Who Should Own the Contingency Funding Plan? Treasury, Finance, Risk, and the Review-and-Challenge Model

May 15, 2026 • Rebecca Leung •

contingency funding plan liquidity risk three lines of defense

Table of Contents

A regulator walks into your CFP governance meeting and asks one question: “Who owns this?” The room goes quiet. Treasury looks at Finance. Finance looks at Risk. Risk looks at Audit. Audit looks at the door.

That silence is the finding.

TL;DR

Treasury writes and operates the CFP. Independent risk management challenges it. The board approves it. That’s the entire governance answer — but most banks blur all three.

SR 10-6 and the July 2023 interagency addendum both require independent review and challenge of the CFP. Treasury cannot grade its own homework.

SVB’s CFP failure wasn’t about ownership ambiguity — it was about a Treasury team that switched to friendlier stress assumptions and a second line that didn’t push back hard enough.

For fintechs and non-bank financial institutions, ownership often defaults to the CFO. That’s fine for execution, but you still need an independent challenge function that doesn’t report to the same VP.

The Three-Line CFP Ownership Model

SR 10-6, the Federal Reserve’s 2010 interagency policy statement on funding and liquidity risk management, sets the framework. The July 2023 addendum reinforced it after SVB and Signature. Both documents agree on one thing: contingency funding planning is a multi-line responsibility, not a single team’s job.

Here’s how it maps cleanly to the standard three-lines-of-defense model.

Function	Line	CFP Role	What Examiners Look For
Treasury	1 (own & operate)	Drafts CFP, runs stress scenarios, maintains funding sources list, executes plan when triggered	Documented assumptions, tested funding sources, current contact lists, evidence of plan activation rehearsals
Independent Liquidity Risk (often CRO org)	2 (review & challenge)	Validates assumptions, challenges optimism, reviews stress severity, approves framework	Written challenge memos, escalation paths, independence from Treasury reporting line
Internal Audit	3 (independent assurance)	Audits both 1LoD execution and 2LoD challenge effectiveness	Annual or biennial audit cycle, findings tracked to remediation, no scope gaps
Board / Risk Committee	Oversight	Approves CFP, sets risk appetite, reviews stress results and triggers	Approval minutes, quarterly liquidity reports, evidence of board questions and pushback

The phrase “review and challenge” matters. It’s not “review and rubber-stamp.” Examiners specifically look for documented evidence that the second line pushed back on Treasury’s assumptions and that Treasury responded — not necessarily by changing them, but by defending them with data.

Why Treasury Cannot Own the CFP Alone

Treasury has the cash flow, the funding relationships, and the operational levers. They have to write the plan — nobody else has the daily knowledge to do it credibly. But they cannot also be the line that approves their own work, for three structural reasons.

Conflict 1: Optimism bias. Treasury teams are compensated and evaluated on cost of funds, net interest margin, and balance sheet efficiency. CFP stress assumptions that look severe make Treasury’s job harder. The natural pull is toward assumptions that show plenty of contingent capacity at reasonable cost. The OIG’s Material Loss Review of SVB documented exactly this drift — management “switched to using less conservative stress testing assumptions, which masked some of these risks.”

Conflict 2: Reporting line. At most US banks, Treasury reports through the CFO. The CFO has financial-statement interests that align with showing strong liquidity. If your second line is a risk officer who also reports to the CFO, the independence is structural fiction.

Conflict 3: Speed vs. caution. When liquidity tightens, Treasury wants flexibility to act. The second line’s job is to make sure that flexibility doesn’t come at the cost of risk appetite breaches. You need someone whose paycheck doesn’t depend on Treasury being right.

The Independent Risk Function: What “Challenge” Actually Looks Like

Most CFP review-and-challenge writeups are theatrical. Treasury sends a deck. Risk reads it. Risk sends back a memo that says “we have reviewed the CFP and find it reasonable.” That’s not review and challenge. That’s a notarization service.

Real challenge looks like this:

Assumption stress tests. “You assumed 15% deposit runoff in a moderate stress. The 2023 SVB experience saw $42 billion outflow in 24 hours. Defend the 15%.” Treasury then either provides data justifying their assumption or revises it.
Source availability audits. “You list $4 billion in FHLB advance capacity as contingent funding. When was the last time we drew on FHLB? Do we have current collateral pledged? What’s the haircut?” The July 2023 OCC Bulletin 2023-25 addendum specifically called out the Discount Window and FHLB readiness as supervisory expectations.
Trigger tightness review. “Your early warning indicator triggers at 90% LCR. By the time LCR hits 90%, you’re already in trouble. Why not 95%?” If Treasury defends the 90%, document the defense. If they can’t, the trigger gets tightened.
Counterparty concentration challenges. “Three of your four contingent funding sources are correlated with the same macro stress. What’s your plan if all three are unavailable simultaneously?”

These challenges go in a written memo, signed by the independent risk lead, that the board’s risk committee receives along with the CFP itself. The 2LoD’s challenge memo is the document that protects the institution — and the examiner is going to read it before they read the CFP.

For background on what a defensible CFP framework looks like, see our guide on how to build a contingency funding plan and the template key components examiners expect to see.

The CFO Question: First Line or Second Line?

A common point of confusion. The CFO is not a second line of defense. The CFO owns the funding strategy, the capital structure, and the balance sheet — all first-line responsibilities. At most US banks, Treasury rolls up to the CFO, which makes CFO sign-off part of the first-line approval chain.

Some banks try to solve the independence problem by having the CFO co-approve the CFP with the CRO. That’s not enough. The CRO needs to be able to escalate to the board over the CFO’s head if necessary, and that escalation path needs to be in writing.

If your CRO and CFO disagree on CFP assumptions and the dispute gets resolved by the CEO, the second line works. If the dispute gets resolved by the CFO unilaterally, the second line is decorative.

The Board’s Job

The board’s risk committee — or the full board at smaller institutions — has three specific responsibilities under SR 10-6:

Approve the CFP framework, including triggers, stress scenarios, and contingent source assumptions. Annual minimum; quarterly recommended for banks over $10B.
Receive and review liquidity stress test results, including any breaches of internal limits. When SVB started failing its own stress tests in July 2022, the board should have been told monthly. Whether they were, and what they did about it, is the central governance question in the Fed’s April 2023 SVB review.
Approve material changes in funding profile or contingent source mix. A shift from retail to wholesale funding, a new sponsor-bank relationship, a meaningful change in deposit composition — all should trigger CFP reapproval, not just routine update.

Board minutes are evidence. Examiners will pull two years of risk committee minutes and look for evidence that the committee actually engaged with the CFP — questions asked, concerns raised, follow-ups tracked. “The CFP was presented and approved by unanimous vote” with no other detail is a finding waiting to be written.

What This Looks Like at a Fintech or Non-Bank

For payment fintechs, lending platforms, BD/IAs with custody arrangements, and BaaS partners, CFP ownership is messier because most don’t have a Treasurer in the traditional sense. The CFO usually fills that role, and the “risk function” is often a one-person compliance or risk officer who also handles BSA, vendor management, and consumer protection.

The substance still applies:

Someone writes the plan. Usually the CFO or VP Finance.
Someone independently challenges it. This cannot be the CFO’s direct report. It can be the CCO, the CRO if you have one, or a board-appointed independent director if you’re too small for a dedicated risk function. For sponsored fintechs, the sponsor bank often performs this challenge function under the bank partner agreement — and increasingly insists on it.
The board approves. Document the approval, document the questions, document the changes that came from the challenge.

The 2LoD challenge memo at a 20-person fintech might be two pages. That’s fine. What matters is that it exists, names who did the review, lists what they pushed back on, and shows how Treasury (or Finance) responded.

The Working Group Composition

For institutions complex enough to need a standing CFP working group — which is most banks over $1B in assets — here’s a defensible composition:

Role	Function	Why
Treasurer	Chair, 1LoD	Owns the document and the execution
ALM / Capital Markets head	1LoD	Owns wholesale funding capacity
Deposit Operations head	1LoD	Owns retail funding and deposit segmentation
Independent Liquidity Risk lead	2LoD	Owns the challenge and the framework
CFO designee	1LoD (advisory)	Funding strategy alignment
Internal Audit liaison	3LoD (observer)	Awareness for audit planning, no voting
Bank partnerships / fintech lead (if applicable)	1LoD	Owns deposit concentration risk from program partners

Meeting cadence: quarterly minimum, with ad-hoc meetings triggered by early warning indicator activation, material balance sheet changes, or material market events. Minutes are kept by the chair, reviewed by the 2LoD lead, and submitted to the board risk committee as part of the quarterly liquidity package.

So What?

The single biggest finding in the post-2023 supervisory reviews wasn’t that banks lacked CFPs. It was that the CFPs they had were owned, operated, and approved by the same team — Treasury — with insufficient challenge from anyone who could push back. SVB had a CFP. It just didn’t have an independent function willing to tell management the assumptions were too soft.

