonstrated are at least adequately capitalized, this limit should be viewed as a maximum credit-exposure level rather than as a safe-harbor level of credit exposure.

Examiners should ensure that the bank has in place policies and procedures that ensure the quarterly monitoring of the capital of its domestic correspondents. This quarterly schedule allows the bank to pick up information from the correspondent’s most recent bank Call Report, financial statement, or bank rating report. Currently, it is difficult to obtain information on the risk-based capital levels of a correspondent. Regulation F requires that a bank must be able to demonstrate only that its correspondent’s capital ratios qualify it as at least adequately capitalized.

A bank is not limited to a single source of information for capital ratios. A bank may rely on capital information obtained from a correspondent, a bank rating agency, or another reliable source of information. Further, examiners should anticipate that most banks will receive information on their correspondent’s capital ratios either directly from the correspondents or from a bank rating agency. The standard used in the rule is based solely on capital ratios and does not require disclosure of CAMELS ratings. For foreign bank correspondents, monitoring frequency should be related to the frequency with which financial statements or other regular reports are available. Although such information is available quarterly for some foreign banks, financial statements for many foreign banks are generally available only on a semiannual basis.

Information on risk-based capital ratios may not be available for many foreign bank correspondents. As with domestic correspondents, however, examiners should anticipate that in most instances the correspondent will provide the information to the banks with which it does business.

A bank’s internal policies and procedures should limit overnight credit exposure to a correspondent to not more than 25 percent of the exposed bank’s total capital, unless the bank can demonstrate that its correspondent is at least adequately capitalized, as defined by the rule. However, examiners should not necessarily expect banks to have formal limits on credit exposure to a correspondent for which the bank does not maintain quarterly capital information or that is a less than adequately capitalized correspondent if the banks’ policies and procedures effectively limit credit exposure to an amount below the 25 percent limit of total capital. Such situations include those in which only small balances are maintained with the correspondent or in which the correspondent has only been approved for a limited relationship. Although in many cases it will be necessary for a bank to establish formal internal limits to meet the regulatory limit, the provisions of section 206.3 (prudential standards) concerning excesses over internal limits also apply to limits established for the purpose of controlling credit exposure under section 206.4 of Regulation F.

15. Because information on risk-based capital ratios for banks is generally based on the bank Call Report, a bank would be justified in relying on the most recently available reports based on Call Report data. While there may be a significant lag in such data, Call Reports are useful for monitoring trends in the condition of a correspondent—especially when a bank follows the data on a continuing basis.

Interbank Liabilities
Examination Objectives
Effective date May 2006 Section 2015.2
The following examination objectives should be considered when examiners are (1) evaluating the bank’s interbank liabilities with respect to its credit exposures to correspondents and (2) assessing the bank’s compliance with Regulation F.

1. To determine if the policies, practices, procedures, and internal controls for interbank liabilities adequately address the risks posed by the bank’s exposure to other domestic depository institutions and foreign banks.
2. To determine if bank officers and employees are operating in compliance with the policies and procedures established by the bank.
3. To determine if the financial condition of correspondents to which the bank has significant exposure—significant both in the size and maturity of the exposure and the financial condition of the correspondent—is reviewed periodically.
4. To determine if internal limits on exposure (1) have been established where necessary and (2) are consistent with the risk undertaken.
5. To determine if (1) exposure ordinarily remains within the established internal limits and (2) appropriate procedures have been established to address excesses over internal limits.
6. To determine that a bank’s credit exposure to less than adequately capitalized correspondents is not more than 25 percent of the exposed bank’s total capital. (Note that Regulation F places greater emphasis on maintaining appropriate levels of exposure based on a bank’s analysis of the creditworthiness of its correspondents as opposed to merely staying within regulatory established limits.)
7. To determine if those correspondents to which the bank has credit exposure exceeding 25 percent of total capital are monitored quarterly to ensure that such correspondents remain at least adequately capitalized.
8. To reach agreement with the board of directors and senior management to initiate corrective action when policies, procedures, or internal controls are deficient, or when there are violations of laws or regulations.

Interbank Liabilities
Examination Procedures
Effective date May 2006 Section 2015.3

Examiners should obtain or prepare the information necessary to perform the appropriate procedural steps.

1. If selected for implementation, complete or update the “Interbank Liabilities” section of the internal control questionnaire.
2. On the basis of an evaluation of the bank’s internal controls, determine the scope of the examination.
3. Test for compliance with policies, practices, procedures, and internal controls in conjunction with performing the remaining examination procedures.
4. Request bank files relating to its exposure to its correspondents, as exposure is defined in Regulation F and applied and used in the “Prudential Standards” section of the regulation.
   a. Request documentation demonstrating that the bank has periodically reviewed the financial condition of any correspondent to which the depository institution has significant exposure. Factors bearing on the financial condition of the correspondent that should be addressed by the bank (depository institution) include the capital level of the correspondent, the level of nonaccrual and past-due loans and leases, the level of earnings, and other factors affecting the financial condition of the correspondent.
   b. Request that the bank provide information indicating its level of exposure to each correspondent, as measured by the bank’s internal control systems (for smaller banks, this information may include correspondent statements and a list of securities held in the investment portfolio).
   c. Determine if the frequency of the bank’s reviews of its correspondents’ financial condition is adequate for those correspondents to which the bank has very large or long maturities or for correspondents in deteriorating condition.
   d. If a bank relies on another party (such as a bank rating agency, its bank holding company, or another correspondent) to provide financial analysis of a correspondent, determine if the bank’s board of directors has reviewed and approved the assessment criteria used by the other party.
   e. When the bank relies on its bank holding company or on a correspondent, such as a bankers’ bank, to select and monitor correspondents or to choose other correspondents with which to place the depository institution’s federal funds, ensure that the bank’s board of directors has reviewed and approved the selection criteria used.
   f. If the bank is exposed to a correspondent that has experienced deterioration in its financial condition, ascertain whether the bank has taken the deterioration into account in its evaluation of the creditworthiness of the correspondent and of the appropriate level of exposure to the correspondent.
   g. When the bank has established internal limits for significant exposure, determine that the bank either monitors its exposure or structures transactions with the correspondent to ensure that exposure ordinarily remains within the bank’s internal limits for the risk undertaken.
   h. If the bank chooses to set separate limits for different forms of exposure, products, or maturities and does not set an overall internal limit on exposure to a correspondent, review information on actual interday exposure to determine if the aggregate exposure (especially for less than adequately capitalized correspondents or financially deteriorating correspondents) is consistent with the risk undertaken.
   i. When a bank monitors its exposures, determine if the level of monitoring of significant exposure (especially for less than adequately capitalized correspondents or financially deteriorating correspondents) is adequate, commensurate with the type and volatility of exposure, the extent to which the exposure approaches the bank’s internal limits, and the condition of the correspondent.
   j. Determine if the bank had any occasional excesses in exposure over its internal limits. If so, verify that the bank used appropriate and adequate procedures to address such excesses.
   k. If the size of intraday exposure to a correspondent and the condition of the correspondent indicate a significant risk that payments will not be made in full or in a timely manner, verify that the bank has established intraday limits consistent with the risk undertaken and that it has monitored its intraday exposure.
5. Request and review a list of the correspondent transaction files for all domestic depository institutions and foreign banks to which the bank regularly has credit exposure (as defined in section 206.4 of Regulation F) exceeding 25 percent of the bank’s total capital during a specified time interval. (Where appropriate, every effort should be made to allow banks to use existing risk-monitoring and -control systems and practices when these systems and practices effectively maintain credit exposure within the prescribed limits). Review the bank’s files to—
   a. verify that the correspondent’s capital levels are monitored quarterly;
   b. verify that these correspondents are at least adequately capitalized, in compliance with Regulation F; and
   c. determine that the credit exposure to those correspondents that are at risk of dropping below the adequately capitalized capital levels could be reduced to 25 percent or less of the bank’s total capital in a timely manner.

Interbank Liabilities
Internal Control Questionnaire
Effective date May 2006 Section 2015.4

Review the bank’s internal controls, policies, practices, and procedures for interbank liabilities and compliance with the Board’s Regulation F. The bank’s system should be documented completely and concisely and should include, where appropriate, narrative descriptions, flow charts, copies of forms used, and other pertinent information. When identifying and resolving any existing deficiencies, examiners should seek the answers to the following key questions.

PRUDENTIAL STANDARDS

1. Has the bank developed written policies and procedures to evaluate and control its exposure to all of its correspondents?
2. Have the written policies and procedures been reviewed and approved by the board of directors annually?
3. Do the written policies and procedures adequately address the bank’s exposure(s) to a correspondent, including credit risk, liquidity risk, operational risk, and settlement risk?
4. Has the bank adequately evaluated its intraday exposure? Does the bank have significant exposure to its correspondent from operational risks, such as extensive reliance on a correspondent for data processing? If so, has the bank addressed these operational risks?
5. Do the bank’s written policies and procedures establish criteria for selecting a correspondent or terminating that relationship?
6. Do the bank’s written policies and procedures require a periodic review of the financial condition of a correspondent whenever the size and maturity of exposure is considered significant in relation to the financial condition of the correspondent?
7. When exposure is considered significant, is the financial condition of a correspondent periodically reviewed?
8. Does the periodic review of a correspondent’s financial condition include—
   a. the level of capital?
   b. the level of nonaccrual and past-due loans and leases?
   c. the level of earnings?
   d. other factors affecting the financial condition of the correspondent?
9. If a party other than bank management conducts the financial analysis of or selects a correspondent, has the bank’s board of directors reviewed and approved the general assessment and selection criteria used by that party?
10. If the financial condition of a correspondent, or the form or maturity of the bank’s exposure to that correspondent, creates significant risk, do the bank’s written policies and procedures establish internal limits or other procedures, such as monitoring, to control exposure?
11. Are the bank’s internal limits or controls appropriate for the level of its risk exposure to correspondents? If no internal limits have been established, is this appropriate based on the financial condition of a correspondent and the size, form, and maturity of the bank’s exposure? What are your reasons for this conclusion?
12. When internal limits for significant exposure to a correspondent have been set, has the bank established procedures and structured its transactions with the correspondent to ensure that the exposure ordinarily remains within the bank’s established internal limits?
13. If not, is actual exposure to a correspondent monitored to ensure that the exposure ordinarily remains within the bank’s established internal limits?
14. Is the level (frequency) of monitoring performed appropriate for—
   a. the type and volatility of the exposure?
   b. the extent to which the exposure approaches the bank’s internal limits?
   c. the financial condition of the correspondent?
15. Are transactions and monitoring reports on exposure reviewed for compliance with internal policies and procedures? If so, by whom and how often?
16. Do the bank’s written policies and procedures address deterioration in a correspondent’s financial condition with respect to—
   a. the periodic review of the correspondent’s financial condition?
   b. appropriate limits on exposure?
   c. the monitoring of the exposure, or the structuring of transactions with the correspondent, to ensure that the exposure remains within the established internal limits?
   Are these measures appropriate and realistic?
17. Do the bank’s written procedures establish guidelines to address excesses over its internal limits? (Such excesses could include unusual late incoming wires, unusually large foreign cash letters (international pouch), unusual market moves, or other unusual increases in activity or operational problems.) Are the procedures appropriate?

