I. Purpose

This policy statement (Statement) provides guidance to financial institutions (institutions) on sound practices for managing the risks of investment securities and end-user derivatives activities. The FFIEC agencies - the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, and the National Credit Union Administration - believe that effective management of the risks associated with securities and derivative instruments represents an essential component of safe and sound practices. This guidance describes the practices that a prudent manager normally would follow and is not intended to be a checklist. Management should establish practices and maintain documentation appropriate to the institution's individual circumstances, consistent with this Statement.

II. Scope

This guidance applies to all securities in held-to-maturity and available-for-sale accounts as defined in the Statement of Financial Accounting Standards No.115 (FAS 115), certificates of deposit held for investment purposes, and end-user derivative contracts not held in trading accounts. This guidance covers all securities used for investment purposes, including: money market instruments, fixed-rate and floating-rate notes and bonds, structured notes, mortgage pass-through and other asset-backed securities, and mortgage-derivative products. Similarly, this guidance covers all end-user derivative instruments used for nontrading purposes, such as swaps, futures, and options. This Statement applies to all federally-insured commercial banks, savings banks, savings associations, and federally chartered credit unions.

As a matter of sound practice, institutions should have programs to manage the market, credit, liquidity, legal, operational and other risks of investment securities and end-user derivatives activities (investment activities). While risk management programs will differ among institutions, there are certain elements that are fundamental to all sound risk management programs. These elements include board and senior management oversight and a comprehensive risk management process that effectively identifies, measures, monitors, and controls risk. This Statement describes sound principles and practices for managing and controlling the risks associated with investment activities.

Institutions should fully understand and effectively manage the risks inherent in their investment activities. Failure to understand and adequately manage the risks in these areas constitutes an unsafe and unsound practice.

III. Board and Senior Management Oversight

Board of director and senior management oversight is an integral part of an effective risk management program. The board of directors is responsible for approving major policies for conducting investment activities, including the establishment of risk limits. The board should ensure that management has the requisite skills to manage the risks associated with such activities. To properly discharge its oversight responsibilities, the board should review portfolio activity and risk levels, and require management to demonstrate compliance with approved risk limits. Boards should have an adequate understanding of investment activities. Boards that do not, should obtain professional advice to enhance its understanding of investment activity oversight, so as to enable it to meet its responsibilities under this Statement.

Senior management is responsible for the daily management of an institution's investments. Management should establish and enforce policies and procedures for conducting investment activities. Senior management should have an understanding of the nature and level of various risks involved in the institution's investments and how such risks fit within the institution's overall business strategies. Management should ensure that the risk management process is commensurate with the size, scope, and complexity of the institution's holdings. Management should also ensure that the responsibilities for managing investment activities are properly segregated to maintain operational integrity. Institutions with significant investment activities should ensure that back-office, settlement, and transaction reconciliation responsibilities are conducted and managed by personnel who are independent of those initiating risk taking positions.

IV. Risk Management Process

An effective risk management process for investment activities includes: (1) policies, procedures, and limits; (2) the identification, measurement, and reporting of risk exposures; and (3) a system of internal controls.

Policies, Procedures, and Limits

Investment policies, procedures, and limits provide the structure to effectively manage investment activities. Policies should be consistent with the organization's broader business strategies, capital adequacy, technical expertise, and risk tolerance. Policies should identify relevant investment objectives, constraints, and guidelines for the acquisition and ongoing management of securities and derivative instruments. Potential investment objectives include: generating earnings, providing liquidity, hedging risk exposures, taking risk positions, modifying and managing risk profiles, managing tax liabilities, and meeting pledging requirements, if applicable. Policies should also identify the risk characteristics of permissible investments and should delineate clear lines of responsibility and authority for investment activities.

An institution's management should understand the risks and cashflow characteristics of its investments. This is particularly important for products that have unusual, leveraged, or highly variable cashflows. An institution should not acquire a material position in an instrument until senior management and all relevant personnel understand and can manage the risks associated with the product.

