Alert
November 15, 2023

FDIC Proposes Guidelines Establishing Standards for Corporate Governance and Risk Management for Covered Institutions with Total Assets of $10 Billion or More

On October 3, 2023, the Federal Deposit Insurance Corporation (FDIC) approved proposed guidelines establishing standards for corporate governance and risk management for covered institutions with total assets of $10 billion or more (Proposed Guidelines). The Proposed Guidelines were approved by a vote of 3 – 2, with Chairman Gruenberg and Directors Chopra and Hsu voting in favor of the proposal and Vice Chairman Hill and Director McKernan voting against it.

The Proposed Guidelines would provide standards for corporate governance and risk management for covered institutions, including standards outlining the general obligations and duties of the board of directors, expectations for board composition and board committee structures and responsibilities, and expectations for the establishment of an independent risk management function incorporating a three lines-of-defense model.

The Proposed Guidelines were prompted by the FDIC’s observations that financial institutions with poor corporate governance and risk management practices were more likely to fail. In the view of the FDIC, the three lines-of-defense model, together with the proposed expanded duties and oversight of the board, is intended to ensure a bank’s safety and soundness and reduce the likelihood of its failure and the magnitude of any loss. The establishment of multiple checks within a bank’s risk management function and program is intended to prevent a “single point of failure” within the bank.

Highlights

Applicability
The Proposed Guidelines would apply to all insured state nonmember banks, state-licensed insured branches of foreign banks, and insured state savings associations (all generally referred to in this alert as banks) that are subject to Section 39 of the Federal Deposit Insurance Act, as amended (FDIA), with total consolidated assets of $10 billion or more on or after the effective date of the Proposed Guidelines.

The use of $10 billion or more in total consolidated assets as the threshold for the application of the Proposed Guidelines represents something of a return to the demarcation line for certain heightened risk management expectations initially set forth in the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (the Dodd-Frank Act) for publicly traded bank holding companies with total consolidated assets of $10 billion or more.

A bank not subject to the Proposed Guidelines on the day they become effective would become subject to them as soon as the bank’s total consolidated assets reach $10 billion or more on two consecutive Consolidated Reports of Condition and Income, also referred to as Call Reports. There would be no other transition period.

The FDIC would also reserve the authority to apply the Proposed Guidelines, in whole or in part, to banks with less than $10 billion in total consolidated assets if the FDIC were to determine that the bank’s operations are highly complex or present heightened risk.

Enforceability
Section 39 of the FDIA authorizes the FDIC to prescribe safety and soundness standards for banks, including operational and managerial standards, by issuing regulations and guidelines. If a bank fails to meet a standard prescribed by a guideline, such as the Proposed Guidelines, the FDIC has the discretion to decide whether to require the bank to submit a plan specifying the steps it will take to comply with the standard. If a bank fails to submit such a plan or, in any material respect, fails to implement such a plan, the FDIC may, by order, require the bank to correct the deficiency or take additional steps, including imposing growth restrictions, increased capital requirements or restrictions on interest paid on deposits.

Critiques
Two FDIC directors (Vice Chairman Hill and Director McKernan) voted against the Proposed Guidelines, expressing concerns about the enforceable nature of the Proposed Guidelines[1] and the possibility that the Proposed Guidelines would, among other things, conflate the roles of the board and senior management.

Submission of Comments
Comments on the Proposed Guidelines are due by December 11, 2023.

Overview of Proposed Guidelines

The Board of Directors

General Obligations of a Bank’s Board of Directors and Individual Directors
The Proposed Guidelines would provide that the board is ultimately responsible for the affairs of the bank, with the expectation that each member of the board fulfills their duty to safeguard the interests of the bank. While the Proposed Guidelines are generally consistent with long-held expectations for and obligations of bank boards, the FDIC explained that they are intended to “raise the FDIC’s standards for corporate governance…to help ensure that these larger institutions effectively anticipate, evaluate, and mitigate the risks they face.” The Proposed Guidelines would expand the responsibilities of the board to consider the interests of depositors, creditors, customers, regulators and the public as well as shareholders and would impose an active role for each director by requiring that each director “oversee and confirm” that the bank operates in a safe and sound manner.

