Risk & Innovation: Bridging The Gap



In today’s age of innovation, risk management can no longer be the office of ‘no.’ When risk managers are included in strategic discussions, they can help drive innovation and provide additional value to their organizations. In this video, Crowe’s John Epperson explains how successful banks bridge the gap between risk and innovation to truly bring value to their institutions.

  • Why Banks Should Transform Risk Management
  • Creating a Competitive Advantage Through Risk and Compliance

Now Is The Time to Use Data The Right Way


Most bankers are aware of the changes that are forthcoming in accounting standards and financial reporting for institutions of all sizes, but few are fully prepared for the complete implementation of all of the details in the new current expected credit loss (CECL) models that will take effect over the next few years.

Banks that act now to effectively and strategically collect, manage and utilize data for the benefit of the institution will be better positioned to handle the new accounting requirements under CECL and evolving regulations with state and federal agencies.

Here are three articles that cover key areas where your board should focus its attention before the rules take effect.


Credit Data Management
Under Dodd-Frank, the law passed in the wake of the financial crisis, banks of all sizes and those especially in the midsize range of $10 billion to $50 billion in assets were required to do additional reporting and stress testing. Those laws have recently been changed, but many institutions in that asset category are opting to continue some form of stress testing as a measure of sound governance. Managing credit data is a key component of those processes.

Centralizing Your Data
Bank operations are known to be siloed in many cases as a matter of habit, but your data management can be done in a much more centralized manner. Doing so can benefit your institution, and ease its compliance with regulations.

Get Ready for CECL Now
The upcoming implementation of new CECL standards has many banks in a flurry to determine how those calculations will be developed and reported. Few are fully ready, but it is understood that current and historical loan level data attributes will be integral to those calculations.

Advice for New Bank Directors


If you have recently been appointed to a bank board, chances are you’re like most new directors in that you came from outside the industry and have little knowledge of banking other than what you might have learned as a customer. If, for example, you’re the owner of a local business that relies heavily on its banking relationships to keep the enterprise going (as most small businesses do), you will certainly have an opinion about what constitutes good customer service. You also bring your own judgment and life experience outside of banking to the task, which will no doubt be very valuable to the board. But to be an effective bank director, you’re going to have to broaden your knowledge base considerably when it comes to banking. Good judgment isn’t enough. There are certain things that you will need to know.

Learning is a life-long exercise, and for as long as you serve on a bank board there will always be new things to learn. But here are four areas that I think new directors should give extra attention to:

Learn About Regulation.
Banking is a complicated and highly regulated industry, and banks can pay a steep price for their compliance sins. Take the time to understand the industry’s regulatory structure and the expectations of your bank’s primary regulators, which will vary depending on the size of your institution and whether it has a state or national charter. Also, zero in on the regulations that can have the greatest impact on your bank (for example, the Bank Secrecy Act and the various consumer protection rules). The regulators will hold your board accountable for any serious compliance violations, so it’s not a responsibility to be taken lightly.

Learn How Your Bank Works.
Banking is very different from most other businesses like, say, manufacturing and retailing, or professional services like accounting and lawyering. Yours is a governance rather than an operating role, but you should still learn how your bank works inside and out so you can engage fruitfully with management. Learn how your bank makes most of its money and where its greatest risks lie. Service on the board’s audit committee would provide a very powerful introduction to the workings of your bank, because there’s very little that the audit committee doesn’t get involved in.

Learn About Technology and Try to Embrace It.
Technology tends to be a black hole for most boards. Most people in their 60s and 70s, which fits the profile of many directors who serve on bank boards, don’t understand or use technology as comfortably as those who are 20 or 30 years younger. The problem is that banking is undergoing a technological revolution that goes well beyond mobile (which gets most of the attention these days) and touches almost every area of the bank. Directors need to understand how these trends are likely to impact their institution. Some banks try to recruit at least one tech-savvy director to their board, but these people are hard to find—and even if you find one, you can’t delegate the responsibility to understand technology to that person. Regular board-level briefings from your bank’s chief technology officer, attendance at industry conferences and a commitment to read up on the topic can all help educate you. Also, experiment with some of the consumer technology that has come into financial services in recent years. If you have an iPhone, activate its wallet feature. Open a Venmo account and use it. And if you don’t use your own bank’s mobile banking app, shame on you!

