The Crush of Compliance

Pity the bank general counsel. The job has always been both demanding and a bit thankless. Until recently, it wasn’t that unusual to hear stories of CEOs working to keep the company attorney, with all his gloom-and-doom warnings, out of strategy discussions and, when possible, away from the board. Those days are largely gone, although it’s not at all clear this is good news for banks or the GCs themselves.

Everywhere bankers and their boards look today, someone seems intent on making their lives more difficultu00e2u20ac”and more risky. “We’ve got shareholder activism, which is at its peak right now. We’ve got heightened regulatory scrutinyu00e2u20ac”both from a bank regulator standpoint and from the SEC and state attorneys general. And we have a very high sensitivity toward corporate governance issues and the litigiousness of our society in general,” says W. Granger Souder Jr., executive vice president and general counsel for Sky Financial Group, a $15 billion bank holding company in Bowling Green, Ohio. “And the thing that overlays it all is the rapid improvement in technology. Information is being disseminated very quickly. And if it’s in an electronic format, we have to spend a lot of time and energy making sure that information is protected and doesn’t get into the wrong hands.”

Souder doesn’t even mention the Bank Secrecy Act, which promotes banks to the role of money cops and may be the most intimidating issue on the typical bank GC’s plate. Nor does he bring up the looming implementation of Basel II, with all the potentially complicated changes to risk and capital management it promises for bigger banks.

The striking thing about the current landscape is that so many new and different legal-oriented challenges have converged at once. The past few years have witnessed an unprecedented spate of new laws, aimed at everything from safeguarding investors to preventing terrorism, and on most fronts the lack of precedent means no easy answers but plenty of risks. Concerns over the privacy of customer information, highlighted in recent breaches involving Bank of America and ChoicePoint, an information aggregator, are rising. “It’s really almost a perfect storm of pressures that seem to be coming together from different directions at the same time,” Souder says.

In the middle of that storm stands the general counsel. Typically the company’s worrier in chief, he or she is expected to interpret complicated compliance issues and navigate a constantly shifting legal environment. Small wonder the GC now is often considered a key cog in the management hierarchy, not simply someone to review contracts or call upon when things get sticky. As often as not, GCs are being integrated into the fabric of the business, working hand-in-hand with product managers and frontline employees to aid in strategic decision making.

“The general compliance and regulatory risk is a higher order-of-magnitude threat to banks today than it used to be. So it makes sense that the person responsible for helping to identify, manage, and mitigate that risk is more in the center of things,” says Michael Shepherd, executive vice president and general counsel for $44 billion Bank of the West in San Francisco. Indeed, some are even taking on operational roles. One example: Alan Polackwich, executive vice president and general counsel for $2.5 billion Riverside National Bank of Florida in Vero Beach, who also carries the title of president of the bank’s Indian River County operations.

On the surface, all this involvement sounds great for GCs. The problem is, the answer guy doesn’t necessarily have all the answers. “Everyone wants clarity. But there’s a limit to how much clarity you can provide when you’re trying to interpret laws and regulations that are being developed on the fly,” says William Bouton III, a partner with Tyler Cooper & Alcorn and general counsel for $6.3 billion NewAlliance Bancshares in New Haven, Connecticut. “With a lot of questions, the only answer you can give is, ‘There’s no clear guidance on that. … I can’t tell you definitively what’s required.’ It’s frustrating for the general counsel and for the board members when the answers aren’t crystal clear.”

The greatestu00e2u20ac”and most universalu00e2u20ac”of such difficulties centers on the 35-year-old BSA, which got a facelift via the USA Patriot Act and put banks squarely on the front line in fighting terrorist financing, money laundering, and other illicit financial activities. “The reality of being a bank today is that [lawmakers] have concluded financial institutions are now an important part of the law enforcement system,” Polackwich says.

The results have been something short of chaosu00e2u20ac”but not by much. Several banking companies, including $48 billion AmSouth Bancorp in Birmingham, Alabama, Puerto Rico’s Popular Inc., and City National Corp., a $14 billion institution in Los Angeles, have been stung with fines and penalties in the past year for failing to meet BSA requirements, and the punishment for noncompliance can be severe.

