CFP Governance: Roles, Responsibilities & Board Reporting

Most contingency funding plans look fine on paper. Clear liquidity stress scenarios. Multiple tranches of contingent funding sources. A tiered activation framework. Professionally formatted.

Then the examiner asks: “Who pulls the trigger? What criteria authorize moving from monitoring mode to activation? When did you last confirm that your repo counterparties and Fed discount window access are actually operational?” And the room gets quiet.

CFP governance failures aren’t design failures — they’re execution failures. The plan exists but doesn’t have an owner with authority. Triggers exist but aren’t tied to anything being monitored. The funding sources are listed but haven’t been tested in 18 months. The board approved the CFP three years ago and hasn’t seen it since.

This is what regulators find when they actually examine CFP programs, and it’s what separates a defensible CFP from a document that sits in a policy repository until the moment you need it most.

TL;DR

• FINRA Regulatory Notice 15-33 and the 2010 Interagency Policy Statement (SR 10-6) both emphasize governance — not just CFP content — as a core examination focus
• Effective CFP governance requires clear role assignment at three levels: board oversight, ALCO/committee operational governance, and named individual accountability for execution
• Board reporting should include liquidity metrics, stress test results, and CFP readiness status — at minimum annually, more frequently during elevated stress periods
• The most common exam finding isn’t a missing CFP — it’s a CFP with no documented trigger criteria and no evidence of operational testing
• Governance gaps tell regulators one thing: the CFP is compliance documentation, not a real operating plan

The Regulatory Foundation for CFP Governance

Two foundational documents set the regulatory expectation for CFP governance: the 2010 Interagency Policy Statement on Funding and Liquidity Risk Management and FINRA Regulatory Notice 15-33.

2010 Interagency Policy Statement (SR 10-6)

The 2010 Interagency Policy Statement — issued jointly by the OCC, Federal Reserve, FDIC, OTS, and NCUA, transmitted via Federal Reserve SR Letter 10-6 — established the interagency framework for liquidity risk management that remains the foundational regulatory benchmark for banks and credit unions.

On governance, the policy statement is direct: institutions should manage liquidity risk using processes and systems that include effective governance and management oversight, adequate policies, procedures, and limits, and strong management information systems for measuring, monitoring, reporting, and controlling liquidity risk.

The policy statement places the board at the top of the governance structure: responsible for understanding and approving the institution’s liquidity risk tolerance, ensuring that senior management maintains an effective risk management program, and receiving sufficient information to carry out its oversight responsibilities.

In July 2023, following the failures of Silicon Valley Bank, Signature Bank, and First Republic, the agencies issued an addendum (OCC Bulletin 2023-25, Federal Reserve press release July 28, 2023) with a specific operational readiness checklist. The addendum directly reflects what regulators found when they reviewed SVB: a bank that had crossed the $100 billion threshold, became subject to Enhanced Prudential Standards, repeatedly failed its own Internal Liquidity Stress Tests — and had never tested its capacity to borrow at the Fed discount window. When the bank run hit, SVB couldn’t access liquidity it had assumed would be available.

The 2023 addendum’s checklist is now an examiner benchmark:

• Assess current funding stability
• Maintain diverse funding sources readily available under adverse circumstances
• Verify the readiness of contingency borrowing lines — specifically test discount window and FHLB access, not just list them
• Plan timely movement and posting of collateral
• Continuously evaluate and adapt funding plans as conditions change

For any institution that lists the Fed discount window or FHLB advances in its CFP: if you haven’t tested the operational mechanics of accessing those sources, SVB is the case study for why that gap becomes catastrophic under stress.

FINRA Regulatory Notice 15-33

FINRA Regulatory Notice 15-33 provides liquidity risk management guidance for broker-dealers, based on FINRA’s liquidity stress testing program. On governance, the notice identifies several characteristics of a well-developed CFP:

• A governance process around stress test results: Clear criteria for when results should be escalated and discussed with senior management, appropriate management committees, board committees, or the full board
• A written liquidity plan with an activation governance process: Not just the plan itself, but documented procedures for determining when to implement it
• Operational readiness: The operational processes needed to carry out the plan must actually exist and be tested — not just described
• Transition trigger criteria: Clear criteria for when a firm shifts from business-as-usual liquidity management to contingent funding mode

The notice describes these as best practices, but FINRA examiners treat them as examination standards. Firms that cannot demonstrate governance processes aligned to Regulatory Notice 15-33 will receive findings.

The Three-Level CFP Governance Structure

Effective CFP governance operates at three levels, each with distinct accountability.

Level 1: Board Oversight

The board holds ultimate accountability for the institution’s liquidity risk tolerance and CFP oversight. Board-level responsibilities include:

In practice, board-level CFP oversight typically runs through a board Risk Committee or Finance Committee, which handles the substantive review before full board approval. The key examination question is whether the board received meaningful information — not just a one-page attestation that the CFP was reviewed.

Level 2: Management Committee (ALCO or Equivalent)

For most institutions with a formal Asset Liability Committee, ALCO serves as the primary operational governance body for CFP oversight. For smaller broker-dealers without a formal ALCO, the CFO and CRO (or equivalent roles) typically fill this function.

