As new regulations and slim profit margins challenge the banking industry, the skills and backgrounds of the employees who work in banking must change as well. Bank Director asked legal experts to address the question of how the talent needs of the industry will shift in the next five years.
How will the banking industry’s personnel needs—including executives within the C-suite—change over the next five years?
While banks will continue to rely on service providers for efficiencies, expect a premium to be placed on those middle managers who can negotiate and manage third-party relationships. Encouraged by the regulators, banks have become increasingly attuned to the risk management burdens of outsourcing, particularly with regard to consumer-facing services and information technology. In the bank C-suite, expect to see continued strong demand for those with risk management, compliance, technology, information security and credit risk backgrounds.
—Cliff Stanford, counsel, Alston & Bird LLP
In recent years, we have already seen the need for dedicated Bank Secrecy Act/Anti-Money Laundering compliance officers and Community Reinvestment Act officers. In the information technology area, there will be a need for a chief information officer and possibly a separate chief information security officer. Both the C-Suite and the boardroom will also have a need for individuals with extensive, detailed regulatory and compliance experience to assist with policymaking and strategic planning, especially to keep the compliance burden cost effective.
—Keith Fisher, Ballard Spahr LLP
More bank consolidation is expected in the next five years, so executives in the C-suite need to be prepared to be leaders of change. Along with the board, they need to create and implement a vision that reflects the bank’s brand and corporate culture. Recently, some banks have created a position of chief culture officer that reports directly to the CEO. That position involves much more than simply training the new people on how your systems work. Rather, the focus is on moving the bank forward as one family with one voice and one mission, and overcoming the natural tendency for an “us versus them” culture that often follows an acquisition.
—Norma Sharara, Luse Gorman Pomerenk & Schick, P.C.
The risk management expertise needed by a bank is increasingly dictated by regulatory standards. In addition, regulatory reform and legislative developments will continue to be important on both sides of the Atlantic. Thus, it will be important for banks to maintain personnel, including C-suite personnel, who can maintain relationships with regulators and other relevant policymakers, and effectively communicate with the public about the positive role of banks in the economy. Implementation of new rules and enforcement actions will continue, and therefore compliance and legal staff will continue to play key roles as new policies and systems are designed and banks respond to regulatory inquiries.
—Don Lamson, Shearman & Sterling LLP
Risk management and technology will continue to require executive oversight. Institutions that do not have C-level talent addressing such areas will be expected to add them as they grow. The bigger question is what level of committee and task force infrastructure will be needed to respond to the increasingly interdisciplinary nature of banking? We are getting to the point that bankers are unable to schedule time with customers among the jumble of committee and task force meetings. Unfortunately, I do not see a quick change to such meeting proliferation.
—Peter Weinstock, Hunton & Williams LLP
First, the board of directors must be well informed as to the risks of cyber attacks, the mitigating steps taken by the bank to address the risks, and very importantly, the results of any testing performed on the controls that the bank deployed. Second, the board must make sure that qualified management is in place with the appropriate level of competence, staffing and resources to address the ever-evolving risks of cyber attacks. Finally, the board should study all the enterprise’s insurance policies to make sure that there is in place insurance coverage and/or riders to protect the enterprise (this includes the holding company and all affiliates and subsidiaries) if it becomes the victim of a cyber attack.
Banks should review current systems, physical facilities and processes for vulnerabilities, and adjust as needed. Some important changes might not be that difficult to implement. Consider hiring an outside specialist for this—someone who knows the latest threats and methods. Review the security practices of your vendors, and review vendor contracts to ensure appropriate representations and warranties (and indemnification) around security. Invest in regular training for employees, including what to look for and what to avoid. The bad guys are constantly changing their methods, and regular training helps address new threats and also keeps security top-of-mind. Bonus Answer: Maintain a top-down emphasis on security. Emphasis must come from the C-suite and not just from the technology department.