As a counterpoint to the Proposed Guidelines, Director McKernan cautioned that “[f]or at least some banks…[consideration of all of these constituencies] seems to conflict with settled law” and that the Proposed Guidelines would “impose new responsibilities on directors that…should be tasked to senior management,” suggesting that the expectation that “each director has a duty to ‘oversee and confirm that the covered institution operates . . . in compliance with all laws and regulations’ could be read to suggest that the board must take steps to confirm that the bank is always in compliance with law, even absent red flags that put the board on notice of a compliance issue.” Director McKernan suggested that it should be clear that it is management’s responsibility to ensure compliance with law and the board’s responsibility to ensure that the bank has a framework to ensure compliance with law.

Board Composition
In addition to the ordinary board composition requirements contained in a bank’s organizational documents or applied by its chartering authority, the Proposed Guidelines would provide that, in considering the appropriate number of directors and board composition, the board should consider how the selection of, and diversity among, board members would best promote effective, independent oversight of the bank’s management. The Proposed Guidelines note that important aspects of diversity may include social, racial, ethnic, gender, age, and skills; differences in experience, perspectives and opinions; and differences in the ownership interests of the bank held by different directors.

The Proposed Guidelines also provide that the board should include a majority of outside and independent directors, with individuals who are not principals, members, officers, or employees of the bank, its affiliates, or its holding company or companies generally being considered independent. Notably, a director of an affiliate or a principal shareholder (including the bank’s own holding company) would generally not be considered independent under the Proposed Guidelines. Only in the limited instances where an affiliate or a principal shareholder is a holding company, and the holding company conducts limited or no additional business operations outside those of the bank, would an independent director of the holding company also be considered an independent director of the bank and then only if the individual is not also a principal, member, director, officer, or employee of any other affiliate of the bank or its holding company.

Duties of the Board
The Proposed Guidelines articulate a series of proposed duties of the board, including:

  1. Setting an appropriate tone for a corporate culture that promotes responsible and ethical behavior, with the board holding directors, officers, and employees accountable for their conduct.
  2. Approving a strategic plan covering at least a three-year period for the bank, which provides clear objectives within which the bank’s management can operate.
  3. Approving policies that govern and guide the bank in accordance with its risk profile and applicable laws and regulations.
  4. Establishing a written code of ethics for the bank, addressing areas such as conflicts of interest, protection and proper use of bank assets, integrity of financial reporting, compliance with applicable laws and regulations, reporting of illegal or unethical behavior, and forbidding retaliation for such reporting.
  5. Providing active oversight of all material risk-taking activities undertaken by management, including holding management accountable for adhering to the bank’s strategic plan and approved policies and procedures, and questioning, challenging, and, when necessary, opposing management recommendations that are not in accordance with the bank’s risk appetite or that could jeopardize the bank’s safety and soundness or undermine compliance with applicable laws or regulations. The board would also be expected to ensure that management corrects deficiencies identified by auditors or examiners in a timely manner.
  6. Exercising independent judgment and taking steps to ensure that the board is not excessively influenced by a dominant policymaker, whether a member of management, a director, a shareholder, or any combination thereof.
  7. Selecting qualified executive officers who are able to administer the bank’s affairs effectively and soundly, with selection criteria including an individual’s integrity, technical competence,[2] character, and experience in financial services. The board would be expected to implement a formal performance review process for management, with the expectation that the board would dismiss and replace any executive officer, including the chief executive officer (CEO), not able to meet reasonable standards of executive ability and ethical conduct. The board would also be expected to develop a succession plan for the CEO and other key personnel and implement adequate training and personnel activities to provide for continuity in qualified management and staff.
  8. Establishing and adhering to an ongoing board training program to ensure that each director has the knowledge, skills and abilities to stay abreast of general industry trends and applicable legal and regulatory developments and to meet the standards that would be established in the Proposed Guidelines. The training program would be expected to address, among other things, products, services, lines of business, and risks with a significant impact on the bank, as well as laws, regulations, and supervisory requirements and expectations applicable to the bank.
  9. Establishing a self-assessment process for the board evaluating its effectiveness in meeting the standards articulated in the Proposed Guidelines.
  10. Establishing a compensation and performance management program for executive and non-executive employees that does not provide incentives to take risks that are inconsistent with the long-term health of the bank or encourage noncompliance with applicable laws and regulations. Among other things, front line unit compensation plans and decisions would be expected to consider the level and severity of concerns identified by the independent risk management and internal audit units.
  11. Reviewing and, as appropriate, updating, at least annually, the strategic plan, policies, code of ethics, executive officer succession plan, board self-assessment for compliance with the Proposed Guidelines, compensation and performance management programs, and risk governance framework.

