Due diligence doesn’t just tell an acquiring bank everything that should be known about a target; the process also shows that the acquirer’s team is committed to the deal. In this video, Stinson Leonard Street Partner Adam Maier explains how to protect the bank from potential losses in M&A.
The Roles of Due Diligence vs. Representations and Warranties
Both the Sarbanes-Oxley Act and, later, the Dodd-Frank Act contain provisions protecting whistleblowers reporting violations of securities laws, and in fact, the Dodd-Frank Act seems to encourage such reporting with well-defined monetary rewards for complaints leading to successful fines against a company. In September of 2014, an unnamed whistleblower was awarded a $30 million grant.
In light of a recent $30 million whistleblower award and the Dodd-Frank Act encouraging more people to report problems at their companies to the government, how should a bank board handle a whistleblower claim?
First, have a whistleblower policy/program in place, now, so that if/when a claim arises, the board is prepared to handle it effectively, appropriately and lawfully. All employees should be trained on the policy and encouraged to report up the chain, pursuant to the policy, any corporate misconduct they discover. It is far better in the end if the bank self-discovers and remedies the problem, than if the government does it for you. Second, work hard to maintain the confidentiality of the whistleblower. Maintaining confidentiality, and even anonymity, helps to ensure no retaliatory action is taken against the reporting employee. At all costs, avoid retaliation. Finally, conduct an independent internal investigation, and do so with the understanding that the reported misconduct could lead to criminal and/or civil litigation. Engage your legal counsel early in the process to ensure preservation of evidence and legal privileges.
—Michael Dailey, Dinsmore & Shohl LLP
Banks should handle possible whistleblower complaints very seriously. Regulatory agencies have shown a more severe response to banks over the last few years and whistleblower complaints can reinforce a perception, however inaccurate, that some banks do not have a proactive approach to compliance issues generally. Banks should have procedures for dealing with such claims and allow employees to air their concerns without fear of reprisal. Some may wonder whether this approach may encourage the raising of false claims, but at least banks would have an opportunity to triage employee concerns and demonstrate that they take those concerns seriously.
—Donald N. Lamson, Shearman & Sterling LLP
Bank boards should authorize their audit committees to handle complaints concerning securities law violations. An audit committee’s charter should make clear that the committee may retain appropriate advisors to investigate such complaints. The board should also ensure that management promulgates guidance for internal reporting on violations. Employees should be encouraged to report violations to appropriate representatives of the compliance, internal audit or legal staff. Recipients of complaints about violations should be instructed to forward them to the chairperson of the audit committee. Upon receipt of a complaint, the chairperson should ensure that it is investigated thoroughly. If no violation is found, the complainant should be so informed within 120 days after the complaint was made. If a securities violation is found, the bank should decide whether to report the violation to the Securities and Exchange Commission. A report to the SEC should be made within 120 days after the complaint was made.
—Kathleen N. Massey, Dechert LLP
Both public and private banks have potential exposure to Dodd-Frank and Sarbanes-Oxley whistleblower claims. Therefore, a bank should have proper compliance and anti-retaliation policies in place (reviewed regularly) setting forth behavioral expectations, encouraging reporting, and establishing protocols for handling reports. The bank should also designate a team to investigate and respond to reports. All employees should be thoroughly trained regarding these policies and, in particular, managers should be trained to identify when an employee is reporting and the need to escalate the report within the organization, as many employees do not use “hotlines” or Internet-based reporting mechanisms. Most important, the bank’s senior leadership must lead by example. Senior leadership needs to sincerely and repeatedly promote the virtues of the bank’s compliance, ethics and code of conduct policies. Reporting questionable conduct, no matter how insignificant, must be genuinely encouraged. And finally, senior leaders must demonstrate integrity in all that they do.
—Jonathan J. Wegner, Baird Holm LLP
Whistleblower complaints need to be treated seriously. Avoid the temptation to view all whistleblowers as disgruntled employees who are asserting claims against innocent individuals to further their own selfish goals. Failure to promptly address a legitimate complaint will only exacerbate the problem. Regulators look favorably on companies that take prompt action and see them as having strong and effective management. The opposite is true for companies that are unresponsive or hostile to employees’ concerns. Plus, treating whistleblower complaints seriously sends the message that employees will be treated fairly and sets a tone at the top that should foster stronger ethical behavior within the company. The board needs policies and procedures for investigating whistleblower complaints and coordinating corrective action and must communicate them to employees. Doing so will create the conditions necessary for the effective management of whistleblowing.