Learn About Cybersecurity.
As banks become more digital, their cyber risk profile will increase ipso facto. Trying to lessen the risk by resisting the push toward digital banking isn’t a rational strategy because your institution will be left behind. The U.S. economy and our national culture are all being profoundly impacted by the digital phenomenon, and it’s a game that all banks simply have to play. Your role as a director is to make sure your bank has a good cybersecurity program and team in place, that the program conforms to the latest industry standards and regulatory expectations, and that the board is being briefed regularly.

These are not the only critical areas that new directors need to understand, of course, but they would be on my short list of things to go to school on if I had just joined a bank board. Congratulations and good luck!

Cybersecurity & Regtech: Defending The Bank



How can financial institutions proactively combat the risks facing the industry today? The 2018 Risk Survey—presented by Bank Director and Moss Adams LLP—compiled the insights of directors, chief executive officers and senior executives of U.S. banks with more than $250 million in assets. According to the survey, the worries keeping top executives awake at night align with the key priorities that banks commonly hear from banking regulators: cybersecurity, compliance and strategic risk.

Cybersecurity
Cybersecurity was the biggest concern by far, reported by 84 percent of respondents.

The survey addressed the confidence that executives and directors have in their institutions’ cybersecurity programs, with an emphasis on staffing and overall effectiveness. Access to the proper talent—in the form of a chief information security officer (CISO) or a strategic partner with the necessary skill set—and associated costs are key to a successful program, and 71 percent of respondents revealed their bank employs a full-time CISO.

While technical skills are valuable in today’s business environment, financial institutions must overcome their dependence on skilled technicians who don’t necessarily have the ability to strategically look at the changing technological landscape. The CISO should build an appropriate plan by taking a full view of the bank’s technology and strategy. Without this perspective, a bank could provide hackers with an opening to breach the institution, regardless of size or location.

Institutions building the foundation of a robust cybersecurity program should also focus on three key areas:

  • Assessment tools: Is the institution leveraging the proper technologies to help maximize the detection and containment of potential issues?
  • Risk assessments: Has management identified current risks to the organization and implemented proper mitigation strategies?
  • Data classification: Has management identified all critical data and its forms, and addressed the protection of this data in the risk-assessment process?

Compliance
Compliance was the second biggest area of concern, identified by 49 percent of respondents. It’s an area that continues to evolve as new regulators have been appointed to head the agencies that regulate the industry, and technological tools—dubbed regtech—have entered the marketplace.

More than half of survey respondents indicated that the introduction of regtech has increased their banks’ compliance budgets, demonstrating that the cost of solutions and staff to evaluate, deploy and support these efforts in an effective manner is a growing challenge.

Because the volume of available data and the ability to analyze that data continues to grow, respondents may have felt this technology should have effectively decreased the cost of operating a robust compliance program.

Executives looking to decrease costs may want to consider the staffing required to operate a compliance program and whether deploying technology would allow for fewer personnel. When technology is properly used and standards are developed to help guarantee efficient use of it, the dilemma of acquiring technology versus adding staff can often be more easily solved.

Strategic Risk
Strategic risk was the third largest area for concern, identified by 38 percent of respondents. Many directors and executives are wrestling with what the future holds for their institutions. The debate often boils down to one question: Should they continue to build branches or invest more in technology—either on their own or by partnering with fintech companies?

Fintech companies are a growing player in lending and payments segments, areas that were historically handled exclusively by traditional institutions. That, coupled with clients who no longer value personal relationships and instead prioritize being able to immediately access services via their devices, increases the pressure to deliver services via technology channels.

Financial institutions have entered what many would call a perfect storm. Every institution will need to make hard decisions about how to address these issues in a way that facilitates growth.


When It Comes to Fintech Partnerships, Look Before You Leap


At the risk of oversimplification, there are essentially three categories of innovation in banking. There is a small but growing number of banks that have positioned themselves as early adopters of new technology. There are also fast followers, which are not the first banks to try a new technology but don’t lag far behind. Then there are the late adopters.

