What To Do When Your Board Gets a Complaint

Both the Sarbanes-Oxley Act and, later, the Dodd-Frank Act contain provisions protecting whistleblowers who report violations of securities laws, and in fact the Dodd-Frank Act seems to encourage such reporting with well-defined monetary rewards for complaints leading to successful fines against a company. In September of 2014, an unnamed whistleblower was awarded a $30 million grant.

In light of a recent $30 million whistleblower award and the Dodd-Frank Act encouraging more people to report problems at their companies to the government, how should a bank board handle a whistleblower claim?

First, have a whistleblower policy/program in place, now, so that if/when a claim arises, the board is prepared to handle it effectively, appropriately and lawfully. All employees should be trained on the policy and encouraged to report up the chain, pursuant to the policy, any corporate misconduct they discover. It is far better in the end if the bank self-discovers and remedies the problem, than if the government does it for you. Second, work hard to maintain the confidentiality of the whistleblower. Maintaining confidentiality, and even anonymity, helps to ensure no retaliatory action is taken against the reporting employee. At all costs, avoid retaliation. Finally, conduct an independent internal investigation, and do so with the understanding that the reported misconduct could lead to criminal and/or civil litigation. Engage your legal counsel early in the process to ensure preservation of evidence and legal privileges.

—Michael Dailey, Dinsmore & Shohl LLP

Banks should handle possible whistleblower complaints very seriously. Regulatory agencies have shown a more severe response to banks over the last few years and whistleblower complaints can reinforce a perception, however inaccurate, that some banks do not have a proactive approach to compliance issues generally. Banks should have procedures for dealing with such claims and allow employees to air their concerns without fear of reprisal. Some may wonder whether this approach may encourage the raising of false claims, but at least banks would have an opportunity to triage employee concerns and demonstrate that they take those concerns seriously.

—Donald N. Lamson, Shearman & Sterling LLP

Bank boards should authorize their audit committees to handle complaints concerning securities law violations. An audit committee’s charter should make clear that the committee may retain appropriate advisors to investigate such complaints. The board should also ensure that management promulgates guidance for internal reporting on violations. Employees should be encouraged to report violations to appropriate representatives of the compliance, internal audit or legal staff. Recipients of complaints about violations should be instructed to forward them to the chairperson of the audit committee. Upon receipt of a complaint, the chairperson should ensure that it is investigated thoroughly. If no violation is found, the complainant should be so informed within 120 days after the complaint was made. If a securities violation is found, the bank should decide whether to report the violation to the Securities and Exchange Commission. A report to the SEC should be made within 120 days after the complaint was made.

—Kathleen N. Massey, Dechert LLP

Both public and private banks have potential exposure to Dodd-Frank and Sarbanes-Oxley whistleblower claims. Therefore, a bank should have proper compliance and anti-retaliation policies in place (reviewed regularly) setting forth behavioral expectations, encouraging reporting, and establishing protocols for handling reports. The bank should also designate a team to investigate and respond to reports. All employees should be thoroughly trained regarding these policies and, in particular, managers should be trained to identify when an employee is reporting and the need to escalate the report within the organization, as many employees do not use “hotlines” or Internet-based reporting mechanisms. Most important, the bank’s senior leadership must lead by example. Senior leadership needs to sincerely and repeatedly promote the virtues of the bank’s compliance, ethics and code of conduct policies. Reporting questionable conduct, no matter how insignificant, must be genuinely encouraged. And finally, senior leaders must demonstrate integrity in all that they do.

—Jonathan J. Wegner, Baird Holm LLP

Whistleblower complaints need to be treated seriously. Avoid the temptation to view all whistleblowers as disgruntled employees who are asserting claims against innocent individuals to further their own selfish goals. Failure to promptly address a legitimate complaint will only exacerbate the problem. Regulators look favorably on companies that take prompt action and see them as having strong and effective management. The opposite is true for companies that are unresponsive or hostile to employees’ concerns. Plus, treating whistleblower complaints seriously sends the message that employees will be treated fairly and sets a tone at the top that should foster stronger ethical behavior within the company. The board needs policies and procedures for investigating whistleblower complaints and coordinating corrective action and must communicate them to employees. Doing so will create the conditions necessary for the effective management of whistleblowing.

