Targeting the Board

Desperately Desires Direction

Well-mannered commercial bank in quiet town seeks intelligent, hard-working business professionals with a yen for risk taking to join its board of directors. Have you ever wanted to walk on the wild side? Let’s talk.

OK, so perhaps the job of recruiting independent directors will never become so difficult that publicly owned banks and thrifts will have to place personal ads in funky alternative newspapers, but the days when a directorship was deemed a cushy sinecure for retired executives who no longer wanted to work hard are behind us. The business of corporate governance has become exactly thatu00e2u20ac”a very serious business.

This dramatic change was begat, of course, by high-profile scandals in recent years at Enron Corp., WorldCom, and other corporate miscreants. The Sarbanes-Oxley Act, hastily passed by Congress in 2002 in a fit of reformist fever, was intended to return credibility to the financial statements of public companies. The law imposes stringent new accounting and control requirements and spells out in unmistakably clear language that boards of directorsu00e2u20ac”and audit committees in particularu00e2u20ac”bear ultimate responsibility for the integrity of their companies’ reported results.

There is more going on here than just the stated requirements of Sarbanes-Oxley. There also exists what one might describe as the “Sarbanes environment,” where the governance practices of public companies are receiving greater scrutiny from federal regulators, investors, and the plaintiffs’ bar, even though Sarbanes-Oxley itself is not the driving factor. For example, well-publicized cases involving pay packages of former senior executives at Walt Disney Co. and the New York Stock Exchange have suddenly put the compensation committee under an uncomfortable spotlight.

Because much of Sarbanes-Oxley was modeled closely on the Federal Deposit Insurance Corp. Improvement Act of 1991, conventional thinking holds that it’s something of a nonevent for the banking industry. But banks and thrifts with fewer than $500 million in assets were exempt from FDICIA. Now, regardless of their size, all public institutions must comply with Sarbanes-Oxley. It’s likely that even private banks and thrifts will eventually feel pressure from federal regulators to adopt many of the law’s directives. Approximately 8,500 of the country’s 9,500 insured institutions fall below the $500 million thresholdu00e2u20ac”which suggests that over time, Sarbanes-Oxley’s impact will indeed be quite significant.

For those institutions that must comply now, Sarbanes-Oxley raises the standard of care that directors must exercise in acting as fiduciaries, while greatly expanding the scope of responsibilityu00e2u20ac”and potential liabilityu00e2u20ac”shouldered by board members who agree to serve on the audit committee. The law also requires all publicly owned banks and thrifts to adopt stringent internal control policies and procedures intended to root out some of the reporting abuses that marked the Enron and WorldCom cases.

Less clear at this point is whether, over time, financial institutions will have greater difficulty recruiting board membersu00e2u20ac”particularly for the audit committee, where the workload has risen exponentially. No one is predicting that a crisis is imminent, but the higher expectations set by Sarbanes-Oxley could make it more challenging to attract new directors in the years ahead, especially if their liability increases exponentially as well. Says Lee A. Meyerson, a partner at the New York law firm Simpson Thacher & Bartlett, “Why would anyone want to be a director?”

Although Sarbanes-Oxley is a multifaceted piece of legislation that, for example, created a new Public Company Accounting Oversight Board (PCAOB) to regulate the accounting industry, its overall thrust is to restore integrity to the financial statements that public companies file with the Securities and Exchange Commission. And the new law makes it clear that senior management bears the greatest responsibility for the integrity of a company’s financial statements.

Section 302, which took effect on August 29, 2002, requires the chief executive officer and chief financial officer to “certify” in every quarterly and annual report filed with the SEC that the reports do not contain any untrue statement or omission of material fact. They also must declare that a system of internal controls is in place to make certain that all material information has been made known to them. Furthermore, management must evaluate the effectiveness of those financial controls during each reporting period and include their findings in their company’s 10-Q and 10-K reports. Sarbanes-Oxley establishes a maximum fine of $1 million and jail time of up to 10 years for CEOs or CFOs who knowingly file a false certification. For willful violations, the potential fine and imprisonment jump to $5 million and 20 years.