AmSouth agreed in October to pay authorities $50 millionu00e2u20ac”including a $10 million civil money penaltyu00e2u20ac”on charges that it had committed “serious and systemic” violations of the BSA. It also was forced into a cease-and-desist order designed to boost its anti-money-laundering program. The case was triggered by an investigation into a Ponzi scheme by a lawyer and a registered representative that allegedly bilked investors out of $15 million. According to the order, AmSouth ignored employee concerns about the accounts and failed to file a SAR (suspicious activity report) on the matter for two years.

Defense mechanisms

Bank boards are understandably confused and worried by such developments, and they’re looking to GCs for guidance. GCs in turn complain that they’re getting conflicting signals about how much enforcement and monitoring is enough.
Primary bank regulators, under pressure from Washington lawmakers, are pushing banks to file early and often when it comes to SARs, and bank GCs are falling in line. Walt Moeling, a partner at Powell Goldstein LLC and general counsel for several banks, including $800 million Georgian Bancorp in Atlanta, tells of getting an unprecedented number of questions from directors “about the propriety of specific transactions and about their obligations to oversee various aspects of the bank.” More than once he’s had to tell a client to file a suspicious activity report on a matter that once would have been considered routine. “The regulators have told the banks, ‘If you have any desire to do anything strategic [that requires approval], don’t you dare have a BSA ding: You must be beyond perfect in your policing duties,” Moeling says.

“Banks are making a lot of defensive SARs filings,” says Chris Cole, regulatory counsel for the Independent Community Bankers of America in Washington, D.C. “Most general counsels are saying, when in doubt, file a SAR. That’s the smart advice.” But he also is quick to note the concerns of William Fox, director of the Financial Crimes Enforcement Network, the government agency that administers the BSA, at a March ICBA convention. Fox told GCs that his agency was being overwhelmed by often meaningless SARs, diverting attention from those that matter. In fiscal 2004, FinCEN collected 663,655 SARs, a jump of more than 250,000, or 60%, from a year earlier. “All these filings are hurting FinCEN’s ability to identify the handful that are really serious problems.”

Says Jeffrey Smith, a partner for Thompson Hine in Columbus, Ohio and a former counsel for Bank One Corp.: “The problem for boards and GCs alike is that you can easily get whipsawed between one agency that says, ‘We don’t need so many of theseu00e2u20ac”slow down’ and another agency that says, ‘You’d better be aggressive about these filings.’”
George Jones Jr., CEO and president of $2.6 billion Texas Capital Bancshares in Dallas, says it’s a mistake for banks “to simply file hundreds of SARs to cover themselves.” Texas Capital’s board, like many others, has worked with its general counsel to craft policies, processes, and procedures for handling BSA-related incidents. “It’s not necessarily how you handle issues that arise. It’s the procedures you have in place to track potential illicit activities in your customer base,” Jones says. Sky’s Souder agrees: “It’s about processes, and it’s about trainingu00e2u20ac”ensuring that everyone in the organization understands what the BSA is trying to accomplish.”

Anecdotal evidence suggests even rock-solid policies won’t overcome regulator inconsistencies or policy newness in certain areas. One key source of confusion is a BSA requirement that banks police so-called “money services businesses” such as grocers, convenience stores, foreign-currency exchange houses, and check-cashing outfits that are clients.

In Florida, Riverside’s 50 branches cover 10 counties, several of them rural. Migrant workers come to work the areas farms and groves and make regular use of MSBs to cash checks and send remittances home. But government officials view those businesses as vulnerable to money laundering. This presents Polackwich with a conundrum. “We know these customers, and we know they’re not doing illegal activities or funding terrorists,” he explains. But because they fall within the technical definition of being an MSB, regulators require additional paperwork and monitoring of their businesses. “We then have to decide whether we’re going to retain these customers, knowing that it’s going to require such a high level of monitoring by us that it can make the relationship unprofitable,” he says.
Regulators are expected to offer greater definition on BSA compliance rules this summer.

Guidelines on governance

No issue touches banks as uniformly as the BSA; many of the other hot buttons are related to size and the extent of activities in which a bank is involved. For larger banksu00e2u20ac”or at least those with more than 500 shareholdersu00e2u20ac”the Sarbanes-Oxley Act, with its emphasis on documenting internal processes and controls, is a continuing drain on resources.

