The Big Debate: Should Bank Boards Approve Loans?

A majority of banks approve individual loans at the board level, but should they?  

Bank Director’s 2023 Governance Best Practices Survey indicates that while the practice remains common, fewer boards approve individual loans compared to just a few years ago. Sixty-four percent of responding directors and CEOs say their board approves individual loans, either as a whole or via a board-level committee, while 36% say the board approves loan policies or limits. Four years ago, 77% of respondents to Bank Director’s 2019 Risk Survey said their board approved individual loans.

In an environment that’s characterized by economic uncertainty and sluggish loan demand, does this additional layer of review create more risk? Or does it provide a level of assurance that the credit will hold up, should the economy tip into a recession? 

“There’s no firm rule that says a board should be or should not be involved in this decision,” says Brandon Koeser, a senior analyst at the consulting firm RSM US LLP. 

Boards at banks below $10 billion in assets are more likely to be directly involved in approving individual loans. Those loans may be less complex, and board members may be more likely to know the borrower’s character. While it’s valuable to have former lenders in the boardroom who can review loan packages, it can also help to include perspectives from directors with other types of business experience.  

“A lender is going to approach a loan differently than someone who may have been in the actual borrower’s shoes or may still be in a borrower’s shoes,” says Koeser. “They might even give management additional questions to think through when they’re going through that decision.”

Some bankers say the additional board oversight benefits their organization in other ways, by giving directors a clearer window into the risks and opportunities the bank faces. And while it may be more work for lenders, it also allows those bankers to look at the deal several times before it’s finalized. 

At Decatur County Bank, the $270 million subsidiary of Decatur Bancshares in Decaturville, Tennessee, the board approves individual loans over a certain size, says CEO Jay England. Many of the bank’s board members have at least a decade of experience in approving loans, and the board recently added a former banking regulator to its membership. Those directors’ collective experience provides valuable oversight for larger deals, he says.  

Lending has historically been one of the riskiest activities banks engage in and approving loans as a director carries some degree of risk itself. In the aftermath of the 2008 financial crisis, a number of bank directors and officers at failed banks were sued by the Federal Deposit Insurance Corp. for loans they had approved that later went bad. 

If directors could be held liable for bad loans, England says, they “should be getting a look at the decisions we’re making.” 

But that doesn’t mean there isn’t room for some improvement. The bank revamped its lending and approval process several years ago, he says. As part of that, it adopted a board portal. Bankers upload loan packages into that portal so board members can review them on their own time in between meetings. 

The $1.5 billion Cooperative Bank of Cape Cod moved away from loan approvals by the board as part of an overall shift toward an enterprise risk management structure, says Lisa Oliver, CEO and chair of the Hyannis, Massachusetts-based bank. It created an internal loan committee staffed by bank officers — including the chief credit officer, chief risk officer, chief financial officer and chief strategy officer, along with Oliver as CEO — to approve credits and undertake a deeper analysis of the bank’s credit portfolios, trends, policies and risk tolerances.  

At the board level, the bank folded its loan, finance and IT committee functions into one enterprise risk management committee. That committee’s responsibilities around credit include monitoring portfolios for concentration risk, and reviewing each of the bank’s lending areas for trends in delinquencies, nonaccrual rates and net charge-offs. 

Loans up to $2.5 million are approved by the bank’s chief credit officer. Loan relationships over $2.5 million are sent to the bank’s internal loan committee for approval, and relationships over 15% of the bank’s total capital move to the board for ratification, says Oliver. In this context, the committee isn’t digging into the merits of a deal to approve a specific credit. Rather, the board sees an executive summary of the loan to evaluate its impact on concentration risk limits, risk rating levels and construction loan limits. 

Reading one single loan package can take 45 minutes to an hour for a seasoned credit professional, and Oliver says that moving to this structure has freed up board members’ time and resources to focus on the larger picture of risk management and strategy. 

“Everyone’s time is valuable. I don’t want my board to have to spend time reading these deals,” Oliver says. “What I need to do is elevate them out of management, which is really approving loans, and get them into their seat as risk oversight: approving policies, understanding trends, looking at concentrations and developing risk appetites.” 

Governance issues like these will be covered during Bank Director’s Bank Board Training Forum in Nashville Sept. 11-12, 2023.

Article updated on Sept. 15, 2023, to clarify approvals at Cooperative Bank of Cape Cod.

9 Ways to Do Executive Sessions Right

After a long day of meetings, many directors would prefer to adjourn rather than continue on to executive session. Executive sessions are nothing more than a shapeless time slot at the end of the regular board agenda, right?