The digital economy is moving so fast that no bank today can afford to be in the final category. Being an early adopter is probably too risky for many institutions, but at the very least they need to be fast followers or risk getting left behind as the pace of the industry’s digitalization begins to accelerate.

How and when to successfully engage with a fintech company was a recurrent theme at Bank Director’s 2018 FinXTech Annual Summit, held May 10-11 at The Phoenician resort in Scottsdale, Arizona. Deciding to work with a fintech company on the development of a new consumer banking app or the automation of an internal process like small business lending is more than just another vendor relationship. Typically, these are highly collaborative partnerships where the fintech will be given at least some access to the bank’s systems and operations—and could be a risk to the bank if all does not go well.

The first piece of advice for any bank contemplating this kind of engagement is to perform thorough due diligence on your intended partner. As highly regulated entities, banks need to make sure that any third-party service or product provider they work with has security and compliance processes in place that will satisfy the bank’s regulators. And the younger the fintech company, the less likely it is to have a compliance environment that most banks would (or should) be comfortable with.

Mark P. Jacobsen, president and chief executive officer at Arlington, Virginia-based Promontory Interfinancial Network, cautioned during a presentation that banks should not consider working with an early-stage fintech unless they have “an extremely experienced CIO, a very robust risk management system and access to very experienced legal talent.” It also makes sense for banks to check a fintech’s references before finalizing its selection. “There are so many new things out there that it’s important to get that outside validation,” said Adom Greenland, senior vice president and chief operating officer at ChoiceOne Financial Services, a $622 million asset bank headquartered in Sparta, Michigan.

Cultural difference was also a recurrent theme at the Summit. Banks with a culture of innovation are more likely to be early adopters or, at the very least, fast followers. “Culture is a huge barrier to innovation,” said Bill McNulty, operating partner at Capital One Growth Ventures, a unit of Capital One Financial Corp., during a presentation on some of the common obstacles to innovation. “And culture always starts with people.”

McNulty said while he senses the urgency around innovation in banking is beginning to change, he knows of large fintech players that originally wanted to partner with banks, but have grown frustrated with the conservative culture at many institutions. “They decided it is too hard and takes too long and they would do it themselves,” he said. “If we don’t address culture, the best fintechs will do it themselves. Some of these companies will build [their own] banks.”

Bank Director announced the winners for its 2018 Annual Best of FinXTech Awards on May 10, choosing from among 10 finalists across three award categories, and while big banks were represented among the finalists—including U.S. Bancorp, Citizens Financial Corp., Pinnacle Financial Partners and USAA—two of the winners were community banks. And that fact underlines an important point when talking about innovation in banking. Small banks can play this game just as well and maybe even better than their larger peers.

Regtech: Reaping the Rewards


As it evolves, regtech is uniquely poised to save banks time and money in their compliance efforts, and has become a common topic for many in the banking industry. If you’re ready to realize the promise of regtech at your institution, here are a few key steps to take before you start parsing through providers or sending out requests for proposals.

Consider changes to your organizational structure that would place oversight of both legal and compliance transformations under one department. In Burnmark’s RegTech 2.0 report, Chee Kin Lam, the group head of legal, compliance and secretariat for DBS Bank, pointed to his authority over both legal and compliance functions and budgets as a key to the Singapore-based bank’s ability to work with regtech companies.

At first blush, a change to your bank’s internal structure seems like an extreme measure for a precursor to a technology pilot, but that perception misses the big-picture implications of implementing a new regtech solution. If a bank intends to engage meaningfully with regtech, Lam pointed out, there’s a need for an overarching framework for onboarding new technologies to make sure they “speak to each other at a legal/compliance level instead of at an individual function level—e.g. control room, trade surveillance, AML surveillance and so on.”

What’s more, legal and compliance functions are already tied closely together, and any regtech solution would likely impact both areas of the bank. Central management of these two functions can help ensure efficient regtech implementation.

Create a solid, detailed problem statement before you ever look for a solution. Lam suggests identifying the top legal and compliance risks your bank is facing, and working from there to identify pain points for your employees and customers when they interact with that risk area. One way to go about this process is to utilize design thinking, which looks at products and experiences from the point of view of the customers and employees who utilize them.