1. Do the bank’s written policies and procedures effectively limit overnight credit exposure to 25 percent or less of the bank’s total capital, if a correspondent is less than adequately capitalized?
2. If credit exposure is not limited to 25 percent or less of the bank’s total capital, does the bank—
   a. obtain quarterly information to determine its correspondent’s capital levels (if so, determine the source of the information)?
   b. monitor its overnight credit exposure to its correspondents (if so, determine the frequency)?

Investment Securities and End-User Activities
Effective date October 2008 Section 2020.1

This section provides guidance on the management of a depository institution’s investment and end-user activities. The guidance applies to (1) all securities in held-to-maturity and available-for-sale accounts as defined in the Statement of Financial Accounting Standards No. 115 (FAS 115), (2) all certificates of deposit held for investment purposes, and (3) all derivative contracts not held in trading accounts (end-user derivative contracts).1 The guidance also covers all securities used for investment purposes, including money market instruments, fixed- and floating-rate notes and bonds, structured notes, mortgage pass-through and other asset-backed securities, and mortgage-derivative products. All end-user derivative instruments used for nontrading purposes, such as swaps, futures, and options, are also discussed.

Institutions must ensure that their investment and end-user activities are permissible and appropriate within established limitations and restrictions on bank holdings of these instruments. Institutions should also employ sound risk-management practices consistently across these varying product categories, regardless of their legal characteristics or nomenclature. This section provides examiners with guidance on—

• the permissibility and appropriateness of securities holdings by state member banks;
• sound risk-management practices and internal controls used by banking institutions in their investment and end-user activities;
• the review of securities and derivatives acquired by the bank’s international division and overseas branches for its own account as well as the bank’s foreign equity investments that are held either directly or through Edge Act corporations;
• banking agency policies on certain high-risk mortgage-derivative products; and
• unsuitable investment practices.

LIMITATIONS AND RESTRICTIONS ON SECURITIES HOLDINGS

Many states extend the investment authority that is available to national banks to their chartered banks—often by direct reference. The security investments of national banks are governed in turn by the seventh paragraph of 12 USC 24 (section 5136 of the Revised Statutes) and by the investment securities regulations of the Office of the Comptroller of the Currency (OCC). If state law permits, state member banks are subject to the same limitations and conditions for purchasing, selling, underwriting, and holding investment securities and stocks as national banks under 12 USC 24 (seventh). To determine whether an obligation qualifies as a permissible investment for state member banks, and to calculate the limits with respect to the purchase of such obligations, refer to the OCC’s investment securities regulation at 12 CFR 1. (See also section 208.21(b) of Regulation H (12 CFR 208.21(b)).)

Under 12 USC 24, an “investment security” is defined as a debt obligation that is not predominantly speculative. A security is not predominantly speculative if it is rated investment grade. An “investment-grade security” is a security that has been rated in one of the four highest rating categories by two or more nationally recognized statistical rating organizations (one rating may suffice if the security has been rated by only one organization). For example, securities rated AAA, AA, A, and BBB by Standard and Poor’s and Aaa, Aa, A or A-1, and Baa-1 or Baa by Moody’s are considered investment grade. In the case of split ratings—different ratings from different rating organizations—the lower rating applies. Although the analyses of major rating agencies are basically sound and are updated frequently, bank personnel should keep in mind that ratings are only evaluations of probabilities. To determine appropriate credit limits for a particular counterparty, the bank should supplement bond ratings with its own credit analysis of the issuer. (See table 1 for a summary of the above-mentioned rating systems.)

1. Derivatives, in general, are financial contracts whose values are derived from the value of one or more underlying assets, interest rates, exchange rates, commodities, or financial or commodity indexes.

Commercial Bank Examination Manual October 2008


Table 1—Summary of Rating Systems

Standard & Poor’s    Moody’s       Description

Bank-quality investments
AAA                  Aaa           Highest-grade obligations
AA                   Aa            High-grade obligations
A                    A, A-1        Upper-medium grade
BBB                  Baa-1, Baa    Medium-grade, on the borderline between definitely sound obligations and those containing predominantly speculative elements

Speculative and defaulted issues
BB                   Ba            Lower-medium grade with only minor investment
B                    B             Low-grade, default probable
CCC, CC, C, D        Caa, Ca, C    Lowest-rated class, defaulted, extremely poor pros-

Bank-Eligible Securities

The OCC’s investment securities regulation identifies five basic types of investment securities (types I, II, III, IV, and V) and establishes limitations on a bank’s investment in those types of securities based on the percentage of their capital and surplus that such holdings represent. For calculating concentration limits, the term “capital and surplus” includes the balance of a bank’s allowance for loan and lease losses not included in tier 2 capital. Table 2 on the next page summarizes bank-eligible securities and investment limitations.


Table 2—Summary of New Investment-Type Categories

Type I securities
Characteristics:
• U.S. government securities
• general obligations of a state or political subdivision
• municipal bond activities by well-capitalized* banks, other than types II, III, IV, or V securities
• obligations backed by the full faith and credit of the U.S. government
• FHLB, Fannie Mae, and FHLMC debt or similarly collateralized debt of a state or political subdivision backed by the full faith and credit of the U.S. government
Limitations: No limitations on banks’ investment, dealing, or underwriting abilities. With respect to all municipal securities, a member bank that is well capitalized* may deal in, underwrite, purchase, and sell any municipal bond for its own account without any limit tied to the bank’s capital and surplus.

Type II securities
Characteristics:
• state obligations for housing, university, or dormitory purposes that would not qualify as a type I municipal security
• obligations of international development banks
• debt of Tennessee Valley
• debt of U.S. Postal Service
• obligations that a national bank is authorized to deal in, underwrite, purchase, or sell under 12 USC 24 (seventh), other than type I
Limitations: Banks may deal in, underwrite, or invest subject to the limitation that the aggregate par value of the obligation of any one obligor may not exceed 10 percent of a bank’s capital and surplus.

Type III securities
Characteristics:
• an investment security that does not qualify as type I, II, IV, or V
• municipal revenue bonds, except those that qualify as a type I municipal security
• corporate bonds
Limitations: The aggregate par value of a bank’s purchases and sales of the securities of any one obligor may not exceed 10 percent of a bank’s capital and surplus.

* subject to the statutory prompt-corrective-action standards (12 USC 1831o)

Commercial Bank Examination Manual November 2001


Table 2, continued

Type IV securities
Characteristics:
• small business–related securities that are rated investment-grade or the equivalent and that are fully secured by a loan pool
• residential or commercial mortgage–related securities rated AA or Aa or higher
Limitations: For securities rated AA or Aa or higher, no investment limitations. For lower-rated investment-grade securities, the aggregate par value of a bank’s purchases and sales of the securities of any one obligor may not exceed 25 percent of a bank’s capital and surplus. For mortgage-related securities, no investment limitations. A bank may deal in type IV securities with limitation.

Type V securities
Characteristics:
• asset-backed securities (credit card, auto, home equity, student loan, manufactured housing) that are investment-grade and are
• residential and commercial mortgage–related securities rated below AA or Aa, but still
Limitations: The aggregate par value of a bank’s purchases and sales of the securities of any one obligor may not exceed 25 percent of a bank’s capital and surplus.

Type I securities are those debt instruments that national and state member banks can deal in, underwrite, purchase, and sell for their own accounts without limitation. Type I securities are obligations of the U.S. government or its agencies; general obligations of states and political subdivisions; municipal bonds (including municipal revenue bonds) other than a type II, III, IV, or V security by a bank that is well capitalized; and mortgage-related securities. A bank may purchase type I securities for its own account subject to no limitations, other than the exercise of prudent banking judgment. (See 12 USC 24(7) and 15 USC 78(c)(a)(41).)

Type II securities are those debt instruments that national and state member banks may deal in, underwrite, purchase, and sell for their own account subject to a 10 percent limitation of a bank’s capital and surplus for any one obligor. Type II investments include obligations issued by the International Bank for Reconstruction and Development, the Inter-American Development Bank, the Asian Development Bank, the Tennessee Valley Authority, and the U.S. Postal Service, as well as obligations issued by any state or political subdivision for housing, university, or dormitory purposes that do not qualify as a type I security and other issuers specifically identified in 12 USC 24(7).

Type III is a residual securities category consisting of all types of investment securities not specifically designated to another security “type” category and that do not qualify as a type I security. Banks cannot deal in or underwrite type III securities, and their holdings of these instruments are limited to 10 percent of the bank’s capital and surplus for any one obligor.

Type IV securities include the following asset-backed securities (ABS) that are fully secured by interests in pools of loans made to numerous obligors:

• investment-grade residential mortgage–related securities that are offered or sold pursuant to section 4(5) of the Securities Act of 1933 (15 USC 77d(5))
• residential mortgage–related securities as described in section 3(a)(41) of the Securities Exchange Act of 1934 (15 USC 78c(a)(41)) that are rated in one of the two highest investment-grade rating categories
• investment-grade commercial mortgage securities offered or sold pursuant to section 4(5) of the Securities Act of 1933 (15 USC 77d(5))
• commercial mortgage securities as described in section 3(a)(41) of the Securities Exchange Act of 1934 (15 USC 78c(a)(41)) that are rated in one of the two highest investment-grade rating categories
• investment-grade, small-business-loan securities as described in section 3(a)(53)(A) of the Securities Exchange Act of 1934 (15 USC 78c(a)(53)(A))

For all type IV commercial and residential mortgage securities and for type IV small-business-loan securities rated in the top two rating categories, there is no limitation on the amount a bank can purchase or sell for its own account. Type IV investment-grade, small-business-loan securities that are not rated in the top two rating categories are subject to a limit of 25 percent of a bank’s capital and surplus for any one issuer. In addition to being able to purchase and sell type IV securities, subject to the above limitation, a bank may deal in those type IV securities that are fully secured by type I securities.