No. Executive sessions are an important part of good corporate governance. But executive sessions are only worth having when directors take the time to do them right. Below are nine considerations to keep in mind to maximize this time.

1. Executive sessions should be a priority, not an afterthought. Lead independent directors should always include a time slot on the board meeting agenda for executive sessions. They should also take the time to stress to the directors the importance of staying for and participating in executive sessions. Many companies fail to hold effective executive sessions because they don’t leave enough time for them, so make the time.

2. Lead independent directors should use the agenda effectively. Staying in touch with the management team between meetings is useful. Independent directors should use those discussions to compose a short-form agenda for each executive session.

Executive sessions are not simply a time to talk about the management team members in their absence. Executive sessions provide a valuable forum for open discussion on a host of topics on independent directors’ minds.

3. The CEO should be included in (and then excluded from) executive sessions. At the onset of an executive session, the non-CEO management team members should recuse themselves. It can be very useful to include the CEO in the first portion of the executive session. And it can be just as useful to exclude the CEO for the rest of the session.

4. The board of directors should adopt a formal executive session policy. The policy should set forth how executive sessions should be conducted. Having a formal policy can eliminate ambiguity, foster trust and make the sessions more productive.

5. Lead independent directors should always keep minutes of the executive sessions and make sure the board gets credit for holding the sessions. The minutes should only generally indicate that the session occurred and summarize the topics discussed. When making a formal decision, the director should keep more detailed minutes.

The director should maintain the minutes appropriately. Inherently, sensitive topics may be discussed in executive session. Knowing this, many companies ask their independent lead director or outside legal counsel to serve as the custodian of executive session minutes to preserve the confidentiality of the matters covered.

6. Post-meeting reporting should be done regularly. After each executive session, the lead independent director should report back out to the CEO on any matters that warrant the CEO’s attention. This reporting-out mechanism ensures there will be follow up to important workstreams and helps to build, rather than erode, the management team’s trust.

7. Leverage all resources. As with any meeting, directors meeting in executive session benefit from having all resources at their disposal. Independent directors should always consider asking management to prepare materials on the agenda’s topics. Using outside presenters is an effective way to bring other expert perspectives to the session.

8. Participants should be encouraged to collaborate but never to conspire. The CEO and the management team should be included in helping the independent directors give shape to the executive sessions and in assisting the directors in following up on the sessions.

Take measures to make clear to management that the sessions are not merely gossip time for the directors to discuss the management team. Rather, the sessions are another forum for independent directors to develop consensus to guide the company for the benefit of all its constituents.

9. The lead independent director and the CEO should follow up on the key executive session discussion points. Follow-up can include board training, policy changes and management presentations — even a topic that makes its way onto the agenda of the next regularly scheduled board meeting.

Finally, and maybe most importantly, directors do not need to meet in executive session for a long period of time when there are not any matters that warrant their extended attention. However, it is important to take the time to initiate an executive session to offer up the opportunity for candid discussion, regardless of the topic.

2023 Governance Best Practices Survey: Complete Results

Bank Director’s 2023 Governance Best Practices Survey, sponsored by Barack Ferrazzano’s Financial Institutions Group, surveys 195 independent directors, chairs and CEOs of U.S. banks under $100 billion of assets. Topics explored this year include risk oversight, director liability and board composition.

The results find that the vast majority of bank board members and CEOs believe their board proactively addresses the risks and opportunities facing their institutions, and that issues and challenges are adequately reflected in the board’s agenda. But a lack of various skill sets and knowledge could mean the board is ill-equipped to ask questions about key risks or business opportunities at a time when the operating environment looks increasingly tough.

The survey, which regularly explores the fundamentals of board performance, was conducted in April and May 2023. Members of the Bank Services program have exclusive access to the full results, including breakouts by asset category and ownership structure.


Key Findings

Focus On Asset/Liability Management
A majority of respondents (83%) say their board revisited its asset/liability management policy over the past 12 months. Almost all (93%) believe their board is somewhat or very effective at monitoring asset/liability risk.

Stamp Of Approval
Sixty-four percent — primarily representing banks below $10 billion in assets — say their board approves individual loans, either as an entity or via a board-level committee, while 36% say their board approves policies and limits but not individual loans.

Finding New Board Members
Fifty-six percent say their board or governance/nominating committee cultivates an active pool of potential board candidates, while over a third (34%) say it does not. When asked what their board does to attract new potential directors, many share in anonymous comments that they rely on personal networks or referrals from existing board members.

