12 CFR Appendix to Part 1236
Prudential Management and Operations Standards
November 10, 2020

The following provisions constitute the prudential management and operations standards established pursuant to 12 U.S.C. 4513b(a).

General Responsibilities of the Board of Directors and Senior Management

The following provisions address the general responsibilities of the boards of directors and senior management of the regulated entities as they relate to the matters addressed by each of the Standards. The descriptions are not a comprehensive listing of the responsibilities of either the boards or senior management, each of whom have additional duties and responsibilities to those described in these Standards.

Responsibilities of the Board of Directors

1. With respect to the subject matter addressed by each Standard, the board of directors is responsible for adopting business strategies and policies that are appropriate for the particular subject matter. The board should review all such strategies and policies periodically. It should review and approve all major strategies and policies at least annually and make any revisions that are necessary to ensure that such strategies and policies remain consistent with the entity's overall business plan.

2. The board of directors is responsible for overseeing management of the regulated entity, which includes ensuring that management includes personnel who are appropriately trained and competent to oversee the operation of the regulated entity as it relates to the functions and requirements addressed by each Standard, and that management implements the policies set forth by the board.

3. The board of directors is responsible for remaining informed about the operations and condition of the regulated entity, including operating consistently with the Standards, and senior management's implementation of the strategies and policies established by the board of directors.

4. The board of directors must remain sufficiently informed about the nature and level of the regulated entity's overall risk exposures, including market, credit, and counterparty risk, so that it can understand the possible short- and long-term effects of those exposures on the financial health of the regulated entity, including the possible short- and long-term consequences to earnings, liquidity, and economic value. The board of directors should: establish the regulated entity's risk tolerances and should provide management with clear guidance regarding the level of acceptable risks; review the regulated entity's entire market risk management framework, including policies and entity-wide risk limits at least annually; oversee the adequacy of the actions taken by senior management to identify, measure, manage, and control the regulated entity's risk exposures; and ensure that management takes appropriate corrective measures whenever market risk limit violations or breaches occur.

Responsibilities of Senior Management

5. With respect to the subject matter addressed by each Standard, senior management is responsible for developing the policies, procedures and practices that are necessary to implement the business strategies and policies adopted by the board of directors. Senior management should ensure that such items are clearly written, sufficiently detailed, and are followed by all personnel. Senior management also should ensure that the regulated entity has personnel who are appropriately trained and competent to carry out their respective functions and that all delegated responsibilities are performed.

6. Senior management should ensure that the regulated entity has adequate resources, systems and controls available to execute effectively the entity's business strategies, policies and procedures, including operating consistently with each of the Standards.

7. Senior management should provide the board of directors with periodic reports relating to the regulated entity's condition and performance, including the subject matter addressed by each of the Standards, that are sufficiently detailed to allow the board of directors to remain fully informed about the business of the regulated entity.

8. Senior management should regularly review and discuss with the board of directors information regarding the regulated entity's risk exposures that is sufficient in detail and timeliness to permit the board of directors to understand and assess the performance of management in identifying and managing the various risks to which the regulated entity is exposed.

Responsibilities of the Board of Directors and Senior Management

9. The board of directors and senior management should conduct themselves in such a manner as to promote high ethical standards and a culture of compliance throughout the organization.

10. The board of directors and senior management should ensure that the regulated entity's overall risk profile is aligned with its mission objectives.

Standard 1—Internal Controls and Information Systems

Responsibilities of the Board of Directors

1. Regarding internal controls and information systems, the board of directors of each regulated entity should adopt appropriate policies, ensure personnel are appropriately trained and competent, approve and periodically review overall business strategies, approve the organizational structure, and assess the adequacy of senior management's oversight of this function.

Responsibilities of Senior Management

2. Regarding internal controls and information systems, senior management should implement strategies and policies approved by the board of directors, establish appropriate policies, monitor the adequacy and effectiveness of this function, and ensure personnel are appropriately trained and competent. The organizational structure should clearly assign responsibility, authority, and reporting relationships.

Responsibilities of the Board of Directors and Senior Management

3. Regarding internal controls and information systems, both the board of directors and senior management should promote high ethical standards, create a culture that emphasizes the importance of this function, and promptly address any issues in need of remediation.

Framework

4. The regulated entity should have an adequate and effective system of internal controls, which should include a board approved organizational structure that clearly assigns responsibilities, authority, and reporting relationships, and establishes an appropriate segregation of duties that ensures that personnel are not assigned conflicting responsibilities.

