Zions Bank Grapples with Regulation

In the wake of the financial crisis, all the big banks had to change executive compensation plans to reduce risks. Regulators are keeping a close eye on these plans and sometimes requiring a mountain of paperwork to document them. Here, Scott Law, the executive vice president and director of compensation at $58 billion asset Zions Bancorporation, talks about how the changes have impacted his company.

How Size Matters: Regulatory Considerations for Growth

Growth is good, right? But what about new regulations that apply to your bank after you reach certain asset thresholds? While increasing asset size to new levels is ideal, your bank may encounter unforeseen challenges along the way. Gregory Lyons of Debevoise discusses the nuances of different asset thresholds and what banks must consider.

Mind These Gaps

Probably one of the worst moments for a bank board and management team is to make an acquisition and find out it was a bad one. Over the past few years, it strikes me that three pitfalls typically upend deals that, on paper, looked promising:

  • Loss of key talent/integration problems;
  • Due diligence and regulatory minefields; and
  • Bad timing/market conditions.

While timing is everything, I thought I would address the first two pitfalls here.

Losing Key Talent
A CEO with experience selling a bank tells me that number one on her list is to “personally reach out to top revenue generators ASAP and let them know they are going to have a great future in the combined company. It always amazes me how key leaders think they can wait on that while they talk to staff folks.”

But don’t stop there. If the merger is designed to significantly reduce costs and there is a lot of overlap, your staff will know that there are going to be significant job losses. “My advice, be honest,” the CEO says. “If you have a plan or process, tell them what it is. If you don’t tell them, you will let them know the second you do. Don’t sugar coat it. Call the key ones you know you will need with a retention offer ASAP.”

This advice had me seeking the counsel of Todd Leone, a principal with the management consulting firm McLagan. Leone suggests that those in key positions with change-in-control contracts usually stay, as they are going to get paid. Those in truly key positions also negotiate at the time of the deal to stay on after the merger. However, it can be complicated to retain the next level of staff. As Leone says, “[It’s best to] negotiate at time of deal.”

Regulatory and Due Diligence Minefields
Now, as much as the drain of talent threatens the long-term success of a deal, there are other minefields to navigate. Bill Hickey, principal and co-head of the Investment Banking Group at Sandler O’Neill + Partners, cautions me that in today’s interest rate environment, significant loan pay-downs could be looming.

Another due diligence matter is an IT contract that requires large termination fees. Aaron Silva, the president and CEO of Paladin fs, says that banks need to implement terms and conditions into their agreements ahead of time that protect shareholders from unreasonable termination risk, separation expense and other obligations that may impact any M&A strategy.

Building on these talent and technology risks, John Dugan and Rusty Conner, both partners at the law firm of Covington & Burling, say that in today’s bank M&A market, “all of the historical issues related to pricing, diligence, and integration remain very relevant, but there are three issues that have taken on new prominence thereby impacting execution and certainty of closing.” They are:

  • The reaction of the regulators to the proposed transaction—particularly if the acquiring institution is approaching a designated size threshold;
  • Protests by community groups—which can materially delay a transaction even if the complaint is without merit—especially [since] these groups are now targeting much smaller deals than ever before; and
  • Shareholder suits by the acquired institution’s shareholders—which are also increasingly making their way to smaller deals.

As Dugan opines, “parties need to anticipate and build into their pricing and timing the impact of these factors.”

Their views complement those of Curtis Carpenter, managing director of Sheshunoff & Co. He’s of the opinion that in today’s market, “regulatory and compliance matters have become critical components for both the seller and buyer. It is more important than ever for sellers to put in place generous pay-to-stay bonuses for key personnel who are in positions likely to be eliminated in the merger. The heightened regulatory scrutiny surrounding the merger process can result in long approval periods—sometimes many months.”

Where most bank mergers fail is not in the transaction itself but in the pitfalls around it. No two deals are alike, but addressing these challenges is simply good business.

Safeguarding Your Institution’s Anti-Money Laundering Compliance Program

The Financial Crimes Enforcement Network (FinCEN) earlier this year issued an advisory, FinCEN Bulletin 2014-A007, “Advisory to U.S. Financial Institutions on Promoting a Culture of Compliance,” stressing the need for financial institutions to have a strong culture of anti-money laundering (AML) compliance. A financial institution without such a culture, FinCEN asserts, is likely to have shortcomings in its Bank Secrecy Act/AML compliance program.

FinCEN’s advisory is just one of the latest governmental developments that places tremendous pressure on a bank’s board of directors to focus on AML compliance. The advisory attributes a strong compliance culture to, among other factors, the board of directors’ active support and understanding of the bank’s AML compliance efforts.

The need for a bank’s board of directors to be involved with AML compliance has been emphasized repeatedly in the past year. Recent enforcement actions against all types of banks, from multinational banking organizations to small community banks, have required boards of directors to play a prominent role in understanding and ultimately executing the enforcement action. Many actions have imposed remedial requirements on the board of directors itself to strengthen board oversight of the bank’s AML compliance program.

However, significant fines, compliance costs, and reputational damage from an enforcement action are not the only risks from a deficient AML compliance program. The federal banking agencies have delayed approval of several mergers, acquisitions, and other corporate transactions due to deficiencies in one of the parties’ AML compliance program. If a federal banking agency withholds its approval for a corporate transaction due to AML compliance, the closing for the transaction can be substantially delayed, thereby having the potential to make public in a highly visible fashion the compliance deficiencies as well as any remedial measures being taken by the bank.

All of these reasons demonstrate the importance of AML compliance to a bank and the imperative that the board of directors plays a significant role in overseeing the AML compliance program.

An effective AML compliance program requires significant resources and consists of several key components. The federal banking agencies’ enforcement actions and guidance have emphasized the following components:

  • Tone at the top—FinCEN Bulletin 2014-A007 stresses the need for a culture of compliance, and this culture starts with a clear expression from the bank’s board of directors that the bank does not engage in money laundering and terrorist financing and will not tolerate deficiencies in its compliance program.
  • Risk assessment—The cornerstone of an AML compliance program is a detailed risk assessment that identifies and measures the various areas of AML risk at the bank. The risk assessment provides insight into the areas of potential exposure to the bank, prioritizes ways to reduce risk within the compliance program, and enables the board of directors to track over time areas of risk and senior management’s implementation of internal controls to reduce risk. An AML risk assessment should be sufficiently detailed, updated periodically, and accessible to functions and business units in the bank with responsibility for AML compliance.
  • Monitoring and reporting—Day-to-day AML compliance requires extensive monitoring of transactions for suspicious activity and compliance with reporting obligations. Aside from compliance with these legal requirements, however, daily monitoring and internal reporting help ensure that bank employees not only react appropriately to overtly suspicious activity but also proactively identify circumstances that, although not facially suspicious, warrant further review.
  • Independent review—An AML compliance program is required to contain a mechanism for an independent review of the program. Independent review is an essential check on the program and those employees who are responsible for its administration.
  • Training—AML training for employees has evolved substantially from its earliest forms as a single presentation made available to all employees on a company intranet page. Training can be customized to the business line or function, include frequent team updates to pass along information quickly and directly, and culminate with a mandatory test that employees must successfully pass.

Boards of directors should have confidence that senior management has taken the necessary steps to implement an effective AML compliance program that includes these components. The potential consequences for AML compliance deficiencies are simply too severe and far-reaching for a board of directors to be passive and not actively engaged with the program.

The Sword of Damocles: Best Practices for Managing Vendor Risk

Like the ancient courtier Damocles who had a sword dangled over his head, banks are in a precarious position. Regulators can and do fine banks that fail to manage the risk posed by third-party vendors. This article is a guide for boards wanting to implement a successful vendor management program.

The economics underlying modern banking necessitate that certain operational functions be outsourced to non-bank entities. The prudential regulators recognize the benefits and efficiencies provided by third-party vendors—reduced costs, new product offerings and enhanced performance—but they also bemoan the inherent problems. To combat the risks caused by outsourcing, regulators expect all banking institutions to have in place written risk management programs, which mitigate operational risk, strategic risk, concentration risk, compliance risk, transaction risk, credit risk, legal risk and reputation risk. Federal regulators review these risk management programs during examinations to determine whether a financial institution’s third-party relationships create more risk than that financial institution can identify, monitor, manage and control.

Requiring banks to tailor their risk management plans to include third-party vendors is not a new regulatory initiative. Over the years the various federal regulatory bodies, including the Office of the Comptroller of the Currency, the Federal Reserve and the Federal Deposit Insurance Corp. (FDIC), have published guidance pieces that advise banks on how to best manage their third-party vendors. While the text of the guidance has varied, the crux of the message has remained constant: Boards of directors and senior management must manage third-party vendors to the same extent as in-house operations, and the two groups bear ultimate responsibility for any harm caused by a vendor’s failure to adhere to federal consumer financial law.

Customizing Your Plan

With that edict ringing in their ears, boards of directors and senior management rightfully worry whether their respective institution’s risk management plan adequately meets regulators’ expectations. Regulators have made clear that no single plan works for every bank; instead, each financial institution must customize its plan to address its individual risk profile. As a bank’s size and complexity increases, so must its risk management plan. With that being said, certain elements and qualities are routinely included in successful plans, regardless of the firm’s size. The suggestions listed below provide a framework for a comprehensive and successful risk management plan.

Step by Step

Step 1 List of Vendors:
The board should assemble a comprehensive list of all existing third-party vendors. This list may include only a few dozen vendors for smaller banks, or up to several thousand for larger institutions. For those institutions that are not able to query this information from their IT systems, enterprise-wide surveys offer a relatively cheap and time-friendly method of compiling the necessary data. Once the vendor list is completed, the board should implement a system to ensure that new vendors are added to, and old vendors removed from, the list as necessary.

Step 2 List of Potential Risks:
The board and management should develop a comprehensive list of potential risks that result from vendor relationships. Understanding the inherent risks is critical to the board enacting the proper audit routines and measures that will be used to track the vendor’s adherence to applicable standards. In its white paper addressing this topic, the consulting firm McKinsey & Company suggested that banks should establish certain “breakpoints” for each category of vendor and then assign a relative weight and importance to each breakpoint. For example, a bank could assemble a list of potential violations of the Fair Debt Collection Practices Act, which the bank would apply to any relationship with a third-party debt collector.

Step 3 Risk Categories:
Leveraging its master lists of vendors and potential risks, the board should assign a relative risk factor to each existing and potential supplier based on the supplier’s ability to disrupt and negatively impact the bank’s normal operations. Such a risk assessment is known as risk-based segmentation or third-party stratification. The board is free to establish as many categories as it sees fit, but a simple three-tiered scale of “high-medium-low” or “critical-material-minor” should be adequate. By assigning a relative risk factor to each supplier, the board can ensure that its bank’s resources are allocated efficiently and effectively. A simple but effective way to compile the information necessary to make the assignment is for the bank to create a questionnaire and require each vendor to supply certain answers. The vendor’s responses and supplied documentation should then be reviewed by an independent third party within the institution.

Step 4 Due Diligence:
According to McKinsey & Co., the nature of the due diligence required of banks has expanded beyond the traditional assessments for supplier, operations and IT security risks. Banks must perform due diligence for potential vendors that is commensurate with the vendor’s assigned risk category. Comprehensive due diligence involves a review of all available information about a potential third party, with a specific focus on the entity’s financial condition, relevant experience, knowledge of applicable laws and regulations, reputation, and scope and effectiveness of its operations and controls.

Step 5 Contract Structuring and Review:
After selecting a new vendor, management should ensure that both parties outline their specific expectations and obligations in a written contract. The board of directors also should establish a policy requiring its approval for any contract deemed to be above a certain risk threshold, which likely should be anything categorized as high/critical or medium/material. The FDIC’s guidance advises institutions to seek legal counsel for any significant contract, and also recommends contractual provisions that prohibit assignment, transfer or subcontracting by the third-party vendor to another entity “unless and until the financial institution determines that such [action] would be consistent with the due diligence standards for selection for third parties.” The board must also remain cognizant that indemnity agreements, no matter how strongly written, cannot obviate its ultimate responsibility for the actions of the financial institution’s third-party vendors. Finally, senior management should implement a system to track contract-related events such as maturities and renewal dates.

Step 6 Oversight:
Much like the due diligence required before selecting a new third-party vendor, banks also are tasked with monitoring their existing relationships. The FDIC’s guidance requires monitoring of vendors that are considered to be “significant” or “material,” which includes:

  • a new relationship or one that involves implementing a new bank activity;
  • a function that will have a material effect on the bank’s revenues or expenses, or potentially could significantly affect earnings or capital;
  • a vendor that will perform a critical function, market a bank product or service, or provide a product or perform a service related to subprime lending or card payment transactions; or
  • a vendor that will store, access, transmit or perform transactions on sensitive customer information.

Typical risk management plans call for due diligence annually for suppliers listed as high/critical, every 18 months to two years for suppliers listed as medium/material, and every three years for suppliers categorized as low/minor. The bank also should employ rules-based testing to ensure that only those areas that cause a potential risk are tested.

The board also should ensure that those employees tasked with monitoring are given the proper training, and that senior management regularly updates the board regarding the bank’s risk management program. Banks also should maintain a list of critical suppliers as part of their disaster contingency plans. Finally, banks should implement a quality assurance function, whereby the institution tracks consumer complaints against its affiliated third-party vendors. Only through such monitoring can banks recognize troubling patterns or high frequencies of complaints against particular vendors.

While the federal regulators have not specifically exempted community banks from the third-party vendor monitoring requirements, the regulators recognize that community banks have simpler business models and fewer resources. Thus, the level of due diligence expected from a $50-billion asset bank will differ greatly from that of a $500-million asset bank. As explained by the FDIC, “The precise use of a risk management process is dependent upon the nature of the third-party relationship, the scope and magnitude of the activity, and the risk identified.”

In summary, the federal regulators have tasked each board of directors with determining the proper level of due diligence and oversight required for the institution’s third-party vendor management program. After consulting with its bank’s federal regulator and its own senior management, the board must rely upon its business acumen and understanding of the bank’s operation to implement a system that is commensurate with the inherent risks.
