87 FR 191 pgs. 60160-60170 - Framework for the Supervision of Insurance Organizations

Type: NOTICEVolume: 87Number: 191Pages: 60160 - 60170
Docket number: [Docket No. OP-1765]
FR document: [FR Doc. 2022-21414 Filed 10-3-22; 8:45 am]
Agency: Federal Reserve System
Official PDF Version:  PDF Version
Pages: 60160, 60161, 60162, 60163, 60164, 60165, 60166, 60167, 60168, 60169, 60170

[top] page 60160

FEDERAL RESERVE SYSTEM

[Docket No. OP-1765]

Framework for the Supervision of Insurance Organizations

AGENCY:

Board of Governors of the Federal Reserve System (Board).

ACTION:

Final guidance.

SUMMARY:

The Board is adopting a new supervisory framework for depository institution holding companies significantly engaged in insurance activities, referred to as supervised insurance organizations. The framework provides a supervisory approach that is designed specifically to reflect the differences between banking and insurance. Within the framework, the application of supervisory guidance and the assignment of supervisory resources is based explicitly on a supervised insurance organization's complexity and individual risk profile. The framework establishes the supervisory ratings applicable to these organizations with rating definitions that reflect specific supervisory requirements and expectations. It also emphasizes the Board's policy to rely to the fullest extent possible on work done by other relevant supervisors, describing, in particular, the way it relies on reports and other supervisory information provided by state insurance regulators to minimize supervisory duplication.

DATES:

Effective November 3, 2022.

FOR FURTHER INFORMATION CONTACT:

Thomas Sullivan, Senior Associate Director, (202) 475-7656; Lara Lylozian, Deputy Associate Director, (202) 475-6656; Matt Walker, Manager, (202) 872-4971; Brad Roberts, Lead Insurance Policy Analyst, (202) 452-2204; or Joan Sullivan, Senior Insurance Policy Analyst, (202) 912-4670, Division of Supervision and Regulation; or Dafina Stewart, Assistant General Counsel, (202) 872-7589; Andrew Hartlage, Senior Counsel, (202) 452-6483; Christopher Danello, Senior Attorney, (202) 736-1960; or Evan Hechtman, Senior Attorney, (202) 263-4810, Legal Division, Board of Governors of the Federal Reserve System, 20th and C Streets NW, Washington, DC 20551. For users of TTY-TRS, please call 711 from any telephone, anywhere in the United States.

SUPPLEMENTARY INFORMATION:

Table of Contents

I. Background

II. Notice of Proposed Guidance and Overview of Comments

III. Overview of Final Guidance and Modifications From the Proposal

IV. Final Guidance

A. Proportionality-Supervisory Activities and Expectations

B. Supervisory Ratings

C. Incorporating the Work of Other Supervisors

D. Additional Comments

V. Regulatory Analysis

A. Paperwork Reduction Act

Appendix A-Text of Insurance Supervisory Framework

I. Background

The Board supervises and regulates companies that control one or more banks (bank holding companies) and companies that are not bank holding companies that control one or more savings associations (savings and loan holding companies, and together with bank holding companies, depository institution holding companies). Congress gave the Board regulatory and supervisory authority for bank holding companies through the enactment of the Bank Holding Company Act of 1956 (BHC Act). 1 The Board's regulation and supervision of savings and loan holding companies began in 2011 when provisions of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act)? 2 transferring supervision and regulation of savings and loan holding companies from the Office of Thrift Supervision to the Board took effect. 3 Upon this transfer, the Board became the federal supervisory agency for all depository institution holding companies, including a portfolio of firms significantly engaged in insurance activities (supervised insurance organizations). 4

Footnotes:

1 ?Ch. 240, 70 Stat. 133.

2 ?Public Law 111-203, 124 Stat. 1376 (2010).

3 ?Dodd-Frank Act tit. III, 124 Stat. at 1520-70.

4 ?Although currently all supervised insurance organizations are savings and loan holding companies, the proposed framework would apply to any depository institution holding company that meets the criteria of a supervised insurance organization.


[top] The Board has a long-standing policy of supervising holding companies on a consolidated basis. Consolidated supervision encompasses all legal entities within a holding company page 60161 structure and supports an understanding of the organization's complete risk profile and its ability to address financial, managerial, operational, or other deficiencies before they pose a danger to its subsidiary depository institution(s). The Board's current supervisory approach for noninsurance depository institution holding companies assesses holding companies whose primary risks are largely related to the business of banking. The risks arising from insurance activities, however, are materially different from traditional banking risks. The top-tier holding company for some supervised insurance organizations is an insurance underwriting company, which is subject to supervision and regulation by the relevant state insurance regulator as well as consolidated supervision from the Board; for all supervised insurance organizations, the state insurance regulators supervise and regulate the business of insurance underwriting companies. Additionally, instead of producing consolidated financial statements based on generally accepted accounting principles, many of these firms only produce legal entity financial statements based on Statutory Accounting Principles (SAP) established by states through the National Association of Insurance Commissioners (NAIC).

The Board has recognized these differences in its supervision and regulation of supervised insurance organizations. For example, in 2013, when the Board made significant revisions to its regulatory capital framework, the Board determined not to apply it to this group of companies, stating that it would "explore further whether and how the proposed rule should be modified for these companies in a manner consistent with section 171 of the Dodd-Frank Act and safety and soundness concerns."? 5 In 2019, the Board invited comment on a proposal to establish a risk-based capital framework designed specifically for supervised insurance organizations, termed the Building Block Approach, that would adjust and aggregate existing legal entity capital requirements to determine an enterprise-wide capital requirement. 6 In addition, in 2018, the Board did not apply to these firms the supervisory rating systems applicable to other depository institution holding companies. 7 The insurance supervisory framework represents a significant step in the continuation of the Board's tailored approach to supervision and regulation for supervised insurance organizations.

Footnotes:

5 ?78 FR 62017, 62027 (October 11, 2013).

6 ?84 FR 57240 (October 24, 2019).

7 ? See 83 FR 58724 (November 21, 2018); 83 FR 56081 (November 9, 2018).

II. Notice of Proposed Guidance and Overview of Comments

On February 4, 2022, the Board invited public comment on a proposed framework for the supervision of insurance organizations (proposal). 8 The proposal would have established a transparent framework for consolidated supervision of supervised insurance organizations. A depository institution holding company would have been considered a supervised insurance organization if it were an insurance underwriting company or if over 25 percent of its consolidated assets were held by insurance underwriting subsidiaries. The proposed framework would have consisted of a risk-based approach to establishing supervisory expectations, assigning supervisory resources, and conducting supervisory activities; a supervisory rating system; and a description of how examiners would work with state insurance regulators to limit the burden associated with supervisory duplication.

Footnotes:

8 ?87 FR 6537 (February 4, 2022).

The comment period on the proposal closed on May 5, 2022. 9 The Board received four comments on the proposal. In addition, representatives of the Federal Reserve met with stakeholders and obtained supplementary information from certain commenters. Commenters generally supported the proposal. However, commenters also requested additional clarity on certain aspects of the proposal and provided suggestions on potential changes.

Footnotes:

9 ?The comment period on the proposal was extended by the Board. See 87 FR 17089 (March 25, 2022).

III. Overview of Final Guidance and Modifications From the Proposal

The final insurance supervisory framework adopts the core elements of the proposal with certain modifications to address comments received. Consistent with the proposal, the final framework consists of a risk-based approach to establishing supervisory expectations, assigning supervisory resources, and conducting supervisory activities; applies tailored supervisory ratings; and describes how Federal Reserve examiners will rely to the fullest extent possible on the work of state insurance regulators to limit supervisory duplication. The final guidance has been modified from the proposal to include additional clarity in various sections, including with respect to the complexity classification and applicable guidance. The final guidance also includes additional references to incorporating the work performed by state insurance regulators and allows for noncomplex supervised insurance organizations to be rated up to every other year.

