Federal Agencies Heighten Expectations and Penalties for Bank Directors

There have been two changes in bank regulatory enforcement that should be interesting to all directors. Recently, the Office of the Comptroller of the Currency released a new examination handbook applicable to institutions of all asset sizes and changed a corresponding handbook for directors, guiding examiners in assessing an institution’s risk strategy and control environment and heightening the responsibilities of bank board directors. The guidance requires directors to be in a position to pose “credible challenges to management” and states a director’s prime duty is to “ensure the bank operates in a safe and sound manner,” altering a director’s previous duty of “protecting the bank.”

Also, recent rulemaking has intensified the sting of civil money penalties (CMPs). Effective August 1, 2016, the list of violations has been augmented and fines have materially increased. CMPs will increase for directors, institutional affiliated parties (IAPs), banks, thrifts, and other financial institutions. CMP statutes that carry three-tiered penalties geared to levels of severity and intent generally have risen 80 percent to 90 percent to $9,468, $47,340 and $1,893,610. Note that regulators forbid banks from making indemnification payments to a director or IAP assessed a CMP.

The changes in the handbooks, coupled with the enhanced CMPs, signal “regulatory creep,” suggesting strongly that less complex institutions will be held to standards expected of complex institutions. This supervisory approach should be noted by a bank and its board. If a federal banking agency decides to proceed with an enforcement action, the target (either the institution or the IAP) will be notified in writing and provided 15 days to explain why a CMP is unwarranted. Additionally, an IAP target will be required to update personal financial statements.

The bank’s response to the agency requires a deep dive into the record of the supervisory communication between the bank and the agency. A thorough legal analysis of the evidence, counsel’s opinion regarding the likelihood of a violation being upheld on appeal, and advice regarding the potential penalty range is critical. The penalty could range from an informal (supervisory) penalty to a public monetary penalty and industry ban. This is the time the target, along with experienced counsel, should meet with the relevant agency officials to seek to resolve the principal supervisory concerns, so the exposure is contained. It’s a good idea to address the possibility of agency referrals for criminal charges. The process of personal interaction with agency officials, and submission of the legal analysis with focused strategic dialog, is paramount.

Although it is typically useful for bank management and directors to present a unified front, a bank must appreciate the potential for conflicts of interest between directors and bank management, because the federal banking agencies apply different standards and penalties to directors than to management. It may be necessary to engage independent legal counsel for the board. To the extent there is a uniformity of interests between management and directors, a joint defense agreement can be fashioned. Most bank board protection plans will cover legal fees and costs associated with independent counsel, although, again, the payment of an assessed CMP cannot be indemnified by the bank.

If alleged violations cannot be resolved by settlement, the CMP assessment or other sanctions will be made public. The sanctioned person may request a hearing before an administrative law judge. After the hearing occurs and submissions from counsel are received, the administrative law judge issues an opinion and recommendation to the agency. The administrative law judge’s opinion can be appealed to the agency head. A similar process then occurs before the agency head, and final agency action is rendered. Final agency action may be appealed to the relevant federal court of appeals. The Federal Reserve Board, the Federal Deposit Insurance Corp. and to a certain extent, the Consumer Financial Protection Bureau, use similar procedures.

Now more than ever, it is imperative that a bank director appreciate heightened supervisory expectations, actively provide oversight to management and, importantly, document for the record the board’s curiosity and skepticism. A director’s best defense is to be alert to warning signs that a finding of a legal violation is being considered. With management, the board should be proactive in addressing supervisory concerns, and document curative actions taken before the violation is outlined in a written supervisory communication.

Four Best Practices to Help Bank Boards Manage New Cybersecurity Guidance

Updates to the FFIEC Management Booklet portion of the IT Examination Handbook in late 2015 have placed your board of directors under more pressure than ever to ensure the health and stability of your institution’s overall IT and cybersecurity environment.

While the board has always held ultimate responsibility for institutional governance, the revised handbook places extra demands on its members’ level of knowledge and involvement, particularly in the areas of cybersecurity, examination procedures and IT management.

It’s perhaps the IT management portion and its two major changes that will prove most taxing to board members. First, the description of the IT management structure is more granular, with the addition of two new parties: executive management and a chief information security officer. Specifically, executive management is expected “to understand at a high level the IT risks faced by the institution and ensure those risks are included in the institution’s risk assessments. In the event that executive management is unable to implement an objective or agree on a course of action, executive management should escalate that matter to the board for more guidance.” The chief information security officer’s duties are spelled out in depth, and the guidance requires that person to report directly to the board, a committee of the board, or senior management—but not to someone in IT. The board is responsible for implementing this new governance structure.

Secondly—and of more concern—the updated guidance requires board members to provide “credible challenges” to bank management before approving IT or security decisions. This means they must maintain enough understanding of IT and cybersecurity matters to ascertain how these decisions might pose risks to the institution and whether they align with its overall strategy. And if they don’t understand something, they must be able to ask thoughtful, intelligent questions until they do.

Now, as most of us know, it isn’t uncommon for board members to “rubber stamp” IT management decisions, sending approvals through with a modest amount of consideration. So, given their accountability for understanding these matters before signing off on them, how can you help your board succeed?

It helps to view this challenge as a two-way street: the board provides oversight and governance, and the bank’s management and subject matter experts (SMEs) share their knowledge and information with board members to help them carry it out. There are four best practices to accomplish this task:

  1. Request that bank management, as well as the IT and security departments, begin passing relevant information to the board. Specifically, this includes monthly or quarterly summaries of incident reports that can apprise the board of any major incidents involving downtime, deployment of business continuity plans or anything else that could affect business decisions.
  2. Have your bank’s IT and security SMEs—or possibly an outside firm—provide the board with continuous updates on regulators’ expectations surrounding cyber risk management and oversight, as well as which high-level risks are circulating in the current environment. The experts also can consult with board members about why this knowledge is important, and how they can incorporate it into their strategic decisions.
  3. Encourage the board members to actively educate themselves by doing their own reading and research. To that end, ask one or two members to sit in on IT or security steering committees, then take the information they learn back to the rest of the board. This gives them access at the ground level.
  4. Invite the board to get involved with the Financial Services Information Sharing and Analysis Center (FS-ISAC), which shares the latest threat intelligence and attack methods, and encourages its financial industry members to do the same. If your institution has a membership—and it should—board members can access those resources and take part in the center’s bi-weekly conference calls.

Again, board members don’t have to become overnight SMEs. But they need to be involved, engaged and ready to ask some tough questions to ensure IT and security strategies are aligned with board expectations and the risk appetite they’ve set. If not, they shouldn’t be voting to approve IT plans.

After all, when it comes to IT, you can have all the best technology in the world, but if it’s unreliable or exposes your bank to too much risk, what good is it? It’s within the best interest of your institution and its board of directors to carefully apply the updated FFIEC guidance to all IT and security decisions.