Type V securities consist of all ABS that are not type IV securities. Specifically, they are defined as marketable, investment-grade-rated securities that are not type IV and are “fully secured by interests in a pool of loans to numerous obligors and in which a national bank could invest directly.” Type V securities include securities backed by auto loans, credit card loans, home equity loans, and other assets. Also included are residential and commercial mortgage securities as described in section 3(a)(41) of the Securities Exchange Act of 1934 (15 USC 78c(a)(41)) that are not rated in one of the two highest investment-grade rating categories but that are still investment grade. A bank may purchase or sell type V securities for its own account provided the aggregate par value of type V securities issued by any one issuer held by the bank does not exceed 25 percent of the bank’s capital and surplus.

As mentioned above, type III securities represent a residual category. The OCC requires a national bank to determine (1) that the type III instrument it plans to purchase is marketable and of sufficiently high investment quality and (2) that the obligor will be able to meet all payments and fulfill all the obligations it has undertaken in connection with the security. For example, junk bonds, which are often issued to finance corporate takeovers, are usually not considered to be of investment quality because they are predominately speculative and have limited marketability.

The purchase of type II and type III securities is limited to 10 percent of equity capital and surplus for each obligor when the purchase is based on adequate evidence of the maker’s ability to perform. That limitation is reduced to 5 percent of equity capital and reserves for all obligors in the aggregate when the judgment of the obligor’s ability to perform is based predominantly on “reliable estimates.” The term “reliable estimates” refers to projections of income and debt-service requirements or conditional ratings when factual credit information is not available and when the obligor does not have a record of performance.

OCC regulations specifically provide for separate type I, II, III, IV, and V limits. In the extreme, therefore, national banks can lend 15 percent of their capital to a corporate borrower, buy the borrower’s corporate bonds amounting to another 10 percent of capital and surplus (type III securities), and purchase the borrower’s ABS up to an additional 25 percent of capital (type V securities), for a total exposure of 50 percent of the bank’s capital and surplus. This could be expanded even further if the borrower also issued highly rated type IV securities, upon which there is no investment limitation. However, an exposure to any one issuer of 25 percent or more should be considered a credit concentration, and banks are expected to justify why exposures in excess of 25 percent do not entail an undue concentration. (See table 2 for a summary of the new investment-type categories.)

Municipal Revenue Bonds

Upon enactment of the Gramm-Leach-Bliley Act (the GLB Act), most state member banks were authorized to deal in, underwrite, purchase, and sell municipal revenue bonds (12 USC 24 (seventh)). Effective March 13, 2000, these activities (involving type I securities) could be conducted by well-capitalized1a banks, without limitation as to the level of these activities relative to the bank’s capital. Previously, banks were limited to only underwriting, dealing in, or

1a. See the prompt corrective action at 12 USC 1831o and see subpart D of the Federal Reserve’s Regulation H (12 CFR 208).

Commercial Bank Examination Manual November 2004

Page 5
2020.1 Investment Securities and End-User Activities

investing in, without limitation, general obligation municipal bonds backed by the full faith and credit of an issuer with general powers of taxation. Member banks could purchase for their own account, but not underwrite or deal in, municipal revenue bonds, but the purchases and sales of such investment securities for any obligor were limited to 10 percent of a member bank’s capital and surplus. As a result of the GLB Act amendment, municipal revenue bonds are the equivalent of type I securities for well-capitalized state member banks. 1b (See SR-01-13.)

1b. The OCC published final amendments to its investment securities regulation (12 CFR 1) on July 2, 2001 (66 Fed. Reg. 34784).

The expanded municipal revenue bond authority under the GLB Act necessitates heightened awareness by banks, examiners, and supervisory staff of the particular risks of municipal revenue bond underwriting, dealing, and investment activities. Senior management of a state member bank has the responsibility to ensure that the bank conducts municipal securities underwriting, dealing, and investment activities in a safe and sound manner, in compliance with applicable laws and regulations. Sound risk-management practices are critical. State member banks engaged in municipal securities activities should maintain written policies and procedures governing these activities and make them available to examiners upon request.

Prudent municipal securities investment involves considering and adopting risk-management policies, including appropriate limitations, on the interest-rate, liquidity, price, credit, market, and legal risks in light of the bank’s appetite and tolerance for risk. Historically, municipal revenue bonds have had higher default rates than municipal general obligation bonds. The risks of certain industrial development revenue bonds have been akin to the risks of corporate bonds. Therefore, when bondholders are relying on a specific project or private-sector obligation for repayment, banks should conduct a credit analysis, using their normal credit standards, to identify and evaluate the source of repayment before purchasing the bonds. Banks must also perform periodic credit analyses of those securities that remain in the bank’s investment portfolio. Prudent banking practices require that management adopt appropriate exposure limits for individual credits and on credits that rely on a similar repayment source; these limits help ensure adequate risk diversification. Furthermore, examiners and other supervisory staff should be aware of the extent to which state laws place further restrictions on municipal securities activities but should defer to state banking regulators on questions of legal authority under state laws and regulations.

For underwriting and dealing activities, the nature and extent of due diligence should be commensurate with the degree of risk posed by and the complexity of the proposed activity. Bank dealer activities should be conducted subject to the types of prudential limitations described above but should also be formulated in light of the reputational risk that may accompany underwriting and dealing activities. Senior management and the board of directors should establish credit-quality and position-risk guidelines, including guidelines for concentration risk. A bank serving as a syndicate manager would be expected to conduct extensive due diligence to mitigate its underwriting risk. Due diligence should include an assessment of the creditworthiness of the issuer and a full analysis of primary and any contingent sources of repayment. Offering documents should be reviewed for their accuracy and completeness, as well as for full disclosure of all of the offering’s relevant risks.

UNIFORM AGREEMENT ON THE CLASSIFICATION OF ASSETS AND THE APPRAISAL OF SECURITIES

On June 15, 2004, the agencies 1c issued a joint interagency statement that revised the Uniform Agreement on the Classification of Assets and Appraisal of Securities Held by Banks and Thrifts (the uniform agreement). (See SR-04-9.) The uniform agreement amends the examination procedures that were established in 1938 and then revised and issued on July 15, 1949, and on May 7, 1979. The uniform agreement sets forth the definitions of the classification categories and the specific examination procedures and information for classifying bank assets, including securities. The uniform agreement’s classification of loans remains unchanged from the 1979 revision.

1c. The statement was issued by the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, and the Office of Thrift Supervision (the agencies).

The June 15, 2004, agreement changes the classification standards applied to banks’ holdings of debt securities by—

• eliminating the automatic classification of sub-investment-grade debt securities when a banking organization has developed an accurate, robust, and documented credit-risk-management framework to analyze its securities holdings;
• conforming the uniform agreement to current generally accepted accounting principles by basing the recognition of depreciation on all available-for-sale securities on the bank’s determination as to whether the impairment of the underlying securities is “temporary” or “other than temporary”;
• eliminating the preferential treatment given to defaulted municipal securities;
• clarifying how examiners should address securities that have two or more different ratings, split or partially rated securities, and nonrated debt securities;
• identifying when examiners may diverge from conforming their ratings to those of the rating agencies; and
• addressing the treatment of Interagency Country Exposure Review Committee ratings.

The uniform agreement’s classification categories also apply to the classification of assets held by the subsidiaries of banks. Although the classification categories for bank assets and assets held by bank subsidiaries are the same, the classification standards may be difficult to apply to the classification of subsidiary assets because of differences in the nature and risk characteristics of the assets. Despite the differences that may exist between assets held directly by a bank and those held by its subsidiary, the standards for classifying investment securities are to be applied directly to securities held by a bank and its subsidiaries.

Classification of Assets in Examinations

Classification units are designated as Substandard, Doubtful, and Loss. A Substandard asset is inadequately protected by the current sound worth and paying capacity of the obligor or of the collateral pledged, if any. Assets so classified must have a well-defined weakness or weaknesses that jeopardize the liquidation of the debt. They are characterized by the distinct possibility that the institution will sustain some loss if the deficiencies are not corrected. An asset classified Doubtful has all the weaknesses inherent in one classified Substandard, with the added characteristic that the weaknesses make collection or liquidation in full, on the basis of currently existing facts, conditions, and values, highly questionable and improbable. Assets classified Loss are considered uncollectible and of such little value that their continuance as bankable assets is not warranted. This classification does not mean that the asset has absolutely no recovery or salvage value but rather that it is not practical or desirable to defer writing off this basically worthless asset even though partial recovery may be effected in the future. Amounts classified Loss should be promptly charged off.

Appraisal of Securities in Bank

In an effort to streamline the examination process and achieve as much consistency as possible, examiners will use the published ratings provided by nationally recognized statistical ratings organizations (NRSROs) as a proxy for the supervisory classification definitions. Examiners may, however, assign a more- or less-severe classification for an individual security, depending on a review of applicable facts and

Investment-Quality Debt Securities

Investment-quality debt securities are marketable obligations in which the investment characteristics are not distinctly or predominantly speculative. This group generally includes investment securities in the four highest rating categories provided by NRSROs and includes unrated debt securities of equivalent quality. Because investment-quality debt securities do not exhibit weaknesses that justify an adverse classification rating, examiners will generally not classify them. However, published credit ratings occasionally lag demonstrated changes in credit quality, and examiners may, in limited cases, classify a security notwithstanding an investment-grade rating. Examiners may use such discretion, when justified by credit information the examiner believes is not reflected in the rating, to properly reflect the security’s credit risk.

Sub-Investment-Quality Debt Securities

Sub-investment-quality debt securities are those in which the investment characteristics are distinctly or predominantly speculative. This group generally includes debt securities, including hybrid equity instruments (for example, trust preferred securities), in grades below the four highest rating categories; unrated debt securities of equivalent quality; and defaulted debt securities.

In order to reflect asset quality properly, an examiner may in limited cases “pass” a debt security that is rated below investment quality. Examiners may use such discretion when, for example, the institution has an accurate and robust credit-risk-management framework and has demonstrated, based on recent, materially positive credit information, that the security is the credit equivalent of investment grade.

Rating Differences

Some debt securities may have investment-quality ratings by one (or more) rating agencies and sub-investment-quality ratings by others. Examiners will generally classify such securities, particularly when the most recently assigned rating is not investment quality. However, an examiner has discretion to “pass” a debt security with both investment-quality and sub-investment-quality ratings. The examiner may use that discretion if, for example, the institution has demonstrated through its documented credit analysis that the security is the credit equivalent of investment grade.

