The Audit and Risk Committee ("Committee") of the Board of Directors ("Board") of the Federal Reserve Bank of New York ("Bank") operates pursuant to the bylaws of the Bank and consistent with the applicable policies of the Board of Governors of the Federal Reserve System ("Board of Governors"). Through this Charter, the Board delegates certain responsibilities to the Committee to assist the Board in the fulfillment of its duties to the Bank as set forth below.
The Committee is appointed by the Board for the purpose of assisting it in assessing (1) the adequacy and effectiveness of the controls over financial reporting; (2) the qualifications, independence and performance of the Bank's external auditors; (3) the effectiveness, independence and overall performance of the Bank's Internal Audit Group; (4) the adequacy and effectiveness of risk management framework and practices; (5) the adequacy and effectiveness of Bank management's recommendations regarding material risks related to the performance of the strategic and material activities of the Bank; and (6) the adequacy and effectiveness of the Bank’s compliance with legal and regulatory requirements, including those concerning the Bank's responsibilities over the execution of operational activities as related to monetary policy.
The Committee shall consist of no fewer than three members and no more than five members. The members of the Committee shall be appointed by the Board on the recommendation of the Nominating and Corporate Governance Committee. At least one member of the Committee shall also be a member of the Management and Budget Committee of the Board. In no event may the Class A Directors constitute a majority of the Committee's membership. Committee members may be replaced by the Board. Committee assignments are reviewed annually by the Nominating and Corporate Governance Committee.
The members of the Committee shall meet the independence and experience requirements of Section 4 of the Federal Reserve Act and, to the extent not inconsistent therewith, (a) System Letter 2622 (December 20, 2004), as the same may be amended, supplemented, superseded or otherwise modified; (b) the Rules of the New York Stock Exchange; and (c) Section 10A(m)(3) of the Securities Exchange Act of 1934 (the "Exchange Act") and the related rules and regulations of the Securities and Exchange Commission (the "Commission"), including but not limited to Subpart C, Canons of Ethics. At least one member of the Committee shall be a financial expert as defined by the Commission. Additionally, members of the Committee are expected to possess an adequate familiarity with and knowledge of effective risk management practices.
Committee members shall not simultaneously serve on the audit committees of more than two public companies.
The Committee has the authority to meet as often as circumstances require, but not less frequently than quarterly. A majority of the current members of the Committee shall constitute a quorum for the transaction of business, and action at a meeting by the Committee shall be upon the vote of a majority of those present at any meeting at which a quorum is present.
The Committee shall meet at least once per year with each of the Bank’s external auditor and the Bank's General Counsel. To foster open communication, the Committee shall meet periodically with the Chief Risk Officer, the Chief Compliance & Ethics Officer, the General Auditor, the President and First Vice President, and the external auditor in separate executive sessions. The Committee may request any Officer or employee of the Bank or the Bank’s outside counsel or external auditor to attend a meeting of the Committee or to meet with any members of, or consultants to, the Committee.
The Corporate Secretary, in consultation with and subject to the oversight of the General Auditor, the Chief Risk Officer, and the Committee Chair, will prepare and distribute meeting agendas and other briefing materials to Committee members in advance of meetings. The Corporate Secretary, in consultation with and subject to the oversight of the General Auditor, will ensure that meeting minutes are prepared.
The Committee may transact business through notational voting subject to the following restrictions:
- notational voting shall be allowed only for routine matters, such as the annual approval of Committee charters;
- the decision to allow notational voting on any particular matter shall be subject to the approval of the Chair of the Committee;
- only actual votes shall be counted - silence shall not be interpreted as consent; and
- action by the Committee pursuant to notational voting shall be upon a vote of a majority of the Committee members and can be made in writing or by electronic transmission.
- Financial Statement and Disclosure Matters
The Committee is responsible for assisting the Board of Directors in assessing the adequacy and effectiveness of the controls over financial reporting. In this regard, the Committee shall:
- Ensure that the Internal Audit Group has appropriate access to the documents and individuals needed to accomplish their assigned responsibilities.