An institution's investment activities should be fully integrated into any institution-wide risk limits. In so doing, some institutions rely only on the institution-wide limits, while others may apply limits at the investment portfolio, sub-portfolio, or individual instrument level.

The board and senior management should review, at least annually, the appropriateness of its investment strategies, policies, procedures, and limits.

Risk Identification, Measurement and Reporting

Institutions should ensure that they identify and measure the risks associated with individual transactions prior to acquisition and periodically after purchase. This can be done at the institutional, portfolio, or individual instrument level. Prudent management of investment activities entails examination of the risk profile of a particular investment in light of its impact on the risk profile of the institution. To the extent practicable, institutions should measure exposures to each type of risk and these measurements should be aggregated and integrated with similar exposures arising from other business activities to obtain the institution's overall risk profile.

In measuring risks, institutions should conduct their own in-house pre-acquisition analyses, or to the extent possible, make use of specific third party analyses that are independent of the seller or counterparty. Irrespective of any responsibility, legal or otherwise, assumed by a dealer, counterparty, or financial advisor regarding a transaction, the acquiring institution is ultimately responsible for the appropriate personnel understanding and managing the risks of the transaction.

Reports to the board of directors and senior management should summarize the risks related to the institution's investment activities and should address compliance with the investment policy's objectives, constraints, and legal requirements, including any exceptions to established policies, procedures, and limits. Reports to management should generally reflect more detail than reports to the board of the institution. Reporting should be frequent enough to provide timely and adequate information to judge the changing nature of the institution's risk profile and to evaluate compliance with stated policy objectives and constraints.

Internal Controls

An institution's internal control structure is critical to the safe and sound functioning of the organization generally and the management of investment activities in particular. A system of internal controls promotes efficient operations, reliable financial and regulatory reporting, and compliance with relevant laws, regulations, and institutional policies. An effective system of internal controls includes enforcing official lines of authority, maintaining appropriate separation of duties, and conducting independent reviews of investment activities.

For institutions with significant investment activities, internal and external audits are integral to the implementation of a risk management process to control risks in investment activities. An institution should conduct periodic independent reviews of its risk management program to ensure its integrity, accuracy, and reasonableness. Items that should be reviewed include:

(1) compliance with and the appropriateness of investment policies, procedures, and limits;

(2) the appropriateness of the institution's risk measurement system given the nature, scope, and complexity of its activities;

(3) the timeliness, integrity, and usefulness of reports to the board of directors and senior management.

The review should note exceptions to policies, procedures, and limits and suggest corrective actions. The findings of such reviews should be reported to the board and corrective actions taken on a timely basis.

The accounting systems and procedures used for public and regulatory reporting purposes are critically important to the evaluation of an organization's risk profile and the assessment of its financial condition and capital adequacy. Accordingly, an institution's policies should provide clear guidelines regarding the reporting treatment for all securities and derivatives holdings. This treatment should be consistent with the organization's business objectives, generally accepted accounting principles (GAAP), and regulatory reporting standards.

V. The Risks of Investment Activities

The following discussion identifies particular sound practices for managing the specific risks involved in investment activities. In addition to these sound practices, institutions should follow any specific guidance or requirements from their primary supervisor related to these activities.

Market RiskMarket Risk

Market risk is the risk to an institution's financial condition resulting from adverse changes in the value of its holdings arising from movements in interest rates, foreign exchange rates, equity prices, or commodity prices. An institution's exposure to market risk can be measured by assessing the effect of changing rates and prices on either the earnings or economic value of an individual instrument, a portfolio, or the entire institution. For most institutions, the most significant market risk of investment activities is interest rate risk.

Investment activities may represent a significant component of an institution's overall interest rate risk profile. It is a sound practice for institutions to manage interest rate risk on an institution-wide basis. This sound practice includes monitoring the price sensitivity of the institution's investment portfolio (changes in the investment portfolio's value over different interest rate/yield curve scenarios). Consistent with agency guidance, institutions should specify institution-wide interest rate risk limits that appropriately account for these activities and the strength of the institution's capital position. These limits are generally established for economic value or earnings exposures. Institutions may find it useful to establish price sensitivity limits on their investment portfolio or on individual securities. These sub-institution limits, if established, should also be consistent with agency guidance.