Turnover In The Boardroom
Almost half (49%) say that one or two new directors have joined their board since January 2020, while 22% say that three or four new directors joined in that time. Twenty percent say that no new directors have joined their board in that three-year period.

Dialing Up Diversity
More than half (57%) of respondents say their board has three or more diverse directors, as defined by gender, race or ethnicity — up slightly from last year’s survey. Another 36% this year say their board has one or two directors who fit that definition.

Zooming In
Eighty-three percent of all respondents say their board has established guidelines around virtual meeting attendance.


2023 Governance Best Practices Survey Results: Equipping the Board for a Tough Environment

The vast majority of bank board members and CEOs believe their board proactively addresses the risks and opportunities facing their institutions, and that issues and challenges are adequately reflected in the board’s agenda. But a lack of various skill sets and knowledge could mean the board is ill-equipped to ask questions about key risks or business opportunities at a time when the operating environment looks increasingly tough.

Many boards, particularly at smaller banks, could be lacking expertise in critical areas that may be needed to address today’s challenges, according to Bank Director’s 2023 Governance Best Practices Survey, sponsored by Barack Ferrazzano’s Financial Institutions Group. Many respondents representing banks below $1 billion in assets see gaps in board-level expertise around risk, regulations and technology. Overall, just a third say their board possesses cybersecurity expertise, while 95% say their board has finance and accounting experience.

Given the nature of the industry, accounting and audit expertise aren’t likely to be overrepresented on bank boards, says Robert Fleetwood, a partner in the Financial Institutions Group at Barack Ferrazzano. “The risk of not having specific technology or cyber expertise is that you don’t have someone overseeing management that understands the lingo and knows if what’s getting done is appropriate,” he adds. “You’re gonna have a board that might not have a true understanding of the possible significance of [data breaches or email hacks] and the practical effects of how to fix it if there is an issue.”

Respondents feel confident about their board’s ability to monitor risk, with 94% calling their board very or somewhat effective at executing that responsibility. When asked about duties specific to risk oversight, 81% say the board reviews, approves and monitors the bank’s risk limits, and 73% say they hold management accountable for adhering to the risk governance framework. Two-thirds say their board reviews and approves the bank’s risk appetite statement, which defines the level and types of risk a bank will take on.

While the board can’t be expected to be experts on everything, a diversity of professional backgrounds can help the board as a whole ask better questions and provide a credible challenge to management. In anonymous comments, an independent director at a Midwest public bank offered this view: “Director expertise is essential.”



Does Your Board Need More Cyber Expertise?

Despite continued and growing anxiety around cybersecurity, boards have long struggled to understand the intricacies of the bank’s security efforts. Instead, they have often left it to the technology and security experts within the institution. But with increased scrutiny from regulators, a shift toward proactive oversight at the board level may be in the works.

According to Bank Director’s 2023 Risk Survey, 89% of bank executives and board members reported in January that their institution conducted a cybersecurity assessment in 2021-22. In response to that assessment, 46% said that the board had increased or planned to increase its oversight of cybersecurity moving forward.

Ideally, that could have the board taking an active oversight role by asking pointed questions about the threats facing the organization and how it would respond in various scenarios. In order to do that, boards could look to add cybersecurity experts to their membership.

For public banks, a requirement to make known the cybersecurity expertise on the board is expected to go into effect soon. The Securities and Exchange Commission announced last year that public companies would need to disclose which board members have cybersecurity expertise, with details about the director’s prior work experience and relevant background information, such as certifications or other experience. The SEC adds that cyber expertise on the board doesn’t decrease the responsibilities or liabilities of the remaining directors. The proposed rules, which also include expectations around disclosing cyber incidents, were first expected to go into effect in April 2023.

The demand for cyber expertise in the boardroom “will eventually trickle down to all community banks,” predicts Joe Oleksak, a partner focused on cybersecurity at the business advisory firm Plante Moran. “Very few [people] have that very specific cybersecurity experience,” he continues. “It’s often confused with technology experience.”

Last year, Bank Director’s 2022 Governance Best Practices Survey found 72% of directors and CEOs indicating a need for more board-level training about cybersecurity. The previous year, 45% reported that at least one board member had cyber expertise.

