Bankers have plenty to do these days in an ever-changing legal landscape. Fueled by major laws passed in recent years, federal and state regulatory agencies keep issuing new bulletins and enforcement actions, leaving banks scurrying to keep up with it all. The upshot for directors: Perhaps more than ever before, the responsibility of compliance oversight falls on their shoulders. Long gone are the days of leaving management holding the bag. “It’s not enough to be spoon-fed these days by management on what the decision needs to be,” says Brian Smith, a partner at the Washington, D.C. office of Latham & Watkins. “These things are not quite as black and white as they once were, and directors, especially at banking institutions, are held to a higher standard of knowledge as to what is going on.”
And it won’t get any easier in the short run. Much of the impact of laws such as the Gramm-Leach-Bliley Act of 1999, the USA Patriot Act of 2001, and the Sarbanes-Oxley Act of 2002 has yet to be fully felt. After a law that affects banking is passed, it usually takes agencies 18 months or so to issue regulations, then at least another 18 months for the enforcement actions to start. All told, that’s three to five years after passage, making nowadays a sweet spot of sorts for enforcement actions.
All of the new legislation and guidelines bring increased responsibility to board members. “It intensifies the focus of the board to conduct itself within a proper process,” says James Rockett, co-head of the financial institutions corporate and regulatory practice at Bingham McCutchen in San Francisco. “The process that is established in the boardroom of working through strategic considerations is very important.”
Those considerations include a smorgasbord of topics that boards should be discussing with management and chief counsel. Bank Director recently conducted an informal poll of attorneys to unearth some key issues arising from the shifting legal environment. Legal experts offered advice on some of the recent developments and on the questions board members should be asking in areas such as corporate governance, anti-money-laundering, privacy and security, mergers and acquisitions, securities lawsuits, and general compliance issues.
When it comes to corporate governance, Sarbanes-Oxley has become a driving force in changing the way boards operate. “Sarbanes-Oxley calls into question the issue of just blind reliance on management,” Smith says. “This falls on the laps of the directors.”
Making sure internal controls are in place is critical, and those controls stop at the board, Smith warns. “You have to ask yourself, if you are on the board of a bank, ‘What do I need to know, and am I getting it?’” he says. “That is the principal issue facing directors today. It doesn’t make a difference whether your bank is a pimple or a watermelon. The size of the bank is irrelevant.”
The Sarbanes-Oxley Act was passed in 2002 after the run of corporate scandals. The intent was to bolster the governance of boards of directors at public companies and regulate the activities of the accounting profession. The act tightens auditing and accounting rules, primarily by requiring CEO and CFO certification of financial statements and the setup of independent audit committees. Although banks met many of Sarbanes-Oxley’s requirements through the Federal Deposit Insurance Improvement Act, the scrutiny is now greater.
“It is a ramping up of the disclosure effort to comply with the new rules that have come into play,” says Waverly Vest, a partner at Bracewell & Patterson’s Houston office. “Bank holding companies are being held to different standards in terms of level of scrutiny, disclosure, and the kinds of procedures they go through now.”
The act’s rules impact public and private banks alike, as regulators encourage all financial institutions to adopt best practices. For example, Alabama, one of a handful of states that has its own audit standards, is contemplating revising those rules now that the federal law has taken effect. The state is calling for banks to establish a three-member audit committee, recruit highly qualified independent auditors, and adopt codes of ethics.
In essence, “The regulators are looking at the overall governance of banks by the board of directors and taking some of the pages out of Sarbanes-Oxley, saying to the bank, ‘Why don’t you have an independent audit committee; why don’t you have a compensation committee?’” says Robert Clarke, a senior partner at Bracewell & Patterson and former head of the OCC.
Questions the board ought to ask:
– What kinds of internal controls for risk does the bank have? What are the most likely places for the bank to stumble? Which risks are big enough to put a dent in the capital of the bank?
– Who is checking to make sure that various internal controls are in place and that they are working?
– For any important decision being made, has the bank followed the proper process of going through committees and documenting the decisions?
