Accounting fraud, terrorist attacks and economic meltdowns are the catalysts for many of today’s financial regulations. With so much focus recently on the Dodd-Frank Act, many financial institutions may be overlooking the compliance requirements for the Bank Secrecy Act (BSA), or anti-money laundering law. In this video, John ReVeal, attorney for Bryan Cave LLP, shares his insights into how BSA violations are perceived by the regulators.
Last week’s news that Warren Buffett was putting $5 billion into troubled Bank of America Corp. (BAC) might have brought a sigh of relief from those folks who were concerned that the country’s largest bank was in danger of failing, although I doubt the actual risk of failure was very high. I think we can safely assume that the regulators in Washington have been overseeing BAC with the same level of care that the Nuclear Regulatory Commission might give to an ailing nuclear reactor, and I don’t think the doomsday metaphor is inappropriate here.
If you read the financial headlines or watch the business news shows, you know that BAC is struggling to extricate itself from a host of mortgage-related problems, including continuing credit losses from its 2008 acquisition of Countrywide Financial Corp., which has turned out to be a hellish disaster for the bank. Institutional investors had become increasingly concerned that BAC was undercapitalized and drove the stock price down to around $6 a share. The low share price might not have been an accurate reflection of BAC’s true financial condition, but this is one of those situations where perception can quickly become reality. If enough consumer and business customers had become spooked by the falling share price and began to pull their deposits out of the institution, or if other banks had stopped funding it in the interbank lending market, the result could have been a dangerous liquidity crunch.
And that would force President Obama, Federal Reserve Chairman Ben Bernanke and U.S. Treasury Secretary Tim Geithner to make a really tough call: With the weak U.S. economy in danger of falling into the second trough of a double-dip recession, would they prop up the nation’s biggest bank—or allow it to go under? Supposedly the Dodd-Frank Act brought an end to the unofficial regulatory policy of “Too Big to Fail” by providing the Federal Deposit Insurance Corp. with new liquidation authority that will allow it to resolve the failure of a large and complex institution in an orderly manner. But would the White House and the Fed be willing to take the risk that such an event wouldn’t push the economy into another ditch? Would they flinch?
Hopefully, we’ll never find out.
The real significance of Buffett’s $5 billion capital infusion is that it offers BAC a much needed vote of confidence from one of the world’s most successful investors, and that seems to have stabilized the bank’s share price for now. Interestingly, Buffett’s money does little to strengthen BAC’s capital position from a regulatory perspective. What Buffett actually purchased was preferred stock, which won’t count towards its Tier 1 capital ratio. Buffett also received warrants to purchase 700 million shares of BAC common stock at $7.14 a share, so he will most likely be handsomely rewarded for his public service.
The interesting question to me is whether BAC, with $2.26 trillion in assets as of year-end 2010, is simply too big to manage. The bank scored 127th out of the 150 largest publicly owned U.S. banks and thrifts on Bank Director’s 2011 Bank Performance Scorecard, which is a measurement of profitability, capitalization and asset quality. The company scored poorly in all three categories. (To see the 2011 ranking, view our digital issue). CEO Brian Moynihan, who was not responsible for the Countrywide acquisition, is trying to revive the bank’s profitability through a program of asset sales and layoffs, although the continued decline in housing prices nationally makes BAC’s home mortgage exposure look like a cosmic black hole.
I think it’s fair to say that risk diversification is viewed by most experts as a good thing. The great majority of banks that have failed in recent years were small institutions that had a high concentration of commercial real estate loans on their books. A little more diversification would have been a good thing for them. But diversification is a double-edged sword that can cut both ways. BAC is so big and so diversified that it’s hard to find a meaningful banking business in the consumer, corporate or capital markets sectors that it isn’t in, or a financial product that it doesn’t offer. So when the U.S. economy goes into a deep recession as it did a few years ago, a large and highly diversified financial institution often ends up with an impressive assortment of afflictions that are Job-like in nature.
Perhaps BAC is simply too large for any management team and any board of directors to run effectively. I don’t believe that Congress or the regulators should break up the company into smaller pieces. In a free market economy, BAC should be allowed to seek its own destiny.
But the company’s performance might be twice as good if it were half as large.
Bert Otto has been deputy comptroller for the central district of the Office of the Comptroller of the Currency since 1997. He is responsible for oversight of 545 community banks and federal savings associations and manages a staff of 480 employees in Chicago. He has worked for the OCC since 1973 and has supervised examiners in Peoria, Illinois; Boston; Washington, D.C.; and Syracuse, New York.
What do directors need to know about the regulatory exam and when should they get involved?
The first thing they need to understand is the areas that will be reviewed. It’s kind of the game plan for the examination process for the year. The directors will get a clear understanding of the safety and soundness areas, if it’s CRA (Community Reinvestment Act), if it’s fair lending, they learn what areas will be reviewed.
A lot of times, we will ask the directors how they want to be involved in the exam process. A lot of times, we will meet with these directors at their businesses, to make it a little bit informal for them. They can talk about management and we can talk about our assessment of management, too. A lot of directors have taken us up on that.
A lot of times the directors will really share a lot about the community, the bank itself, what their feelings are about management, about the bank’s business model. It’s a good opportunity for them to pick our brains, too, as to what the current issues are. They can do that at a board meeting, too, but a lot of times we will offer to have our examiners come out and talk to them informally.
Another way to get involved is to sit in on a loan discussion. The loan discussion is such a key area of an exam, especially in community banks, that they will get a good understanding of what that’s all about, plus they can get a sense of how much the loan officers know, how they can respond to questions from the examiners and the knowledge they have about their borrowers.
What should bank directors do during the exam?
My suggestion is for a lot of the outside directors to stay plugged into the exam process. They typically run for a couple of weeks. The audit chairman clearly needs to know what is happening with the exam process. There is nothing wrong with a couple of audit committee members meeting with examiners, not every day, but at the end of the week, to stay plugged into what the issues are.
What common mistakes do you see bank directors making?
A lot of times they will jump too quickly to change the institution’s business model or strategic plan. A lot of times we tell these directors: “Don’t just do what your competitors are doing.” We saw a lot of that during the last downturn, where commercial real estate in 2004, ’05 and ’06 was really growing, so everybody jumped in it, and jumped in it in big ways.
You need to have a well-conceived business model. You can tweak it some, but some of these institutions have been around for 100 or 150 years, and they’ve done some things right.
A lot of time we see directors not ask enough detail and probing questions of management. At the board meetings, they need to ask questions of management and hold management accountable. They need to have enough time prior to board meetings to review board packages. We see that a lot where directors get two- or three-inch thick packages and they don’t have enough time to review. They need concise summaries that show trends.
In our more problem banks, we have seen directors who are overly trusting of management. They put management in and they have a good working relationship. But not making sure they hold management accountable gets them into trouble.
How much time does the board need to review board packages?
The average board needs two or three days to review a board package, for your average community bank. You just can’t get it to them a day ahead of the board meeting or the day of the meeting and expect them to have a good understanding and ask good questions.
What kind of relationship should banks and their regulators have?
We need to have a good relationship so the bank and management understand why we’re there, and our knowledge for what’s going on in the industry, so we can provide them with some guidance. They might need clarification on guidance from Washington. We want management to pick up the phone and call if there is something that is not clear. I would rather not wait until the exam has already started because some action may have been taken that needs to be unwound. Each party needs to understand each other.
Communication is important because information needs to be shared. During the exam, we are going to be touching management quarterly with questions such as: How are your earnings? How is your capital position? Have you had any changes in management or other changes we need to know about? That helps us put together a supervisory strategy for when we come in. We want a good relationship with management because we will call them at least quarterly and we will be coming in yearly. If there is guidance coming out from Washington that they are not clear on, they need to call their portfolio manager, an individual from the OCC, who should be able to explain what that guidance is or what our expectations are.
How long do exams take and how often are they done?
It depends on the size and condition of the institution. If a smaller institution is (CAMELS) rated 1 or 2 (a good score on regulatory scale), it could happen every 18 months. Larger institutions could be every 12 months. Problem banks, with CAMELS ratings of 3 to 5, you could see us every six months.
How should you handle a disagreement with your regulator?
If it’s a (CAMELS) rating or a classified loan disagreement, the first point of contact should be the assistant deputy comptroller of the local field office. The next step would be coming to me, the OCC deputy comptroller, or the ombudsman. The ombudsman reports directly to the comptroller. We hope all our disagreements are worked out on a local level, but if they can’t, that’s the process. All of our conclusions should be supported by facts. If we say we have an unsafe and unsound business practice, because the bank is extending loans without satisfactory credit information, those are hard to disagree with. We need to base all our conclusions on facts.
How often would a conclusion from a regulator be reversed after a disagreement?
Ninety-nine percent of the disagreements get worked out at the local level; very seldom do we get some at my level or the ombudsman. They get some, but they are more often related to CRA issues or fair lending issues. We haven’t had a lot related to CAMELS ratings. Most of this is a give and take. If there is an unsafe and unsound banking practice, or if there is a violation of law, those tend to not be overturned. There might be a case where there are some new facts that come in on a loan classification, where during an exam the examiner may have looked at a loan as substandard. We may get new information later on where that decision gets overturned, but I don’t have numbers on how many decisions get overturned.
How do you think Dodd-Frank will impact community banks, even though they were exempted from many of the provisions?
There will be some impact. Clearly the challenges facing community banks, just the volume of compliance activities they need to be focused on, it does concern us. Where is the tipping point, causing community banks to exit the business? It depends on how the regulations are going to be written, the Consumer Financial Protection Bureau obviously has the pen, but clearly it’s going to affect all banks.
In terms of unfair, deceptive or abusive practices and in general all regulations, the larger institutions have a lot more resources to understand these rules than smaller banks do.
Community banks are going to be impacted by Dodd-Frank’s directive that federal agencies modify regulations to remove references to credit ratings for determining creditworthiness. You wouldn’t think that impacts community banks, but it does.
The institutions use credit rating agencies for ratings for permissible investment securities. Dodd-Frank has done away with that, so institutions of all sizes are going to have to do independent analysis, a lot more than what they’ve done in the past, in investment securities.
Are regulators or Congress trying to cut down on the number of community banks in this country?
We don’t want to cut down on community banks; they provide a lot of services to their communities. There are challenges. Interest margins have been cut quite a bit. They are struggling with high concentrations of commercial real estate. Community banks are struggling. I think what’s going to happen, is some banks do very well, and some aren’t going to do very well. That’s why it’s so important to have a strong business model and to stick to what you do well. Some banks become niche players, and there are some risks associated with that, but you get good at something. Quite honestly, with the stresses of the compliance costs from Dodd-Frank, there may be banks that exit the business. We’re not pushing that and Congress isn’t pushing that, but there is some inevitability here: Where is that tipping point for a community bank?
The Community Reinvestment Act (CRA) requires that every insured depository institution meet the needs of its entire community. It also requires the periodic evaluation of depository institutions’ records in helping meet the credit needs of their communities. Proactively monitoring CRA performance is important for several reasons. The record is taken into account when considering an institution’s application for deposit facilities, meaning it will directly impact any contemplated acquisitions and/or branch openings. Additionally, the record will be regularly examined by the federal agencies that are responsible for supervising depository institutions and a rating will be assigned. Since the results of the exam and the rating are available to the public—customers, competitors and community groups—an institution’s CRA performance can impact its reputation. Banks must understand the characteristics of their assessment area and regularly monitor their performance to ensure the equal credit extension throughout their entire customer base.
This paper will explain the purpose and requirements of CRA and how as a board member, you can provide oversight regarding your institution’s CRA obligation.
The law firm Covington & Burling’s involvement in defending financial institutions and their directors and officers dates back to the representation of clients in the savings and loan crisis of the 1980s and is as current as the ongoing representation of the CEO of the former IndyMac Bank. Some of the lawyers have served in high-ranking government positions, such as former Comptroller of the Currency John Dugan. Bank Director magazine talked to Covington & Burling partner Jean Veta recently about what steps officers and directors should take if they are sued and what trends she sees in liability cases.
What are some of the first steps officers and directors should take if their bank fails?
As soon as the bank fails, they should get legal counsel—in fact, they should get counsel when they see the bank is headed toward receivership. The bank’s counsel cannot represent the individuals because the bank counsel’s client is the bank, not the individuals. Counsel for the individual officers and directors can assess the probability of getting sued and assist these individuals in preparing for potential lawsuits. In addition, counsel can help the individuals determine whether they have directors and officers (D&O) liability insurance and, if so, how to seek coverage under those policies.
What kinds of claims does the FDIC make in its lawsuits against officers and directors?
The FDIC brings suits against officers and directors for damages caused by the loss to the deposit insurance fund when the FDIC put the bank into receivership. Although each case is different, the FDIC typically will allege that the officers and directors were negligent or breached their fiduciary duty with respect to some activity that purportedly resulted in the bank’s failure. These claims often focus on such areas as the underwriting for residential mortgage loans, commercial real estate lending practices or insider transactions.
What other kinds of legal exposure do officers and directors face?
In addition to suits by the FDIC, the officers and directors can face other types of lawsuits, including those filed by private plaintiffs, a holding company’s bankruptcy trustee or the bank’s primary regulator. If the bank was publicly held, the individuals may also risk lawsuits by shareholders and the Securities and Exchange Commission. In the worst cases, the Department of Justice or local U.S. attorney’s office may open a criminal investigation.
Because the officers and directors can face a number of different lawsuits, it is important to develop a legal strategy that deals with all the potential areas of exposure. You need to make sure, for example, that the individuals’ defense theory in an FDIC case doesn’t adversely affect the individuals’ defense against claims being asserted by the holding company’s bankruptcy trustee or the bank’s primary regulator.
You made reference to the bank’s primary regulator. What role do they play?
It is now becoming apparent that in addition to the traditional suits by the FDIC, the bank’s primary regulator may also seek to go after individual officers and directors if the regulator believes the individual’s conduct was especially problematic. In those circumstances, the bank’s primary regulator typically will seek civil money penalties and/or prohibition orders that would bar the individual from participating in the banking industry.
What should an officer or director know about D&O insurance?
The availability and amount of D&O insurance is often important in determining whether the individuals have adequate resources available to mount a defense against the various threatened claims. Although most financial institutions have D&O insurance, the insurance carriers may seek to limit the amount of coverage available, so the individuals need to know how to respond to the carrier’s position. D&O insurance also is an important factor in the FDIC’s decision to sue the officers and directors. Unless the individuals were really bad actors, the FDIC typically is not interested in suing an individual with modest personal assets and little or no D&O coverage. In contrast, the primary bank regulator may well go after an officer and director—regardless of the level of personal assets or D&O insurance—if the regulator believes the individual’s conduct was especially bad. In these circumstances, the primary regulator is not looking for substantial monetary damages (as is the case in an FDIC lawsuit), but rather a prohibition order or civil money penalty that comes out of the individual’s own pocket.
On the morning of January 22, 2009, an employee of Experi-Metal in Macomb County, Michigan, a manufacturer for the auto industry, received an email forwarded from a colleague. It appeared to come from the company’s financial institution, Dallas-based Comerica Bank, and said: “Comerica Business Connect Customer Form.” The employee followed the link to another web site, where he complied with instructions to type in his secure login for the company’s bank account and other identifying information.
Sometime between the hours of 7:30 a.m. and 2:02 p.m. that day, 93 fraudulent payment orders totaling $1.9 million were executed on the company’s account.
Comerica eventually recovered all but $561,399. Experi-Metal sued the bank for its loss and won the case last month, putting Comerica on the hook for the fraud.
A Comerica spokesman, Wayne Mielke, said the company is considering alternatives, including a possible appeal.
U.S. District Court Judge Patrick Duggan wrote in his opinion that he considered multiple factors as to whether the bank acted in “good faith,” using “commercially reasonable” security measures. Among clues that something was going wrong at Experi-Metal: The sheer volume and frequency of the fraudulent transactions; a $5 million overdraft executed on an account with normally a zero balance; a history of limited wire activity on the part of the company; and the destinations and beneficiaries of those funds (banks in places such as Russia or Estonia, long known as hubs for such fraud).
That case emphasizes the importance of looking for anomalies in accounts—missing those could make a bank liable for fraud. There are other reasons why providing customers with a log in and password is not enough.
Michael Dunne, an attorney with Day Pitney in Parsippany, New Jersey, thinks the new guidance issued last month from federal regulators—the Federal Financial Institutions Examination Council—raises the bar much higher in terms of what’s “commercially reasonable,” the legal standard for what a bank is supposed to provide in terms of Internet security for customers.
No longer can banks rely on dual-factor security, typically a log in, password, plus something like a security token that recognizes a computer or other device that is logging in. That dual-factor security was OK in the 2005 guidance on Internet security, Dunne says. Now, banks will have to introduce even more layers of security on top of that, which many of them already are doing.
An example of an extra layer would be email notifications to the customer every time payments are requested on the account.
At a minimum, banks will now be required to have a process that detects anomalies and responds to them, such as a customer suddenly initiating 93 payment orders for $1.9 million in one day, where few such transactions occurred before.
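The anomaly signals listed in the court opinion (volume and frequency, overdraft, limited prior wire activity, unfamiliar destinations) can be expressed as a per-account check that holds orders for a customer callback. The sketch below is an added illustration, not code from the article, the guidance, or any bank; the class names, the 3x tolerance, and the sample orders are constructed assumptions, scaled down from the 93 orders in the case.

```python
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class PaymentOrder:
    ts: datetime
    amount: float
    dest_country: str


@dataclass(frozen=True)
class Baseline:
    """Summary of an account's normal wire activity (hypothetical shape)."""
    peak_daily_orders: int      # busiest day seen in the lookback period
    peak_daily_total: float     # largest one-day outgoing total
    known_countries: frozenset  # destinations the customer has used before
    available_funds: float      # balance plus any approved credit line


@dataclass
class AccountMonitor:
    baseline: Baseline
    multiplier: float = 3.0     # assumed tolerance over the historical peak
    window: timedelta = timedelta(hours=24)
    recent: deque = field(default_factory=deque)
    released_total: float = 0.0
    frozen: bool = False

    def check(self, order):
        """Return (decision, reasons). Any reason holds the order and
        freezes the account until the customer confirms out of band."""
        # Drop orders that have aged out of the rolling window.
        while self.recent and order.ts - self.recent[0].ts > self.window:
            self.recent.popleft()
        self.recent.append(order)  # held orders still count toward velocity

        reasons = []
        if self.frozen:
            reasons.append("account frozen pending customer callback")
        count = len(self.recent)
        total = sum(o.amount for o in self.recent)
        if count > self.multiplier * max(self.baseline.peak_daily_orders, 1):
            reasons.append(f"velocity: {count} orders in window")
        if total > self.multiplier * self.baseline.peak_daily_total:
            reasons.append(f"value: {total:,.0f} requested in window")
        if order.dest_country not in self.baseline.known_countries:
            reasons.append(f"new destination: {order.dest_country}")
        if self.released_total + order.amount > self.baseline.available_funds:
            reasons.append("would overdraw account")

        if reasons:
            self.frozen = True
            return "hold", reasons
        self.released_total += order.amount
        return "release", reasons


def simulate():
    """Constructed burst: eight 20,000 orders five minutes apart on an
    account that normally sends at most two domestic wires a day."""
    monitor = AccountMonitor(Baseline(
        peak_daily_orders=2, peak_daily_total=30_000,
        known_countries=frozenset({"US"}), available_funds=50_000))
    start = datetime(2009, 1, 22, 7, 30)
    results = []
    for i in range(8):
        order = PaymentOrder(start + timedelta(minutes=5 * i), 20_000,
                             "US" if i < 2 else "EE")
        results.append(monitor.check(order))
    return results, monitor.released_total


if __name__ == "__main__":
    results, released = simulate()
    for n, (decision, reasons) in enumerate(results, 1):
        print(n, decision, "; ".join(reasons))
    print("released:", released)
```

In this run the first two orders are released and every later order is held, so the exposure stops at the first anomaly rather than growing with each new order.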
Banks also must have controls for system administrators on business accounts. Such a person could have the ability to approve all transactions on a commercial account when multiple employees have access to the account.
The guidance goes into effect in January for bank examinations, but Dunne thinks it could have an impact much earlier, in terms of the lawyers bringing up the new standard in court cases where banks get sued by victims of fraud.
Audit committee members who participated in two separate roundtable discussions for public community banks at the Bank Director Peer Group sessions, held as part of the Bank Director Audit Committee Conference in Chicago on June 13, were able to let down their guard and share with their counterparts their experiences, uncertainties and pearls of wisdom. Despite being separated by thousands of miles, participants in both roundtable discussions shared their views on similar issues as if they were next-door neighbors.
It quickly became clear that the institutions represented in both groups are very focused on responding to an increase in regulatory scrutiny of how audit committees oversee the management of certain risks. This increasing level of scrutiny is being experienced now and is expected only to increase further in the foreseeable future.
Historically, audit committee members have focused primarily on their institutions’ higher-level financial measures and performance against budgets. In addition, audit committees have devoted a significant amount of attention to the results of exams such as internal audit, regulatory safety and soundness, and external audit findings.
In response to the expected increase in the level of regulatory oversight, however, additional areas of focus are now becoming part of the regular responsibilities of audit committees over and above their past approach. These include:
Monitoring credit concentrations
Monitoring classified loans
Monitoring the remediation of exceptions noted by regulatory examiners, as well as internal and external audit
Understanding new initiatives and their related risks
Furthermore, to remain current on new issues, audit committee members are using tools such as self-assessment checklists, while also seeking out educational opportunities about new and emerging regulatory and accounting matters. Clearly, expectations are rising regarding engaging in and documenting participation in learning activities.
The members also discussed their interactions with and expectations of management. Because their relationships with management are generally collegial, it can be challenging at times to maintain the fierce independence that is expected of audit committees. Members agreed that reminding each other on a regular basis of their responsibilities helps them meet this challenge.
In addition, roundtable participants considered other approaches to holding their colleagues accountable for being productive committee members including attendance and participation requirements and peer evaluations. They also agreed that maintaining a culture of open and frank communication is vital in maintaining effective audit committee performance.
A few distinctions emerged between the two community bank roundtable groups, which were divided by size of institution. For example, members representing larger institutions (generally with more than $1 billion in total assets) have heard more from their regulators about formally documenting the identification and measurement of risks their institutions face as well as the mitigation of those risks – in other words, enterprisewide risk management. Members from smaller institutions indicated that risk identification, measurement, and mitigation were being documented less formally and generally their regulators have not asked them to do more.
Duty of care, loyalty and good faith are the basic foundations for every board member as they strive to increase revenue and shareholder value for their institutions. As the regulatory requirements continue to expand, the role of the audit committee is quickly following suit, leaving many bank audit committee members concerned about their effectiveness.
At Bank Director’s Bank Audit Committee conference in Chicago on June 14-15th, Robert Fleetwood, partner for Chicago-based law firm Barack Ferrazzano’s financial institutions group, and Todd Sprang, partner at the certified public accounting firm Clifton Gunderson, took a crowded room of audit committee members back to basics during their Audit Committee 101 session.
Cautioning that these are not one-size-fits-all requirements, Fleetwood and Sprang outlined a list of fundamentals and best practices for today’s audit committee members.
1. Understand your duties. Sprang suggested if you are unsure of your role or responsibilities, seek a tutorial from outside counsel to ensure that every member is comfortable with their duties.
2. Recognize the reputational risk to the organization and you as an individual. At the end of the day, you want to do the right thing by all parties. It’s never a good situation when a director has to admit that he/she didn’t read the materials or didn’t know what was going on at their institution.
3. Oversight. The primary role of the audit committee is to evaluate the audit process, oversee financial reporting, and assess the risk and control environment. To do this effectively, committee members should be asking lots of questions, requesting feedback and regularly discussing concerns.
4. Committee composition. Most boards typically look to local CPAs to fill their audit committee seats, yet having members with a wide range of expertise provides additional perspective and beneficial feedback.
5. Yes, you need a committee charter. Not only should the charter be reviewed on a regular basis to ensure that the board is complying, but it happens to be a great tool for setting agendas.
6. To rotate or not to rotate? Fleetwood recommended that if you do implement a rotation requirement, that it take place after an extended period of time. The audit committee has a steep learning curve and rotating frequently creates the risk of losing members before they had a chance to peak.
7. Build a relationship with the external auditors. Communication is the key. Review your reports and materials ahead of time, and use the review session to ask them questions, get their perspectives on market trends, and request recommendations.
8. Internal audit reviews. Whether your institution uses in-house resources or outsources this process, a major red flag is a report with no findings. Ask why. You should always be finding ways to improve, rather than just going through the motions.
9. Setting the agenda. The agenda should follow the committee charter as well as include an annual checklist to work through regularly. Delegate the legwork to your experts and include them on the agenda periodically.
10. Attend the meetings. Distribute materials ahead of time, whether in print or through board portals, and include only what is necessary to review. Read the materials beforehand and attend in person at least quarterly.