On December 21, 2022, the New York State Department of Financial Services (DFS) released proposed guidance that would reinforce and expand on its supervisory expectations regarding financial institutions' management of safety and soundness risks related to climate change, as initially set forth in its October 29, 2020 industry letter. The proposed guidance would apply to New York State-regulated banking organizations, New York State-licensed branches and agencies of foreign banking organizations, New York State-regulated mortgage bankers and mortgage servicers, and New York State-regulated limited purpose trust companies (collectively, Regulated Organizations). DFS's proposed guidance is largely consistent with the proposed guidance on managing climate-related financial risk that the federal banking agencies (FBAs) issued at the end of 2021 and earlier this year: both DFS and the FBAs propose high-level principles for integrating climate-related financial risk into corporate governance frameworks, internal controls, risk management processes, and business strategies; and both suggest aggregating and reporting climate risk-related data and conducting climate scenario analyses.

But there are some important areas in which DFS's proposed guidance differs from the FBAs' proposed principles. This advisory highlights the notable differences between DFS's and the FBAs' proposed climate-related risk management guidance and summarizes the principles common to each agency's proposed guidance.

What's New and Different vs. the FBAs' Proposed Principles?

Scope. While the FBAs' principles are proposed specifically for financial institutions with over $100 billion in total consolidated assets, DFS's proposed guidance applies to Regulated Organizations of all sizes. DFS's rationale for a broad scope is that "[s]maller organizations are not necessarily less exposed to climate-related financial risk, because they may have concentrated business lines or geographies that are highly exposed to climate-related financial risks without the risk-mitigating benefit of diversification available to larger organizations." DFS recognizes that not all Regulated Organizations have equal resources to manage these risks, and reiterates that a Regulated Organization's approach to climate-related risk management should be proportionate to its unique risk exposure. DFS also recognizes that its proposal for climate scenario analysis (discussed below) has the potential to be particularly burdensome on smaller organizations and has asked for public comment on that topic.

Leveraging an Affiliate Company's Climate-Related Risk Management Processes. DFS proposes that a Regulated Organization that is part of a group of affiliated entities or a holding/parent company structure (Group) may leverage the Group policies, procedures and processes related to climate-related financial risk if: (1) the climate-related risks at the Group level include those faced by the Regulated Organization; (2) the Group level policies and procedures are implemented at the Regulated Organization; and (3) the Regulated Organization has appropriate access to relevant resources and expertise at the Group level. Smaller Regulated Organizations, in particular, should consider looking to its parent or affiliated companies to help minimize the potentially costly burden of managing both climate-related risks and DFS's expectations.

Considerations for Foreign Banking Organizations. DFS's proposed guidance underscores the importance of a foreign banking organization's (FBO's) US management keeping its head office apprised of its climate-related risks and US regulatory expectations concerning climate-related risk management to help ensure that its head office is providing appropriate risk management resources to the FBO. The proposed guidance reminds FBOs (and their head offices) that, if risk management and control functions are performed outside the US, the processes and systems should be sufficiently transparent to allow US supervisors to assess their adequacy for managing risk at the FBO.

Minimizing Impact to Low- and Moderate-Income Communities and Communities of Color. DFS cautions Regulated Organizations to minimize and affirmatively mitigate adverse impacts of climate-related risk management practices on low- and moderate-income (LMI) communities and communities of color, which already are disproportionately harmed by climate change and natural disasters. DFS notes its concern that a Regulated Organization seeking to mitigate climate-related financial risks by, for example, increasing the cost of credit for communities located in a geographically vulnerable area, will unintentionally exacerbate the inequities such communities already face. DFS reminds Regulated Organizations that they still must be mindful of their obligations under fair lending laws when implementing climate-related risk mitigation measures.

