DATE:
April 16, 1998
LETTER NO.: 98-FCU-3
TO: ALL FEDERAL CREDIT UNIONS
DEAR BOARD OF DIRECTORS:
The National Credit Union Administration
(NCUA) with the Board of Governors of the Federal Reserve System,
the Federal Deposit Insurance Corporation, the Office of the Comptroller
of the Currency, and the Office of Thrift Supervision (collectively
referred to as the agencies), under the auspices of the Federal
Financial Institutions Examination Council, adopted a Supervisory
Policy Statement on Investment Securities and End-User Derivatives
Activities (1998 Statement). The 1998 Statement provides
guidance on sound practices for managing the risks of investment
activities and rescinds the Supervisory Policy Statement on
Securities Activities published on February 3, 1992 (1992
Statement) that NCUA adopted as Interpretative Ruling and Policy
Statement No. 92-1. The NCUA Board took action at its April 16,
1998 meeting to adopt the 1998 Statement as Interpretative Ruling
and Policy Statement (IRPS) No. 98-2 (enclosed).
The 1992 Statement focused attention on the
high risk securities tests (HRST) for mortgage derivative products,
mainly collateralized mortgage obligations (CMOs). Because of
this focus and increased examiner scrutiny of CMOs, many credit
unions avoided CMOs, even when they were low risk. Unfortunately,
many of these same credit unions purchased securities with greater
risk than the CMOs they avoided, simply because the securities
were not subject to the HRST.
The agencies believe that it is a sound practice
for institutions to understand the risks related to all their
investment holdings. Accordingly, the 1998 Statement substitutes
broader guidance than the specific pass/fail requirements contained
in the 1992 Statement. Both credit unions and examiner staff
will need additional information before these standards are fully
incorporated into NCUA's examinations. Therefore, the NCUA Board
has established an effective date for IRPS No. 98-2 of October
1, 1998.
The NCUA Board also took action to withdraw
IRPS No. 92-1 and to delete references to the HRST criteria in
Part 703 of the NCUA Rules and Regulations, effective October
1, 1998. While the pass/fail criteria for the HRST will be eliminated,
the ability to obtain stress-test analytics will still be available
and should remain a basic pre-purchase and ongoing risk management
discipline. A credit union's purchase of these instruments without
the analytical ability to fully evaluate the risks of these securities
would be an unsafe and unsound practice.
The NCUA Board cautions credit unions that
the action to eliminate the HRST does not reflect a lesser concern
with high risk CMOs, but instead recognizes it is sound business
practice for credit unions to understand the risks of all investments
prior to purchase and on an on-going basis. Whether a security,
CMO or otherwise, is an appropriate investment depends upon a
variety of factors, including the credit union's capital level,
the security's impact on the aggregate risk of the portfolio,
and management's ability to identify, measure, monitor, report
and control the risk. Sound business practices also require credit
unions to consider the risks in the investment portfolio in conjunction
with the risks in the rest of the balance sheet. Credit unions
should comply with the provisions of this Interpretative Ruling
when it is material to their operation, as long as it is not in
conflict with other statutory or regulatory requirements.
For the National Credit Union Administration
Board,
/S/
Norman E. D'Amours
Chairman
I. Purpose
This policy statement (Statement) provides
guidance to financial institutions (institutions) on sound practices
for managing the risks of investment securities and end-user
derivatives activities. The FFIEC agencies - the Board of Governors
of the Federal Reserve System, the Federal Deposit Insurance Corporation,
the Office of the Comptroller of the Currency, the Office of Thrift
Supervision, and the National Credit Union Administration - believe
that effective management of the risks associated with securities
and derivative instruments represents an essential component of
safe and sound practices. This guidance describes the practices
that a prudent manager normally would follow and is not intended
to be a checklist. Management should establish practices and
maintain documentation appropriate to the institution's individual
circumstances, consistent with this Statement.