Section 404 of Sarbanes-Oxley also requires that each annual report filed with the SEC include a section on internal controls that not only presents management’s conclusions about the effectiveness of those controlsu00e2u20ac”but also carries an attestation by the company’s external auditing firm that it agrees with management’s conclusions. This section doesn’t take effect until June 15, 2004, which means that companies that file their reports on a calendar-year basis won’t have to comply until yearend 2004.

Much has been made of the similarity between Sections 302 and 404 of Sarbanes-Oxley and Section 36 of FDICIA, implying that many commercial banks and thrifts are already in compliance with the new law. But this greatly oversimplifies the situation as it exists today. Banks that have had to comply with FDICIA for the past 12 years will have the basic control structures in place, but will still have to review their compliance efforts closely to make sure they satisfy Sarbanes-Oxley. “A lot of what they’ve done looks stale,” says Anthony Sirica, national director of risk consulting and advisory services at Chicago-based BDO Seidman LLP. One contributing factor seems to be that many bank examiners at the various federal regulatory agencies did not make Section 36 a priority. “There were varying degrees of interest by the regulators in FDICIA,” says a partner in the consulting operation of a regional accounting firm.

FDICIA also did not apply to the nonbank subsidiaries of bank holding companies, nor to bank subsidiaries under the $500 million threshold level. The law gave bank holding companies the option of extending FDICIA’s provisions to these exempt operations, although bank regulators and outside auditors say that many holding companies chose not to. All subsidiaries of a public bank, however, will have to meet the requirements of Sarbanes-Oxley.

Unfortunately, many public banks with fewer than $500 million in assets will have to do much more to gear up their Sarbanes-Oxley compliance efforts, depending on what their past practices have been. “They have some work to do,” says Jeff Ott, a partner at the Grand Rapids, Michigan-based law firm Warner Norcross & Judd LLP. “I don’t think they are prepared for this, although I do think they are getting better.” One federal regulator points out that the Office of Thrift Supervision has required all public thrifts regardless of size to have an independent auditing committee, and for that committee to have a financial expert. “I can’t think of a board that doesn’t have one,” the regulator says.

Sarbanes-Oxley also requires public institutions under $500 million to have a financial control structure in place to ensure that material information is not omitted from their financial statements and that false information does not get in. It’s the job of the internal auditor to determine, through a process of control testing, that procedures are being adhered to and that control mechanisms are working properly.

The law prohibits accounting firms from simultaneously providing external and internal auditing services to the same company, so small public banks will have to split up the assignments among different firms or bring the auditing function in-house. Ott says that depending on the size and complexity of the bank, it may not make economic sense to hire an auditor, since there might not be enough work to justify a full-time position, and also that smaller institutions may find it difficult to pay competitively. Whichever way they go, small public banks will see their compliance costs jump under Sarbanes-Oxley. “It is going to be more expensive,” says Ott. “That’s the bottom line.”

For those small institutions that lack the necessary financial control environment, Sirica suggests they begin with a thorough risk assessment of all their significant processes and the financial data they create. This should include any process within the bank that produces numbers that eventually find their way into an SEC filing. He also advises them to look at what procedures are in place within individual business units, and to examine the control policies they have in place. A simple example would be requiring at least two signatures on all checks over a specified amount. Finally, the bank must build its control structure to whatever extent necessary, then determine through control testing whether the overall structure is effective. This last phase is complicated by the fact that by mid-September, the Public Company Accounting Oversight Board had yet to issue its final rules on control testing, according to Sirica.

Because Sarbanes-Oxley’s annual auditing and reporting requirements apply only to public companies, private banksu00e2u20ac”defined as institutions that do not file financial statements with the SECu00e2u20ac”are exempt from its provisions. But that state of grace might not last indefinitely. In March of this year, the FDIC released a letter that implied the agency wanted all 5,500 banks under its direct supervisionu00e2u20ac”including private institutionsu00e2u20ac”to adopt many of Sarbanes-Oxley’s provisions. In May, the OTS, Comptroller of the Currency, and Federal Reserve Board announced jointly that they would not apply Sarbanes-Oxley’s requirements to private banks under their supervision. The FDIC seemed to relent two months later when it sent a letter to various banking trade associations indicating that it would not impose those specific reforms on private banks either.