- Ensure that the second line function supporting the Chief Financial Officer has appropriate access to the documents and individuals needed to accomplish their assigned responsibilities.
- Review with management, including the Chief Financial Officer, and the external auditor the annual audited financial statements in both draft and final form and discuss any issues arising with respect to accuracy, fraud, or other irregularities.
- Discuss with management, including the Chief Financial Officer, and the external auditor significant financial reporting issues and judgments made in connection with the preparation of the Bank’s financial statements, including any significant changes in the Bank’s selection or application of accounting principles, any major issues as to the adequacy of the Bank’s internal controls and any special steps adopted in light of material control deficiencies.
- Discuss with management and the external auditor any correspondence with any governmental agencies and any published reports that raise material issues regarding the Bank’s financial statements or accounting policies.
- Discuss with the Bank’s General Counsel legal matters that may have a material impact on the financial statements.
- Review and discuss reports from the external auditors on:
  - All critical accounting policies and practices to be used.
  - All alternative treatments of financial information within generally accepted accounting principles that have been discussed with management, ramifications of the use of such alternative disclosures and treatments, and the treatment preferred by the external auditor.
  - Other material written communications between the external auditor and management, such as any management letter or schedule of unadjusted differences.
- Discuss with management and the external auditor any off-balance sheet structures on the Bank’s financial statements.
- Discuss with the external auditor any difficulties encountered in the course of the audit work, any restrictions on the scope of activities or access to requested information, and any significant disagreements with management.
- Review disclosures made to the Committee by the Bank's President, First Vice President and the Bank's Chief Financial Officer during their certification process about any significant deficiencies in the design or operation of internal controls in financial reporting or material weaknesses therein and any fraud involving management or other employees who have a significant role in the Bank’s internal controls with respect to financial reporting.
- Review and approve any significant deviations from financial accounting practices.
- Oversight of Bank's Relationship with the External Auditor
The Committee is responsible for assisting the Board of Directors in assessing the external auditor's qualifications and independence. In this regard, the Committee shall:
- Consult with the Board of Governors with regard to the selection, compensation and performance of the external auditor, and shall do so at least annually. The Committee shall recommend, if necessary, the termination of the external auditor. The Committee shall be responsible for the oversight of the work of the external auditor (including resolution of disagreements between management and the external auditor regarding financial reporting) for the purpose of preparing or issuing an audit report or related work. The external auditor shall report directly to the Committee.
- Pre-approve all services, auditing and non-auditing (including the fees and terms thereof), to be performed for the Bank by its external auditor that fall outside the scope of its engagement as the Bank’s external auditor, subject to de minimis exceptions which are approved by the Committee prior to the completion of the audit.
- Review and evaluate the lead partner of the external auditor team.
- Obtain and critically evaluate a report from the external auditor at least annually regarding:
  - the external auditor’s internal quality-control procedures,
  - any material issues raised by the most recent internal quality-control review, or peer review, of the firm, or by any inquiry or investigation by governmental or professional authorities within the preceding five years respecting one or more external audits carried out by the firm,
  - any steps taken to deal with any such issues, and
  - all relationships between the external auditor and the Bank.
- Evaluate the qualifications, performance and independence of the external auditor, including considering whether the auditor’s quality controls are adequate. The Committee shall present its conclusions with respect to the external auditor to the Board.
- Ensure the rotation of the lead (or coordinating) audit partner having primary responsibility for the audit and the audit partner responsible for reviewing the audit at least once every five years and in a manner otherwise consistent with the requirements of the laws applicable to public companies.
- Discuss with the national office of the external auditor issues on which they were consulted by the Bank’s internal audit team and matters of audit quality and consistency.
- Oversight of Internal Audit
The Committee is responsible for assisting the Board of Directors in assessing the performance of the Bank's Internal Audit Group ("Internal Audit"). In this regard, the Committee shall:
- Review and approve the Internal Audit Group Charter at least annually.