Often, bank boards seek cyber expertise by adding new directors with that particular skill set; other times, a board member may take ownership over the space and learn how to oversee it. Both approaches come with significant hurdles. An existing board member may not have the extra time required to become the board’s de facto cyber expert. An in-demand outsider may not be willing to financially commit to the bank; board members are typically subject to ownership requirements.

Boards rely on information from the bank’s executives as part of the deliberation process. It’s common for directors to trust the chief technology officer, chief security officer or the chief information security officer to provide updates on cyber threats and tactics. But understanding the incentives and expertise of the executive would ensure that directors understand the value of the information they receive, says Craig Sanders, a partner of the accounting firm Moss Adams, which sponsored the Risk Survey.

Boards leaning on their CSO, for instance, need to understand that these officers solely focus on broad defense of the institution, which includes both physical and digital protection of the bank. The CISO, on the other hand, homes in on securing data. Meanwhile, the CTO should have a broad understanding of cybersecurity, but likely will not be able to dig into the weeds as they’re primarily focused on the bank’s technology.

A third party can help fill in the gaps for the board.

“If you have someone coming in that has seen hundreds of institutions, then you get a better lens,” says Sanders. An outside advisor can educate directors about common security threats based on what’s happening at other institutions. A third party can also provide an external point of view.

Some, however, hesitate in suggesting that a board should seek to add a cyber expert to its membership. “It’s going to taint your board or what the purpose of your board is,” says Joshua Sitta, co-founder and CISO at the cybersecurity advisor Sittadel. “I think you’re going to have a voice driving [the board] toward risk management.”

Sitta explains that those focused on cybersecurity will push for more security. But a board’s role is oversight, governance and providing a sounding board to executive management to keep the bank safe, sound and growing. Having cyber talent at the board level could discourage growth opportunities for fear that any new initiative could pressure security efforts.

Banks should ensure they’re protected against large breaches of critical data, says Sitta, but should avoid complete protection that has them investing to prevent every breach or fraud alert, no matter how insignificant. Understanding what’s a reasonable concern is important for the board to grasp. But cybersecurity experts within the company or advising the board should simply “inform” the board, according to Sitta. With that information, the board can then assess whether the bank has the risk appetite to add a debated service or investment.

Many boards, though, might not have a full awareness of the level of attacks the bank faces. In Bank Director’s 2022 Risk Survey, conducted last year, board members and executives were asked if their bank experienced a data breach or ransomware attack in 2020-21, with 93% noting that they had not. This could indicate that board members and top executives aren’t fully aware of the threats their bank faces on a daily basis, or that they could weather a threat soon.

“They get into a false sense [of security],” says Sanders. “Everyone is going to have some kind of disclosure. Assessing the program and making changes once a year probably isn’t sufficient.”

While 71% of respondents in last year’s Risk Survey said their board was apprised of deficiencies in the bank’s cybersecurity risk program, less than half — 42% — reported that their board reviewed detailed metrics or scorecards that outlined cyber incidents, and 35% used data and relevant metrics to facilitate strategic decisions and monitor cyber risk.

The lack of awareness of a threat or breach could give the board a sense of ease. But this could hold the bank back from making the shifts needed to protect from the largest attacks. Further, a board that remains unaware of the true rates of incidents could underestimate the imperative to build or adjust a cyber response.

Another factor that boards must consider is how they have long prioritized cybersecurity.

“A lot of smaller organizations view cybersecurity as a cost center,” says Oleksak. The 2023 Risk Survey found that banks budget a median $250,000 for cybersecurity, ranging from $125,000 reported for the smallest institutions to $3 million for banks above $10 billion in assets. “It’s like insurance. You understand that it’s not a revenue generation center, [but] ignoring it can significantly affect the organization.”

Resources
Bank Director’s 2023 Risk Survey, sponsored by Moss Adams, surveyed 212 independent directors, CEOs, chief risk officers and other senior executives of U.S. banks below $100 billion in assets to gauge their concerns and explore several key risk areas, including interest rate risk, credit and cybersecurity. Members of the Bank Services Program have exclusive access to the complete results of the survey, which was conducted in January 2023.

Bank Director’s 2022 Governance Best Practices Survey, sponsored by Bryan Cave Leighton Paisner, surveyed 234 independent directors and CEOs of U.S. banks below $100 billion in assets to explore governance practices, board culture, committee structure and ESG oversight. The survey was conducted in February and March 2022.

Risk issues like these will be covered during Bank Director’s Bank Audit & Risk Conference in Chicago, June 12-14, 2023.

Banking’s March Madness Postgame

After every significant banking crisis, it becomes clear what transpired and how it could have been avoided.

There are two key takeaways from the March bank failures that directors and their senior management team should capitalize on. They should put on a new set of lenses and take a fresh look at:

  1. Enterprise risk management practices.
  2. Liquidity risk measurement and management.

What happened in March resulted mainly from a breakdown in management and governance. It is a reminder that risk management is highly interconnected among liquidity, interest rate, credit, capital and reputation risks. Risk management must be a mindset that permeates the entire institution, is owned by the C-suite and is understood by the board.

Here are a few things for directors to ponder while revisiting enterprise risk management governance:

  • Be realistic about potential risks. Listen to, and address, data-driven model outcomes. Refrain from influencing results to reflect a preferred narrative.
  • Understand key assumptions and their sensitivities. Assumptions matter.
  • Bring data to the surface and breathe life into it; value data analytics.
  • Accept that the days of “set it and forget it” policy limits and assumptions are over.
  • Revisit attitudes regarding validating risk management processes and models: Are they a check-the-box exercise or a strategically important activity?
  • Ask what could go wrong and what should we monitor? How thorough and realistic are preemptive and contingency strategies?
  • Acknowledge that stress testing is not for bad times — by then, it’s too late.
  • Cultivate an environment of productive, effective challenge.

Banks and their asset/liability management committees are under stronger regulatory microscopes. They will be asked to defend risk management culture, processes, risk assessments, strategies and overall risk governance. Be prepared.

Telling Your Liquidity Management Story
The March bank failures accentuated the critical importance of an effective liquidity management process — not just in theory, but in readiness practice. Your institution’s liquidity story matters.

Start with your liquidity definition. Most define liquidity by stating a few key ratios they monitor – but that’s not expressing one’s liquidity philosophy. Bankers struggle to put their liquidity definition into words, which can lead to an inadvertent focus on ratios that conflict with actual philosophy. This can result in suboptimal outcomes and unintended consequences. One definition banks could adopt is: “Liquidity is my bank’s ability to generate cash quickly, at a reasonable cost, without having to take losses.”

A bank can readily construct a productive framework around a meaningful definition. Given the notoriety around unrealized losses on assets and potentially volatile deposits, be clear that how the bank manages its liquidity does not depend on selling assets.

Construct a liquidity framework that supports this notion with four elements:

  1. Funding diversification.
  2. Concentration and policy limits.
  3. Collateral management.
  4. Stress testing and contingency planning.

Funding diversification should consider Federal Home Loan Bank, Federal Reserve programs, repurchase agreements (repos), brokered and listing service deposits and fed funds lines. The ability to manage larger relationships with insured deposit programs, such as reciprocal and one-way, FHLB letters of credit and customer repos is also an integral part of funding diversification. Make sure your institution tests all sources periodically and understand settlement timelines.

Funding concentrations must be on your radar. The board and executives need to establish policy limits for all wholesale deposit and borrowing sources, by type and in aggregate. There should also be limits that apply to specific customer deposit types such as public, specialty/niche, reciprocal and others. The bank should track and monitor uninsured deposits, especially those that are tied to broader, larger relationships, and reflect that in operating and contingency liquidity plans. Take a deep dive into your bank’s deposit data; there is a significant difference between doing a core deposit study and studying your deposits.

Collateral doesn’t matter unless it is readily available for use. Ensure all available qualifying loan and security collateral are pledged to the FHLB and Fed. Determine funding availability from each reliable source and monitor capacity relative to uninsured deposits, especially the aggregate of “whale” accounts.

Also, understand how each funding source could become restricted. Ensure your contingency liquidity management process captures this with well-defined stress tests that simulate how quickly, and to what degree, a liquidity crisis could materialize. Understand what it would take to break the bank’s liquidity, and ensure that key elements fueling this event are monitored and preemptive strategies are clearly identified.

Step back and look at your institution’s risk management policies, keeping in mind that they can become unnecessarily restrictive, despite good intentions. Avoid using “if, then” statements that force specific actions versus a thoughtful consideration of alternative actions. Your bank needs appropriately flexible policies with guardrails, not straitjackets.

The conversation on risk management and related governance at banks needs to change. Start with a fresh set of lenses and a willingness to challenge established collective wisdom. Dividends will accrue to banks with the strongest risk management cultures and frameworks, with an appreciation for the important role of assumption sensitivity and overall stress testing. Ensure that clarity drives strategy — not fear.

Why the Duty of Cybersecurity is the Next Evolution for Fiduciary Duties

Bank directors know they can be personally liable for breaches of their fiduciary duties.