The biggest threat to banks today is still the insider threat. Banks should be thoroughly checking the backgrounds of their employees before they are employed. Banks should continue to supervise and be alert to activities once employed. In parts of the world where background checking is not possible, banks should conduct extensive validation using personal local sources and social media sources. Access to systems should be carefully protected, taking into account the sensitivity of the systems and access should be provided only on a “need to know basis.” 
Earlier this year, the Australian Department of Defense, Intelligence and Security released a statement that 85 percent of targeted cyber intrusions that it responds to as an agency could be prevented if companies did the following: 1. Application whitelisting (or preapproving of mobile and traditional applications used by employees). 2. Operating system and application patching (ensuring that the software in use by your organization has the latest security fixes). 3. Administrative password management (minimizing the number of users in the organization with administrative privileges). However, in cyber security, we can’t simply note the technical fixes required. We also ask organizations to become security-aware and foster a meaningful cross-expertise dialogue between business units, legal, IT and security. The technical fixes will only get organizations so far and do not fully protect against social engineering, rogue employees, or customer/employee phishing. At Ballard Spahr LLP, we created a helpful 
Operational and regulatory risks are more inter-related than ever before. Banks still seem extremely mindful of credit risk, but management teams have “gotten used to” those risks, and have been living with the new reality for many years. Now we are seeing a lot of activity relating to regulatory changes and how those changes affect operations. Over the next few years, it will be critical for management teams to stay on top of the regulatory changes and make sure that they are comfortable that their entity’s operations are able to respond to the ongoing regulatory changes. This includes conducting a thorough internal review of internal and external compliance function to ensure that it is appropriately staffed and receiving adequate guidance.
Operational. Since the vast majority of bank management today has operated in the gradually declining interest rate environment since the early 1980s, operating their institutions in a future that virtually guarantees rising interest rates presents a new challenge. Managing earnings without exposing their banks to the same interest rate risk pressures that nearly destroyed the thrift industry in the decade of the 80s will require dedication to sound asset-liability management processes.
Credit Risk. The credit crisis magnified credit risks distinguishing good lenders from poor ones, and banks that survived strengthened internal controls to avoid a repeat scenario. While many banks have cleaned up their loan portfolios, credit risks will remain at the forefront of bankers’ minds across the country for many years to come.
Regulatory. A strong enterprise risk management program covering all aspects of the risk spectrum is essential to managing regulatory risk today. Risk must be managed from the top -down with all members of the board of directors and enior management agreeing on the risk appetite of the organization, what level of tolerance they are willing to accept and what metrics will be utilized to monitor the risks.
Whether one looks at the lost or disrupted business caused by recent cyber-attacks, or the massive regulatory settlements in divers areas involving Libor rigging, AML (anti-money laundering) non-compliance, or failure to supervise third party vendors offering misleading credit products, it becomes clear that financial institutions need to take operational and regulatory risks at least as seriously as they take credit risk.
I believe the biggest risk to financial institutions today is in the regulatory arena. It seems there is something new every day with which banks must comply. It can make your head spin! Having a solid regulatory monitoring function is critical to managing this risk.
Regulatory risks are the primary concern; however, it’s not unusual for there to be elements of operational risk and/or credit risk within the regulatory risk as well.
Operational. There are two fronts. Given margin compression, banks are looking at cost containment. This includes reviewing the process for efficiencies and re-evaluating their delivery network. We are seeing banks take a hard look at their branch network. The second item relates to technology—both from a standpoint of delivery and risk mitigation. If we really understood the regulatory burden in our future, then it would be worth the concern. At this point, it is too nebulous which makes it impossible to address.
In today’s banking environment, where these types of risks are so very interrelated, it seems more difficult than ever to untie operational, credit and regulatory risk from one another and identify one as being more critical than another. From an audit committee standpoint as it relates to BOLI (Bank-Owned Life Insurance), the justification for the asset purchase, the product structure and the ongoing review of the credit of various carriers creates regulatory and credit risk challenges. Add to that additional challenges from BASEL III and Dodd-Frank, along with a tepid economic recovery coming out of the great recession, and a complete, more thorough understanding of the BOLI asset will be critical in the future.
