Bookshop > Trading and Capital-Markets Activities Manual > This page

Trading and Capital-Markets Activities Manual

Capital-Markets Activities: Investment Securities and End-User Activities
Source: Federal Reserve System 
(The complete Activities Manual (pdf format) can be downloaded from the Federal Reserve's web site)

A depository institution's investment and end-user activities involve the use of securities (both available-for-sale and held-to-maturity) and off-balance-sheet (OBS) derivative contracts to achieve earnings and risk-management objectives that involve longer time horizons than those typically associated with trading activities. 1 These ''non-trading'' activities involve the full array of cash securities, money market instruments, and OBS derivative contracts. Cash securities include fixed- and floating-rate notes and bonds, structured notes, mortgage pass-through and other asset-backed securities, and mortgage-derivative products. OBS derivative contracts include swaps, futures, and options. 

When institutions acquire and manage securities and derivative instruments, they must ensure that these activities are permissible and appropriate within the established limitations and restrictions on banks' holdings. Institutions must also employ sound risk-management practices consistently across these varying product categories, regardless of their legal characteristics or nomenclature. This section provides examiners with guidance on- 

  the permissibility and appropriateness of securities holdings by state member banks; 
  sound risk-management practices and internal controls used by banking institutions in their investment and end-user activities; 
  review of securities and derivatives acquired by the bank's international division and overseas branches for its own account, as well as on the bank's foreign equity investments that are held either directly or through Edge Act corporations; and 
  unsuitable investment practices. 


Many states extend the same investment authorities available to national banks to their chartered banks-often with direct reference. In turn, the security investments of national banks are governed by the seventh paragraph of 12 USC 24 (section 5136 of the Revised Statutes) and by the investment securities regulation of the Office of the Comptroller of the Currency (OCC). 

Under 12 USC 24, an ''investment security'' is defined as a debt obligation that is not predominantly speculative. A security is not predominantly speculative if it is rated investment-grade. An ''investment-grade security'' has been rated in one of the four highest rating categories by two or more nationally recognized statistical rating organizations (one rating may suffice if the security has only been rated by one organization). In the case of split ratings-different ratings from different rating organizations-the lower rating applies. 

The OCC's investment-securities regulation, which was revised in 1996, identifies five basic types of investment securities (types I, II, III, IV, and V) and establishes limitations on a bank's investment in these types of securities based on the percentage of capital and surplus that such holdings represent. For calculating concentration limits, the term ''capital and surplus'' includes the balance of a bank's allowance for loan and lease losses not included in tier 2 capital. Table 1 summarizes bank-eligible securities and their investment limitations. 

Type I securities are those debt instruments that national and state member banks can deal in, underwrite, purchase, and sell for their own accounts without limitation. Type I securities are obligations of the U.S. government or its agencies, general obligations of states and political subdivisions, and mortgage-related securities. A bank may purchase type I securities for its own account subject to no limitations, other than the exercise of prudent banking judgment (see 12 USC 24 (7) and 15 USC 78c(a)(41)). 

Type II securities are those debt instruments that national and state member banks may deal in, underwrite, purchase, and sell for their own accounts subject to a 10 percent limitation of a bank's capital and surplus for any one obligor. Type II investments include obligations issued by the International Bank for Reconstruction and Development; the Inter-American Development Bank; the Asian Development Bank; the Tennessee Valley Authority; the United States Postal Service; obligations issued by any state or political subdivision for housing, university, or dormitory purposes; and other issuers specifically identified in 12 USC 24 (7). 

Type III is a residual securities category consisting of all types of investment securities not specifically designated to another security ''type'' category. Banks cannot deal in or underwrite type III securities, and their holdings of these instruments are limited to 10 percent of the banks' capital and surplus for any one obligor.