In May of 2014, Zurich, Switzerland-based Credit Suisse became the first major bank to plead guilty to criminal charges in the United States, offering a mea culpa for aiding tax evasion on behalf of its American clients. Two months later, the French bank BNP Paribas pleaded guilty to criminal charges involving violations of laws regarding countries sanctioned by the United States such as Iran and Sudan, and settled with U.S. regulators for close to $9 billion. (Banks are not supposed to aid transactions with countries hostile to the United States.) With news of some of the first criminal prosecutions of major banks since the financial crisis, Bank Director decided to ask a panel of legal experts whether smaller banks had cause for concern.
What does the shift toward criminal prosecutions of some of the largest banks mean for smaller or regional banks, if anything?
It is my belief that the criminal prosecutions at the larger banks are intended to have a preventative effect on smaller or regional banks. The idea is that if they can go after the big guys then they certainly can go after those of us that are smaller as well. But, smaller organizations should use it as a marketing strategy to show the differences between the large banks and more community or smaller banks who are not engaged in the types of activities that draw scrutiny.
—Philip K. Smith, Gerrish McCreary Smith
The danger is that smaller banks may conclude that the Department of Justice (DOJ) would consider criminal penalties for only the largest, and possibly non-US banks. In reality, it is very possible that under the right circumstances, the DOJ could seek a criminal conviction of a smaller bank. For example, if a bank has committed [anti-money laundering] violations on several occasions, DOJ might want to make an example for similar institutions. It’s happened at least once before, although with different facts. Moreover, the possible systemic repercussions of such a prosecution could be perceived as relatively minor. There have been complaints that DOJ has not brought enough criminal cases following the financial crisis, so widening the net to include smaller entities may be perceived as a credible response to those criticisms.
—Donald N. Lamson, Shearman & Sterling LLP
Nothing. There’s a rush to say that holding gigantic institutions criminally accountable means that smaller institutions will be next. But that doesn’t apply here, where you have criminal sanctions for conduct that occurred back in 2006 to 2007. Nothing changes this past conduct—the sanctions are aimed at punishment instead of other common goals (like deterrence, incapacitation, rehabilitation, or restitution). The lesson is more subtle: In the big banks’ bad conduct, licensed professionals knew what was going on but didn’t stop it. Absent collusion by the people entrusted to serve as gatekeepers to the financial system, the mortgage-backed securities could not have made their way into the mainstream and contributed to the market crash. So the easiest way to avoid criminal accountability is to maintain the integrity and independence of your gatekeepers. That’s what the big banks failed to do—and why they were held criminally accountable.
—Shamoil T. Shipchandler, Bracewell Giuliani LLP
While it is never comforting to learn that federal prosecutors are turning their investigative and prosecutorial eyes toward your industry, small and regional banks should not lose sleep over the fact that the feds are seeking criminal prosecutions at the biggest banks. The targets have been the largest of the large Wall Street and multinational banks; the ones the media and politicians have conditioned the public to despise. It will be a long time, if ever (most likely), that the criminal focus turns to main street banks.
—Michael Dailey, Dinsmore & Shohl LLP
Attorney General [Eric] Holder famously asserted that while a corporation could be prosecuted just as any other “person,” prosecutors should consider the “collateral consequences” on “innocent third parties” including the “corporation’s officers, directors, employees, and shareholders.” Criminal prosecutions of large banks have potentially huge collateral consequences. These collateral consequences are not as pronounced with regard to a smaller bank, but nevertheless will (and perhaps should) cause the prosecutor to think twice. On the other hand, it is also easier for a prosecutor to prove criminal intent in a smaller institution, which is less layered and siloed.
Did General Motors make a series of bad mistakes in its handling of ignition switch problems on certain vehicles, as well as its handling of recalls? The Detroit automaker has now recalled more than 20 million vehicles worldwide this year, a continuous stream of recalls that has kept the bad news in the headlines. Also, investigations have focused on internal problems that caused the company to keep making vehicles without fixing known problems, according to news reports.
What can we learn from the way General Motors has handled the ignition switch issue?
