As mentioned earlier, related organizations can subject the bank to a variety of risks. Accordingly, the bank’s relationships with its related organizations should be subject to robust risk management and control systems. Policies and procedures are of particular importance when the bank conducts new or complex activities within a subsidiary or affiliate. Among other things, the board’s risk management system should include guidelines and controls for related organizations governing:
All transactions with related organizations, to ensure that they are carried out at arm’s length and in the bank’s best interests.
The performance of functions or services on behalf of the bank, such as information processing, internal audit, and risk management.
The formation or acquisition of new related organizations, and any new activities conducted by existing related organizations. These policies are especially important when a new related organization offers new services to the bank or its customers.
Management information systems, including independent audit reports. Such information should document the nature and financial status of related organizations.
Transactions with affiliates and lending to insiders’ related interests.
Actual and potential conflicts of interest, to ensure that they are disclosed and controlled.
Tying the availability of a product or service to obtaining a product or service from an affiliate of the bank, to ensure that no impermissible tying occurs.
Sharing of customer information with the related organization, to ensure that such information sharing is permitted and that the customer information remains confidential.
Sharing of employees or office space, to ensure that such arrangements comply with legal requirements and do not harm the bank or cause customer confusion.
Transparency and disclosure, to ensure that shareholders and regulators understand the bank’s relationship with its affiliates and other related organizations, as well as the risks these relationships pose.
The formality and extent of a bank’s risk management and control systems will depend on the number, size, organizational and ownership characteristics, business activities, and operational diversity and complexity of its related organizations. (For more information on these topics, see the "Internal Control" booklet of the Comptroller’s Handbook.)