Type IV securities include the following asset-backed securities (ABS) that are fully secured by interests in pools of loans made to numerous obligors: 

  investment-grade residential mortgage-related securities offered or sold pursuant to section 4(5) of the Securities Act of 1933 (15 USC 77d(5)) 
  residential mortgage-related securities as described in section 3(a)(41) of the Securities Exchange Act of 1934 (15 USC 78c(a)(41)) that are rated in one of the two highest investment-grade rating categories 
  investment-grade commercial mortgage securities offered or sold pursuant to section 4(5) of the Securities Act of 1933 (15 USC 77d(5)) 
  commercial mortgage securities as described in section 3(a)(41) of the Securities Exchange Act of 1934 (15 USC 78c(a)(41)) that are rated in one of the two highest investment-grade rating categories 
  investment-grade, small-business-loan securities as described in section 3(a)(53)(A) of the Securities Exchange Act of 1934 (15 USC 78c(a)(53)(A)) 

For all type IV commercial and residential mortgage securities and for type IV small-business-loan securities rated in the top two categories, there is no limitation on the amount a bank can purchase or sell for its own account. Type IV investment-grade, small-business-loan securities that are not rated in the top two rating categories are subject to a limit of 25 percent of a bank's capital and surplus for any one issuer. In addition to being able to purchase and sell type IV securities, subject to the above limitation, a bank may deal in those type IV securities which are fully secured by type I securities. 

Type V securities consist of all ABS that are not type IV securities. Specifically, they are defined as marketable, investment-grade rated securities that are not type IV and are ''fully secured by interests in a pool of loans to numerous obligors and in which a national bank could invest directly.'' They include securities backed by auto loans, credit card loans, home equity loans, and other assets. Also included are residential and commercial mortgage securities as described in section 3(a)(41) of the Securities Exchange Act of 1934 (15 USC 78c(a)(41)) which are not rated in one of the two highest investment-grade rating categories, but are still investment-grade. A bank may purchase or sell type V securities for its own account provided the aggregate par value of type V securities issued by any one issuer held by the bank does not exceed 25 percent of the bank's capital and surplus. 

As mentioned above, type III securities represent a residual category. The OCC requires a national bank to determine (1) that the type III instrument it plans to purchase is marketable and of sufficiently high investment quality and (2) that the obligor will be able to meet all payments and fulfill all the obligations it has undertaken in connection with the security. For example, junk bonds, which are often issued to finance corporate takeovers, are usually not considered to be of investment quality because they are predominately speculative and have limited marketability. 

The purchase of type II and III securities is limited to 10 percent of equity capital and reserves for each obligor when the purchase is based on adequate evidence of the maker's ability to perform. That limitation is reduced to 5 percent of equity capital and reserves for all obligors in the aggregate when the judgment of the obligor's ability to perform is based predominantly on ''reliable estimates.'' The term ''reliable estimates'' refers to projections of income and debt-service requirements or conditional ratings when factual credit information is not available and when the obligor does not have a record of performance. Securities purchased subject to the 5 percent limitation may, in fact, become eligible for the 10 percent limitation once a satisfactory financial record has been established. Additional limitations on specific securities that have been ruled eligible for investment are detailed in 12 CFR 1.3. The par value, not the book value or purchase price, of the security is the basis for computing the limitations. However, the limitations do not apply to securities acquired through debts previously contracted. 

1. In general terms, derivatives are financial contracts whose value derives from the value of one or more underlying assets, interest rates, exchange rates, commodities, or financial or commodity indexes.

Table 1-Summary of New Investment-Type Categories

Sub-investment-quality securities are those in which the investment characteristics are distinctly or predominantly speculative. This group includes securities in grades below the four highest grades and unrated securities of equivalent quality, defaulted securities, and sub-investment-quality stocks. As noted in the following table, securities in grades below the four highest grades and unrated securities of equivalent quality will be valued at market price. The market value will be classified substandard, and the depreciation will be classified doubtful. Depreciation in defaulted securities and sub-investment-quality stocks will generally be classified loss; market value will be classified substandard. 

Table 2-Security Classifications

An exception to the above is to be made for municipal general obligations, which are backed by the credit and taxing power of the issuer. The entire book value of sub-investment-quality municipal general obligations that are not in default should be classified substandard. In the event of a default of a municipal general obligation, a period of time is usually necessary to permit the market for these defaulted securities to stabilize or for the issuer to put in place budgetary, tax, or other actions that may eliminate the default or otherwise improve the post default value of the securities. The market for the defaulted securities will be periodically reviewed by the regulatory authorities. Upon a determination that a functioning market has been re-established, depreciation on defaulted municipal general obligations will be classified as loss. During this interim, the book value of all defaulted municipal general obligation securities will be classified doubtful. 

