On December 21, 2023, the New York Department of Financial Services (“DFS”) published guidance (the “Guidance”) to assist regulated institutions in assessing and managing their climate-related financial and operational risks.

This is a follow-up to DFS’s previous letter published in October 2020, which highlighted the impact of risks from climate change on its regulated institutions. That letter set forth DFS’s expectation that financial institutions start integrating both financial and operational risks from climate change into their governance frameworks, risk management processes, and business strategies.

The Guidance specifically applies to New York State-regulated banking organizations, New York State-licensed branches and agencies of foreign banking organizations, and New York State-regulated mortgage bankers and mortgage servicers (collectively, “Regulated Organizations”). According to the Guidance, Regulated Organizations that are assessing and managing material climate-related financial and operational risks should account for three key themes: the physical and transition risk channels that give rise to climate-related financial risks, the centrality of operational resilience to an institution’s safety and soundness, and the requirement to ensure compliance with all applicable consumer-protection considerations—including fair lending—in adapting the institution’s risk management framework. Physical and transition risks include impacts of disasters such as hurricanes and fires, re-valuation of assets that turn out to be worth less than originally modeled due to changes affecting certain sectors or businesses, and costs to reinvest in and replace infrastructure affected by impacts of climate change.

Despite indicating that many low- and moderate-income (“LMI”) communities and communities of color are harmed disproportionately by climate change and natural disasters, the Guidance goes into detail about the expectation to provide fair lending to all communities and warns Regulated Organizations to keep watch for trends that may harm communities that are already vulnerable. DFS instructs Regulated Organizations to “not base their risk management response to climate change on the concept or practice of disinvesting from low-income communities or communities of color, or by making credit or banking more difficult or expensive for members of these communities to obtain. To ensure that a Regulated Organization manages its compliance risk appropriately, its board should direct management to incorporate consideration of fair-lending and consumer-protection requirements into the organization’s internal processes for management of climate-related financial risk.” Regulated Organizations should also pay attention to their obligations under the NY Community Reinvestment Act to ensure they continue to meet the credit needs of all of the communities they serve.

Generally, DFS expects Regulated Organizations to make strategic changes to their operations in order to manage potential risks associated with climate change, including the following:

  • Corporate Governance. DFS expects that a Regulated Organization’s governance framework will ensure that there is a process in place for identifying, measuring, monitoring, and controlling that organization’s material financial and operational risks associated with climate change, and expects that the organization’s board of directors is appropriately involved in overseeing this framework. A Regulated Organization should consider the types of climate-related financial and operational risks it may be exposed to and analyze which business units or areas would be most affected. The organization can then implement risk-mitigation strategies accordingly. Risk-mitigation strategies should also be reflected in the organization’s policies, procedures, and control plan.
  • Internal Control Framework. DFS expects Regulated Organizations to incorporate climate-related risks across three lines of defense: the risk-taking function, the management function, and the internal audit function. An organization should have sound, comprehensive plans for assessing, monitoring, and mitigating climate-related risks to the organization’s business, customers, and environment. Internal policies and procedures should take climate-related risks into account, and audits should include an independent review of the organization’s climate-related internal control framework.
  • Risk Management Process. DFS expects Regulated Organizations to implement climate-related risk strategies into existing risk management processes, in accordance with the organization’s risk appetite. This includes processes for the organization to identify, measure, monitor, and control climate-related financial and operational risks. Regulated Organizations should consider the possible physical and transition risks of climate change and determine how these risks would impact the business, including changes to credit risk, liquidity risk, market risk, compliance risk, operational risk, and strategic risk.
  • Data Aggregation and Reporting. The Guidance explains that Regulated Organizations should review their data collection and monitoring systems to ensure they are equipped to monitor for climate-related risks.
  • Scenario Analysis. When evaluating its resilience against potential market challenges, a Regulated Organization should incorporate a range of climate scenarios based on assumptions regarding the impact of climate-related financial and operational risks over different time horizons.

DFS advises that it will not set a timeline for implementation of this Guidance, but plans to publish a Request for Information (“RFI”) soliciting information from Regulated Organizations regarding the steps they are taking, or plan to take, to assess and manage their climate-related financial and operational risks. Additionally, DFS plans to coordinate with federal banking regulators to determine when and how to incorporate an assessment of a Regulated Organization’s implementation of this Guidance into supervisory examinations.