The real question is not how should boards respond, but if they are legally required to respond. That depends on the nature of the proposed unsolicited offer. If it is a mere cocktail conversation or even a friendly overture during lunch, typically there is no duty to respond at all.
Boards must make an informed, good faith decision and can’t just ignore the offer. The record must reflect directors’ thoughtful consideration, including reviewing the bank’s strategic plan and value remaining as a standalone entity.
For public companies, the public announcement of an unsolicited acquisition proposal can place the target at a significant disadvantage. This is particularly true where the putative buyer announces the offer directly to stockholders, rather than first approaching the board in an attempt to reach a negotiated transaction. In these instances, boards are well-advised to adopt a stockholder rights plan in order to afford ample time to obtain adequate information and advice and, on that basis, to consider an appropriate response.
A board must exercise its business judgment as that is defined under the law of its state of incorporation. For example, in Delaware, the Revlon doctrine may drive a board’s consideration. In essence, the board must exercise its fiduciary duties with the specific goal of maximizing shareholder value.
As a threshold matter a board needs to understand that it, as a body, must make decisions that enhance shareholder value. A board cannot shift its decision making responsibility to the shareholders. The board must consider through a financial analysis whether the unsolicited offer is one that could put the shareholders in a better position than holding the existing bank shares. If the board’s conclusion is that the offer is legitimate and could put the shareholders into a more favorable position than maintaining the status quo, then the board has decided to sell to some entity.
With increasing needs for capital and a desire to grow, some smaller banks may want to become or remain public companies, in spite of the significant burdens imposed on smaller public company issuers. Access to the public markets and shareholder liquidity, in the right situation, are worth the price of admission. Without a growth agenda, however, small, publicly held banks would be well-advised to privatize.
For many banks with less than $500 million of assets, the burdens of operating as a public company likely outweigh the benefits. The reporting obligations themselves are substantial. Moreover, particularly as many community banks continue to feel the burdens of the financial crisis, the need to satisfy the short-term view of many investors can impede the pursuit of the long-term objective for a return to health. And the public markets often place a discount on the stock price of banks this size, thereby limiting the upside potential of an offering. Despite having said that, if a bank of this size is in comparatively good health, there are many opportunities for acquisitions in the marketplace now. For these banks, the publicly traded stock can still be a useful currency in a growth strategy. 
There is no one-size-fits all response to this question. For the institution that sees itself generating enough capital to pay dividends and sustain growth and does not see itself expanding its footprint, then it should seriously consider deregistering with the SEC. There is a unique ability for a bank or bank holding company (and a savings bank and savings and loan holding company) to continue to trade on the bulletin board without having to be registered with the SEC. This is not available for non-financial institutions.
Standard Chartered Bank, a part of United Kingdom-based Standard Chartered PLC, last summer quickly settled a complaint brought by the New York State Department of Financial Services (DFS) to the tune of $340 million over allegations that it had violated anti-money laundering laws. The bank still faces wide-ranging investigations from various state and federal regulators, pursuant to their respective anti-money laundering (AML) authority.
In the context of banks that are too big to fail and too big to govern, the rules will have only a marginal impact. Clearly Jamie Dimon was as surprised as anyone when the London whale caused the bank a multibillion dollar portfolio trading loss, but to say that compensation rules lead to reckless speculation is to miss the point. The losses suffered by J.P. Morgan Chase & Co. were not a result of misplaced compensation incentives, but a lack of sufficient controls over activities which are culturally risk intensive. It is doubtful that the London whale would have avoided speculative trades if his contract penalized his poor performance or risk taking. Performance-based compensation trends and regulatory restrictions on incentive based compensation are in conflict. It is ironic that during a time when incentive-based compensation is on the rise, and scrutiny over peer comparisons and total shareholder returns is increasing, regulators would blame compensation arrangements as a cause of the crisis.
