The FDIC’s recently amended Resolution Plan rule contained in 12 CFR 360.10 became effective on October 1, 2024 and heightens the expectations for covered insured depository institutions (CIDIs) to strengthen their resolution planning readiness. This rule, which is largely in response to the regional banking failures of 2023, seeks to enhance the operational and liquidity management of CIDIs as well as the demonstration and testing of those capabilities to help regulators navigate a potentially compressed resolution runway. The rule classifies CIDIs into two groups. Group A CIDIs have assets of $100 billion or more, and Group B CIDIs are those with assets between $50 billion and $100 billion. While the requirements from an operational capabilities perspective are largely the same, only Group A CIDIs have the requirement to develop a resolution strategy and franchise component valuation methodologies.
In addition to the new FDIC Resolution Plan rule, feedback letters from the review of the 2023 Dodd-Frank 165(d) resolution plan submissions performed by the FDIC and Federal Reserve Board (FRB) identified key areas within each of the U.S. Global Systemically Important Banks (G-SIB) that needed improvement. The focus on the assurance framework was consistent among all the letters as a critical component to help ensure a CIDI’s readiness to implement its resolution plan. This includes elements such as testing and fostering independent review and challenge. The new FDIC rule combined with the 165(d) feedback letters represents a focus of regulatory expectations on the assurance framework and its third line participants who play a critical role in the capabilities testing process.
Regardless of a CIDI’s classification as Group A or Group B, the internal audit team’s role and responsibilities related to resolution planning will continue to increase in the eyes of key stakeholders, especially regulators. Both constituents will be seeking assurance that effective controls are in place to address the new requirements, and that these key enhancements being implemented by the first and second lines (and monitored by internal audit) are effectively positioned to address the new requirements. However, to achieve this imperative, understanding key changes in the requirements and expectations for CIDIs will be critical for internal audit functions to navigate the path forward.
What’s New & What Remains the Same for Internal Audit
Against this new backdrop of resolution planning expectations, the role of internal audit relative to the new requirements will need to evolve in response to these heightened expectations. First and second line functions are likely well underway with gap assessments to understand the impact of the changes and are tasked with building a road map to design and implement needed enhancements. In parallel, internal audit functions should be doing the same as it relates to their critical third line “assurance” role.
Regardless of a CIDI’s classification, internal audit will need to continue providing independent assurance relative to the system of internal controls, risk management processes, and significant change events occurring in the organization. Hence, the role and responsibilities already in place for internal audit, relative to its overall mission and governance objectives, will remain the same. However, there are provisions in the new rule, along with commentary from the 165(d) feedback letters, which will impact certain aspects of internal audit’s scope and operations which include:
Introduction of new requirements from a resolution plan design perspective, e.g., franchise components, key depositors, critical services
Greater emphasis is placed on the effectiveness of enhanced resolution capabilities, designed to demonstrate the ability to execute the institution’s resolution strategy
Heightened level of scrutiny anticipated from regulators, particularly related to enhanced resolution capabilities and the institutional testing of these capabilities
Even for the largest of Group A filers, i.e., US G-SIBs, this will be more than an incremental lift over the current resolution planning requirements, including internal audit’s role and the scope of its assurance activities. However, for non-G-SIBs and Group B filers alike, the level of enhancements needed for the institution will be much more significant as existing routines are less mature, requiring more effort, investment, and time to build them out.
Regardless of an institution’s classification, internal audit functions should be proactive and align with their first and second line stakeholders to understand the key changes. Consider performing a gap assessment to identify the key impacts on the institution, compare to current internal audit processes (including resources/skill sets), identify gaps, and create a road map and plan to help address the gaps.
Staying Focused on Internal Audit Opportunities
For the immediate future, internal audit functions will be expected to provide independent assurance that controls are designed and operating effectively with respect to resolution planning and enhanced resolution capabilities. Some specific approaches internal audit should consider as a means to carry out their crucial role include:
Assurance Framework
As specifically articulated in the 165(d) feedback letters, the regulators define assurance as the process for identifying, testing, and reporting on resolution capabilities and an assurance framework as the governance, policies, and procedures to execute the assurance process. As a critical component of the assurance framework for resolution planning, internal audit should represent the third line as a key member of any governance bodies, including steering committees and working groups, to proactively share perspectives and provide feedback or suggestions on improvement opportunities.
Risk Assessment & Planning
Internal audit risk assessment should be enhanced to address the new requirements. A common practice employed by many institutions under the legacy resolution planning regime has been to plan and perform an enterprisewide audit of resolution planning along with performing individual audits of key underlying aspects of resolution planning embedded within business units, e.g., Finance, Treasury, Technology, Operations, to achieve in-depth coverage and demonstrate alignment across the institution. This practice should continue while considering any impacts on scope and approach brought on by the new requirements.
Proactive Assurance
Given the dynamic nature of implementing new processes and routines across the first and second lines, internal audit should consider providing “proactive assurance” through ongoing review and evaluation of management’s plans and actions relative to the new requirements. It will be crucial for internal audit to get involved early and provide their third line review and challenge throughout the implementation process to help ensure that gaps or issues are addressed promptly. Also, internal audit is likely already providing proactive assurance relative to other large change programs underway at the institution. Hence, this would be just another aspect of that proactive assurance strategy.
Testing of Enhanced Capabilities
Discussions are underway at many affected institutions regarding the increased scrutiny expected by regulators to adequately demonstrate the ability to execute on enhanced capabilities. Also, the responsibility within the institution to test the enhanced capabilities to help ensure the success of their execution is largely a shared responsibility between second line testing functions and internal audit. To this end, internal audit should work with second line testing functions to define roles, responsibilities, and work plans and provide the desired coverage while reducing any potential duplication.
Skills & Competencies
With the introduction of the new requirements under the amended rule, internal audit will need to address gaps related to their knowledge of resolution planning processes and practices, as well as subject matter knowledge related to the multiple interdependent disciplines needed to fulfill internal audit’s enhanced approach. To this end, an assessment should be performed to address any gaps in knowledge or skills with a road map or plan to address gaps through recruiting, training, or co-sourcing.
Substantive Testing of Submissions
As an option and common practice among certain institutions, internal audit should consider whether they should play a validation role in actual submissions by performing substantive testing of resolution plan components and critical calculations before submission. If this role is currently being performed by internal audit, their testing programs will need to be updated to reflect the new requirements.
Eyeing a Crucial Role for Internal Audit in Resolution Planning
Within the ever-changing regulatory landscape, internal audit functions will play a crucial role in helping financial institutions address the new requirements related to resolution planning. Whether by advising first and second line stakeholders in connection with internal audit’s role in the assurance framework, providing proactive assurance as new or enhanced capabilities are under construction, or as part of internal audit’s normal planning and execution, internal audit will have ample opportunities to carry out its third line responsibilities to help ensure effective controls are in place to execute a successful resolution strategy. All of these opportunities are of particular importance should adverse conditions arise.
Given the quick pace of regulatory expectations being codified and finalized, time is of the essence. Internal audit functions should begin working with key stakeholders to clearly define their role and responsibilities, establish an in-depth plan with key milestones to execute, and address any gaps in competencies or skills to help ensure internal audit is well-positioned for success in carrying out its assurance role and responsibilities.
If you have any questions or need assistance, please reach out to a professional at Forvis Mazars.
See our related FORsights™ for more information: