This bill amends the Financial Stability Act of 2010 to create a statutory Chief Risk Officer (CRO) role for firms covered by section 165(h) and for certain large banks that do not have a bank holding company. The CRO must be appointed from personnel with experience managing risk at large, complex financial firms and is given explicit enterprise-wide responsibilities for risk limits, governance, controls, and the integration of risk with compensation.
The statute also imposes strict reporting and vacancy procedures: the CRO must report up to both the company’s risk committee and its CEO, regulators must be notified swiftly of any vacancy, and prolonged vacancies trigger public disclosure and a freeze on the company’s ability to expand its total assets until the post is filled. The measure is designed to centralize accountability for enterprise risk and give supervisors clearer levers to address governance gaps.
At a Glance
What It Does
The bill inserts a new, defined CRO requirement into section 165(h): firms must appoint an experienced CRO responsible for enterprise-wide risk limits, governance, controls, and monitoring. The CRO must report both to the company’s risk committee and to the CEO and must surface emerging risks and deficiencies promptly.
Who It Affects
Large bank holding companies and nonbank financial companies covered by section 165(h), plus banks without a holding company that meet the bill’s asset threshold. Primary financial regulators (including the Board of Governors for certain nonbanks) will supervise implementation and compliance.
Why It Matters
It converts what has often been a best-practice governance feature into a statutory, enforceable obligation with operational consequences for vacancies and failures to remediate deficiencies. That raises hiring, compensation, succession-planning, and compliance costs for the largest firms while giving regulators a clearer path to hold firms accountable.
What This Bill Actually Does
The bill amends the statutory language that governs heightened supervision of the largest U.S. financial firms by adding a defined Chief Risk Officer role into the fabric of section 165(h). Rather than leaving the contours of a risk executive to voluntary corporate practice or supervisory guidance, the statute prescribes the appointment of a CRO with enterprise-wide responsibility for setting and enforcing risk limits, establishing risk-management governance and controls across global operations, and ensuring processes exist to identify, report, and remediate emerging risks and deficiencies.
In practical terms, firms covered by the statute will need to move beyond a decentralized or advisory risk function to a centralized, executive-level role that is explicitly charged with independence, reporting, and integration of risk metrics into management and compensation. The CRO must be drawn from individuals experienced in large, complex financial firms; the statute emphasizes operational responsibilities such as monitoring, testing risk controls, and assigning managerial responsibility for risk tasks.
The position’s explicit linkage to compensation design and the independence requirement mean firms will have to document governance structures and compensation policies showing that risk outcomes influence pay and that the CRO’s function is insulated from commercial conflicts. The bill gives regulators concrete tools to police the role: firms must notify supervisors promptly of vacancies and submit plans to fill them, and failure to replace a CRO within the statutory window triggers mandated public disclosure and a restriction on the company’s ability to grow consolidated assets until the vacancy is filled. For banks without a holding company that meet the stated asset threshold, the statute requires regulators to impose the same risk-committee and CRO obligations — closing a supervisory gap that had allowed some large, independent banks to operate without these formal structures.
Finally, the bill clarifies which agency serves as the primary regulator for certain nonbank firms so there is a clear supervisory home for enforcement and rulemaking.
The Five Things You Need to Know
The bill adds a statutory Chief Risk Officer requirement into 12 U.S.C. 5365(h), eliminating the statute’s prior limitation tied to a firm’s public trading status.
The CRO must report directly to both the company’s risk committee and the chief executive officer and is responsible for identifying and remediating risk-management deficiencies.
If the CRO post becomes vacant the company must notify its primary federal and relevant state supervisors within 24 hours and submit a hiring plan within 7 days.
If a company does not fill a CRO vacancy within 60 days it must publicly disclose the prolonged vacancy and is prohibited from increasing its total consolidated assets above the level at the vacancy date until the position is filled.
Regulators must apply the same risk-committee and CRO requirements to banks that lack a bank holding company but have consolidated assets at or above the bill’s specified $50 billion threshold; the Board of Governors is designated the primary regulator for covered nonbank firms supervised by the Fed.
Section-by-Section Breakdown
Remove 'publicly traded' limitation and add CRO appointment requirement
The bill deletes language that limited certain governance requirements to 'publicly traded' companies, broadening statutory coverage. It then requires covered companies to 'appoint a chief risk officer,' directly changing who must comply and expanding the population of firms subject to heightened governance obligations. Practically, this means privately held financial firms that were previously outside the phrasing of section 165(h) may now be forced to create and staff an executive risk role.
