What You Don’t Know Can Hurt You: 10 Things to Watch When You’re on a Bank Board

The legal and regulatory climate for a bank is changing on a weekly basis. At least in part due to this, the expectations and liability risk of a bank director are not the same as a year ago, let alone five years ago. To help address this, we crafted a list of some broad themes we believe bank directors should be particularly attuned to now.

Enterprise Risk Management
Risk management is a function, not a committee. Boards need to implement a process to ensure that risks are properly identified and addressed in such a way that the board can demonstrate a “credible challenge” to management. And, beyond creating an effective corporate clearing house for risk, boards need to ensure that the bank possesses a management team capable of carrying out this function.

Third Party Risk
Vendor management has become a hot-button for all banks, as formal and tacit guidance continues to emerge. In addition to performing and memorializing due diligence around vendor selection, banks need to be in a position to understand and properly supervise the work of any vendors. This means having a properly qualified and trained management team that addresses the operational, compliance and other risks potentially resulting from reliance on third parties.

Trust Preferred Securities (TRuPS)
Many banks were forced to defer payments on TRuPS in the aftermath of the 2008-2009 crisis period. With the five-year TRuPS deferral period now coming to an end, many bank holding companies don’t possess the funds (and cannot compel a bank dividend) to bring the TRuPS current. Further, regulators have insisted that any proposed capital raise be sufficient not only to pay off the TRuPS, but also to result in a composite CAMELS 2 rating for the bank. Your board needs to understand the resulting threats and opportunities.

Deferred Tax Asset Preservation
Bank regulatory agencies have begun to take issue with rights plans that are designed to preserve deferred tax assets (DTAs), citing the safety and soundness concerns that such plans could present by complicating future capital raises. As regulatory guidance on this point appears imminent, your board needs to understand the implications for your bank and your competitors.

Director Liability
Boards should ensure that they have the benefit of up-to-date exculpation and indemnification provisions in the bank’s charter and bylaws, as well as a robust directors and officers (D&O) insurance policy that is not rendered useless by a host of exemptions. In addition, with so much of the recent banking litigation being focused on process, your board should reconsider and redefine the way that your bank makes, records and polices its deliberations and decisions.

Role of Directors in Lending Decisions
Clearly, directors should be involved in defining the scope of a bank’s lending activities, the delegation of lending authority, and the monitoring of credit concentrations and other risks. But should directors serve on loan committees, and make the actual lending decisions? It’s time to reassess this important issue. Directors making day-to-day lending decisions can blur the lines of proper governance and needlessly expose directors to additional liability risk.

Charter Conversions
Each of the banking agencies seems to be developing a different regulatory mood on key issues, such as business plans, consumer compliance and risk-based regulation. In this post-crisis environment, it is important that you consider whether your bank is appropriately chartered in light of its strategy. Put another way, the trends have changed, and you should consider how these changes affect your bank.

Growth Strategies in a Tough Lending Climate
With traditional loan growth being slow, banks continue to reach for less traditional loan products, such as asset-based lending, factoring, lease finance, reverse mortgages, premium finance, indirect auto lending, warehouse facilities, etc. As always, these products must be considered in light of concomitant compliance risks and capital requirements. Directors should ensure that management performs thorough risk assessments alongside their profit/loss projections.

The Effects of Basel III
Depending upon the size and makeup of your bank, the January 2015 Basel III changes will impact your bank’s regulatory capital position. At a minimum, directors need to understand from the bank’s CFO and auditors that there is a plan anticipating what the pro forma capital position is expected to be under Basel III.

Compliance Issues Can Sink a Strategy
Too many banks with solid strategies have seen their bank’s growth hindered by compliance failures. Bank Secrecy Act/anti-money laundering rules, consumer protection regulations, and poor oversight of third parties can result in enforcement actions and derail growth until the issues are remediated, which can take years. Boards must set a tone at the top with regard to the compliance culture of the bank.

The themes above are top of mind for us, but the environment remains dynamic. This list likely will look very different in another year.

Emerging Regulatory Risks & How to Prepare for Them

As regulators and requirements continue to evolve, today’s bank boards need to proactively prepare for the potential impact emerging risks will have on their institution. In this video, Lynn McKenzie of KPMG reviews the latest regulatory trends and outlines some simple steps for boards to effectively manage those risks.

Coverage Options for Civil Money Penalties

The Federal Deposit Insurance Corp. (FDIC) issued guidance saying banks should not offer coverage for civil money penalties under directors and officers (D&O) liability insurance policies. In this video, Dennis Gustafson of AHT Insurance advises how boards can modify their policies in order to stay in compliance and still cover defense costs.