The interagency rules implementing Section 956 of Dodd-Frank limiting compensation in banks larger than $1 billion in assets are not finalized yet. It remains to be seen whether these rules will change the product mix offered by banks going forward under the guise of restricting compensation. It also remains to be seen whether there will be “trickle-down” of these rules to banks with assets of less than $1 billion. Another unintended consequence might be if the rules restrict compensation to an extent that some of the best and brightest minds leave the banking industry for greener pastures. Does that actually make the banking industry safer? 
The regulation of incentive-based compensation practices is a key aspect of the Dodd-Frank Act. It is based on the view that executive and senior manager compensation practices at financial institutions during the years leading up to the financial crisis failed to properly align compensation with appropriate risk-taking, and may have led to practices and activities that were inconsistent with the long-term health of financial institutions. The financial regulatory agencies proposed incentive compensation standards and disclosure requirements 18 months ago, and these rules are expected to be adopted in final form in the relatively near term. To the extent that these rules encourage financial institutions’ directors and senior management to pay closer attention to the risk incentives created by compensation practices and activities, and take appropriate action to better reward behaviors that emphasize the longer-term health of a financial firm while discouraging activities that do not accomplish this objective, the new rules should assist in reducing inappropriate risk in financial firms.
Yes. Community banks need to be exempted from the Consumer Financial Protection Bureau’s proposed rules on mortgage disclosure and qualifying mortgages, as community banks have been and are subject to regulatory oversight on mortgage disclosures rules. There is no need for the CFPB to be involved in the supervision of community banks. Why do we need two regulators to oversee this issue and many other banking issues when federal bank regulators were adequately doing their jobs? One major problem that lead to the current crisis revolved around unregulated mortgage originators, not disclosure rules. Let bankers and their prudential regulators continue with regulatory oversight of mortgage disclosure rules and keep the CFPB out of community banks.
Small banks are struggling to keep up with the new rules, and already, we’ve seen some small institutions enter into what amounts to mortgage referral relationships with bigger banks that have enough horsepower in their compliance departments to keep up with all of the new rules. The CFPB needs to implement reasonable accommodations for these smaller institutions. Otherwise, they may very well regulate these banks out of a fundamental piece of their business.
Regulatory compliance costs have always fallen more heavily on community banks than on large banking companies because of the smaller volume of transaction over which community banks must distribute compliance costs. These costs make it more difficult for community banks to compete with larger banks on the basis of price. These considerations argue in favor of exempting community banks from proposed rules on mortgage disclosure and qualifying mortgages. On the other hand, when dealing with consumer protection issues, consumer advocates may argue that it is unfair and confusing to consumers to exempt anyone from consumer protection requirements. Despite these arguments, the presence of unregulated providers in a market provides a point of reference and a practical check on the potential for regulatory requirements to lead to a diminution in, or even unavailability, of key services and should ultimately benefit consumers.
I don’t think anyone has made a persuasive case that breaking up the banks will reduce systemic risk. Breaking them up could actually increase systemic risk. For example, take a bank with $1 trillion in assets. Suppose it were broken up into 10 banks of $100 billion each. If the 10 smaller banks continue to engage in the same activities—e.g., taking deposits and making loans—all 10 would be just as likely to fail simultaneously and cause just as much systemic risk. Moreover, if they are less efficient risk managers, they may be more likely to fail. We will also lose the benefits of having banks with balance sheets and global footprints that match those of their customers.
Economic crises (e.g., United States 2007-2009 and East Asia in the ‘90s) have generally originated from common exposures to risks (such as a fall in housing prices or a currency depreciation), rather than from the failure of a large bank bringing down others. Moreover, initiatives underway, including those to improve internal risk management processes and impose greater market discipline on large institutions, show promise as a means to reduce systemic risks. In light of the foregoing—and considering the unknown consequences of a forced break-up on the functioning of the financial system, the valuable services only being provided by the largest institutions, and the broad legal authority U.S. regulators already have to force a downsizing on a case-by-case basis—sound policy considerations underpin a more modest approach to “too big to fail.”