ALCO’s CFP responsibilities include:

ALCO minutes should document CFP-related discussions with enough specificity to show that liquidity metrics were reviewed, not just acknowledged. Regulators read ALCO minutes. Generic minutes that record attendance and a brief “liquidity position reviewed and found satisfactory” will not demonstrate meaningful governance.

Level 3: Named Individual Accountability

Every CFP needs a designated owner — not a committee, not a department, but a specific person with authority and accountability. Common ownership structures:

• CFO or Treasurer: Most common at banks and broker-dealers; holds P&L accountability and funding relationships with counterparties
• Chief Risk Officer: Appropriate where the CFP is embedded in the enterprise liquidity risk management framework, with the CRO managing the trigger monitoring and stress testing functions
• Dual accountability: Some institutions separate the “plan owner” (Treasurer, responsible for funding source readiness) from the “trigger owner” (CRO, responsible for monitoring early warning indicators and recommending escalation)

What matters is that the ownership is documented, the owner has been briefed on the plan’s contents and their responsibilities, and the owner is still at the firm. Stale ownership is one of the most avoidable governance gaps in CFP programs.

Trigger Criteria: The Most Common Gap

The activation trigger framework is where CFP governance most commonly fails examination scrutiny.

A well-structured CFP has two types of triggers:

Qualitative triggers: Events that by their nature require CFP review or activation regardless of whether metrics have breached quantitative thresholds. Examples:

• Rating agency downgrade of the institution or a major counterparty
• Regulatory action (formal enforcement order, consent order)
• Significant adverse press coverage or social media attention
• Failure of a key clearing bank or prime broker relationship

Quantitative triggers: Metrics-based thresholds derived from the stress test scenarios. Examples:

• Net liquidity outflow exceeding X% of liquid assets
• Liquid asset buffer falling below $X million
• Specific early warning indicators breaching pre-defined levels (repo haircut increases, counterparty funding line availability, customer deposit runoff rate)

Both types need to be documented, monitored, and tied to named individuals with authority to escalate and activate. A CFP that lists triggers but doesn’t specify who monitors them or who has authority to pull the activation lever isn’t operationally ready.

The connection between early warning indicators and CFP triggers is worth explicit attention: your early warning indicator monitoring (the dashboards, the metric reporting, the weekly/monthly review) should feed directly into the CFP governance process. If your EWI monitoring and your CFP activation criteria are managed by different people with no documented handoff, that’s an exam finding waiting to happen.

Board Reporting: What to Include

Board reports on CFP status don’t need to be long, but they need to be substantive. Regulators looking at board reports assess whether the board was receiving information sufficient to exercise meaningful oversight — not just information sufficient to check a box.

A defensible board-level CFP report should include:

1. Current liquidity position summary — How does current liquidity compare to the institution’s stress scenario buffers? Are any early warning indicators elevated?

2. Contingent funding source status — For each major source (repo facilities, Fed discount window, FHLB access, committed credit lines), confirm: Is the facility current? Has it been tested within the past 12 months? What is the confirmed available capacity?

3. Stress test results summary — How does the institution perform under its key stress scenarios? Has anything changed since the last board review that would affect scenario results?

4. CFP plan maintenance status — When was the CFP last reviewed and updated? Are roles and responsibilities current? Have there been any business changes that require plan updates?

5. Testing and exercise results — When was the CFP last tested operationally? What were the findings? What actions were taken?

Reporting frequency — what the 2010 Interagency Policy Statement actually requires:

This is a common source of confusion. The annual requirement is for the board to review and re-approve the CFP itself. The quarterly requirement is for regular liquidity risk reporting to the board — including current position, stress test results, and EWI status. Senior management (typically ALCO or the CFO) receives liquidity reports monthly. Both frequency requirements increase automatically as stress conditions emerge — institutions must be capable of increasing reporting frequency on short notice.

Operational Readiness: The Testing Gap

The governance gap most commonly cited in CFP examinations isn’t a missing policy. It’s a policy that’s never been put into practice.

Operational readiness means:

• Contingent funding sources have been tested: Not just listed. Actual drawdown tests, repo execution tests, discount window mechanics tests. Contact information is current. Counterparties have confirmed current availability and terms.
• Activation procedures have been walked through: Someone has actually simulated what happens when the trigger is pulled — who calls who, what authorizations are needed, what systems are used to execute the funding transactions.
• Staff know their roles: The named individuals in the CFP have been briefed on their responsibilities, not just named in a document they may never have read.
• Documentation supports the testing: Exercise reports, test results, and contact confirmations are documented and dated. “We tested it” without documentation is not verifiable.

FINRA Regulatory Notice 15-33 specifically calls out operational testing as a governance requirement. Examiners who find a beautifully documented CFP with no evidence of operational testing treat that as a governance failure, not an execution failure.