IV. Final Guidance

A. Proportionality-Supervisory Activities and Expectations

Risk Profile, Complexity Classification, Risk Assessment

In the proposal, the terms "risk profile," "complexity classification," and "risk assessment" would have been used to describe the Board's approach to aligning its supervision with the risk of a firm. Under the proposal, an organization's risk profile would have depended on its products, investments, and strategy and would have been assessed independent of supervisory opinions or approach. The complexity classification would have been the Federal Reserve's preliminary view of the organization's risk profile and would have been used primarily to determine the level of supervisory resources needed to effectively supervise an organization. A supervised insurance organization would have been classified as either complex or noncomplex when the organization initially became subject to Federal Reserve supervision and only re-classified if the organization's risk profile significantly changed (typically the result of a major acquisition or divestiture). The risk assessment would have been an exercise typically completed annually by Federal Reserve examiners to support a discussion of the organization's material risks, ensuring that supervisory activities planned for the following year were risk-focused and did not duplicate work done by other regulators. Commenters requested clarity on the differences between these three terms as used in the proposal. The final guidance maintains these terms and their intended definitions, but the text has been adjusted to clarify how they will be used.

Complexity Classification


[top] Under the proposal, supervised insurance organizations would have been classified as either complex or noncomplex based on a list of characteristics. The complexity classification would have been the initial driver for the assignment of supervisory resources, with complex supervised insurance organizations being assigned a dedicated supervisory page 60162 team. The complexity classification would have also been a driver for the application of supervisory guidance. Organizations with over $100 billion of consolidated depository institution assets or that are designated as an internationally active insurance group (IAIG) would have automatically been classified as complex. Commenters requested additional transparency regarding the factors considered when making the complexity classification and suggested additional factors for consideration, such as the source of funding for non-insurance operations. Commenters also suggested removing the $100 billion consolidated depository institution asset threshold, removing the automatic complex classification for IAIGs in exchange for a materiality view of international exposure, attaching specific weights to the factors listed in the proposal, and providing organizations the opportunity to appeal or request a review of the complexity classification.

To ensure that organizations with similar sized banking operations are supervised consistently by the Federal Reserve, the final guidance retains the $100 billion consolidated depository institution asset threshold as proposed. The automatic complex classification proposed for IAIGs has been removed from the final guidance and instead the materiality of an insurance organization's international operations will be considered as part of the complexity classification decision. While weights were not added to the factors in order to preserve the flexibility needed to properly classify organizations of differing business and risk profiles, the factors in the final guidance are sequenced in order of expected relative priority. The Board believes that these factors are broad enough to cover the additional factors suggested by commenters. In response to the comments, and to promote transparency, the complexity classification work program used to support the complexity classification decision made by the Board will be published on the Board's website. The work program provides additional clarity regarding the information leveraged to make the complexity classification and several of the factors suggested by commenters are included in the work program as questions related to a listed factor. The final guidance also clarifies that an organization can request a review of its complexity classification if it has experienced a significant change to its risk profile.

Supervisory Activities

Under the proposal, supervisory activities would have focused on material risks to the consolidated organization and leveraged the work performed by the firm's functional regulators. Additionally, under the proposal, ratings examinations would have been performed annually for all supervised insurance organizations, including those classified as noncomplex. Commenters requested that supervisory activities focus on material risks not subject to oversight by other regulators and that, where appropriate, Federal Reserve examiners coordinate the timing and scope of supervisory activities with other regulators to avoid duplication. Specifically for noncomplex supervised insurance organizations, commenters requested that Federal Reserve examiners align periodic rating examinations with the frequency used by other regulators and limit the frequency of examinations to every other year, as described in SR letter 13-21, 10 "Inspection Frequency and Scope Requirements for Bank Holding Companies and Savings and Loan Holding Companies with Total Consolidated Assets of $10 Billion or Less."

Footnotes:

10 ? See SR letter 13-21, "Inspection Frequency and Scope Requirements for Bank Holding Companies and Savings and Loan Holding Companies with Total Consolidated Assets of $10 Billion or Less."

The final guidance emphasizes that supervisory activities focus primarily on material risks that could impede the organization's ability to act as a source of strength for its depository institution(s). Supervisory activities are also used to develop a better understanding of an organization's business and risk profile and to monitor the safety and soundness of the organization, including its adherence to applicable laws and regulations. As the consolidated supervisor, it is important for Federal Reserve examiners to understand all material risks to the organization. Federal Reserve examiners work closely with other regulators to promote knowledge sharing and to avoid, to the greatest extent possible, supervisory duplication. This includes discussing annual supervisory plans and coordinating the timing of supervisory activities. Under the final guidance, noncomplex supervised insurance organizations may be rated every other year, depending on the organization's risk profile.

Supervisory Expectations

Under the proposal, the requirement that supervised insurance organizations comply with all applicable laws and regulations, operate in a safe-and-sound manner, and act as a source of strength for their depository institution(s) would have been emphasized. Expectations within supervisory guidance published by the Board related to specific firm practices would have been tailored to reflect the firm's business and risk profile. Commenters were supportive of this tailoring and requested that the framework explicitly allow for supervisory expectations to differ by business line. Commenters also requested clarity regarding the applicability of SR letter 12-17, 11 "Consolidated Supervision Framework for Large Financial Institutions" to supervised insurance organizations.

Footnotes:

11 ? See SR letter 12-17, "Consolidated Supervision Framework for Large Financial Institutions."

Supervisory guidance issued by the Board often provides examples of practices that the Board generally considers consistent with safety-and-soundness standards. Most guidance issued by the Board provides examples specific to banking operations. The final guidance communicates that other practices used by supervised insurance organizations for their other business lines, including for insurance operations, may be different without being considered unsafe or unsound. When making an assessment of whether a different practice is unsafe or unsound, Federal Reserve examiners will work with supervised insurance organizations and their functional regulators, including state insurance regulators. The final guidance clarifies that it supersedes SR letter 12-17 for supervised insurance organizations.

One commenter also requested the Board provide additional clarity on supervisory expectations by continually updating the list of applicable guidance found in SR letter 14-9, 12 "Incorporation of Federal Reserve Policies into the Savings and Loan Holding Company Supervision Program." SR letter 14-9 was issued after supervisory authority for savings and loan holding companies was transferred from the Office of Thrift Supervision to the Board in order to clarify the applicability of guidance issued before the transfer. Guidance issued since the transfer has expressly stated its applicability to savings and loan holding companies, and this practice will continue. Accordingly, the Board does not intend to continually update SR letter 14-9 in this way.

Footnotes:

12 ? See SR letter 14-9, "Incorporation of Federal Reserve Policies into the Savings and Loan Holding Company Supervision Program."


[top] page 60163

B. Supervisory Ratings

Under the proposal, supervised insurance organizations would have been assigned supervisory ratings in each of three components: Capital Management, Liquidity Management, and Governance and Controls. The ratings would have been Broadly Meets Expectations, Conditionally Meets Expectations, Deficient-1, and Deficient-2. The definitions for the ratings would have been designed for supervised insurance organizations with particular emphasis on the obligation that the firms operate in a safe and sound manner and serve as a source of financial and managerial strength for their depository institution(s). Under the proposal, examples would have been included in the definitions for the Deficient-1 and Deficient-2 ratings for the Governance and Controls component that included being subject to informal or formal enforcement action by the Federal Reserve or another regulator. Commenters indicated that state insurance and other regulators may have different thresholds for enforcement actions and that the materiality of enforcement actions should be of more importance than the existence of an enforcement action. The final guidance qualifies the example provided by referring to enforcement actions tied to violations of laws and regulations that indicate severe deficiencies in the firm's governance and controls.

C. Incorporating the Work of Other Supervisors

Consistent with statutory requirements, under the proposal, Federal Reserve examiners would have relied to the fullest extent possible on the work performed by the firm's functional regulators, including state insurance regulators. This would have included coordinating with state insurance regulators before commencing certain supervisory activities, meeting periodically with state insurance regulators, and reviewing specific reports required of supervised insurance organizations from state insurance regulators. Commenters requested additional clarity regarding how Federal Reserve examiners would rely on the work of functional regulators and offered specific recommendations on ways to improve this reliance to avoid supervisory duplication. In response to these comments, the final guidance includes additional references to the importance of incorporating the work of other supervisors in the sections on proportionality and ratings. The final guidance also incorporates several of the suggested changes, including additional reports from the state insurance regulators that should be reviewed by Federal Reserve examiners.