II. Scope
This guidance applies to all securities in
held-to-maturity and available-for-sale accounts
as defined in the Statement of Financial Accounting Standards
No.115 (FAS 115), certificates of deposit held
for investment purposes, and end-user derivative contracts not
held in trading accounts. This guidance covers all securities
used for investment purposes, including: money market instruments,
fixed-rate and floating-rate notes and bonds, structured notes,
mortgage pass-through and other asset-backed securities, and mortgage-derivative
products. Similarly, this guidance covers all end-user derivative
instruments used for nontrading purposes, such as swaps, futures,
and options. This Statement applies to all federally-insured
commercial banks, savings banks, savings associations, and federally
chartered credit unions.
As a matter of sound practice, institutions
should have programs to manage the market, credit, liquidity,
legal, operational and other risks of investment securities and
end-user derivatives activities (investment activities). While
risk management programs will differ among institutions, there
are certain elements that are fundamental to all sound risk management
programs. These elements include board and senior management
oversight and a comprehensive risk management process that effectively
identifies, measures, monitors, and controls risk. This Statement
describes sound principles and practices for managing and controlling
the risks associated with investment activities.
Institutions should fully understand and effectively
manage the risks inherent in their investment activities. Failure
to understand and adequately manage the risks in these areas constitutes
an unsafe and unsound practice.
III. Board and Senior Management Oversight
Board of director and senior management oversight
is an integral part of an effective risk management program. The
board of directors is responsible for approving major policies
for conducting investment activities, including the establishment
of risk limits. The board should ensure that management has the
requisite skills to manage the risks associated with such activities.
To properly discharge its oversight responsibilities, the board
should review portfolio activity and risk levels, and require
management to demonstrate compliance with approved risk limits.
Boards should have an adequate understanding of investment activities.
Boards that do not, should obtain professional advice to enhance
its understanding of investment activity oversight, so as to enable
it to meet its responsibilities under this Statement.
Senior management is responsible for the daily
management of an institution's investments. Management should
establish and enforce policies and procedures for conducting investment
activities. Senior management should have an understanding of
the nature and level of various risks involved in the institution's
investments and how such risks fit within the institution's overall
business strategies. Management should ensure that the risk management
process is commensurate with the size, scope, and complexity of
the institution's holdings. Management should also ensure that
the responsibilities for managing investment activities are properly
segregated to maintain operational integrity. Institutions with
significant investment activities should ensure that back-office,
settlement, and transaction reconciliation responsibilities are
conducted and managed by personnel who are independent of those
initiating risk taking positions.
IV. Risk Management Process
An effective risk management process for investment
activities includes: (1) policies, procedures, and limits; (2)
the identification, measurement, and reporting of risk exposures;
and (3) a system of internal controls.
Policies, Procedures, and Limits
Investment policies, procedures, and limits
provide the structure to effectively manage investment activities.
Policies should be consistent with the organization's broader
business strategies, capital adequacy, technical expertise, and
risk tolerance. Policies should identify relevant investment
objectives, constraints, and guidelines for the acquisition and
ongoing management of securities and derivative instruments.
Potential investment objectives include: generating earnings,
providing liquidity, hedging risk exposures, taking risk positions,
modifying and managing risk profiles, managing tax liabilities,
and meeting pledging requirements, if applicable. Policies should
also identify the risk characteristics of permissible investments
and should delineate clear lines of responsibility and authority
for investment activities.
An institution's management should understand
the risks and cashflow characteristics of its investments. This
is particularly important for products that have unusual, leveraged,
or highly variable cashflows. An institution should not acquire
a material position in an instrument until senior management and
all relevant personnel understand and can manage the risks associated
with the product.
An institution's investment activities should
be fully integrated into any institution-wide risk limits. In
so doing, some institutions rely only on the institution-wide
limits, while others may apply limits at the investment portfolio,
sub-portfolio, or individual instrument level.
The board and senior management should review,
at least annually, the appropriateness of its investment strategies,
policies, procedures, and limits.
Risk Identification, Measurement and Reporting
Institutions should ensure that they identify
and measure the risks associated with individual transactions
prior to acquisition and periodically after purchase. This can
be done at the institutional, portfolio, or individual instrument
level. Prudent management of investment activities entails examination
of the risk profile of a particular investment in light of its
impact on the risk profile of the institution. To the extent
practicable, institutions should measure exposures to each type
of risk and these measurements should be aggregated and integrated
with similar exposures arising from other business activities
to obtain the institution's overall risk profile.