—Aaron Kaslow, Kilpatrick Townsend & Stockton LLP

Bank Board Risk Committee: What Every Board Should Do

Only a fraction of the nation’s banks are required to have a board-level risk committee. Under the Federal Reserve’s enhanced prudential standards coming out of the Dodd-Frank Act, publicly traded bank holding companies with assets of $10 billion or greater and all other bank holding companies with assets of $50 billion or greater must have a risk committee.

But banks of all sizes are going ahead and adding risk committees anyway. The Bank Director 2014 Risk Practices Survey, sponsored by FIS, identified that 76 percent of banks with assets between $5 billion and $10 billion and 54 percent of banks with less than $5 billion in assets had proactively implemented a board-level risk committee even though they did not have to by law.

A key finding from the survey was that banks that implemented a separate board-level risk committee performed better financially and reported a higher median return on assets (ROA) of 1.00 and median return on equity (ROE) of 9.50, compared to banks that govern risk with a combined audit/risk committee or within the audit committee. Having a board-level committee focused on how risks can be mitigated to enable attainment of financial and strategic plan objectives will result in a higher level of performance.

The other key benefit that a separate board-level risk committee can provide is proactive oversight of risk management. Effective risk management is identifying and mitigating risks before they become a material problem. It is forward-looking, not reviewing after the fact. So trying to oversee risks with a combined audit/risk committee or within an audit committee is extremely challenging and conflicting, since the focus of the audit committee is looking in the rear view mirror and after the fact. A risk committee can stay focused on overseeing risk limits and tolerances, and look for systemic risks and emerging risk trends. This way, material problems and surprises can be avoided before they arise and negatively impact earnings, capital or reputation.

So how can one go about implementing a highly effective board-level risk committee? The key to success is to get it right from the beginning. Start with the committee charter. The charter sets the tone and is the foundation for a highly effective risk committee.

The following PDF is a risk committee self-assessment checklist based on the Federal Reserve requirements for bank holding companies and industry best practices. A Yes answer will confirm either compliance with a regulatory requirement or a best practice. A No answer will identify a weakness. So if you have a risk committee, use the checklist to identify gaps and areas for improvement. If you do not yet have one, use the checklist below to jump start devising the risk committee charter.

Download the checklist in PDF format.

Bank Boards Making Progress on Risk Governance: Results of the 2014 Risk Practices Survey

The banking industry has made great strides over the last few years in the management of risk, and a number of important best practices have begun to emerge, according to Bank Director’s 2014 Risk Practices Survey, sponsored by FIS. While the Dodd-Frank Act requires publicly traded banks with more than $10 billion in assets to establish separate risk committees of the board, and banks over $50 billion to additionally hire chief risk officers, smaller banks are proactively following suit. By taking a more comprehensive approach to risk management, these institutions are reaping the benefits with improved financial performance.

The 2014 Risk Practices Survey reveals how these banks govern risk, and that a best-practice approach can positively impact financial performance. Creating and properly using a comprehensive risk appetite statement challenges many boards. Many see room for improvement in the quality and comprehensiveness of the bank’s enterprise risk management program. Tying risk management to the strategic plan and measuring its impact on the organization is difficult for many institutions, although those that have tried to measure the risk management program’s impact report a positive effect on financial performance.

Conducted in January, the survey is based on 107 online responses from independent directors and senior bank executives, primarily chief risk officers, of banks with more than $1 billion in assets.

Findings include:

  • Ninety-seven percent of respondents report that the bank has a chief risk officer or equivalent on staff, and 63 percent oversee risk within a separate risk committee of the board. Moreover, respondents whose banks have a separate board-level risk committee report a higher median return on assets (ROA), at 1.00, and higher median return on equity (ROE), at 9.50, compared to banks that govern risk within a combined audit/risk committee or within the audit committee.
  • Of those that oversee risk within a separate risk committee, 64 percent of respondents review the bank’s strategic plan and risk mitigation strategies, while the remaining 36 percent do not yet do so.
  • Tools like the risk appetite statement, the enterprise risk assessment and risk dashboard aren’t fully used. Only one-third of respondents feel that the bank’s risk appetite statement covers all the risks faced by the institution, and less than half use it to provide limits to board and management. Just 13 percent analyze the risk appetite statement’s impact on financial performance.
  • Just 17 percent of respondents review the bank’s risk profile and related metrics at the board and executive level monthly. Almost half review these metrics quarterly, while 23 percent review twice a year or annually.
  • Fifty-seven percent of directors feel that the board could benefit from more training in understanding how new regulations impact and pose risk to the bank, and 53 percent want a deeper understanding of emerging risks, such as risks associated with cyber security or Unfair, Deceptive or Abusive Acts or Practices (UDAAP). Conversely, senior executives feel that the board needs more training in overseeing the bank’s risk appetite, and understanding risk oversight best practices and how other banks govern risk.
  • The regulatory environment continues to challenge bank boards. Fifty-five percent cite the volume and pace of regulatory change as the environmental factor most likely to cause risk evaluation failures at the bank.
  • More than half of bank officers, and 40 percent of respondents overall, say that maintaining the technology and data infrastructure to support risk decision-making is a top risk management challenge.


The Regulatory Agenda and the Board: Five Key Issues

The Dodd-Frank Wall Street Reform and Consumer Protection Act has been in effect for nearly four years, and almost 75 percent of the required regulations have been written or proposed. Issued regulations help to clarify requirements, but the climate created by expectations of regulators continues to create additional challenges for boards.

Boards must first understand these regulatory expectations and then balance them against shareholder interests at a time when it is increasingly difficult to meet earnings expectations. As a result, financial institution directors are asking, “What should I know?” and “What may be coming next?” While it is impossible to know exactly what may be next, there are themes that are emerging from the current environment to which directors should pay particular attention.

Stress Testing
This will continue to evolve for the larger banks. Models for credit are changing to take into account improving credit statistics. Models for pre-provision net revenue and operational losses continue to be refined. Smaller banks without stress testing should be developing their testing. Banks with more than $10 billion in assets are required to stress test, so boards must ensure that their models continue to be challenged and validated. Simultaneously, similar testing for liquidity is being developed, and the regulatory pressure to understand liquidity positions and make progress toward achieving required liquidity ratios will be significant. The board should understand where the bank’s testing stands along the developmental curve and be prepared to challenge findings and address changing needs.

Compensation and Human Resource Practices
Dodd-Frank requires financial institutions to review incentive plans and eliminate rewards for risky activities. At the same time, the so-called horizontal review of pay practices at the largest financial institutions is creating regulatory expectations and standards that may not be as apparent, but will require more board involvement in pay decisions and structures. There is no area that will be more difficult to get right, as many of the regulatory requirements are inconsistent with the expectations and demands of shareholders. Risk and compensation committees will need to interact more as it relates to pay practices. The board should be prepared to challenge reporting structures that could increase risk or negatively impact controls in the financial institution.

Mortgage Lending Requirements and CRA Performance
It remains to be seen how the new ability-to-repay and qualified mortgage rules may impact a bank’s Community Reinvestment Act (CRA) performance. Directors will need to keep a close eye on CRA performance at their institutions, as it may be more difficult to generate loans in the more underserved communities.

Third Party Providers
Guidance issued by the Federal Reserve in December on managing outsourcing risk made clear that responsibility for the activities of third party providers remains with the financial institution. The board also must ensure that clear policies for managing these relationships are in place and followed. Less obvious are newly issued proposed rules related to diversity. These rules require boards to ensure that there are policies and practices in place to promote diversity in the supplier base as well as the financial institution’s workforce.

New Products and Services
As the earnings environment faces declining revenue streams (like mortgage) and increased compliance expenses, financial institutions will search for new ways to grow revenues. Boards will need to pay close attention to strategic plans and include risk reviews of strategies (including new products and services) to ensure that they align with their institution’s risk appetite.

Any of these topics could be the subject of its own article on the role of the board and its committees, and there are endless other issues that could (and must) be considered. It is clear that the responsibility and time commitment of boards of financial institutions will continue to expand and evolve at a rapid pace for the near future. Keeping abreast of regulatory interpretations and expectations has never been more important to the success of a financial institution and its board.

Small Banks and Stress Testing: Five Steps to Taking the Anxiety Out of Highly Anticipated Requirements

As banks with $10 billion to $50 billion of assets scramble to meet federal regulators’ new stress-testing requirements mandatory for 2013 reporting, smaller banks can breathe a fleeting sigh of relief. Although banks with less than $10 billion in assets currently are not subject to the stress testing required by the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank), experts widely believe that the new regulations eventually will apply to these smaller banks.

Time Is an Asset

An April 2013 Crowe Horwath LLP survey revealed that only 20 percent of banks with assets between $10 billion and $50 billion considered themselves ready to comply with Dodd-Frank Act stress testing (DFAST). It is likely that if—or when—new regulations are applied to smaller banks, they, too, will find themselves racing to meet requirements.

Small banks can take advantage of a benefit their larger counterparts no longer have: time. Before facing tight deadlines, small banks should prepare now for what many industry participants see as inevitable.

Be Proactive and Prepare

The following are five important activities small banks can initiate to prepare and position themselves for compliance with stress-testing requirements:

  1. Consistently capture data. All relevant loan data, including collateral descriptions, current appraised values and risk ratings, should be captured digitally as soon and as quickly as possible. This effort to assess your data ahead of time will be a tremendous benefit down the road.
    In addition, many small banks do not take advantage of advanced credit technology such as probability of default measures to evaluate loans. These types of financial technologies are essential to integrating enterprise loan data with complex econometric forecast models. Small banks that have not done so should implement credit risk metrics with granular capabilities.
  2. Create a cross-functional team. A stress-testing framework should capture an entire institution’s exposures, activities and risks. This enormous task must involve departments that typically operate independently from one another—risk, finance, treasury and credit. A designated cross-functional team can break down any existing silos and put its institution’s process on track.
  3. Include business-line heads. The back office on its own cannot create a road map for stress testing. Heads of each line of business must have input and a critical stake in the process. For example, if forecasts show an unfavorable capital position for a business unit, its leader and team likely will face constrained opportunities. Each business unit leader’s perspective is important, particularly in budgeting, planning, providing data, reporting and challenging forecasts.
  4. Expand budget forecast horizons. Banks with $10 billion to $50 billion in assets are required to stress test budget forecasts for two to three years into the future. Small banks, which typically forecast budgets that extend from six months to a year, need to start planning further ahead. Adding consideration of scenario-based budgets—alternative business plans based on potential events—also will need to become part of the regular planning process.
  5. Educate the board of directors. Preparing for effective stress testing involves extensive internal resources as well as potentially engaging external experts to assist with modeling and providing stress-testing support or systems. Boards of directors should have a strong understanding of the investment necessary to accomplish this effort successfully.
    Directors also should have full knowledge of their own role in the process. Boards of directors at banks with assets greater than $10 billion must approve their bank’s stress-testing results, so it is reasonable to conclude that directors at small banks could be required to do the same. Stress-testing results relate directly to directors’ responsibilities because the analysis can help set the strategic direction of a bank or should align with the strategy and risk appetite the board of directors already has established.