Silver Lining for Community Banks: Using New Regulations to Your Advantage

In recent days and months, there has been much discussion about the challenges small banks face to comply with increased regulatory requirements, particularly those stemming from the Dodd-Frank Wall Street Reform and Consumer Protection Act. Though the costs of compliance have increased and can prove burdensome, especially to small banks, industry observers and participants who approach the requirements with a glass-half-empty attitude are missing an important opportunity: If community banks take a strategic approach to compliance, they can differentiate themselves from the competition.

Going Beyond the Minimum
The benefits of thoughtfully implementing new regulatory requirements have been demonstrated in the past. Consider the know-your-customer requirements that mandated that banks obtain more information about their customers’ behavior to better verify customer identities, which in turn helps identify suspected money laundering activities. When the requirements went into effect, some banks simply did the minimal amount that was required.

Other banks took a more strategic approach. Some saw the new information-gathering requirements as the chance to truly get to know their customers better and enhance the level of service they provide. For example, some institutions developed dynamic discussions with account applicants, with bank staff varying their follow-up questions based on the information new customers provided. These fluid conversations were designed to create better account-opening experiences and to yield insightful data to better serve customers and support new product and service development.

Setting a Community Bank Apart
Community banks can take steps to successfully combine compliance efforts with a focus on enhancing customer service.

  • Fully integrate new regulations for a consistent customer experience. Given the multitude of regulations being implemented during the next several years and their potential impact on bank customers, compliance efforts must be embedded into existing processes. An approach that bolts new systems or processes onto existing ones typically is inefficient and leads to inconsistency that could have a negative effect on customers’ experience with the bank and the bank’s ability to effectively comply with new regulations.
  • Spread compliance-minded professionals bank-wide. It is no longer cost effective or time efficient for a community bank to rely exclusively on its compliance department as the sole line of defense in the bank’s efforts to comply with new regulations. Regular communication with and training of existing personnel is critical to instituting a culture of compliance. When hiring new employees, community banks should seek out professionals who are operationally focused and capable of integrating new regulations and compliance activities into operations.
  • Create open lines of communication. When all those at a community bank expand their focus to include new regulatory requirements, continuous communication is necessary to prevent duplicating efforts. Consider the example of a proactive underwriting manager who invested in a fair-lending tool to boost his department’s compliance activities. Unfortunately, the manager did not inform the bank’s compliance officer, who had already implemented a different fair-lending tool. Regular meetings between lines of business and members of the compliance team will foster more effective and efficient systems of compliance.
  • Seek input from business leaders who understand customer needs. The leaders who manage a bank’s lines of business are accountable for day-to-day activities and are in the best position to recognize how regulatory changes could affect customers. Bringing business leaders into the decision-making process early and often can make the difference between a problematic compliance framework and a solid program that operates as designed and fosters growth of the business.
  • Focus on what the bank does well. Some community banks are jettisoning lines of business that are no longer profitable, especially as they analyze overall rising expenses as well as costs specifically associated with compliance. This is an opportunity to focus exclusively on areas where the community bank excels in serving clients.

    Conversely, competitors eliminating lines of business also can provide community banks with an opportunity to fill a market void and strengthen their competitive position. These types of decisions should be made in the context of market analysis that identifies opportunities and risks.

Small but Mighty
Every bank, regardless of size, will encounter challenges in meeting new regulatory requirements. Finding the silver lining in increased compliance efforts and costs can position community banks as stronger, more competitive, and more focused on their customers’ needs than ever before.

Making Outsourcing Work for Your Bank

With increased regulatory compliance demands, many financial institutions are looking to relieve the pressure by outsourcing their non-core functionality. In this video, Beth Merle of Sutherland Global Services provides insight into which services can be outsourced, how much banks can save and the best way to hold providers accountable.

M&A: Avoiding Compliance Sinkholes

With interest rates on loans at an all-time low and fee income significantly diminished as a result of a new focus on consumer protections, many banks, credit unions and other financial services companies are looking to acquisitions to supply needed growth in balance sheets and income sources. But along with acquisitions come many potential regulatory pitfalls, including consumer protection risks.

Without appropriate levels of due diligence, your bank could end up with a number of hidden compliance nightmares, such as violations of the Truth in Lending Act, Real Estate Settlement Procedures Act, or flood insurance rules that result in consumer restitution, fines or civil monetary penalty assessments from your banking regulator.

Here are a few key compliance considerations to keep in mind during your preliminary evaluation of an acquisition target. Think about these things well before seeking approval of the acquisition from regulators and shareholders.

Institutional History

Has the acquisition target historically had regulatory issues? Be sure to check for published enforcement actions regarding products, services or practices that may affect the combined institution’s compliance and reputational profile. Don’t forget to use simple Internet searches, including social media outlets, through readily available search engines. You might be surprised by the results of your searches.

Compliance Management

Does the acquisition target have a well-run compliance management system? Include an evaluation of key compliance management components in your due diligence. Always consider risk assessments, policies, monitoring schedules, training, and complaint-management practices. Is the institution’s program comprehensive? Is reporting to the board regarding program activities concise and detailed? Are issues reported and resolved in a timely manner?