5. The regulated entity should establish appropriate internal control policies and should monitor the adequacy and effectiveness of its internal controls and information systems on an ongoing basis through a formal self-assessment process.

6. The regulated entity should have an organizational culture that emphasizes and demonstrates to personnel at all levels the importance of internal controls.

7. The regulated entity should address promptly any violations, findings, weaknesses, deficiencies, and other issues in need of remediation relating to the internal control systems.

Risk Recognition and Assessment

8. A regulated entity should have an effective risk assessment process that ensures that management recognizes and continually assesses all material risks, including credit risk, market risk, interest rate risk, liquidity risk, and operational risk.

Control Activities and Segregation of Duties

9. A regulated entity should have an effective internal control system that defines control activities at every business level.

10. A regulated entity's control activities should include:

a. Board of directors and senior management reviews of progress toward goals and objectives;

b. Appropriate activity controls for each business unit;

c. Physical controls to protect property and other assets and limit access to property and systems;

d. Procedures for monitoring compliance with exposure limits and follow-up on non-compliance;

e. A system of approvals and authorizations for transactions over certain limits; and

f. A system for verification and reconciliation of transactions.

Information and Communication

11. A regulated entity should have information systems that provide relevant, accurate and timely information and data.

12. A regulated entity should have secure information systems that are supported by adequate contingency arrangements.

13. A regulated entity should have effective channels of communication to ensure that all personnel understand and adhere to policies and procedures affecting their duties and responsibilities.

Monitoring Activities and Correcting Deficiencies

14. A regulated entity should monitor the overall effectiveness of its internal controls and key risks on an ongoing basis and ensure that business units and internal and external audit conduct periodic evaluations.

15. Internal control deficiencies should be reported to senior management and the board of directors on a timely basis and addressed promptly.

Applicable Laws, Regulations, and Policies

16. A regulated entity should comply with all applicable laws, regulations, and supervisory guidance (e.g., advisory bulletins) governing internal controls and information systems.

Standard 2—Independence and Adequacy of Internal Audit Systems

Audit Committee

1. A regulated entity's board of directors should have an audit committee that exercises proper oversight and adopts appropriate policies and procedures designed to ensure the independence of the internal audit function. The audit committee should ensure that the internal audit department includes personnel who are appropriately trained and competent to oversee the internal audit function.

2. The board of directors should review and approve the audit committee charter at least every three years.

3. The audit committee of the board of directors is responsible for monitoring and evaluating the effectiveness of the regulated entity's internal audit function.

4. Issues reported by the internal audit department to the audit committee should be promptly addressed and satisfactorily resolved.

Internal Audit Function

5. A regulated entity should have an internal audit function that provides for adequate testing of the system of internal controls.

6. A regulated entity should have an independent and objective internal audit department that reports directly to the audit committee of the board of directors.

7. A regulated entity's internal audit department should be adequately staffed with properly trained and competent personnel.

8. The internal audit department should conduct risk-based audits.

9. The internal audit department should conduct adequate testing and review of internal control and information systems.

10. The internal audit department should determine whether violations, findings, weaknesses and other issues reported by regulators, external auditors, and others have been promptly addressed.

Applicable Laws, Regulations, and Policies

11. A regulated entity should comply with applicable laws, regulations, and supervisory guidance (e.g., advisory bulletins) governing the independence and adequacy of internal audit systems.

Standard 3—Management of Market Risk Exposure

Responsibilities of the Board of Directors

1. Regarding the overall management of market risk exposure, the board of directors should remain sufficiently informed about the nature and level of the regulated entity's market risk exposures. At least annually, the board should review the entire market risk framework, including policies and risk limits, and provide an assessment of compliance.

2. Regarding the policies, practices and procedures surrounding the management of market risk, the board of directors should approve all major strategies and policies relating to the management of market risk, ensure all major strategies and policies are consistent with the overall business plan, establish and communicate a market risk tolerance, and ensure appropriate corrective measures are taken when market risk limit violations or breaches occur.

3. The board, or a board appointed committee, should oversee the adequacy of actions taken by senior management to identify, measure, manage, and control market risk exposures, ensure market risk policies establish lines of authority and responsibility, and review risk exposures on a periodic basis.

Responsibilities of Senior Management

4. Regarding the overall management of market risk exposure, senior management should provide sufficient and timely information to the board of directors, ensure personnel are appropriately trained and competent, ensure adequate systems and resources are available to manage and control market risk, report any breaches to the board of directors (or the appropriate board committee), and take appropriate remedial action.

