MARCH 5, Federal Reserve Proposes Enhanced Risk Management Expectations for Large Financial Institutions

Transcription

1 promontory.com INFOCUS MARCH 5, 2018 BY JULIE WILLIAMS, WILLIAM LANG, AND JUSTIN GUO Federal Reserve Proposes Enhanced Risk Management Expectations for Large Financial Institutions Julie Williams Managing Director and Director of Domestic Advisory Practice, Washington, D.C. The Federal Reserve Board in January proposed guidance 1 that sets forth core principles of effective senior management, management of business lines, and independent risk management and controls for large financial institutions. The proposed guidance seeks to consolidate, clarify, and update the Federal Reserve s supervisory expectations on various aspects of a banking organization s risk management framework, including roles and responsibilities for key executives and functions. It would supersede supervision and regulation letter 95-51: Rating the Adequacy of Risk Management Processes and Internal Controls at State Member Banks and Bank Holding Companies. 2 The proposed guidance is part of a larger initiative to develop a new supervisory rating system 3 consistent with the Federal Reserve s post-crisis supervision framework for large financial institutions. 4 The Federal Reserve plans to start using the proposed LFI rating framework during the 2018 examination cycle. The proposal would apply to domestic bank holding companies and savings-and-loan holding companies with total consolidated assets of $50 billion or more; combined U.S. operations of foreign banking organizations with U.S. assets of $50 billion or more 5 ; any state member-bank subsidiaries of the foregoing; and systemically important nonbank financial companies designated by the Financial Stability Oversight Council for Federal Reserve oversight. William Lang Managing Director, New York The enhanced risk management expectations are established in the form of supervisory guidance, in contrast to the Office of the Comptroller of the Currency s September 2014 heightened standards, which are enforceable guidelines. 6 The proposed guidance is a different supervisory tool, but it can provide the basis for Federal Reserve examiners to issue matters requiring (immediate) attention, which, if not met, can ultimately lead to enforcement actions by the Federal Reserve. Justin Guo Principal, Washington, D.C. 1 Proposed Supervisory Guidance, Board of Governors of the Federal Reserve System, Federal Register (Jan. 11, 2018). 2 SR 95-51: Rating the Adequacy of Risk Management Processes and Internal Controls at State Member Banks and Bank Holding Companies, Federal Reserve (Nov. 14, 1995). 3 Large Financial Institution Rating System; Regulations K and LL, Federal Reserve, Federal Register (Nov. 24, 2017). 4 Consolidated Supervision Framework for Large Financial Institutions, Federal Reserve (Dec. 17, 2012). 5 Note that insurance SLHCs and commercial SLHCs are subject to the proposed guidance, but not the proposed revised rating system for LFIs. In addition, only intermediate holding companies of FBOs established pursuant to the Federal Reserve s Regulation YY (12 CFR ) would be subject to the revised rating system. 6 OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches; Integration of Regulations, Office of the Comptroller of the Currency (Sept. 11, 2014).

2 The Federal Reserve requests comments (which may foreshadow changes in the final guidance) on a number of issues, including: Other factors to be considered in assessing governance and controls at LFIs Further clarifications needed to the roles and responsibilities of the board, senior management, business-line management, and independent risk management Additional clarity regarding structure and coverage of and controls Tailoring of supervisory expectations for FBOs Any divergence of this proposal from industry practices related to risk management and controls Any confusion created by the terminology risk tolerance under the proposal Any confusion or impact created by the terminology management of business lines The comment period for this proposal ends on March 15, Simplicity or Complexity? This proposed guidance is issued in the context of leadership and policy changes at the Federal Reserve. In a recent speech, Vice Chairman for Supervision Randal K. Quarles set forth key principles that will guide future regulatory reforms: efficiency, transparency, and simplicity. In particular, he stated that simplicity of regulation is a principle that promotes public understanding of regulation, promotes meaningful compliance by the industry with regulation, and reduces unexpected negative synergies among regulations. Confusion that results from overly complex regulation does not advance the goal of a safe system. 7 Aspects of the proposal raise questions as to whether it achieves these principles. While the proposal takes steps to consolidate and clarify existing supervisory expectations, in other respects it is complex, internally inconsistent in some places, and does not clearly synchronize with existing supervisory guidance. For large banking organizations particularly those with a large nationalbank subsidiary the differences between the proposal and the OCC s heightened standards create uncertainties regarding the extent to which the organization can rely on the same framework for both holding company and bank. For some FBOs, the proposal would present the challenge of reconciling the proposal s risk-governance expectations with three other sets of risk-governance guidance and regulations directed to large national-bank subsidiaries, intermediate holding companies, and FBOs combined U.S. operations (or CUSO). ISSUES WITH KEY DEFINITIONS The delineation of roles and responsibilities under the proposal is generally based on concepts of three lines of defense. Although the Federal Reserve does not explicitly use that terminology in the proposal, it effectively creates distinct subparts of both the first and second lines, with distinguishable expectations attributed to each. For example, the proposal s definition of senior management 8 starts out almost identically to the definition used in the Basel Committee on Banking Supervision s Corporate governance principles 7 Randal K. Quarles, Early Observations on Improving the Effectiveness of Post-Crisis Regulation, Federal Reserve (Jan. 19, 2018). 8 Senior management refers to the core group of individuals directly accountable to the board of directors for the sound and prudent day-to-day management of the firm, the proposal says. Senior management oversees the firm s business lines,, and controls (including internal audit function). PROMONTORY Sightlines InFocus MARCH 5,

3 for banks document, 9 but then adds new elements. The definition includes the executives responsible for overseeing the activities of a company s business lines and risk functions as the BCBS definition does but explicitly adds that senior management includes senior management overseeing the company s independent risk management and controls, which include the internal audit function. However, the proposal does not elaborate on how this oversight will be conducted while maintaining the independence of and audit. The proposal also distinguishes the responsibilities of senior management and business-line management, 10 an approach different from the BCBS governance principles and OCC heightened standards. Here, the Federal Reserve acknowledges that individuals might be part of both senior management and business-line management, which would subject them to both sets of expectations. And while the proposal defines business lines as both revenue-generating units and support functions, it does not clarify the treatment of certain functions including, in particular, the legal department. TWO SEPARATE FRAMEWORKS FOR RISK TOLERANCES AND LIMITS? The proposal sets forth multilayered risk-tolerance and risk-limit frameworks, starting with a boardapproved risk tolerance, which incorporates the aggregate level and types of risk that the board and senior management are willing to assume. There are then business-line risk objectives, which must align with the firmwide strategy and risk tolerance. And finally, enterprise risk limits and specific risk limits 11 are established by, and must be both qualitative and quantitative and include explicit thresholds. These risk limits must be consistent with the firm s risk tolerance and cover the firm s full set of risks. The proposal further requires that inform senior management and the board of the suitability an undefined term of risk positions relative to both risk limits and risk tolerance. By contrast, the OCC s heightened standards require a risk appetite framework that includes frontline-unit risk limits and concentration-risk limits. While the proposal and the OCC s heightened standards are not necessarily inconsistent, their relationships are unclear and could require large banking organizations to rationalize the different sets of frameworks. ESCALATION AND REPORTING The proposed guidance contains multiple provisions relative to breach escalation and reporting. For example, when a deviation from a firm s risk tolerance occurs, different sections of the proposal would envision different escalation paths: Section I (senior management) requires escalation from senior management to the board or a board committee. Section III.A.I (chief risk officer) requires escalation from the CRO to senior management and the board. Section III.B () requires escalation from to senior management. 9 Corporate governance principles for banks, Basel Committee on Banking Supervision (July 8, 2015). 10 Business-line management refers to the core group of individuals responsible for the prudent day-to-day management of the business line and who report directly to senior management for that responsibility, according to the proposal. 11 The proposal suggests that establish risk limits for specific risk types, business lines, legal entities, jurisdictions, geographic areas, and products or activities commensurate with the firm s risk profile. PROMONTORY Sightlines InFocus MARCH 5,

4 UNIQUE CHALLENGES FACING FBOS In addition to the conceptual issues highlighted above, FBOs face unique challenges in harmonizing home- and host-country supervisory expectations. The proposal would apply to larger FBOs at the CUSO level, including branch and subsidiary operations, while recognizing that certain elements of an FBO s governance framework may be located outside of the U.S. The proposal would make framework harmonization at the CUSO level more challenging, because it provides a more detailed and prescriptive delineation of roles and responsibilities and key risk management processes, as compared to existing regulations and supervisory expectations applicable at the CUSO level. For example, the proposed guidance notes that the risk tolerance for the combined U.S. operations might be developed separately for an FBO s IHC and branch operations. Also, for an FBO, the term senior management can refer to individuals located inside or outside the U.S. who are accountable to an IHC board, U.S. risk committee, or global board of directors with respect to U.S. operations. In practice, harmonizing risk-governance frameworks also involves data sourcing, analytics, and reporting that help execute the frameworks including for risk appetite(s) across an FBO s U.S. operations. However, differences may exist across an FBO s U.S. entities regarding risk-data measurement, aggregation, monitoring, reporting, and management processes. Such differences can impede effective framework alignment in practice, even if there are no apparent inconsistencies among framework standards. A Comprehensive Set of Supervisory Expectations for Enterprise Risk Management The proposal sets forth core principles corresponding to the following roles and functions: senior management and business-line management, the CRO and, and the chief audit executive and internal audit. SENIOR MANAGEMENT AND BUSINESS-LINE MANAGEMENT As noted above, the proposal contains separate, but complementary, sets of expectations for senior management and business-line management, which together are responsible for substantially all first-line responsibilities under the traditional three-lines-of-defense framework. A major focus of the proposal is the management of business lines, and the Federal Reserve indicated it would take a risk-based approach to determine which business lines to examine first. 12 Institutions size, complexity, recent supervisory experience, relative growth and maturity, and significant changes relative to particular business lines are among the factors examiners would consider. Because substantial portions of a given business line s assets may reside in a bank subsidiary supervised by the OCC or Federal Deposit Insurance Corp., the Federal Reserve stated that it recognizes the need to coordinate with other federal and state agencies particularly with the primary regulators of a firm s insured-depository-institution subsidiaries. Despite this stated intent, the agencies will 12 For companies in the scope of the Federal Reserve s Large Institution Supervision Coordinating Committee, all business lines are covered by the guidance; for firms that are LFIs but not in the LISCC program, the guidance applies to any business line in which a significant control disruption, failure, or loss event could result in a material loss of revenue, profit, or franchise value, or result in significant consumer harm. PROMONTORY Sightlines InFocus MARCH 5,

5 Examples of Internal Controls Policies and procedures Assignment of roles and responsibilities and separation of duties Physical controls Approvals and dual authorizations Verifications of transaction details Reconciliations Access controls Change-management controls Data-integrity controls, including data reconciliations, variance analysis, and dataquality logic checks Escalation procedures face the considerable challenge of avoiding duplicative and possibly inconsistent evaluations of the same business activities. Specific responsibilities of senior management and business lines include the following: Strategy and Risk Tolerance. Senior management is responsible for implementing the strategy and risk tolerance approved by the firm s board, and for identifying any deviations and escalating them to the board. Business-line management is responsible for executing business-line activities by establishing specific business and risk objectives that align with the firmwide strategy and risk tolerance; informing senior management of insufficiencies in risk management capabilities; and during the strategic-planning process, explaining the business line s risk exposures and how they are managed. Risk Identification, Assessment, and Measurement. Senior management is responsible for establishing clear responsibilities and accountability for the identification, measurement, management, and control of risk. The proposal also emphasizes risk ownership by requiring business-line management to identify, assess, measure, aggregate, and mitigate current and emerging risks, incorporating feedback from. Risk Limits and Breach Escalation. Risk limits set by describe explicit thresholds, which if crossed, prohibit the activity generating the risk but exceptions to the limits are possible, subject to a formal approval process involving. Before allowing any exceptions to risk limits, businessline management must consult with senior management and seek approvals under the firm s formal process, which should result in well-supported decisions to accept or mitigate the risk. In addition, the business-line management is expected to evaluate risk-limit breaches to identify and remediate weaknesses in business lines monitoring or limits frameworks. Business Control and Testing. Firms must identify their systems of internal control, assign management responsibilities, foster a control culture by integrating control activities into the daily functions of all personnel, and demonstrate that the system is appropriate for firms particular circumstances. Under the proposal, business-line management has responsibility for the development, maintenance, testing, remediation, reporting, and update of internal control systems. In addition, the proposal lists various types of internal controls, such as physical controls, dual authorizations, and transaction verifications. PROMONTORY Sightlines InFocus MARCH 5,

6 Information Flow and Risk Reporting. Senior management should promote effective communication and information sharing across the firm by (among other responsibilities) addressing impediments to the effective flow of information; providing timely, useful, and accurate risk information to the board; and being responsive to the board s directions and informational needs. Importantly, senior management should base its decisions, actions, and communications with the board on a full understanding of the firm s risks and activities. To this end, the proposal would require senior management to implement strong internal controls, financial and risk reporting, management information systems, and succession and contingency staffing plans for key positions. Issue Remediation. Senior management is expected to stay informed about risk management deficiencies; ensure timely issue remediation; escalate issues to the board; and, when appropriate, communicate issues internally. New Products and Initiatives. Firms should establish policies and procedures for vetting new business products and initiatives. Specifically, business-line management is expected to identify and capture risks in infrastructure, compliance, risk management governance, and processes before commencing a new business; and escalate to senior management any required changes to risk management systems or internal control policies and procedures arising from the adoption of a new business or initiative. THE CRO AND The proposal emphasizes the stature, independence, and accountability of the CRO, highlighting that the CRO should have the ability and authority to influence decisions and effect changes, procure adequate resources, escalate issues as needed to senior management and the board, and observe or participate on relevant management committees. In referring to the CRO (our emphasis added), the proposal seems to envision a single-leader structure for the risk organization. In practice, however, some large banking organizations have two or more senior-most officials for the risk organization (e.g., having the CRO and chief compliance officer both reporting to the CEO), splitting the different risk types under their respective responsibilities. Overall, the CRO is responsible for establishing and maintaining the function. In connection with this responsibility, the CRO is expected to periodically assess s staffing, systems, and sufficiency in its understanding of risks and business activities, as well as its authority to identify and escalate issues and challenge management when warranted. In addition, the proposal expects the CRO to be involved in key corporate processes and escalate concerns as needed, including strategic planning, capital and liquidity planning, incentive-compensation design and oversight, and proposed mergers or new product offerings. As needed, the CRO should recommend constraints on risk taking and enhancements to risk management to senior management and the board. Under the proposal, specific responsibilities of include the following: Risk Identification, Measurement, and Assessment. is responsible for providing an objective, critical perspective of a firm s risks. This responsibility entails identifying, assessing, measuring, and aggregating current and emerging risks along meaningful dimensions such as risk type, legal PROMONTORY Sightlines InFocus MARCH 5,

7 Risk Types Risk Dimensions Credit Market Operational Liquidity Interest rate Legal Compliance Other related risks Enterprise Risk type Business line Legal entity Jurisdiction/ country Geographic area Concentration (e.g., funding) Obligor Counterparty Product or activity Industry entity, or jurisdiction. In addition, should establish dynamic, inclusive, and comprehensive standards for risk identification and measurement practices, including both qualitative and quantitative elements. The proposal specifically notes that should be able to aggregate all retail credit risk across the firm s different consumer business lines (such as credit cards, residential mortgages, and auto lending). Based on the risk assessments, would determine the impact of risks on the firm and inform senior management and the board about the suitability of risk positions relative to risk limits and the risk tolerance. Finally, the proposal would require that assess risk-mitigation strategies and recommend alternatives if concerns arise. Risk Tolerance and Limits. The firm should have a board-approved, firmwide risk tolerance supported by business-line risk objectives that flow from the components of the firm s risk tolerances. In addition, the proposal includes a framework that establishes multiple tiers of limits, including enterprisewide risk limits set by that are consistent with the risk tolerance, as well as specific risk limits also set by such as for a business line, and created based on the enterprisewide limits, including certain risk thresholds that if crossed, would strictly prohibit the risk-taking activities. Notably, under the proposal, risk limits are both qualitative and quantitative. The figure on the following page provides a comparison of the definitions used by the Federal Reserve, OCC, and BCBS. Under the direction of the CRO, is responsible for participating in the establishment of the firmwide risk tolerance by evaluating whether it meets certain criteria, such as comprehensiveness in risk-type coverage; establishing, monitoring, and updating these risk limits; assessing the firm s risk positions relative to the parameters of the firm s risk tolerance; and providing relevant risk information to senior management and the board. In addition, the proposal sets forth various considerations in setting risk limits, including the range of possible external conditions over a period of time; aggregation and interaction of risks; the firm s financial, managerial, technological, and operational resources; and the need to reinforce compliance with laws, regulations, and supervisory expectations. PROMONTORY Sightlines InFocus MARCH 5,

8 TERMINOLOGY USED TO DESCRIBE RISK-TOLERANCE AND -LIMIT FRAMEWORKS FRB Risk Tolerance: The aggregate level and types of risk the board and senior management are willing to assume to achieve the firm s strategic business objectives, consistent with applicable capital, liquidity, and other requirements and constraints. Risk Objectives: The level and type of risks a business line plans to assume in its activities relative to the level and type specified in the firmwide risk tolerance. Enterprisewide Risk Limits: Limits with the firm s risk tolerance that constrain risk taking so that the level and type of risks assumed remains aligned with the firmwide risk tolerance. Specific Risk Limits: Risk limits assigned to specific risk types, business lines, geographies products or activities, etc. Risk-Position Suitability: Undefined. OCC Risk Appetite: The aggregate level and types of risk the board of directors and management are willing to assume to achieve a covered bank s strategic objectives and business plan, consistent with applicable capital, liquidity, and other regulatory requirements. Risk Limits: The quantitative portion of a risk appetite statement, including limits on concentration and frontline-unit risks. Aggregate risk appetite limits should reflect the aggregate level of risk that the board of directors and executive management are willing to accept. BCBS Risk Capacity: The maximum amount of risk a bank is able to assume given its capital base, risk management, and control capabilities as well as its regulatory constraints. Risk Appetite: The aggregate level and types of risk a bank is willing to assume, decided in advance and within its risk capacity, to achieve its strategic objectives and business plan. Risk Limits: Specific quantitative measures or limits based on, for example, forward-looking assumptions that allocate the bank s aggregate risk to business lines; legal entities as relevant; specific risk categories; concentrations; and, as appropriate, other measures. Breach Escalation. The CRO is expected to escalate issues to senior management and the board when activities or practices at the firmwide, risk-specific, and business-line level do not align with the firm s overall risk tolerance. In addition, is expected to determine the consistency between the firm s risk profile and risk tolerance, and assess the capacity of the firm s risk management framework including resources and infrastructure in relevant areas of the firm relative to the risks outlined in the risk tolerance. Separately, is expected to escalate to senior management any material breaches of the firm s enterprisewide risk limits and risk tolerance, as well as instances where s conclusions differ from the conclusions of a business line. If a business line seeks exceptions to established risk limits, the CRO or should provide an assessment of the proposal and escalate it to the board of directors (or a board committee) as appropriate, pursuant to clearly articulated policies and procedures that govern the necessary level of approval within and the escalation path. A comparison of the rather complicated reporting and escalation paths under various sections of this proposal and the OCC s heightened standards is set out in the figure on the opposite page. Risk Reporting. would be expected to provide the board and senior management with risk reports that are comprehensive, useful, accurate, timely, adaptable, and tailored to the informational needs of the board, senior management, and other recipients. Such reports should enable prompt escalation and remediation of risks and issues, provide current and forward-looking risk perspectives, and support or influence strategic decision-making. PROMONTORY Sightlines InFocus MARCH 5,

9 POTENTIALLY DUPLICATIVE OR INCONSISTENT EXPECTATIONS FOR BREACH ESCALATION THAT SHOULD BE CLARIFIED Risk Events FRB Proposal OCC HS Escalated By Escalated To Escalated By Escalated To Breaches to enterprisewide risk limits and risk tolerance Senior Management Board (or Board Risk Committee) Instances where s conclusions differ from the conclusions of a business line Senior Management CEO and Board (or Board Risk Committee) Instances where s assessment of risk differs from that of the CEO Undefined Undefined Board (or Board Risk Committee) Risk that the firm s activities collectively may deviate from the firm s strategy and risk tolerance Senior Management Board (or a Board Committee) Board (or Board Risk Committee) Activities or practices at the firmwide level that do not align with the firm s overall risk tolerance CRO Senior Management and Board (or a Board Committee) Board (or Board Risk Committee) Activities or practices at the risk-specific level that do not align with the firm s overall risk tolerance CRO Senior Management and Board (or a Board Committee) Board (or Board Risk Committee) Activities or practices at the business-line level that do not align with the firm s overall risk tolerance CRO Senior Management and Board (or a Board Committee) (1) Business Line or (2) (1) or (2) CEO and Board (or Board Risk Committee) Specifically, risk reports are expected to cover current and emerging risks; adherence to risk limits; information on aggregate risks within and across business lines and risk types, as well as by legal entity, jurisdiction, and concentrations; and strategic, capital, and liquidity-planning processes. CHIEF AUDIT EXECUTIVE AND INTERNAL AUDIT Under the proposal, the chief audit executive is expected to have clear roles and responsibilities to establish and maintain an internal audit function that is appropriate for the size, complexity, and risk profile of the firm. The CAE should be appointed by the board, with sufficient capability, experience, independence, and stature to manage the audit function. Under the direction of the CAE, the internal audit function should provide independent assessments and reporting to the board s audit committee and senior management regarding the effectiveness of risk management and internal control systems. PROMONTORY Sightlines InFocus MARCH 5,

