The Role of Internal Audit in SCCL Compliance

The Role of Internal Audit in SCCL Compliance

1. Overview

The Single Counterparty Credit Limits (SCCL) rule is a key part of the Federal Reserve's effort to reduce systemic risk in the banking system. It limits how much credit exposure a large U.S. bank holding company (BHC), foreign banking organization (FBO), or U.S. intermediate holding company (IHC) can have to any single counterparty. This requirement helps prevent financial contagion in the event of a major counterparty failure.

While senior management is responsible for making sure the bank complies with SCCL, internal audit plays a crucial supporting role. Audit teams provide independent and objective assurance that the bank’s SCCL framework is effective, well-controlled, and aligned with regulatory expectations. Their work helps identify gaps before they become problems and gives regulators confidence in the strength of the bank’s overall compliance program.

2. Regulatory Requirement

Under Regulation YY (12 CFR Part 252, Subpart H), large banking organizations must implement strong internal controls for SCCL compliance.

Although the rule does not spell out a specific role for internal audit, the expectation is clear: internal audit must be involved as part of the broader governance and control framework. A senior officer is required to sign and attest to the accuracy of the FR 2590 report. That signature depends on reliable internal controls, and internal audit serves as a key line of defense to verify those controls are working as intended.

3. Common Challenges

Internal audit teams face several challenges when evaluating SCCL compliance. These challenges often stem from the complexity of the rule and the systems that support it:

  • Complex Data Requirements: SCCL exposure data comes from multiple business lines, systems, and counterparty records. Auditors must trace the full data flow to confirm accuracy and completeness.
  • Regulatory Interpretation: The rule includes nuanced aggregation rules based on control and economic interdependence. Internal audit must assess whether these rules are being applied correctly across the organization.
  • Daily Monitoring: Even though FR 2590 is filed quarterly, banks must monitor exposures daily. Auditors must confirm that daily monitoring systems are robust and functioning properly.
  • Interseries Data Consistency: Regulators compare SCCL data with other reports like FR Y-9C, FR Y-15, and FFIEC 009. Audit teams must ensure that reported data is consistent and reconciled across these filings.
  • Risk Mitigation: The rule allows for exposure offsets using collateral, guarantees, and derivatives. Internal audit must confirm these offsets are accurately valued and properly applied.

4. Peer Approaches

Based on industry observations and client experience, several trends have emerged in how banks are structuring internal audit coverage for SCCL:

  • Annual Audit Plans: For large firms, SCCL is often included in the annual internal audit plan, especially for GSIBs and IHCs of FBOs.
  • Integrated Audits: Some institutions conduct integrated reviews that combine SCCL with related regulatory reporting audits, such as CCAR or FR Y-15. This helps identify data inconsistencies and shared control weaknesses.
  • Layered Oversight: Many banks have a three-lines-of-defense model, where the business performs self-assessments, risk management provides independent oversight, and internal audit performs testing and assurance.
  • Model Validation: Where internal models are used for measuring exposures (e.g., for derivatives or securities financing transactions), leading banks perform periodic independent model validations, even if those models are already approved for capital purposes.

5. GLOBAL ABAS View

At GLOBAL ABAS, we believe that internal audit should take a proactive and risk-focused role in SCCL compliance. Below are key areas where internal audit should focus its efforts:

  • Governance Review: Audit should assess whether SCCL policies and governance structures are up to date and reflect current regulatory expectations.
  • Exposure Testing: Internal audit should test exposure calculations across all relevant product types—loans, SFTs, derivatives, guarantees—to ensure completeness and accuracy.
  • GAAP Consolidation /Regulatory Aggregation: Auditors must evaluate whether the bank has a well-documented and consistently applied process for identifying GAAP-consolidated subsidiaries and affiliates, as well as counterparties subject to economic interdependence and control-based aggregation, in accordance with regulatory requirements.
  • Data Governance: Given the importance of data quality, audit should review how data is sourced, validated, and reported for both daily monitoring and quarterly FR 2590 filings.
  • Risk-Shifting Validation: The use of collateral, guarantees, and hedging to reduce exposure must be carefully reviewed. Audit should confirm these are properly valued and reported under § 252.74 of the rule.
  • Benchmarking: Audit teams should periodically benchmark their SCCL procedures against peer institutions and evolving regulatory expectations. This helps keep audit practices aligned with industry standards and enhances credibility with regulators.

