CRA Comes to Life

Executive Summary

The Community Reinvestment Act (CRA) requires that every insured depository institution meet the needs of its entire community. It also requires the periodic evaluation of depository institutions’ records in helping meet the credit needs of their communities. Proactively monitoring CRA performance is important for several reasons. The record is taken into account when considering an institution’s application for deposit facilities, meaning it will directly impact any contemplated acquisitions and/or branch openings. Additionally, the record will be regularly examined by the federal agencies that are responsible for supervising depository institutions and a rating will be assigned. Since the results of the exam and the rating are available to the public—customers, competitors and community groups—an institution’s CRA performance can impact its reputation. Banks must understand the characteristics of their assessment area and regularly monitor their performance to ensure the equal extension of credit throughout their entire customer base.

This paper will explain the purpose and requirements of CRA and how, as a board member, you can provide oversight regarding your institution’s CRA obligation.

What Directors and Officers at Failed Banks Should Know


The law firm Covington & Burling’s involvement in defending financial institutions and their directors and officers dates back to the representation of clients in the savings and loan crisis of the 1980s and is as current as the ongoing representation of the CEO of the former IndyMac Bank.  Some of the lawyers have served in high-ranking government positions, such as former Comptroller of the Currency John Dugan.  Bank Director magazine talked to Covington & Burling partner Jean Veta recently about what steps officers and directors should take if they are sued and what trends she sees in liability cases.

What are some of the first steps officers and directors should take if their bank fails?

As soon as the bank fails, they should get legal counsel—in fact, they should get counsel when they see the bank is headed toward receivership.  The bank’s counsel cannot represent the individuals because the bank counsel’s client is the bank, not the individuals.  Counsel for the individual officers and directors can assess the probability of getting sued and assist these individuals in preparing for potential lawsuits.  In addition, counsel can help the individuals determine whether they have directors and officers (D&O) liability insurance and, if so, how to seek coverage under those policies.

What kinds of claims does the FDIC make in its lawsuits against officers and directors?

The FDIC brings suits against officers and directors for damages caused by the loss to the deposit insurance fund when the FDIC put the bank into receivership.  Although each case is different, the FDIC typically will allege that the officers and directors were negligent or breached their fiduciary duty with respect to some activity that purportedly resulted in the bank’s failure.  These claims often focus on such areas as the underwriting for residential mortgage loans, commercial real estate lending practices or insider transactions.

What other kinds of legal exposure do officers and directors face?

In addition to suits by the FDIC, the officers and directors can face other types of lawsuits, including those filed by private plaintiffs, a holding company’s bankruptcy trustee or the bank’s primary regulator.  If the bank was publicly held, the individuals may also risk lawsuits by shareholders and the Securities and Exchange Commission. In the worst cases, the Department of Justice or local U.S. attorney’s office may open a criminal investigation.

Because the officers and directors can face a number of different lawsuits, it is important to develop a legal strategy that deals with all the potential areas of exposure.  You need to make sure, for example, that the individuals’ defense theory in an FDIC case doesn’t adversely affect the individuals’ defense against claims being asserted by the holding company’s bankruptcy trustee or the bank’s primary regulator.

You made reference to the bank’s primary regulator.  What role do they play?

It is now becoming apparent that in addition to the traditional suits by the FDIC, the bank’s primary regulator may also seek to go after individual officers and directors if the regulator believes the individual’s conduct was especially problematic.  In those circumstances, the bank’s primary regulator typically will seek civil money penalties and/or prohibition orders that would bar the individual from participating in the banking industry.

What should an officer or director know about D&O insurance?

The availability and amount of D&O insurance is often important in determining whether the individuals have adequate resources available to mount a defense against the various threatened claims. Although most financial institutions have D&O insurance, the insurance carriers may seek to limit the amount of coverage available, so the individuals need to know how to respond to the carrier’s position. D&O insurance also is an important factor in the FDIC’s decision to sue the officers and directors.  Unless the individuals were really bad actors, the FDIC typically is not interested in suing an individual with modest personal assets and little or no D&O coverage.  In contrast, the primary bank regulator may well go after an officer and director—regardless of the level of personal assets or D&O insurance—if the regulator believes the individual’s conduct was especially bad.  In these circumstances, the primary regulator is not looking for substantial monetary damages (as is the case in an FDIC lawsuit), but rather a prohibition order or civil money penalty that comes out of the individual’s own pocket.

 

New Guidance Raises the Bar for Bank Internet Security


On the morning of January 22, 2009, an employee of Experi-Metal in Macomb County, Michigan, a manufacturer for the auto industry, received an email forwarded from a colleague. It appeared to come from the company’s financial institution, Dallas-based Comerica Bank, and said: “Comerica Business Connect Customer Form.”  The employee followed the link to another web site, where he complied with instructions to type in his secure login for the company’s bank account and other identifying information.

Sometime between the hours of 7:30 a.m. and 2:02 p.m. that day, 93 fraudulent payment orders totaling $1.9 million were executed on the company’s account.

Comerica eventually recovered all but $561,399. Experi-Metal sued the bank for its loss and won the case last month, putting Comerica on the hook for the fraud.

A Comerica spokesman, Wayne Mielke, said the company is considering alternatives, including a possible appeal.

U.S. District Court Judge Patrick Duggan wrote in his opinion that he considered multiple factors as to whether the bank acted in “good faith,” using “commercially reasonable” security measures. Among clues that something was going wrong at Experi-Metal: The sheer volume and frequency of the fraudulent transactions; a $5 million overdraft executed on an account with normally a zero balance; a history of limited wire activity on the part of the company; and the destinations and beneficiaries of those funds (banks in places such as Russia or Estonia, long known as hubs for such fraud).

That case emphasizes the importance of looking for anomalies in accounts—missing those could make a bank liable for fraud. There are other reasons why providing customers with a login and password is not enough.

Michael Dunne, an attorney with Day Pitney in Parsippany, New Jersey, thinks the new guidance issued last month from federal regulators—the Federal Financial Institutions Examination Council—raises the bar much higher in terms of what’s “commercially reasonable,” the legal standard for what a bank is supposed to provide in terms of Internet security for customers.

No longer can banks rely on dual-factor security, typically a login, password, plus something like a security token that recognizes a computer or other device that is logging in. That dual-factor security was OK in the 2005 guidance on Internet security, Dunne says. Now, banks will have to introduce even more layers of security on top of that, which many of them already are doing.

An example of an extra layer would be email notifications to the customer every time payments are requested on the account.

At a minimum, banks will now be required to have a process that detects anomalies and responds to them, such as a customer suddenly initiating 93 payment orders for $1.9 million in one day, where few such transactions occurred before.
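As an added illustration (not from the article or the FFIEC guidance), the check below compares one day's payment orders against the account's own history using the signals the court cited: volume, dollar total, new beneficiary destinations and overdraft. The thresholds, reason codes and response names are assumptions, and the sample data is constructed to match the figures in the case.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass(frozen=True)
class Order:
    amount: float   # USD
    country: str    # beneficiary bank country code

def daily_anomalies(history, today, balance_after,
                    factor=3, min_count=1, min_total=10_000):
    """Compare one day's payment orders with the account's own history.

    history: list of past days, each a list of Order (empty list = no wires).
    Thresholds (factor, min_count, min_total) are assumed values, not from
    the guidance; the floors keep a dormant account from having a zero baseline.
    """
    base_count = mean(len(day) for day in history) if history else 0
    base_total = mean(sum(o.amount for o in day) for day in history) if history else 0
    seen = {o.country for day in history for o in day}
    reasons = []
    if len(today) > factor * max(base_count, min_count):
        reasons.append("volume")
    if sum(o.amount for o in today) > factor * max(base_total, min_total):
        reasons.append("amount")
    if {o.country for o in today} - seen:
        reasons.append("new_destination")
    if balance_after < 0:
        reasons.append("overdraft")
    return reasons

def respond(reasons):
    """Assumed response policy: any single signal notifies the customer,
    two or more hold the batch until the customer confirms out of band."""
    if not reasons:
        return "release"
    return "notify_customer" if len(reasons) == 1 else "hold_for_callback"

# Constructed sample data shaped like the case described above.
HISTORY = [[] for _ in range(28)] + [[Order(20_000, "US")], [Order(20_000, "US")]]
FRAUD_DAY = [Order(20_000, "RU" if i % 2 else "EE") for i in range(92)] + [Order(60_000, "RU")]
NORMAL_DAY = [Order(20_000, "US")]

if __name__ == "__main__":
    for day, bal in ((NORMAL_DAY, 0), (FRAUD_DAY, -5_000_000)):
        r = daily_anomalies(HISTORY, day, bal)
        print(len(day), "orders:", r, "->", respond(r))
```

Because each signal is evaluated independently, a batch like the one in the case trips all four at once, while a routine wire to a known destination passes untouched.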

Banks also must have controls for system administrators on business accounts. Such a person could have the ability to approve all transactions on a commercial account when multiple employees have access to the account.

The guidance goes into effect in January for bank examinations, but Dunne thinks it could have an impact much earlier, in terms of the lawyers bringing up the new standard in court cases where banks get sued by victims of fraud.

Audit Committee Members Face New Challenges


Audit committee members who participated in two separate roundtable discussions for public community banks at the Bank Director Peer Group sessions, held as part of the Bank Director Audit Committee Conference in Chicago on June 13, were able to let down their guard and share with their counterparts their experiences, uncertainties and pearls of wisdom. Despite being separated by thousands of miles, participants in both roundtable discussions shared their views on similar issues as if they were next-door neighbors.

It quickly became clear that the institutions represented in both groups are very focused on responding to an increase in regulatory scrutiny of how audit committees oversee the management of certain risks. This increasing level of scrutiny is being experienced now and is expected only to increase further in the foreseeable future.

Historically, audit committee members have focused primarily on their institutions’ higher-level financial measures and performance against budgets. In addition, audit committees have devoted a significant amount of attention to the results of exams such as internal audit, regulatory safety and soundness, and external audit findings.

In response to the expected increase in the level of regulatory oversight, however, additional areas of focus are now becoming part of the regular responsibilities of audit committees over and above their past approach. These include:

  • Monitoring credit concentrations
  • Monitoring classified loans
  • Compliance-related issues
  • Monitoring the remediation of exceptions noted by regulatory examiners, as well as internal and external audit
  • Understanding new initiatives and their related risks

Furthermore, to remain current on new issues, audit committee members are using tools such as self-assessment checklists, while also seeking out educational opportunities about new and emerging regulatory and accounting matters. Clearly, expectations are rising regarding engaging in and documenting participation in learning activities.

The members also discussed their interactions with and expectations of management. Because their relationships with management are generally collegial, it can be challenging at times to maintain the fierce independence that is expected of audit committees. Members agreed that reminding each other on a regular basis of their responsibilities helps them meet this challenge.

In addition, roundtable participants considered other approaches to holding their colleagues accountable for being productive committee members including attendance and participation requirements and peer evaluations. They also agreed that maintaining a culture of open and frank communication is vital in maintaining effective audit committee performance.

A few distinctions emerged between the two community bank roundtable groups, which were divided by size of institution. For example, members representing larger institutions (generally with more than $1 billion in total assets) have heard more from their regulators about formally documenting the identification and measurement of risks their institutions face as well as the mitigation of those risks – in other words, enterprisewide risk management. Members from smaller institutions indicated that risk identification, measurement, and mitigation were being documented less formally and generally their regulators have not asked them to do more.

 

Audit Committee 101: Back to Basics


Duty of care, loyalty and good faith are the basic foundations for every board member as they strive to increase revenue and shareholder value for their institutions. As the regulatory requirements continue to expand, the role of the audit committee is quickly following suit, leaving many bank audit committee members concerned about their effectiveness.

At Bank Director’s Bank Audit Committee conference in Chicago on June 14-15, Robert Fleetwood, partner for Chicago-based law firm Barack Ferrazzano’s financial institutions group, and Todd Sprang, partner at the certified public accounting firm Clifton Gunderson, took a crowded room of audit committee members back to basics during their Audit Committee 101 session.

Cautioning that these are not one-size-fits-all requirements, Fleetwood and Sprang outlined a list of fundamentals and best practices for today’s audit committee members.

1. Understand your duties. Sprang suggested if you are unsure of your role or responsibilities, seek a tutorial from outside counsel to ensure that every member is comfortable with their duties.

2. Recognize the reputational risk to the organization and you as an individual. At the end of the day, you want to do the right thing by all parties. It’s never a good situation when a director has to admit that he/she didn’t read the materials or didn’t know what was going on at their institution.

3. Oversight. The primary role of the audit committee is to evaluate the audit process, oversee financial reporting, and assess the risk and control environment. To do this effectively, committee members should be asking lots of questions, requesting feedback and regularly discussing concerns.

4. Committee composition. Most boards typically look to local CPAs to fill their audit committee seats, yet having members with a wide range of expertise provides additional perspective and beneficial feedback.

5. Yes, you need a committee charter. Not only should the charter be reviewed on a regular basis to ensure that the board is complying, but it happens to be a great tool for setting agendas.

6. To rotate or not to rotate? Fleetwood recommended that if you do implement a rotation requirement, that it take place after an extended period of time. The audit committee has a steep learning curve and rotating frequently creates the risk of losing members before they had a chance to peak.

7. Build a relationship with the external auditors. Communication is the key. Review your reports and materials ahead of time, and use the review session to ask them questions, get their perspectives on market trends, and request recommendations.

8. Internal audit reviews. Whether your institution uses in-house resources or outsources this process, a major red flag is a report with no findings. Ask why. You should always be finding ways to improve, rather than just going through the motions.

9. Setting the agenda. The agenda should follow the committee charter as well as include an annual checklist to work through regularly. Delegate the legwork to your experts and include them on the agenda periodically.

10. Attend the meetings. Distribute materials ahead of time, whether in print or through board portals, and include only what is necessary to review. Read the materials beforehand and attend in person at least quarterly.