Reinforcing That the Proposed Guidance is Not Meant to Encourage a Boycott. The FBAs, and other government agencies—such as the US Securities and Exchange Commission—that have sought to impose climate-related risk management principles, have been accused of mission creep for allegedly wading into areas of environmental policy. The agencies also increasingly have been the targets of challenging political attention and threatened congressional investigations for allegedly seeking to undermine the oil and gas industry through financial regulation. Likely to preempt similar responses, DFS makes explicit—where the FBAs perhaps did not—that its guidance "is not intended to and does not instruct Regulated Organizations on the outcomes of their specific risk assessments, including how credit or investment decisions might evolve to account for climate-related financial risks." And while DFS does not mention the oil and gas or any other specific industry, its proposed guidance provides that Regulated Organizations "are encouraged to avoid market disruptions and to provide key products and services to New Yorkers."

Common Climate-Related Risk Management Principles in Both DFS's and the FBAs' Proposed Guidance

Corporate Governance. Like the FBAs' proposed principles, DFS's proposed guidance encourages Regulated Organizations to adopt a governance framework that ensures a process for identifying, measuring, monitoring, and controlling financial risks associated with climate change. According to DFS, this entails three components: business environment and strategy; board and management oversight; and policies, procedures and limits.

  • Business Environment and Strategy. DFS's proposed guidance provides that Regulated Organizations develop and implement sound processes for understanding and assessing the potential impact of climate-related financial risks on businesses and on the environments in which they operate in the short, medium and long term. Regulated Organizations should consider questions such as: what business areas are, or may in the future be, exposed to climate-related risks and is our business model resilient to such risks?
  • Board and Management Oversight. DFS recommends that boards and management demonstrate knowledge of climate-related financial risks and the impact of those risks on the organization's strategy and risk appetite. DFS suggests designating a board member or board committee to take responsibility for the oversight of assessment and management of climate-related financial risks, including ensuring adequate allocation of resources to and communication with management regarding such risks. The board should integrate climate-related financial risks into the organization's risk appetite framework, with material climate-related risks clearly defined. Senior management should be responsible for managing climate-related financial risks and, importantly, for regularly reporting to the board on such risks.
  • Policies, Procedures and Limits. The proposed guidance recommends that management of material climate-related financial risk be embedded in policies, procedures and controls across all relevant functions and business units, in line with the strategy and risk appetite set by the board. DFS recommends that policies, procedures and limits be dynamic, modified as necessary to reflect the evolving nature of climate-related financial risks and changes in the institution's activities.

Internal Control Framework. DFS's proposed guidance encourages Regulated Organizations to incorporate climate-related financial risks into their internal control frameworks across the three lines of defense. According to DFS, the first line of defense—the risk-taking function—should assess climate-related financial risks during client onboarding, credit application and credit review processes. The second line of defense—the risk management function—should perform independent climate-related financial risk assessments and monitoring; ensure adherence to relevant climate-related rules and regulations, as well as applicable consumer protection and fair lending laws and guidance; and ensure that internal policies and procedures are compliant with climate-related standards, directives, charters, or codes of conduct to which the regulated institution is subject. The third line of defense—the internal audit function—should conduct regular independent reviews of the organization's climate-related internal control framework and systems in light of changes in the methodology, business model and risk profile of the institution, as well as in the quality of the underlying data.

Risk Management Process. The proposed guidance addresses the identification, measurement, monitoring, and control of climate-related financial risks through the existing risk management framework. DFS suggests that Regulated Organizations should consider how physical risk (e.g., a portfolio of mortgaged properties in a flood plain) and transition risk (e.g., a portfolio of loans heavily concentrated in diesel-fueled vehicles) may impact specific asset classes, sectors, counterparties, or geographical locations. To measure the identified risks, institutions should develop appropriate key risk measurement tools or indicators, such as utilizing climate scenario analysis, which is discussed below. DFS suggests regular monitoring of risk positions and exceptions to operating within established policies, limits and risk appetite. In addition to risk positions, DFS suggests monitoring climate-related financial risks on outsourcing arrangements, service providers, supply chains, and business continuity planning. To help control climate-related financial risks, Regulated Organizations should implement plans to mitigate and manage exposures to such risks by, for example, setting internal limits or setting risk-based pricing measures.