Third-Party Service Providers

Does the acquisition target offer a large inventory of consumer products, and does it use third-party service providers to sell and deliver some or all of those products? With consumer products come a variety of laws, rules and regulatory expectations regarding consumer protection. Significant levels of risk may reside in third-party relationships the institution has developed to sell and service consumer products.

Evaluate management’s assessment of risks associated with service providers and the strength of the institution’s vendor management program as well as key provisions of contracts, including recourse related to noncompliance. Allocating time in this area could help prevent significant issues after a transaction has been completed.

Product Sets and Features

Does the target institution have multiple deposit and lending products with complex features? Conversion of products is a significant risk factor related to consumer compliance. The more complex features become, the more challenging converting accounts and providing accurate disclosures will be.

Stories of failed customer account conversions and public relations disasters are all too common. Address details regarding conversion of products as early as possible in acquisition planning. Include consideration of required timing of consumer disclosures and alternatives for accommodating customers when eliminating or adding key products and services.

Post-Conversion Compliance Activities

How will the acquisition affect your current compliance management activities? How will your institution ensure appropriate staffing is maintained in the compliance function after the merger is complete?

Compliance management activities change considerably in the months following an acquisition or merger. Besides the fact the merged institution will have an expanded customer and employee base, there are a number of factors that affect the personnel requirements after a merger, including heightened customer service activities, monitoring new employees and changes in procedures and processes.

Budget significant time for your compliance department to review consumer disclosures, particularly periodic statements, after conversion of the acquired institution’s accounts. For example, are interest accruals correct and in accordance with the contractual requirements of the loan or deposit account agreement? Are payments being applied as originally disclosed and properly allocated between interest and principal? Are Web sites and mobile applications functioning as planned and are consumer disclosures accurate?

Also plan an increased budget for compliance training. It should be tailored and conducted in person with new staff regarding key regulatory requirements and your institution’s procedures regarding handling of customer inquiries, complaints and other important aspects of your compliance program.


In the push for new revenue, it can be easy to see acquisitions as the path of least resistance, especially as other financial levers (fees and loan interest rates) cease to be as powerful as they once were. But clearly, for those who haven’t taken the time and care to evaluate the details well ahead of time, taking the plunge with another institution is fraught with risk. Only by performing sure-eyed due diligence can you hope to make the combination a happy marriage.

What’s Under the Hood: The Audit Committee’s Role in M&A Due Diligence

As the regulators become more inquisitive about the due diligence process during an M&A deal, audit committee members should play a role when reviewing a proposed transaction. In this video, Justin Long, a partner with the Bracewell & Giuliani law firm, discusses some key areas and red flags that the board should focus on when evaluating a target bank’s compliance environment.

Fifth Third CEO: We Have 335 People Working Full Time in Risk Management

The $122-billion asset Fifth Third Bancorp learned the hard way that risk management is important.

“As recently as 2000, when we were a $40 billion bank, we operated with a limited degree of sophistication in enterprise risk,” said Kevin Kabat, Fifth Third’s CEO and vice chairman, speaking at Bank Director’s Bank Audit Committee Conference June 6 in Chicago. “I guess you could say we didn’t really even have such a function. We learned the hard way, early in the last decade, that we needed to do something about that.”

After regulators including the Federal Reserve Bank of Cleveland came down on the bank in March of 2003 and ordered a review of risk management and internal control practices, Cincinnati-based Fifth Third got to work.

“Looking now in the rear-view mirror, it was a watershed event for the bank,” said Kabat, who was president of the Michigan operation at the time, and was promoted to CEO in 2007.

Regulatory compliance moved into the enterprise risk function. Fifth Third started a risk and compliance committee of the board, appointed a chief risk officer who reported directly to the board and also gave each business unit its own risk officer. The bank created a full risk dashboard in 2004 that enabled senior management and the board to assess its risk profile in different areas, years before many other banks. The code of conduct was revised to build a risk culture among the bank’s more than 21,000 employees. By 2006, Internet fraud threats such as phishing were identified as emerging threats and comprehensive training for employees was developed to address them.

Fifth Third avoided exposure to subprime mortgages. It started to do stress tests of its balance sheet before the government required it for other big banks.

Although no banks walked unscathed through the financial crisis of 2007-2008, Fifth Third already had a risk team in place when the crisis hit and was able to take action early, suspending lending to homebuilders and cutting off home equity lines created by brokers. The bank cut its dividend by two-thirds, conserving $665 million of common equity, and it raised $3 billion in capital in 2008, making itself the last bank to raise trust preferred securities that year.

“To our knowledge, we were the first large institution in the United States to get in front of the crisis by announcing our internal stress test, including our expectation for 2009 losses, and a capital plan to meet it,” Kabat said.