10 The proposal does not supersede, but cross-references SR 13-1/CA 13-1: Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing. 13 How Banking Organizations Can Prepare Large banking organizations can begin preparing for compliance by: Comparing expectations in the proposal to other supervisory pronouncements to which the firm is subject, such as the OCC s heightened standards, IHC regulatory standards, and CUSO requirements; identifying areas where current frameworks may need to be built out; and determining, on a preliminary basis, potential areas for further clarification or enhancement Reviewing alignment of roles and responsibilities between the first and second lines of defense, including between senior management and business lines and the CRO and Assessing the substantive coverage, structure, and effectiveness of the enterprise risk management framework and supporting policies and procedures, such as: The management committee s structure, reporting routines, and information flow The risk appetite framework, including the rationalization of multiple levels of risk metrics (e.g., risk appetite metrics, thresholds, and key risk indicators) The internal control framework, including control documentation and mapping The monitoring and testing program (first-line assurance activities and integration of risk-control self-assessments and compliance testing) Standards for risk assessment and measurement Risk-data aggregation and reporting strategy and capabilities Assessing infrastructure and resource needs in light of revisions to the ERM framework, policies, and roles and responsibilities, particularly for entities that historically have not been subject to this level of enhanced risk management expectations Conclusion The Federal Reserve s proposed guidance on risk management consolidates some supervisory expectations, but also adds more. As proposed, the guidance does not synchronize well with some existing supervisory standards and regulatory regimes, presenting implementation challenges for large U.S. and global banking organizations in building out or reconciling risk management frameworks at multiple levels or types of legal entities. 13 SR 13-1/CA 13-1: Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing, Federal Reserve (Jan. 23, 2013). PROMONTORY Sightlines InFocus MARCH 5,

11 About the Authors Julie Williams is a managing director who leads Promontory s domestic advisory practice and advises clients on government expectations that shape regulatory and compliance requirements. William Lang is a Promontory managing director and leading authority on financial risk management, quantitative analysis, bank supervision, and stress testing. Justin Guo is a Promontory principal and advises clients on corporate governance, risk management, and regulatory compliance. PROMONTORY Sightlines InFocus MARCH 5,

12 Contact Promontory For more information, please call or your usual Promontory contact or: Arthur Angulo Managing Director, New York Jim Hilton Executive Managing Director for the United States, New York Elizabeth McCaul Managing Director and CEO, Promontory Europe, New York Mark Sexton Director, New York Ronald Cathcart Managing Director, New York William Lang Managing Director, New York Julie Williams Managing Director and Director of Domestic Advisory Practice, Washington, D.C Justin Guo Principal, Washington, D.C To subscribe to Promontory s publications, please visit promontory.com/subscribe.aspx Follow Promontory on Promontory Financial Group, an IBM Company, excels at helping clients resolve critical issues, particularly those with a regulatory dimension. Promontory professionals have unparalleled regulatory experience and insight, and provide our clients with frank, proactive advice informed by best practices and regulatory expectations. Founded in 2001 by Chief Executive Officer Eugene A. Ludwig, former U.S. comptroller of the currency, Promontory became a wholly owned subsidiary of IBM in th Street, NW, Suite 1100, Washington, DC Telephone Fax promontory.com 2018 Promontory Financial Group, an IBM Company. All Rights Reserved.