- Recommend to the Board the appointment and termination (including separation payments) of the General Auditor, and to concur with any reassignment of the General Auditor to another position in the Bank.
- Formally evaluate the performance of the General Auditor, following the guidelines set forth by the Bank for evaluating the performance of other Officers.
- Recommend to the Board, or a designated subset of the Board, all actions affecting the salary or classification of the General Auditor.
- Approve all actions affecting the salary or classification of other Officers assigned to Internal Audit.
- Ensure that the General Auditor is not dependent on any Bank Officer for the security of his or her position and has access to the Board on a confidential basis.
- Ensure that Internal Audit is independent of Bank management, both by intent and actual practice.
- Review the independence and effectiveness of Internal Audit to ensure that it operates in accordance with applicable and appropriate professional standards, including those endorsed by the Institute of Internal Auditors.
- Review and approve the General Auditor’s Annual Audit Plan and any material changes to it.
- Review the reports to management prepared by Internal Audit for matters deemed significant by the General Auditor and management’s response to such reports.
- Review Internal Audit’s assessment of the Bank’s risk management practices.
- Bring before the Board any matters reported by the Board of Governors, General Auditor, or external auditors that warrant the Board’s attention, and ensure that audit recommendations and concerns receive proper attention by Bank management.
- Discuss with the external auditor and management, Internal Audit’s responsibilities, budget and staffing and any recommended changes in the planned scope of Internal Audit.
- Annually, the Chair of the Audit and Risk Committee shall consult with the Chair of the Management and Budget Committee regarding the adequacy of the budget for Internal Audit.
- Oversight of the Bank's Risk Management Framework
The Committee is responsible for assisting the Board of Directors in assessing the adequacy and effectiveness of: the Bank’s risk management framework and practices; Bank management’s recommendations regarding material risks related to the performance of the strategic and material activities of the Bank; and the Bank’s compliance with legal and regulatory requirements and those concerning the Bank’s responsibilities over the execution of operational activities as related to monetary policy. In this regard, the Committee shall:
- Ensure that the Chief Risk Officer has sufficient authority, seniority, and resources within the organization; is independent from individual business units within the Bank; is not dependent on any Bank Officer other than the President and First Vice President for the security of his or her respective position; and has access to the Board and the Committee on a confidential basis.
- Ensure that the Chief Compliance & Ethics Officer has sufficient authority, seniority, and resources and is sufficiently independent from individual business units within the Bank.
- Provide oversight, guidance and feedback to Bank management regarding material risks related to the performance of the strategic and material activities of the Bank. The Committee shall receive reports on these matters, including but not limited to annual reporting from the Federal Reserve Financial Services Enterprise and Federal Reserve System Chief Payments Executive.
- In coordination with the Management and Budget Committee of the Board of Directors, review on behalf of the Board of Directors management recommendations relating to the Bank’s material and strategic activities and businesses, and the risks related thereto.
- Receive reports and briefings from Bank senior management, including the Chief Risk Officer, General Counsel, Chief Compliance & Ethics Officer, the General Auditor, and other senior management of other significant business activities, regarding the Bank’s compliance with:
  - risk management frameworks and risk and compliance related policies,
  - applicable legal requirements,
  - the Bank's Code of Conduct, and
  - the Bank's Personal Trading Compliance Policy.
- Receive and discuss periodic reports from senior management on the Bank’s cyber program and cyber risks.
- Obtain reports from senior management regarding the alignment of the Bank’s strategic objectives with its risk tolerances, risk management framework, and risk-related policies.
- Obtain from the Chief Compliance & Ethics Officer an assessment of the potential for or actual occurrences of fraud within the organization. Such reports should include, among other things, the Bank’s process for communicating the Code of Conduct to employees and officers and compliance therewith, and the Bank’s investigation and follow-up regarding instances of non-compliance and/or fraud.