Statutory baseline for who can serve as CRO
This provision requires firms to choose a CRO from individuals with experience identifying, assessing, and managing risks at large, complex financial firms. The language sets a qualitative hiring standard rather than a strict credential or license. Firms will need to document candidates’ experience and demonstrate to supervisors that appointees possess the practical knowledge required for enterprise-scale risk oversight.
Defined enterprise-wide duties for the CRO
The statute enumerates responsibilities: setting and monitoring enterprise risk limits, developing risk-management governance and procedures for global operations, building processes to identify and report emerging risks and deficiencies, ensuring independence of the risk function, assigning managerial responsibility for risk tasks, and integrating risk management with compensation. That list turns many best-practice functions into enforceable obligations firms must operationalize and evidence in audits, board materials, and supervisory exams.
Dual reporting and strict vacancy-response timeline
The bill requires the CRO to report to both the risk committee and the CEO and to report deficiencies and emerging risks promptly. On vacancy, firms must notify regulators within 24 hours and deliver a hiring plan within 7 days. If the firm fails to hire within 60 days it must publicly disclose the prolonged vacancy and is restricted from expanding total consolidated assets above the vacancy-date level until the CRO is in place. These procedural rules create immediate supervisory touchpoints and a blunt operational consequence for prolonged leadership gaps.
Application to large banks without bank holding companies and primary-regulator designation
Regulators must issue rules bringing banks that lack a bank holding company but meet the bill’s $50 billion-asset threshold into the same risk-committee/CRO framework. The bill also designates the Board of Governors as the primary regulator for nonbank financial companies supervised by the Fed, clarifying the supervisory home for enforcement, rulemaking, and examinations related to these new statutory duties.
Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Risk committees and boards — gain a clear statutory partner and reporting channel (the CRO) to enforce enterprise-wide risk limits and to receive formal, mandated reporting on emerging risks and remediation timelines.
- Regulators and supervisors — obtain explicit statutory tools (mandatory appointment, notification timelines, and the asset-growth restriction) that strengthen enforcement leverage when governance or staffing gaps appear.
- Depositors and counterparties — benefit from stronger, centralized risk oversight at large firms, which should reduce the probability that unmanaged enterprise risks cascade into failures that affect customers and the financial system.
Who Bears the Cost
- Large financial firms (bank holding companies and covered nonbank firms) — face hiring, documentation, governance, and reporting costs to implement the CRO role and demonstrate compliance to supervisors.
- Banks without holding companies above the asset threshold — will incur new compliance and governance obligations they may not currently staff, including forming risk committees and creating succession plans.
- Shareholders and compensation committees — may see short-term pressure as firms adjust pay structures to integrate risk outcomes and to protect the independence of the CRO, potentially changing incentive schemes and pay levels.
- Regulatory agencies — will experience increased supervisory workload to review qualifications, vacancy plans, remediation timelines, and to enforce the statutory vacancy and asset-growth restrictions.
Key Issues
The Core Tension
The central tension is between stronger, statutory centralization of risk accountability (a visible, enforceable CRO) and the risk of creating rigid, blunt enforcement mechanics (vacancy-triggered asset caps and near-immediate public disclosure) that can produce gaming, talent shortages, or unintended operational constraints on otherwise healthy firms.
The bill creates clear benefits — a named executive with statutorily defined duties — but also introduces sharp implementation and enforcement questions. The vacancy penalty (public disclosure plus an asset-growth cap) is an unusually blunt compliance lever.
It creates a strong incentive to fill the role quickly, but it also risks perverse outcomes: firms might install interim or minimally qualified appointees to restore asset-growth flexibility, or conversely delay necessary transactions while searching for a candidate who meets supervisors’ expectations. That dynamic could impede normal business decisions or prompt short-term staffing fixes that undermine the goal of genuine independence and competence.
Another friction point is scope and calibration. By removing the "publicly traded" limitation and applying requirements to banks without holding companies above a numerical threshold, the bill expands coverage into private firms and unconventional corporate structures.
Those firms may not have existing governance layers (audit and risk committees, compensation frameworks) that publicly traded firms use to support an independent CRO, creating administrative burden and legal ambiguity about how independence and compensation-integration standards will be measured. Regulators will need to define terms such as "experience in identifying, assessing, and managing risk exposures" and what qualifies as "timely" remediation — standards that will drive hiring markets and enforcement outcomes but are not spelled out in the text.