In measuring risks, institutions should conduct
their own in-house pre-acquisition analyses, or to the extent
possible, make use of specific third party analyses that are independent
of the seller or counterparty. Irrespective of any responsibility,
legal or otherwise, assumed by a dealer, counterparty, or financial
advisor regarding a transaction, the acquiring institution is
ultimately responsible for the appropriate personnel understanding
and managing the risks of the transaction.
Reports to the board of directors and senior
management should summarize the risks related to the institution's
investment activities and should address compliance with the investment
policy's objectives, constraints, and legal requirements, including
any exceptions to established policies, procedures, and limits.
Reports to management should generally reflect more detail than
reports to the board of the institution. Reporting should
be frequent enough to provide timely and adequate information
to judge the changing nature of the institution's risk profile
and to evaluate compliance with stated policy objectives and constraints.
Internal Controls
An institution's internal control structure
is critical to the safe and sound functioning of the organization
generally and the management of investment activities in particular.
A system of internal controls promotes efficient operations,
reliable financial and regulatory reporting, and compliance with
relevant laws, regulations, and institutional policies. An effective
system of internal controls includes enforcing official lines
of authority, maintaining appropriate separation of duties, and
conducting independent reviews of investment activities.
For institutions with significant investment
activities, internal and external audits are integral to the implementation
of a risk management process to control risks in investment activities.
An institution should conduct periodic independent reviews of
its risk management program to ensure its integrity, accuracy,
and reasonableness. Items that should be reviewed include:
(1) compliance with and the appropriateness
of investment policies, procedures, and limits;
(2) the appropriateness of the institution's
risk measurement system given the nature, scope, and complexity
of its activities;
(3) the timeliness, integrity, and usefulness
of reports to the board of directors and senior management.
The review should note exceptions to policies,
procedures, and limits and suggest corrective actions. The findings
of such reviews should be reported to the board and corrective
actions taken on a timely basis.
The accounting systems and procedures used
for public and regulatory reporting purposes are critically important
to the evaluation of an organization's risk profile and the assessment
of its financial condition and capital adequacy. Accordingly,
an institution's policies should provide clear guidelines regarding
the reporting treatment for all securities and derivatives holdings.
This treatment should be consistent with the organization's business
objectives, generally accepted accounting principles (GAAP), and
regulatory reporting standards.
V. The Risks of Investment Activities
The following discussion identifies particular
sound practices for managing the specific risks involved in investment
activities. In addition to these sound practices, institutions
should follow any specific guidance or requirements from their
primary supervisor related to these activities.
Market RiskMarket Risk
Market risk is the risk to an institution's
financial condition resulting from adverse changes in the value
of its holdings arising from movements in interest rates, foreign
exchange rates, equity prices, or commodity prices. An institution's
exposure to market risk can be measured by assessing the effect
of changing rates and prices on either the earnings or economic
value of an individual instrument, a portfolio, or the entire
institution. For most institutions, the most significant market
risk of investment activities is interest rate risk.
Investment activities may represent a significant
component of an institution's overall interest rate risk profile.
It is a sound practice for institutions to manage interest rate
risk on an institution-wide basis. This sound practice includes
monitoring the price sensitivity of the institution's investment
portfolio (changes in the investment portfolio's value over different
interest rate/yield curve scenarios). Consistent with agency
guidance, institutions should specify institution-wide interest
rate risk limits that appropriately account for these activities
and the strength of the institution's capital position. These
limits are generally established for economic value or earnings
exposures. Institutions may find it useful to establish price
sensitivity limits on their investment portfolio or on individual
securities. These sub-institution limits, if established, should
also be consistent with agency guidance.
It is a sound practice for an institution's
management to fully understand the market risks associated with
investment securities and derivative instruments prior to acquisition
and on an ongoing basis. Accordingly, institutions should have
appropriate policies to ensure such understanding. In particular,
institutions should have policies that specify the types of market
risk analyses that should be conducted for various types or classes
of instruments, including that conducted prior to their acquisition
(pre-purchase analysis) and on an ongoing basis. Policies should
also specify any required documentation needed to verify the analysis.