If you can answer these three questions in writing today, your CFP governance is probably defensible:

Who drafted the current CFP and when did they last update it?
Who independently challenged the assumptions, and where is their written memo?
Which board meeting approved the current version and what questions did the board ask?

If any of those answers is “we’ll have to look into that,” you have a finding waiting. Our Financial Risk Management Kit includes a CFP governance charter template, a 2LoD challenge memo template, and a board approval package — the three documents that turn ownership ambiguity into auditable governance.

For practitioners building or rebuilding a CFP from scratch, also see our walkthrough of CFP regulatory requirements across FINRA, OCC, and the interagency framework.

Ownership isn’t the hard part. Challenge is. Make sure you have someone in the room whose job is to make Treasury uncomfortable.

Frequently Asked Questions

Who owns the contingency funding plan at a bank?

Treasury typically drafts and operates the CFP as the first line of defense — they run the cash flow, manage the funding stack, and execute against stress assumptions. The second line (independent risk management, often led by the CRO) owns the framework, challenges Treasury's assumptions, and reports to the board. Internal Audit is the third line and tests both. The board's risk committee approves the CFP at least annually. SR 10-6 and the 2023 interagency addendum both place ultimate accountability with the board, not Treasury.

Can Treasury both write and approve its own CFP?

No. SR 10-6 explicitly requires independent review and challenge of the funding and liquidity risk management framework, including the CFP. Treasury writes it; independent risk management challenges it; the board approves it. If your second line of defense is a Treasury employee in a different cubicle, you don't have independent review — and examiners will say so.

What role does the CFO play in the CFP?

The CFO typically owns the funding strategy that the CFP defends — but the CFO is part of the first line, not the second. At many mid-size banks, Treasury reports up through the CFO. That means the CFO has a vested interest in the CFP's assumptions looking favorable. This is exactly the conflict the second-line review is designed to address. Don't confuse CFO sign-off with independent challenge.

How often should the board review the CFP?

At minimum annually, with interim approval required when there's a material change in the institution's funding profile, balance sheet composition, or operating environment. The 2023 interagency addendum after SVB and Signature emphasizes that boards should review CFP assumptions and contingent source availability on a more frequent basis — quarterly is now standard practice for banks above $10 billion in assets.

What did SVB's CFP governance look like before it failed?

The OIG Material Loss Review found that SVB's CFP had foundational weaknesses: management switched to less conservative stress testing assumptions, the bank did not test Discount Window borrowing capacity in 2022, and SVB repeatedly failed its own internal liquidity stress tests starting in July 2022 without rapidly executing remediation. The board and senior management failed to appreciate the layered risks. The governance breakdown wasn't that no one owned the CFP — it was that no one was willing to challenge it.

Who should sit on the CFP working group?

At a minimum: Treasurer (chair), CFO designee, head of independent liquidity risk (2LoD), head of deposit operations, head of wholesale funding, head of capital markets/asset-liability management, and an Internal Audit liaison. For banks with sponsor-bank or fintech partner relationships, add the partnerships lead. The chair drafts; the 2LoD documents the challenge; the board's risk committee approves.

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.

Related Framework

Financial Risk Management Kit

Credit risk, liquidity, concentration, and capital adequacy templates built for fintechs.

See What's Included → Buy Now — $59

Keep Reading

Compliance Strategy

Fintech Acceptable Use Policy: How to Handle High-Risk Customers Without Killing Good Business

How to build a fintech acceptable use policy that evaluates high-risk customers by actual platform use, not blunt industry labels.

May 14, 2026

Compliance Strategy

Compliance Calendar Template: Tracking Regulatory Deadlines, Filings, and Internal Reviews

How to build a compliance calendar that tracks every BSA, HMDA, Call Report, SAR, and exam deadline — with a 2026 reference template and the fields that survive an audit.

May 9, 2026

Compliance Strategy

FFIEC IT Examination Handbook: A Practitioner's Walkthrough of What Examiners Actually Test

The FFIEC IT Handbook is 11 booklets and thousands of pages. Here's what examiners actually focus on, which booklets matter most for your institution, and how to prepare for each domain.

May 9, 2026

Immaterial Findings ✉️

Weekly newsletter

Sharp risk & compliance insights practitioners actually read. Enforcement actions, regulatory shifts, and practical frameworks — no fluff, no filler.

Join practitioners from banks, fintechs, and asset managers. Delivered weekly.