Date: March 29, 2011
Description: Risk Management Elements: Collective Investment Funds and Outsourced Arrangements
As of October 30, 2013, this guidance applies to federal savings associations in addition to national banks.*
Background and Purpose
The Office of the Comptroller of the Currency (OCC) is providing guidance to national banks that offer common or collective investment funds (CIF) to certain eligible fiduciary and tax-exempt accounts. This bulletin expands upon long-standing regulatory and supervisory guidance that details the measures national banks are expected to follow to promote sound risk management and beneficiary/participant protections for bank-offered CIFs. This bulletin focuses on supervisory concerns that arise if a bank delegates responsibility for a bank CIF to a third-party service provider, such as a registered investment adviser (RIA), and fails to retain appropriate bank oversight for administration of the CIF or for its investment management. First, it is imperative that the bank understand that delegating responsibility to a third-party vendor does not, in any way, relieve the bank of its responsibility as fiduciary. Thus, a national bank may not outsource the administrative, operational, or investment functions of its CIFs to a third party unless the bank conducts thorough due diligence of that third-party vendor prior to delegation and adopts appropriate oversight and ongoing monitoring of the vendor. Second, to avoid confusion regarding the ultimate sponsor of the CIF, a national bank may not allow a third party to advertise or market a bank CIF unless there are clear and prominent disclosures that the CIF is managed and offered by the sponsoring bank.1
Overview of National Bank CIFs
National bank-managed CIFs are pooled investment vehicles established pursuant to federal and state banking and trust laws2 that qualify for exemptions from the registration requirements of the Securities Act of 1933 and the Investment Company Act of 1940. They are operated pursuant to the OCC's comprehensive CIF regulatory provisions set forth at 12 CFR 9.18. CIFs are offered not only by national banks but also by insured state member and non-member banks, thrifts, and state-chartered uninsured trust companies. Regardless of which financial entity sponsors the CIF, the CIF is typically created as a trust pursuant to a specific state's trust laws. To receive favorable tax treatment, CIFs must also comply with the Internal Revenue Code. In addition, CIFs must meet the requirements of the Employee Retirement Income Security Act for employee benefit assets.
The OCC's CIF regulation, 12 CFR 9.18, prescribes minimum written fund plan provisions and imposes specific requirements on the sponsoring bank's board of directors. In particular, 12 CFR 9.18(b)(1) requires that a bank's board, or a committee authorized by the board, approve each CIF's written plan. CIF plans, among other things, detail the fund's investment powers and policies, fees and expenses, terms and conditions governing admissions and withdrawals, fund valuation, and fund termination.
Pursuant to 12 CFR 9.18(b)(2), a bank administering a CIF may delegate specific management responsibilities for the fund if the board of directors determines that the delegation is prudent. The OCC's administration of fiduciary powers regulation, 12 CFR 9.4, expressly authorizes national bank fiduciaries to use "any qualified personnel and facilities of the bank or its affiliates to perform services related to the exercise of [the bank's] fiduciary powers." That regulation also authorizes a national bank exercising its fiduciary powers, such as sponsoring a CIF, to "purchase services related to the exercise of fiduciary powers from another bank or other entity." The bank, however, as fiduciary, retains the ultimate responsibility for the fund.
In addition to the statutory and regulatory requirements imposed on national banks sponsoring CIFs, the OCC has issued specific guidance regarding the creation, management, and offering of CIFs in the "Collective Investment Fund" booklet (October 2005) of the Comptroller's Handbook. Among other things, the CIF booklet outlines risks associated with banks offering CIFs and establishes a framework for managing those risks. It specifically cautions a bank sponsoring a CIF that the bank's "board and senior management must provide proper oversight of those given authority to administer the CIF, including a third-party vendor." As detailed in the following Risk Management Elements section, OCC guidance addressing third-party vendor issues requires that if bank management uses the services of a vendor, the bank must ensure that the vendor conducts its services in a safe and sound manner and in compliance with applicable law. This guidance applies to banks that use the services of an RIA for its CIFs.
Risk Management Elements
A national bank's risk management practices related to CIFs should be appropriate for the complexity and nature of this activity, consistent with safe and sound banking practices, and undertaken with appreciation of, and capacity to address, participant protection requirements, vendor management, legal compliance and fiduciary obligations, and reputation risk considerations associated with the activity. A national bank, as the fiduciary for a CIF, must take special care in the selection and oversight of third parties performing administrative, operational, or investment functions for a CIF. In addition to compliance with specific OCC regulations and policy guidance, national banks must implement appropriate policies, procedures, and controls to address and to ensure compliance with the following vendor management standards.
Third-Party Risk Management
A national bank's board of directors must ensure that a third party performs its functions in a safe and sound manner and in compliance with applicable laws and policy guidance. OCC Bulletin 2001-47, "Third-Party Relationships: Risk Management Principles," provides that national banks should adopt a third-party risk management process that includes, at a minimum
- A risk assessment to identify the bank's needs and requirements;
- Proper due diligence to identify and select a third-party provider;
- Written contracts that outline duties, obligations, and responsibilities of the parties involved; and
- Ongoing oversight of the third parties and third-party activities.
