Eyes Wide Open: Managing D&O Risk

It sometimes takes a little detective work to uncover the snares that await directors and threaten their personal liability when they sign up for board service. For most, the assurance that they have D&O liability insurance provides some peace of mind. Nevertheless, directors must clearly understand both the duties and ever-shifting risks that come along with a seat at the boardroom table.

Like many banking companies, First Busey Corp. has undergone some pretty dramatic changes over the past few years. The Urbana, Illinois-based holding company has launched a highly successful Internet bank, gotten into the brokerage business, and, last year, went public with an eye to eventually making an acquisition. These are all exciting developments for the $960 million organization. But each move also increases the possibility that First Busey’s directors and officers could wind up on the wrong end of a lawsuit.

So are they concerned about the increased liability? Of course, says David Kuhl, CEO of flagship Busey Bank and a director. But it’s not exactly something the directors lie awake at night fretting over. “Naturally, the board wants to make sure that we’re covered,” he explains. “But the economy has been so strong and we run such a clean operation that I don’t think they’re overly concerned.”

With profits and valuations near all-time highs, times have rarely been better for banks and thrifts. Still, there’s nothing to prevent a bank’s officers or directors from being subject to a lawsuit, which is why First Busey works overtime to shield its board from liability. Attorneys review all documentation, down to the most innocuous signature card, and regularly consult with the board. Internal auditors provide reports to the board on the bank’s operations, and external auditors review those findings. Customers are warned repeatedly about the risks of investing in speculative stocks.

Kuhl has even put two consultants from the National Supercomputer Center at the nearby University of Illinois on retainer. Their job: to try to hack into his Internet bank. “All it takes is one instance where management has done something wrong, and the board can be sued” for poor oversight, he says.

Despite the relatively good times, the number of suits being filed against bank directors and officers has crept up during the past 18 months. If the industry’s boom turns to bust, the liability trickle could become a flood. “With the current climate, there’s a great temptation at the board level to get complacent,” says Dan Bailey, a partner specializing in D&O liability for Arter & Hadden in Columbus, Ohio. “But when things do turn, the board that steps in and starts acting then might find that it’s too late.”

While all corporate directors are vulnerable to lawsuits, the standards are especially high for those sitting on bank boards. The reason: Banks are responsible for safekeeping the public’s deposits and enjoy a limited government-granted monopoly. If an institution’s fortunes sour, “directors face total liability,” says Bob Calvert, president and owner of Roswell, Georgia-based Calvert Consulting and a former bank CEO and director. “It’s not only their investment in the bank that’s at risk. Their personal and business assets are attachable by the regulators.”

The advent of new bank-based products and technologiesu00e2u20ac”Internet banking, online brokerage, insurance sales, and the likeu00e2u20ac”combined with a virulent strain of shareholder activism, have increased the potential for D&O lawsuits. “Banks have gone through a tremendous metamorphosis over the last couple of years, moving into nontraditional areas in an effort to grow the bottom line,” explains Jack Flug, a managing director for insurance broker Marsh Inc. “But there are [business lines] where directors haven’t done their homework and those

haven’t been the right fit. When that happens, you can see D&O litigation.”

Of course, some directors say they aren’t that concerned. Bill Ware, executive vice president and a director of Amarillo National Bank, notes that his family-owned Texas institution has no outside directors. “We’re here every day, working at the bank, so we’re aware of what’s going on,” he says, adding that the steady stream of examiners and auditors that traipse through his $1.1 billion bank’s doors each year actually give him an ironic sense of comfort. “We have a lot of people helping us,” Ware says with a chuckle.

Still, many inside directors say the sense of rising risk is a sensitive issue. For outside directors, many of whom accept a board seat for the prestige or to serve their communities, the liability potential can amount to a surprising slap in the face. “With all the laws that banks operate under these days, it can get a little scary,” says Tod Dawson, a First Busey director and CEO of Insurance Risk Managers, Ltd., a Champaign, Illinois insurance agency.

Fortunately, there are steps that boards can take to shield themselves from liability. A flood of new carriers has made D&O insurance cheaper than ever, and simply taking the time to be diligent and thoughtful when making strategic decisions, asking lots of questions and seeking the opinions of outside advisers when needed, can go a long way toward dodging bullets. Even with those comforts, however, directors sometimes feel tenuous about how safe they really are.

Regulatory scrutiny Banks directors and officers have always been open to lawsuits for breach of fiduciary duty arising from negligence or misrepresentation. Today, however, the potential for employee suits, regulatory actions, and securities litigation can leave them feeling like they are walking a litigation minefield.

Few things are more daunting than the regulatorsu00e2u20ac”both because they wield loads of power and because D&O liability insurance sometimes excludes penalties meted out by the Federal Deposit Insurance Corp., the Office of the Comptroller of the Currency, or other agencies.

Calvert recalls the recent example of a Florida CEO who opened a brokerage account in the Midwest and decided to treat his bank’s investment portfolio as his own hobby. After racking up $325,000 in losses, a new chief financial officer discovered the discrepancy. The CEO wound up in federal prison, and each of 12 directors was required to pay $25,000 in civil money penalties out of their own pockets for malfeasance of duty. “The board investment committee didn’t have the limits, nor did they require regular reports or the checks and balances in the portfolio that they should have,” he says.

Such enforcement actions aren’t as rare as one might think. Insurers say about 10% of all D&O litigation involves regulatory involvement. Today, nowhere is the risk more apparent than with the dreaded Y2K.

Most banks reportedly are confident that they have licked computer problems tied to the changeover to a new millennium. But insurers and regulators still expect trouble. Speaking at an ABA conference last fall, Sandy Comenetz, the FDIC’s counsel for year 2000 matters, warned that the agency “has the option” to pursue liability lawsuits against directors if a bank fails because of the Y2K bug. Inside directors, she said, could be sued under the simple negligence rule, while outside directors could be liable under gross negligence standards.
Even directors and officers of banks that experience only temporary closures due to Y2K issues could face civil money penalties on the same grounds, Comenetz added. “An uninvolved director cannot claim protection” from a lawsuit, she said.

Shareholder actions

The Securities and Exchange Commission is watching companies more closely, too. In recent years, the SEC has clamped down on public companies’ efforts to manage earnings to meet
analysts’ expectations. And it’s coming down hard on those who selectively disclose important information to analysts or big investors, but not the masses. “The SEC is working hard to create a level playing field for small shareholders,” attorney Bailey explains.

As daunting as the regulators might be, shareholders can be even worse. Well over 50% of all D&O claims today come from securities actions. A study by National Economic Research Associates found that in 1998 alone, 261 class-action suits were filed against boards and/or officers, usually in response to declining stock prices. Today, a publicly traded company’s directors are about 25% more likely to be sued than just three years ago.

The good news for bank directors is that only 7% of the securities suits filed in 1998 were against banks. Still, that’s 18 cases and the message is clear: If your stock drops sharply, you could get sued. And that, more than likely, will mean a settlement at the very least. The NERA figures show that of 1,349 shareholder class actions filed between January 1991 and June 1998, only 16% were dismissed, while 83% were settled out of court. The price tag: a staggering $9.2 billion, according to NERA estimates. Flug estimates that as many as 95% of bank suits are settled before reaching trial.

What can spark a securities suit? Pretty much anything that impacts the bottom line. Higher-than-expected expenses, a big loan gone bad, or overly optimistic revenue projections can trigger an earnings and stock price shortfallu00e2u20ac”and a lawsuit.

