On September 2, 2014, the OCC issued guidelines establishing heightened standards for certain institutions with $50 billion in total assets and for “highly complex” institutions, noting that it does not intend to apply the guidelines to community banks. However, the guidelines distill the OCC’s characterization of directors’ responsibilities that apply regardless of asset size. In this regard, the guidelines should be required reading for directors of every bank.
With regard to the role of directors, the OCC did not adopt a higher standard of director liability than the law generally provides (depending upon state of incorporation or chartering). This approach is very different from that espoused by the Federal Reserve Board’s Governor Tarullo in his controversial speech last year. Governor Daniel Tarullo exhorted legislatures to change the standards governing director conduct to impose a duty to meet regulatory and supervisory objectives (not just a duty to their institution and shareholders). The OCC notably bypassed the opportunity to try to extend director obligations beyond statute. Thus, the guidelines need to be read in conjunction with the existing legal framework.
The OCC reformulated what are in many cases age-old principles of director conduct. The guidelines are beneficial to directors in a variety of ways. Notably, the OCC sought to reclarify the divide between director and managerial responsibilities. To understand the significance of such line drawing, directors need to be aware of the regulatory approach to conflating the roles of directors and management since the downturn. Specifically, administrative actions, matters requiring attention and supervisory correspondence, have discussed the directors’ obligations to become further involved in their institutions’ activities in a quasi-managerial tone.
The OCC’s guidelines, however, note that they do not impose managerial responsibilities on boards or suggest the boards must guarantee any particular result. Instead, the OCC notes that the board’s duty is the traditional one of strategy and oversight.
However, there are increasing expectations for directors, particularly in terms of oversight of risk management. First, the OCC expects institutions to establish strategic plans that set forth a risk appetite. The board then must hold management accountable for adhering to the framework established. The guidelines clarify that the board provides active oversight by relying on risk assessments prepared by the departments of risk management and internal audit. Thus, although the board’s active oversight is in reliance on risk assessments, the board still must evaluate whether the risk appetite is being exceeded.
This expectation for oversight of risk tolerance have been seeping down the landscape and has become common practice for banking organizations of over $1 billion. I have seen institutions of $600 million and $700 million in total assets adding chief risk officers and risk committees. Risk assessments have proliferated like kudzu. Whether the guidelines are only expectations generally for the systemic important financial institutions (SIFIs) or not, these principles are becoming mainstream ideas for community banks as well. For SIFIs, the scope and pervasiveness of the risk management and mitigation framework are yet to be fleshed out.
The OCC expects boards to provide a credible challenge to management. Specifically, boards, in reliance on information from independent risk management and internal audit, should question, challenge and, when necessary, oppose decisions to expand the bank’s risk profile beyond its risk appetite.
The guidelines note that boards are not prohibited from engaging third-party experts to assist them. Thus, the OCC keeps open the well-worn ability of directors to rely on others for guidance (although the fiduciary decision-making remains exclusively the province of the board).
Otherwise, the OCC trots out existing basic minimum standards for corporate governance. Specifically, the guidelines provide that boards should conduct annual self-assessments. The guidelines also note that the OCC will review director training to see if it touches on all appropriate areas. Moreover, the guidelines note that directors must dedicate time and energy to reviewing and understanding the key issues affecting their bank. Those expectations are hardly new.
In short, the guidelines represent a mixed bag for bank directors. The OCC’s adherence to the separation between board and managerial responsibilities and directors’ ability to rely on third-party experts is reassuring. The OCC’s discussion of risk management and engaged directors challenging managerial direction are not threatening in themselves. Director concerns lie in the notion that examiners will expect an increasingly elaborate edifice of risk tolerance and assessment. For community banks, the question is how much of this edifice will they need. Thus, it is not the principles that are controversial, but the way in which such principles will be measured that causes concern for director liability.