Split or Partially Rated Securities

Some individual debt securities have ratings for principal but not interest. The absence of a rating for interest typically reflects uncertainty regarding the source and amount of interest the investor will receive. Because of the speculative nature of the interest component, examiners will generally classify such securities, regardless of the rating for the principal.

Nonrated Debt Securities

The agencies expect institutions holding individually large nonrated debt security exposures, or having significant aggregate exposures from small individual holdings, to demonstrate that they have made prudent pre-acquisition credit decisions and have effective, risk-based standards for the ongoing assessment of credit risk. Examiners will review the institution’s program for monitoring and measuring the credit risk of such holdings and, if the assessment process is considered acceptable, generally will rely upon those assessments during the examination process. If an institution has not established independent risk-based standards and a satisfactory process to assess the quality of such exposures, examiners may classify such securities, including those of a credit quality deemed to be the equivalent of subinvestment grade, as appropriate.

Some nonrated debt securities held in investment portfolios represent small exposures relative to capital, both individually and in aggregate. While institutions generally have the same supervisory requirements (as applicable to large holdings) to show that these holdings are the credit equivalent of investment grade at purchase, comprehensive credit analysis subsequent to purchase may be impractical and not cost effective. For such small individual exposures, institutions should continue to obtain and review available financial information, and assign risk ratings. Examiners may rely upon the bank’s internal ratings when evaluating such holdings.

Foreign Debt Securities

The Interagency Country Exposure Review Committee (ICERC) assigns transfer-risk ratings for cross-border exposures. Examiners should use the guidelines in this uniform agreement rather than ICERC transfer-risk ratings in assigning security classifications, except when the ICERC ratings result in a more-severe clas-

Treatment of Declines in Fair Value Below Amortized Cost on Debt Securities

Under generally accepted accounting principles (GAAP), an institution must assess whether a decline in fair value 1d below the amortized cost of a security is a “temporary” or an “other-than-temporary” impairment. When the decline in fair value on an individual security represents “other-than-temporary” impairment, the cost basis of the security must be written down to fair value, thereby establishing a new cost basis for the security, and the amount of the write-down must be reflected in current-period earnings. If an institution’s process for assessing impairment is considered acceptable, examiners may use those assessments in determining the appropriate classification of declines in fair value below amortized cost on individual debt securities.

1d. As currently defined under GAAP, the fair value of an asset is the amount at which that asset could be bought or sold in a current transaction between willing parties, that is, other than in a forced or liquidation sale. Quoted market prices are the best evidence of fair value and must be used as the basis for measuring fair value, if available.

Any decline in fair value below amortized cost on defaulted debt securities will be classified as indicated in table 3. Apart from classification, for impairment write-downs or charge-offs on adversely classified debt securities, the existence of a payment default will generally be considered a presumptive indicator of “other-than-temporary” impairment.

Classification of Other Types of Securities

Some investments, such as certain equity holdings or securities with equity-like risk and return profiles, have highly speculative performance characteristics. Examiners should generally classify such holdings based on an assessment of the applicable facts and circumstances.

Summary Table of Debt Security Classification Guidelines

Table 3 outlines the uniform classification approach the agencies will generally use when assessing credit quality in debt securities

The general debt security classification guidelines do not apply to private debt and equity holdings in a small business investment company or an Edge Act corporation. The uniform agreement does not apply to securities held in trading accounts, provided the institution demonstrates through its trading activity a short-term holding period or holds the security as a hedge for a customer’s valid derivative contract.

Table 3—General Debt Security Classification Guidelines

Type of security | Classification: Substandard | Classification: Doubtful | Classification: Loss
Investment-quality debt securities with “temporary” impairment | — | — | —
Investment-quality debt securities with “other-than-temporary” impairment | — | — | Impairment
Sub-investment-quality debt securities with “temporary” impairment 1 | Amortized cost | — | —
Sub-investment-quality debt securities with “other-than-temporary” impairment, including defaulted debt | Fair value | — | Impairment

Note. Impairment is the amount by which amortized cost exceeds fair value.

1. For sub-investment-quality available-for-sale (AFS) debt securities with “temporary” impairment, amortized cost rather than the lower amount at which these securities are carried on the balance sheet, i.e., fair value, is classified Substandard. This classification is consistent with the regulatory capital treatment of AFS debt securities. Under GAAP, unrealized gains and losses on AFS debt securities are excluded from earnings and reported in a separate component of equity capital. In contrast, these unrealized gains and losses are excluded from regulatory capital. Accordingly, the amount classified Substandard on these AFS debt securities, i.e., amortized cost, also excludes the balance-sheet adjustment for unrealized losses.

Credit-Risk-Management Framework for Securities

When an institution has developed an accurate, robust, and documented credit-risk-management framework to analyze its securities holdings, examiners may choose to depart from the general debt security classification guidelines in favor of individual asset review in determining whether to classify those holdings. A robust credit-risk-management framework entails appropriate pre-acquisition credit due diligence by qualified staff that grades a security’s credit risk based on an analysis of the repayment capacity of the issuer and the structure and features of the security. It also involves the ongoing monitoring of holdings to ensure that risk ratings are reviewed regularly and updated in a timely fashion when significant new information is received.

The credit analysis of securities should vary based on the structural complexity of the security, the type of collateral, and external ratings. The credit-risk-management framework should reflect the size, complexity, quality, and risk characteristics of the securities portfolio; the risk appetite and policies of the institution; and the quality of its credit-risk-management staff, and should reflect changes to these factors over time. Policies and procedures should identify the extent of credit analysis and documentation required to satisfy sound credit-risk-management standards.

Transfers of Low-Quality Securities and Assets

The purchase of low-quality assets by a bank from an affiliated bank or nonbank affiliate is a violation of section 23A of the Federal Reserve Act. The transfer of low-quality securities from one depository institution to another may be done to avoid detection and classification during regulatory examinations; this type of transfer may be accomplished through participations, purchases or sales, and asset swaps with other affiliated or nonaffiliated financial institutions. Broadly defined, low-quality securities include depreciated or sub-investment-quality securities. Situations in which an institution appears to be concealing low-quality securities to avoid examination scrutiny and possible classification represent an unsafe and unsound activity.

Any situations involving the transfer of low-quality or questionable securities should be brought to the attention of Reserve Bank supervisory personnel who, in turn, should notify the local office of the primary federal regulator of the other depository institution involved in the transaction. For example, if an examiner determines that a state member bank or holding company has transferred or intends to transfer low-quality securities to another depository institution, the Reserve Bank should notify the recipient institution’s primary federal regulator of the transfer. The same notification requirement holds true if an examiner determines that a state member bank or holding company has acquired or intends to acquire low-quality securities from another depository institution. This procedure applies to transfers involving savings associations and savings banks, as well as commercial banking organizations.

Situations may arise when transfers of securities are undertaken for legitimate reasons. In these cases, the securities should be properly recorded on the books of the acquiring institution at their fair value on the date of transfer. If the transfer was with the parent holding company or a nonbank affiliate, the records of the affiliate should be reviewed as well.

Permissible Stock Holdings

The purchase of securities convertible into stock at the option of the issuer is prohibited (12 CFR 1.6). Other than as specified in table 4, banks are prohibited from investing in stock.


Table 4—Permitted Stock Holdings by Member Banks

Type of stock | Authorizing statute and limitation

Federal Reserve Bank | Federal Reserve Act, sections 2 and 9 (12 USC 282 and 321) and Regulation I (12 CFR 209). Subscription must equal 6 percent of the bank’s capital and surplus, 3 percent paid in.

Safe deposit corporation | 12 USC 24. 15 percent of capital and surplus.

Corporation holding bank premises | Federal Reserve Act, section 24A (12 USC 371(d)). 100 percent of capital stock. Limitation includes total direct and indirect investment in bank premises in any form (such as loans). Maximum limitation may be exceeded with permission of the Federal Reserve Bank for state member banks and the Comptroller of the Currency for national banks.

Small business investment company | Small Business Investment Act of August 21, 1958, section 302(b) (15 USC 682(b)). Banks are prohibited from acquiring shares of such a corporation if, upon making the acquisition, the aggregate amount of shares in small business investment companies then held by the bank would exceed 5 percent of its capital and surplus.

Edge Act and agreement corporations and foreign banks | Federal Reserve Act, sections 25 and 25A (12 USC 601 and 618). The aggregate amount of stock held in all such corporations may not exceed 10 percent of the member bank’s capital and surplus. Also, the member bank must possess capital and surplus of $1 million or more before acquiring investments pursuant to section 25.

Bank service company | Bank Service Corporation Act of 1958, section 2 (12 USC 1861 and 1862). (Redesignated as Bank Service Company Act.) 10 percent of paid in and unimpaired capital and surplus. Limitation includes total direct and indirect investment in any form. No insured banks shall invest more than 5 percent of their total assets.

Federal National Mortgage Corporation | National Housing Mortgage Association Act of 1934, section 303(f) (12 USC 1718(f)). No limit.

Bank’s own stock | 12 USC 83. Shares of the bank’s own stock may not be acquired or taken as security for loans, except as necessary to prevent loss from a debt previously contracted in good faith. Stock so acquired must be disposed of within six months of the date of acquisition.

Corporate stock acquired through debt previously contracted (DPC) transaction | Case law has established that stock of any corporation debt may be acquired to prevent loss from a debt previously contracted in good faith. See Oppenheimer v. Harriman National Bank & Trust Co. of the City of New York, 301 US 206 (1937). However, if the stock is not disposed of within a reasonable time period, it loses its status as a DPC transaction and becomes a prohibited holding under 12 USC 24(7).

Operations subsidiaries | 12 CFR 250.141. Permitted if the subsidiary is to perform, at locations at which the bank is authorized to engage in business, functions that the bank is empowered to perform directly.

State housing corporation incorporated in the state in which the bank is located | 12 USC 24. 5 percent of its capital stock, paid in and unimpaired, plus 5 percent of its unimpaired surplus fund when considered together with loans and commitments made to the corporation.

Agricultural credit corporation | 12 USC 24. 20 percent of capital and surplus unless the bank owns over 80 percent. No limit if the bank owns 80 percent or more.

Government National Mortgage Association | 12 USC 24. No limit.

Student Loan Marketing | 12 USC 24. No limit.

Bankers’ banks | 12 USC 24. 10 percent of capital stock and paid-in and unimpaired surplus. Bankers’ banks must be insured by the FDIC, owned exclusively by depository institutions, and engaged solely in providing banking services to other depository institutions and their officers, directors, or employees. Ownership shall not result in any bank’s acquiring more than 5 percent of any class of voting securities of the bankers’ bank.