But in interviews with Bank Director, regulators at the OTS and FDIC stressed that many of Sarbanes-Oxley’s provisions are vital to the safety and soundness of every financial institution. “The reality is that good corporate governance [and] good internal control procedures have always been a part of our oversight,” one senior FDIC official says. “[Private banks] don’t get a bye.” Clearly it is within the authority of the FDICu00e2u20ac”which oversees the most private banks of any federal bank regulatoru00e2u20ac”to extend Sarbanes-Oxley’s auditing and governance requirements to all banks. And there seems to be a widespread belief within the banking industry that this will gradually occur.

“We’ve spoken to a couple of banks under $500 million [in assets] that aren’t public and they want to do this because they figure it’s coming,” says Sirica.

Ott makes the argument that private banks should consider adopting the Sarbanes-Oxley provisions if they intend to grow and go public at some point, or if their long-range business plans include the option of selling out to a large public bank. A private institution’s financial results will have to be incorporated into the acquirer’s financial statements on a pro forma basisu00e2u20ac”and both its CEO and CFO will have to certify that those numbers are correct. Smaller banks that lack a robust financial control structure might find they are suddenly less attractive as takeover candidates.

One private institution that is well prepared for Sarbanes-Oxley is Los Angeles-based American Business Bank, a $350-million commercial bank established in 1998. “When we started this company, I set things up so we would have these things in place, because we planned on growing quickly,” explains Vice Chairman and Chief Operating Officer Wes Schaefer, who also serves as the company’s CFO. For instance, the bank has a system of internal controls in place and has complied with various provisions concerning the makeup and duties of the audit committee. Schaefer says that maintaining good auditing and governance practices is just good business. “And the reality is that the FDIC, your primary regulator, wants you to be in compliance with all the important aspects of Sarbanes-Oxley,” he adds.

If management bears the greatest responsibility for ensuring the integrity of financial statements, then Sarbanes-Oxley makes it equally clear that the board of directorsu00e2u20ac”and the audit committee most of allu00e2u20ac”is responsible for supervising management’s performance. The law also firmly establishes the concept of independence for external auditors with another set of requirements that took effect in January 2003.

The audit committee now has the direct responsibility for the appointment, compensation, and oversight of a company’s outside accounting firm. In a departure from what had been a common practice for years, external auditors are now prohibited from concurrently providing their corporate clients with nonaudit consulting services unless the audit committee has approved the assignment in advance. Outside firms may no longer withhold material information from the board of directors and are required to make timely reports to the auditing committee.

Sarbanes-Oxley also mandates that each member of the audit committee be an independent director. And all public companies must disclose in their annual financial statement whether the audit committee includes at least one director who qualifies as an “audit committee financial expert.” The law does not require that public companies have a financial expert on its audit committee, although they must disclose it publicly if they choose not to appoint such a person. The audit committee also must establish procedures to handle whistle-blower information from company employees regarding questionable accounting and auditing matters.

The job of managing the company’s relationship with its outside auditor and supervising its work has greatly increased the workload of audit committee members. “The information the committee is getting is just overwhelming,” says Roger W. Raber, executive director of the National Association of Corporate Directors in Washington, D.C. “I’ve seen [audit] committee [briefing] books 300 to 400 pages thick. It’s taking up so much time. I don’t think it’s good.”

Smaller public banksu00e2u20ac”particularly those that don’t happen to be located in or adjacent to large urban centersu00e2u20ac”may have trouble recruiting even one financial expert to serve on their audit committees. Ironically, the SEC modified its original definition of “financial expert” to enable more people to qualify, after receiving a slew of complaints. “Everybody threw up their hands and said no one could meet the requirements,” explains Meyerson at Simpson Thacher.

Even in their modified form, the criteria are exacting. To qualify as a financial expert, individuals must understand generally accepted accounting principals and corporate financial statements, have sufficient experience “preparing, auditing, analyzing, or evaluating” financial statements that they will be able to understand their company’s statements, be familiar with internal controls and procedures for financial reporting, and know how audit committees are supposed to function.