The Proposed Guidelines do not address if, or the extent to which, a bank’s board may rely on the annual reviews and updates of such items performed by the board of its holding company or performed at joint meetings of mirror boards at the bank and its holding company. However, as discussed in further detail below, only if a bank has a holding company with a substantially similar risk profile would the bank be permitted to adopt and implement all or part of its holding company’s risk management program. It is possible that the FDIC would expect a bank board to make an independent determination that it is appropriate to rely on the plan, policies, code of ethics, etc. adopted by the holding company.

Board Committee Structure and Responsibilities
The Proposed Guidelines indicate that the board would be expected to implement an organizational structure that keeps members informed and provides an adequate framework to oversee the bank, which includes establishing board committees that allow for a division of labor enabling directors with expertise to handle matters that require detailed review. A bank would be required to have an audit committee and a risk committee and generally expected to have a compensation committee. A bank with trust powers would also be expected to have a trust committee, and all banks would be expected to have such other committees as are needed in accordance with their risk profiles and applicable law.

  1. A bank’s audit committee would be required to comply with Section 36 of the FDIA[3] and 12 C.F.R. Part 363, concerning annual independent audits and audit committee requirements,[4] and be composed entirely of outside[5] and independent[6] directors.[7]
    The audit committee would be expected to oversee the bank’s accounting and financial reporting processes and audits of its financial statements and related internal controls; approve all audit services; assist in board oversight of the integrity of the bank’s financial statements and disclosures; appoint, compensate, and retain any public accounting firm engaged to prepare any audit report and oversee the work of any such firm; approve all decisions regarding the appointment or removal and annual compensation of the chief audit officer (CAO); approve the charter of the bank’s internal audit function and oversee such function, including reviewing and approving audit plans and reports of the internal audit function related to the risk management program and identified or suspected violations of laws or regulations, determining whether and how such issues are being addressed, and making recommendations on any appropriate further corrective action to the board; and fulfill all other requirements provided by applicable laws and regulations.
    The CAO would lead the bank’s internal audit unit and report directly to the board or the audit committee and the CEO.
  2. A bank’s risk committee[8] would be responsible for approving and reviewing, at least annually, the bank’s risk management policies and overseeing the bank’s risk management framework. The risk committee would be required to be chaired by an independent director and be an independent committee of the board. The committee would also be required to include at least one member experienced in managing risk exposures at large firms.
    The risk committee would be expected to receive and review reports from the chief risk officer (CRO) no less frequently than quarterly; meet at least quarterly and maintain appropriate records of its proceedings, including risk management decisions; review and approve all decisions regarding the appointment or removal of the CRO and ensure that the CRO’s compensation is consistent with providing an objective assessment of the bank’s risks.
    The CRO is the individual who leads the bank’s independent risk management unit and is experienced in identifying, assessing, and managing risk exposures of large financial firms. The CRO would report directly to the Board or the risk committee and, solely for administrative matters, the CEO.
  3. A bank’s compensation committee[9] would be expected to comply with all laws and regulations applicable to it, monitor adherence to a compensation and performance management program, review compensation packages (including all direct and indirect cash and non-cash payments and benefits) for executives, and consider executive officer performance. For a bank board that mirrors the board of its holding company whose shares are registered with the US Securities and Exchange Commission (SEC), the boards would be subject to the SEC’s requirement that any company with securities registered with the SEC have a compensation committee composed entirely of independent directors (15 U.S.C. § 78j-3; 17 C.F.R. Parts 229 and 240).[10]
    A bank would be prohibited from paying compensation in an amount or manner that constitutes an unsafe and unsound practice (including excessive compensation or compensation that could lead to material financial loss) and would be expected to ensure that incentive compensation does not encourage imprudent risk-taking behavior or violations of legal requirements.
  4. The trust committee’s purpose would be to ensure that the operation of the trust department is separate and apart from every other department of the bank and that trust assets are appropriately segregated, both from the bank’s own assets and from assets held in trust accounts established for other customers.
  5. Each committee would be expected to have a board-approved written charter, detailing its purpose and responsibilities. Committee charters would be reviewed and approved by the board at least annually. At least annually, the audit committee would be responsible for reviewing and approving the charter of the bank’s internal audit function and audit plans; and the risk committee would be responsible for reviewing and approving the bank’s risk management framework and policies.

Risk Management

Independent Risk Management Function and Three Lines-of-Defense
The Proposed Guidelines indicate that the board would be expected to adopt, and management should implement, a comprehensive and independent risk management function incorporating a three lines-of-defense model and effective programs for internal controls, risk management, and audit.