What Gets Cited: Common Exam Findings

Based on patterns from FINRA and banking regulator examination findings, the most common CFP governance deficiencies include:

No CFP at all — FINRA’s 2024 Annual Regulatory Oversight Report uses this exact language to describe the deficiency: “Failing to develop contingency funding plans that would provide sources of liquidity for operating under market or idiosyncratic stress conditions, including identifying the firm staff responsible for enacting the plan and the process for accessing liquidity during a stress event.” Near-identical language appears in the 2021, 2022, and 2024 oversight reports — meaning FINRA is still finding this at member firms year after year.

No documented trigger criteria — The CFP describes activation tranches but doesn’t specify what metrics or events trigger movement from one tranche to the next. Examiners ask: “What would cause you to activate this plan?” and get “well, it depends on the situation.”

Stale roles and responsibilities — The CFP names individuals who have left the firm or been reassigned. The current Treasurer or CFO has never read the plan they nominally own.

Untested funding sources — Repo facilities listed in the CFP haven’t had drawdown tests in 12–24 months. FHLB membership hasn’t been confirmed. Fed discount window access hasn’t been tested. The list of sources looks strong on paper but has unknown operational reliability.

Board reporting that’s too thin — One-page annual updates that confirm the CFP was reviewed without providing metrics, stress test results, or source readiness data. Regulators look at whether the board could actually have known the institution’s liquidity position from the reports it received.

Governance structure not calibrated to firm size — Either over-engineered (a small broker-dealer with three employees has a 40-person ALCO governance process that clearly doesn’t function) or under-built (a mid-size bank with complex funding structure where the CFP “owner” is whoever has bandwidth that week).

The SVB Case: What Governance Failure Actually Looks Like

Silicon Valley Bank is the most thoroughly documented CFP governance failure in U.S. banking history. The Federal Reserve’s April 2023 review and the OIG Material Loss Review published in September 2023 are public records that every CFP practitioner should read.

The documented findings are a textbook illustration of every governance gap listed above:

• Received an MRA on its CFP — and didn’t fix it — The Federal Reserve issued an MRA to SVB in mid-2022 requiring “targeted improvements to its contingency funding plan by end of Q2:2022.” SVB did not remediate the finding. By the end of 2022, SVB had 31 open supervisory findings. The board failed to monitor financial health and allowed a risk-laden balance sheet “without proper mitigation measures.”
• Failed its own Internal Liquidity Stress Tests repeatedly — Beginning in July 2022, after SVB crossed $100 billion in assets and became subject to Enhanced Prudential Standards, SVB’s ILST results showed liquidity shortfalls under its own stress scenarios. Examiners identified these as foundational weaknesses.
• Never tested discount window access — SVB listed Fed discount window borrowing as a contingent funding source. It had never actually tested the operational mechanics of accessing it. When the bank run hit on March 9–10, 2023, SVB could not rapidly access the discount window because it hadn’t posted collateral and hadn’t operationalized the borrowing process.
• Governance was nominal — The board and ALCO reviewed the CFP, but the Federal Reserve’s review found that SVB’s liquidity risk management practices did not meet supervisory expectations — and that the bank failed to act on supervisory findings quickly enough.
• CFP did not reflect actual funding vulnerabilities — SVB’s stress scenarios didn’t adequately model the concentrated, flighty nature of its uninsured depositor base (primarily venture-backed startups) or the impact of unrealized losses on its held-to-maturity portfolio on depositor confidence.

The 2023 Interagency Addendum wasn’t issued into a vacuum. It was a direct regulatory response to SVB’s failure — and regulators are now examining other institutions against the same checklist they wish SVB had implemented.

So What?

Regulators aren’t just testing whether you have a contingency funding plan. They’re testing whether the CFP is a real operational program — with an owner, with trigger criteria, with tested funding sources, and with a board that receives meaningful reporting.

The gap between a CFP that passes examination and one that doesn’t is almost always governance. Not content, not formatting, not length. Governance: who owns it, who monitors it, who activates it, who reports on it, and whether any of that has been tested in the last 12 months.

For firms building or overhauling their CFP governance structure, the Financial Risk Management Kit includes liquidity risk management templates, governance frameworks, and board reporting structures aligned to FINRA and interagency expectations.

Related reading:

• What Is a Contingency Funding Plan? A Practitioner’s Guide
• Common CFP Exam Findings: Top Deficiencies Regulators Flag
• Early Warning Indicators for Liquidity Stress: What to Monitor & How to Set Triggers

Sources:

• FINRA Regulatory Notice 15-33: Liquidity Risk Management
• OCC Bulletin 2010-13: Interagency Policy Statement on Funding and Liquidity Risk Management
• Federal Reserve SR 10-6: Interagency Policy Statement on Funding and Liquidity Risk Management
• OCC Bulletin 2023-25: Importance of Contingency Funding Plans (Interagency Addendum)
• Federal Reserve — Agencies Update Guidance on Liquidity Risks and Contingency Planning (July 28, 2023)
• Federal Reserve Review of the Supervision and Regulation of Silicon Valley Bank (April 2023)
• OIG: Material Loss Review of Silicon Valley Bank (September 2023)
• FINRA Regulatory Notice 23-11: Concept Proposal for Liquidity Risk Management Rule