Banks are required to maintain adequate credit information in their files to demonstrate that they are exercising prudent judgment in their securities and derivative transactions. Unrated securities must be evaluated by the bank to determine if the instrument is a bank-eligible investment. Examiners must ensure that the bank's methodology for evaluating unrated securities is sound. All credit-related information and analyses should be retained for as long as the security remains in the bank's portfolio. 

The transfer of low-quality securities from one depository institution to another may be made to avoid detection and classification during regulatory examinations, and may be accomplished through participations, purchases or sales, and asset swaps with other affiliated or non-affiliated financial institutions. Broadly defined, low-quality securities include depreciated or sub-investment-grade securities of questionable quality. Situations in which an institution appears to be concealing low-quality securities to avoid examination scrutiny and possible classification represent an unsafe and unsound practice. Further, this type of transfer between affiliated banks is a violation of section 23A of the Federal Reserve Act. 

Any situations involving the transfer of low quality or questionable securities should be brought to the attention of Reserve Bank supervisory personnel who, in turn, should notify the local office of the primary federal regulator of the other depository institution involved in the transaction. For example, if an examiner determines that a state member bank or holding company has transferred or intends to transfer low-quality securities to another depository institution, the Reserve Bank should notify the recipient institution's primary federal regulator of the transfer. The same notification requirement holds true if an examiner determines that a state member bank or holding company has acquired or intends to acquire low-quality securities from another depository institution. This procedure applies to transfers involving savings and loan associations and savings banks, as well as commercial banking organizations. 

Situations may arise when transfers of securities are undertaken for legitimate reasons. In these cases, the securities should be properly recorded on the books of the acquiring institution at their fair value on the date of transfer. If the transfer was with the parent holding company or a non-bank affiliate, the records of the affiliate should be reviewed as well. 


In April 1998, the FFIEC rescinded its Supervisory Policy Statement on Securities Activities published in February 1992, including the high risk test for mortgage-derivative products. 


Examiners are expected to conduct an adequate evaluation of the risk-management process an institution uses to acquire and manage the securities and derivative contracts used in non-trading activities. In conducting this analysis, examiners should evaluate the following four key elements of a sound risk-management process: 

  active board and senior management oversight 
  adequate risk-management policies and limits 
  appropriate risk-measurement and reporting systems 
  comprehensive internal controls 

This section identifies basic factors that examiners should consider in evaluating these elements for investment and end-user activities; it reiterates and supplements existing guidance and directives on the use of these instruments for non-trading purposes as provided in various supervisory letters and examination manuals.2 

In evaluating an institution's risk-management process, examiners should consider the nature and size of its holdings. Examiner judgment plays a key role in assessing the adequacy of an institution's risk-management process for securities and derivative contracts. Examiners should focus on evaluating an institution's understanding of the risks involved in the instruments it holds. Regardless of any responsibility, legal or otherwise, assumed by a dealer or counterparty for a particular transaction, the acquiring institution is ultimately responsible for understanding and managing the risks of the transactions into which it enters. Failure of an institution to adequately understand, monitor, and evaluate the risks involved in its securities or derivative positions, either through lack of internal expertise or inadequate outside advice, constitutes an unsafe and unsound banking practice. 

As with all risk-bearing activities, institutions should fully support the risk exposures of non-trading activities with adequate capital. Banking organizations should ensure that their capital positions are sufficiently strong to support all the risks associated with these activities on a fully consolidated basis and should maintain adequate capital in all affiliated entities engaged in these activities. In evaluating the adequacy of an institution's capital, examiners should consider any unrecognized net depreciation or appreciation in an institution's securities and derivative holdings. Further consideration should also be given to the institution's ability to hold these securities and thereby avoid recognizing losses. 