The bank made it through the financial crisis well capitalized. However, it has been extremely costly to have such a huge risk management function. In 2003, maybe a dozen people worked in risk management for the bank. Now, about 335 people work full time in risk management, not counting the credit staff, or about 1.5 percent of the workforce.

For Kabat, such a function has been absolutely necessary. And it hasn’t diminished profitability.

Last year, Fifth Third had its second most profitable year in its 155-year history, with profits of $1.5 billion. Return on assets was 1.3 percent and return on average common equity was 11.6 percent.

“While deficiencies in a bank’s financial statements, or poor oversight of them, can create major problems, you are at as much risk, arguably greater, due to poor management of the enterprise risk function,” he said.

Meet Rising Compliance Costs with Untapped Internal Resources

As almost everyone in the financial institution trenches knows, ever-expanding compliance requirements are taking a toll on banks of all sizes, and some banks are simply resigning themselves to the need to hire additional employees to help shoulder the burden. But many institutions might be able to avoid, or at least reduce, the associated costs by looking within for a solution.

The Federal Reserve Bank of Minneapolis has estimated the relative number of new employees that banks of different sizes might need to hire in response to the same regulatory requirement. It estimated that hiring one additional employee would reduce the return on assets by 23 basis points for the median bank in the group of smallest banks, those with total assets of $50 million or less. Such a decline could cause about 13 percent of the banks that size to go from profitable to unprofitable.

Banks with total assets between $500 million and $1 billion would have to hire three employees and would experience a decline of about 4 basis points in return on assets as a result, according to the Minneapolis Fed. Although very few banks in the larger group would go from being profitable to unprofitable as a result of the heightened regulatory burden, 4 basis points is still a significant reduction in return.

In response to complaints about the dramatic potential effect on “smaller” banks, regulators have indicated that certain new regulations might apply only to big banks or, alternatively, they might adopt a tiered approach. Even if the regulators do demonstrate some flexibility on how new regulations are applied, smaller banks still will need to meet a rising compliance burden for rules and regulations already in place.

In the past five months, for example, relatively small community banks have been hit with severe penalties for fair-lending violations. Three or four years ago, regulators wouldn’t have focused on such institutions, but fair-lending oversight has taken on a new dynamic, and now banks of every size are expected to have robust fair-lending programs. Similarly, oversight of unfair, deceptive or abusive acts or practices (UDAAP) has expanded to cover a much broader scope of activities in the past two years.

While certain sections of the recently implemented servicing amendments to the Real Estate Settlement Procedures Act (RESPA) and the Truth in Lending Act (otherwise known as Reg Z) apply only to banks that handle at least 5,000 mortgage applications a year, nearly every other aspect of these regulations treats all banks the same, regardless of size, and imposes the same fines for violations.

In short, regulators have raised their compliance expectations for every bank these days.

Look Inside First
The bottom line is that your bank, whatever its size, needs someone to be responsible for and well-versed in the regulatory requirements and also to manage the compliance program. Instead of going out and hiring an additional compliance subject-matter expert (SME) to complement your existing compliance manager, though, consider working from within your organization.

You might already have on staff individuals who are qualified to assist with tasks such as monitoring and testing, perhaps an experienced credit analyst, personal banker or loan originator who has shown a strong ability to learn and interest in a long-term career in the banking industry.

For example, you could “borrow” a credit analyst or someone else who is adept at using spreadsheet software and could spare five hours a month to run some spreadsheet sorts of loan application data—both real estate and consumer—for the compliance manager to use for a high-level fair-lending data analysis. Or a personal banker who has shown an understanding of the common deposit regulations could do occasional testing of check holds and error resolution with the appropriate testing spreadsheets.

Don’t limit your consideration to employees with college degrees in finance and accounting. After all, you would be hard-pressed to find compliance SMEs who took a Reg Z course during their college days, even if they majored in finance or accounting. That expertise accrues through real-life experience and continued education. Once you look, you’ll likely find that your front-line people harbor extensive knowledge waiting to be tapped.

Make It a Team Effort
With a strong management structure—including representation and a commitment from all lines of business and senior management—compliance can become a cost-efficient team effort built upon existing resources.

Ongoing monitoring can be conducted within each line of business, with the compliance department merely reviewing it to see that the trends aren’t of concern. Occasional loan data analyses can be conducted by someone outside the compliance department, with the compliance manager providing guidance to confirm the analyst understands the basic concepts of fair lending.

And monthly meetings can be held to recap compliance activities, be they forthcoming new rules, testing and monitoring results, new training requirements or similar topics, and those meeting minutes can be presented to the audit committee. Ultimately, compliance is a long-term commitment, and you might be able to meet your institution’s rising compliance requirements if you look for ways to leverage the talent and experience of your existing personnel.