6. Final Thoughts

Internal audit plays a critical role in supporting SCCL compliance. By providing independent assurance on the design and effectiveness of key controls, audit helps prevent compliance breaches and strengthens the overall risk management framework.

In today’s regulatory environment, the Federal Reserve continues to emphasize data integrity, internal controls, and governance. A well-informed and engaged internal audit function can make a real difference in meeting these expectations. For banks subject to SCCL, investing in strong audit coverage is not just good practice—it is a regulatory necessity.

To learn more about how GLOBAL ABAS can support your SCCL compliance program, visit our website or subscribe for future updates.

Disclaimer: This blog post is for informational purposes only and reflects our understanding of the SCCL rule and FR 2590 reporting as of the date of publication. It does not constitute legal, regulatory, or professional advice. Institutions should consult with internal and external advisors and refer directly to the SCCL rule (12 CFR Part 252, Subpart H) and FR 2590 instructions for specific guidance. GLOBAL ABAS disclaims any liability for actions taken or not taken based on this information.

Consult a GLOBAL ABAS Consulting, LLC professional regarding your specific issues and questions. Your feedback will help us improve the SCCL Compliance Lab. Please let us know what you think in the Comment below. Copyright © 2025 GLOBAL ABAS Consulting, LLC. All rights reserved.

Comments

Post a Comment

Popular posts from this blog

GAAP Consolidation vs. SCCL Aggregation: A Two-Step Framework for Identifying a Single Counterparty

Image
GAAP Consolidation vs. SCCL Aggregation: A Two-Step Framework for Identifying a Single Counterparty 1. Overview The Single Counterparty Credit Limits (SCCL) rule sets strict limits on how much credit exposure a large U.S. bank holding company or intermediate holding company (IHC) can have to any single counterparty. To comply with this rule, firms must correctly identify what counts as “a single counterparty.” This is not always straightforward. Some counterparties are part of complex corporate structures. Others may not be consolidated under accounting rules but are still closely tied through control relationship or economic interdependence. The SCCL rule addresses this challenge through a two-step framework: Step 1: Determine the counterparty based on GAAP consolidation (specifically, for the counterparty type of "company"). Step 2: Aggregate additional exposures based on control relationship or economic interdependence. 2. Regulatory Requirement Th...
Read more

What is SCCL? A Beginner’s Guide

Image
What is SCCL? A Beginner’s Guide 1. Overview The Single-Counterparty Credit Limits (SCCL) rule is a key regulation issued by the Federal Reserve. It is designed to make sure that large banks do not take on too much credit risk with any single borrower or trading partner. In simple terms, SCCL limits how much a bank can lend or be exposed to any one counterparty. The goal is to reduce the chance that the failure of a large counterparty, like a major financial institution, could threaten the health of a bank or even the broader financial system. SCCL is part of the broader set of rules under the Dodd-Frank Act aimed at making the financial system safer. You can think of SCCL as a diversification rule for credit exposure. Just like investors are encouraged not to put all their money in one stock, SCCL requires banks to spread their credit risk across different counterparties. 2. Regulatory Requirement The SCCL rule ...
Read more

SCCL vs. Large Exposures Framework: Key Differences

Image
SCCL vs. Large Exposures Framework: Key Differences 1. Overview The Single Counterparty Credit Limits (SCCL) rule and the Basel Large Exposures Framework (LEF) are both designed to reduce the risk that a bank suffers significant losses due to its exposure to a single counterparty. Both frameworks aim to promote financial stability by limiting how much credit risk a bank can have with one firm or group of connected firms. However, while they share a common goal, the U.S. SCCL rule and the Basel LEF differ in how they define exposures, set limits, and require reporting. The Basel LEF sets a global standard. The SCCL rule builds on that foundation but introduces more specific and often stricter requirements in the U.S. context. 2. Regulatory Requirement Basel Large Exposures Framework (LEF): Applies to internationally active banks under Basel III. Limits exposure to any single counterparty or group of connected counterparties to 25% of the bank’s Tier 1 capital. Re...
Read more