It is a sound practice for an institution's management to fully understand the market risks associated with investment securities and derivative instruments prior to acquisition and on an ongoing basis. Accordingly, institutions should have appropriate policies to ensure such understanding. In particular, institutions should have policies that specify the types of market risk analyses that should be conducted for various types or classes of instruments, including that conducted prior to their acquisition (pre-purchase analysis) and on an ongoing basis. Policies should also specify any required documentation needed to verify the analysis.

It is expected that the substance and form of such analyses will vary with the type of instrument. Not all investment instruments may need to be subjected to a pre-purchase analysis. Relatively simple or standardized instruments, the risks of which are well known to the institution, would likely require no or significantly less analysis than would more volatile, complex instruments.

For relatively more complex instruments, less familiar instruments, and potentially volatile instruments, institutions should fully address pre-purchase analyses in their policies. Price sensitivity analysis is an effective way to perform the pre-purchase analysis of individual instruments. For example, a pre-purchase analysis should show the impact of an immediate parallel shift in the yield curve of plus and minus 100, 200, and 300 basis points. Where appropriate, such analysis should encompass a wider range of scenarios, including non-parallel changes in the yield curve. A comprehensive analysis may also take into account other relevant factors, such as changes in interest rate volatility and changes in credit spreads.

When the incremental effect of an investment position is likely to have a significant effect on the risk profile of the institution, it is a sound practice to analyze the effect of such a position on the overall financial condition of the institution.

Accurately measuring an institution's market risk requires timely information about the current carrying and market values of its investments. Accordingly, institutions should have market risk measurement systems commensurate with the size and nature of these investments. Institutions with significant holdings of highly complex instruments should ensure that they have the means to value their positions. Institutions employing internal models should have adequate procedures to validate the models and to periodically review all elements of the modeling process, including its assumptions and risk measurement techniques. Management relying on third parties for market risk measurement systems and analyses should ensure that they fully understand the assumptions and techniques used.

Institutions should provide reports to their boards on the market risk exposures of their investments on a regular basis. To do so, the institution may report the market risk exposure of the whole institution. Alternatively, reports should contain evaluations that assess trends in aggregate market risk exposure and the performance of portfolios in terms of established objectives and risk constraints. They also should identify compliance with board approved limits and identify any exceptions to established standards. Institutions should have mechanisms to detect and adequately address exceptions to limits and guidelines. Management reports on market risk should appropriately address potential exposures to yield curve changes and other factors pertinent to the institution's holdings.

Credit Risk

Broadly defined, credit risk is the risk that an issuer or counterparty will fail to perform on an obligation to the institution. For many financial institutions, credit risk in the investment portfolio may be low relative to other areas, such as lending. However, this risk, as with any other risk, should be effectively identified, measured, monitored, and controlled.

An institution should not acquire investments or enter into derivative contracts without assessing the creditworthiness of the issuer or counterparty. The credit risk arising from these positions should be incorporated into the overall credit risk profile of the institution as comprehensively as practicable. Institutions are legally required to meet certain quality standards (i.e., investment grade) for security purchases. Many institutions maintain and update ratings reports from one of the major rating services. For non-rated securities, institutions should establish guidelines to ensure that the securities meet legal requirements and that the institution fully understands the risk involved. Institutions should establish limits on individual counterparty exposures. Policies should also provide credit risk and concentration limits. Such limits may define concentrations relating to a single or related issuer or counterparty, a geographical area, or obligations with similar characteristics.

In managing credit risk, institutions should consider settlement and pre-settlement credit risk. These risks are the possibility that a counterparty will fail to honor its obligation at or before the time of settlement. The selection of dealers, investment bankers, and brokers is particularly important in effectively managing these risks. The approval process should include a review of each firm's financial statements and an evaluation of its ability to honor its commitments. An inquiry into the general reputation of the dealer is also appropriate. This includes review of information from state or federal securities regulators and industry self-regulatory organizations such as the National Association of Securities Dealers concerning any formal enforcement actions against the dealer, its affiliates, or associated personnel.