As described in the investigative report, GM executives adopted a decision process forever identified as the “GM nod,” where everyone would nod in agreement with a proposal and then leave the room without having established responsibility and accountability for the decision made. The lesson for any company is to insist, from the top-down, on responsibility and accountability. By comparison, Alan Mulally famously reformed Ford’s culture to reward those who accurately reported risks and mistakes and took responsibility. The results have shown up in the quality of the products of each company and the perception of these companies in the market. These lessons can certainly inform management at banks, particularly with regard to the bank’s risk culture. The first line of defense in any bank to managing risks is in the line of business itself, which should be held accountable by senior management and the board of directors for appropriately identifying and mitigating risks. This should not be left to the auditors, examiners, and risk managers to instill risk management discipline.
—Cliff Stanford, Alston & Bird LLP
A slow reaction to a problem can result in more than just a bad day in the office. The biggest headline was not the recall. The media focused on the fact that General Motors knew about the problem long before the recall and failed to react resulting in lawsuits, congressional hearings and calls for boycotts, all of which have negatively impacted the automaker’s reputation and bottom line. Bankers should take notice of such missteps in responding to potential cyber-attacks launched at their institutions. It is not enough to simply have security measures in place. Directors also need to ensure that their institutions have proper response policies to react quickly to minimize potential damage to customers and to take corrective measures to address the cyber-attacks head on. Failing to respond in a timely manner can result in more than just a few angry customers and can expose the banks to regulatory and legal penalties.
—Christian Gonzalez, Dinsmore & Shohl LLP
It appears there was little enterprise risk management stressed and in place at General Motors. The General Motors situation has taught us the need to encourage/require employees at any level of a bank hierarchy immediately to report problems so that material issues can be handled and solved by executive management with reports, if necessary, going to the full board. Bank employees must not hide material issues. When discovered, the issues may lead to very embarrassing situations for the bank and its parent.
—Bob Monroe, Stinson Leonard Street LLP
GM probably learned a few lessons from the experience of the banking industry and was more prepared to navigate the horror of becoming a public whipping boy. When something has gone terribly wrong inside a large organization, it’s terribly important to get on top of the facts as soon as possible. And that’s not easy. To avoid embarrassment and compounding the problem, you have to resist the temptation to speak before you have assembled the facts. Measure your statements carefully, and support them with facts identified by an investigation by an outside firm and reported to the board or committee of the board charged with overseeing the investigation. [CEO] Mary Barra deserves serious praise for her authentic brand of leadership in the midst of a corporate crisis.
—Mark Nuccio, Ropes & Gray LLP
The GM ignition switch debacle is nothing new and merely underscores a series of well-known precepts that directors should internalize as official bank policy. Playing ostrich never works. Problems must be faced, not ignored in the hope they will disappear. Cover-ups never work either. The underlying problem always comes to light, and the consequences in terms of reputation risk, regulatory risk, and legal risk end up being exacerbated, and any judgments and penalties enhanced. When an issue is identified by any employee, including even the lowest level employee, steps must be taken by management promptly to investigate the issue and, if it is significant, bring it to the board’s attention and implement a strategy to address it. The board should have a crisis management policy in place for handling really serious issues; this will entail assembling a team of specialists to handle the public relations, compliance, security, IT, and legal components of the problem, including where necessary, an internal investigation.
Nearly three years after the creation of the first ever regulatory agency just for consumers of financial products, the Consumer Financial Protection Bureau, or CFPB, has rewritten mortgage rules, targeted debt collectors, auto lenders, big banks and even for-profit colleges. It has been a busy few years. So how has the agency transformed the industry? We asked a panel of bank attorneys.
What has been the impact so far of the CFPB?
I would have to say that the biggest impact, at least from the perspective of community banks, has been the cloud of regulatory uncertainty that the CFPB has cast over those institutions, and the resulting impact on their bottom line. While community banks are not directly regulated by the CFPB, they are still subject to much of the same rulemaking by the agency as are the big money center banks. Even where community banks are specifically exempted from CFPB regulation, those regulations nonetheless tend to serve as standards or competitive baselines for smaller institutions. It is difficult, as a result, to anticipate the infrastructure and resources needed to stay ahead of the regulatory curve. As a result, community banks are forced to beef up their compliance departments, or outsource oversight of those responsibilities, creating disproportionately higher overhead for such banks as compared to larger institutions.
—Patrick S. Murphy, Godfrey Kahn, S.C.
