Skip to main content
OCC Flag

An official website of the United States government

Appeal of Composite Rating, Component Ratings, and Matters Requiring Attention First Quarter 2025

Background

A bank supervised by the Office of the Comptroller of the Currency (OCC) filed a formal appeal with the Ombudsman, disputing the conclusions in the most recent report of examination (ROE). Specifically, the bank appealed the following:

  • Issuance of matters requiring attention (MRA) for strategic and capital planning, liquidity risk management, concentration risk management, credit administration, allowance for credit losses (ACL), interest rate risk (IRR) management, and information security.
  • Component ratings for management, asset quality, liquidity, and sensitivity to market risk.
  • Composite rating.

Discussion

The appeal disputed the asset quality component rating of 3, citing asset quality ratios near the top of its peer group. The appeal asserted that the credit administration MRA was unwarranted, and loan underwriters performed formal credit monitoring. The appeal contended that the concentration risk management MRA was unwarranted because the process was effective and bank management corrected any inaccuracies in concentrations reporting during the examination. The appeal disputed the ACL MRA, noting that the methodology was well supported and validated by a third party.

The appeal challenged the liquidity component rating of 3, noting well managed funding concentrations and appropriate liquidity risk management practices. The appeal disputed the liquidity risk management MRA, noting effective contingency funding plan and asset liability management policy.

The appeal contended that the sensitivity to market risk component rating should be a 2 rather than a 3, claiming IRR was well managed and performance was consistent with modeling. The appeal disputed the IRR management MRA, asserting that criticisms of the bank’s IRR simulation model were not valid.

The appeal disputed the information security MRA, claiming that the bank had an effective information security risk assessment at the time of the examination.

The appeal contended that the composite and management component ratings should be a 2 rather than a 3, asserting that the bank’s risk profile had not increased and growth was well planned. The appeal disputed the strategic and capital planning MRA, asserting that the plans were adequate, inclusive of succession planning, and effective but could be enhanced.

Supervisory Standards

The Ombudsman conducted a comprehensive review of the appeal using the following supervisory standards in effect at the time of the examination:

Conclusions

The Ombudsman concurred with the supervisory office’s (SO) conclusions on all appealed matters but directed corrections to the ROE for accuracy.

The Ombudsman concurred with the issuance of MRAs related to credit administration, concentration risk management, and the ACL and the rating of 3 for the asset quality component. The growth in the loan portfolio and unknown level of credit risk due to concerns with ongoing credit monitoring supported assessments of weak credit risk management and high aggregate credit risk. The bank’s loan-to-asset ratio was high at over 85 percent, with large concentrations exceeding internal risk limits in several categories. Material credit administration weaknesses included the lack of a credit risk officer that was independent from lending, and weaknesses with ongoing credit monitoring, exceptions tracking, supervisory loan-to-value exception tracking and reporting, and appraisal reviews on participation loans purchased. The ACL methodology was not adequately supported, and the balance was not directionally consistent with the loan growth and increased portfolio risk. Management did not adhere to the board-approved concentration policy, provided inaccurate reporting for loan concentrations, lacked ongoing market analyses, and performed inadequate loan portfolio stress testing.

The Ombudsman concurred with the issuance of the liquidity risk management MRA and the rating of 3 for the liquidity and asset liability management component. The bank’s liquidity position and funding sources indicated current and potential future challenges to maintaining cost-effective, short-term, and long-term liquidity. On-hand liquidity was low, considering off-balance-sheet commitments, anticipated loan growth, and rate-sensitive funding concentrations. Funds management practices needed improvement. The liquidity risk management MRA was supported. The bank lacked a robust liquidity risk management framework and funding strategy prior to engaging in aggressive loan growth funded by volatile deposits and wholesale funding. The existing policy, last revised in 2012, was outdated given the bank's significant growth and, therefore, was not reflective of the bank’s liquidity position and risk profile. The contingency funding plan was inadequate, lacking stress scenarios, quantification of stress events, and consideration of potential impacts from the loss of major funding sources.

The Ombudsman concurred with the issuance of the IRR management MRA and rating of 3 for the sensitivity to market risk component. Control of market risk sensitivity needed improvement. The IRR assessment was moderate aggregate risk with an increasing direction of risk, and weak quality of risk management. The SO appropriately issued an IRR management MRA to address concerns related to board and management oversight, policy development and approval, and model risk management. The bank’s IRR policy, last revised in 2012, was outdated and had not been reviewed to reflect the bank’s growth strategy and increased risk profile. Management was overly dependent on the bank’s IRR model vendor, with no evidence of board or management review of the reasonableness of assumptions or validation of the IRR model.

The Ombudsman concurred with the issuance of the information security MRA. Information security reporting to the board did not include all required components detailed in 12 CFR 30, appendix B. The report lacked discussion of an information security risk assessment, third-party risks related to information security, and physical security of bank assets. The bank did not conduct an appropriate risk assessment to identify reasonable and foreseeable internal and external threats, assess the likelihood and potential damage of these threats, or evaluate the sufficiency of policies and procedures in place to control those risks.

The Ombudsman concurred with the issuance of the strategic and capital planning MRA and a rating of 3 for the management component. Management pursued a high growth strategy without sufficient consideration of the bank’s increased risk exposure or necessary improvements in risk management. The quality of risk management was weak for credit, interest rate, liquidity, and strategic risks, and insufficient for operational risk. The bank’s strategic plan did not include the planned growth or accompanying improvements needed to risk management systems. Succession planning was ineffective. The bank’s capital plan did not adequately identify or evaluate risks, include goals or objectives, or incorporate stress testing results and early warning indicators. Further the capital planning process did not align with the strategic planning process. These deficiencies supported the issuance of the strategic and capital planning MRA.

The Ombudsman concurred with the rating of 3 for the composite. The overall condition of the bank is less than satisfactory. The component ratings for capital, asset quality, management, liquidity, and sensitivity to market risk are a 3. The bank exhibited a combination of weaknesses requiring more than normal supervision, including seven new MRAs indicating risk management deficiencies in strategic and succession planning, credit administration, allowance for credit losses, concentration risk management, liquidity risk management, IRR management, and information security. Management’s ability to respond to changing circumstances and address risks arising from changing business conditions was inadequate, as evidenced by risk management practices failing to keep pace with the significant growth.