  1. Risk Management Program: A bank’s risk management program would be expected to identify, measure, monitor, and manage risks using a framework appropriate for the current and forecast risk environment, covering the following risk categories, as applicable: credit, concentration, interest rate, liquidity, price, model, operational (including IT, cybersecurity, BSA/AML/CFT compliance, and third-party service providers), strategic, and legal risk.

    Only if a bank has a holding company with a substantially similar risk profile would the bank be permitted to adopt and implement all or part of its holding company’s risk management program. Before adopting all or part of such a program, the board would be expected to consider whether the holding company’s program satisfies the standards of the Proposed Guidelines, ensures that the safety and soundness of the bank is not jeopardized by decisions made by the holding company’s board and management, and ensures that the bank’s risk profile is easily distinguished and separate from its holding company for risk management and supervisory reporting, or whether these factors militate in favor of a separate, focused risk management program at the bank.

  2. Risk Appetite Statement: The Proposed Guidelines indicate that a bank would be expected to have a comprehensive written risk appetite statement that provides risk limits in the aggregate, as well as for separate lines of business, material activities, and products. The risk appetite statement would be reviewed quarterly and updated as needed by the board, based on quarterly reviews of the bank’s risk profile.
    The risk appetite statement would be expected to reflect the level of risk the board and management are willing to accept, including qualitative components describing a safe and sound risk culture and how the bank would assess and accept risks, as well as quantitative limits that explicitly constrain the size of risk exposures relative to the bank’s earnings, capital, and liquidity positions and take into account capital and liquidity buffers that prompt reductions in risk before the adequacy of the bank’s earnings, capital, or liquidity is jeopardized. Bank management would be permitted to accept risks within such quantitative limits without other board approval.
    The bank’s management, front line units, and independent risk management unit would be expected to incorporate the risk appetite statement, concentration limits, and front line risk limits into strategic and annual operating plans, capital and liquidity stress testing and planning, product and service risk management processes, decisions regarding strategic transactions, and compensation and performance management programs.

Risk Management Program Standards
A bank would be expected to have an independent risk management unit responsible for designing a formal, written risk management program that implements the risk appetite statement and ensures that the bank complies with applicable laws and regulations.

  1. The risk management program would be expected to cover, at minimum, credit, concentration, interest rate, liquidity, price, model, operational, strategic, and legal risk and be commensurate with the bank’s structure, risk profile, complexity, activities, and size. It would be expected to include certain key components, such as the development and adoption of policies and procedures establishing and implementing a governance structure for the risk management program and an infrastructure designed to identify, monitor, control, and report on the risks arising from the bank’s operations, including emerging risks and risk management deficiencies, to undertake timely actions to respond to such risks and deficiencies.
  2. The governance structure would be expected to ensure that instances of known or suspected noncompliance with applicable laws and regulations will be reported to the risk committee and the internal audit unit, that managerial and employee responsibilities for risk management will be clearly articulated, that the risk management function maintains its independence, and that risk management and associated controls will be integrated into management goals and the bank’s compensation structure.
  3. The bank would also be expected to have policies, procedures, and processes designed to ensure that a bank’s risk reporting capabilities (including the way it aggregates risk data) be appropriate to the risk-profile of the institution itself and support internal and regulatory reporting responsibilities during both normal and stressed times. Among other things, a bank would be expected to have a data architecture and information technology infrastructure that captures and aggregates risk data and reports material risks, concentrations, risk limit breaches, and emerging risks in a timely manner to the board and CEO. A bank would also be expected to adopt protocols for informing the board, front line unit management, independent risk management, and the FDIC of risk limit breaches and appropriate remedial actions and the distribution of risk reports to various units within the bank to promote effective decision-making.
  4. Three units, or three lines-of-defense, would be accountable to the CEO and/or board for monitoring and reporting on the bank’s compliance with the risk management program.
    Front line units, which are generally those units that generate revenue, provide operational support for the delivery of products and services to customers (excluding functions providing solely legal services to the bank), or provide technology services, would be responsible for ensuring that their activities do not create excessive risks or exceed the risk appetite of the bank.
    The independent risk management unit would be under the direction of the CRO and responsible for identifying, measuring, monitoring, and controlling the bank’s risk-taking activities on an ongoing basis. The independent risk management unit would remain independent of the front line units because the CRO would have unrestricted access to the board and board committees, including the risk committee. To address risks identified by the independent risk management unit, the board or risk committee would review and approve the risk governance framework, and the unit would adhere to compensation and performance management programs designed to ensure the unit’s independence and that the unit provides an accurate assessment of the risks taken by the bank. No front line unit executive would oversee the independent risk management unit.
    The internal audit unit would be the organizational unit designed to fulfill the roles and responsibilities for an internal audit system outlined in Section II.B of 12 C.F.R. Part 364, Appendix A, Interagency Guidelines Establishing Standards for Safety and Soundness, under the direction of the CAO and responsible for ensuring that the bank complies with applicable laws and regulations and adheres to the bank’s risk management program. The internal audit unit would remain independent of the front line units and the independent risk management unit. Its responsibilities include establishing and adhering to an audit plan and reporting its findings, including any recommendations, to the audit committee.