One important impact CFPB has had thus far on the banking industry is the creation of a renewed fervor among the bank regulatory agencies in the area of consumer protection. Since the inception of CFPB after the enactment of Dodd-Frank, those in leadership positions at CFPB have noisily and frequently made it clear that the bureau believes consumers have been, and are currently being, taken advantage of by financial institutions, both bank and non-bank institutions. Given the preeminent position the CFPB holds in the consumer compliance regulatory arena, the other agencies (Office of the Comptroller of the Currency, Federal Deposit Insurance Corp., the Federal Reserve, and the state regulators) understandably are following CFPB’s lead. Some effects on the banking industry of this heightened interest in consumer compliance include increased overhead costs, uneasiness about upcoming regulatory examinations, diversion of senior management attention from revenue generating activities, and degradation of the working relationship between bankers and field examiners.
—Michael G. Dailey, Dinsmore & Shohl LLP
In a word – UDAAP. The CFPB’s “gotcha” approach to exercise of its regulatory enforcement authority over unfair, deceptive, or abusive acts or practices (UDAAP) took many of our clients aback. As they try to develop new products and procedures designed to accommodate changing consumer preferences (for example, in connection with mobile services and prepaid cards), the chilling effect that the enforcement actions have had on those business units has been notable. Some bankers have gone back to the drawing board with current products while others have grown skittish about rolling out new offerings. At a time when the marketplace is demanding innovation, the CFPB’s UDAAP enforcement actions against major financial institutions have caused the mentality among some bankers to shift from “What shall we do next?” to “Are we next?”
—Jonathan Wegner, Baird Holm LLP
The CFPB’s biggest impact has not been through any regulations it has enacted, nor has it been through its own enforcement of consumer protection laws. No, its biggest impact has been indirect—by heightening the emphasis on consumer protection and leading to a dramatic increase in civil money penalty (CMP) actions by federal bank regulators for alleged unfair or deceptive acts or practices (UDAP). In 2013, the FDIC imposed CMPs against banks 89 times, 16 of which were for alleged UDAP violations. At 18 percent of all bank CMP actions, this is a near doubling from 2012 and three times the percentage in 2011. Expect these percentages to keep growing. Once bank regulators have identified an industry “problem,” they do not change course until the next flood, financial crash or other newsworthy event redirects their attention. And the CFPB has barely begun its own enforcement actions under the new unfair, deceptive, or abusive acts or practices law.
—John ReVeal, Bryan Cave LLP
It is always important to remember that the CFPB was established to be immune from regulatory capture by the industry, and the CFPB will be quick to tell you that it’s not about the bank, but about the consumer. For banks, the rule-writing, supervision, data gathering, and enforcement activity of the CFPB has elevated the status of consumer compliance within the hierarchy of concerns of senior management and boards. While issuing a range of new and complex rules, the CFPB has also emphasized third party oversight and principle-driven versus rule-driven compliance (think unfair, deceptive or abusive acts or practices, or UDAAP). Moreover, the CFPB has influenced the prudential supervisors in their oversight of community banks, where consumer compliance is also getting heightened attention.
There has been an enormous upswing in shareholder litigation following acquisitions. A survey by Ohio State University professor Steven Davidoff and Securities and Exchange Commission fellow Matthew Cain found that 97.5 percent of acquisition deals of a publicly traded company in 2013 resulted in a shareholder lawsuit, an increase from 39 percent in 2005. Why all the lawsuits? Well, there is money to be had in settling such lawsuits, as the acquirer and seller are very eager to carry on with their deal and not be held up by expensive litigation. Bank Director asked a panel of attorneys whether banks should settle such lawsuits, or fight them to avoid encouraging more lawsuits.
Should banks settle when they are hit with a M&A lawsuit?
The question of whether a bank should settle when hit with a lawsuit in connection with an M&A deal, and if so when, depends heavily on the circumstances. The reality is, however, that these shareholder class action suits are essentially a given in any transaction involving a publicly traded seller. In nearly all cases, regardless of the circumstances, the plaintiffs’ lawyers will assert, first, that the directors breached their fiduciary duties in connection with the sales process that was followed and in accepting the deal terms that were agreed and, two, that the disclosure in the proxy statement issued in connection with the shareholder meeting to approve the transaction is deficient. A well advised board will be aware of this reality and plan accordingly. As a practical matter, these suits rarely are an impediment to a transaction and should certainly not dissuade a board from pursuing a transaction that is in the best interests of the shareholders.