By seeking out pain points and working through the design-thinking process to find their root cause, bank leadership can identify specific, actionable areas for improvement. As tempting as it can be for an institution to attempt a total overhaul of its regulatory processes, banks should pursue modular regtech solutions to solve specific, defined problem statements instead. As Peter Lancos, CEO and co-founder of Exate Technology, points out in RegTech 2.0, “[f]ragmentation makes a regulatory strategy impossible—especially due to geographic spread and banks having separate teams set up to deal with individual regulations.”

Leverage outside expertise. The risks of implementing regtech can be daunting, so bank leaders need to use every tool in their arsenal to get deployment right. Banks should involve regulators in the conversation early on in the process of working with a regtech company. According to Jonathan Frieder of Accenture in The Growing Need for RegTech, “[r]egulators globally have continued to accept and, ultimately, to embrace regtech” making 2018 “a pivotal year.”

In addition to getting regulators on board, banks should consider enlisting outside assistance from consultants or other regulatory experts. Such experts provide assistance with assessing problem statements or potential regtech vendors. Lancos states that he feels “it is essential for banks to have regulatory expertise support to actually write the rules that go into the rules engine of regtech solutions.”

Regtech implementation is a lot more involved than an average plug-and-play fintech product. However, when a bank considers the cost efficiencies, improved compliance record and decreased customer and employee frustration, the upside of regtech can be well worth the planning it requires.

How Technology Alters the Reality of Regulatory Compliance


In case you haven’t noticed, regulatory compliance is expensive. The banking industry spends an estimated $60-$70 billion a year on compliance, and many banks complain they have been forced to expand their compliance staffs in recent years just to keep up with the increase in regulations. Indeed, compliance-related activities can account for nearly 20 percent of a bank’s overhead.

The compliance function is also critically important. The three federal prudential bank regulators consider a poor compliance track record to be an indictment of a bank’s overall management capability, and they will severely punish any bank that has a significant compliance violation, especially of the Bank Secrecy Act (BSA) and related anti-money laundering (AML) regulations. Among the negative ramifications of a serious BSA violation is the inability to consummate an acquisition or execute a major business expansion. The poster child for this nightmare scenario is probably M&T Bank Corp., which acquired Hudson City Bancorp in July 2012 but was prevented by the Federal Reserve from completing the acquisition until November 2015 after the Fed uncovered deficiencies in M&T’s BSA program after the deal had been announced.

These and other issues will be topics of discussion at Bank Director’s 2018 The Reality of RegTech event, which takes place at the Nasdaq MarketSite April 18 in New York’s Times Square. Presentations focusing on regtech include an examination of some of the technologies impacting AML and know-your-customer (KYC) rules, and how artificial intelligence can be incorporated into a bank’s compliance program.

Compliance requirements like BSA, the Community Reinvestment Act, the Fair Lending Act, the Home Mortgage Disclosure Act and vendor management lend themselves well to the use of technology because they often involve large amounts of data and repetitive tasks, and the application of regtech solutions to these activities can lead to improvements in accuracy, efficiency and costs.

However, the promise of lower compliance costs may take longer to materialize since the initial investment in new technology, the time to train the compliance staff with the technology and for them to become proficient could actually raise a bank’s compliance costs in the short run. In fact, in Bank Director’s 2018 Risk Survey, 55 percent of the participating directors and senior bank executives say their compliance budget actually increased after the introduction of new technology, while 27 percent say it had no effect and just 5 percent said it decreased.

The compliance function is not the only area where technology is increasingly being used to improve bank performance. Advanced tools also help senior executive teams and boards of directors improve their management and oversight of a variety of risk exposures. The risk management challenge is not unlike the compliance challenge in that there are often large amounts of data to manage and analyze—particularly in an area like credit risk—and technology can both accelerate and improve data aggregation and analysis. The Reality of RegTech event will also offer presentations on the integration of solutions to manage credit risk, emerging enterprise risk management solutions, and advancements in operational risk management.