For banks’ shareholders, and the board, Y2K concerns pose the biggest risk right now. “It’s the absolute, number-one bogey on directors’ radar screens for the remainder of the year,” says Evan Rosenberg, vice president of financial institutions at insurer Chubb & Sons. “The public is nervous, and that raises the risks.”
Tom Zacharopoulos, a Marsh senior vice president, offers the scenario of a bank that spends $3 million to address Y2K issues in-house, rather than hire outside advisers. The changes are tested and appear to work, but when the changeover occurs, the system collapses. “Now you’ve got to get consultants in, and it will cost $30 million and take six months to fix.” During that time, half of the bank’s customers flee, and share prices drop from $35 to $2. “You’ll see a big D&O lawsuit alleging, ‘You guys misrepresented that you were on track, and now shareholders have lost a ton of money.’ ”
Far-fetched? Nope. Indeed, D&O liability resulting from Y2K system failure could stretch beyond the bank’s own systems to those of its customers. If a third-party vendor or large corporate borrower winds up suffering from Y2K troubles, a bank’s directors could be sued by shareholders for that, too. “Even if it was a great-performing loan as of the fourth quarter of 1999, if they go out of business and the loan goes bad, you could be liable,” Flug points out.

Liability triggers

Up to this point, most of the securities actions have emerged out of mergers or acquisitions that have failed to produce as advertised. Here, even the big guys aren’t immune. First Union Corp., which has had trouble digesting its 1998 acquisition of CoreStates Financial Corp., failed to meet earnings expectations in both the first and second quarters of 1999. Since reaching a high of near $66 last August, First Union’s share price has plummeted to as low as $37. The result: A fistful of class-action suits filed on behalf of shareholders.

“Whenever you have a change-in-control transaction, someone [on either the buyer’s or seller’s side] is probably going to be unhappy,” Bailey says. Directors are on the hot seat in those deals and can be subject to allegations that they didn’t conduct adequate due diligence. In July, for instance, shareholders filed two class-action suits against National City Corp.’s directors, saying that the Cleveland company’s recent agreement to acquire credid card processor National Processing Inc. was to “the detriment of… public shareholders,” and that directors failed “to exercise independent judgment” in approving the deal.

Given the current climate, “directors have to be super-cautious when it comes to making acquisitions,” agrees attorney Ron Glancz, head of the financial institutions group at the Baltimore law firm Venable, Baetjer & Howard LLC. “Any time you have securities offerings, there’s increased liability to directors, because you have public disclosure. They need to ask a lot of questions of their legal counsel and financial advisers.”

M&A deals also have opened the door to suits from jaded

ex-employees who are promised positions in the post-merger institution, only to be shut out. Other employee suits, charging harassment, discrimination, or wrongful termination are on the rise, too, observers say. Accused officers are often the subject of such suits, but directors, too, can be charged with failing to provide proper policies or oversight.
And if that’s not enough, customers and their proxies are becoming more assertive. New technologies that allow banks and others to slice, diceu00e2u20ac”and shareu00e2u20ac”proprietary insights on customers and their finances have made privacy a red-flag issue. In July, U.S. Bancorp was sued by the State of Minnesota for allegedly selling information on nearly one million customers to a marketing firm. The case was settled out of court, after the Minneapolis-based bank, while admitting to nothing, agreed to stop sharing information and to pay $3 million. Attorneys predict more such suits. (See For Your Review, page 10.)

New products and services pose much the same risk. If someone breaks into your bank’s website and makes off with money and customer information, who’s responsible? It’s not clear yet, but rest assured that some customers, not to mention shareholders, will blame the bank. The same could go for brokerage operations. If the bank (or its outsourcing partner) executes a trade for a client in a speculative stocku00e2u20ac”even if it’s unsolicitedu00e2u20ac”the institution could be held liable if the price of those shares tank.

It’s true that the bank, not its directors or officers, is more likely to be named in such suits, but if the cost of a settlement gets big enough to adversely impact earnings, a D&O suit could follow. “We’re living in a very litigious society, and any time a board’s action (or inaction) has a material impact on the bottom line, it sparks a suit,” says Jason Hawkins, an assistant vice president for Reliance National Insurance Co.