Through cases like In re Caremark International Inc. Derivative Litigation 698 A.2d 959 (Del. Ch. 1996), Stone v. Ritter, 911 A.2d 362 (Del. 2006), and Marchand v. Barnhill, 212 A.3d 805 (Del. 2019), Delaware courts have held boards responsible for failing to implement systems to monitor, oversee and ensure compliance with the law.

Recently, the Delaware Court of Chancery formally expanded those rules in In re McDonald’s Corporation Stockholder Derivative Litigation, Del. Ch. Ca. No. 2021-0324-JTL. The ruling established that the fiduciary duties of the officers of a Delaware corporation include a duty of oversight that is comparable to the responsibility of directors. These cases make clear that when the duty of oversight meets with the immense cybersecurity responsibilities of financial institutions, a duty of cybersecurity is added to the fiduciary responsibilities of directors and officers.

The lawsuit by 25 former McDonald’s employees alleged that corporate executives failed to address systemic harassment, leading to a hostile work environment. By allowing failure-to-oversee-and-monitor claims against the officers in that case, the court has effectively required all corporate executives to take a leadership role in monitoring and addressing company-wide issues.

Given prior rulings in Delaware courts concerning the duty of oversight and officer fiduciary duties, the McDonald’s decision reiterates the importance of implementing robust compliance programs. It also clarifies that officers and directors must actively address compliance.

Cybersecurity is paramount among the myriad compliance issues that all corporate officers and directors must address. For example, in 2019, the proceedings in In re Google Inc. Shareholder Derivative Litigation against Google’s parent company involved claims that the company’s board of directors and officers failed to discharge their oversight duties related to the 2018 Google+ security vulnerability. That suit settled for $7.5 million, and the company agreed to implement significant governance reforms to address data privacy issues. Similarly, in In re Yahoo! Inc. Shareholder Derivative Litigation, multiple cybersecurity breaches between 2013 and 2016 led to a shareholder derivative lawsuit, which settled for $29 million in 2019.

And, in the past year, multiple financial institutions, including Wells Fargo & Co., JPMorgan Chase & Co., and Bank of America Corp., faced lawsuits also seeking to hold their officers and directors personally liable for, amongst other things, failing to:

1. Protect customer data adequately.
2. Oversee the bank’s cybersecurity practices.
3. Prevent data breaches that exposed customer personal information.

In these cases, and many others, cybersecurity and data breaches have caused reputational damage for officers and directors and damaged the corporation’s relationships with customers and partners. In addition, these corporate leaders risk:

• Breach of fiduciary duty claims. If directors or officers do not take reasonable steps to protect the corporation from a data breach, they risk breaching their fiduciary duties and could be held personally liable for the damages caused by the breach.
• Accusations of negligence. Directors and officers can be accused of negligence for failing to implement appropriate security measures, train employees on cybersecurity best practices and respond to a breach in a timely and effective manner.
• Criminal prosecution. If directors and officers intentionally or recklessly cause a breach or fail to report it to the authorities, they may face criminal prosecution.
• Regulatory penalties. Government or financial regulators can impose significant fines for cybersecurity failures.

And, just as the risks for directors and officers explode, they face an insurance whipsaw. First, directors’ and officers’ (D&O) insurance policies may include specific exclusions for cyber-related claims or require separate cyber insurance to cover these risks. Next, increased personal exposure for officers and directors will increase the likelihood of facing lawsuits, driving up the premiums for D&O insurance. To protect themselves, directors and officers should insist on increased corporate governance protection, including:

• The prioritization by boards of cybersecurity and data privacy as crucial risk management areas, including putting proper reporting and monitoring systems into place.
• Requiring directors and officers to actively understand the evolving landscape of cybersecurity and data privacy risks and regulations.
• Corporate investment in appropriate cybersecurity measures and employee training to minimize the risk of data breaches as well as the associated legal and reputational risks.

To mitigate their risk of personal liability, corporate officers and directors must understand, implement and monitor the cybersecurity safeguards their financial institutions need. And, the courts have sent a clear message to bank directors and officers: To discharge your duty of cybersecurity, you must actively oversee and monitor institutional cybersecurity and data privacy programs.

Lessons Learned from HBO’s “Succession”

My wife and I recently completed watching all three seasons of HBO’s “Succession.” It’s a wild ride on many levels, full of deceitful and dysfunctional family dynamics, corporate political backstabbing, and plain old evil greed. Despite this over-the-top intertwined family and business drama, there are quite a few relevant lessons worthy of attention from bank leaders and board members. Three in particular stand out to me.