- Discuss with management the Bank’s major risks across the Bank's principal risk types (operational, technology, compliance, financial, legal, financial statement reporting, strategic, and reputational) including management’s assessment of these risks, effectiveness of internal controls, and steps management has taken to respond to and monitor such risks.
- Review and discuss with management assessments of risk management capabilities and the effectiveness of the risk management framework provided by the organization.
- Discuss with the Chief Risk Officer and the General Auditor the Bank’s major risks across the Bank’s principal risk types (for legal risk, discuss with the General Counsel) including independent assessments of these risks relative to risk tolerances, effectiveness of internal controls, and steps management has taken to respond to and monitor such risks.
- Understand how the Bank's internal audit work plan is aligned with the risks that have been identified in the Bank's risk profile.
- Obtain from the General Auditor an independent and objective assessment of (1) the adequacy and effectiveness of the risk management framework and risk-related policies, (2) the adequacy and effectiveness of the Bank’s compliance with the risk management framework and risk-related policies, (3) the adequacy and effectiveness of the Bank’s compliance with legal and regulatory requirements and those relating to the Bank’s responsibilities for the execution of operational activities relating to monetary policy, and (4) compliance with requirements relating to the strategic and material activities of the Bank.
- Answer external auditors' questions, including those about risks (including fraud) and whether Committee members have knowledge of risk (or fraud or suspect fraud) affecting the Bank.
- Review procedures and receive reports for the receipt, retention and treatment of complaints and issues raised through the FRBNY Integrity Hotline and employee complaints protected under the Bank’s whistleblower policies.
- At least every three years, the Committee shall discuss with the full Board the Committee’s assessment of the Bank’s risk management framework, including methods for risk identification, analysis, response, communication, monitoring, and escalation.
- Annually or after any interim updates, the Committee shall approve the Bank’s Risk Tolerance Statement.
- At least every three years, the Committee shall approve the Bank’s Risk Management Framework.
- Other / Additional Responsibilities
- The Committee shall receive reports from the General Counsel or the Corporate Secretary regarding risk events involving the Board of Directors, an individual Director, and/or the General Auditor, including but not limited to a waiver of any applicable policy. The Committee shall be responsible for ensuring that risks involving the full Board, a Director, or the General Auditor are being properly managed by the person or entity responsible, including, where applicable, the full Board, a Board committee, an individual Board member, and/or senior Bank management.
- The Committee shall make regular reports to the Board and ensure that all audit recommendations and concerns receive proper attention by Bank management.
- The Committee shall review and reassess the adequacy of this Charter annually, confirm that all responsibilities outlined therein have been carried out, and recommend any proposed changes to the Board for approval.
- The Committee shall perform an annual self-evaluation of the Committee’s performance of its responsibilities as stated in the Bank’s bylaws and this Charter and determine whether obtaining an assessment by the General Auditor or other outside party would provide a useful additional perspective.
- The Committee shall have the authority, to the extent it deems necessary or appropriate, to retain independent legal, accounting or other advisors, with sufficient funding provided by the Bank to retain any such advisors.
- The Committee shall have the power to authorize investigations into any matters within the Committee’s scope of responsibility.
- If the Conference of General Auditors appoints the Bank’s General Auditor as a Coordinating General Auditor for a System endeavor, the Committee shall consider whether that appointment creates new or additional responsibilities for the Committee. If the appointment creates new or additional responsibilities, the Committee shall make a report to the Board on how it will address those responsibilities.
- Limitation of Audit and Risk Committee's Role
While the Committee has the responsibilities and powers set forth in this Charter, it is not the duty of the Committee to plan or conduct audits or to determine that the Bank’s financial statements and disclosures are complete and accurate and are in accordance with generally accepted accounting principles and applicable rules and regulations. These are the responsibilities of management and the external auditor.
Additionally, the Committee does not participate in activities pertaining to the development of monetary policy or the supervision and regulation of financial institutions, and does not receive confidential supervisory information.
Effective as of December 14, 2023