The FDIC’s recently amended Resolution Plan rule contained in 12 CFR 360.10 became effective on October 1, 2024 and heightens the expectations for covered insured depository institutions (CIDIs) to strengthen their resolution planning readiness. This rule, which is largely in response to the regional banking failures of 2023, seeks to enhance the operational and liquidity management of CIDIs as well as the demonstration and testing of those capabilities to help regulators navigate a potentially compressed resolution runway. The rule classifies CIDIs into two groups. Group A CIDIs have assets of $100 billion or more, and Group B CIDIs are those with assets between $50 billion and $100 billion. While the requirements from an operational capabilities perspective are largely the same, only Group A CIDIs have the requirement to develop a resolution strategy and franchise component valuation methodologies.
In addition to the new FDIC Resolution Plan rule, feedback letters from the review of the 2023 Dodd-Frank 165(d) resolution plan submissions performed by the FDIC and Federal Reserve Board (FRB) identified key areas within each of the U.S. Global Systemically Important Banks (G-SIB) that needed improvement. The focus on the assurance framework was consistent among all the letters as a critical component to help ensure a CIDI’s readiness to implement its resolution plan. This includes elements such as testing and fostering independent review and challenge. The new FDIC rule combined with the 165(d) feedback letters represents a focus of regulatory expectations on the assurance framework and its third line participants who play a critical role in the capabilities testing process.
Regardless of a CIDI’s classification as Group A or Group B, the internal audit team’s role and responsibilities related to resolution planning will continue to increase in the eyes of key stakeholders, especially regulators. Both constituents will be seeking assurance that effective controls are in place to address the new requirements, and that these key enhancements being implemented by the first and second lines (and monitored by internal audit) are effectively positioned to address the new requirements. However, to achieve this imperative, understanding key changes in the requirements and expectations for CIDIs will be critical for internal audit functions to navigate the path forward.
What’s New & What Remains the Same for Internal Audit
Against this new backdrop of resolution planning expectations, the role of internal audit relative to the new requirements will need to evolve in response to these heightened expectations. First and second line functions are likely well underway with gap assessments to understand the impact of the changes and are tasked with building a road map to design and implement needed enhancements. In parallel, internal audit functions should be doing the same as it relates to their critical third line “assurance” role.
Regardless of a CIDI’s classification, internal audit will need to continue providing independent assurance relative to the system of internal controls, risk management processes, and significant change events occurring in the organization. Hence, the role and responsibilities already in place for internal audit, relative to its overall mission and governance objectives, will remain the same. However, there are provisions in the new rule, along with commentary from the 165(d) feedback letters, which will impact certain aspects of internal audit’s scope and operations which include:
Introduction of new requirements from a resolution plan design perspective, e.g., franchise components, key depositors, critical services
Greater emphasis is placed on the effectiveness of enhanced resolution capabilities, designed to demonstrate the ability to execute the institution’s resolution strategy
Heightened level of scrutiny anticipated from regulators, particularly related to enhanced resolution capabilities and the institutional testing of these capabilities
Even for the largest of Group A filers, i.e., US G-SIBs, this will be more than an incremental lift over the current resolution planning requirements, including internal audit’s role and the scope of its assurance activities. However, for non-G-SIBs and Group B filers alike, the level of enhancements needed for the institution will be much more significant as existing routines are less mature, requiring more effort, investment, and time to build them out.
Regardless of an institution’s classification, internal audit functions should be proactive and align with their first and second line stakeholders to understand the key changes. Consider performing a gap assessment to identify the key impacts on the institution, compare to current internal audit processes (including resources/skill sets), identify gaps, and create a road map and plan to help address the gaps.
Staying Focused on Internal Audit Opportunities
For the immediate future, internal audit functions will be expected to provide independent assurance that controls are designed and operating effectively with respect to resolution planning and enhanced resolution capabilities. Some specific approaches internal audit should consider as a means to carry out their crucial role include:
Eyeing a Crucial Role for Internal Audit in Resolution Planning
Within the ever-changing regulatory landscape, internal audit functions will play a crucial role in helping financial institutions address the new requirements related to resolution planning. Whether by advising first and second line stakeholders in connection with internal audit’s role in the assurance framework, providing proactive assurance as new or enhanced capabilities are under construction, or as part of internal audit’s normal planning and execution, internal audit will have ample opportunities to carry out its third line responsibilities to help ensure effective controls are in place to execute a successful resolution strategy. All of these opportunities are of particular importance should adverse conditions arise.
Given the quick pace of regulatory expectations being codified and finalized, time is of the essence. Internal audit functions should begin working with key stakeholders to clearly define their role and responsibilities, establish an in-depth plan with key milestones to execute, and address any gaps in competencies or skills to help ensure internal audit is well-positioned for success in carrying out its assurance role and responsibilities.
If you have any questions or need assistance, please reach out to a professional at Forvis Mazars.
See our related FORsights™ for more information: