What You Don’t Know Can Hurt You: 10 Things to Watch When You’re on a Bank Board


8-8-14-alston-bird.pngThe legal and regulatory climate for a bank is changing on a weekly basis. At least in part due to this, the expectations and liability risk of a bank director are not the same as a year ago, let alone five years ago. To help address this, we crafted a list of some broad themes we believe bank directors should be particularly attuned to now.

Enterprise Risk Management
Risk management is a function, not a committee. Boards need to implement a process to ensure that risks are properly identified and addressed in such a way that the board can demonstrate a “credible challenge” to management. And, beyond creating an effective corporate clearing house for risk, boards need to ensure that the bank possesses a management team capable of carrying out this function.

Third Party Risk
Vendor management has become a hot-button for all banks, as formal and tacit guidance continues to emerge. In addition to performing and memorializing due diligence around vendor selection, banks need to be in a position to understand and properly supervise the work of any vendors. This means having a properly qualified and trained management team that addresses the operational, compliance and other risks potentially resulting from reliance on third parties.

Trust Preferred Securities (TRuPS)
Many banks were forced to defer payments on TRuPS in the aftermath of the 2008-2009 crisis period. With the five year TRUPS deferral period now coming to an end, many bank holding companies don’t possess the funds (and cannot compel a bank dividend) to bring the TRuPS current. Further, regulators have insisted that any proposed capital raise be sufficient not only to pay off the TRuPS, but also to result in a composite CAMELS 2 rating for the bank. Your board needs to understand the resulting threats and opportunities.

Deferred Tax Asset Preservation
Bank regulatory agencies have begun to take issue with rights plans that are designed to preserve deferred tax assets (DTAs), citing the safety and soundness concerns that such plans could present by complicating future capital raises. As regulatory guidance on this point appears imminent, your board needs to understand the implications for your bank and your competitors.

Director Liability
Boards should ensure that they have the benefit of up-to-date exculpation and indemnification provisions in the bank’s charter and bylaws, as well as a robust directors and officers (D&O) insurance policy that is not rendered useless by a host of exemptions. In addition, with so much of the recent banking litigation being focused on process, your board should reconsider and redefine the way that your bank makes, records and polices its deliberations and decisions.

Role of Directors in Lending Decisions
Clearly, directors should be involved in defining the scope of a bank’s lending activities, the delegation of lending authority, and the monitoring of credit concentrations and other risks. But should directors serve on loan committees, and make the actual lending decisions? It’s time to reassess this important issue. Directors making day-to-day lending decisions can blur the lines of proper governance and needlessly expose directors to additional liability risk.

Charter Conversions
Each of the banking agencies seems to be developing a different regulatory mood on key issues, such as business plans, consumer compliance and risk-based regulation. In this post-crisis environment, it is important that you consider whether your bank is appropriately chartered in light of its strategy. Put another way, the trends have changed, and you should consider how these changes affect your bank.

Growth Strategies in a Tough Lending Climate
With traditional loan growth being slow, banks continue to reach for less traditional loan products, such as asset-based lending, factoring, lease finance, reverse mortgages, premium finance, indirect auto lending, warehouse facilities, etc. As always, these products must be considered in light of concomitant compliance risks and capital requirements. Directors should ensure that management performs thorough risk assessments alongside their profit/loss projections.

The Effects of Basel III
Depending upon the size and makeup of your bank, the January 2015 Basel III changes will impact your bank’s regulatory capital position. At a minimum, directors need to understand from the bank’s CFO and auditors that there is a plan anticipating what the pro forma capital position is expected to be under Basel III.

Compliance Issues Can Sink a Strategy
Too many banks with solid strategies have seen their bank’s growth hindered by compliance failures. Bank Secrecy Act/anti-money laundering rules, consumer protection regulations, and poor oversight of third parties can result in enforcement actions and derail growth until the issues are remediated, which can take years. Boards must set a tone at the top with regard to the compliance culture of the bank.

The themes above are top of mind for us, but the environment remains dynamic. This list likely will look very different in another year.

What’s Sparking the Trend in Recent Section 363 Bank Sales?


11-4-13-Hovde.pngThe financial crisis left in its wake nearly 500 failed banks and 553 institutions remaining on the Federal Deposit Insurance Corp.’s problem bank list. Undoubtedly, the FDIC will seize some of those “problem” banks in the coming quarters as they fall below the critically undercapitalized leverage ratio of 2 percent. Yet, the financial crisis also left behind banks with sufficient capital whose holding companies are effectively bankrupt. In these unique situations, the holding company owns a valuable asset in the subsidiary bank, yet it may owe creditors—including Trust Preferred Securities (TruPS) holders—substantial sums. Such a scenario places directors and officers of the holding company in an uncomfortable position. Generally speaking, they cannot sell the bank out from underneath the holding company because debt covenants prohibit it or creditors would hold directors and officers personally liable for the debt. What can boards in these situations do to protect themselves and maximize value to stakeholders?

Fortunately, there are some options to consider:

  • With a long enough time horizon, continue to operate business as usual with the holding company slowly building up equity and paying off its debt;
  • Attempt a pre-packaged restructuring under Chapter 11 with creditors, many of whom could be disparate owners of the debt and difficult to organize; or
  • Explore a sale utilizing Section 363 of the Bankruptcy Code, selling the subsidiary bank in a court-supervised auction process designed to maximize proceeds to the holding company.

While every situation is unique—and these options are not exhaustive—Section 363 has become a useful tool for distressed bank holding companies to sell their bank franchises to acquirers free and clear of any liens and encumbrances. When a distressed holding company is unable to negotiate a pre-packaged reorganization with creditors under Chapter 11, then Section 363 may be an attractive alternative.

Since 2010, there have been roughly 15 examples of Section 363 sales in the banking industry, and seven of those transactions have been pursued in 2013, a significant uptick in prevalence from previous years. Recently, Capitol Bancorp, Inc. made news with its sale of four subsidiary banks to Talmer Bancorp, Inc., utilizing Section 363.

The pickup in 363 sales is not surprising. Six years after the credit crisis, several holding companies now hold TruPS debt in excess of their banking assets. According to SNL Financial, 30 holding companies were still deferring interest payments on TruPS as of August 30, 2013. While the number of companies deferring payments has decreased in recent years, there still remain those holding companies so far underwater that their TruPS holders are unlikely to receive deferred interest, let alone the face value of their debt. In these situations, a Section 363 sale of the bank subsidiary or subsidiaries may be the only viable strategic option for the holding company.

A Section 363 sale is similar to a traditional M&A process in which the bank asset is marketed for the highest price, although it involves several nuances, including a stalking horse bidder (i.e., a pre-selected acquirer of the bank with whom the holding company enters bankruptcy), a court-supervised auction with bidding increments designed to increase the price, large break-up fees, several court hearings and, as one might imagine, additional legal expense. Also, a 363 sale process is not without its own inherent risks.

In bankruptcy court, the debtor must demonstrate that the 363 sale was the best option for all stakeholders of the estate: enter the TruPS holders. Many TruPS holders of distressed institutions bought the paper for pennies on the dollar and have been waiting for the holding company to enter bankruptcy so they can argue for additional value. Indeed, many of the 363 bank sales announced thus far have involved objections by TruPS holders. The institutional investors who now own vast quantities of TruPS are very sophisticated, understand the bankruptcy process, and aren’t afraid to put up a fight while lining the pockets of well-heeled attorneys. Surely, they can be formidable adversaries to the friendly, neighborhood community bank in distress.

With the risk of litigation as a backdrop, directors and officers of holding companies with substantial TruPS obligations and a saleable bank asset should consider a Section 363 sale; however, it could be prudent to attempt to contact the TruPS holders ahead of time to see if a restructuring can be negotiated. While it may be unlikely that management will reach an agreement with TruPS holders—assuming they can be found—extending the olive branch should look better in court if they object to a bank sale.

Update on FDIC Lawsuits: Pace Increases While Few Settle


9-18-Cornerstone-Research.pngThis is the sixth in a series of reports that analyzes the characteristics of professional liability lawsuits filed by the Federal Deposit Insurance Corporation (FDIC) against directors and officers of failed financial institutions (D&O lawsuits). *

  • At least 32 FDIC D&O lawsuits have been filed in 2013: 10 in the first quarter, 15 in the second quarter, and seven so far in the current quarter. The pace of filings in the second and third quarters of 2013 has exceeded the rate of new filings compared with any equivalent period in the previous three years. If the filing of new lawsuits in 2013 continues at the pace observed through August, 53 lawsuits will be filed this year—more than double the 26 filed in 2012. Since 2010, the FDIC has filed 76 lawsuits against the directors and officers of failed institutions.
  • Financial institution failures were most common between the third quarter of 2009 and the third quarter of 2010. Given the three-year statute of limitations for tort lawsuits and the likely existence of tolling agreements allowing the FDIC additional time to determine if it will file a lawsuit, this year has seen, as expected, an increased amount of filing activity. Of the 32 lawsuits filed so far in 2013, nine were against institutions that failed in 2009 and the remaining 23 were against institutions that failed in 2010.
  • Of the 76 filed lawsuits, 10 have settled and one has resulted in a jury verdict. Three settlements have occurred this year, with four in 2012, and three in 2011.
  • Chief executive officers continue to be the most commonly named defendants. They have been named in 88 percent of all filed complaints and 28 of the 32 lawsuits in 2013. Chief financial officers, chief credit officers, chief loan officers, chief operating officers, and chief banking officers are also commonly named defendants. Outside directors have been named, frequently along with inside directors, in 75 percent of all filed complaints and 24 of the 32 lawsuits filed in 2013.
  • To date, the FDIC has claimed damages of $3.6 billion in the 69 lawsuits that have specified a damages amount. The average damages amount has been $53 million, with a median value of $27 million. Lawsuits filed in 2013 have had a lower average claim than lawsuits filed in 2011 and 2012. In the aggregate, the largest claims have related to the failure of California institutions, while the largest number of D&O lawsuits have targeted failed institutions in Georgia.
  • Of the failed financial institutions in 2009, the directors and officers of 57, or 41 percent, either have been the subject of an FDIC lawsuit or have settled claims with the FDIC prior to the filing of a lawsuit. For institutions failing in 2010, the comparable figure is 39, or 25 percent.
  • FDIC seizures of financial institutions continued to decline in 2013 compared with 2012. After only four seizures in the first quarter of 2013, there were 12 in the second quarter and four in the third quarter through August 27, 2013. In total, 20 institutions have been seized so far in 2013 compared with 51 in 2012. Since 2007, 488 financial institutions have failed.

For a full report, click here.

*The FDIC may also file lawsuits against other related parties, such as accounting firms, law firms, appraisal firms, or mortgage brokers, but we generally do not address such lawsuits here.

Do You Need Cyber Insurance?


8-21-13-AHT.pngAHT Insurance often gets questions about cyber security and cyber insurance policies. It is very confusing to figure out if your bank even needs a cyber policy separate from a general liability policy, for example. What really is the risk and do you need coverage for it?

Dennis Gustafson, a senior vice president at national brokerage firm AHT Insurance who specializes in financial institutions, described in a previous article what cyber policies cover. Here, he answers some of the most commonly asked questions about cyber insurance policies.

Aren’t cyber exposures covered by other insurance products such as general liability or fidelity bond?

Unfortunately there is very little, if any, coverage overlap between the cyber liability policies and these other insurance policies. The general liability policies almost always include some type of data or network exclusion. And when it comes to a fidelity bonds, a good principal to always consider is that fidelity bond policies react to theft of tangible property (money/securities), while the cyber liability policy reacts to theft of intangible property (social security or credit card numbers).

We use a third party to handle our website or credit card processing. Does this remove the need for cyber insurance?

While utilizing a third party for those activities definitely mediates the risk, don’t forget that the client often doesn’t know about the third party, and as such, will bring the lawsuit against the bank. The bank would be responsible to defend itself against the lawsuit and hope to then subrogate against the third party. Also, if a third party is hacked, your bank would be one of many clients impacted, all of whom could be trying to collect from the vendor. Having an insurance carrier step in from the moment of the breach removes all of that leg work and financial risk.

Is the purchase of a cyber liability policy a cumbersome process, especially for a first time purchase?

Yes. Keep in mind, the carrier is underwriting based on the quality of the entire network’s security. The applications can be lengthy and there are often additional questions asked after the underwriter reviews the application. Our advice is to coordinate a conference call with the chief security officer or information technology director and the insurance carrier. A 30-minute discussion can save hours of research.

Conclusion

All signs point to the fact that in the not-too-distant future, banks will take on more losses from cyber crimes than they will from physical robberies. It is the responsibility of the board and the executive team to put the right people, processes, technology and insurance in place to mitigate new risk exposures.

The Bank’s Liability for Cyber Theft on Commercial Accounts


3-12-13_Graves_Bartle_Marcus__Garrett.pngThe amount of financial loss that cybercrime inflicts on banks and their customers is staggering.  In the case of Patco Construction Company v. People’s United Bank (formerly Ocean Bank), fraudsters correctly supplied Patco’s answers to security questions and made six fraudulent withdrawals that totaled about $588,000.  When the U.S.  Court of Appeals in Boston last year found the bank’s security procedures didn’t meet the standard for commercially reasonable, the bank was forced to reimburse the company’s losses from the theft.

The take away from this and other similar rulings is that bank security procedures matter — to customers, to the brand and to the bottom line.  Banks can take steps to dramatically reduce the amount of financial loss to customer accounts and avoid or mitigate the risk of footing the bill for commercial account takeovers.

Here are five steps that banks can take to avoid having commercial account takeovers damage their bottom line:

Implement Commercially Reasonable Security Procedures

The Uniform Commercial Code (UCC) requires that banks have “commercially reasonable security procedures” to protect commercial customer accounts. Without these procedures, banks could most certainly be left holding the bag in the event of an account takeover.

To qualify as “commercially reasonable,” the bank’s security procedures should fall in line with procedures used by similar customers and banks, adhere to customer instructions, and take into account the circumstances and banking patterns of each commercial customer.

When a financial loss leads to litigation, the court will ultimately decide whether a bank’s security procedures are commercially reasonable.  Banks that can respond with current and ironclad procedures will be in the best position to protect against liability.

Train Employees to Follow Security Procedures

In the case of Patco Construction Company, the court faulted the bank because it did not follow its own security procedures.  The bank’s security system had flagged six transactions as unusually high-risk, but the bank failed to monitor the transactions or notify the customers before completing the transactions.  Unattended procedures, no matter how “reasonable,” do little good.

Train your employees on the bank’s procedures and demand strict adherence.  Employees on the front line of transactions are in the best position to impact this potential liability.

Perform Annual Review of Customer Agreements

A key pivot point on the question of liability is the content and nature of the bank’s customer agreements.

Customer agreements are often used as evidence of the security procedures agreed to by banks and their commercial account holders, and the agreements can be helpful to prove that the bank kept its side of the bargain. In certain circumstances, banks may shift the risk of loss for unauthorized payment orders to commercial customers if there was an agreement that payment orders would be verified using a particular security procedure.  This increased protection is available if the bank proves that it accepted the payment order in good faith and in compliance with the specified security procedure.

Schedule an annual review of your customer agreements and update them before you offer a new service or change your security procedures.  While not always protecting you against liability, customer agreements play a key role.

Develop and Test an Incident Response Plan

Without a plan, a bank’s chances of capping the loss and favorably positioning itself are slim.  An incident response plan equips employees with knowledge of whom to call and what to do when they suspect fraud.

The contents of an incident response plan should be tailored to the individual bank.  The format must be user-friendly, so that employees can easily follow the instructions in a stressful situation. The plan should include steps such as notification of the bank’s fraud department, designated management, and the customer, shutting down an online session, reversing payment orders, and invalidating online credentials that have become jeopardized.

Just as fire drills are practiced, so, too, should a bank exercise its employees’ understanding of the response plan. Time is of the essence in limiting loss and the bank’s reaction to the occurrence will be replayed in great detail. 

Promptly Conduct an Investigation of the Fraud

A prompt investigation is necessary to determine the cause of the security breach.  An investigation should include a customer interview by a trained bank employee and, to the extent it is accessible and permitted, a forensic examination of the customer’s computer.  The bank should contact its security provider to find out if the system was functioning properly at the time of loss.  Obtain documents from your security provider that show the customer’s online account activity, the IP address that initiated the fraudulent transfer, and whether the perpetrator used the customer’s credentials.

Prepare, plan, practice and perform.  Your bottom line is at stake.

FDIC Lawsuits Increase in Fourth Quarter, Many Target Smaller Banks and Thrifts


cstone-dec12-wp.pngThis is the fourth in a series of reports that analyzes the characteristics of professional liability lawsuits filed by the Federal Deposit Insurance Corporation (FDIC) against directors and officers of failed financial institutions.

Report Summary

  • The pace of FDIC D&O lawsuit filings has increased in the fourth quarter of 2012 compared to earlier in the year. The number of lawsuits filed in 2012 exceeds the total filed in 2010 and 2011.
  • On December 7, three former officers of IndyMac’s Homebuilder Division were found liable for $169 million in damages in connection with 23 loans. This was the first FDIC D&O lawsuit associated with the 2008 financial crisis to go to trial.
  • While there has been a continued decline in FDIC seizures throughout 2012, the number of problem financial institutions has not declined as rapidly.
  • Institutions that are subject to D&O litigation have historically been larger (in terms of assets) with higher estimated costs of failure than the average failed financial institution. The FDIC’s recently filed D&O lawsuits have targeted smaller institutions.
  • Named defendants primarily continue to be CEOs, then (in declining order of frequency) chief credit officers, chief loan officers, chief operating officers, chief financial officers, and chief banking officers. Outside directors continue to be named along with inside directors in a large majority of the new filings.
  • Regulatory management ratings and composite CAMELS (capital adequacy, asset quality, management, earnings, liquidity, sensitivity to market risk) ratings of institutions that are subject to D&O lawsuits do not appear to have deteriorated until one to two years before failure.

The Bank Director’s Approach to M&A: Stay Out of Hot Water


trouble.jpgIn today’s environment, many bank directors are faced with difficult strategic decisions regarding the future of their organizations.  We have been involved in many great board discussions of whether it is best for the bank to continue to grind away at its business plan in this slow growth environment or to look for a business combination opportunity that will accelerate growth.  There is rarely a clear answer in these discussions, but some guidelines are helpful: All directors must respect the conclusion of the full board of directors and follow the appropriate process established by the board with respect to merger opportunities.

Over the years, we have seen a number of instances in which one or more bank directors conduct merger discussions with potential partners without bringing the opportunity to the full board of directors immediately. In many cases, these directors are acting in good faith and simply leveraging relationships they have with other bankers or bank directors. In other cases, these directors may feel the need to engage in these discussions because they disagree with the full board’s strategy of remaining independent. However, all directors should understand that it is in the bank’s best interest, and the director’s own personal best interest, not to take matters into their own hands without authorization by the board of directors.

As a result, we have long recommended that bank and holding company boards adopt a formal policy regarding corporate change. This formal policy establishes guidelines for all bank directors and members of management to follow when they become aware of merger opportunities. Specifically, the policy requires:

  • that all merger and other strategic business opportunities be presented to the full board of directors or a designated committee thereof before any substantive discussions take place;
  • that no officer or director initiate such discussions without authorization of the full board of directors; and
  • that no confidential information regarding the bank be shared with a third party without the authorization of the full board of directors.

The policy also provides talking points for each director or officer to follow if he or she is presented with an opportunity. We find that these talking points are helpful to directors who are not often involved in merger discussions. The policy may also set forth certain procedures to be followed, including requirements for the timely entry into confidentiality agreements and the identification of a designated spokesperson for the bank in the discussions.

We believe there are numerous benefits to adopting and following such a policy.  Those benefits include the following:

  • ensuring that the board of directors speaks with “one voice” and does not cloud the market with mixed signals, which often helps the bank achieve more favorable terms if it enters into a transaction;
  • ensuring that only accurate and up-to-date information is provided to interested parties, which can reduce reputation risks and legal risks; and
  • helping to insulate the directors from personal liability with respect to the transaction by following an appropriate process.

In terms of the personal liability of directors, it is very important for the bank and its directors to be able to defend the decision to shareholders to enter into a transaction, given the current environment where pricing may not meet investor expectations. From a legal standpoint, many states have a “business judgment rule” that will insulate directors from personal liability regarding such decisions so long as they are related to a rational purpose and so long as the directors acted with loyalty and due care. Courts carefully review the process followed by boards of directors in determining whether the business judgment rule should be applied. We believe following the steps outlined above provides a critical start to establishing an appropriate process for obtaining the protection of the business judgment rule, and judicial decisions confirm this notion.

Many bank directors are currently facing very interesting and challenging times with respect to the long-term strategies of their organizations. Through respecting the processes established by the full board of directors, bank directors can help ensure the best possible outcome for their banks and for themselves.

Is Banking’s Future in the Cloud?


Cloud_Puzzle_Pieces.jpgThe buzz on cloud computing is growing louder, leaving bank chief information officers—and the boards they report to—to examine whether cloud computing is a good fit for their banks. Broadly defined, it is the storage and management of data, which can then be accessed from virtually anywhere—on the road, from your home or from the office—via the web. According to Tom Garcia, CEO of InfoSight, Inc., an IT security firm based in Miami Lakes, Florida, the cloud is “really in its infancy” but “growing exponentially.” While regulators seem to be approaching cloud like any other vendor-provided service, a lot of bankers today are taking a wait and see approach, wondering, “Am I going to open up Pandora’s box with an examiner if I do this?” explains Garcia.

Atlanta-based SunTrust Banks, a $178.2-billion institution, is one banking company that is already on the cloud, using a private cloud that is unique to the company for customer relationship management software that allows the company to keep track of sales leads. Anil Cheriyan, SunTrust’s chief information officer, says the board of directors is actively engaged in a discussion about cloud computing, and SunTrust sees benefits in cost savings, efficiencies and flexibility. “The speed and agility [cloud computing] provides is of significant benefit,” he says, and it “clearly enables us to get our products and services to market much quicker.” He declined to describe the exact cost savings as those numbers vary.

Due to its ability to expand and contract quickly based on usage, Garcia adds that banks can see “great economies in cost savings” with cloud—as high as 40 percent for applications like hosted email over a traditional in-house solution. 

SunTrust has been steadily increasing oversight of vendor-provided services in general since the financial crisis began in 2008, Cheriyan says, so cloud computing has not directly resulted in any increases in oversight.

“We’ve taken that task of increased oversight anyway,’’ states Cheriyan, and continue to be “more and more aggressive [in terms of] how our data is protected.”

BNC Bancorp’s Bank of North Carolina, a $2.4-billion institution based in High Point, North Carolina, is at a fork in the road when it comes to the cloud, says Michael Bryan, the bank’s chief information officer. The bank outsources 90 percent of its core and ancillary systems already, and he feels good about cloud computing for core systems, seeing several benefits, particularly from a business continuity aspect in regards to disaster recovery. With cloud, if something happens to Bank of North Carolina’s operations center, “all I have to do is restore an Internet connection.”  As it is now, Bryan has to “spend more money” to acquire and maintain hardware. However, benefits found in cost, time and continuity are, to Bryan, not worth the loss of control if there is a security breach. Cloud vendors are not going to take on liability, “So if something goes wrong there; it’s up to you. Well, you don’t have any control over it,” Bryan says. “How do I explain that to my regulator?”

Once the security issues are worked out, Bryan sees tremendous opportunity. “Life would be a lot simpler,’’ he says.

SunTrust’s Cheriyan shares some of Bryan’s security concerns, and won’t trust everything to the cloud. “I wouldn’t trust our bank data on the public cloud at all,” he says. While SunTrust’s directors and management might read about exciting developments in the retail space, “You certainly have to weigh that against all the security concerns and manage core banking systems on much more secure environments.”

Due to the higher levels of regulation required in the financial industry, public cloud adoption rates will be slower. Can the benefits outweigh the risks? In areas like human resources and customer relations management Garcia believes so, and cautions that retail banks that hesitate to take advantage of the cloud may do so at their peril.

As the cloud industry grows, bankers’ trust in it—and their need for a competitive edge—could evolve. Can bank boards eventually trust their data to the public cloud?  In the world of technology, Cheriyan says, “Never say never.”

FDIC Lawsuits: Avoiding the Worst Outcome


hard-hat.jpghard-hat.jpghard-hat.jpgIn the wake of over 400 bank failures since the beginning of 2008, the Federal Deposit Insurance Corp. is well underway with its process of seeking recoveries from directors and officers of failed banks who the FDIC believes breached their duties in the course of managing those institutions. As of mid-May 2012, the FDIC had filed lawsuits against almost 30 groups of directors and officers alleging negligence, gross negligence and/or breaches of fiduciary duties. While the litigation filed by the FDIC tends to sensationalize certain actions of the directors and officers in order to better the FDIC’s case, there are lessons to be learned.

Some of the take-aways from the FDIC lawsuits are fairly mechanical:  carefully underwrite loans, avoid excessive concentrations and manage your bank’s transactions with insiders. However, there are two major themes that are more nuanced and which are present in almost all of the lawsuits. Those themes relate to the loan approval process and director education.

Develop a thoughtful loan approval process. As evidenced by the recent piece published on BankDirector.com, a spirited debate among industry advisors is currently taking place with respect to whether directors should approve loans or not. On the one hand, many attorneys believe directors have a duty to consider and approve (or decline to approve) certain credits that are or would be material to their banks. Regulation O requires approval of certain credits, the laws of some states require approval of some loans, and there is a general feeling among many bank directors that they should be directly involved in the credit approval process. In addition, many bank management teams believe that directors should “buy in” with them to material credit transactions.

On the other hand, the FDIC litigation clearly focuses on loan committee members who approved individual loans that did not perform. This should give pause to directors in general and loan committee members in particular. It is now the belief of many legal practitioners that the practice of approving individual loans when the loans are not otherwise required to be approved by the directors paints a target on the backs of the loan committee members. The FDIC may be able to target directors who participated in the underwriting of a credit (or were deemed to have done so given their involvement in the approval process) when they did not have the expertise necessary to do so. Some practitioners argue that the directors should instead focus on the development and approval of loan policies that place appropriate limits on the types of loans—and the amounts—that the bank is willing to make. This policy would be consistent not only with safe and sound banking principles but also with the board’s risk tolerance, and it would be appropriate to seek guidance from management and outside advisors on the development of the policy. The idea is that it is much more difficult to criticize a policy than an individual credit decision with the benefit of hindsight.

No matter the approach that your board chooses, the common theme is that the board and the loan committee should expect and receive all relevant information from management about material credits. If directors are actually approving loans, they should get detailed information in a timely fashion that allows them to review and approve the underwriting of the credit. If the directors aren’t approving loans, they should still get information that confirms that the loans conform to the bank’s loan policy and the board’s risk appetite.

Directors should be educated and informed. Above all else, the FDIC lawsuits make clear that the bank board is certainly no longer a social club. Bank directors are charged with very real responsibilities and face the very real prospect of personal liability if their banks are not successful. Indeed, being a bank director is a job.

Because the bank’s shareholders and regulators demand that the directors do a job for the bank, the bank should offer appropriate training to do that job well. Bank directors should be offered the opportunity to engage outside consultants to provide training for the directors to develop the skills they need, particularly at the committee level. In addition, directors should attend conferences that allow them to familiarize themselves with industry trends and best practices. We suggest that there is no better expense for the bank than ensuring that its directors are equipped with the education and tools they need to fulfill their duties.

In addition to more general training, the FDIC lawsuits bring focus to the fact that some directors simply did not understand the material risks to their banks. We have encountered directors who do not fully understand the material risks their institutions face, even at high performing banks. As a result, we recommend that at least annually the directors have a special session to focus on enterprise risk management and discuss the key risks that face the institution. These sessions can be conducted by the chief risk officer or, at smaller banks, by an outside consultant who has helped to manage the enterprise risk management process. This understanding of material risks should better inform the decision making of the board.

While the FDIC lawsuits paint a picture of inattentive, runaway directors and officers, a number of the practices that the FDIC found objectionable could be found at many healthy institutions. By learning from the situations that led to many of these lawsuits, even the best performing banks can enhance the performance of their boards, which will ultimately result in greater value to the shareholders of the bank.