– Are the committees fully considering the matters within their jurisdiction?
No doubt regulators have a watchful eye on banks with regard to anti-money-laundering, particularly in the wake of 9/11. The OCC levied a $25 million fine against Riggs National Corp. in May for the bank’s failure to report suspicious activity. Riggs was found to have violated provisions of the Bank Secrecy Act, having failed to properly monitor and report transactions amounting to tens of millions of dollars in cash withdrawals, international drafts, and sequentially numbered cashier’s checks.
“Banks really need, in this environment, to make sure they have policies and controls in place that will keep them out of trouble; otherwise, the regulators are going to get them,” Clarke says. “Riggs Bank has become the poster child for that.”
With respect to anti-money-laundering, the USA Patriot Act adds more teeth to the Bank Secrecy Act. On the domestic side, it expands the definition of what encompasses a financial institution to include retail jewelers and dealers of precious stones. It also formalizes reporting requirements and enhances the obligations of employees, officers, and directors of financial institutions to institute and maintain robust anti-money-laundering programs. Internationally, it prohibits U.S. banks from dealing with shell banks.
“Because of the terrorist threats, banks have become first-line enforcers of compliance with AML and bank secrecy,” says Ron Glancz, a partner at Venable in Washington, D.C. “There is zero tolerance for any kind of deficiencies related to the Bank Secrecy Act in the anti-money-laundering area.”
Edward Wilson, another partner at Venable, suggests bank directors use the Riggs consent order to read about what is expected of them, such as having a designated compliance officer who regularly briefs the board. “You as a director can go right to the Riggs consent order for this,” he says. “It’s a blueprint of what to do.”
Questions the board ought to ask:
– What policies have been enacted to make sure the bank is complying with all the requirements of the Bank Secrecy Act and USA Patriot Act?
– What has management done to properly train the employees, particularly those on the front line, such as tellers?
– What internal control mechanisms are in place, either through an internal audit function or vendors who monitor those functions?
PRIVACY AND SECURITY
Directors also need to pay careful attention to security and privacy. Federal regulators have issued some 200 bulletins, pronouncements, and rules on information security since 1998, according to Thomas Vartanian, a partner at Fried, Frank, Harris, Shriver & Jacobson in Washington, D.C. The promulgations hold boards accountable for areas such as internal security, third-party security, online security, and customer-data protection.
“It’s very clear that the agencies have gone to great lengths to show that this is an area where the board is on the line, and it is their responsibility,” Vartanian says. The Gramm-Leach-Bliley Act requires institutions to have security programs to ensure that the data of customers are protected and that financial institutions have included security information in privacy disclosures. “Any defect in security at an institution becomes a possible violation of Gramm-Leach-Bliley because it exposes customer data to leaks, hacking, and theft,” Vartanian warns.
One such case occurred in 2002 and involved Goleta National Bank, which the OCC found had violated this provision of the act because one of its vendors had improperly thrown out customer records. Last year the OCC announced an enforcement action against two former employees of Colorado National Bank. The employees were charged with e-mailing more than 2,200 customer loan files to their new employer without using secure Internet connections.
Documenting security systems is just as important as the security itself, Vartanian says. Documentation will help show regulators there are rules, procedures, and controls in place. Otherwise, there’s little proof such a system exists. “You may have the best security in the world and the best protection of customer data, but if it is inadequately documented, the regulators will believe you don’t have the security,” Vartanian says. “In either case, you end up in the same place: the wrong side of the enforcement ledger.”
Complicating matters is the increasing reliance by banks on outside vendors. Says Vartanian: “Technology has moved most of the security outside of the walls of the bank.”
Questions the board ought to ask:
– Have the requirements of all security and privacy bulletins been met?
– Has the bank conducted testing to ensure it is meeting these requirements?
– What type of documentation is there, and is it adequate?
– Regarding outside service providers, to what extent has the bank implemented adequate controls, and is the bank in compliance with respect to all the vendors it uses?