Mutual funds | 12 USC 24(7). Banks may invest in mutual funds as long as the underlying securities are permissible investments for a bank.

Community development corporation | Federal Reserve Act, section 9, paragraph 23 (12 USC 338a). Up to 10 percent of capital stock and surplus 1 subject to 12 CFR

1. Section 208.2(d) of Regulation H defines “capital stock and surplus” to mean tier 1 and tier 2 capital included in a member bank’s risk-based capital and the balance of a member bank’s allowance for loan and lease losses not included in its tier 2 capital for calculation of risk-based capital, based on the bank’s most recent consolidated Report of Condition and Income. Section 9 of the Federal Reserve Act (12 USC 338a) provides that the Board has the authority under this law to approve public-welfare or other such investments, up to the sum of 5 percent of paid-in and unimpaired capital stock and 5 percent of unimpaired surplus, unless the Board determines by order that the higher amount will pose no significant risk to the affected deposit insurance fund, and the bank is adequately capitalized. In no case may the aggregate of such investments exceed 10 percent of the bank’s combined capital stock and surplus.

LIMITED EQUITY INVESTMENTS

Investing in the equity of nonfinancial companies and lending to private-equity-financed companies (that is, companies financed by private equity) have emerged as increasingly important sources of earnings and business relationships at a number of banking organizations (BOs). In this guidance, the term private equity refers to shared-risk investments outside of publicly quoted securities and also covers activities such as venture capital, leveraged buyouts, mezzanine financing, and holdings of publicly quoted securities obtained through these activities. While private equity securities can contribute substantially to earnings, these activities can give rise to increased volatility of both earnings and capital. The supervisory guidance in SR-00-9 on private equity investments and merchant banking activities is concerned with a BO’s proper risk-focused management of its private equity investment activities so that these investments do not adversely affect the safety and soundness of the affiliated insured depository institutions.

An institution’s board of directors and senior management are responsible for ensuring that the risks associated with private equity activities do not adversely affect the safety and soundness of the banking organization or any other affiliated insured depository institutions. To this end, sound investment and risk-management practices and strong capital positions are critical elements in the prudent conduct of these activities.

Legal and Regulatory Authority

Depository institutions are able to make limited equity investments under the following statutory and regulatory authorities:

• Depository institutions may make equity investments through small business investment corporations (SBICs). Investments made by SBIC subsidiaries are allowed up to a total of 50 percent of a portfolio company’s outstanding shares, but can only be made in companies defined as a small business, according to SBIC rules. A bank’s aggregate investment in the stock of SBICs is limited to 5 percent of the bank’s capital and surplus.
• Under Regulation K, which implements sections 25 and 25A of the Federal Reserve Act (FRA) and section 4(c)(13) of the Bank Holding Company Act of 1956 (BHC Act), a depository institution may make portfolio investments in foreign companies, provided the investments do not in the aggregate exceed 25 percent of the tier 1 capital of the bank holding company. In addition, individual investments must not exceed 19.9 percent of a portfolio company’s voting shares or 40 percent of the portfolio company’s total equity. 1e

Equity investments made under the authorities listed above may be in publicly traded securities or privately held equity interests. The investment may be made as a direct investment in a specific portfolio company, or it may be made indirectly through a pooled investment vehicle, such as a private equity fund. 1f In general, private equity funds are investment companies, typically organized as limited partnerships, that pool capital from third-party investors to invest in shares, assets, and ownership interests in companies for resale or other disposition. Private-equity-fund investments may provide seed or early-stage investment funds to start-up companies or may finance changes in ownership, middle-market business expansions, and mergers and acquisitions.

Oversight by the Board of Directors and Senior Management

Equity investment activities require the active oversight of the board of directors and senior management of the depository institution that is conducting the private equity investment activities. The board should approve portfolio objectives, overall investment strategies, and general investment policies that are consistent with the institution’s financial condition, risk profile, and risk tolerance. Portfolio objectives should address the types of investments, expected business returns, desired holding periods, diversification parameters, and other elements of sound investment-management oversight. Board-approved objectives, strategies, policies, and procedures should be documented and clearly communicated to all the personnel involved in their implementation. The board should actively monitor the performance and risk profile of equity investment business lines in light of the established objectives, strategies, and policies. The board also should ensure that there is an effective management structure for conducting the institution’s equity activities, including adequate systems for measuring, monitoring, controlling, and reporting on the risks of equity investments. The board should approve policies that specify lines of authority and responsibility for both acquisitions and sales of investments. The board should also approve (1) limits on aggregate investment and exposure amounts; (2) the types of investments (for example, direct and indirect, mezzanine financing, start-ups, seed financing); and (3) appropriate diversification-related aspects of equity investments such as industry, sector, and geographic

For its part, senior management must ensure that there are adequate policies, procedures, and management information systems for managing equity investment activities on a day-to-day and longer-term basis. Management should set clear
1e. Shares of a corporation held in trading or dealing
lines of authority and responsibility for making
accounts or under any other authority are also included in the and monitoring investments and for managing
calculation of a depository institution’s investment. Portfolio risk. Management should ensure that an institu-
investments of $25 million or less can be made without prior tion’s equity investment activities are conducted
notice to the Board. See Regulation K for more detailed
by competent staff whose technical knowledge
1f. For additional stock holdings that state member banks and experience are consistent with the scope of
are authorized to hold, see table 4. the institution’s activities.

Commercial Bank Examination Manual November 2004

2020.1 Investment Securities and End-User Activities

Management of the Investment Process

Depository institutions engaging in equity investment activities should have a sound process for executing all elements of investment management, including initial due diligence, periodic reviews of holdings, investment valuation, and realization of returns. This process requires appropriate policies, procedures, and management information systems, the formality of which should be commensurate with the scope, complexity, and nature of an institution’s equity investment activities. The supervisory review should be risk-focused, taking into account the institution’s stated tolerance for risk, the ability of senior management to govern these activities effectively, the materiality of activities in comparison to the institution’s risk profile, and the capital position of the institution.

Depository institutions engaging in equity investment activities require effective policies that (1) govern the types and amounts of investments that may be made, (2) provide guidelines on appropriate holding periods for different types of investments, and (3) establish parameters for portfolio diversification. Investment strategies and permissible types of investments should be clearly identified. Portfolio-diversification policies should identify factors pertinent to the risk profile of the investments being made, such as industry, sector, geographic, and market factors. Policies establishing expected holding periods should specify the general criteria for liquidation of investments and guidelines for the divestiture of an underperforming investment. Decisions to liquidate underperforming investments are necessarily made on a case-by-case basis considering all relevant factors. Policies and procedures, however, should require more frequent review and analysis for investments that are performing poorly or that have been in a portfolio for a considerable length of time, as compared with the other investments overall.

Policies and Limits

Policies should identify the aggregate exposure that the institution is willing to accept, by type and nature of investment (for example, direct or indirect, industry sectors). The limits should include funded and unfunded commitments. Formal and clearly articulated hedging policies and strategies should identify limits on hedged exposures and permissible hedging instruments.

Procedures

Management and staff compensation play a critical role in providing incentives and controlling risks within a private equity business line. Clear policies should govern compensation arrangements, including co-investment structures and staff sales of portfolio company interests.

Institutions have different procedures for assessing, approving, and reviewing investments based on the size, nature, and risk profile of an investment. The procedures used for direct investments may be different than those used for indirect investments made through private equity funds. For example, different levels of due diligence and senior management approvals may be required. When constructing management infrastructures for conducting these investment activities, management should ensure that operating procedures and internal controls appropriately reflect the diversity of investments.

The potential diversity in investment practice should be recognized when conducting supervisory reviews of the equity investment process. The supervisory focus should be on the appropriateness of the process employed relative to the risk of the investments made and on the materiality of this business line to the overall soundness of the depository institution, as well as the potential impact on affiliated depository institutions. The procedures employed should include the following:

• Investment analysis and approvals, including well-founded analytical assessments of investment opportunities and formal investment-approval processes.
  The methods and types of analyses conducted should be appropriately structured to adequately assess the specific risk profile, industry dynamics, management, specific terms and conditions of the investment opportunity, and other relevant factors. All elements of the analytical and approval processes, from initial review through the formal investment decision, should be documented and clearly understood by the staff conducting these activities.
  The evaluation of existing and potential investments in private equity funds should
  involve an assessment of the adequacy of a fund’s structure. Consideration should be given to the (1) management fees, (2) carried interest and its computation on an aggregate portfolio basis,1g (3) sufficiency of capital commitments that are provided by the general partners in providing management incentives, (4) contingent liabilities of the general partner, (5) distribution policies and wind-down provisions, and (6) performance benchmarks and return-calculation methodologies.

1g. The carried interest is the share of a partnership’s return that is received by the general partners or investment advisers.