5. Regarding the policies, practices, and procedures surrounding market risk exposure, senior management should ensure market risk policies and procedures are clearly written, sufficiently detailed, and followed. Approved policies and procedures should include clear market risk limits and lines of authority for managing market risk.

Market Risk Strategy

6. A regulated entity should have a clearly defined and well-documented strategy for managing market risk, which must be consistent with its overall business plan, must enable the regulated entity to identify, manage, monitor, and control the regulated entity's risk exposures on a business unit and an enterprise-wide basis, and must ensure that the lines of authority and responsibility for managing market risk and monitoring market risk limits are clearly identified. The strategy should specify a target account, or target accounts, for managing market risk (e.g., specify whether the objective is to control risk to earnings, net portfolio value, or some other target, or some combination of targets), and, if a market risk limit is breached, should require that the breach be reported to the board of directors, or the appropriate board committee, and that appropriate remedial action, including any ordered by the board of directors, should be taken.

7. Management should ensure that the board of directors is made aware of the advantages and disadvantages of the regulated entity's chosen market risk management strategy, as well as those of alternative strategies, so that the board of directors can make an informed judgment about the relative efficacy of the different strategies.

8. A Bank's strategy for managing market risk should take into account the importance of maintaining the market value of equity of member stock commensurate with the par value of that stock so that the Bank is able to redeem and repurchase member stock at par value.

9. A regulated entity should comply with all applicable laws, regulations, and supervisory guidance (e.g., advisory bulletins) governing the independence and adequacy of the management of market risk exposure.

Standard 4—Management of Market Risk—Measurement Systems, Risk Limits, Stress Testing, and Monitoring and Reporting

Risk Measurement Systems

1. A regulated entity should have a risk measurement system (a model or models) that capture(s) all material sources of market risk and provide(s) meaningful and timely measures of the regulated entity's risk exposures, as well as personnel who are appropriately trained and competent to operate and oversee the risk measurement system.

2. The risk measurement system should be capable of estimating the effect of changes in interest rates and other key risk factors on the regulated entity's earnings and market value of equity over a range of scenarios.

3. The measurement system should be capable of valuing all financial assets and liabilities in the regulated entity's portfolio.

4. The measurement system should address all material sources of market risk including repricing risk, yield curve risk, basis risk, and options risk.

5. Management should ensure the integrity and timeliness of the data inputs used to measure the regulated entity's market risk exposures, and should ensure that assumptions and parameters are reasonable and properly documented.

6. The measurement system's methodologies, assumptions, and parameters should be thoroughly documented, understood by management, and reviewed on a regular basis.

7. A regulated entity's market risk model should be upgraded periodically to incorporate advances in risk modeling technology.

8. A regulated entity should have a documented approval process for model changes that requires model changes to be authorized by a party independent of the party making the change.

9. A regulated entity should ensure that its models are independently validated on a regular basis.

Risk Limits

10. Risk limits should be consistent with the regulated entity's strategy for managing interest rate risk and should take into account the financial condition of the regulated entity, including its capital position.

11. Risk limits should address the potential impact of changes in market interest rates on net interest income, net income, and the regulated entity's market value of equity.

Stress Testing

12. A regulated entity should conduct stress tests on a regular basis for a variety of institution-specific and market-wide stress scenarios to identify potential vulnerabilities and to ensure that exposures are consistent with the regulated entity's tolerance for risk.

13. A regulated entity should use stress test outcomes to adjust its market risk management strategies, policies, and positions and to develop effective contingency plans.

14. Special consideration should be given to ensuring that complex financial instruments, including instruments with complex option features, are properly valued under stress scenarios and that the risks associated with options exposures are properly understood.

15. Management should ensure that the regulated entity's board of directors or a committee thereof considers the results of stress tests when establishing and reviewing its strategies, policies, and limits for managing and controlling interest rate risk.

16. The board of directors and senior management should review periodically the design of stress tests to ensure that they encompass the kinds of market conditions under which the regulated entity's positions and strategies would be most vulnerable.

Monitoring and Reporting

17. A regulated entity should have an adequate management information system for reporting market risk exposures.

18. The board of directors, senior management, and the appropriate line managers should be provided with regular, accurate, informative, and timely market risk reports.

Applicable Laws, Regulations, and Policies

19. A regulated entity should comply with all applicable laws, regulations, and supervisory guidance (e.g., advisory bulletins) governing the management of market risk.

Standard 5—Adequacy and Maintenance of Liquidity and Reserves

Responsibilities of the Board of Directors

1. Regarding the adequacy and maintenance of liquidity and reserves, the board of directors should review (at least annually) all major strategies and policies governing this area, approve appropriate revisions to such strategies and policies, and ensure senior management are appropriately trained to effectively manage liquidity.