D. Additional Comments

Regulatory Reporting

Under the proposal, there would have been no changes to regulatory reporting required by the Federal Reserve from supervised insurance organizations. Given the extensive subsidiary reporting required by state insurance regulators and to avoid duplication, commenters requested that supervised insurance organizations not be required to report on the FR Y-6 or submit FR Y-10, FR Y-11, or FR 2314 reports for passive real estate and other investments held by insurance underwriting companies. The proposal did not contemplate any changes to regulatory reporting requirements, and the Board is not making any such changes at this time. The Board will, however, consider incorporating these suggestions in future revisions of these reporting forms.

Adjustments To Accommodate Different Charter Types

Under the proposal, the framework would have included references to regulations applicable only to certain depository institution holding company charter types (savings and loan holding companies). The guidance is designed to apply to all organizations supervised by the Federal Reserve that meet the definition of a supervised insurance organization. Text included in the proposal applicable only to savings and loan holding companies has been removed from the final guidance.

V. Regulatory Analysis

A. Paperwork Reduction Act

There is no collection of information required by this notice that would be subject to the Paperwork Reduction Act of 1995, 44 U.S.C. 3501 et seq.

This Appendix A will not publish in the CFR.

Appendix A-Text of Insurance Supervisory Framework

Framework for the Supervision of Insurance Organizations

This framework describes the Federal Reserve's approach to consolidated supervision of supervised insurance organizations. 1 The framework is designed specifically to account for the unique risks and business profiles of these firms resulting mainly from their insurance business. The framework consists of a risk-based approach to establishing supervisory expectations, assigning supervisory resources, and conducting supervisory activities; a supervisory rating system; and a description of how Federal Reserve examiners work with the state insurance regulators to limit supervisory duplication.

Footnotes:

1 ?In this framework, a "supervised insurance organization" is a depository institution holding company that is an insurance underwriting company, or that has over 25 percent of its consolidated assets held by insurance underwriting subsidiaries, or has been otherwise designated as a supervised insurance organization by Federal Reserve staff.

A. Proportionality-Supervisory Activities and Expectations

Consistent with the Federal Reserve's approach to risk-based supervision, supervisory guidance is applied, and supervisory activities are conducted, in a manner that is proportionate to each firm's individual risk profile. This begins by classifying each supervised insurance organization either as complex or noncomplex based on its risk profile and continues with a risk-based application of supervisory guidance and supervisory activities driven by a periodic risk assessment. The risk assessment drives planned supervisory activities and is communicated to the firm along with the supervisory plan for the upcoming cycle. Supervisory activities are focused on resolving supervisory knowledge gaps, monitoring the safety and soundness of the firm, assessing the firm's management of risks that could potentially impact its ability to act as a source of managerial and financial strength for its depository institution(s), and monitoring for potential systemic risk, if relevant.

A. Complexity Classification and Supervised Activities

The Federal Reserve classifies each supervised insurance organization as either complex or noncomplex based on its risk profile. The classification serves as the basis for determining the level of supervisory resources dedicated to each firm, as well as the frequency and intensity of supervisory activities.

Complex


[top] Complex firms have a higher level of risk and therefore require more supervisory attention and resources. Federal Reserve dedicated supervisory teams are assigned to execute approved supervisory plans led by a dedicated Central Point of Contact. The activities listed in the supervisory plans focus on understanding any risks that could threaten the safety and soundness of the consolidated organization or a firm's ability to act as a source of strength for its subsidiary depository institution(s). These activities typically include continuous monitoring, targeted topical examinations, coordinated reviews, and an annual roll-up assessment resulting in ratings for the three rating components. The relevance of certain supervisory guidance may vary among complex firms based on each firm's risk profile. Supervisory guidance targeted at smaller depository institution holding companies, for example, may be more page 60164 relevant for complex supervised insurance organizations with limited inherent exposure to a certain risk.

Noncomplex

Noncomplex firms, due to their lower risk profile, require less supervisory oversight relative to complex firms. The supervisory activities for these firms occur primarily during a rating examination that occurs no less often than every other year and results in the three component ratings. The supervision of noncomplex firms relies more heavily on the reports and assessments of a firm's other relevant supervisors, although these firms may also be subject to continuous monitoring, targeted topical examinations, and coordinated reviews as appropriate. The focus and types of supervisory activities for noncomplex firms are also set based on the risks of each firm.

Factors considered when classifying a supervised insurance organization as either complex or noncomplex include the absolute and relative size of its depository institution(s), its current supervisory and regulatory oversight (ratings and opinions of its supervisors, and the nature and extent of any unregulated and/or unsupervised activities), the breadth and nature of product and portfolio risks, the nature of its organizational structure, its quality and level of capital and liquidity, the materiality of any international exposure, and its interconnectedness with the broader financial system.

For supervised insurance organizations that are commencing Federal Reserve supervision, the classification as complex or noncomplex is done and communicated during the application phase after initial discussions with the firm. The firm's risk profile, including the characteristics listed above, are evaluated by staff of the Board and relevant Reserve Bank before the complexity classification is assigned by Board staff. Large, well-established, and financially strong supervised insurance organizations with relatively small depository institutions can be classified as noncomplex if, in the opinion of Board staff, the corresponding level of supervisory oversight is sufficient to accomplish its objectives. Although the risk profile is the primary basis for assigning a classification, a firm is automatically classified as complex if its depository institution's average assets exceed $100 billion. A firm may request that the Federal Reserve review its complexity classification if it has experienced a significant change to its risk profile.

The focus, frequency, and intensity of supervisory activities are based on a risk assessment of the firm completed periodically by the supervisory team and will vary among firms within the same complexity classification. For each risk described in the Supervisory Expectations section below, the supervisory team assesses the firm's inherent risks and its residual risk after considering the effectiveness of its management of the risk. The risk assessment and the supervisory activities that follow from it take into account the assessments made by and work performed by the firm's other regulators. In certain instances, Federal Reserve examiners may be able to rely on a firm's internal audit (if it is rated effective) or internal control functions in developing the risk assessment.

B. Supervisory Expectations

Supervised insurance organizations are required to operate in a safe and sound manner, to comply with all applicable laws and regulations, and to possess sufficient financial and operational strength to serve as a source of strength for their depository institution(s) through a range of stressful yet plausible conditions. The governance and risk management practices necessary to accomplish these objectives will vary based on a firm's specific risk profile, size, and complexity. Guidance describing supervisory expectations for safe and sound practices can be found in Supervision & Regulation (SR) letters published by the Board and other supervisory material. Supervisory guidance most relevant to a specific supervised insurance organization is driven by the risk profile of the firm. Federal Reserve examiners periodically reassess the firm's risk profile and inform the firm if different supervisory guidance becomes more relevant as a result of a material change to its risk profile.

Most supervisory guidance issued by the Board is intended specifically for institutions that are primarily engaged in banking activities. Examples of specific practices provided in these materials may differ from (or not be applicable to) the nonbanking operations of supervised insurance organizations, including for insurance operations. The Board recognizes that practices in nonbanking business lines can be different than those published in supervisory guidance without being considered unsafe or unsound. When making their assessment, Federal Reserve examiners work with supervised insurance organizations and other involved regulators, including state insurance regulators, to appropriately assess practices that may be different than those typically observed for banking operations.

This section describes general safety and soundness expectations and how the Board has adapted its supervisory expectations to reflect the special characteristics of a supervised insurance organization. The section is organized using the three rating components-Governance and Controls, Capital Management, and Liquidity Management.