It is expected that the substance and form
of such analyses will vary with the type of instrument. Not all
investment instruments may need to be subjected to a pre-purchase
analysis. Relatively simple or standardized instruments, the
risks of which are well known to the institution, would likely
require no or significantly less analysis than would more volatile,
complex instruments.
For relatively more complex instruments, less
familiar instruments, and potentially volatile instruments, institutions
should fully address pre-purchase analyses in their policies.
Price sensitivity analysis is an effective way to perform the
pre-purchase analysis of individual instruments. For example,
a pre-purchase analysis should show the impact of an immediate
parallel shift in the yield curve of plus and minus 100, 200,
and 300 basis points. Where appropriate, such analysis should
encompass a wider range of scenarios, including non-parallel changes
in the yield curve. A comprehensive analysis may also take into
account other relevant factors, such as changes in interest rate
volatility and changes in credit spreads.
When the incremental effect of an investment
position is likely to have a significant effect on the risk profile
of the institution, it is a sound practice to analyze the effect
of such a position on the overall financial condition of the institution.
Accurately measuring an institution's market
risk requires timely information about the current carrying and
market values of its investments. Accordingly, institutions should
have market risk measurement systems commensurate with the size
and nature of these investments. Institutions with significant
holdings of highly complex instruments should ensure that they
have the means to value their positions. Institutions employing
internal models should have adequate procedures to validate the
models and to periodically review all elements of the modeling
process, including its assumptions and risk measurement techniques.
Management relying on third parties for market risk measurement
systems and analyses should ensure that they fully understand
the assumptions and techniques used.
Institutions should provide reports to their
boards on the market risk exposures of their investments on a
regular basis. To do so, the institution may report the market
risk exposure of the whole institution. Alternatively, reports
should contain evaluations that assess trends in aggregate market
risk exposure and the performance of portfolios in terms of established
objectives and risk constraints. They also should identify compliance
with board approved limits and identify any exceptions to established
standards. Institutions should have mechanisms to detect and
adequately address exceptions to limits and guidelines. Management
reports on market risk should appropriately address potential
exposures to yield curve changes and other factors pertinent to
the institution's holdings.
Credit Risk
Broadly defined, credit risk is the risk that
an issuer or counterparty will fail to perform on an obligation
to the institution. For many financial institutions, credit risk
in the investment portfolio may be low relative to other areas,
such as lending. However, this risk, as with any other risk,
should be effectively identified, measured, monitored, and controlled.
An institution should not acquire investments
or enter into derivative contracts without assessing the creditworthiness
of the issuer or counterparty. The credit risk arising from these
positions should be incorporated into the overall credit risk
profile of the institution as comprehensively as practicable.
Institutions are legally required to meet certain quality standards
(i.e., investment grade) for security purchases. Many institutions
maintain and update ratings reports from one of the major rating
services. For non-rated securities, institutions should establish
guidelines to ensure that the securities meet legal requirements
and that the institution fully understands the risk involved.
Institutions should establish limits on individual counterparty
exposures. Policies should also provide credit risk and concentration
limits. Such limits may define concentrations relating to a single
or related issuer or counterparty, a geographical area, or obligations
with similar characteristics.
In managing credit risk, institutions should
consider settlement and pre-settlement credit risk. These risks
are the possibility that a counterparty will fail to honor its
obligation at or before the time of settlement. The selection
of dealers, investment bankers, and brokers is particularly important
in effectively managing these risks. The approval process should
include a review of each firm's financial statements and an evaluation
of its ability to honor its commitments. An inquiry into the
general reputation of the dealer is also appropriate. This includes
review of information from state or federal securities regulators
and industry self-regulatory organizations such as the National
Association of Securities Dealers concerning any formal enforcement
actions against the dealer, its affiliates, or associated personnel.
The board of directors is responsible for
supervision and oversight of investment portfolio and end-user
derivatives activities, including the approval and periodic review
of policies that govern relationships with securities dealers.