Every Bank Could Need to “Stress”

Federal regulators already say that all banks should be able to analyze how they would perform under a variety of scenarios and if they have sufficient capital to weather those situations. In addition, scrutiny of small banks making acquisitions has increased, with regulators asking acquirers to demonstrate the effect of a given transaction on their bank’s capital position.

Regardless of the impetus for readying to comply with stress-testing requirements, small banks should be realistic in setting goals. For many institutions, it can take between 18 and 24 months to prepare. With that in mind, now is the best possible time to get started.

Stress Testing Crib Sheet for Board Members

A bank’s board of directors has the role of fundamental oversight in stress testing. The most recent guidelines released for the Federal Reserve’s Comprehensive Capital Analysis and Review (CCAR 2014) under the Dodd-Frank Act include several directives for bank boards. Although the guidelines are mandated for banks with between $10 billion and $50 billion in assets, stress testing will likely be broadened, making current guidance a good foundation for banks below $10 billion in assets. Looking to get started? Here are some key takeaways for board members as they prepare for future stress testing compliance.

  1. The buck stops… with you.
    Perhaps the most significant expectation for boards of directors is that they are “ultimately responsible” for the bank’s stress tests. Board members should be receiving summary information from their stress tests, including results from each scenario. Beyond this awareness, the board should also be evaluating the results to ensure they appropriately reflect the company’s risk appetite and overall strategy.
  2. It’s a framework, not the SATs.
    The goal of capital adequacy stress testing is not just to pass a test, but rather to ensure that the bank could withstand major challenges to its viability—and having enough capital is a major factor. For larger banks, the board “must consider the results of the stress test in the normal course of business, including, but not limited to, the company’s capital planning, assessment of capital adequacy, and risk management practices.” Stress testing should be an integral part of the bank’s business planning process, and direct involvement of senior management and the board are essential. The role of the board in responding to existing challenges is similarly important, and incorporating stress testing into business planning demonstrates that the board is doing its part in disaster preparedness.
  3. Get and stay involved.
    While it is management’s responsibility to design and implement stress testing, the board needs to be involved in order to ask the necessary questions to provide an effective challenge process. In doing so, board members should always be in a position “to assess and question methodologies and results,” including model assumptions, limitations, and uncertainties, all of which should be sufficiently documented.
  4. Keep up with the times.
    The board “must approve and review the policies and procedures for DFA stress tests to ensure that policies and procedures remain current, relevant, and consistent with existing regulatory and accounting requirements and expectations.” While this mandate is rather open-ended, there are a few things to bear in mind about the newer Dodd-Frank-mandated stress testing for capital adequacy. Stress testing results should be produced for a minimum of the three required scenarios. Board members should not be hesitant to request additional scenarios. Capital adequacy stress testing goes well beyond stressing certain loan segments, which is the most common form of stress testing already in place at many banks. Rather, capital adequacy stress testing is comprehensive and involves impacts throughout the income statement and balance sheet exposures. Impacts (such as losses) should be estimated by drawing relationships between economic factors (like GDP growth) and the line items being projected. Current practice at many firms typically assumes that stressed losses would be a multiple (e.g., 2x) of historical losses, but these results are arbitrary.
  5. Get it in writing.
    The board should examine documentation annually (at a minimum) to confirm that it is adequate and shows that the bank has a robust process for producing and evaluating results. At banks with more than $10 billion in assets, the board or a board committee “must approve and review the policies and procedures of the stress testing processes as frequently as economic conditions or the condition of the company may warrant, but no less than annually.” With that said, thorough documentation is essential.
  6. Make it add up.
    For the purpose of consistency with the bank’s strategy as well as the board’s history, projected capital actions should coincide with the scenarios and internal practices in the bank’s stress tests. For example, dividend policy in each scenario should be consistent with any corporate restrictions and the board’s decisions in historical stress periods.

While these directives can be easily delegated to members of management, bank regulators have made it clear that the bank’s board of directors is accountable for successful stress testing implementation, results, and integration into future planning. As stress testing becomes more frequent and rigorous, the process should already be in the forefront of board members’ minds and corporate agenda. Eventually, stress testing results will become public. Banks that score well and do so cost-effectively will be rewarded in the marketplace.