The initial round of governance tweaks, such as reviewing and rewriting committee charters, has been wrapped up. And most larger firms that are considered accelerated filers completed the first round of 404 reporting with their 2004 10Ks, allowing many attorneys to breathe a small sigh of relief. (Smaller institutions, with market capitalizations below $75 million, have until later this year to file.) But many facets of Sarbanes-Oxley remain open to interpretation.

As GC, Bouton says he’s still getting a lot of questions from bank boards on the basics, such as fine-tuning the composition of audit or compensation committees, or the proper interplay between those committees and the board. Sarbanes-Oxley, for instance, gives audit committees responsibility for hiring and firing outside auditors. “But if there’s a problem with the audit and it results in a restatement of financial statements or something worse, it can have ramifications for the entire board,” he says. This strikes some non-audit-committee members as unjust.

Perhaps a more significant concern spawned by Sarbanes-Oxley is the costs of documenting controls called for in Section 404. Larger publicly held banks have no choice but to accept the compliance tab, which can sometimes climb into the tens of millions of dollars. For smaller institutions, however, the numbers can be staggering and the benefits murky, meaning some are looking to their GCs for guidance. Moeling says some of his small-bank clients have rung up bills of $500,000 on 404 compliance. For a $500 million bank, that can amount to nearly 10% of net income. He has calculated that some banks are paying up to $1,000 per extra shareholder each year to be public.

No surprise, then, that a growing number of general counsels are advising boards to proactively manage their investor bases, either by staying below the 500-shareholder level at which the SEC considers a company public or by reducing it to below 300u00e2u20ac”the level at which a company is considered private. “If a bank gets close to 500 shareholders, we’re advising them to buy back some shares to stay under that level,” says Glen Garrison, a Seattle-based partner with Keller Rohrback and general counsel to several Washington banks, including Cascade Financial Corp. and Frontier Financial Corp., both of Everett. Some of those that were once above that levelu00e2u20ac”including Valley Bank in Puyallup, Washington and Atlanta’s Georgian Bancorpu00e2u20ac”have bought out smaller shareholders to get below the 300 mark.

GCs also are prodding boards to adopt best practices, such as having outside directors meet in executive session without senior management present. Many CEOs “don’t automatically warm to the idea,” Moeling says. And sometimes, things can get testy. “Frankly, I’ve been in more than a few meetings where I’ve wished I wasn’t there.” His response to such kickback: Executive sessions happen whether you want them or not. In parking lots or over the phone, outside directors “are talking about how you’re doing and your compensation and management succession. And they’re talking about the ultimate strategic issue of buy, sell or hold. … The only question is, do you want to formalize those meetings and have a role in those discussions?”

Michael Roster, executive vice president and general counsel for $105 billion Golden West Financial Corp. in Oakland, California, has both his board and key committees hold meetings at least once a year without management. “If I were a director, I would always look at my general counsel and ask, ‘Is there anything that we, as directors, need to know about the company that hasn’t been brought to us,’” Roster says. “I would put responsibility for bringing bad news forwardu00e2u20ac”even if the CEO and CFO don’t want it knownu00e2u20ac”squarely on that person.”

Compliance quagmire

GCs say they sometimes feel like they’re bogging down their boards in administrative minutiae. But they also must keep directors ahead of the curveu00e2u20ac”and the latest risks. And they’re finding that the concerns of shareholders and regulators are often working hand-in-hand against them.

GCs, for instance, are now helping comp committees grapple with the impact of new SEC requirements, beginning in June, that options grants be expensed. “Boards are asking how expensing will affect them,” Garrison explains. The simple answeru00e2u20ac”that it will put a significant dent in earningsu00e2u20ac”has most everyone looking at alternatives, such as restricted stock awards “where, instead of giving someone 1,000 options, you give them 300 shares over some vesting schedule and take the charge to earnings,” he says. “That’s what we’re recommending. It really makes more financial sense.”