2. Existing policies and examiner guidance on various supervisory topics applicable to securities and off-balance-sheet instruments can be found in this manual, the Commercial Bank Examination Manual, the Bank Holding Company Supervision Manual, and the Trust Activities Examination Manual, as well as in various supervision and regulation (SR) letters, including SR-90-16, ''Implementation of Examination Guidelines for the Review of Asset Securitization Activities''; SR-91-4, ''Inspections of Investment-Adviser Subsidiaries of Bank Holding Companies''; SR-92-1, ''Supervisory Policy Statement on Securities Activities''; SR-93-69, ''Risk Management and Internal Controls for Trading Activities''; SR-95-17, ''Evaluating the Risk Management and Internal Controls of Securities and Derivative Contracts Used in Non-trading Activities''; and SR-98-12, ''FFIEC Policy Statement on Investment Securities and End-User Derivatives Activities.'' Examiners of U.S. branches and agencies of foreign banks should take the principles included in these guidelines into consideration in accordance with the procedures set forth in the Examination Manual for Branches and Agencies of Foreign Banking Organizations.

Board of Directors and Senior Management Oversight 

Active oversight by the institution's board of directors and relevant senior management is critical to a sound risk-management process. Examiners should ensure that these individuals are aware of their responsibilities and that they adequately perform their appropriate roles in overseeing and managing the risks associated with non-trading activities involving securities and derivative instruments. 

Board of Directors 

The board of directors has the ultimate responsibility for the level of risk taken by the institution. Accordingly, the board should approve overall business strategies and significant policies that govern risk-taking, including those involving securities and derivative contracts. In particular, the board should approve policies identifying managerial oversight and articulating risk tolerances and exposure limits for securities and derivative activities. The board should also actively monitor the performance and risk profile of the institution and its various securities and derivative portfolios. Directors should periodically review information that is sufficiently detailed and timely to allow them to understand and assess the credit, market, and liquidity risks facing the institution as a whole and its securities and derivative positions in particular. These reviews should be conducted at least quarterly and more frequently when the institution holds significant positions in complex instruments. In addition, the board should periodically re-evaluate the institution's business strategies and significant risk-management policies and procedures, placing special emphasis on the institution's financial objectives and risk tolerances. The minutes of board meetings and accompanying reports and presentation materials should clearly demonstrate the board's fulfillment of these basic responsibilities. The section of this guidance on managing specific risks provides guidance on the types of objectives, risk tolerances, limits, and reports that directors should consider. 

The board of directors should also conduct and encourage discussions between its members and senior management, as well as between senior management and others in the institution, regarding the institution's risk-management process and risk exposures. Although it is not essential for board members to have detailed technical knowledge of these activities, if they do not, it is their responsibility to ensure that they have adequate access to independent legal and professional advice on the institution's securities and derivative holdings and strategies. The familiarity, technical knowledge, and awareness of directors and senior management should be commensurate with the level and nature of an institution's securities and derivative positions. Accordingly, the board should be knowledgeable enough or have access to independent advice to evaluate recommendations presented by management or investment advisors. 

Senior Management 

Senior management is responsible for ensuring that there are adequate policies and procedures for conducting investment and end-user activities on both a long-range and day-to-day basis. Management should maintain clear lines of authority and responsibility for acquiring instruments and managing risk, setting appropriate limits on risk-taking, establishing adequate systems for measuring risk, setting acceptable standards for valuing positions and measuring performance, establishing effective internal controls, and enacting a comprehensive risk reporting and risk-management review process. To provide adequate oversight, management should fully understand the institution's risk profile, including that of its securities and derivative activities. Examiners should review the reports to senior management and evaluate whether they provide both good summary information and sufficient detail to enable management to assess the sensitivity of securities and derivative holdings to changes in credit quality, market prices and rates, liquidity conditions, and other important risk factors. As part of its oversight responsibilities, senior management should periodically review the organization's risk-management procedures to ensure that they remain appropriate and sound. Senior management should also encourage and participate in active discussions with members of the board and with risk-management staff regarding risk-measurement, reporting, and management procedures. 

Management should ensure that investment and end-user activities are conducted by competent staff whose technical knowledge and experience is consistent with the nature and scope of the institution's activities. There should be sufficient depth in staff resources to manage these activities if key personnel are not available. Management should also ensure that back-office and financial-control resources are sufficient to manage and control risks effectively. 