Responsibilities of Senior Management

2. Regarding the adequacy and maintenance of liquidity and reserves, senior management should develop strategies, policies, and practices to manage liquidity risk, ensure personnel are appropriately trained and competent, and provide the board of directors with periodic reports on the regulated entity's liquidity position.

Policies, Practices, and Procedures

3. A regulated entity should establish a liquidity management framework that ensures it maintains sufficient liquidity to withstand a range of stressful events.

4. A regulated entity should articulate a liquidity risk tolerance that is appropriate for its business strategy and its mission goals and objectives.

5. A regulated entity should have a sound process for identifying, measuring, monitoring, controlling, and reporting its liquidity position and its liquidity risk exposures.

6. A regulated entity should establish a funding strategy that provides effective diversification in the sources and tenor of funding.

7. A regulated entity should conduct stress tests on a regular basis for a variety of institution-specific and market-wide stress scenarios to identify sources of potential liquidity strain and to ensure that current exposures remain in accordance with each regulated entity's established liquidity risk tolerance.

8. A regulated entity should use stress test outcomes to adjust its liquidity management strategies, policies, and positions and to develop effective contingency plans.

9. A regulated entity should have a formal contingency funding plan that clearly sets out the strategies for addressing liquidity shortfalls in emergencies. Where practical, contingent funding sources should be tested or drawn on periodically to assess their reliability and operational soundness.

10. A regulated entity should maintain adequate reserves of liquid assets, including adequate reserves of unencumbered, marketable securities that can be liquidated to meet unexpected needs.

Applicable Laws, Regulations, and Policies

11. A regulated entity should comply with all applicable laws, regulations, and supervisory guidance (e.g., advisory bulletins) governing the adequacy and maintenance of liquidity and reserves.

Standard 6—Management of Asset and Investment Portfolio Growth

Responsibilities of the Board of Directors and Senior Management

1. Regarding the management of asset and investment portfolio growth, the board of directors is responsible for overseeing the management of growth in these areas, ensuring senior management are appropriately trained and competent, establishing policies governing the regulated entity's assets and investment growth, with prudential limits on the growth of mortgages and mortgage-backed securities, and reviewing policies at least annually.

2. Regarding the management of asset and investment portfolio growth, senior management should adhere to board-approved policies governing growth in these areas, and ensure personnel are appropriately trained and competent to manage the growth.

Risk Measurement, Monitoring, and Control

3. A regulated entity should manage its asset growth and investment growth in a prudent manner that is consistent with the regulated entity's business strategy, board-approved policies, risk tolerances, and safe and sound operations, and should establish prudential limits on the growth of its portfolios of mortgage loans and mortgage backed securities.

4. A regulated entity should manage asset growth and investment growth in a way that is compatible with mission goals and objectives.

5. A regulated entity should manage investments and acquisition of assets in a way that complies with all applicable laws, regulations, and supervisory guidance (e.g., advisory bulletins).

Standard 7—Investments and Acquisitions of Assets

Responsibilities of the Board of Directors and Senior Management

1. The board of directors is responsible for overseeing the regulated entity's investments and acquisition of other assets, ensuring senior management are appropriately trained and competent, and establishing, approving and periodically reviewing policies and procedures governing investments and acquisitions of other assets.

Policies, Practices, and Procedures

2. A regulated entity should have a board-approved investment policy that establishes clear and explicit guidelines that are appropriate to the regulated entity's mission and objectives. The investment policy should establish the regulated entity's investment objectives, risk tolerances, investment constraints, and policies and procedures for selecting investments.

3. A regulated entity should have a board-approved policy governing acquisitions of major categories of assets other than investments. The policy should establish clear and explicit guidelines for asset acquisitions that are appropriate to the regulated entity's mission and objectives.

4. A regulated entity should manage investments and acquisitions of assets prudently and in a manner that is consistent with mission goals and objectives.

5. Each Bank's investment policies and acquisition of assets should take into account the importance of maintaining the market value of member stock commensurate with the par value of that stock so that the Bank is able to redeem and repurchase member stock at par value at all times.

6. A regulated entity should manage investments and acquisitions of assets in a way that complies with all applicable laws, regulations, and supervisory guidance (e.g., advisory bulletins).