—William L. Taylor, Davis Polk & Wardwell LLP
Like so many questions the answer lies in the particular facts and circumstances. But the automatic inclination to settle these strike suits has dissipated somewhat as management, and more importantly judges, have shown less patience with these types of suits, and as a consequence, awarded increasingly nominal amounts of attorney fees, if any at all. This cottage industry of the plaintiffs’ bar grew up in the era of large bank mergers where these types of suits and settlement amounts were viewed simply as mere nuisances. As the transactional activity has moved to the smaller bank market, so have the plaintiffs’ lawyers. But these suits have also taken on greater meaning for middle market transactions. The CEO of a bank that intends to engage in multiple acquisitions should seriously consider contesting the first strike suit to send the signal to the plaintiffs’ bar that this bank will not be easy prey.
—Michael Reed, Covington & Burling, LLP
While these actions ostensibly seek monetary relief, such as an increase in the merger consideration, most of them ultimately settle on terms that call for some additional disclosures to the shareholders in advance of the vote on the transaction, and, of course, an attorney’s fee award for the plaintiffs’ lawyers. There are two primary reasons for these settlements. First, the risk, however small, of having a large transaction enjoined or otherwise disrupted is often seen as outweighing the relatively minimal nature of the settlement relief. Second, a settlement is not without its benefits, as, once approved by the court, the settling defendants can obtain a full and complete release of any claims that were or could have been brought by the shareholders in connection with the merger transaction.
—John Bielema and Mike Carey, Bryan Cave LLP
Unfortunately, settling these suits is a necessary evil. Judges are often reluctant to dismiss shareholder suits on the basis of a pre-trial motion, so settling is the only way to avoid the risk of an injunction that blocks the deal or the expense of litigating through trial. Refusing to settle and hoping the plaintiff goes away is probably more of a gamble than the parties are willing to take. The good news is that judges are beginning to doubt the value of many of these disclosure-only settlements in which the companies agree to provide additional disclosure to shareholders, and they are knocking down the attorney’s fees. Reducing the fees that accompany these settlements is the best way to discourage these questionable suits.
—Aaron Kaslow, Kilpatrick Townsend & Stockton LLP
The decision to settle depends, in part, on the nature and size of the deal. Why settle an unmeritorious lawsuit? The threat of delaying a merger transaction can kill the deal, so settling by agreeing to provide some additional disclosures, paying the plaintiffs’ attorneys’ fees and making a token payment to shareholders often makes sense. Acquirers often factor this so-called merger tax into their purchase price considerations to assure that the transaction gets completed. Be careful, though—paying the merger tax can result in higher future directors and officers (D&O) insurance premiums, or larger retentions under those policies. On the other hand, some acquirers in states with favorable business judgment statutes and a reasonable judiciary are fighting unmeritorious lawsuits. Those challenges show an impressive win-loss ratio for boards. Also encouraging is that some courts have dismissed the suits outright or refused to approve settlements and the attorneys’ fees provided in them.
There are a lot of complaints about the complexity of the new Basel III rules, which increase minimum capital ratios, establish a new set of risk weights for certain assets and increase liquidity requirements. All banks and thrifts, plus thrift holding companies, are subject to the new rules. Bank holding companies also are included, unless they have assets of less than $500 million. But will the new rules be good for banking, when all is said and done? Bank Director asked a panel of experts to weigh in on the new rules, which were finalized earlier this year.
Is Basel III good for banking?
More and more, I find myself to be in [Federal Deposit Insurance Corp. Vice Chairman] Tom Hoenig’s camp. Regulations have become monstrously complex. The Basel III regulations are more than 900 pages. If the question is whether higher minimum capital ratios and liquidity requirements make sense, I would say sure, but 900 pages? Beyond the complexity, there is considerable administrative burden even for community banks. I laugh when I read what amount of time regulators say is needed to comply with new regulations. They must all be masters of Evelyn Wood’s Reading Dynamics. I needed over two weekends just to read the first 280 pages of regulation.
— Peter Weinstock, Hunton & Williams LLP
Basel III is good for banking in that it directs the industry back into the more conservative role of a traditional financial intermediary rather than the high growth, boom or bust mentality that was so pervasive in the industry in the early to mid-2000s. The Basel III rules, in a general sense, promote more modest risk-taking by banks. The rules also moderate growth through limiting leverage for those institutions that have more aggressive asset mixes. By doing this, the rules will help curb competition that is strictly based upon which institution is willing to take the most risk. Hopefully, these rules will lead the industry back into an environment in which the most successful institutions are the smartest, not just the most aggressive.
