United States: New York State Department Of Financial Services Issues Final Guidance On Climate-Related Risk Management

On December 21, 2023, the New York State Department of Financial Services (DFS) published final guidance regarding financial institutions' assessment and management of material climate-related financial and operational risks (Guidance). More sweeping than the federal banking agency principles on climate-related risk management, which apply only to financial institutions with over US$100 billion in consolidated assets,¹ DFS' Guidance applies to all New York State-regulated banking organizations, New York State-licensed branches and agencies of foreign banking organizations (FBOs), and New York State-regulated mortgage bankers and mortgage servicers (collectively, Regulated Organizations).

DFS did not set an implementation timeline for the Guidance. As a first step, during 2024, DFS will request information from Regulated Organizations on their current or planned climate-related risk management processes. DFS will factor the responses to these requests into its determination of the appropriate implementation timing. DFS also will coordinate with relevant federal banking regulators to determine when and how to incorporate an assessment of this Guidance into DFS' supervisory examinations.

Notwithstanding this undetermined timeline, Regulated Organizations should begin taking the Guidance into account now, as it is not a question of if DFS will incorporate climate-related risk management into the examination process, but when.

Key Elements of the Guidance

The Guidance is substantially the same as the guidance DFS proposed in October 2022 (see our prior Advisory), with some changes in response to public comments. As in the proposed guidance, the final Guidance addresses five areas of climate-related financial and operational risk management: corporate governance; internal control framework; risk management process; data aggregation and reporting; and climate scenario analysis.

Corporate Governance: The Guidance recognizes that corporate governance is the foundational element of an effective climate-related risk management program. While many aspects of the Guidance provide what Regulated Organizations should do, the Guidance states that DFS expects a Regulated Organization's governance framework will ensure that there is a process in place for identifying, measuring, monitoring, and controlling material financial and operational climate-related risks. DFS encourages a risk-based approach to climate-related risk management and therefore does not propose any "one-size fits all" measures for monitoring or controlling such risks; however, this Guidance makes clear that every Regulated Organization must have a process for, at the very least, considering the impact of climate risk on its business.

The Guidance places significant responsibility on the board of directors, providing that the board should, among other things, (1) establish a risk management framework that integrates climate-related financial and operational risks and (2) exercise effective oversight of, and hold management accountable for, its implementation.

Internal Control Framework: Regulated Organizations should incorporate climate-related risks across the three lines of defense:

• The first line of defense — the risk-taking function — should assess climate-related financial risks during client onboarding, credit application, and credit review processes. A Regulated Organization's credit underwriting and monitoring processes should include a review of how physical and transition climate risks may impact its clients' business.²
• The second line of defense — the risk management function — should undertake independent, climate-related financial risk assessment and monitoring and assess compliance with climate-related rules, regulations, and internal policies. This function also should assess compliance with fair lending and consumer protection laws, regulations, and guidance.
• The third line of defense — the internal audit function — should conduct regular independent reviews of the Regulated Organization's climate-related internal control framework and systems, taking into account changes in the methodology, business model, and risk profile of the organization, as well as in the quality of underlying data.

Risk Management Process: DFS expects Regulated Organizations to identify, measure, monitor, and control material climate-related financial and operational risks through their existing risk management framework in line with their board-approved risk appetites. Regulated Organizations should assess the impact of physical and transition risks as drivers of their existing risk categories, including credit risk, liquidity risk, market risk, legal/compliance risk, operational risk, and strategic risk, to the extent material and relevant.

Data Aggregation and Reporting: Regulated Organizations should ensure that their processes for aggregating data and internal reporting are sufficient to monitor material climate-related financial risks and to produce timely information to facilitate board and senior management decision-making. Where the required data for assessing climate-related financial risks is not yet captured by existing information technology infrastructure, Regulated Organizations should enhance existing systems to make it possible to identify, collect, and centralize the data necessary to assess material climate-related financial risks.

Climate Scenario Analysis: The Guidance describes climate scenario analysis — an internal assessment tool to help identify potential future climate-related risks and risk management capabilities over varying time horizons and climate scenarios — as an exercise that "can be useful," and something that Regulated Organizations "should consider" conducting. This language indicates that DFS does not expect all Regulated Organizations to conduct climate scenario analyses. Given DFS' theme of "proportionate implementation" (discussed below), it is likely that DFS' expectation that a Regulated Organization conduct climate scenario analyses will be commensurate with that entity's climate-related risk exposure.