Standard 8—Overall Risk Management Processes

Responsibilities of the Board of Directors

1. Regarding overall risk management processes, the board of directors is responsible for overseeing the process, ensuring senior management are appropriately trained and competent, ensuring processes are in place to identify, manage, monitor and control risk exposures (this function may be delegated to a board appointed committee), approving all major risk limits, and ensuring incentive compensation measures for senior management capture a full range of risks.

Responsibilities of the Board and Senior Management

2. Regarding overall risk management processes, the board of directors and senior management should establish and sustain a culture that promotes effective risk management. This culture includes timely, accurate and informative risk reports, alignment of the regulated entity's overall risk profile with its mission objectives, and the annual review of comprehensive self-assessments of material risks.

Independent Risk Management Function

3. A regulated entity should have an independent risk management function, or unit, with responsibility for risk measurement and risk monitoring, including monitoring and enforcement of risk limits.

4. The chief risk officer should head the risk management function.

5. The chief risk officer should report directly to the chief executive officer and the risk committee of the board of directors.

6. The risk management function should have adequate resources, including a well-trained and capable staff.

Risk Measurement, Monitoring, and Control

7. A regulated entity should measure, monitor, and control its overall risk exposures, reviewing market, credit, liquidity, and operational risk exposures on both a business unit (or business segment) and enterprise-wide basis.

8. A regulated entity should have the risk management systems to generate, at an appropriate frequency, the information needed to manage risk. Such systems should include systems for market, credit, operational, and liquidity risk analysis, asset and liability management, regulatory reporting, and performance measurement.

9. A regulated entity should have a comprehensive set of risk limits and monitoring procedures to ensure that risk exposures remain within established risk limits, and a mechanism for reporting violations and breaches of risk limits to senior management and the board of directors.

10. A regulated entity should ensure that it has sufficient controls around risk measurement models to ensure the completeness, accuracy, and timeliness of risk information.

11. A regulated entity should have adequate and well-tested disaster recovery and business resumption plans for all major systems and have remote facilities to limit the impact of disruptive events.

Applicable Laws, Regulations, and Policies

12. A regulated entity should comply with all applicable laws, regulations, and supervisory guidance (e.g., advisory bulletins) governing the management of risk.

Standard 9—Management of Credit and Counterparty Risk

Responsibilities of the Board of Directors and Senior Management

1. Regarding the management of credit and counterparty risk, the board of directors and senior management are responsible for ensuring that the regulated entity has appropriate policies, procedures, and systems that cover all aspects of credit administration, including credit pricing, underwriting, credit limits, collateral standards, and collateral valuation procedures. This should also include derivatives and the use of clearing houses. They are also responsible for ensuring personnel are appropriately trained, competent, and equipped with the necessary tools, procedures and systems to assess risk.

2. Senior management should provide the board of directors with regular briefings and reports on credit exposures.

Policies, Procedures, Controls, and Systems

3. A regulated entity should have policies that limit concentrations of credit risk and systems to identify concentrations of credit risk.

4. A regulated entity should establish prudential limits to restrict exposures to a single counterparty that are appropriate to its business model.

5. A regulated entity should establish prudential limits to restrict exposures to groups of related counterparties that are appropriate to its business model.

6. A regulated entity should have policies, procedures, and systems for evaluating credit risk that will enable it to make informed credit decisions.

7. A regulated entity should have policies, procedures, and systems for evaluating credit risk that will enable it to ensure that claims are legally enforceable.

8. A regulated entity should have policies and procedures for addressing problem credits.

9. A regulated entity should have an ongoing credit review program that includes stress testing and scenario analysis.

Applicable Laws, Regulations, and Policies

10. A regulated entity should manage credit and counterparty risk in a way that complies with applicable laws, regulations, and supervisory guidance (e.g., advisory bulletins).

Standard 10—Maintenance of Adequate Records

1. A regulated entity should maintain financial records in compliance with Generally Accepted Accounting Principles (GAAP), FHFA guidelines, and applicable laws and regulations.

2. A regulated entity should ensure that assets are safeguarded and financial and operational information is timely and reliable.

3. A regulated entity should have a records retention program consistent with laws and corporate policies, including accounting policies, as well as personnel that are appropriately trained and competent to oversee and implement the records management plan.

4. A regulated entity, with oversight from the board of directors, should conduct a review and approval of the records retention program and records retention schedule for all types of records at least once every two years.

5. A regulated entity should ensure that reporting errors are detected and corrected in a timely manner.

6. A regulated entity should comply with all applicable laws, regulations, and supervisory guidance (e.g., advisory bulletins) governing the maintenance of adequate records.

[77 FR 33959, June 8, 2012, as amended at 80 FR 72336, Nov. 19, 2015]