MERGERS AND ACQUISITIONS
While Sarbanes-Oxley doesn’t have specific provisions that address mergers and acquisitions, its effect is making bank boards more active in M&A deals, says Rodgin Cohen, the managing partner at New York-based Sullivan & Cromwell.
“Everything is overshadowed by corporate governance,” Cohen says. “The general thrust of the new concept of corporate governance applies to all divisions, but particularly to M&A. Bank boards today want to be involved earlier in the process and want to know more.”
All the new laws and regulations should prompt boards to dig deeper, he adds. “They should be asking how comprehensive the due diligence is, particularly about legal and regulatory compliance. Because a failure in that area can blow up the entire transaction.”
Adds Stephen Klein, a partner at Graham & Dunn in Seattle: “In the late ’90s, what you had was fly-by due diligence. Those days are over. Acquirers have to be more thorough. Directors need to make sure management is combing over all aspects of the seller, including operations, loan portfolio, and legal issues.”
When it comes to buying or selling, the first question should be automatic, says Rockett of Bingham McCutchen: Why is the company acquiring or selling? Board members “need to have a really good sense that the decision making being done is in consideration of shareholder value.”
“You need to make sure they have good policies and procedures in place and that compliance is in good shape,” Klein says. Vendor contracts should be examined to determine what implications they have for the buyer. On the legal side, examine not only whether any litigation is taking place, but other things that can impede a transaction, such as stock plans and leases that expire upon a sale, he says.
Executive compensation also needs to be examined, including stock options, retirement benefits, restricted stock, and bonuses. Another potential land mine includes so-called tax-gross-ups, where a company has agreed to pay certain taxes for which the chief executive might be liable. Gross-ups are designed to compensate executives for additional tax exposure that results from golden parachute payments. In sum, “They should know exactly what the CEO on the other side is receiving,” Cohen says.
Boards should also be brought in one to two weeks before an agreement is reached, Cohen says. That will allow the bank to follow up its due diligence with questions from the board.
Questions an acquiring board ought to ask:
– Does the transaction make sense?
– Does the bank have the management structure in place to successfully integrate the new company?
– Does the deal fit the strategic vision of the company?
– Can the acquirer create a culture within the combined institution that will continue to be successful and help it realize its strategic objectives?
– How sound are the internal controls of the other party?
– What do the compensation plans include?
Questions the selling board ought to ask:
– Does the transaction make sense?
– Is it the right time?
– What challenges does the bank face by remaining independent?
– By selling, will the bank achieve the best valuation opportunities given current stock multiples?
– Is the bank protecting its customers and employees?
Regulatory and market changes will always leave banks vulnerable to lawsuits. For example, starting in August, public companies will be required to report more information and expand disclosures on 8-K forms, which are filed with the Securities and Exchange Commission for events that have a material impact on a company’s financial condition. Some of the changes include newly defined events that trigger a filing, such as entry into or termination of agreements not made in the ordinary course of business, the creation of financial obligations arising out of off-balance-sheet arrangements, and making the determination that investors should stop relying on any previous financial statements.
“Boards need to take very seriously the securities filings that are being done,” says Rockett of Bingham McCutchen. “Ask counsel to provide an explanation of those rules and what they portend for future obligations.” Boards should also take time at the audit committee level to carefully review 10-K and 10-Q filings to make sure they are not putting undue reliance on management and that the forms accurately reflect the risks in the company, Rockett adds.
Changing market conditions also complicate things for financial institutions. While providing short-term relief on banks’ net-interest margin, a rise in interest rates could lead to an erosion of bank stock prices in the second half of the year. In the second quarter, expectation of rising rates had already taken a chunk out of the NASDAQ bank stock index, which had dropped 8% by mid-May from its peak in March.
“When stock prices go down, investors get unhappy,” says Kip Weissman, a partner at Luse Gorman Pomerenk & Schick in Washington, D.C. “They will look for reasons to sue.”
While directors have plenty to deal with regarding changes in corporate governance practices, they must also make sure management has taken the necessary steps to disclose risks, Weissman notes. Using best practices from Sarbanes-Oxley, management and the audit committee should undertake a periodic risk-assessment review of the institution.