A Postcard From the Compensation Conference

It wasn’t that long ago that a bank’s CEO proposed his own pay and the board of directors for the bank approved it with few questions asked.

That practice continues at many small, privately owned banks. But increasingly, boards are the drivers of the bank’s executive compensation, including the CEO’s. They are asking difficult questions, getting pressure from proxy firms and regulators to adjust pay, and positioning themselves not only as the decision makers, but crafting the bank’s executive pay plan from day one.

Attending Bank Director’s Bank Executive and Board Compensation conference in Chicago this year, which was held Nov. 4-5, I was struck by how the job of the board in setting pay has changed.

The increasingly powerful proxy firms, such as Institutional Shareholder Services (ISS) and Glass Lewis, are making a difference in the pay practices not only of big, publicly traded banks, but smaller banks as well. One key emphasis of these firms is to tie executive pay with shareholder returns.

Although many banks don’t have much institutional ownership of their stock, and therefore don’t necessarily need to worry about ISS’ view of their pay plan, many of them do want to implement pay practices that will balance the need to recruit and retain great talent, as well as meet the demands of shareholders and regulators. Banks increasingly give restricted stock to executives that vests when multiple performance measures for the bank and the individual are met.

In addition to the proxy firms, regulators are putting pressure on boards to assess the risk in all their incentive programs, including loan officer pay, in keeping with the 2010 joint regulatory guidance on incentive pay. Boards seem to be increasingly involved in the minutiae of pay structures for all levels of staff, a job that was previously left up to management. Boards are simplifying and cutting the number of pay plans at their banks, which sometimes run to 20 or 30 different bonus programs.

Another change noted at the conference was the increasing use of deferrals of executive bonuses over a three- or five-year period, even for banks below $50 billion in assets, as a way to mitigate risk, an awfully interesting development since only those above $50 billion in assets will be required to defer pay under the 2010 Dodd-Frank Act.

The fact that regulators haven’t finalized many pay rules under Dodd-Frank, including the deferral rule, is making the job of the board harder. Attendees at the conference told me they want to design a program that will last three or five years down the road without having to be revamped every time a new rule comes out. Michele Meyer, legal counsel for the Office of the Comptroller of the Currency’s Central District, explained during a panel discussion that multiple regulatory agencies, each with a different mission statement, have to sign off on the new rules, which has delayed the process.

All these headaches combined might be a reason why directors are getting paid more for the work they do for the bank—director pay increases at public banks below $15 billion in assets varied from 8 percent to 15 percent in 2012, as reported in 2013 proxy statements and analyzed by compensation consulting firm McLagan. As an example, the average total director compensation in cash and stock was $43,946 in 2012 for publicly traded banks between $1 billion and $5 billion in assets, an 8 percent increase from the year before. Many banks had frozen pay during the financial crisis, and now directors want to get paid in line with increasing shareholder value, said McLagan principal Gayle Appelbaum, a presenter at the conference.

The conference didn’t focus only on executive and director pay. Steve Steinour, the chairman, president and chief executive officer of $56-billion asset Huntington Bancshares in Columbus, Ohio, was the keynote speaker and didn’t talk about the frustrating issues of proxy advisor firms and regulatory guidance. Instead, he urged the audience to think about what kind of bank they wanted to run, and how to attract young people to work in banking. “There are fewer people seeking careers in banking than there were years ago,” he said, noting that the industry has been pilloried, sometimes deservedly. (Huntington Bank’s recruitment and training video features images taken of Occupy Wall Street demonstrations and pledges the bank will operate on the simple principle of doing the right thing.)

Steinour offered a different perspective on the issue of pay and retention: How do you make sure you have the staff you need so you can excel in the coming years? It was a question very much on the minds of some of the more than 250 attendees of the conference.