Independence in managing risks. The process of measuring, monitoring, and controlling risks within an institution should be managed as independently as possible from those individuals who have the authority to initiate transactions. Otherwise, conflicts of interest could develop. The nature and extent of this independence should be commensurate with the size and complexity of an institution's securities and derivative activities. Institutions with large and complex balance sheets or with significant holdings of complex instruments would be expected to have risk managers or risk-management functions fully independent of the individuals who have the authority to conduct transactions. Institutions with less complex holdings should ensure they have some mechanism for independently reviewing both the level of risk exposures created by securities and derivative holdings and the adequacy of the process used in managing those exposures. Depending on the size and nature of the institution, this review function may be carried out by either management or a board committee. Regardless of size and sophistication, institutions should ensure that back-office, settlement, and transaction-reconciliation responsibilities are conducted and managed by personnel who are independent of those initiating risk-taking positions.

Policies, Procedures, and Limits 

Institutions should maintain written policies and procedures that clearly outline their approach for managing securities and derivative instruments. These policies should be consistent with the organization's broader business strategies, capital adequacy, technical expertise, and general willingness to take risks. They should identify relevant objectives, constraints, and guidelines for both acquiring instruments and managing portfolios. In doing so, policies should establish a logical framework for limiting the various risks involved in an institution's securities and derivative holdings. Policies should clearly delineate lines of responsibility and authority over securities and derivative activities. They should also provide for the systematic review of products new to the firm, specify accounting guidelines, and ensure the independence of the risk-management process. Examiners should evaluate the adequacy of an institution's risk-management policies and procedures in relation to its size, its sophistication, and the scope of its activities. 

Specifying Objectives 

Institutions can use securities and derivative instruments for several primary and complementary purposes.3 Banking organizations should articulate these objectives clearly and identify the types of securities and derivative contracts to be used for achieving them. Objectives also should be identified at the appropriate portfolio and institutional levels. These objectives should guide the acquisition of individual instruments and provide benchmarks for periodically evaluating the performance and effectiveness of an institution's holdings, strategies, and programs. Whenever multiple objectives are involved, management should identify the hierarchy of potentially conflicting objectives. 

Identifying Constraints, Guidelines, and Limits 

An institution's policies should clearly articulate the organization's risk tolerance by identifying its willingness to take the credit, market, and liquidity risks involved in holding securities and derivative contracts. A statement of authorized instruments and activities is an important vehicle for communicating these risk tolerances. This statement should clearly identify permissible instruments or instrument types and the purposes or objectives for which the institution may use them. The statement also should identify permissible credit-quality, market-risk-sensitivity, and liquidity characteristics of the instruments and portfolios used in non-trading activities. For example, in the case of market risk, policies should address the permissible degree of price sensitivity and/or effective maturity volatility, taking into account an instrument's or portfolio's option and leverage characteristics. Specifications of permissible risk characteristics should be consistent with the institution's overall credit-, market-, and liquidity-risk limits and constraints, and should help delineate a clear set of institutional limits for use in acquiring specific instruments and managing portfolios. Limits can be specified either as guidelines within the overall policies or as management operating procedures. Further guidance on managing specific risks and on the types of constraints and limits an institution might use in managing the credit, market, and liquidity risk of securities and derivative contracts is provided later in this section.

Limits should be set to guide acquisition and ongoing management decisions, control exposures, and initiate discussion within the organization about apparent opportunities and risks. Although procedures for establishing limits and operating within them may vary among institutions, examiners should determine whether the organization enforces its policies and procedures through a clearly identified system of risk limits. The organization's policies should also include specific guidance on the resolution of limit excesses. Positions that exceed established limits should receive the prompt attention of appropriate management and should be resolved according to approved policies. 