• Investment-risk ratings.
  Internal risk ratings should assign each investment a rating based on factors such as the nature of the company, strength of management, industry dynamics, financial condition, operating results, expected exit strategies, market conditions, and other pertinent factors. Different rating factors may be appropriate for indirect investments and direct investments.
• Periodic and timely investment strategy and performance (best, worst, and probable case assessment) reviews of equity investments, conducted at the individual and portfolio levels.
  Management should ensure that periodic and timely review of the institution’s equity investments takes place at both individual-investment and portfolio levels. Depending on the size, complexity, and risk profile of the investment, reviews should, when appropriate, include factors such as—
  — the history of the investment, including the total funds approved;
  — commitment amounts, principal-cash-investment amounts, cost basis, carrying value, major-investment cash flows, and supporting information including valuation rationales and methodologies;
  — the current actual percentage of ownership in the portfolio company on both a diluted and undiluted basis;
  — a summary of recent events and current outlook;
  — the recent financial performance of portfolio companies, including summary compilations of performance and forecasts, historical financial results, current and future plans, key performance metrics, and other relevant items;
  — internal investment-risk ratings and rating-change triggers;
  — exit strategies, both primary and contingent, and expected internal rates of return upon exit; and
  — other pertinent information for assessing the appropriateness, performance, and expected returns of investments.
  Portfolio reviews should include an aggregation of individual investment-risk and performance ratings; an analysis of appropriate industry, sector, geographic, and other pertinent concentrations; and total portfolio valuations. Portfolio reports that contain the cost basis, carrying values, estimated fair values, valuation discounts, and other factors summarizing the status of individual investments are integral tools for conducting effective portfolio reviews. Reports containing the results of all reviews should be available to supervisors for their inspection.
  Given the inherent uncertainties in equity investment activities, institutions should include in their periodic reviews consideration of the best case, worst case, and probable case assessments of investment performance. These reviews should evaluate changes in market conditions and the alternative assumptions used to value investments—including expected and contingent exit strategies. Major assumptions used in valuing investments and forecasting performance should be identified. These assessments need not be confined to quantitative analyses of potential losses, but may also include qualitative analyses. The formality and sophistication of investment reviews should be appropriate for the overall level of risk the depository institution incurs from this business line.
• Assessment of the equity investment valuation and accounting policies and the procedures used, their impact on earnings, and the extent of their compliance with generally accepted accounting principles (GAAP).
  Valuation and accounting policies and procedures can have a significant impact on the earnings of institutions engaged in equity investment activities. Many equity investments are made in privately held companies, for which independent price quotations are either unavailable or not available in sufficient volume to provide meaningful liquidity or a market valuation. Valuations of some equity investments may involve a high degree of judgment on the part of management or the
  skillful use of peer comparisons. Similar circumstances may exist for publicly traded securities that are thinly traded or subject to resale and holding-period restrictions, or when the institution holds a significant block of a company’s shares. It is of paramount importance that an institution’s policies and procedures on accounting and valuation methodologies for equity investments be clearly articulated.
  Under GAAP, equity investments held by investment companies, held by broker-dealers, or maintained in the trading account are reported at fair value, with any unrealized appreciation or depreciation included in earnings and flowing to tier 1 capital. For some holdings, fair value may reflect adjustments for liquidity and other factors.
  Equity investments that are not held in investment companies, by broker-dealers, or in the trading account and that have a readily determinable fair value (quoted market price) are generally reported as available-for-sale (AFS). They are marked to market with unrealized appreciation or depreciation recognized in GAAP-defined “comprehensive income” but not earnings. Appreciation or depreciation flows to equity, but, for regulatory capital purposes only, depreciation is included in tier 1 capital.1h Equity investments without readily determinable fair values generally are held at cost, subject to write-downs for impairments to the value of the asset. Impairments of value should be promptly and appropriately recognized and written down.

1h. Under the risk-based capital rule, supplementary (tier 2) capital may include up to 45 percent of pretax unrealized holding gains (that is, the excess, if any, of the fair value over historical cost) on AFS equity securities with readily determinable fair values.

  In determining fair value, the valuation methodology plays a critical role. Formal valuation and accounting policies should be established for investments in public companies; direct private investments; indirect fund investments; and, where appropriate, other types of investments with special characteristics. When establishing valuation policies, institutions should consider market conditions, taking account of lockout provisions, the restrictions of Securities and Exchange Commission Rule 144, liquidity features, the dilutive effects of warrants and options, and industry characteristics and dynamics.
  Accounting and valuation of equity investments should be subject to regular periodic review. In all cases, valuation reviews should produce documented audit trails that are available to supervisors and auditors. These reviews should assess the consistency of the methodologies used in estimating fair value.
  Accounting and valuation treatments should be assessed in light of their potential for abuse, such as through the inappropriate management or manipulation of reported earnings on equity investments. For example, high valuations may produce overstatements of earnings through gains and losses on investments reported at “fair value.” On the other hand, inappropriately understated valuations can provide vehicles for smoothing earnings by recognizing gains on profitable investments when an institution’s earnings are otherwise under stress. While reasonable people may disagree on valuations given to illiquid private equity investments, institutions should have rigorous valuation procedures that are applied consistently.
  Increasingly, equity investments are contributing to an institution’s earnings. The potential impact of these investments on the composition, quality, and sustainability of overall earnings should be appropriately recognized and assessed by both management and supervisors.
• A review of assumed and actual equity-investment exit strategies and the extent of their impact on the returns and reported earnings.
  The principal means of exiting an equity investment in a privately held company include initial public stock offerings, sales to other investors, and share repurchases. An institution’s assumptions on exit strategies can significantly affect the valuation of the investment. Management should periodically review investment exit strategies, with particular focus on larger or less-liquid investments.
• Policies and procedures governing the sale, exchange, transfer, or other disposition of equity investments.
  Policies and procedures to govern the sale, exchange, transfer, or other disposition of the institution’s investments should state clearly the levels of management or board approval required for the disposition of investments.
• Internal methods for allocating capital based on the risk inherent in the equity investment activities, including the methods for identify-
ing all material risks and their potential impact on the safety and soundness of the institution.
  Consistent with SR-99-18, depository institutions that are conducting material equity investment activities should have internal methods for allocating economic capital. These methods should be based on the risk inherent in the equity investment activities, including the identification of all material risks and their potential impact on the institution. Organizations that are substantially engaged in these investment activities should have strong capital positions supporting their equity investments. The economic capital that organizations allocate to their equity investments should be well in excess of the current regulatory minimums applied to lending activities. The amount of percentage of capital dedicated to the equity investment business line should be appropriate to the size, complexity, and financial condition of the institution. Assessments of capital adequacy should cover not only the institution’s compliance with regulatory capital requirements and the quality of regulatory capital, but should also include an institution’s methodologies for internally allocating economic capital to this business line.

Internal Controls

An adequate system of internal controls, with appropriate checks and balances and clear audit trails, is critical to conducting equity investment activities effectively. Appropriate internal controls should address all the elements of the investment-management process. The internal controls should focus on the appropriateness of existing policies and procedures; adherence to policies and procedures; and the integrity and adequacy of investment valuations, risk identification, regulatory compliance, and management reporting. Any departures from policies and procedures should be documented and reviewed by senior management, and this documentation should be available for examiner review.

As with other financial activities, the assessments of an organization’s compliance with both written and implied policies and procedures should be independent of line decision-making functions to the fullest extent possible. When fully independent reviews are not possible in smaller, less-complex institutions, alternative checks and balances should be established. These alternatives may include random internal audits, reviews by senior management who are independent of the function, or the use of outside third parties.

Documentation

Documentation of key elements of the investment process, including initial due diligence, approval reviews, valuations, and dispositions, is an integral part of any private equity investment internal control system. This documentation should be accessible to supervisors.

Legal Compliance

An institution’s internal controls should focus on compliance with all federal laws and regulations that are applicable to the institution’s investment activities. Regulatory compliance requirements, in particular, should be incorporated into internal controls so managers outside of the compliance or legal functions understand the parameters of permissible investment activities.

To ensure compliance with federal securities laws, institutions should establish policies, procedures, and other controls addressing insider trading. A “restricted list” of securities for which the institution has inside information is one example of a widely used method for controlling the risk of insider trading. In addition, control procedures should be in place to ensure that appropriate reports are filed with functional regulators.

The limitations in sections 23A and 23B of the FRA, which deal with transactions between a depository institution and its affiliates, are presumed by the Gramm-Leach-Bliley Act (GLB Act) to apply to certain transactions between a depository institution and any portfolio company in which an affiliate of the institution owns at least a 15 percent equity interest. This ownership threshold is lower than the ordinary definition of an affiliate, which is typically 25 percent.

Compensation

Often, key employees in the private equity investment units of banking organizations may
co-invest in the direct or fund investments made by the unit. These co-investment arrangements can be an important incentive and risk-control technique, and they can help to attract and retain qualified management. However, “cherry picking,” or selecting only certain investments for employee participation while excluding others, should be discouraged.

The employees’ co-investment may be funded through loans from the depository institution or its affiliates, which, in turn, would hold a lien against the employees’ interests. The administration of the compensation plan should be appropriately governed pursuant to formal agreements, policies, and procedures. Among other matters, policies and procedures should address the terms and conditions of employee loans and the sales of participants’ interests before the release of the lien.

Disclosure of Equity Investment Activities

Given the important role that market discipline plays in controlling risk, institutions should ensure that they adequately disclose the information necessary for the markets to assess the institution’s risk profile and performance in this business line. Indeed, it is in the institution’s interest, as well as that of its creditors and shareholders, to publicly disclose information about earnings and risk profiles. Institutions are encouraged to disclose in public filings information on the type and nature of investments, portfolio concentrations, returns, and their contributions to reported earnings and capital. Supervisors should fully review and use these disclosures, as well as periodic regulatory reports filed by publicly held banking organizations, as part of the information they review routinely.

The following topics are relevant for public disclosure, though disclosures on each of these topics may not be appropriate, relevant, or sufficient in every case:

• the size of the portfolio
• the types and nature of investments (for example, direct or indirect, domestic or international, public or private, equity or debt with conversion rights)
• initial cost, carrying value, and fair value of investments and, when applicable, comparisons to publicly quoted share values of portfolio companies
• the accounting techniques and valuation methodologies, including key assumptions and practices affecting valuation and changes in those practices
• the realized gains (or losses) arising from sales and unrealized gains (or losses)
• insights regarding the potential performance of equity investments under alternative market conditions

Lending to or Engaging in Other Transactions with Portfolio Companies

Additional risk-management issues may arise when a depository institution or an affiliate lends to or has other business relationships with (1) a company in which the depository institution or an affiliate has invested (that is, a portfolio company), (2) the general partner or manager of a private equity fund that has also invested in a portfolio company, or (3) a private-equity-financed company in which the banking institution does not hold a direct or indirect ownership interest but which is an investment or portfolio company of a general partner or fund manager with which the banking organization has other investments. Given the potentially higher-than-normal risk attributes of these lending relationships, institutions should devote special attention to ensuring that the terms and conditions of such relationships are at arm’s length and are consistent with the lending policies and procedures of the institution. Similar issues may arise in the context of derivatives transactions with or guaranteed by portfolio companies and general partners. Lending and other business transactions between an insured depository institution and a portfolio company that meet the definition of an affiliate must be negotiated on an arm’s-length basis, in accordance with section 23B of the FRA.

When a depository institution lends to a private-equity-financed company in which it has no equity interest but in which the borrowing company is a portfolio investment of private equity fund managers or general partners with which the institution may have other private-equity-related relationships, care must be taken to ensure that the extension of credit is conducted on reasonable terms. In some cases, lenders may wrongly assume that the general partners or another third party implicitly guar-
antees or stands behind such credits. Reliance on implicit guarantees or comfort letters should not substitute for reliance on a sound borrower that is expected to service its debt with its own resources. As with any type of credit extension, absent a written contractual guarantee, the credit quality of a private equity fund manager, general partner, or other third party should not be used to upgrade the internal credit-risk rating of the borrower company or to prevent the classification or special mention of a loan.