This requirement affects a significant number of banks, since a similar provision in FDICIA only applied to banks and thrifts over $3 billion in assets. Schaefer sympathizes with small banks in markets that don’t offer a large pool of qualified candidates. In the case of American Business Bank, the institution’s four-member audit committee already had someone who qualified as a financial expert. “We’re in Los Angeles and have 13 million people to draw from in the immediate area,” he says. “We’re OK with [the requirement], but I could see where it might be a problem.”

Some bank attorneys are concerned that audit committee members might face a higher level of liability under Sarbanes-Oxley than other board members. The law does create a safe harbor for financial experts on the audit committee, stipulating that their liability is no greater than any other board member. But it does not create a safe harbor for the audit committee itself.

Opinions on this question are mixedu00e2u20ac”and a clear answer must await the litigation that is sure to come. In an interview with Bank Director that also appears in this issue (see page 26), H. Rodgin Cohen, managing partner at New York-based Sullivan & Cromwell, raises the possibility that audit committee members could be singled out in shareholder suits. “I think it does create [more] liability,” he says. “There are various provisions in Sarbanes-Oxley, particularly the whistle-blower [provisions] and the up-ladder reporting by attorneys, which are going to create opportunities for the plaintiffs’ bar.”

For his part, Meyerson agrees that audit committee chairmen are more likely to be singled out in lawsuits, although he does not believe that Sarbanes-Oxley subjects audit committee members to a higher level of liability per se. “I’m not sure it’s reasonable for four or five directors to fully understand a company’s financial statements,” he says. Brian W. Smith, a partner at Washington, D.C.-based Mayer, Brown, Rowe & Maw and former general counsel at the OCC, says that even if audit committee members do have a greater level of liability, it doesn’t get the rest of the board off the hook. “I don’t think it absolves the other directors from the obligation to oversee the performance of this committee,” he says.

Indeed, Smith believes strongly that the entire board must have a far more thorough understanding of the company’s operationsu00e2u20ac”not only because of Sarbanes-Oxley, but also due to the overall environment that surrounds the issue of corporate governance today. For example, federal bank regulators recently have been focusing increased attention on the problem of operational risk and say it’s vital that all directors understand what their company’s material operations are and have a system in place to monitor them. “Ignorance of the situation in your institution is no longer a defense,” Smith says.

A tougher, less forgiving attitude toward corporate governance can be seen in other ways as well. The well-publicized contretemps involving a controversial $140 million compensation package of former New York Stock Exchange Chairman Richard Grasso, as well as a noted case involving ex-Disney President Michael Ovitz, has focused attention on the compensation committee. In the latter, a judge in the Delaware Chancery Court ruled in June that a shareholder suit filed against Disney over Ovitz’s outsized severance package after he left the company in 1997 could proceed to trial.

The judge found that if the plaintiffs are able to prove their case, it will suggest that the Disney directors were “consciously indifferent” to the terms of Ovitz’s agreement.

And both Meyerson and Cohen say that another emerging source of liability that could affect directors at public banks and thrifts stems from the Enron case. Citigroup and J.P. Morgan Chase & Co. agreed to pay SEC fines of $120 million and $135 million, respectively, over their roles in helping Enron manipulate its financial statements through a series of misleading financial transactions, involving complex derivatives, that were designed to inflate the company’s earnings.

Both attorneys say the SEC settlements make it clear that banks are now responsible for the actions of their counterparties. And as Meyerson notes, “It’s very hard to know what your counterparty is doing.”

Problems such as theseu00e2u20ac”combined with Sarbanes-Oxley itselfu00e2u20ac”are sure to make the lives of all directors at publicly owned banks and thrifts much more difficult in the years ahead. Indeed, it’s enough to make one wonder why anyone would want to be the director of a public company nowadays. Says Meyerson, “That would certainly be my reaction.”

Join OUr Community

Bank Director’s annual Bank Services Membership Program combines Bank Director’s extensive online library of director training materials, conferences, our quarterly publication, and access to FinXTech Connect.

Become a Member

Our commitment to those leaders who believe a strong board makes a strong bank never wavers.