Communications
The Proposed Guidelines would require that banks communicate and reinforce the bank’s risk appetite statement to ensure that management and bank employees align their activities and decisions with the bank’s risk appetite statement.

Processes Governing Identification and Reporting of Risk Limit Breaches and Violations of Laws or Regulations

The board would be expected to establish processes that require front line units and the independent risk management unit to identify known or suspected breaches of the risk appetite statement, concentration risk limits, and front line risk limits, as well as known or suspected violations of applicable laws and regulations.

Risk Limit Breaches
The Proposed Guidelines would require that reports of risk limit breaches be given to front line unit management, the CRO, the risk committee, the audit committee, the CEO and the FDIC, including an assessment of the severity of the breach and its impact on the bank, as well as how the breach will be resolved.

Violations of Laws or Regulations
The Proposed Guidelines would require that all violations of laws or regulations be documented in writing and that notification be provided to the CEO, audit committee, and risk committee, including information on actions being taken to return the bank to compliance. The board’s processes should also ensure that known or suspected violations of laws or regulations involving dishonesty or misrepresentation are reported as required by any applicable laws or regulations and that all violations of laws or regulations be reported to the agency with responsibility for administering the relevant laws or regulations.

Annual Reviews and Updates
At least annually, the board should review and, as needed, update the process related to risk limit breaches and violations of laws or regulations. At least annually, the risk committee should also review and approve the risk management program. The independent risk management units should review the risk management program at least annually and address changes to the bank’s risk profile.

 

 


For more than 100 years, Goodwin has been a full-service law firm committed to the banking industry. We provide financial institutions with comprehensive, one-stop advice on mergers and acquisitions, de novo bank formations, capital markets transactions, corporate governance, executive compensation, stock conversions, holding company formations, fintech, bank products and services, privacy and data security, and compliance management. We are also recognized for advising clients on the full range of state and federal laws applicable to the provision of financial products to consumers and businesses.

[1] The Proposed Guidelines are adopted and enforceable under Section 39 of the FDIA and distinguishable from supervisory guidance issued by the FDIC. Supervisory guidance does not have the force and effect of law, and the FDIC has stated that it will not take enforcement actions based on supervisory guidance. See 12 C.F.R. Part 302, Use of Supervisory Guidance, and Appendix A to Part 302, Statement Clarifying the Role of Supervisory Guidance.

[2] The Proposed Guidelines do not explain what “technical competence” means in this context. Without more guidance from the FDIC, it is reasonable to take into account the specific responsibilities of each executive officer and consider whether they have sufficient skills and experience to perform their assigned responsibilities.

[3] 12 U.S.C. § 1831m.

[4] The requirements of the Proposed Guidelines would be in addition to those contained in 12 C.F.R. Part 363, Annual Independent Audits and Reporting Requirements, which requires each insured depository institution with $500 million or more in total assets to establish an audit committee. For banks with total assets of $500 million or more, but less than $1 billion, as of the beginning of the fiscal year, all of the audit committee members must be outside directors, with a majority of the committee members independent of management. For banks with total assets of $1 billion or more as of the beginning of the fiscal year, all of the members of the audit committee must be outside directors and independent of management. 12 C.F.R. § 363.5(a) (defining “outside director” to mean a director who is not, and within the preceding fiscal year was not, an officer or employee of the bank or any of its affiliates). See also Appendix A to Part 363, Guidelines and Interpretations, Interpretation 28, “‘Independent of Management’ Considerations.” 12 C.F.R. Part 363 also provides that the audit committees of “large institutions” (i.e., with total assets of more than $3 billion as of the beginning of the fiscal year) are required to include members with banking or related financial management expertise, have access to their own outside counsel, and not include any large customers of the bank.

[5] The term “outside director” is not separately defined in the Proposed Guidelines, and we have assumed that it would have the meaning ascribed to it in 12 C.F.R. § 363.5(a)(3).

