The US Regulatory Landscape: A Practitioner's Map
Your bank is regulated by multiple agencies, and each has a piece of ALM. The Federal Reserve cares about systemic risk. The OCC cares about national bank safety. The FDIC cares about deposit insurance. The SEC cares about disclosure. The CFPB cares about consumer protection. Understanding who oversees what—and which agency to call when—is essential.
For a junior ALM professional, the regulatory landscape can feel overwhelming. But it's actually logically structured. Each agency has turf; each has expectations for ALM. Know the structure, and you can navigate it.
The Regulator Landscape
1. The Federal Reserve
What they regulate: Bank holding companies (BHCs), state-chartered banks that are members of the Fed system, and systemically important financial institutions (SIFIs).
What they care about in ALM:
- Liquidity: Stress testing (CCAR, DFAST), LCR, NSFR
- Capital: Interest rate risk; how much EVE risk can a bank take?
- Market risk: Large exposures to single counterparties, foreign exchange, commodities
- Systemic risk: Is this bank's failure a threat to the system?
Their tools: Guidance documents, supervisory stress tests (CCAR, DFAST), enforcement, capital requirements.
Their examiners: Fed staff conduct annual examinations of BHCs and state-chartered Fed member banks. They look at ALM governance, interest rate risk models, liquidity position, and stress testing.
2. The OCC (Office of the Comptroller of the Currency)
What they regulate: National banks and federal savings associations.
What they care about in ALM:
- Interest rate risk: The OCC publishes the most detailed guidance on IRR (the Handbook)
- Liquidity: Contingency funding plans, liquidity stress testing
- Credit risk: How does the loan portfolio interact with rates?
- Market risk: Trading activities, large positions
Their tools: The Interest Rate Risk Handbook (a detailed best practices document), guidance, enforcement, capital requirements.
Their examiners: OCC examiners conduct annual examinations of national banks. They're very hands-on on ALM, requesting models, testing assumptions, comparing to peers.
3. The FDIC (Federal Deposit Insurance Corporation)
What they regulate: Insured depositories (which is most banks). They're the insurer and the backstop.
What they care about in ALM:
- Liquidity: Can the bank meet withdrawal demands? If not, FDIC pays depositors.
- Deposit composition: How much is insured? How much is rate-sensitive?
- Funding strategy: Is the bank over-reliant on brokered deposits? Single sources?
- Failures and resolution: If the bank fails, can FDIC resolve it quickly?
Their tools: Guidance, enforcement, the Least Cost Resolution doctrine (FDIC wants to minimize its losses), capital requirements.
Their examiners: FDIC examiners (sometimes jointly with Fed or OCC) look at liquidity, deposit composition, and funding stability.
4. State Banking Regulators
What they regulate: State-chartered banks that aren't Fed members. If a state bank is FDIC-insured (which most are), it's regulated by the state AND the FDIC (dual regulation).
What they care about: Usually the same things as Fed/OCC (interest rate risk, liquidity, credit) but may have state-specific expectations.
Note: This is less relevant to ALM than Fed/OCC, unless you work at a state bank.
5. The SEC
What they regulate: Disclosure. If your bank is public, you must file 10-Qs and 10-Ks.
What they care about in ALM:
- Risk disclosure: Your 10-K must include a full discussion of interest rate risk and liquidity risk
- Material events: Large hedges, repositioning, breaches of risk limits
- Management Discussion and Analysis (MD&A): Discussion of how interest rates, liquidity, and funding affect earnings
Their tools: Enforcement, accounting standards (via FASB), disclosure requirements.
Note: The SEC doesn't regulate banks' operations (that's Fed/OCC), but they do regulate what you disclose about operations.
The Examination and Supervision Process
Examination is how regulators check that you're following policy. Here's how it works:
Year 1: Large Bank Examination (every 12-24 months for large banks; 24-36 months for smaller banks)
- Pre-exam: Examiners request documents (ALCO minutes, risk limits, models, recent stress test results, regulatory capital calculations)
- On-site: Examiners come for 3-6 weeks, depending on bank size. They interview Treasurer, CRO, ALM team. They test models, review data quality, compare assumptions to peers.