Protective measures

There’s no getting around it: It’s almost impossible to dodge the vast array of liability threats now confronting the average bank’s management and board. Fortunately, diligent directors can shield themselves from most personal liability with some thoughtful preparation and foresight.

The obvious first step is D&O liability insurance, which a soft market has made cheaper and easier to get than at any other time in recent memory. A decade ago, the savings and loan crisis and other factors made D&O insurance tough to come by as well as expensive. In recent years, however, stepped-up competition has pushed rates to their lowest levels ever.

In 1998, the average bank paid $14,366 annually for each $1 million in D&O coverage, according to a study by Marsh. Premiums were greater for higher coverage limitsu00e2u20ac”about $29,000 per-million for policies offering more than $100 million in limits, compared to about $18,000 per million for levels between $50 million and $100 million (see Figures 1 and 2).

Most D&O policies offered today cover Y2K-related problems, which is crucial. And many banks have taken advantage of the soft market to purchase multiyear, blended policies, which lock in a variety of related coveragesu00e2u20ac”D&O, employment practice litigation, professional liability, and moreu00e2u20ac”with higher limits for up to three years. According to the Marsh study, 48% of banks have multiyear D&O policiesu00e2u20ac”well above the all-industry level of 29%. Some experts warn, however, that while blended policies seem efficient on the front end may not be so when it really countsu00e2u20ac”when the personal liability of the directors and officers is at stake. If a large claim, such as an employment-related class-action suit occurs within the coverage period, it could eat up the limit amount quickly, leaving the directors’ portion bare for future claims.

How important is D&O liability insurance? That’s a matter of debate. While First Busey CEO Kuhl doesn’t expect to use his policy from Cincinnati Insurance Co., it’s nice to know it’s there. “The risk is that someone will sue you frivilously,” he says. “That’s where I feel comfortableu00e2u20ac”not having it to pay off if we’re found guilty, but to [help] defend us against someone who thinks they can make a quick buck suing us.”

Dawson, the Busey director, is more emphatic: “With all the risks, I don’t think that I would be willing to serve on the board if it didn’t have [insurance].”

Most directors feel the same way. But Chubb’s Rosenberg cautions that insurance should be viewed as “just one leg of the stool,” that includes aggressive risk-mitigation policies. And Calvert says that D&O insurance often provides directors with a false sense of security. Many policies exclude regulatory actions, for instance, and most won’t cover “derivative” actions (where an employee or shareholder sues directors on behalf of the company). None cover criminal actions or gross negligence.

“If you want to prevent liability, forget the D&O insurance,” he says. “The main thing is, know what’s going on in your bank, monitor it, and have the right kind of systems in place so that when you have something out of kilter, you’re able to identify it and fix it.”

Managing the risk

Under the law, directors and officers are afforded protection from many lawsuits emerging from poor decisions by the so-called business judgment rule. But interpretations of the rule have changed over time. Where once directors could merely say they made a business decision that appeared to be prudent, now it must be supported by documentation that the decision was made in good faith, with the proper due diligence and counsel and that it aimed at benefiting shareholders.

The foundation for such proof is found in management and board processesu00e2u20ac”the “M” in the CAMELS ratings all banks are assigned by regulators. Boards that focus intently on those areas, asking insightful questionsu00e2u20ac”and capturing the diligence of their deliberations in their minutesu00e2u20ac”might not be any less likely to face a lawsuit. But they will be much more likely to prevail in court, experts say.

“[Bank] directors are still going to make mistakes, and they’re still going to get sued. That’s part of the business,” Rosenberg says. “But if they have a solid paper trail that shows they did everything a reasonable, prudent person would do, they have a solid defense.”

Start with the basics of long-term strategic planning. What business lines is the bank entering, and why? How will it spend its marketing dollars? How will the board measure the progress of bank initiatives? Updating that blueprint annually, and determining how its success will be gauged, are important indicators of a board’s rigor and diligence and could prove valuable in any legal defense.