The proposed guidance also discusses the management of risk areas, including assessment of credit, market, operational, liquidity, legal/compliance, and strategic risk. With respect to credit risk, DFS indicates that Regulated Organizations should consider climate-related financial risks that exist or may arise in their underwriting and ongoing portfolio monitoring practices. DFS suggests that climate-related credit risk monitoring could include credit risk concentrations resulting from physical and transition risks, as well as any changes in correlations across exposures or asset classes.

Data Aggregation and Reporting. DFS's proposed guidance indicates that Regulated Organizations should develop risk data aggregation capabilities and risk reporting practices that are capable of monitoring material climate-related financial risks and producing timely information to facilitate board and senior management decision-making. The proposed guidance further states that this may require organizations to enhance existing systems to make it possible to identify, collect and centralize the data necessary to assess material climate-related financial risks so that such risks can be considered alongside other risks that the organizations monitor and manage.

Scenario Analysis. DFS's proposed guidance suggests that climate scenario analysis can be a useful tool in identifying, anticipating, managing, and measuring climate-related financial risks. It recommends that Regulated Organizations should consider using a range of climate scenarios based on assumptions regarding the impact of climate-related financial risks over different time horizons to assess the resiliency of their business models and strategies, identify and measure vulnerability to relevant climate-related risk factors, estimate exposures and potential impacts, and determine the materiality of climate-related financial risks.

DFS Request for Comment

As part of its proposal, DFS is soliciting feedback on all aspects of its proposed guidance and requests comment from stakeholders on four questions in particular:

  1. The proposed guidance does not include an implementation timeline. Should one be established? If so, what should it be and why?
  2. What does appropriate climate scenario analysis look like for smaller institutions?
  3. Should existing regulatory reporting requirements be supplemented to capture disclosure of exposure to material climate-related financial risks and their management of such risks? If so, what should the supplemental report look like?
  4. Are there other aspects of climate-related financial risks this guidance should consider? Are there aspects of this guidance that would benefit from further clarification, context or reframing?

Comments are due by March 21, 2023. Interested parties may submit feedback through a template found on DFS's website. On January 11, 2023, at 10:30 am EST, DFS will be hosting a webinar to provide an overview of the proposed guidance.

Key Takeaways

  • The commonality of many areas of DFS's proposed guidance with the FBA's principles provides a strong indication of the likelihood that these areas will be adopted substantially as proposed.
  • Key areas for boards and senior management to focus on in the near term are climate risk education, governance, and data evaluation and aggregation.
  • Like the FBAs, DFS believes credit underwriting should take into account climate-related risk in the origination process, but complicates the guidance by stressing that LMI and fair lending concerns will trump climate risk concerns. This would seem to be an area that begs for greater clarity from DFS.
  • The application of DFS's proposed guidance to Regulated Organizations of all sizes, but with a recognition that an organization's approach to climate-related risk management should be proportionate to its unique risk exposure, should not be viewed as endorsing a minimalist approach for smaller community banks.

Conclusion

Arnold & Porter's Financial Services, Corporate, Environmental Practice and Securities Groups continue to monitor climate-related and other ESG developments in the financial services sector and to develop best practices for the firm's financial institution clients. If New York-regulated financial institutions are seeking to comment on DFS's proposed guidance, or are seeking advice on how to incorporate ESG factors—including climate-related considerations—into their business strategy, risk management, or disclosure processes, please contact any author of this Advisory or your regular Arnold & Porter contact.

* Michael Treves contributed to this Advisory. Mr. Treves is a graduate of the New York University School of Law and is employed at Arnold & Porter's Washington, DC office. Mr. Treves is admitted only in New York. He is not admitted to the practice of law in Washington, DC.

Footnote

1. SeeOCC Principles for Climate-Related Financial Risk Management for Large Banks; FDIC Statement of Principles for Climate-Related Financial Risk Management for Large Financial Institutions; and Federal Reserve System Principles for Climate-Related Financial Risk Management for Large Financial Institutions.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.