Should Bank Directors Approve Loans?


Following several lawsuits where the Federal Deposit Insurance Corp. sued directors of failed banks who serve on the loan committee, Bank Director decided to ask bank attorneys for their insight on whether directors should be involved in approving loans. It turns out there are a variety of opinions on this. Some think the FDIC’s lawsuits clearly point to the hazards of bank directors getting involved in loan decisions. Others say with a prudent approach, directors need to be involved in a way that shows their due diligence and expertise.

Q. Should directors be directly involved in approving loans, and what are the important liability issues to keep in mind?

Harold-Reichwald.jpgNo. Given recent experience with the FDIC, directors who served on a directors’ loan committee and actually approved loans (as opposed to a mere recommendation) are being singled out for allegations of liability while other non-loan committee directors get a pass. A theory of liability being espoused by the FDIC is that directors’ loan committee members acted in a quasi-executive role when approving loans and hence should be treated differently with perhaps a standard of care of mere negligence, not gross negligence.

—Hal Reichwald, Manatt, Phelps & Phillips, LLP

Heath-Tarbert.jpgTo involve directors in directly approving individual loans that are not to insiders or are otherwise routine can needlessly conflate the role of directors with that of management. As the institution grows in size, such a practice is a recipe for diminished—rather than enhanced—corporate governance. What is critically important, however, is that every director become confident that the bank’s overall lending and credit policies are sound in substance and in practice.

—Heath Tarbert, Weil, Gotshal & Manges LLP

Chip-MacDonald.jpgMany loans require director approval to comply with Regulation O and securities exchange corporate governance rules, among other things. It is customary bank practice to require director approval of larger credits. Board or director loan committee consideration of loan requests are the first line of risk control and corporate governance, and properly conducted, provide better assurance of compliance with laws and bank policies, including credit quality and asset concentrations. Loan decisions are subject to the business judgment rule and generally should not be second-guessed by the courts. The recent Integrity Bank decision that held directors cannot be liable for negligence should be very helpful in limiting liability in this area.

—Chip MacDonald, Jones Day

Jonathan-Wegner.jpgState law often drives whether or not directors are required to be involved in large loan approvals, but the reality is that—whether required by law or not—bank directors often do become involved in approving loans. If you’re engaged in approving loans, the most important thing to understand is that you are going to have a Monday-morning quarterback looking over what you’ve done, so it is crucial that you strictly adhere to your bank’s lending and risk management policies, as well as any laws or regulations applicable to your bank’s loans (such as loan limits or transactions with affiliates). If a loan goes bad that complies with law and fits within your bank’s policy parameters, chances are regulators will find something to blame besides your decision to authorize the loan.

—Jonathan Wegner, Baird Holm, LLP

Mark-Nuccio.jpgIn light of the FDIC’s publicized lawsuits against former directors of failed banks, it has become fashionable to suggest that directors curtail their involvement in lending decisions that are not specifically required by law. In my mind, that’s like throwing the baby out with the bath water. Directors would be unwise to eschew responsibility for a business unit that is the key revenue driver for most banks. Directors first need to focus on establishing sound credit and risk policies appropriate for the size and complexity of their organization. Those policies should delineate when a board level loan committee is required and what it should do. A recent spate of lawsuits by the FDIC against directors involved in lending approvals is probably more about shaking a recovery out of a directors & officers insurer than it is about trying to take personal assets away from bank directors.

—Mark Nuccio, Ropes & Gray LLP

Kathryn-Knudson.jpgWhile directors should have a significant role in establishing loan policies and procedures, especially from a risk management perspective, they should not have additional potential liability from “approving” loans. This is particularly true when the director has no specific loan underwriting training and his or her involvement with a given loan may be a 5- to 15-minute presentation by the bank’s senior loan officer. It is still appropriate for directors to have factual input. For example, at the directors’ loan committee meeting, if a director has information concerning a borrower that may not have been available to the lending team, the director should tell the team. The lending team still makes the ultimate decision. Moreover, the directors should verify with the lending team (and have documented) that the loan meets all of the legal and risk appetite parameters set forth in the bank’s loan policy.

—Kathryn Knudson, Bryan Cave LLP