Limits should implement the overall risk tolerances and constraints articulated in general policy statements. Depending on the nature of an institution's holdings and its general sophistication, limits can be identified for individual business units, portfolios, instrument types, or specific instruments. The level of detail of risk limits should reflect the characteristics of the institution's holdings, including the types of risk to which the institution is exposed. Regardless of their specific form or level of aggregation, limits should be consistent with the institution's overall approach to managing various types of risks. They should also be integrated to the fullest extent possible with institution-wide limits on the same risks as they arise in other activities of the firm. Later in this section, specific examiner considerations for evaluating the policies and limits used in managing each of the various types of risks involved in non-trading securities and derivative activities are addressed. 

3. Such purposes include, but are not limited to, generating earnings, creating funding opportunities, providing liquidity, hedging risk exposures, taking risk positions, modifying and managing risk profiles, managing tax liabilities, and meeting pledging requirements. 

New-Product Review 

An institution's policies should also provide for effective review of any products being considered that would be new to the firm. An institution should not acquire a meaningful position in a new instrument until senior management and all relevant personnel (including those in internal-control, legal, accounting, and auditing functions) understand the product and can integrate it into the institution's risk-measurement and control systems. An institution's policies should define the terms ''new product'' and ''meaningful position'' consistent with its size, complexity, and sophistication. Institutions should not be hesitant to define an instrument as a new product. Small changes in the payment formulas or other terms of relatively simple and standard products can greatly alter their risk profiles and justify designation as a new product. New product reviews should analyze all of the relevant risks involved in an instrument and assess how well the product or activity achieves specified objectives. New-product reviews also should include a description of the relevant accounting guidelines and identify the procedures for measuring, monitoring, and controlling the risks involved. 

Accounting Guidelines 

The accounting systems and procedures used for general-purpose financial statements and regulatory reporting purposes are critically important to enhancing the transparency of an institution's risk profile. Accordingly, an institution's policies should provide clear guidelines on accounting for all securities and derivative holdings. Accounting treatment should be consistent with specified objectives and with the institution's regulatory requirements. Furthermore, institutions should ensure that they designate each cash or derivative contract for accounting purposes consistent with appropriate accounting policies and requirements. Accounting for non-trading securities and OBS derivative contracts should reflect the economic substance of the transactions. When instruments are used for hedging purposes, the hedging rationale and performance criteria should be well documented. Management should reassess these designations periodically to ensure that they remain appropriate. 

Risk-Measurement and Risk-Reporting Systems 

Clear procedures for measuring and monitoring risks are the foundation of a sound risk-management process. Examiners should ensure that an institution sufficiently integrates these functions into its ongoing management process and that relevant personnel recognize their role and understand the instruments held. 

Risk Measurement 

An institution's system for measuring the credit, market, liquidity, and other risks involved in cash and derivative contracts should be as comprehensive and accurate as practicable. The degree of comprehensiveness should be commensurate with the nature of the institution's holdings and risk exposures. Exposures to each type of risk (that is, credit, market, liquidity) should be aggregated across securities and derivative contracts and integrated with similar exposures arising from lending and other business activities to obtain the institution's overall risk profile. 

Examiners should evaluate whether the risk measures and the risk-measurement process are sufficient to accurately reflect the different types of risks facing the institution. Institutions should establish clear risk-measurement standards for both the acquisition and ongoing management of securities and derivative positions. Risk-measurement standards should provide a common framework for limiting and monitoring risks and should be understood by relevant personnel at all levels of the institution-from individual managers to the board of directors. 

Acquisition standards. Institutions conducting securities and derivative activities should have the capacity to evaluate the risks of instruments before acquiring them. Before executing any transaction, an institution should evaluate the instrument to ensure that it meets the various objectives, risk tolerances, and guidelines identified by the institution's policies. Evaluations of the credit-, market-, and liquidity-risk exposures should be clearly and adequately documented for each acquisition. Documentation should be appropriate for the nature and type of instrument; relatively simple instruments would probably require less documentation than instruments with significant leverage or option characteristics. 