Governance and Controls

The Governance and Controls component rating is derived from an assessment of the effectiveness of a firm's (1) board and senior management, and (2) independent risk management and controls. All firms are expected to align their strategic business objectives with their risk appetite and risk management capabilities; maintain effective and independent risk management and control functions including internal audit; promote compliance with laws and regulations; and remain a source of financial and managerial strength for their depository institution(s). When assessing governance and controls, Federal Reserve examiners consider a firm's risk management capabilities relative to its risk exposure within the following areas: internal audit, credit risk, legal and compliance risk, market risk, model risk, and operational risk, including cybersecurity/information technology and third-party risk.

Governance & Controls expectations:

• Despite differences in their business models and the products offered, insurance companies and banks are expected to have effective and sustainable systems of governance and controls to manage their respective risks. The governance and controls framework for a supervised insurance organization should:

? Clearly define roles and responsibilities throughout the organization;

? Include policies and procedures, limits, requirements for documenting decisions, and decision-making and accountability chains of command; and

? Provide timely information about risk and corrective action for non-compliance or weak oversight, controls, and management.

• The Board expects the sophistication of the governance and controls framework to be commensurate with the size, complexity, and risk profile of the firm. As such, governance and controls expectations for complex firms will be higher than that for noncomplex firms but will also vary based on each firm's risk profile.

• The Board expects supervised insurance organizations to have a risk management and control framework that is commensurate with its structure, risk profile, complexity, activities, and size. For any chosen structure, the firm's board is expected to have the capacity, expertise, and sufficient information to discharge risk oversight and governance responsibilities in a safe and sound manner.

In assigning a rating for the Governance and Controls component, Federal Reserve examiners evaluate:

Board and Senior Management Effectiveness


[top] • The firm's board is expected to exhibit certain attributes consistent with effectiveness, including: (i) setting a clear, aligned, and consistent direction regarding the firm's strategy and risk appetite; (ii) directing senior management regarding board reporting; (iii) overseeing and holding senior management accountable; (iv) supporting the independence and stature of independent risk management and internal audit; and (v) maintaining a capable board and an effective governance structure. As the consolidated supervisor, the Board focuses on the board of the supervised insurance organization and its committees. Complex firms are expected to take into consideration the Board's guidance on board of directors' effectiveness. 2 In assessing the effectiveness of a firm's senior management, Federal Reserve examiners consider the extent to which senior management effectively and prudently manages the day-to-day operations of the firm and provides for ongoing resiliency; implements the firm's strategy and risk appetite; identifies and manages risks; maintains an effective risk management framework and system of internal controls; and promotes prudent risk taking behaviors and business practices, including compliance page 60165 with laws and regulations such as those related to consumer protection and the Bank Secrecy Act/Anti-Money Laundering and Office of Foreign Assets Control (BSA/AML and OFAC). Federal Reserve examiners evaluate how the framework allows management to be responsible for and manage all risk types, including emerging risks, within the business lines. Examiners rely to the fullest extent possible on insurance and banking supervisors' examination reports and information concerning risk and management in specific lines of business, including relying specifically on state insurance regulators to evaluate and assess how firms manage the pricing, underwriting, and reserving risk of their insurance operations.

Footnotes:

2 ? See SR letter 21-3, "Supervisory Guidance on Board of Directors' Effectiveness."

Independent Risk Management and Controls

• In assessing a firm's independent risk management and controls, Federal Reserve examiners consider the extent to which independent risk management effectively evaluates whether the firm's risk appetite framework identifies and measures all of the firm's material risks; establishes appropriate risk limits; and aggregates, assesses and reports on the firm's risk profile and positions. Additionally, the firm is expected to demonstrate that its internal controls are appropriate and tested for effectiveness and sustainability.

Internal Audit is an integral part of a supervised insurance organization's internal control system and risk management structure. An effective internal audit function plays an essential role by providing an independent risk assessment and objective evaluation of all key governance, risk management, and internal control processes. Internal audit is expected to effectively and independently assess the firm's risk management framework and internal control systems, and report findings to senior management and to the firm's audit committee. Despite differences in business models, the Board expects the largest, most complex supervised insurance organizations to have internal audit practices in place that are similar to those at banking organizations and as such, no modification to existing guidance is required for these firms. 3 At the same time, the Board recognizes that firms should have an internal audit function that is appropriate to their size, nature, and scope of activities. Therefore, for noncomplex firms, Federal Reserve examiners will consider the expectations in the insurance company's domicile state's Annual Financial Reporting Regulation (NAIC Model Audit Rule 205), or similar state regulation, to assess the effectiveness of a firm's internal audit function.

Footnotes:

3 ?Regulatory guidance provided in SR letter 03-5, "Amended Interagency Guidance on the Internal Audit Function and its Outsourcing" and SR letter 13-1, "Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing" are applicable to complex supervised insurance organizations.

The principles of sound risk management described in the previous sections apply to the entire spectrum of risk management activities of a supervised insurance organization, including but not limited to:

Credit risk arises from the possibility that a borrower or counterparty will fail to perform on an obligation. Fixed income securities, by far the largest asset class held by many insurance companies, is a large source of credit risk. This is unlike most banking organizations, where loans generally make up the largest portion of balance sheet assets. Life insurer investment portfolios in particular are generally characterized by longer duration holdings compared to those of banking organizations. Additionally, an insurance company's reinsurance recoverables/receivables arising from the use of third-party reinsurance and participation in regulatory required risk-pooling arrangements expose the firm to additional counterparty credit risk. Federal Reserve examiners scope examination work based on a firm's level of inherent credit risk. The level of inherent risk is determined by analyzing the composition, concentration, and quality of the consolidated investment portfolio; the level of a firm's reinsurance recoverables, the credit quality of the individual reinsurers, and the amount of collateral held for reinsured risks; and credit exposures associated with derivatives, securities lending, or other activities that may also have off-balance sheet counterparty credit exposures. In determining the effectiveness of a firm's management of its credit risk, Federal Reserve examiners rely, where possible, on the assessments made by other relevant supervisors for the depository institution(s) and the insurance company(ies). In its own assessment, the Federal Reserve will determine whether the board and senior management have established an appropriate credit risk governance framework consistent with the firm's risk appetite; whether policies, procedures and limits are adequate and provide for ongoing monitoring, reporting and control of credit risk; the adequacy of management information systems as it relates to credit risk; and the sufficiency of internal audit and independent review coverage of credit risk exposure.

Market risk arises from exposures to losses as a result of underlying changes in, for example, interest rates, equity prices, foreign exchange rates, commodity prices, or real estate prices. Federal Reserve examiners scope examination work based on a firm's level of inherent market risk exposure, which is normally driven by the primary business line(s) in which the firm is engaged as well as the structure of the investment portfolio. A firm may be exposed to inherent market risk due to its investment portfolio or as result of its product offerings, including variable and indexed life insurance and annuity products, or asset/wealth management business. While interest rate risk (IRR), a category of market risk, differs between insurance companies and banking organizations, the degree of IRR also differs based on the type of insurance products the firm offers. IRR is generally a small risk for U.S. property/casualty (P/C) whereas it can be a significant risk factor for life insurers with certain life and annuity products that are spread-based, longer in duration, may include embedded product guarantees, and can pose disintermediation risk. Equity market risk can be significant for life insurers that issue guarantees tied to equity markets, like variable annuity living benefits, and for P/C insurers with large common equity allocations in their investment portfolios. Generally foreign exchange and commodity risk is low for supervised insurance organizations but could be material for some complex firms. Firms are expected to have sound risk management infrastructure that adequately identifies, measures, monitors, and controls any material or significant forms of market risks to which it is exposed.