First: Succession planning is always vital, and never more so than in an organization (public or private) with any element of familial involvement. As is well known, all boards of directors should be paying close attention to succession for the CEO role and other key leadership positions. In the HBO show, there is no clear line of succession, and the company’s 80-year-old patriarch (who experiences major health issues early in season 1) has not only failed to plan for his eventual departure but has all four children thinking they can and should take over the “family” business. Only one of the four is even close to qualified, and he becomes compromised by external events. Meanwhile, daddy plays each sibling against the others. It is a mess which devolves into chaos at various times, seriously impacting both the fortunes and future independence of the business.

Second: Where is the board of directors? In this instance, the company, Waystar Royco, is a publicly traded global media and entertainment conglomerate, but the board is not governing at all. The single most important responsibility of any board of directors is the decision of “who leads.” This goes beyond the obvious CEO succession process, ideally in a planned, orderly leadership transition or, worst case, a possible emergency situation. It more broadly relates to an ongoing evaluation of the CEO and his or her competency relative to the skills, experiences, leadership capabilities, temperament and market dynamics required. Too many boards allow CEOs to determine when their time is up, rather than jointly crafting a plan for a “bloodless transition of power” that encourages (or even forces) a constructive change of leadership. In “Succession,” the board is comprised of cronies of the patriarch — and his disengaged brother — who are both beholden to and intimidated by their successful and highly autocratic CEO.

Lastly, in any company with a sizable element of family ownership, the separation of economic ownership and executive leadership is vital. While at times the progeny of a successful founder and leader prove extremely capable (see Comcast’s Brian Roberts), this is often the exception rather than the rule. Therefore, the board and/or owners ideally will address this dynamic head-on, accepting that professional management is indeed the best way to enhance economic value for shareholders and family members while encouraging the offspring and descendants to keep their hands off and cash the checks. Many privately held banks grapple with this same dynamic.

Such decisions, of course, are fraught with peril for those involved, which “Succession” endlessly highlights. Creating the proper governance structure and succession plans is rarely easy, especially when personal and financial impacts weigh heavily on the individuals involved. Still, with the board’s prime directive of leadership selection top of mind, and a commitment to candor and transparency, the outcome will likely be much better than simply ignoring the elephant in the room.

When season four of HBO’s “Succession” rolls around, it will surely provide more examples of how not to govern properly.

Community Banks Fuel the Future of Renewable Energy

The transformational Inflation Reduction Act (IRA) contains a number of provisions designed to entice a large number of community and regional banks to deploy capital into renewable energy projects across the U.S.

Large U.S. banks and corporations have made significant renewable energy tax credit investments for over a decade. Through the IRA, there is greater opportunity for community and regional banks to participate.

The act extends solar tax credits, or more broadly renewable energy investment tax credits (REITCs), for at least 10 more years, until greenhouse gas emissions are reduced by 70%. It also retroactively increases the investment tax credit (ITC) rate from 26% to 30%, effective Jan. 1, 2022. This extension and expansion of ITCs, along with other meaningful incentives included in the act, should result in a significant increase in renewable energy projects that are developed and constructed over the next decade.

Community banks are a logical source of project loans and renewable energy tax credit investments, such as solar tax equity, in response to this expected flood of mid-size renewable projects. REITCs have a better return profile than other types of tax credit investments commonly made by banks. REITCs and the accelerated depreciation associated with a solar power project are fully recognized after it is built and begins producing power. This is notably different from other tax credit investments, such as new markets tax credits, low-income housing tax credits and historic rehabilitation tax credits, where credits are recognized over the holding period of the investment and can take 5, 7, 10 or 15 years.

Like other tax equity investments, renewable energy tax equity investments require complex deal structures, specialized project diligence and underwriting and active ongoing monitoring. Specialty investment management firms can provide support to community banks seeking to make renewable energy or solar tax credit investments by syndicating the investments across small groups of community banks. Without support, community banks may struggle to consistently identify suitable solar project investment opportunities built by qualified solar development partners.