When an institution lends to a portfolio company in which it has a direct or an indirect interest, implications arise under sections 23A and 23B of the FRA, which govern credit-related transactions and asset purchases between a depository institution and its affiliates. Section 23A applies to transactions between a depository institution and any company in which the institution’s holding company or shareholders own at least 25 percent of the company’s voting shares. The GLB Act extends this coverage by establishing a presumption that a portfolio company is an affiliate of a depository institution if the financial holding company (FHC) uses the merchant banking authority of the GLB Act to own or control more than 15 percent of the equity of the company. Institutions should obtain the assistance of counsel in determining whether such issues exist or would exist if loans were extended to a portfolio company, general partner, or manager. Supervisors, including examiners, should ensure that the institution has conducted a proper review of these issues to avoid violations of law or regulations.

Examiners are expected to conduct an adequate evaluation of the risk-management process used to acquire and manage the securities and derivative contracts used in nontrading activities. In conducting this analysis, examiners should evaluate the following four key elements of a sound risk-management process:

• active board and senior management oversight
• adequate risk-management policies and limits
• appropriate risk-measurement and reporting systems
• comprehensive internal controls

This section identifies basic factors that examiners should consider in evaluating these elements for investment and end-user activities; it reiterates and supplements existing guidance and directives on the use of these instruments for nontrading purposes as provided in various supervisory letters and examination manuals.2

2. Existing policies and examiner guidance on various supervisory topics applicable to securities and off-balance-sheet instruments can be found in this manual, and the Bank Holding Company Supervision Manual, as well as in various supervision and regulation (SR) letters, including SR-90-16, “Implementation of Examination Guidelines for the Review of Asset Securitization Activities”; SR-91-4, “Inspection of Investment-Adviser Subsidiaries of Bank Holding Companies”; SR-93-69, “Risk Management and Internal Controls for Trading Activities”; and SR-98-12, “FFIEC Policy Statement on Investment Securities and End-User Derivatives Activities.”

In evaluating an institution’s risk-management process, examiners should consider the nature and size of its holdings. Examiner judgment plays a key role in assessing the adequacy of an institution’s risk-management process for securities and derivative contracts. Examiners should focus on evaluating an institution’s understanding of the risks involved in the instruments it holds. Regardless of any responsibility, legal or otherwise, assumed by a dealer or counterparty for a particular transaction, the acquiring insti-

Commercial Bank Examination Manual October 2008

tution is ultimately responsible for understanding and managing the risks of the transactions into which it enters. Failure of an institution to adequately understand, monitor, and evaluate the risks involved in its securities or derivative positions, either through lack of internal expertise or inadequate outside advice, constitutes an unsafe and unsound banking practice.

As with all risk-bearing activities, institutions should fully support the risk exposures of nontrading activities with adequate capital. Banking organizations should ensure that their capital positions are sufficiently strong to support all the risks associated with these activities on a fully consolidated basis and should maintain adequate capital in all affiliated entities engaged in these activities. In evaluating the adequacy of an institution’s capital, examiners should consider any unrecognized net depreciation or appreciation in an institution’s securities and derivative holdings. Further consideration should also be given to the institution’s ability to hold these securities and thereby avoid recognizing losses.

Board of Directors and Senior Management Oversight

Active oversight by the institution’s board of directors and relevant senior management is critical to a sound risk-management process. Examiners should ensure that these individuals are aware of their responsibilities and that they adequately perform their appropriate roles in overseeing and managing the risks associated with nontrading activities involving securities and derivative instruments.

Board of Directors

The board of directors has the ultimate responsibility for the level of risk taken by the institution. Accordingly, the board should approve overall business strategies and significant policies that govern risk taking, including those involving securities and derivative contracts. In particular, the board should approve policies identifying managerial oversight and articulating risk tolerances and exposure limits for securities and derivative activities. The board should also actively monitor the performance and risk profile of the institution and its various securities and derivative portfolios. Directors should periodically review information that is sufficiently detailed and timely to allow them to understand and assess the credit, market, and liquidity risks facing the institution as a whole and its securities and derivative positions in particular. These reviews should be conducted at least quarterly and more frequently when the institution holds significant positions in complex instruments. In addition, the board should periodically reevaluate the institution’s business strategies and significant risk-management policies and procedures, placing special emphasis on the institution’s financial objectives and risk tolerances. The minutes of board meetings and accompanying reports and presentation materials should clearly demonstrate the board’s fulfillment of these basic responsibilities. The section of this guidance on managing specific risks provides guidance on the types of objectives, risk tolerances, limits, and reports that directors should consider.

The board of directors should also conduct and encourage discussions between its members and senior management, as well as between senior management and others in the institution, on the institution’s risk-management process and risk exposures. Although it is not essential for board members to have detailed technical knowledge of these activities, if they do not, it is their responsibility to ensure that they have adequate access to independent legal and professional advice on the institution’s securities and derivative holdings and strategies. The familiarity, technical knowledge, and awareness of directors and senior management should be commensurate with the level and nature of an institution’s securities and derivative positions. Accordingly, the board should be knowledgeable enough or have access to independent advice to evaluate recommendations presented by management or investment advisors.

Senior Management

Senior management is responsible for ensuring that there are adequate policies and procedures for conducting investment and end-user activities on both a long-range and day-to-day basis. Management should maintain clear lines of authority and responsibility for acquiring instruments and managing risk, setting appropriate limits on risk taking, establishing adequate systems for measuring risk, setting acceptable standards for valuing positions and measuring per-
Commercial Bank Examination Manual October 2008

Page 9
2020.1 Investment Securities and End-User Activities

formance, establishing effective internal controls, tive holdings and the adequacy of the process
and enacting a comprehensive risk-reporting used in managing those exposures. Depending
and risk-management review process. To pro- on the size and nature of the institution, this
vide adequate oversight, management should review function may be carried out by either
fully understand the institution’s risk profile, management or a board committee. Regard-
including that of its securities and derivative less of size and sophistication, institutions
activities. Examiners should review the reports should ensure that back-office, settlement, and
to senior management and evaluate whether transaction-reconciliation responsibilities are
they provide both good summary information conducted and managed by personnel who
and sufficient detail to enable management to are independent of those initiating risk-taking
assess the sensitivity of securities and derivative positions.
holdings to changes in credit quality, market
prices and rates, liquidity conditions, and other
important risk factors. As part of its oversight Policies, Procedures, and Limits
responsibilities, senior management should peri-
odically review the organization’s risk- Institutions should maintain written policies and
management procedures to ensure that they procedures that clearly outline their approach
remain appropriate and sound. Senior manage- for managing securities and derivative instru-
ment should also encourage and participate in ments. These policies should be consistent with
active discussions with members of the board the organization’s broader business strategies,
and with risk-management staff regarding risk capital adequacy, technical expertise, and gen-
measurement, reporting, and management pro- eral willingness to take risks. They should
cedures. identify relevant objectives, constraints, and
Management should ensure that investment guidelines for both acquiring instruments and
and end-user activities are conducted by com- managing portfolios. In doing so, policies should
petent staff whose technical knowledge and establish a logical framework for limiting the
experience is consistent with the nature and various risks involved in an institution’s securi-
scope of the institution’s activities. There should ties and derivative holdings. Policies should
be sufficient depth in staff resources to manage clearly delineate lines of responsibility and
these activities if key personnel are not avail- authority over securities and derivative activi-
able. Management should also ensure that back- ties. They should also provide for the systematic
office and financial-control resources are suffi- review of products new to the firm. Examiners
cient to manage and control risks effectively. should evaluate the adequacy of an institution’s
risk-management policies and procedures in
relation to its size, its sophistication, and the
Independence in Managing Risks scope of its activities.
The process of measuring, monitoring, and con-
trolling risks within an institution should be Specifying Objectives
managed as independently as possible from
those individuals who have the authority to Institutions can use securities and derivative
initiate transactions. Otherwise, conflicts of inter- instruments for several primary and complemen-
est could develop. The nature and extent of this tary purposes.3 Banking organizations should
independence should be commensurate with articulate these objectives clearly and identify
the size and complexity of an institution’s secu- the types of securities and derivative contracts to
rities and derivative activities. Institutions with be used for achieving them. Objectives also
large and complex balance sheets or with sig- should be identified at the appropriate portfolio
nificant holdings of complex instruments would and institutional levels. These objectives should
be expected to have risk managers or risk- guide the acquisition of individual instruments
management functions fully independent of the
individuals who have the authority to conduct
transactions. Institutions with less complex hold- 3. Such purposes include, but are not limited to, generating
earnings, creating funding opportunities, providing liquidity,
ings should ensure that there is some mechanism hedging risk exposures, taking risk positions, modifying and
for independently reviewing both the level of managing risk profiles, managing tax liabilities, and meeting
risk exposures created by securities and deriva- pledging requirements.

October 2008 Commercial Bank Examination Manual

Investment Securities and End-User Activities 2020.1

and provide benchmarks for periodically evaluating the performance and effectiveness of an institution’s holdings, strategies, and programs. Whenever multiple objectives are involved, management should identify the hierarchy of potentially conflicting objectives.

Identifying Constraints, Guidelines, and Limits

An institution’s policies should clearly articulate the organization’s risk tolerance by identifying its willingness to take the credit, market, and liquidity risks involved in holding securities and derivative contracts. A statement of authorized instruments and activities is an important vehicle for communicating these risk tolerances. This statement should clearly identify permissible instruments or instrument types and the purposes or objectives for which the institution may use them. The statement also should identify permissible credit quality, market-risk sensitivity, and liquidity characteristics of the instruments and portfolios used in nontrading activities. For example, in the case of market risk, policies should address the permissible degree of price sensitivity and/or effective maturity volatility, taking into account an instrument’s or portfolio’s option and leverage characteristics. Specifications of permissible risk characteristics should be consistent with the institution’s overall credit-, market-, and liquidity-risk limits and constraints, and should help delineate a clear set of institutional limits for use in acquiring specific instruments and managing portfolios. Limits can be specified either as guidelines within the overall policies or in management operating procedures. Further guidance on managing specific risks and on the types of constraints and limits an institution might use in managing the credit, market, and liquidity risk of securities and derivative contracts is provided later in this section.

Limits should be set to guide acquisition and ongoing management decisions, control exposures, and initiate discussion within the organization about apparent opportunities and risks. Although procedures for establishing limits and operating within them may vary among institutions, examiners should determine whether the organization enforces its policies and procedures through a clearly identified system of risk limits. The organization’s policies should also include specific guidance on the resolution of limit excesses. Positions that exceed established limits should receive the prompt attention of appropriate management and should be resolved according to approved policies.