Model risk is the potential for adverse consequences from decisions based on incorrect or misused model outputs and reports. Model risk can lead to financial loss, poor business and strategic decision-making, or damage to a firm's reputation. Supervised insurance organizations are often heavily reliant on models for product pricing and reserving, risk and capital management, strategic planning and other decision-making purposes. A sound model risk management framework helps manage this risk. 4 Federal Reserve examiners take into account the firm's size, nature, and complexity, as well as the extent of use and sophistication of its models when assessing its model risk management program. Examiners focus on the governance framework, policies and controls, and enterprise model risk management through a holistic evaluation of the firm's practices. The Federal Reserve's review of a firm's model risk management program complements the work of the firm's other relevant supervisors. A sound model risk management framework includes three main elements: (1) an accurate model inventory and an appropriate approach to model development, implementation, and use; (2) effective model validation and continuous model performance monitoring; and (3) a strong governance framework that provides explicit support and structure for model risk management through policies defining relevant activities, procedures that implement those policies, allocation of resources, and mechanisms for evaluating whether policies and procedures are being carried out as specified, including internal audit review. The Federal Reserve relies on work already conducted by other relevant supervisors and appropriately collaborates with state insurance regulators on their findings related to insurance models. With respect to insurance models, the Federal Reserve recognizes the important role played by actuaries as described in actuarial standards of practice on model risk management. With respect to the business of insurance, Federal Reserve examiners focus on the firm's adherence to its own policies and procedures and the comprehensiveness of model validation rather than technical specifications such as the appropriateness of the model, its assumptions, or output. Federal Reserve examiners may request that firms provide model documentation or model validation reports for insurance and bank models when performing transaction testing.

Footnotes:

4 ?SR letter 11-7, "Guidance on Model Risk Management" is applicable to all supervised insurance organizations.


[top] Legal risk arises from the potential that unenforceable contracts, lawsuits, or adverse page 60166 judgments can disrupt or otherwise negatively affect the operations or financial condition of a supervised insurance organization.

Compliance risk is the risk of regulatory sanctions, fines, penalties, or losses resulting from failure to comply with laws, rules, regulations, or other supervisory requirements applicable to a firm. By offering multiple financial service products that may include insurance, annuity, banking, services provided by securities broker-dealers, and asset and wealth management products, provided through a diverse distribution network, supervised insurance organizations are inherently exposed to a significant amount of legal and compliance risk. As the consolidated supervisor, the Board expects firms to have an enterprise-wide legal and compliance risk management program that covers all business lines, legal entities, and jurisdictions of operation. Firms are expected to have compliance risk management governance, oversight, monitoring, testing, and reporting commensurate with their size and complexity, and to ensure compliance with all applicable laws and regulations. The principles-based guidance in existing SR letters related to legal and compliance risk is applicable to supervised insurance organizations. 5 For both complex and noncomplex firms, Federal Reserve examiners rely on the work of the firm's other supervisors. As described in section C, Incorporating the Work of Other Supervisors, the assessments, examination results, ratings, supervisory issues, and enforcement actions from other supervisors will be incorporated into a consolidated assessment of the enterprise-wide legal and compliance risk management framework.

Footnotes:

5 ?SR letter 08-8, "Compliance Risk Management Programs and Oversight at Large Banking Organizations with Complex Compliance Profiles" is applicable to complex supervised insurance organizations. For noncomplex firms, the Federal Reserve will assess legal and compliance risk management based on the guidance in SR letter 16-11, "Supervisory Guidance for Assessing Risk Management at Supervised Institutions with Total Consolidated Assets Less than $100 Billion."

? Money laundering, terrorist financing and other illicit financial activity risk is the risk of providing criminals access to the legitimate financial system and thereby being used to facilitate financial crime. This financial crime includes laundering criminal proceeds, financing terrorism, and conducting other illegal activities. Money laundering and terrorist financing risk is associated with a financial institution's products, services, customers, and geographic locations. This and other illicit financial activity risks can impact a firm across business lines, legal entities, and jurisdictions. A reasonably designed compliance program generally includes a structure and oversight that mitigates these risks and supports regulatory compliance with both BSA/AML OFAC requirements. Although OFAC regulations are not part of the BSA, OFAC compliance programs are frequently assessed in conjunction with BSA/AML. Supervised insurance organizations are not defined as financial institutions under the BSA and, therefore, are not required to have an AML program, unless the firm is directly selling certain insurance products. However, certain subsidiaries and affiliates of supervised insurance organizations, such as insurance companies and banks, are defined as financial institutions under 31 U.S.C. 5312(a)(2) and must develop and implement a written BSA/AML compliance program as well as comply with other BSA regulatory requirements. Unlike banks, insurance companies' BSA/AML obligations are limited to certain products, referred to as covered insurance products. 6 The volume of covered products, which the Financial Crimes Enforcement Network (FinCEN) has determined to be of higher risk, is an important driver of supervisory focus. In addition, as U.S. persons, all supervised insurance organizations (including their subsidiaries and affiliates) are subject to OFAC regulations. Federal Reserve examiners assess all material risks that each firm faces, extending to whether business activities across the consolidated organization, including within its individual subsidiaries or affiliates, comply with the legal requirements of BSA and OFAC regulations. In keeping with the principles of a risk-based framework and proportionality, Federal Reserve supervision for BSA/AML and OFAC primarily focuses on oversight of compliance programs at a consolidated level and relies on work by other relevant supervisors to the fullest extent possible. In the evaluation of a firm's risks and BSA/AML and OFAC compliance program, however, it may be necessary for examiners to review compliance with BSA/AML and OFAC requirements at individual subsidiaries or affiliates in order to fully assess the material risks of the supervised insurance organization.

Footnotes:

6 ?"Covered products" means: a permanent life insurance policy, other than a group life insurance policy; an annuity contract, other than a group annuity contract; or any other insurance product with features of cash value or investment. 31 CFR 1025.100(b). "Permanent life insurance policy" means an agreement that contains a cash value or investment element and that obligates the insurer to indemnify or to confer a benefit upon the insured or beneficiary to the agreement contingent upon the death of the insured. 31 CFR 1025.100(h). "Annuity contract" means any agreement between the insurer and the contract owner whereby the insurer promises to pay out a fixed or variable income stream for a period of time. 31 CFR 1025.100(a).

Operational risk is the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events. Operational resilience is the ability to maintain operations, including critical operations and core business lines, through a disruption from any hazard. It is the outcome of effective operational risk management combined with sufficient financial and operational resources to prepare, adapt, withstand, and recover from disruptions. A firm that operates in a safe and sound manner is able to identify threats, respond and adapt to incidents, and recover and learn from such threats and incidents so that it can prioritize and maintain critical operations and core business lines, along with other operations, services and functions identified by the firm, through a disruption.

? Cybersecurity/information technology risks are a subset of operational risk and arise from operations of a firm requiring a strong and robust internal control system and risk management oversight structure. Information Technology (IT) and Cybersecurity (Cyber) functions are especially critical to a firm's operations. Examiners of financial institutions, including supervised insurance organizations, utilize the detailed guidance on mitigating these risks in the Federal Financial Institutions Examination Council's (FFIEC) IT Handbooks. In assessing IT/Cyber risks, Federal Reserve examiners assess each firm's:

Board and senior management for effective oversight and support of IT management;

Information/cyber security program for strong board and senior management support, integration of security activities and controls through business processes, and establishment of clear accountability for security responsibilities;

IT operations for sufficient personnel, system capacity and availability, and storage capacity adequacy to achieve strategic objectives and appropriate solutions;

Development and acquisition processes' ability to identify, acquire, develop, install, and maintain effective IT to support business operations; and

Appropriate business continuity management processes to effectively oversee and implement resilience, continuity, and response capabilities to safeguard employees, customers, assets, products, and services.

Complex and noncomplex firms are assessed in these areas. All supervised insurance organizations are required to notify the Federal Reserve of any computer-security notification incidents. 7

Footnotes:

7 ?SR letter 22-4, "Contact Information in Relation to Computer-Security Incident Notification Requirements " applies to all supervised insurance organizations.

? Third party risk is also a subset of operational risk and arises from a firm's use of service providers to perform operational or service functions. These risks may be inherent to the outsourced activity or be introduced with the involvement of the service provider. When assessing effective third party risk management, Federal Reserve examiners evaluate eight areas: (1) third party risk management governance, (2) risk assessment framework, (3) due diligence in the selection of a service provider, (4) a review of any incentive compensation embedded in a service provider contract, (5) management of any contract or legal issues arising from third party agreements, (6) ongoing monitoring and reporting of third parties, (7) business continuity and contingency of the third party for any service disruptions, and (8) effective internal audit program to assess the risk and controls of the firm's third party risk management program. 8

Footnotes:

8 ?SR letter 13-19, "Guidance on Managing Outsourcing Risk " applies to all supervised insurance organizations.