Rest assured, shareholders will be watching. Moeling notes the average bank stock owner has owned shares in a bank before “and is much more sophisticated and demanding in his or her expectations of the board.” And they’re getting more help from third-party governance watchdogs, such as Institutional Shareholder Services, which now review every proxy filing and advise client investors on how to vote on key issues.

At worst, this scrutiny can mean shareholder lawsuits if a company steps out of line or pressure to sell if a company’s not performing up to snuff. More common are challenges to such governance flash points as staggered board terms, supermajority voting requirements, and director independence.

GCs are eyeing corporate governance ratings put out by ISS, which can influence investor perceptions of their institutions. They’re also considering what to some is an uncomfortable twist: buying consulting services from
ISS aimed at helping companies get the best scores. ISS maintains there’s a firm wall between its consulting and rating services, and many companies are reportedly buying in. Some attorneys, however, worry about conflicts of interest and figure out their own scores based on publicly available information. Some, such as Polackwich, also spend much of their time trolling regulatory and litigation-oriented websites for the next threat. “As general counsel, I want to make sure we’re aware of, and in compliance with, everything that comes up.”

What he sees makes Polackwich glad he’s not GC of a really big bank. Those with large card or mortgage operations are increasingly questioning the effectiveness of arbitration or alternative dispute resolution systems for settling consumer grievances, noting that the costs and complications of those meansu00e2u20ac”just the things they were meant to sidestepu00e2u20ac”are rising. (General counsels have to control legal costs, of course.) And over the past year, Citigroup, J.P. Morgan Chase & Co., and Bank of America have all paid out big civil settlements over their involvements in the Enron and WorldCom collapses.

Now, although they don’t want to admit it publicly, many banks with insurance, investment, or other nonbank subsidiaries worry that state attorneys general, inspired by the recent successes of New York AG Elliot Spitzer, are on an investigation jihad that might easily spill over into big fines and lawsuits. At a recent meeting of big-bank GCs sponsored by the Financial Services Roundtable, “it was all they could talk about,” says the ICBA’s Cole. “There’s a real siege mentality,” confirms one big-bank GC.

Earlier probes into mutual fund operations resulted in follow-on shareholder suits against many of the biggest banks, including Citigroup, Wachovia Corp., and the former FleetBoston Financial, now part of Bank of America. Even so, they were considered manageable. But when Spitzer and the SEC began registering wins against insurers for paying improper fees to brokers in exchange for businessu00e2u20ac”and other state AGs caught the investigation bugu00e2u20ac”things began to get hairy.

The key worry isn’t so much the investigations themselves as what could come next. As one GC explains, large institutions feel “under unfair pressure” from attorneys general “to disclose and waive attorney-client privileges and immunity from discovery.” The AGs will say they’ll go easy on banks that cooperate and release internal documents to aid an investigation. “But once you waive that privilege, civil litigants can use that information to sue.” That’s what has already happened to American International Group and The Hartford Financial Services Group, and some bank GCs fear their institutions could be next.

Looming risks

Farther out, large banks are preparing for the expected onset of Basel II, a new international capital and risk management standard. The accords contain some 600 pages, about half of which are nothing but equations. Directors of U.S. banks that adopt the provisionu00e2u20ac”only the top 10 banks are required to do so but others will be allowed to opt inu00e2u20ac”face some significant challenges, given Sarbanes-Oxley’s documentation requirements. “The Basel models include thousands, if not tens of thousands, of individual control-point decisions. Imposing America’s section 404 rules on that is something no one has even begun to address yet,” says Golden West’s Roster.

“As a general counsel, what do I bring into the boardroom to try and immunize not just the bank, but also the board and directors” from potential trouble? “Do I do a lot of presentations and bring in experts so there’s a record they were thoroughly briefed?” Roster asks. Provided directors ask probing questions, that would theoretically provide the protection of the business judgment rule, should adopting Basel provisions bring trouble. “But who in the world would I even hire to be an expert? And how much does the model have to be probed to give the board satisfaction?
“There’s no real answer to that,” Roster adds. “And most general counsels haven’t even begun to deal with it yet.”

That’s no surprise. As one GC says, there are no longer enough hours in the day to tackle all the challenges on their plates. And with banks facing new legal and operational threats around every corner, those workloads are likely to continue increasing.