— Jonathan Hightower, Bryan Cave LLP
Yes and no. People generally accept that banks should have had more capital prior to the recent financial crisis, but Basel III has clear weaknesses. The problem lies in recognizing that overly complex rules and prohibitively high capital levels can be incompatible with increasing economic activity or at least contribute to driving borrowers to the shadow banking environment. The key is to understand the interrelationship of new requirements in addition to Basel III, both national and international, both imposed by Dodd-Frank and independently by bank regulators, to recognize that the cumulative effect of those rules may be more onerous than at first supposed.
— Donald Lamson, Shearman & Sterling LLP
It’s a mixed bag. Since all U.S. banks will be required to hold more capital, especially common equity, than under the existing rules, they will be more likely to absorb significant losses and thus may be less likely to fail. However, in order to raise or maintain additional common equity, banks still have to deliver attractive returns to their shareholders. The cost of additional capital, plus the compliance burden arising from more complex rules, makes it too early to tell whether banks will succeed without cutting back on the availability of credit. The Basel III rules also create disincentives for smaller U.S. banks to expand through M&A transactions instead of organic growth. That could act as a brake on consolidation and affect the competitive landscape between banks of different sizes.
— Luigi L. De Ghenghi, Davis Polk & Wardwell LLP
The application and implementation of Basel III to community banks is unnecessary. Community banks were not the cause of the troubles leading up to the Great Recession. Then, as now, most healthy community banks have more capital than will be required in 2015. When deemed necessary for safety and soundness, troubled institutions often have increased capital ratios imposed on them by their regulators. This has not changed, nor should it. Basel III may have the undesired effect of driving more consolidation of healthy community banks because they will not be able to profitably keep up with increased regulatory compliance costs, new CFPB rules, information technology advances, along with maintaining higher capital standards. This will be our loss.
— Susan B. Zaunbrecher, Dinsmore & Shohl LLP
We believe Basel III will be good for banking, so long as the rules are clearly set out. Basel III will require banks to maintain higher capital levels, even though there are changes to what can be included in Tier 1 capital.
— Bob Monroe, Stinson Morrison Hecker LLP
Basel III implementation risks pushing banks to pursue similar business strategies to manage their regulatory capital burdens (which contributed to the 2008-2009 systemic crisis as well). Regulators have pushed banks to adopt model risk management practices to ensure that each institution does not slavishly follow underwriting, valuation, or risk management models without routine and independent validation. However, these same model risk management principles have not been built into the Basel III standards themselves, which are static and risk similar effects.
One perplexing aspect of board minutes is the level of detail that is required. Regulators seem to want more detail in board meeting minutes that show a thorough discussion took place on important matters, and that board members are engaged and exercising good corporate governance. On the other hand, minutes can also provide fodder for shareholder lawsuits and regulatory action. So how much detail is enough? Bank Director asked a panel of attorneys that question.
How complete should board minutes be, and should they ever be audio recorded and saved?
Board minutes should be detailed enough to indicate the matters addressed and determinations reached. Objections by individuals to the group decision should also be noted. Meetings should never be recorded, nor should minutes be the equivalent of a transcript. Bankers who are tempted to have minutes that are so comprehensive that they imply that nothing else was covered if it were not in the minutes might go ahead and start kicking themselves rather than wait for the plaintiff lawyers to do so later.
—Peter Weinstock, Hunton & Williams LLP
Recent years have shown that board minutes are more than just a record in the corporate minute book; they may become evidence in lawsuits or regulatory enforcement actions. It is essential that board minutes accurately reflect the proceedings, and they should be reviewed and approved by the full board at the following meeting. However, individual notes generally should be excluded from board minutes, and drafts should be discarded. As a general rule, meetings generally should not be recorded so that board members do not feel inhibited or constrained from engaging in frank discussion about sensitive corporate governance matters. In the end, the written minutes should be the definitive record of the meeting.