Capital Management


[top] The Capital Management rating is derived from an assessment of a firm's current and stressed level of capitalization, and the page 60167 quality of its capital planning and internal stress testing. A capital management program should be commensurate with a supervised insurance organization's complexity and risk profile. In assigning this rating, the Federal Reserve examiners evaluate the extent to which a firm maintains sound capital planning practices through effective governance and oversight, effective risk management and controls, maintenance of updated capital policies and contingency plans for addressing potential shortfalls, and incorporation of appropriately stressful conditions into capital planning and projections of capital positions. The extent to which a firm's capital is sufficient to comply with regulatory requirements, to support the firm's ability to meet its obligations, and to enable the firm to remain a source of strength to its depository institution(s) in a range of stressful, but plausible, economic and financial environments is also evaluated.

Insurance company balance sheets are typically quite different from those of most banking organizations. For life insurance companies, investment strategies may focus on cash flow matching to reduce interest rate risk and provide liquidity to support their liabilities, while for traditional banks, deposits (liabilities) are attracted to support investment strategies. Additionally, for insurers, capital provides a buffer for policyholder claims and creditor obligations, helping the firm absorb adverse deviations in expected claims experience, and other drivers of economic loss. The Board recognizes that the capital needs for insurance activities are materially different from those of banking activities and can be different between life and property and casualty insurers. Insurers may also face capital fungibility constraints not faced by banking organizations.

In assessing a supervised insurance organization's capital management, the Federal Reserve relies to the fullest extent possible on information provided by state insurance regulators, including the firm's own risk and solvency assessment (ORSA) and the state insurance regulator's written assessment of the ORSA. An ORSA is an internal process undertaken by an insurance group to assess the adequacy of its risk management and current and prospective capital position under normal and stress scenarios. As part of the ORSA, insurance groups are required to analyze all reasonably foreseeable and relevant material risks that could have an impact on their ability to meet obligations.

The Board expects supervised insurance organizations to have sound governance over their capital planning process. A firm should establish capital goals that are approved by the board of directors, and that reflect the potential impact of legal and/or regulatory restrictions on the transfer of capital between legal entities. In general, senior management should establish the capital planning process, which should be reviewed and approved periodically by the board. The board should require senior management to provide clear, accurate, and timely information on the firm's material risks and exposures to inform board decisions on capital adequacy and actions. The capital planning process should clearly reflect the difference between the risk profiles and associated capital needs of the insurance and banking businesses.

A firm should have a risk management framework that appropriately identifies, measures, and assesses material risks and provides a strong foundation for capital planning. This framework should be supported by comprehensive policies and procedures, clear and well-established roles and responsibilities, strong internal controls, and effective reporting to senior management and the board. In addition, the risk management framework should be built upon sound management information systems.

As part of capital management, a firm should have a sound internal control framework that helps ensure that all aspects of the capital planning process are functioning as designed and result in an accurate assessment of the firm's capital needs. The internal control framework should be independently evaluated periodically by the firm's internal audit function.

The governance and oversight framework should include an assessment of the principles and guidelines used for capital planning, issuance, and usage, including internal post-stress capital goals and targeted capital levels; guidelines for dividend payments and stock repurchases; strategies for addressing capital shortfalls; and internal governance responsibilities and procedures for the capital policy. The capital policy should reflect the capital needs of the insurance and banking businesses based on their risks, be approved by the firm's board of directors or a designated committee of the board, and be re-evaluated periodically and revised as necessary.

A strong capital management program will incorporate appropriately stressful conditions and events that could adversely affect the firm's capital adequacy and capital planning. As part of its capital plan, a firm should use at least one scenario that stresses the specific vulnerabilities of the firm's activities and associated risks, including those related to the firm's insurance activities and its banking activities.

Supervised insurance organizations should employ estimation approaches to project the impact on capital positions of various types of stressful conditions and events, and that are independently validated. A firm should estimate losses, revenues, expenses, and capital using sound methods that incorporate macroeconomic and other risk drivers. The robustness of a firm's capital stress testing processes should be commensurate with its risk profile.

Liquidity Management

The Liquidity Management rating is derived from an assessment of the supervised insurance organization's liquidity position and the quality of its liquidity risk management program. Each firm's liquidity risk management program should be commensurate with its complexity and risk profile.

The Board recognizes that supervised insurance organizations are typically less exposed to traditional liquidity risk than banking organizations. Instead of cash outflows being mainly the result of discretionary withdrawals, cash outflows for many insurance products only result from the occurrence of an insured event. Insurance products, like annuities, that are potentially exposed to call risk generally have product features ( i.e., surrender charges, market value surrenders, tax treatment, etc.) that help mitigate liquidity risk.

Federal Reserve examiners tailor the application of existing supervisory guidance on liquidity risk management to reflect the liquidity characteristics of supervised insurance organizations. 9 For example, guidance on intra-day liquidity management would only be applicable for supervised insurance organizations with material intra-day liquidity risks. Additionally, specific references to liquid assets may be more broadly interpreted to include other asset classes such as certain investment-grade corporate bonds.

Footnotes:

9 ? See SR letter 10-6, "Interagency Policy Statement on Funding and Liquidity Risk Management."

The scope of the Federal Reserve's supervisory activities on liquidity risk is influenced by each firm's individual risk profile. Traditional property and casualty insurance products are typically short duration liabilities backed by short-duration, liquid assets. Because of this, they typically present lower liquidity risk than traditional banking activities. However, some non-traditional life insurance and retirement products create liquidity risk through features that allow payments at the request of policyholders without the occurrence of an insured event. Risks of certain other insurance products are often mitigated using derivatives. Any differences between collateral requirements related to hedging and the related liability cash flows can also create liquidity risk. The Board expects firms significantly engaged in these types of insurance activities to have correspondingly more sophisticated liquidity risk management programs.

A strong liquidity risk management program includes cash flow forecasting with appropriate granularity. The firm's suite of quantitative metrics should effectively inform senior management and the board of directors of the firm's liquidity risk profile and identify liquidity events or stresses that could detrimentally affect the firm. The metrics used to measure a firm's liquidity position may vary by type of business.

Federal Reserve examiners rely to the fullest extent possible on each firm's ORSA, which requires all firms to include a discussion of the risk management framework and assessment of material risks, including liquidity risk.


[top] Supervised insurance organizations are expected to perform liquidity stress testing at least annually and more frequently, if necessary, based on their risk profile. The scenarios used should reflect the firm's specific risk profile and include both idiosyncratic and system-wide stress events. Stress testing should inform the firm on the amount of liquid assets necessary to meet net cash outflows over relevant time periods, including at least a one-year time horizon. Firms should hold a liquidity buffer page 60168 comprised of highly liquid assets to meet stressed net cash outflows. The liquidity buffer should be measured using appropriate haircuts based on asset quality, duration, and expected market illiquidity based on the stress scenario assumptions. Stress testing should reflect the expected impact on collateral requirements. For material life insurance operations, Federal Reserve examiners will rely to the greatest extent possible on information submitted by the firm to comply with the National Association of Insurance Commissioners' (NAIC) liquidity stress test framework.

The fungibility of sources of liquidity is often limited between an insurance group's legal entities. Large insurance groups can operate with a significant number of legal entities and many different regulatory and operational barriers to transferring funds among them. Regulations designed to protect policyholders of insurance operating companies can limit the transferability of funds from an insurance company to other legal entities within the group, including to other insurance operating companies. Supervised insurance organizations should carefully consider these limitations in their stress testing and liquidity risk management framework. Effective liquidity stress testing should include stress testing at the legal entity level with consideration for intercompany liquidity fungibility. Furthermore, the firm should be able to measure and provide an assessment of liquidity at the top-tier depository institution holding company in a manner that incorporates fungibility constraints.

The enterprise-wide governance and oversight framework should be consistent with the firm's liquidity risk profile and include policies and procedures on liquidity risk management. The firm's policies and procedures should describe its liquidity risk reporting, stress testing, and contingency funding plan.