Weissman suggests making sure all risks have been identified and discussed in the disclosure document, including any recent developments. In the case of an institution that is especially sensitive to interest rates, for example, banks should disclose the magnitude of the risk, what is being done about it, and whether there’s been any change in that risk from quarter to quarter.
Overall, “Boards are dealing with a lot of what they would consider legal mumbo jumbo,” Weissman says. “But at the same time, they are dealing with a changing economic environment. If I was a director, I’d feel like I had a full plate. Unfortunately, the economic environment is not going to wait, nor are the legal requirements.”
Questions the board ought to ask:
– Do filings accurately reflect the risks of the company in material matters that can influence the value of its shares?
– Who is tracking changes in filing requirements with the SEC?
– Is the audit committee reviewing all financial forms before they are filed?
While compliance is a vast concept in itself, banking lawyers say boards need to keep an eye on areas that are of particular concern to regulators.
Boards need to be wary about embarking into new product lines and investments and always ask questions to make sure the bank is in compliance. Many times, banks enter a new business only to find a nightmare awaiting them.
“The warning flag for the directors is, don’t get a product that is declared to be radioactive by one or more of the regulators,” Clarke says. “And if you have crossed that step and you’ve determined it’s OK to be in the business, then be very careful how you go about it. Make sure you are not getting a big concentration in that kind of product, because that is going to be viewed negatively.”
Having endured tight interest rate margins for years, many banks have turned to other lending areas such as payday and subprime lending. But beware: both state and federal regulators have pounced on the issue, eager to show they are out to protect the consumer, lawyers warn.
As a result, many financial institutions have had to retreat after getting into payday lending. The OCC has taken the position that national banks should not be in the business, prompting institutions such as Eagle National Bank, based in Upper Darby, Pennsylvania, and Brickyard Bank in Lincolnwood, Illinois to abandon the business.
In subprime, for example, some banks have gotten into trouble by teaming up with credit card marketers. The sticking point: Regulators are going after marketers and banks they believe have not properly disclosed the potential cost and the true nature of the credit card, Clarke says.
Clarke advises reviewing any advertising materials to make sure they comply with all disclosure requirements, including those of the Federal Trade Commission.
Furthermore, the board should see that control mechanisms are installed to ensure that policies are followed and are, in fact, understood by the employees through adequate training.
Questions the board should ask about new retail products:
– What do regulators require of the product in question?
– How are advertising materials reviewed to make sure they are in compliance?
– What control mechanisms have been put in place?
Banks also need to make sure they are in compliance when it comes to newer types of investments, such as bank-owned life insurance. Generally, this insurance is purchased to help fund future financial obligations under employee retirement and benefit plans. Most of the larger banks have purchased the product; brokers are now focusing on community banks. Yet unlike their larger counterparts, lawyers say, community banks often lack the resources to adequately analyze the product.
“This is an issue,” says Smith of Latham & Watkins. Regulators are concerned because bank-owned life insurance can get complicated. A bank purchases life insurance for officers and managers; the insurance acts as a way to fund executive compensation and to defer benefit costs. Yet generally, bank-owned life insurance is an illiquid asset. Should a bank want to cancel policies to free up capital, it could run into trouble, depending on how much it has on its balance sheet. Exiting contracts prematurely can lead to heavy fees and tax penalties. Says Smith: “You need to understand where you are and how much is appropriate. These are really complex products.”
Boards should expect this question from regulators: “Can you tell us about the policy?” That means not simply handing them a brochure across the table. Regulators, says Smith, want to see that a board is aware of the terms of the policy and that the bank has a clear idea for what specific purpose it purchased the insurance.
Questions the board should ask about bank-owned life insurance:
– What will be the costs of bank-owned life insurance over time?
– Who will be insured?
– From whom should the bank buy a policy?
– What is the credit rating of the insurer?
– What experts has the bank hired to bring on board to help understand the product?