- Findings: Examiners identify issues: "Your deposit beta assumption is stale." "Your liquidity stress test doesn't include deposit runoff under your specific risk profile." "Your interest rate risk governance is unclear."
- Remediation: Bank responds with a plan to fix issues within 30-90 days
- Follow-up: Examiners may return to verify fixes
Year 2-3: Off-site Monitoring
- Examiners review quarterly reports and ALCO minutes
- They run their own models to compare to the bank's models
- If something looks wrong, they may conduct an exam of that area
Ratings:
Banks receive CAMEL ratings (Capital, Asset quality, Management, Earnings, Liquidity). Each component is 1-5. A 1 is excellent; a 5 is troubled. The overall CAMEL rating is the worst component.
For ALM, the most relevant components are:
- Capital: Do you have enough capital relative to risk?
- Management: Is your ALM governance strong? Do you have clear policies? Do you enforce them?
- Earnings: Are you profitable? Is NII stable?
- Liquidity: Can you survive a stress?
A bank with a CAMEL rating of 1-2 has strong supervision. A bank with 3+ may face increased examination, restrictions on growth, or demands to strengthen capital/governance.
The Key Regulatory Expectations for ALM
Across all regulators, the expectations are:
1. Documented governance: ALCO charter, policies (IRR policy, liquidity policy), risk limits. In writing. Board-approved. Enforced.
2. Models and measurement: You must measure EVE and NII. You must stress-test. You must validate models annually. The OCC's Handbook is the gold standard; the Fed expects at least that level of rigor.
3. Contingency funding plan: You must have a written CFP with trigger, sources, and accountability. It must be exercised (tabletop tested) annually.
4. Stress testing: You must stress your balance sheet under Fed scenarios (CCAR/DFAST if you're large enough) and your own scenarios (based on your specific risk profile). SVB didn't stress-test for a 80% deposit outflow; regulators now expect you to.
5. Breach management: If you exceed a risk limit, you must identify it, report it, and remediate it. Hiding a breach is a regulatory violation.
6. Data quality: The data feeding your models must be accurate. Regular reconciliation, validation, and audit.
7. Disclosure: If you're public, you must disclose interest rate risk and liquidity risk clearly.
Takeaway
The regulatory landscape is complex, but it's organized:
- Fed: BHCs; systemic risk; capital and liquidity
- OCC: National banks; interest rate risk (detailed guidance); operations
- FDIC: All insured banks; deposit insurance and resolution
- SEC: Public banks; disclosure
- State regulators: State banks; local requirements
Your bank may be under multiple regulators (e.g., a national bank BHC is under both OCC and Fed). Know which examiner is your primary contact. Build relationships. Bring them into ALCO discussions. A mature bank views regulators as partners in risk management, not adversaries.
The Multi-Agency Regulatory Framework: Detailed Turf and Expectations
Which Regulator Does What: The Detail
Federal Reserve
Scope: All BHCs, regardless of size, and state-chartered banks that are Fed members.
Primary ALM focus:
- Supervisory capital ratios: Tier 1, Tier 2, Common Equity Tier 1 (CET1)
- Stress testing: CCAR (Comprehensive Capital Analysis and Review) for large banks; DFAST (Dodd-Frank Act Stress Testing) for medium-sized banks
- Liquidity ratios: LCR and NSFR (implemented phased, depending on bank size)
- Interest rate risk: Expects EVE and NII measurement and scenarios
- Recovery and Resolution: Expects plans for how to stay solvent if liquidity deteriorates
Examiner interactions:- Annual on-site examination for large banks; every 2-3 years for smaller
- Detailed review of capital models, stress test assumptions, liquidity modeling
- Comparison to peer group (Fed has database of all banks; they benchmark you)
- Post-SVB, emphasis on deposit concentration and uninsured deposit sensitivity
Enforcement: The Fed can issue enforcement actions, cap dividend payments, restrict growth, or recommend a holding company merger if ratings deteriorate.
OCC
Scope: All national banks; all federal savings associations.