RegTech: A New Name for an Old Friend


With all of the buzz around regtech, it’s easy to forget that banks have leveraged technology for compliance and reporting for decades. But thanks to recent developments in data architecture, artificial intelligence and more, regtech is on the rise, and it’s evolving into something a lot more sophisticated.

The definition of regtech is simple. According to New York-based analytics firm CB Insights, regtech is “technology that addresses regulatory challenges and facilitates the delivery of compliance requirements.” Regtech can be as simple as using an Excel spreadsheet for financial reporting or as complex as using adaptive algorithms to monitor markets. By studying the evolution of regtech, banks can begin to decipher which technologies are aspirational and which ones are crucial to navigating today’s demanding regulatory regime.

Regtech has evolved, and is still evolving, in three key phases, according to the CFA Institute Research Foundation, a nonprofit research group in Charlottesville, Virginia. The first phase was focused on quantifying and monitoring credit and market risks. A powerful illustration of the forces driving this initial phase can be seen in the Basel II accord, which was published in 2004. Basel II focused on three pillars: minimum capital requirements, supervisory review by regulators and disclosure requirements meant to enhance market discipline.

Despite the enhanced regulatory requirements of Basel II, the global financial crisis of 2008 exposed serious deficiencies in capital requirements that spurred the second and current phase of regtech’s evolution. New anti-money laundering (AML) and Know Your Customer (KYC) laws have drastically increased compliance costs. According to Medici, a financial media company, financial institutions spend more than $70 billion annually on compliance. In addition, increased fines for banks, new capital requirements and stress testing have resulted in a heavily burdened banking system. With increased regulatory requirements, we have seen a corresponding increase in technology solutions poised to meet them. The following are a few key areas banks should explore:

  • Modeling and Forecasting: Even if your bank is not subject to the Dodd-Frank Act Stress Test (DFAST) or Comprehensive Capital Analysis and Review (CCAR), it should still be able to leverage modeling and forecasting tools to manage liquidity, meet CECL (current expected credit loss) accounting standards and monitor important trends.
  • KYC/AML: Regulatory requirements that require your financial institution to “know your customer” when you onboard them often rely heavily on paper-based processes and duplicative tasks. In addition, the Bank Secrecy Act requires banks to perform intense transaction monitoring to help prevent fraud. Both of these obligations can be curtailed through the use of technology, and solutions are available to digitize client onboarding and use AI to monitor transactions.
  • Monitoring Regulations: Rules and regulations are being promulgated and revised at a rapid pace. Instead of hiring a cadre of attorneys to keep up, banks can use regtech to monitor requirements and recommend actions to keep the bank in compliance.

Banking is, by necessity, a risk-averse industry. As such, taking a leap with companies that will touch bank data, gather information from back-office software or deploy AI can seem like a scary proposition. Some regtech providers on the marketplace today are new, but some were forged through the fires of the financial crisis, and others are time-tested vendors that have been around for decades. Whether a regtech partner is established or emerging, banks can (and should) hedge their bets by communicating with their regulators and forming a plan to monitor the new technology.

The CFA Institute Research Foundation posits that we are on the precipice of phase three in the evolution of regtech. This future state will be marked by a need for regulators to develop a means of processing the large amounts of data that regtech solutions generate. In addition, regtech has the potential to enable real-time monitoring. Both advancements will require a rethinking of the regulatory framework, and more openness between banks and regulators.

Despite the portmanteau (which is usually reserved for new or unfamiliar concepts), regtech is an old friend to the banking industry. Its future may hold the keys to a new conceptualization of what oversight means. For now, though, regtech represents an opportunity for banks to leverage technology for what it was intended to do: Save humans time, labor and money.

2018 Risk Survey: Technology’s Impact on Compliance


In addition to better meeting the needs of consumers, technology’s promise often revolves around efficiency. Banks are clamoring to make the compliance function—a significant burden on the business that doesn’t directly drive revenue—less expensive. But the jury’s out on whether financial institutions are seeing greater profitability as a result of regtech solutions.

In Bank Director’s 2018 Risk Survey, 55 percent of directors, chief executive officers, chief risk officers and other senior executives of U.S. banks above $250 million in assets say that the introduction of technology to improve the compliance function has increased the bank’s compliance costs, forcing them to budget for higher expenses. Just 5 percent say that technology has decreased the compliance budget.

Regtech solutions to comply with the Bank Secrecy Act, vendor management and Know Your Customer rules are widely used, according to survey respondents.

Accounting and consulting firm Moss Adams LLP sponsored the 2018 Risk Survey, which was conducted in January 2018 and completed by 224 executives and board members. The survey examines the risk landscape for the banking industry, including cybersecurity, credit risk and the impact of rising interest rates.

Fifty-eight percent say that the fiscal year 2018 budget increased by less than 10 percent from the previous year, and 26 percent say the budget increased between 10 and 25 percent. Respondents report a median compliance budget in FY 2018 of $350,000.

Additional Findings

  • Cybersecurity remains a top risk concern, for 84 percent of executives and directors, followed by compliance risk (49 percent) and strategic risk (38 percent).
  • Respondents report that banks budgeted a median of $200,000 for cybersecurity expenses, including personnel and technology.
  • Seventy-one percent say their bank employs a full-time chief information security officer.
  • Sixty-nine percent say the bank has an adequate level of in-house expertise to address cybersecurity.
  • All respondents say that their bank has an incident response plan in place to address a cyber incident, but 37 percent are unsure if that plan is effective. Sixty-nine percent say the bank conducted a table top exercise—essentially, a simulated cyberattack—in 2017.
  • If the Federal Reserve’s Federal Open Market Committee raises interest rates significantly—defined in the survey as a rise of 1 to 3 points—45 percent expect to lose some deposits, but don’t believe this will significantly affect the bank.
  • If rates rise significantly, 45 percent say their bank will be able to reprice between 25 and 50 percent of the loan portfolio. Twenty-eight percent indicate that the bank will be able to reprice less than 25 percent of its loan portfolio.
  • One-quarter of respondents are concerned that the bank’s loan portfolio is overly concentrated in certain types of loans, with 71 percent of those respondents concerned about commercial real estate concentrations.


Avoiding Hot Water: Complying with Regulation O


If a director wants to get into hot water—and their financial institution as well—violating Regulation O is a good place to start. It’s “one of the three things that makes bank examiners see red,” says Sanford Brown, a partner at the law firm Alston & Bird (the other two being the violation of lending limits and noncompliance with Regulation W, which governs transactions between a member bank and its affiliates). Designed to prevent insider abuse and ensure the safety and soundness of the bank through good lending practices, it’s a violation that examiners have zero tolerance for, and often results in a civil money penalty, adds Brown. It’s no wonder that bank directors often err on the side of caution when it comes to compliance with the rule.

Regulation O “governs any extension of credit made by a member bank to an executive officer, director or principal shareholder of the member bank, of any company of which the member bank is a subsidiary, and of any other subsidiary of that company.” Loans made to covered individuals, or businesses that these individuals have an interest in, must be made on par with what any other bank customer would receive, with the same terms and underwriting standards. The covered loans are subject to the bank’s legal lending limits, and the aggregate credit for all covered parties cannot exceed the bank’s unimpaired capital and unimpaired surplus. The extension of credit must be approved by the majority of the board, with the affected person abstaining from the discussion. Executive officers are limited further and may only receive credit to finance their child’s education, and to purchase or refinance a primary residence.

Essentially, Regulation O ensures that directors, officers and principal shareholders aren’t treating the institution like their own personal piggy bank. But directors also want to drive business to their bank. “Most directors want to know where [the] line is and stay away from it, but some believe that their job is to drive all the business they can to the bank, and that’s one of the things that great directors do,” says Brown. “But do it right.” Here are a few things to keep in mind to avoid compliance gaps in Regulation O.

Know Who All Are Affected
“With all the various corporate structures that banks can have, having a strong process for the identification of covered individuals is the No. 1 thing a bank can do to help the compliance process,” says Asaad Faquir, a director at RSK Compliance Solutions, a regulatory compliance consultant.