Institutions with significant securities and derivative activities are expected either to conduct in-house pre-acquisition analyses or use specific third-party analyses that are independent of the seller or counterparty. Analyses provided by the originating dealer or counterparty should be used only when a clearly defined investment advisory relationship exists. Less active institutions with relatively uncomplicated holdings may use risk analyses provided by the dealer only if the analyses are derived using standard industry calculators and market conventions. Such analyses must comprehensively depict the potential risks involved in the acquisition, and they should be accompanied by documentation that sufficiently demonstrates that the acquirer understands fully both the analyses and the nature of the institution's relationship with the provider of the analyses. Notwithstanding information and analyses obtained from outside sources, management is ultimately responsible for understanding the nature and risk profiles of the institution's securities and derivative holdings. 

It is a prudent practice for institutions to obtain and compare price quotes and risk analyses from more than one dealer before acquisition. Institutions should ensure that they clearly understand the responsibilities of any outside parties that provide analyses and price quotes. If analyses and price quotes provided by dealers are used, institutions should assume that each party deals at arm's length for its own account unless a written agreement states otherwise. Institutions should exercise caution when dealers limit the institution's ability to show securities or derivative contract proposals to other dealers to receive comparative price quotes or risk analyses. As a general sound practice, unless the dealer or counterparty is also acting under a specific investment advisory relationship, an investor or end-user should not acquire an instrument or enter into a transaction if its fair value or the analyses required to assess its risk cannot be determined through a means that is independent of the originating dealer or counterparty. 

Portfolio-management standards. 

Institutions should periodically review the performance and effectiveness of instruments, portfolios, and institutional programs and strategies. This review should be conducted at least quarterly and should evaluate the extent to which the institution's securities and derivative holdings meet the various objectives, risk tolerances, and guidelines established by its policies.4 Institutions with large or highly complex holdings should conduct reviews more frequently. 

For internal measurements of risk, effective measurement of the credit, market, and liquidity risks of many securities and derivative contracts requires mark-to-market valuations. Accordingly, the periodic revaluation of securities and derivative holdings is an integral part of an effective risk-measurement system. Periodic revaluations should be fully documented. When available, actual market prices should be used. For less liquid or complex instruments, institutions with only limited holdings may use properly documented periodic prices and analyses provided by dealers or counterparties. More active institutions should conduct periodic revaluations and portfolio analyses using either in-house capabilities or outside-party analytical systems that are independent of sellers or counterparties. Institutions should recognize that indicative price quotes and model revaluations may differ from the values at which transactions can be executed. 

Stress testing. Analyzing the credit, market, and liquidity risk of individual instruments, portfolios, and the entire institution under a variety of unusual and stressful conditions is an important aspect of the risk-measurement process. Management should seek to identify the types of situations or the combinations of credit and market events that could produce substantial losses or liquidity problems. Typically, securities and derivative contracts are managed on the basis of an institution's consolidated exposures, and stress testing should be conducted on the same basis. Stress tests should evaluate changes in market conditions, including alternatives in the underlying assumptions used to value instruments. All major assumptions used in stress tests should be identified. 

Stress tests should not be limited to quantitative exercises that compute potential losses or gains, but should include qualitative analyses of the tools available to management to deal with various scenarios. Contingency plans outlining operating procedures and lines of communication, both formal and informal, are important products of such qualitative analyses. 

The appropriate extent and sophistication of an institution's stress testing depend heavily on the scope and nature of its securities and derivative holdings and on its ability to limit the effect of adverse events. Institutions holding securities or derivative contracts with complex credit, market, or liquidity risk profiles should have an established regime of stress testing. Examiners should consider the circumstances at each institution when evaluating the adequacy or need for stress-testing procedures. 

4. For example, the performance of instruments and portfolios used to meet objectives for tax-advantaged earnings should be evaluated to ensure that they meet the necessary credit-rating, market-sensitivity, and liquidity characteristics established for this objective. 

Risk Reporting 

An accurate, informative, and timely management information system is essential. Examiners should evaluate the adequacy of an institution's monitoring and reporting of the risks, returns, and overall performance of security and derivative activities to senior management and the board of directors. Management reports should be frequent enough to provide the responsible individuals with adequate information to judge the changing nature of the institution's risk profile and to evaluate compliance with stated policy objectives and constraints. 