Primary ALM focus: The OCC published the most detailed guidance on interest rate risk. Their Handbook is ~40 pages and covers:
- Risk measurement methodologies
- Stress scenarios (including bank-specific scenarios)
- Gap analysis and duration analysis
- Assumptions (deposit repricing, loan prepayment, customer behavior)
- Governance and limits
- Disclosure of interest rate risk
Examiner interactions:- Annual examination for large banks; biennial for smaller
- Deep dive into IRR models and assumptions
- Requests for detailed balance sheet data and repricing schedules
- Back-testing of model predictions against actual results
- Post-SVB, interest rate risk heightened (OCC is concerned about mark-to-market losses on securities)
Expectations: OCC expects banks to have:
- "Management of interest rate risk is essential to the safe and sound operation of commercial banks"
- Explicit board approval of IRR policy
- Measurement of EVE and earnings sensitivity
- Scenarios that include "sudden shocks, gradual changes, and non-parallel curve shifts"
- Independent validation of models
- "Stress testing should address the effects of interest rate changes on the composition and size of the bank's asset and liability portfolios"
Note: The OCC is very specific. They don't just want EVE; they want
HOW you calculate it, what assumptions you use, and why those assumptions are reasonable.
FDIC
Scope: All FDIC-insured institutions (this includes national banks, state Fed member banks, and insured state non-member banks).
Primary ALM focus:
- Deposit insurance: FDIC insures up to $250k per depositor per bank. Anything above that is uninsured and at risk in a failure.
- Liquidity: FDIC wants to know if depositors can be paid quickly in a failure. This affects resolution costs.
- Funding structure: How reliant are you on brokered deposits? Institutional deposits? Single large customers? All of this affects FDIC resolution costs.
- Market risk: If the bank fails, will securities losses deplete capital?
Examiner interactions:- FDIC examiners may be the same person as Fed/OCC examiners (joint exams are common) or separate
- Focus on liquidity and deposit composition
- Requests for deposit analysis (concentration, FDIC insurance coverage, maturity ladder)
- Post-SVB, FDIC is scrutinizing uninsured deposit flight risk and funding stability
Expectations: FDIC's "Least Cost Resolution" doctrine means:
- FDIC resolves failed banks in the way that costs FDIC insurance fund the least
- If a bank is undercapitalized or over-reliant on risky funding, FDIC may intervene earlier (not let it deteriorate further)
- FDIC expects banks to have contingency funding plans and to disclose funding sources
SEC (if you're public)
Scope: All public companies, including public banks.
Primary ALM focus:
- Disclosure: 10-K, 10-Q, 8-K filings must disclose interest rate risk and liquidity risk
- Quantitative disclosure: You must quantify the impact of a 100 bp rate move on NII and EVE (or equivalently, mark-to-market impact)
- Qualitative discussion: You must discuss your interest rate risk management strategy, hedging programs, funding strategy
- Material events: Significant hedges, large repositioning, breaches of risk limits must be disclosed (if material)
Examiner interactions:- SEC doesn't "examine" banks the way Fed/OCC do, but the SEC office of compliance may request supplemental information
- Accounting auditors may request documentation of interest rate assumptions (for audit purposes)
Expectations: SEC expects:
- Clear disclosure of interest rate risk
- Quantitative tables showing impact of rate shocks
- Discussion of hedging programs (if any)
- Management discussion of how rates affect earnings
A Practical Example: The Interest Rate Risk Disclosure
Say you're a public bank. Your 10-K must include this (simplified example):
``
INTEREST RATE RISK DISCLOSURE
We measure interest rate risk using economic value of equity (EVE) and net interest income (NII) sensitivity.
As of December 31, 2024, under the Federal Reserve's standard rate shock scenarios:
Rate Scenario | EVE Impact | NII Impact (12-month)
+200 bp | -$240M (-7.5% of capital) | +$180M (+12.8% of net income)
-200 bp | -$360M (-11.2% of capital) | -$90M (-6.4% of net income)
Twist | -$75M (-2.3% of capital) | +$20M (+1.4% of net income)
The +200 basis point scenario benefits NII because we have more floating-rate assets than liabilities. The -200 basis point scenario pressures both EVE and NII due to lower deposit repayment and mortgage prepayment.
We manage interest rate risk through our ALCO committee, which meets monthly to review EVE and NII metrics against policy limits. Our current policy limits EVE sensitivity to -12% of capital and NII to +/- 5%.