Under Regulation O, “executive officers” are defined as bank employees that participate, or are authorized to participate, in major policymaking functions—regardless of that person’s title within the organization. This generally includes the president, chairman of the board, cashier, secretary, treasurer and vice presidents. There can be some grey area as to which officers are covered under Regulation O, and some banks provide a broader definition than the rule requires to ensure compliance.

Principal shareholders are defined as those that own more than 10 percent of the organization. The definition of director, as a general rule, doesn’t include advisory directors.

An ill-defined population for Regulation O can raise the risk of noncompliance with the rule, says Tim Kosiek, a partner with the accounting and advisory firm Baker Tilly. The law is relatively black-and-white, as legislation goes, but the holdings of bank directors and principal shareholders can be complex, which heightens the compliance challenge. Banks should not only identify the officers, directors and principal shareholders covered by the law, but also family and business interests. The bank’s governing policy should define that process, and indicate how often it will be reviewed, he says.

Covered individuals are required to prepare an annual statement of related interests, and Brown says this is an area where a well-meaning director can easily trip up. “Full disclosure of every business relationship that the director has is critical. And it’s a pain—some of these people really do have their fingers in lots of pies,” he says. These interests should be communicated throughout the organization, to ensure that a loan officer doesn’t unintentionally conduct business as usual with a company that has a relationship with a covered individual.

If the terms of a covered loan are modified, the modification should go back through the bank’s Regulation O process, says Kosiek. And if a director acquires an interest in a company with a preexisting credit relationship with the bank, that should also be reviewed due to the director’s involvement.

Document Everything
A director, officer or principal shareholder must ensure that he or she is seen as having no influence on the process for the approval of a loan in which the covered individual has any interest. It’s a good practice for the affected director to just leave the boardroom before the related loan is discussed, says Faquir. “It protects the directors themselves, it protects the institution, and it’s a cleaner process.” He provides one example where a director explained to the board his own involvement in a loan, and then recused himself—with the good intention of being transparent about the process. From the point of view of the bank’s regulator, however, this was perceived as influencing the board in the loan’s approval. It’s best for the recusal to be immediate, so the regulators, upon reviewing the documentation, find no cause to believe that there was undue influence.

The law requires that each bank maintain records that identify covered parties, and document all extensions of credit to directors, principal shareholders and executive officers, to prove that the bank followed the letter of the law. “If you are to demonstrate compliance with the regulation, you have to make sure that your minutes reflect, No. 1, that the individual did not participate in the discussion” and that the rate and terms offered are the same as what would be offered to any other bank customer, says Scott Coleman, a partner at the law firm Ballard Spahr. Document the credit analysis to ensure the loan received the appropriate terms and underwriting standards. The board should also deliberate annually on who is covered by Regulation O, particularly which officers are involved in policymaking. Recordkeeping in this case can help address questions that come up in an exam, says Coleman.

Handle Violations Proactively
Mistakes can happen, so pay attention to quarterly loan reports. A director may find that a business she is involved in but doesn’t run daily received a loan from the bank. Own the error and make it right by disposing of the loan. Assuming it’s a good loan—which it should be—pay it off in full, at no loss to the bank, and move it to another (unconnected) bank. “That’s the easiest way to remedy it, and to show that there were systems in place to prevent these sorts of things from happening, [and] it just was an honest mistake,” says Brown.

Coleman recommends that banks self-report inadvertent infractions, as the penalties are likely to be less severe. “Contact [the regulator], indicate what was discovered, how the error was made, how the error was corrected and what the bank intends to do in the future to monitor Reg O,” he says.

More serious Regulation O violations can suggest to regulators that other abuses are occurring, and they may go looking for larger problems, adds Coleman. And a violation will almost certainly result in civil money penalties, for the covered individual as well as the board that approved the loan or the loan officer responsible for underwriting the loan. In extreme cases where a violation was seen as intentional, there can be criminal implications in addition to the fine, says Coleman, and regulators could seek the removal of that officer.

Brown believes that regulators under the current administration will focus more on safety and soundness and less on social issues, like consumer risk. “I think the current policymakers are going to focus on where banks make money and where banks lose money, and the real risk in the balance sheet is the loan portfolio,” he says. Banks tend to fail due to bad loans or fraud, so that could mean a heightened focus on Regulation O.