§ 1239.10 - Code of conduct and ethics.

(a) General. A regulated entity shall establish and administer a written code of conduct and ethics that is reasonably designed to assure that its directors, officers, and employees discharge their duties and responsibilities in an objective and impartial manner that promotes honest and ethical conduct, compliance with applicable laws, rules, and regulations, accountability for adherence to the code, and prompt internal reporting of violations of the code to appropriate persons identified in the code. The code also shall include provisions applicable to the regulated entity's principal executive officer, principal financial officer, principal accounting officer or controller, or persons performing similar functions, that are reasonably designed to promote full, fair, accurate, and understandable disclosure in reports and other documents filed with the Securities and Exchange Commission and in other public communications reporting on the entity's financial condition.

(b) Review. Not less often than once every three years, a regulated entity shall review the adequacy of its code of conduct and ethics for consistency with practices appropriate to the entity and make any appropriate revisions to such code.

§ 1239.11 - Risk management.

(a) Risk management program—(1) Adoption. Each regulated entity's board of directors shall approve, have in effect at all times, and periodically review an enterprise-wide risk management program that establishes the regulated entity's risk appetite, aligns the risk appetite with the regulated entity's strategies and objectives, addresses the regulated entity's exposure to credit risk, market risk, liquidity risk, business risk and operational risk, and complies with the requirements of this part and with all applicable FHFA regulations and policies.

(2) Risk appetite. The board of directors shall ensure that the risk management program aligns with the regulated entity's risk appetite.

(3) Risk management program requirements. The risk management program shall include:

(i) Risk limitations appropriate to each business line of the regulated entity;

(ii) Appropriate policies and procedures relating to risk management governance, risk oversight infrastructure, and processes and systems for identifying and reporting risks, including emerging risks;

(iii) Provisions for monitoring compliance with the regulated entity's risk limit structure and policies relating to risk management governance, risk oversight, and effective and timely implementation of corrective actions; and

(iv) Provisions specifying management's authority and independence to carry out risk management responsibilities, and the integration of risk management with management's goals and compensation structure.

(b) Risk committee. The board of each regulated entity shall establish and maintain a risk committee of the board of directors that assists the board in carrying out its duties to oversee the enterprise-wide risk management program at the regulated entity.

(1) Committee structure. The risk committee shall:

(i) Be chaired by a director not serving in a management capacity of the regulated entity;

(ii) Have at least one member with risk management experience that is commensurate with the regulated entity's capital structure, risk appetite, complexity, activities, size, and other appropriate risk-related factors;

(iii) Have committee members that have, or that will acquire within a reasonable time after being elected to the committee, a practical understanding of risk management principles and practices relevant to the regulated entity;

(iv) Fully document and maintain records of its meetings, including its risk management decisions and recommendations; and

(v) Report directly to the board and not as part of, or combined with, another committee.

(2) Committee responsibilities. The risk committee shall:

(i) Periodically review and recommend for board approval an appropriate enterprise-wide risk management program that is commensurate with the regulated entity's capital structure, risk appetite, complexity, activities, size, and other appropriate risk-related factors;

(ii) Receive and review regular reports from the regulated entity's chief risk officer, as required under paragraph (c)(5) of this section; and

(iii) Periodically review the capabilities for, and adequacy of resources allocated to, enterprise-wide risk management.

(c) Chief Risk Officer—(1) Appointment of a chief risk officer (CRO). Each regulated entity shall appoint a CRO to implement and maintain appropriate enterprise-wide risk management practices for the regulated entity.

(2) Organizational structure of the risk management function. The CRO shall head an independent enterprise-wide risk management function, or unit, and shall report directly to the risk committee and to the chief executive officer.

(3) Responsibilities of the CRO. The CRO shall be responsible for the enterprise-wide risk management function, including:

(i) Allocating risk limits and monitoring compliance with such limits;

(ii) Establishing appropriate policies and procedures relating to risk management governance, practices, and risk controls, and developing appropriate processes and systems for identifying and reporting risks, including emerging risks;

(iii) Monitoring risk exposures, including testing risk controls and verifying risk measures; and

(iv) Communicating within the organization about any risk management issues and/or emerging risks, and ensuring that risk management issues are effectively resolved in a timely manner.