We also use interest rate hedging. As of December 31, we had $500M in interest rate swaps (notional) to hedge against a portion of our asset sensitivity.
``
This disclosure tells investors: (1) how you measure rate risk, (2) what your current risk is, (3) what your policy is, and (4) how you manage it. If your bank then reports a loss due to rates, investors know it was disclosed and thus not a surprise.
Examination Scenario: A Real On-Site Exam
Let's walk through what happens when examiners come:
Day 1: Opening meeting
- Examiner meets with Treasurer, CFO, CRO
- Examiner outlines scope: "We're conducting a comprehensive examination with emphasis on interest rate risk governance, liquidity management, and deposit stability."
Day 2-3: Document review and interviews- Examiner requests and reviews:
- ALCO charter and minutes (last 12 months)
- IRR policy (current version and any changes in last 3 years)
- Liquidity policy and CFP
- EVE and NII models (documentation, code, inputs)
- Model validation reports
- Stress test results (CCAR, DFAST, internal)
- Deposit concentration analysis
- Funding maturity ladder
- Examiner interviews ALM team: How do you calculate EVE? What's your deposit beta assumption? How did you validate it?
Day 4-5: Testing- Examiner runs their own EVE model using your balance sheet data
- Compares results to your model: Do they match? If not, why not?
- Examiner pulls deposit data and calculates concentration: Top 10 depositors, insured vs. uninsured
- Examiner reviews recent ALCO decisions: Were limits breached? If so, was it reported and remediated?
Day 6-7: Findings and exit- Examiner summarizes findings
- Potential findings:
1. "Deposit beta assumption of 60% is outdated. Recent experience shows 75%. Recommend updating model." (Severity: Minor; Timeline: update by Q1 next year)
2. "Liquidity stress test does not include a scenario where your largest depositor (3% of deposits) leaves. Recommend adding this scenario." (Severity: Moderate; Timeline: update by next examination)
3. "Interest rate risk model has not been independently validated in 18 months. Model Risk team should validate by year-end." (Severity: Moderate; Timeline: immediate)
Bank Response:
- Within 30 days, bank provides remediation plan
- Month 2-3, bank executes plan (updates model, validates, implements)
- Next examination, examiner verifies fixes
If fixes are inadequate or slow, examiner can issue a "Matter Requiring Attention" (MRA) or "Violation" (which is more serious and can trigger enforcement).
Post-SVB Examination Intensity
Since March 2023, examination intensity on ALM has increased significantly:
1. Deposit concentration: Examiners now request detailed depositor lists (not just top 10, but top 50). They want to understand your uninsured deposit concentration and flight risk.
2. Stress scenarios: Examiners run their own deposit runoff scenarios (often more aggressive than the bank's). They want to see that you can survive a 50% deposit outflow in 30 days.
3. Securities portfolio: Post-SVB, examiners care about duration and mark-to-market losses. "If you had to liquidate your securities portfolio, how much would you lose?" This is especially scrutinized if most of your portfolio is in long-duration mortgages.
4. Governance: Examiners ask: "Can you show me evidence that ALCO actually met monthly? Do ALCO minutes show real debate, or is it all rubber-stamp approvals?" Weak governance is now a red flag.
5. Funding reliability: Examiners want evidence that funding sources are real. "You say you can issue 200M in CDs in a crisis. Have you actually done this? What did it cost? Can you do it again?"
Takeaway
The regulatory landscape for ALM is complex, but coherent:
- Fed: Focus on systemic risk, capital, CCAR/DFAST
- OCC: Focus on interest rate risk detail, governance
- FDIC: Focus on liquidity, deposit insurance, resolution costs
- SEC: Focus on disclosure (if public)
Understand your primary regulator's expectations. If you're a national bank, master the OCC Handbook. If you're a BHC, understand CCAR/DFAST deeply. If you're over-reliant on uninsured deposits, make sure FDIC examiners see a credible contingency plan.
Post-SVB, all regulators are scrutinizing interest rate risk, liquidity, and deposit stability. A mature bank addresses all three with clear governance, realistic models, and tested contingency plans.