B. Supervisory Ratings

Supervised insurance organizations are expected to operate in a safe and sound manner, to comply with all applicable laws and regulations, and to possess sufficient financial and operational strength to serve as a source of strength for their depository institution(s) through a range of stressful yet plausible conditions. Supervisory ratings and supervisory findings are used to communicate the assessment of a firm. Federal Reserve examiners periodically assign one of four ratings to each of the three rating components used to assess supervised insurance organizations. The rating components are Capital Management, Liquidity Management, and Governance & Controls. The four potential ratings are Broadly Meets Expectations, Conditionally Meets Expectations, Deficient-1, and Deficient-2. To be considered "well managed," a firm must receive a rating of Conditionally Meets Expectations or better in each of the three rating components. Each rating is defined specifically for supervised insurance organizations with particular emphasis on the obligation that firms serve as a source of financial and managerial strength for their depository institution(s). High-level definitions for each rating are below, followed by more specific rating definitions for each component.

Broadly Meets Expectations. The supervised insurance organization's practices and capabilities broadly meet supervisory expectations. The holding company effectively serves as a source of managerial and financial strength for its depository institution(s) and possesses sufficient financial and operational strength and resilience to maintain safe-and-sound operations through a range of stressful yet plausible conditions. The firm may have outstanding supervisory issues requiring corrective actions, but these are unlikely to present a threat to its ability to maintain safe-and-sound operations and unlikely to negatively impact its ability to fulfill its obligation to serve as a source of strength for its depository institution(s). These issues are also expected to be corrected on a timely basis during the normal course of business.

Conditionally Meets Expectations. The supervised insurance organization's practices and capabilities are generally considered sound. However, certain supervisory issues are sufficiently material that if not resolved in a timely manner during the normal course of business, may put the firm's prospects for remaining safe and sound, and/or the holding company's ability to serve as a source of managerial and financial strength for its depository institution(s), at risk. A firm with a Conditionally Meets Expectations rating has the ability, resources, and management capacity to resolve its issues and has developed a sound plan to address the issue(s) in a timely manner. Examiners will work with the firm to develop an appropriate timeframe during which it will be required to resolve that supervisory issue(s) leading to this rating.

Deficient-1. Financial or operational deficiencies in a supervised insurance organization's practices or capabilities put its prospects for remaining safe and sound, and/or the holding company's ability to serve as a source of managerial and financial strength for its depository institution(s), at significant risk. The firm is unable to remediate these deficiencies in the normal course of business, and remediation would typically require it to make material changes to its business model or financial profile, or its practices or capabilities. A firm with a Deficient-1 rating is required to take timely action to correct financial or operational deficiencies and to restore and maintain its safety and soundness and compliance with laws and regulations. Supervisory issues that place the firm's safety and soundness at significant risk, and where resolution is likely to require steps that clearly go beyond the normal course of business-such as issues requiring a material change to the firm's business model or financial profile, or its governance, risk management or internal control structures or practices-would generally warrant assignment of a Deficient-1 rating. There is a strong presumption that a firm with a Deficient-1 rating will be subject to an enforcement action.

Deficient-2. Financial or operational deficiencies in a supervised insurance organization's practices or capabilities present a threat to its safety and soundness, have already put it in an unsafe and unsound condition, and/or make it unlikely that the holding company will be able to serve as a source of financial and managerial strength to its depository institution(s). A firm with a Deficient-2 rating is required to immediately implement comprehensive corrective measures and demonstrate the sufficiency of contingency planning in the event of further deterioration. There is a strong presumption that a firm with a Deficient-2 rating will be subject to a formal enforcement action.

Definitions for the Governance and Controls Component Rating:

Broadly Meets Expectations. Despite the potential existence of outstanding supervisory issues, the supervised insurance organization's governance and controls broadly meet supervisory expectations, supports maintenance of safe-and-sound operations, and supports the holding company's ability to serve as a source of financial and managerial strength for its depository institutions(s). Specifically, the firm's practices and capabilities are sufficient to align strategic business objectives with its risk appetite and risk management capabilities; maintain effective and independent risk management and control functions, including internal audit; promote compliance with laws and regulations; and otherwise provide for the firm's ongoing financial and operational resiliency through a range of conditions. The firm's governance and controls clearly reflect the holding company's obligation to act as a source of financial and managerial strength for its depository institution(s).

Conditionally Meets Expectations. Certain material financial or operational weaknesses in a supervised insurance organization's governance and controls practices may place the firm's prospects for remaining safe and sound through a range of conditions at risk if not resolved in a timely manner during the normal course of business. Specifically, if left unresolved, these weaknesses may threaten the firm's ability to align strategic business objectives with its risk appetite and risk-management capabilities; maintain effective and independent risk management and control functions, including internal audit; promote compliance with laws and regulations; or otherwise provide for the firm's ongoing resiliency through a range of conditions. Supervisory issues may exist related to the firm's internal audit function, but internal audit is still regarded as effective.

Deficient-1. Deficiencies in a supervised insurance organization's governance and controls put its prospects for remaining safe and sound through a range of conditions at significant risk. The firm is unable to remediate these deficiencies in the normal course of business, and remediation would typically require a material change to the firm's business model or financial profile, or its governance, risk management or internal control structures or practices.

Examples of issues that may result in a Deficient-1 rating include, but are not limited to:


[top] • The firm may be currently subject to, or expected to be subject to, informal or formal page 60169 enforcement action(s) by the Federal Reserve or another regulator tied to violations of laws and regulations that indicate severe deficiencies in the firm's governance and controls.

• Significant legal issues may have or be expected to impede the holding company's ability to act as a source of financial strength for its depository institution(s).

• The firm may have engaged in intentional misconduct.

• Deficiencies within the firm's governance and controls may limit the credibility of the firm's financial results, limit the board or senior management's ability to make sound decisions, or materially increase the firm's risk of litigation.

• The firm's internal audit function may be considered ineffective.

• Deficiencies in the firm's governance and controls may have limited the holding company's ability to act as a source of financial and/or managerial strength for its depository institution(s).

Deficient-2. Financial or operational deficiencies in a supervised insurance organization's governance and controls present a threat to its safety and soundness, a threat to the holding company's ability to serve as a source of financial strength for its depository institution(s), or have already put the firm in an unsafe and unsound condition.

Examples of issues that may result in a Deficient-2 rating include, but are not limited to:

• The firm is currently subject to, or expected to be subject to, formal enforcement action(s) by the Federal Reserve or another regulator tied to violations of laws and regulations that indicate severe deficiencies in the firm's governance and controls.

• Significant legal issues may be impeding the holding company's ability to act as a source of financial strength for its depository institution(s).

• The firm may have engaged in intentional misconduct.

• The holding company may have failed to act as a source of financial and/or managerial strength for its depository institution(s) when needed.

• The firm's internal audit function is regarded as ineffective.

Definitions for the Capital Management Component Rating:

Broadly Meets Expectations. Despite the potential existence of outstanding supervisory issues, the supervised insurance organization's capital management broadly meets supervisory expectations, supports maintenance of safe-and-sound operations, and supports the holding company's ability to serve as a source of financial strength for its depository institution(s). Specifically:

• The firm's current and projected capital positions on a consolidated basis and within each of its material business lines/legal entities comply with regulatory requirements and support its ability to absorb potential losses, meet obligations, and continue to serve as a source of financial strength for its depository institution(s);

• Capital management processes are sufficient to give credibility to stress testing results and the firm is capable of producing sound assessments of capital adequacy through a range of stressful yet plausible conditions; and

• Potential capital fungibility issues are effectively mitigated, and capital contingency plans allow the holding company to continue to act as a source of financial strength for its depository institution(s) through a range of stressful yet plausible conditions.