Proportionate Implementation and Leveraging Parent Company Resources

While the Guidance applies to Regulated Organizations regardless of size, DFS encourages a proportionate approach to climate risk management, appropriate to each organization's exposure to the impacts of climate risk on the organization's operational resilience and safety and soundness. Importantly, the Guidance notes that small asset size should not necessarily be equated with low climate-related risk exposure. Smaller institutions may have concentrated business lines or geographies that are highly exposed to climate-related risks, and DFS will expect such institutions to have commensurate climate-risk management programs, notwithstanding their asset size.

The Guidance contains potentially encouraging provisions for FBOs and other entities that are part of a group of affiliated entities or a holding or parent company structure (Group). Such Regulated Organizations may leverage existing Group-level climate-related governance frameworks and risk management policies, procedures, and resources to satisfy DFS' supervisory expectations, if the climate-related risks at the Group level include those faced by the Regulated Organization.³

Balancing Climate-Related Risk Management With Fair Lending and Consumer Protection Considerations

DFS expects Regulated Organizations to incorporate climate-related risk management principles, as appropriate, without disinvesting from low- and moderate-income (LMI) communities and communities of color, which are disproportionately harmed by climate change and natural disasters.⁴ Notwithstanding the practices outlined in the Guidance, Regulated Organizations must continue to comply with applicable consumer protection and fair lending laws, regulations, and guidance.

Practical Considerations

• DFS recognizes that management of climate-related risk is an evolving practice, and financial institutions may not currently have complete processes and information to assess climate-related risks. Such statements should not lull financial institutions into complacency. DFS, and other financial regulators, have explicitly stated that uncertainty and data gaps do not justify inaction. Regulated Organizations should begin the process of considering how to incorporate this Guidance now.
• U.S. management of FBOs seeking to leverage existing Group-level climate-related policies and resources should keep their head office apprised of their climate-related risks and the U.S. regulatory expectations pertinent to their U.S. operations so that the head office may provide appropriate risk management resources to the FBO. The FBO and head office also should ensure that the head office climate-related policies and information systems are sufficiently transparent to allow DFS, and other U.S. supervisors, to assess their adequacy for the FBO's U.S. operations.
• The Guidance underscores the importance of consumer protection and fair lending compliance to DFS. Regulated Organizations should consider opportunities to mitigate their climate-related financial risks through financing or investments that enhance the climate resiliency of LMI communities and communities of color. Such activities may be eligible for credit under the New York State Community Reinvestment Act.⁵
• DFS, like its federal counterparts, is focused on potential misleading climate-related public statements. Regulated Organizations should consider a process for ensuring that all such statements and disclosures are vetted for accuracy and consistency with the entity's climate-related strategies, initiatives, risk appetite, and risk management framework.
• Boards of Directors will need to be engaged in the process of compliance with the Guidelines, starting with board education on climate risk and an evaluation of the governance processes around risk management of climate-related risks.

Conclusion

Arnold & Porter's Financial Services, Corporate, Environmental, and Securities practice groups continue to monitor climate-related and other ESG developments in the financial services sector and to develop best practices for the firm's financial institution clients. If financial institutions are seeking advice on how to incorporate ESG factors — including climate-related considerations — into their business strategy, risk management, or disclosure processes, please contact any author of this Advisory or your regular Arnold & Porter contact.

Footnotes

1. The federal banking agencies finalized interagency principles for large financial institutions' management of climate-related financial risk on October 24, 2023 (see our prior Advisory).

2. "Physical risks" refer to harm to people and property arising from acute, climate-related events or chronic shifts in weather patterns. "Transition risks" refer to stresses to institutions or sectors arising from economic and behavioral shifts driven by policy and regulations, adoption of new technologies, consumer and investor preferences, and changing liability risks.

3. These provisions apply also to Regulated Organizations that are part of an intermediate holding company structure.

4. DFS also explicitly provides that its Guidance neither prohibits nor establishes limits for providing loans or other services to any specific class or type, as permitted by law or regulation. This statement likely is in response to criticisms that climate-related risk management guidance encourages financial institutions to "boycott" the oil and gas and other carbon intensive industries.

5. N.Y. Banking Law § 28-b(4).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.