Not all solar projects are created equal, and it is critical for a community bank to properly evaluate all aspects of a solar tax equity investment. Investment in particular types of solar projects, including utility, commercial and industrial, municipal and community solar projects, can provide stable and predictable returns. However, a community bank investor should perform considerable due diligence or partner with a firm to assist with the diligence. There are typically three stages of diligence:

  1. The bank should review the return profile and GAAP financial statement impact with their tax and audit firm to validate the benefits demonstrated by the solar developer and the anticipated impact of the investment on the bank’s earnings profile and capital.
  2. The bank should work with counsel to identify the path to approval for the investment. Solar tax equity investments are permissible for national banks under a 2021 OCC Rule (12 CFR 7.1025), and banks have been making solar tax equity investments based on OCC-published guidance for over a decade. In 2021, the new rule codified that guidance, providing a straightforward roadmap and encouraging community banks to consider solar tax equity investments. Alternatively, under Section 4(c)(6) of the Bank Holding Company Act, holding companies under $10 billion in assets may also invest in a properly structured solar tax equity fund managed by a professional asset manager.
  3. The bank must underwrite the solar developer and each individual solar project. Community banks should consider partnering with a firm that has experience evaluating and underwriting solar projects, and the bank’s due diligence should ensure that there are structural mitigants in place to fully address the unique risks associated with solar tax equity financings.

Solar tax credit investments can also be a key component to a bank’s broader environmental, social and governance, or ESG, strategy. The bank can monitor and report the amount of renewable energy generation produced by projects it has financed and include this information in an annual renewable energy finance impact report or a broader annual sustainability report.

The benefits of REITCs are hard to ignore. Achieving energy independence and reducing carbon emissions are critical goals in and of themselves. And tax credit investors that are funding renewable energy projects can significantly offset their federal tax liability and recognize a meaningful annual earnings benefit.

CECL Model Validation Benefits Beyond Compliance

The current expected credit loss (CECL) adoption deadline of Jan. 1, 2023 has many financial institutions evaluating various models and assumptions. Many financial institutions haven’t had sufficient time to evaluate their CECL model performance under various stress scenarios that could provide a more forward-looking view, taking the model beyond just a compliance or accounting exercise.

One critical element of CECL adoption is model validation. The process of validating a model is not only an expectation of bank regulators as part of the CECL process — it can also yield advantages for institutions by providing crucial insights into how their credit risk profile would be impacted by uncertain conditions.

In the current economic environment, financial institutions need to thoroughly understand what an economic downturn, no matter how mild or severe, could do to their organization. While these outcomes really depend on what assumptions they are using, modeling out different scenarios using more severe assumptions will help these institutions see how prepared they may or may not be.

Vendors often have hundreds of clients and apply the same general economic assumptions across all of them. Validation gives management a deeper dive into assumptions specific to their institution, creating an opportunity to assess their relevance to its own facts and circumstances. When doing a validation, there are three main pillars: data and assumptions, modeling and stress testing.

Data and assumptions: Using your own clean and correct data is a fundamental part of CECL. Bank-specific data is key, as opposed to using industry data that might not be applicable to your bank. Validation allows for back-testing of what assumptions the bank is using for its specific data in order to confirm that those assumptions are accurate or identify other data fields or sources that may be better applied.

Modeling (black box): When you put data into a model, it does some evaluating and gives you an answer. That evaluation step is often referred to as the “black box.” Data and assumptions go into the model, which returns a CECL estimate as the output. These models are becoming more sophisticated and complex, requiring many years of historical data and future economic projections to determine the CECL estimate. As a result of these complexities, we believe that financial institutions should perform a full replication of their CECL model. Leveraging this best practice when conducting a validation will assure the management team and the board that the model the bank has chosen is producing its CECL estimate accurately, while also providing further insight into its credit risk profile. By stripping the model and its assumptions down and rebuilding them, we can uncover potential risks and model limitations that may otherwise be unknown to the user.

Validations should give financial institutions confidence in how their model works and what is happening inside it. Being familiar with the annual validation process for CECL compliance will better prepare an institution to answer all types of questions from regulators, auditors and other parties. Furthermore, it is a valuable tool for management to project future outcomes, helping them plan for how their institution will react to stressful situations while also aiding them in future capital and budgeting discussions.

Stress testing: In the current climate of huge capital market swings, dislocations and interest rate increases, stress testing is vital. No one knows exactly where the economy is going. Once the model has been validated, the next step is for banks to understand how the model will behave in a worst-case scenario. It is important to run a severe stress test to uncover where the institution would be most affected by those assumptions. Management can use the information from this exercise to see the connections between changes in assumptions and the expected impact to the bank, and how the bank could react. From here, management can gain a clearer picture of how changes in the major assumptions impact its CECL estimate, so there are no surprises in the future.