Conditionally Meets Expectations. Capital adequacy meets regulatory minimums, both currently and on a prospective basis. Supervisory issues exist but these do not threaten the holding company's ability to act as a source of financial strength for its depository institution(s) through a range of stressful yet plausible conditions. Specifically, if left unresolved, these issues:

• May threaten the firm's ability to produce sound assessments of capital adequacy through a range of stressful yet plausible conditions; and/or

• May result in the firm's projected capital positions being insufficient to absorb potential losses, comply with regulatory requirements, and support the holding company's ability to meet current and prospective obligations and continue to serve as a source of financial strength to its depository institution(s).

Deficient-1. Financial or operational deficiencies in a supervised insurance organization's capital management put its prospects for remaining safe and sound through a range of plausible conditions at significant risk. The firm is unable to remediate these deficiencies in the normal course of business, and remediation would typically require a material change to the firm's business model or financial profile, or its capital management processes.

Examples of issues that may result in a Deficient-1 rating include, but are not limited to:

• Capital adequacy currently meets regulatory minimums although there may be uncertainty regarding the firm's ability to continue meeting regulatory minimums.

• Fungibility concerns may exist that could challenge the firm's ability to contribute capital to its depository institutions under certain stressful yet plausible scenarios.

• Supervisory issues may exist that undermine the credibility of the firm's current capital adequacy and/or its stress testing results.

Deficient-2. Financial or operational deficiencies in a supervised insurance organization's capital management present a threat to the firm's safety and soundness, a threat to the holding company's ability to serve a source of financial strength for its depository institution(s), or have already put the firm in an unsafe and unsound condition.

Examples of issues that may result in a Deficient-2 rating include, but are not limited to:

• Capital adequacy may currently fail to meet regulatory minimums or there is significant concern that the firm will not meet capital adequacy minimums prospectively.

• Supervisory issues may exist that significantly undermine the firm's capital adequacy metrics either currently or prospectively.

• Significant fungibility constraints may exist that would prevent the holding company from contributing capital to its depository institution(s) and fulfilling its obligation to serve as a source of financial strength.

• The holding company may have failed to act as source of financial strength for its depository institution when needed.

Definitions for the Liquidity Management Component Rating:

Broadly Meets Expectations. Despite the potential existence of outstanding supervisory issues, the supervised insurance organization's liquidity management broadly meets supervisory expectations, supports maintenance of safe-and-sound operations, and supports the holding company's ability to serve as a source of financial strength for its depository institutions(s). The firm generates sufficient liquidity to meet its short-term and long-term obligations currently and under a range of stressful yet plausible conditions. The firm's liquidity management processes, including its liquidity contingency planning, support its obligation to act as a source of financial strength for its depository institution(s). Specifically:

• The firm is capable of producing sound assessments of liquidity adequacy through a range of stressful yet plausible conditions; and

• The firm's current and projected liquidity positions on a consolidated basis and within each of its material business lines/legal entities comply with regulatory requirements and support the holding company's ability to meet obligations and to continue to serve as a source of financial strength for its depository institution(s).

Conditionally Meets Expectations. Certain material financial or operational weaknesses in a supervised insurance organization's liquidity management place its prospects for remaining safe and sound through a range of stressful yet plausible conditions at risk if not resolved in a timely manner during the normal course of business.

Specifically, if left unresolved, these weaknesses:

• May threaten the firm's ability to produce sound assessments of liquidity adequacy through a range of conditions; and/or

• May result in the firm's projected liquidity positions being insufficient to comply with regulatory requirements and support the firm's ability to meet current and prospective obligations and to continue to serve as a source of financial strength to its depository institution(s).

Deficient-1. Financial or operational deficiencies in a supervised insurance organization's liquidity management put the firm's prospects for remaining safe and sound through a range of stressful yet plausible conditions at significant risk. The firm is unable to remediate these deficiencies in the normal course of business, and remediation would typically require a material change to the firm's business model or financial profile, or its liquidity management processes.


[top] Examples of issues that may result in a Deficient-1 rating include, but are not limited to: page 60170

• The firm is currently able to meet its obligations but there may be uncertainty regarding the firm's ability to do so prospectively.

• The holding company's liquidity contingency plan may be insufficient to support its obligation to act as a source of financial strength for its depository institution(s).

• Supervisory issues may exist that undermine the credibility of the firm's liquidity metrics and stress testing results.

Deficient-2. Financial or operational deficiencies in a supervised insurance organization's liquidity management present a threat to its safety and soundness, a threat to the holding company's ability to serve as a source of financial strength for its depository institution(s), or have already put the firm in an unsafe and unsound condition.

Examples of issues that may result in a Deficient-2 rating include, but are not limited to:

• Liquidity shortfalls may exist within the firm that have prevented the firm, or are expected to prevent the firm, from fulfilling its obligations, including the holding company's obligation to act as a source of financial strength for its depository institution(s).

• Liquidity adequacy may currently fail to meet regulatory minimums or there is significant concern that the firm will not meet liquidity adequacy minimums prospectively for at least one of its regulated subsidiaries.

• Supervisory issues may exist that significantly undermine the firm's liquidity metrics either currently or prospectively.

• Significant fungibility constraints may exist that would prevent the holding company from supporting its depository institution(s) and fulfilling its obligation to serve as a source of financial strength.

• The holding company may have failed to act as source of financial strength for its depository institution when needed.

C. Incorporating the Work of Other Supervisors

Similar to the approach taken by the Federal Reserve in its consolidated supervision of other firms, the oversight of supervised insurance organizations relies to the fullest extent possible, on work performed by other relevant supervisors. Federal Reserve supervisory activities are not intended to duplicate or replace supervision by the firm's other regulators and Federal Reserve examiners typically do not specifically assess firms' compliance with laws outside of its jurisdiction, including state insurance laws. The Federal Reserve collaboratively coordinates with, communicates with, and leverages the work of the Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC), Securities and Exchange Commission (SEC), Financial Crimes Enforcement Network (FinCEN), Internal Revenue Service (IRS), applicable state insurance regulators, and other relevant supervisors to achieve its supervisory objectives and eliminate unnecessary burden.

Existing statutes specifically require the Board to coordinate with, and to rely to the fullest extent possible on work performed by the state insurance regulators. The Board and all state insurance regulators have entered into Memorandums of Understanding (MOU) allowing supervisors to freely exchange information relevant for the effective supervision of supervised insurance organizations. Federal Reserve examiners take the actions below with respect to state insurance regulators to support accomplishing the objective of minimizing supervisory duplication and burden, without sacrificing effective oversight:

• Routine discussions (at least annually) with state insurance regulatory staff with greater frequency during times of stress;

• Discussions around the annual supervisory plan, including how best to leverage work performed by the state and potential participation by state insurance regulatory staff on relevant supervisory activities;

• Consideration of the opinions and work done by the state when scoping relevant examination activities;

• Documenting any input received from the state and considering the assessments of and work performed by the state for relevant supervisory activities;

• Sharing and discussing with the state the annual ratings and relevant conclusion documents from supervisory activities;

• Collaboratively working with the states and the NAIC on the development of policies that affect insurance depository institution holding companies; and

• Participating in supervisory colleges.

The Federal Reserve relies on the state insurance regulators to participate in the activities above and to share proactively their supervisory opinions and relevant documents. These documents include the annual ORSA, 10 the state insurance regulator's written assessment of the ORSA, results from its examination activities, the Corporate Governance Annual Disclosure, financial analysis memos, risk assessments, material risk determinations, material transaction filings (Form D), the insurance holding company system annual registration statement (Form B), submissions for the NAIC liquidity stress test framework, and other state supervisory material. If the Federal Reserve determines that it is necessary to perform supervisory activities related to aspects of the supervised insurance organization that also fall under the jurisdiction of the state insurance regulator, it will communicate the rationale and result of these activities to the state insurance regulator.

Footnotes:

10 ? See NAIC Own Risk and Solvency Assessment (ORSA) Guidance Manual (December 2017) at https://content.naic.org/sites/default/files/publication-orsa-guidance-manual.pdf.

By order of the Board of Governors of the Federal Reserve System.

Ann E. Misback,

Secretary of the Board.

[FR Doc. 2022-21414 Filed 10-3-22; 8:45 am]

BILLING CODE 6210-01-P