Limits should implement the overall risk tolerances and constraints articulated in general policy statements. Depending on the nature of an institution’s holdings and its general sophistication, limits can be identified for individual business units, portfolios, instrument types, or specific instruments. The level of detail of risk limits should reflect the characteristics of the institution’s holdings, including the types of risk to which the institution is exposed. Regardless of their specific form or level of aggregation, limits should be consistent with the institution’s overall approach to managing various types of risks. They should also be integrated to the fullest extent possible with institution-wide limits on the same risks as they arise in other activities of the firm. Later in this section, specific examiner considerations for evaluating the policies and limits used in managing each of the various types of risks involved in nontrading securities and derivative activities are addressed.

New-Product Review

An institution’s policies should also provide for effective review of any products being considered that would be new to the firm. An institution should not acquire a meaningful position in a new instrument until senior management and all relevant personnel (including those in internal-control, legal, accounting, and auditing functions) understand the product and can integrate it into the institution’s risk-measurement and control systems. An institution’s policies should define the terms “new product” and “meaningful position” consistent with its size, complexity, and sophistication. Institutions should not be hesitant to define an instrument as a new product. Small changes in the payment formulas or other terms of relatively simple and standard products can greatly alter their risk profiles and justify designation as a new product. New-product reviews should analyze all of the relevant risks involved in an instrument and assess how well the product or activity achieves specified objectives. New-product reviews also should include a description of the relevant accounting guidelines and identify the procedures for measuring, monitoring, and controlling the risks involved.

Accounting Guidelines

The accounting systems and procedures used for general-purpose financial statements and regulatory reporting purposes are critically important to enhancing the transparency of an institution’s risk profile. Accordingly, an institution’s policies should provide clear guidelines on accounting for all securities and derivative holdings. Accounting treatment should be consistent with specified objectives and with the institution’s regulatory requirements. Furthermore, institutions should ensure that they designate each cash or derivative contract for accounting purposes consistent with appropriate accounting policies and requirements. Accounting for nontrading securities and OBS derivative contracts should reflect the economic substance of the transactions. When instruments are used for hedging purposes, the hedging rationale and performance criteria should be well documented. Management should reassess these designations periodically to ensure that they remain appropriate.

Risk-Measurement and Reporting Systems

Clear procedures for measuring and monitoring risks are the foundation of a sound risk-management process. Examiners should ensure that an institution sufficiently integrates these functions into its ongoing management process and that relevant personnel recognize their role and understand the instruments held.

Risk Measurement

An institution’s system for measuring the credit, market, liquidity, and other risks involved in cash and derivative contracts should be as comprehensive and accurate as practicable. The degree of comprehensiveness should be commensurate with the nature of the institution’s holdings and risk exposures. Exposures to each type of risk (that is, credit, market, liquidity) should be aggregated across securities and derivative contracts and integrated with similar exposures arising from lending and other business activities to obtain the institution’s overall risk profile.

Examiners should evaluate whether the risk measures and the risk-measurement process are sufficient to accurately reflect the different types of risks facing the institution. Institutions should establish clear risk-measurement standards for both the acquisition and ongoing management of securities and derivative positions. Risk-measurement standards should provide a common framework for limiting and monitoring risks and should be understood by relevant personnel at all levels of the institution—from individual managers to the board of directors.

Acquisition standards. Institutions conducting securities and derivative activities should have the capacity to evaluate the risks of instruments before acquiring them. Before executing any transaction, an institution should evaluate the instrument to ensure that it meets the various objectives, risk tolerances, and guidelines identified by the institution’s policies. Evaluations of the credit-, market-, and liquidity-risk exposures should be clearly and adequately documented for each acquisition. Documentation should be appropriate for the nature and type of instrument; relatively simple instruments would probably require less documentation than instruments with significant leverage or option characteristics.

Institutions with significant securities and derivative activities are expected either to conduct in-house preacquisition analyses or use specific third-party analyses that are independent of the seller or counterparty. Analyses provided by the originating dealer or counterparty should be used only when a clearly defined investment advisory relationship exists. Less active institutions with relatively uncomplicated holdings may use risk analyses provided by the dealer only if the analyses are derived using standard industry calculators and market conventions. Such analyses must comprehensively depict the potential risks involved in the acquisition, and they should be accompanied by documentation that sufficiently demonstrates that the acquirer understands fully both the analyses and the nature of the institution’s relationship with the provider of these analyses. Notwithstanding information and analyses obtained from outside sources, management is ultimately responsible for understanding the nature and

November 1997 Commercial Bank Examination Manual


risk profiles of the institution’s securities and derivative holdings.

When reviewing an instrument, it is a prudent practice for institutions to obtain and compare price quotes and risk analyses from more than one dealer before acquisition. Institutions should ensure that they clearly understand the responsibilities of any outside parties that provide analyses and price quotes. If analyses and price quotes provided by dealers are used, institutions should assume that each party deals at arm’s length for its own account unless a written agreement stating otherwise exists. Institutions should exercise caution when dealers limit the institution’s ability to show securities or derivative contract proposals to other dealers to receive comparative price quotes or risk analyses. As a general sound practice, unless the dealer or counterparty is also acting under a specific investment advisory relationship, an investor or end-user should not acquire an instrument or enter into a transaction if its fair value or the analyses required to assess its risk cannot be determined through a means that is independent of the originating dealer or counterparty.

Portfolio-management standards. Institutions should periodically review the performance and effectiveness of instruments, portfolios, and institutional programs and strategies. This review should be conducted at least quarterly and should evaluate the extent to which the institution’s securities and derivative holdings meet the various objectives, risk tolerances, and guidelines established by the institution’s policies.4 Institutions with large or highly complex holdings should conduct reviews more frequently.

For internal measurements of risk, effective measurement of the credit, market, and liquidity risks of many securities and derivative contracts requires mark-to-market valuations. Accordingly, the periodic revaluation of securities and derivative holdings is an integral part of an effective risk-measurement system. Periodic revaluations should be fully documented. When available, actual market prices should be used. For less liquid or complex instruments, institutions with only limited holdings may use properly documented periodic prices and analyses provided by dealers or counterparties. More active institutions should conduct periodic revaluations and portfolio analyses using either in-house capabilities or outside-party analytical systems that are independent of sellers or counterparties. Institutions should recognize that indicative price quotes and model revaluations may differ from the values at which transactions can be executed.

Stress testing. Analyzing the credit, market, and liquidity risk of individual instruments, portfolios, and the entire institution under a variety of unusual and stressful conditions is an important aspect of the risk-measurement process. Management should seek to identify the types of situations, or the combinations of credit and market events, that could produce substantial losses or liquidity problems. Typically, management considers the institution’s consolidated exposures when managing nontrading securities and derivative contracts; therefore, the effect of stress on these exposures should be reviewed. Stress tests should evaluate changes in market conditions, including alternatives in the underlying assumptions used to value instruments. All major assumptions used in stress tests should be identified.

Stress tests should not be limited to quantitative exercises that compute potential losses or gains, but should include qualitative analyses of the tools available to management to deal with various scenarios. Contingency plans outlining operating procedures and lines of communication, both formal and informal, are important products of such qualitative analyses.

The appropriate extent and sophistication of an institution’s stress testing depend heavily on the scope and nature of its securities and derivative holdings and on its ability to limit the effect of adverse events. Institutions holding securities or derivative contracts with complex credit, market, or liquidity risk profiles should have an established regime of stress testing. Examiners should consider the circumstances at each institution when evaluating the adequacy or need for stress-testing procedures.

Risk Reporting

An accurate, informative, and timely management information system is essential. Examiners should evaluate the adequacy of an institution’s monitoring and reporting of the risks, returns,

4. For example, the performance of instruments and portfolios used to meet objectives for tax-advantaged earnings should be evaluated to ensure that they meet the necessary credit-rating, market-sensitivity, and liquidity characteristics established for this objective.


and overall performance of security and derivative activities to senior management and the board of directors. Management reports should be frequent enough to provide the responsible individuals with adequate information to judge the changing nature of the institution’s risk profile and to evaluate compliance with stated policy objectives and constraints.

Management reports should translate measured risks from technical and quantitative formats to formats that can be easily read and understood by senior managers and directors, who may not have specialized and technical knowledge of all financial instruments used by the institution. Institutions should ensure that they use a common conceptual framework for measuring and limiting risks in reports to senior managers and directors. These reports should include the periodic assessment of the performance of appropriate instruments or portfolios in meeting their stated objective, subject to the relevant constraints and risk tolerances.

Management Evaluation and Review

Management should regularly review the institution’s approach and process for managing risks. This includes regularly assessing the methodologies, models, and assumptions used to measure risks and limit exposures. Proper documentation of the elements used in measuring risks is essential for conducting meaningful reviews. Limits should be compared with actual exposures. Reviews should also consider whether existing measures of exposure and limits are appropriate in view of the institution’s holdings, past performance, and current capital position.

The frequency of the reviews should reflect the nature of an institution’s holdings and the pace of market innovations in measuring and managing risks. At a minimum, institutions with significant activities in complex cash or derivative contracts should review the underlying methodologies of the models they use at least annually—and more often as market conditions dictate—to ensure that they are appropriate and consistent. Reviews by external auditors or other qualified outside parties,

necessary expertise to identify and evaluate the important assumptions incorporated in the risk-measurement methodologies it uses.

Comprehensive Internal Controls and Audit Procedures

Institutions should have adequate internal controls to ensure the integrity of the management process used in investment and end-user activities. Internal controls consist of procedures, approval processes, reconciliations, reviews, and other mechanisms designed to provide a reasonable assurance that the institution’s risk-management objectives for these activities are achieved. Appropriate internal controls should address all of the various elements of the risk-management process, including adherence to policies and procedures, the adequacy of risk identification, and risk measurement and

An important element of a bank’s internal controls for investment and end-user activities is comprehensive evaluation and review by management. Management should ensure that the various components of the bank’s risk-management process are regularly reviewed and evaluated by individuals who are independent of the function they are assigned to review. Although procedures for establishing limits and for operating within them may vary among banks, management should conduct periodic reviews to determine whether the organization complies with its investment and end-user risk-management policies and procedures. Positions that exceed established limits should receive the prompt attention of appropriate management and should be resolved according to the process described in approved policies. Periodic reviews of the risk-management process should also address any significant changes in the nature of instruments acquired, limits, and internal controls that have occurred since the last review.

Examiners should also review the internal controls of all key activities involving securities and derivative contracts. For example, for trans-