—Jonathan Wegner, Baird Holm LLP
There is no perfect formula for board minutes. They should be complete enough that they fully memorialize the actions of the board. For routine matters, they may be fairly brief, but for extraordinary matters, they should be more thorough and possibly detail discussions with experts and/or financial analyses. I would advise against audio recording board meetings. The minutes should be the only retained record to eliminate discrepancies or inconsistencies. This also goes for directors’ notes, which should not be retained following a meeting. A seasoned litigator once told me that if there is a legal issue, every page of notes taken by a director and retained after a meeting equaled one hour of deposition time for that director.
—Susan Zaunbrecher, Dinsmore & Shohl LLP
Audio recording of board minutes is antithetical to their purpose, which is to record the business transacted and accomplished at the meeting and substantiate that proper procedure was followed (i.e., notice, quorum, etc.) and not be a transcript of conversations. Perhaps most importantly, minutes are legal documents that are generally discoverable in a lawsuit no matter in what form they are maintained. Institutions need to consider whether they would want to have their audio recorded minutes played in a court room for all to hear.
Maintaining needlessly detailed minutes is a horridly unsophisticated practice. In the context of banks and bank holding companies, board and committee minutes should be purposeful and set forth the essentials. The minutes of meetings are not intended to, nor should they, be transcripts. The proceedings at a meeting have legal significance to an organization and its directors if votes are required for action or nuanced consideration of board-required actions must be demonstrated. Recording and saving the recordings is inadvisable. On rare and sensitive occasions, recording the meeting to assist the note taker in preparing the minutes might be warranted, but the recordings never should be saved. In my experience, recording meetings also discourages useful give and take. To the extent that activity in a board meeting becomes legally relevant, litigators protecting an organization would prefer a boiled down written record and prepare witnesses based upon it.
—Mark Nuccio, Ropes & Gray LLP
We generally recommend that, particularly for community bank holding companies, the board try and maintain only a very general summary of discussion points. The primary exception to this general principle is that where a board is making a significant shift in policy or taking a strategic action with a relatively high degree of risk, we recommend taking care to include information sufficient to demonstrate that the board has satisfied its fiduciary duties—but even in those cases, erring toward the side of omitting unnecessary detail. Examples of these situations commonly include the consideration and approval of M&A and capital markets transactions, but increasingly we have also included more thorough summaries of factors that support adoption of or changes in dividend policies, branch expansions and similar decisions.
As new regulations and slim profit margins challenge the banking industry, the skills and backgrounds of the employees who work in banking must change as well. Bank Director asked legal experts to address the question of how the talent needs of the industry will shift in the next five years.
How will the banking industry’s personnel needs—including executives within the C-suite—change over the next five years?
While banks will continue to rely on service providers for efficiencies, expect a premium to be placed on those middle managers who can negotiate and manage third-party relationships. Encouraged by the regulators, banks have become increasingly attuned to the risk management burdens of outsourcing, particularly with regard to consumer-facing services and information technology. In the bank C-suite, expect to see continued strong demand for those with risk management, compliance, technology, information security and credit risk backgrounds.
—Cliff Stanford, counsel, Alston & Bird LLP
In recent years, we have already seen the need for dedicated Bank Secrecy Act/Anti-Money Laundering compliance officers and Community Reinvestment Act officers. In the information technology area, there will be a need for a chief information officer and possibly a separate chief information security officer. Both the C-Suite and the boardroom will also have a need for individuals with extensive, detailed regulatory and compliance experience to assist with policymaking and strategic planning, especially to keep the compliance burden cost effective.
—Keith Fisher, Ballard Spahr LLP
More bank consolidation is expected in the next five years, so executives in the C-suite need to be prepared to be leaders of change. Along with the board, they need to create and implement a vision that reflects the bank’s brand and corporate culture. Recently, some banks have created a position of chief culture officer that reports directly to the CEO. That position involves much more than simply training the new people on how your systems work. Rather, the focus is on moving the bank forward as one family with one voice and one mission, and overcoming the natural tendency for an “us versus them” culture that often follows an acquisition.
The risk management expertise needed by a bank is increasingly dictated by regulatory standards. In addition, regulatory reform and legislative developments will continue to be important on both sides of the Atlantic. Thus, it will be important for banks to maintain personnel, including C-suite personnel, who can maintain relationships with regulators and other relevant policymakers, and effectively communicate with the public about the positive role of banks in the economy. Implementation of new rules and enforcement actions will continue, and therefore compliance and legal staff will continue to play key roles as new policies and systems are designed and banks respond to regulatory inquiries.