(4) The CRO should have risk management expertise that is commensurate with the regulated entity's capital structure, risk appetite, complexity, activities, size, and other appropriate risk-related factors.

(5) The CRO shall report regularly to the risk committee and to the chief executive officer on significant risk exposures and related controls, changes to risk appetite, risk management strategies, results of risk management reviews, and emerging risks. The CRO shall also report regularly on the regulated entity's compliance with, and the adequacy of, its current risk management policies and procedures, and shall recommend any adjustments to such policies and procedures that he or she considers necessary or appropriate.

(6) The compensation of a regulated entity's CRO shall be appropriately structured to provide for an objective and independent assessment of the risks taken by the regulated entity.

§ 1239.12 - Compliance program.

A regulated entity shall establish and maintain a compliance program that is reasonably designed to assure that the regulated entity complies with applicable laws, rules, regulations, and internal controls. The compliance program shall be headed by a compliance officer, however styled, who reports directly to the chief executive officer. The compliance officer also shall report regularly to the board of directors, or an appropriate committee thereof, on the adequacy of the entity's compliance policies and procedures, including the entity's compliance with them, and shall recommend any revisions to such policies and procedures that he or she considers necessary or appropriate.

§ 1239.13 - Regulatory reports.

(a) Reports. Each regulated entity shall file Regulatory Reports with FHFA in accordance with the forms, instructions, and schedules issued by FHFA from time to time. If no regularly scheduled reporting dates are established, Regulatory Reports shall be filed as requested by FHFA.

(b) Definition. For purposes of this section, the term Regulatory Report means any report to FHFA of information or raw or summary data needed to evaluate the safe and sound condition or operations of a regulated entity, or to determine compliance with any:

(1) Provision in the Bank Act, Safety and Soundness Act, or other law, order, rule, or regulation;

(2) Condition imposed in writing by FHFA in connection with the granting of any application or other request by a regulated entity; or

(3) Written agreement entered into between FHFA and a regulated entity.

§ 1239.14 - Strategic business plan.

(a) Adoption of strategic business plan. Each board of directors shall adopt and have in effect at all times a strategic business plan for the regulated entity that describes, at a minimum, how the significant business activities of the regulated entity will achieve its mission and public purposes consistent with its authorizing statute, the Safety and Soundness Act, and, in the case of a Bank, part 1265 of this chapter. Specifically, each regulated entity's strategic business plan shall at a minimum:

(1)(i) In the case of a Bank, articulate measurable goals and objectives for each significant business activity and for all authorized new business activities, which must include plans for maximizing activities that further the Bank's housing finance and community lending mission, consistent with part 1265 of this chapter;

(ii) In the case of an Enterprise, articulate measurable goals and objectives for each significant existing activity and for significant authorized new activities;

(2) Discuss how the regulated entity will address credit needs and market opportunities identified through ongoing market research and stakeholder consultations;

(3) Describe any significant activities in which the regulated entity is planning to be engaged, including any significant changes to business strategy or approach that the regulated entity is planning to undertake, and discuss how such activities would further the regulated entity's mission and public purposes;

(4)(i) In the case of a Bank, be supported by appropriate and timely research and analysis of relevant market developments and member and housing associate demand for Bank products and services;

(ii) In the case of an Enterprise, be supported by appropriate and timely research and analysis of relevant market developments; and

(5) Identify current and emerging risks associated with the regulated entity's significant existing activities or new activities, and discuss how the regulated entity plans to address such risks while furthering its public purposes and mission in a safe and sound manner.

(b) Review and monitoring. Each board of directors shall:

(1) Review the regulated entity's strategic business plan at least annually;

(2) Re-adopt the strategic business plan for the regulated entity at least every three years; and

(3) Establish management reporting requirements and monitor implementation of the strategic business plan and the goals and objectives contained therein.

[83 FR 52954, Oct. 19, 2018]