So, too, is implementing appropriate policies and procedures. While it’s management’s duty to run the bank’s day-to-day operations, the board is responsible for providing guidance, direction, and ground rules that it and management understand. “Adequate policies that make sense and are written in easily understood language are critical,” Calvert says. “If you have a lot of ‘bankerese’ in there, and the director who sits on the loan committee doesn’t understand it, you could be in trouble.”

Ironically the group most responsible for protecting directors from liability is the board itself. Directors are most likely to be sued when their bank begins offering new noncore products and services that they don’t understand and can’t manage. Do you have reasonable expectations for the product? Have you agreed upon how to measure success or failure? “If [a product or service] is not on the radar screen, and there aren’t good controls or experienced management, that’s where you can get into trouble,” Glancz says.

Most banks, for instance, now offer brokerage products and services, many of them on an outsourced basis. To directors, the distinction between the bank’s main business and what the outsourced provider offers may seem cut-and-dried, and they might feel comfortable leaving management of that operation to the provider. But the customer who loses money trading a speculative stock could view the bank and service provider as one in the same, since the relationship was initiated under the bank’s corporate umbrella.

“As an outside director, you have to ask what liability the bank [incurs] having an outsourced business under its roof,” Dawson says. And watch for conflicts of interest. First Busey once had an officer-owned travel agency operating under its corporate umbrella. As the business grew, directors raised questions. “I said, ‘Hey, we’ve got a conflict of interest here,’” Dawson recalls. Eventually, the bank took over the business itself. “Sometimes you can get so close to things, you don’t see that there might be a conflict.”

Prodding these fronts is the board’s responsibility. Another example is Internet banking. While directors aren’t expected to understand the code by which their bank’s computers run, they are required to have a good understanding of its implicationsu00e2u20ac”and to have made a demonstrable effort to educate themselves. For banks that haven’t done so already, Glancz recommends devoting a meeting specifically to technology issues. “I’ve heard some board members say, ‘Well, look, I don’t understand this.’ That’s not a good answer,” he says. “Directors need to bring in senior management and the techies to explain what they’re doing and how it works.”

Ask tough questionsu00e2u20ac”lots of themu00e2u20ac”to make sure you understand what’s going on, Glancz adds. “And if you don’t [understand], then make them simplify it enough so that you do, because you’re on the hook for it, and if you don’t understand it, you shouldn’t be doing it.” Also, make sure those deliberations are noted thoroughly in the board’s minutes. Many boards have good debates, but the minutes show only consentu00e2u20ac”a mistake that could come back to haunt them.

Lending and fraud remain two other areas of vulnerability. All banks have external auditors, but does yours have an internal auditor to serve as the eyes and ears of the board, watching for embezzlement and other forms of employee misconduct? Does it have a solid loan review program to monitor loan quality? Once a loan is approved, many banks stick it in the drawer, dealing with it only if it’s past due. Is there a mechanism in place to watch borrower cash flows? “The first sign of trouble for most loans isn’t when it becomes past due,” Calvert says. “It’s when [the borrower] overdraws his checking account.”

The voice within

These points might sound like common senseu00e2u20ac”and they areu00e2u20ac”which brings us to the best defense of all: your own instincts. Many directors are already successful business leaders with their own experiences to draw on. “If you don’t understand something, or your instincts tell you there’s something wrong, then you have to pursue it,” Glancz says. “It’s not right to say, ‘I’m going to defer to [bank management] because I don’t know this area.’” Adds Calvert: “Your first and most important duty is to be independent. Don’t vote like your friends or blindly trust the CEO. That’s not what you were elected to do.”

Tough advice, to be sure. But as Dawson notes, these are potentially tough times for directors. “It’s very easy to defer to management,” he says. “But at the end of the day, I’m not a director to be a rubber stamp. I’m there to question practices I think we shouldn’t do, or ask why something is the way it is.” Drawing that line in the sand is the best defense directors have in the liability minefield.