—Don Lamson, Shearman & Sterling LLP
Risk management and technology will continue to require executive oversight. Institutions that do not have C-level talent addressing such areas will be expected to add them as they grow. The bigger question is what level of committee and task force infrastructure will be needed to respond to the increasingly interdisciplinary nature of banking? We are getting to the point that bankers are unable to schedule time with customers among the jumble of committee and task force meetings. Unfortunately, I do not see a quick change to such meeting proliferation.
Bank Director asked legal experts to address a question that is top-of-mind in bank boardrooms lately: cyber security. What really is the role of the board in overseeing this potential threat? Big banks are getting hit with denial-of-service attacks that are taking down their web sites for hours. Even smaller banks are getting reports of constant attempts to hijack their online security. It seems time to address that question.
What are the three most important steps that banks should take to protect themselves from cyber attacks?
First, the board of directors must be well informed as to the risks of cyber attacks, the mitigating steps taken by the bank to address the risks, and very importantly, the results of any testing performed on the controls that the bank deployed. Second, the board must make sure that qualified management is in place with the appropriate level of competence, staffing and resources to address the ever-evolving risks of cyber attacks. Finally, the board should study all the enterprise’s insurance policies to make sure that there is in place insurance coverage and/or riders to protect the enterprise (this includes the holding company and all affiliates and subsidiaries) if it becomes the victim of a cyber attack.
—John Podvin, Haynes Boone LLP
In December 2012, the Office of the Comptroller of the Currency issued an alert about the recent cyber attacks. The OCC’s alert said that banks need to have a “heightened sense of awareness” about cyber attacks and take actions that include: ensuring sufficient staffing for the duration of an attack; ensuring that the response effectively involves appropriate personnel across multiple lines of business and external partners; and conducting due diligence on service providers to ensure that these providers have taken steps to identify and mitigate risks from attacks. The OCC also emphasized that banks should consider the recent attacks as a part of their ongoing risk management program, and should be prepared to provide timely and accurate communication to their customers. The OCC expects banks that are victims of attacks to report the information to law enforcement authorities, to notify their supervisory office, and file suspicious activity reports if appropriate.
—Don Lamson, Shearman & Sterling LLP
Banks should review current systems, physical facilities and processes for vulnerabilities, and adjust as needed. Some important changes might not be that difficult to implement. Consider hiring an outside specialist for this—someone who knows the latest threats and methods. Review the security practices of your vendors, and review vendor contracts to ensure appropriate representations and warranties (and indemnification) around security. Invest in regular training for employees, including what to look for and what to avoid. The bad guys are constantly changing their methods, and regular training helps address new threats and also keeps security top-of-mind. Bonus Answer: Maintain a top-down emphasis on security. Emphasis must come from the C-suite and not just from the technology department.
—Bobby Turnage, Venable LLP
The biggest threat to banks today is still the insider threat. Banks should be thoroughly checking the backgrounds of their employees before they are employed. Banks should continue to supervise and be alert to activities once employed. In parts of the world where background checking is not possible, banks should conduct extensive validation using personal local sources and social media sources. Access to systems should be carefully protected, taking into account the sensitivity of the systems and access should be provided only on a “need to know basis.” Data silos need to be broken down. Systems were originally designed to solve particular problems. Criminals have figured out that these silos prevent organizations from seeing the true picture of fraudulent activity. Big data tools are available in the market that can help organizations thwart potential problems without the massive data warehousing effort that was required just a few years ago.
—Vivian Maese, Dechert LLP
Earlier this year, the Australian Department of Defense, Intelligence and Security released a statement that 85 percent of targeted cyber intrusions that it responds to as an agency could be prevented if companies did the following:
1. Application whitelisting (or preapproving of mobile and traditional applications used by employees).
2. Operating system and application patching (ensuring that the software in use by your organization has the latest security fixes).
3. Administrative password management (minimizing the number of users in the organization with administrative privileges).
However, in cyber security, we can’t simply note the technical fixes required. We also ask organizations to become security-aware and foster a meaningful cross-expertise dialogue between business units, legal, IT and security. The technical fixes will only get organizations so far and do not fully protect against social engineering, rogue employees, or customer/employee phishing. At Ballard Spahr LLP, we created a helpful checklist for organizations to improve the cyber security dialogue within their organizations. An effective cyber security program and dialogue will not protect against all cyber theft, but it will help put your organization in a better position to detect, respond and control costs once events occur.