Sound credit risk management requires that
credit limits be developed by personnel who are as independent
as practicable of the acquisition function. In authorizing issuer
and counterparty credit lines, these personnel should use standards
that are consistent with those used for other activities conducted
within the institution and with the organization's over-all policies
and consolidated exposures.
Liquidity Risk
Liquidity risk is the risk that an institution
cannot easily sell, unwind, or offset a particular position at
a fair price because of inadequate market depth. In specifying
permissible instruments for accomplishing established objectives,
institutions should ensure that they take into account the liquidity
of the market for those instruments and the effect that such characteristics
have on achieving their objectives. The liquidity of certain
types of instruments may make them inappropriate for certain objectives.
Institutions should ensure that they consider the effects that
market risk can have on the liquidity of different types of instruments
under various scenarios. Accordingly, institutions should articulate
clearly the liquidity characteristics of instruments to be used
in accomplishing institutional objectives.
Complex and illiquid instruments can often
involve greater risk than actively traded, more liquid securities.
Oftentimes, this higher potential risk arising from illiquidity
is not captured by standardized financial modeling techniques.
Such risk is particularly acute for instruments that are highly
leveraged or that are designed to benefit from specific, narrowly
defined market shifts. If market prices or rates do not move
as expected, the demand for such instruments can evaporate, decreasing
the market value of the instrument below the modeled value.
Operational (Transaction) Risk
Operational (transaction) risk is the risk
that deficiencies in information systems or internal controls
will result in unexpected loss. Sources of operating risk include
inadequate procedures, human error, system failure, or fraud.
Inaccurately assessing or controlling operating risks is one
of the more likely sources of problems facing institutions involved
in investment activities.
Effective internal controls are the first
line of defense in controlling the operating risks involved in
an institution's investment activities. Of particular importance
are internal controls that ensure the separation of duties and
supervision of persons executing transactions from those responsible
for processing contracts, confirming transactions, controlling
various clearing accounts, preparing or posting the accounting
entries, approving the accounting methodology or entries, and
performing reevaluations.
Consistent with the operational support of
other activities within the financial institution, securities
operations should be as independent as practicable from business
units. Adequate resources should be devoted, such that systems
and capacity are commensurate with the size and complexity of
the institution's investment activities. Effective risk management
should also include, at least, the following:
Valuation.
Procedures should ensure independent portfolio pricing. For
thinly traded or illiquid securities, completely independent pricing
may be difficult to obtain. In such cases, operational units
may need to use prices provided by the portfolio manager. For
unique instruments where the pricing is being provided by a single
source (e.g., the dealer providing the instrument), the institution
should review and understand the assumptions used to price the
instrument.
Personnel.
The increasingly complex nature of securities available in the
marketplace makes it important that operational personnel have
strong technical skills. This will enable them to better understand
the complex financial structures of some investment instruments.
Documentation.
Institutions should clearly define documentation requirements
for securities transactions, saving and safeguarding important
documents, as well as maintaining possession and control of instruments
purchased.
An institution's policies should also provide
guidelines for conflicts of interest for employees who are directly
involved in purchasing and selling securities for the institution
from securities dealers. These guidelines should ensure that
all directors, officers, and employees act in the best interest
of the institution. The board may wish to adopt policies prohibiting
these employees from engaging in personal securities transactions
with these same securities firms without specific prior board
approval. The board may also wish to adopt a policy applicable
to directors, officers, and employees restricting or prohibiting
the receipt of gifts, gratuities, or travel expenses from approved
securities dealer firms and their representatives.
Legal Risk
Legal risk is the risk that contracts are
not legally enforceable or documented correctly. Institutions
should adequately evaluate the enforceability of its agreements
before individual transactions are consummated. Institutions
should also ensure that the counterparty has authority to enter
into the transaction and that the terms of the agreement are legally
enforceable. Institutions should further ascertain that netting
agreements are adequately documented, executed properly, and are
enforceable in all relevant jurisdictions. Institutions should
have knowledge of relevant tax laws and interpretations governing
the use of these instruments.