The board of directors is responsible for supervision and oversight of investment portfolio and end-user derivatives activities, including the approval and periodic review of policies that govern relationships with securities dealers.

Sound credit risk management requires that credit limits be developed by personnel who are as independent as practicable of the acquisition function. In authorizing issuer and counterparty credit lines, these personnel should use standards that are consistent with those used for other activities conducted within the institution and with the organization's over-all policies and consolidated exposures.

Liquidity Risk

Liquidity risk is the risk that an institution cannot easily sell, unwind, or offset a particular position at a fair price because of inadequate market depth. In specifying permissible instruments for accomplishing established objectives, institutions should ensure that they take into account the liquidity of the market for those instruments and the effect that such characteristics have on achieving their objectives. The liquidity of certain types of instruments may make them inappropriate for certain objectives. Institutions should ensure that they consider the effects that market risk can have on the liquidity of different types of instruments under various scenarios. Accordingly, institutions should articulate clearly the liquidity characteristics of instruments to be used in accomplishing institutional objectives.

Complex and illiquid instruments can often involve greater risk than actively traded, more liquid securities. Oftentimes, this higher potential risk arising from illiquidity is not captured by standardized financial modeling techniques. Such risk is particularly acute for instruments that are highly leveraged or that are designed to benefit from specific, narrowly defined market shifts. If market prices or rates do not move as expected, the demand for such instruments can evaporate, decreasing the market value of the instrument below the modeled value.

Operational (Transaction) Risk

Operational (transaction) risk is the risk that deficiencies in information systems or internal controls will result in unexpected loss. Sources of operating risk include inadequate procedures, human error, system failure, or fraud. Inaccurately assessing or controlling operating risks is one of the more likely sources of problems facing institutions involved in investment activities.

Effective internal controls are the first line of defense in controlling the operating risks involved in an institution's investment activities. Of particular importance are internal controls that ensure the separation of duties and supervision of persons executing transactions from those responsible for processing contracts, confirming transactions, controlling various clearing accounts, preparing or posting the accounting entries, approving the accounting methodology or entries, and performing reevaluations.

Consistent with the operational support of other activities within the financial institution, securities operations should be as independent as practicable from business units. Adequate resources should be devoted, such that systems and capacity are commensurate with the size and complexity of the institution's investment activities. Effective risk management should also include, at least, the following:

Valuation. Procedures should ensure independent portfolio pricing. For thinly traded or illiquid securities, completely independent pricing may be difficult to obtain. In such cases, operational units may need to use prices provided by the portfolio manager. For unique instruments where the pricing is being provided by a single source (e.g., the dealer providing the instrument), the institution should review and understand the assumptions used to price the instrument.

Personnel. The increasingly complex nature of securities available in the marketplace makes it important that operational personnel have strong technical skills. This will enable them to better understand the complex financial structures of some investment instruments.

Documentation. Institutions should clearly define documentation requirements for securities transactions, saving and safeguarding important documents, as well as maintaining possession and control of instruments purchased.

An institution's policies should also provide guidelines for conflicts of interest for employees who are directly involved in purchasing and selling securities for the institution from securities dealers. These guidelines should ensure that all directors, officers, and employees act in the best interest of the institution. The board may wish to adopt policies prohibiting these employees from engaging in personal securities transactions with these same securities firms without specific prior board approval. The board may also wish to adopt a policy applicable to directors, officers, and employees restricting or prohibiting the receipt of gifts, gratuities, or travel expenses from approved securities dealer firms and their representatives.

Legal Risk

Legal risk is the risk that contracts are not legally enforceable or documented correctly. Institutions should adequately evaluate the enforceability of its agreements before individual transactions are consummated. Institutions should also ensure that the counterparty has authority to enter into the transaction and that the terms of the agreement are legally enforceable. Institutions should further ascertain that netting agreements are adequately documented, executed properly, and are enforceable in all relevant jurisdictions. Institutions should have knowledge of relevant tax laws and interpretations governing the use of these instruments.