[6] Refer to the discussion above concerning the meaning of “independent director” under the Proposed Guidelines. Subject to certain conditions, the audit committee requirements applicable to banks with total assets of $5 billion or more as of the beginning of the fiscal year and a composite CAMELS rating of 1 or 2 may be satisfied with the audit committee of the top-tier or any mid-tier holding company. 12 C.F.R. §§ 363.1(b)(1) and (2). See also Appendix A to Part 363, Guidelines and Interpretations, Interpretation 30, “Holding Company Audit Committees.” The Proposed Guidelines do not address when, or under what circumstances, such reliance on the holding company’s audit committee would be permitted for banks; however, the Proposed Guidelines do note that “[i]f permitted under Section 36 and part 363 of the FDIC’s regulations, the audits of the financial statements and of internal control over financial reporting may be done at the consolidated holding company level and not the covered institution level” (emphasis added). Consistent with the requirement under 12 C.F.R. § 363.1(b)(2)(i) that an insured depository institution may only rely on the audit committee of its top-tier or mid-tier holding company if the committee performs “services and functions comparable” to those required of the insured depository institution, including the requirement that the audit committee of the relevant holding company meet the requirements of 12 C.F.R. Part 363 appropriate to its largest insured depository institution subsidiary, it is likely that the FDIC would only permit a bank, under the Proposed Guidelines, to rely on the relevant holding company’s audit committee if such committee is composed entirely of outside and independent directors. See Appendix A to Part 363, Guidelines and Interpretations, Interpretation 4, “Comparable Services and Functions.”

[7] Additional audit committee independence and qualification requirements are applicable to entities that are publicly traded in the United States. For example, Section 10A of the Securities Exchange Act of 1934, as amended (15 U.S.C. § 78j–1(m)), sets forth standards relating to audit committees, including committee member independence. The listing standards of the exchange on which a publicly traded entity is listed, such as the New York Stock Exchange (NYSE) or the Nasdaq Stock Market (Nasdaq), may also incorporate additional independence requirements.

[8] Section 165(h)(2) of the Dodd-Frank Act initially required the Board of Governors of the Federal Reserve System (FRB) to issue regulations requiring publicly traded bank holding companies with total consolidated assets of $10 billion or more to establish a risk committee and permitted the FRB to extend such regulations to publicly traded bank holding companies with less than $10 billion in assets to promote sound risk management practices. In 2014, the FRB adopted enterprise-wide risk committee requirements for publicly traded bank holding companies with total consolidated assets of $10 billion or more (as well as certain foreign banking organizations). 79 Fed. Reg. 17240 (Mar. 27, 2014). Five years later, as required by the passage of the Economic Growth, Regulatory Relief, and Consumer Protection Act (EGRRCPA) adopted in 2018, the FRB raised the asset threshold for the application of the risk committee requirement from $10 billion to $50 billion. See EGRRCPA § 401(a)(4); 84 Fed. Reg. 59032 (Nov. 1, 2019).

[9] On June 21, 2010, the US federal bank regulatory agencies issued guidance in an effort to ensure that the incentive compensation practices of banking organizations do not encourage undue risk-taking and are consistent with safe and sound practices. Among other things, the guidance encouraged boards of the largest and most complex institutions, as well as other banking organizations that use incentive compensation to a significant extent, to consider establishing compensation committees. Such committees would have primary responsibility for incentive compensation arrangements, be composed solely or predominantly of non-executive directors and report to the full board. See 75 Fed. Reg. 36395 (June 25, 2010). Section 956 of the Dodd-Frank Act required the federal financial regulatory agencies to adopt regulations or guidance prohibiting incentive-based compensation arrangements that could lead to material financial loss to financial institutions. The agencies initially proposed a rule implementing this section of the Dodd-Frank Act in 2011 and reproposed a rule on incentive-based compensation arrangements in 2016. See 76 Fed. Reg. 21170 (Apr. 14, 2011); 81 Fed. Reg. 37669 (June 10, 2016). The proposed rule was never finalized; however, in May 2023, it was reported that Chair Gruenberg indicated his belief that the agencies would “repropose” a rule this year. See Victoria Guida, “Gruenberg: Agencies working on a long-awaited executive compensation plan,” POLITICO (May 31, 2023).

[10] Additional requirements may be imposed on publicly traded companies listed on the NYSE or Nasdaq. See NYSE Listed Company Manual § 303A.04(a), Nasdaq Listing Rule 5605(e), and any other or successor corporate governance rules prescribed by the exchange’s governing body.