Reliance on third-party relationships can significantly increase a bank's risk profile, notably strategic, reputation, compliance, and transaction risks. Increased risk most often arises from poor planning, oversight, or control by the bank and inferior performance or service by the third party. When considering whether to enter into a third-party relationship with an RIA or other vendor, the board and management should clearly identify the nature and scope of the relationship, given the bank's overall business strategy and objectives, and should ensure that third-party activities are clearly integrated with corporate strategic goals. At the outset, a bank should identify the strategic purposes, benefits, legal aspects, costs, and risks associated with the third-party activity, including fiduciary, compliance, and reputation risks. An RIA retained by a bank to manage a CIF's investments or to provide fund administration and support services must be able to demonstrate that it has the systems and trained personnel to operate the fund, as agent for the bank, under the same investment management, advertising, participant eligibility, and other restrictions as the sponsoring bank. While an RIA may accept clients on behalf of a bank, it is ultimately the bank that has a direct relationship with these clients and invests their assets in a bank CIF.
Selecting a competent and qualified third-party provider is essential to managing third-party risk. The due diligence process enables the bank to identify qualitative and quantitative aspects, both financial and operational, of a third party and to assess whether the third party can help the bank achieve its strategic goals. Due diligence should involve a thorough evaluation of all available information about the third party and may include a review of audited financial statements, qualifications, backgrounds, and reputations of company principals and the evaluation of the adequacy of management information systems and insurance coverage. A bank's due diligence process should also ensure that the third-party provider has appropriate compliance systems and controls in place.
Bank-maintained CIFs are often offered as an option by RIAs to their plan sponsor and other customers. The bank's board and management must first ensure that the RIA has systems in place to ensure that only eligible accounts will have access to the bank's CIF. They must ensure that the expectations and obligations of each party are clearly defined and understood. The bank must also have the ability to enforce these requirements. A contract between a bank and an RIA that pertains to the operation of a bank-sponsored CIF would customarily include provisions that define the scope of the arrangement and specify performance measures. In addition, the contract should detail: the RIA's responsibility to provide specific reports to the bank; the bank's right to audit the RIA; compensation and fees; ownership and use of the bank's data and intellectual property; confidentiality of information; business resumption and contingency plans; dispute resolution; the bank's right to terminate the contract; and a process for forwarding customer complaints about the RIA to the bank. The contract must also detail the RIA's responsibilities with respect to Bank Secrecy Act/Anti-Money Laundering requirements, implementation of a customer identification program, undertaking Office of Foreign Assets Control screenings, filing of suspicious activity reports, and fraud identification.
The OCC also expects a bank to include a provision in any contract involving its CIFs that requires the RIA, or other marketer of the CIF, to disclose that the CIF is, ultimately, sponsored and maintained by the bank, not the RIA or other vendor marketing the fund.
A national bank may not delegate any of its functions to a third party vendor, unless the bank has the capacity to assess the quality of the vendor's performance and promptly terminate the vendor relationship if the vendor does not satisfy the fiduciary standards to which the bank is subject. Thus, it is crucial that banks have the requisite expertise to understand and oversee the risks presented by the third-party relationship. In addition, responsibilities for managing third-party relationships should be clearly assigned. The bank must be able to devote the resources necessary to closely monitor and measure performance under the terms of the third-party agreement. Management should appoint a senior officer to directly oversee the third-party relationship. The senior officer must ensure appropriate due diligence has been conducted prior to any delegation to a third party. Due diligence should include, at a minimum, the adequacy of the implementation plans, quality of management, and procedures for monitoring the arrangement, including preparing periodic reports to the board. The senior officer should also have sufficient knowledge and skills to critically evaluate the design, operation, and oversight of the third-party relationship and the performance of the third party. Further discussion on managing third-party relationships is provided in OCC Bulletin 2001-47.
The decision to delegate specified responsibilities for a CIF to a third-party vendor is a matter of fiduciary judgment. It requires a determination by a bank's board, or designee, that the delegation is prudent. A bank must exercise skill, care, and caution in selecting a vendor and in negotiating and establishing the terms of the delegation, including investment responsibilities. The OCC expects that national banks offering CIFs will have effective risk management systems characterized by active board and senior management supervision and sound processes for risk assessment, control, and monitoring. To the extent a bank CIF is offered by third parties directly to customers, the bank shall ensure that the third party clearly and prominently discloses in its advertising and marketing materials that the CIF is ultimately offered and maintained by the bank. Examiners will periodically evaluate the adequacy of board and senior management's compliance with OCC policies in this area, as well as the bank's compliance with applicable laws and guidance pertaining to the offering and maintenance of CIFs. Examiners will seek corrective action for significant weaknesses or unwarranted risks.
For additional information, contact Kerri Corn, Director for Market Risk, at (202) 649-6360; Joel Miller, Asset Management Group Leader, at (202) 649-6417; or David Barfield, National Bank Examiner, at (202) 649-6396.
Timothy W. Long
Senior Deputy Comptroller for Bank Supervision Policy
and Chief National Bank Examiner
1 National banks are authorized under the federal securities laws and OCC banking regulations to offer two different types of CIFs: CIFs offered pursuant to 12 CFR 9.18(a)(1) (called "A1 funds") and CIFs offered pursuant to 12 CFR 9.18(a)(2) (called "A2 funds"). A1 funds are maintained by the bank for the collective investment of money contributed to the fund by the bank, or by one or more affiliated banks, in its capacity as a trustee, executor, administrator, guardian, or custodian under a uniform gifts to minors act. A2 funds are limited to assets of retirement, pension, profit sharing, stock bonus, or other trusts exempt from federal income tax. A national bank may not advertise or publicize A1 funds, except in connection with the advertisement of the general fiduciary services of the bank.
* References in this guidance to national banks or banks generally should be read to include federal savings associations (FSA). If statutes, regulations, or other OCC guidance is referenced herein, please consult those sources to determine applicability to FSAs. If you have questions about how to apply this guidance, please contact your OCC supervisory office.