Management reports should translate measured risks from technical and quantitative formats to formats that can be easily read and understood by senior managers and directors, who may not have specialized and technical knowledge of all financial instruments used by the institution. Institutions should ensure that they use a common conceptual framework for measuring and limiting risks in reports to senior managers and directors. These reports should include the periodic assessment of the performance of appropriate instruments or portfolios in meeting their stated objective, subject to the relevant constraints and risk tolerances. 

Management evaluation and review. Management should regularly review the institution's approach and process for managing risks. This includes regularly assessing the methodologies, models, and assumptions used to measure risks and limit exposures. Proper documentation of the elements used in measuring risks is essential for conducting meaningful reviews. Limits should be compared to actual exposures. Reviews should also consider whether existing measures of exposure and limits are appropriate in view of the institution's holdings, past performance, and current capital position. 

The frequency of the reviews should reflect the nature of an institution's holdings and the pace of market innovations in measuring and managing risks. At a minimum, institutions with significant activities in complex cash or derivative contracts should review the underlying methodologies of the models they use at least annually-and more often as market conditions dictate-to ensure that they are appropriate and consistent. Reviews by external auditors or other qualified outside parties, such as consultants with expertise in highly technical models and risk-management techniques, may often supplement these internal evaluations. Institutions depending on outside parties to provide various risk-measurement capabilities should ensure that the outside institution has personnel with the necessary expertise to identify and evaluate the important assumptions incorporated in the risk-measurement methodologies it uses. 

Comprehensive Internal Controls and Audit Procedures 

Institutions should have adequate internal controls to ensure the integrity of the management process used in investment and end-user activities. Internal controls consist of procedures, approval processes, reconciliations, reviews, and other mechanisms designed to provide a reasonable assurance that the institution's risk-management objectives for these activities are achieved. Appropriate internal controls should address all of the various elements of the risk-management process, including adherence to policies and procedures and the adequacy of risk identification, risk measurement, and reporting. 

An important element of a bank's internal controls for investment and end-user activities is comprehensive evaluation and review by management. Management should ensure that the various components of the bank's risk-management process are regularly reviewed and evaluated by individuals who are independent of the function they are assigned to review. Although procedures for establishing limits and for operating within them may vary among banks, periodic management reviews should be conducted to determine whether the organization complies with its investment and end-user risk-management policies and procedures. Any positions that exceed established limits should receive the prompt attention of appropriate management and should be resolved according to the process described in approved policies. Periodic reviews of the risk-management process should also address any significant changes in the nature of instruments acquired, limits, and internal controls that have occurred since the last review. 

Examiners should also review the internal controls of all key activities involving securities and derivative contracts. For example, examiners should evaluate and assess adherence to the written policies and procedures for transaction recording and processing. They should analyze the transaction-processing cycle to ensure the integrity and accuracy of the institution's records and management reports. Examiners should review all significant internal controls associated with management of the credit, market, liquidity, operational, and legal risks involved in securities and derivative holdings. 

The examiner should review the frequency, scope, and findings of any independent internal and external auditors relative to the institution's securities and derivative activities. When applicable, internal auditors should audit and test the risk-management process and internal controls periodically. Internal auditors are expected to have a strong understanding of the specific products and risks faced by the organization. In addition, they should have sufficient expertise to evaluate the risks and controls of the institution. The depth and frequency of internal audits should increase if weaknesses and significant issues exist or if portfolio structures, modeling methodologies, or the overall risk profile of the institution has changed. 

In reviewing risk management of non-trading securities and derivative activities, internal auditors should thoroughly evaluate the effectiveness of the internal controls used for measuring, reporting, and limiting risks. Internal auditors should also evaluate compliance with risk limits and the reliability and timeliness of information reported to the institution's senior management and board of directors, as well as the independence and overall effectiveness of the institution's risk-management process. The level of confidence that examiners place in an institution's audit programs, the nature of the internal and external audit findings, and management's response to those findings will influence the scope of the current examination of securities and derivative activities. 

Examiners should pay special attention to significant changes in the nature of instruments acquired, risk-measurement methodologies, limits, and internal controls that have occurred since the last examination. Significant changes in earnings from securities and derivative contracts, in the size of positions, or in the value at-risk associated with these activities should also receive attention during the examination. 


Back to Activities Manual Index