Buyer Beware: How Banks Can Avoid a Transaction Disaster


acquisition-10-26-15.pngMergers and acquisitions are exciting: they make the news, they show a position of strength to competitors, and most deals promise benefits for customers, employees and shareholders. Transactions have the same kind of excitement one might experience when buying a car. And like buying the car, that new car smell, or in this case, the allure of growth and synergies, can wear off quickly once you realize all of the work required to successfully integrate two institutions. Worse still is the feeling you have bought a lemon. There are, however, strategies that banks can employ before an integration to make sure they are getting a good deal.

Ensure You Have the Right, Experienced Resources
There is a reason that most professional services firms have an M&A practice: mergers and acquisitions are hard. In the middle market, it is even more important to look at current staff or partners that can support integration and bring the much needed experience to the table. No other industry is as complex as banking in terms of converting systems and processes. Banks require a unique set of skills to navigate the complexities of core systems, online banking, debit/credit cards, treasury management and lending.

Conduct an Operational and Technical Assessment of Your Target
Looking at the operational and technical complexities before a deal is made will improve the chances of a successful integration. Assess the scalability and interoperability of your technology and process landscape (as well as the target’s landscape) so that you can identify risks to the integration early and put together a mitigation plan quickly. All too often, middle market transactions focus only on diligence conducted by bankers, lawyers and accountants. Operational and technology diligence are de-prioritized.

Knowing how much car you can afford before even thinking about a deal puts you ahead of other bidders in terms of understanding how a target will fit into your garage. An operational and technical assessment provides the opportunity to understand and potentially implement systems, processes and products that will create a scalable and flexible operating model.

Evaluate Third Party Relationships
Understanding how your service providers can flex (or not) is critical to understanding the level of effort and cost of integration, along with the risks that need to be mitigated. Do your vendors have dedicated conversion teams? Are you the largest client of your core provider? Is there information available from your peers on the pros and cons of particular solutions in terms of integration? What are the service areas that could be improved through an acquisition?

Know Your Customer
Don’t forget the customer. Most transactions are driven by the desire to grow an institution’s customer base. But, in the frenzy of bringing two institutions together, customers often take a backseat to other integration priorities. Reacting to problems once customers start to leave is too late—the damage is already done. You will continue to hemorrhage customers while you course correct. Consider how well you know your customers before a deal is on the table. Do you have a way to make sure the customer’s voice is heard? Mapping the customer impact during diligence will prepare you to monitor (and hopefully improve) customer experience through the integration.

During integration, avoid focusing solely on cost synergies at the expense of customer experiences that could undermine revenue objectives. Whatever the changes, make sure communications to customers are clear, regular and transparent. You can never over communicate change to customers. Lastly, don’t assume that postponing changes is always best for customers. In many cases, making changes early and communicating them effectively will offer the most seamless customer experience across all channels (branches, digital, etc.).

Never Underestimate the Importance of Culture
It’s easy to sweep culture under the rug and consider it too soft and fuzzy for due diligence and integration. Many find it hard to put concrete metrics and plans around culture. Generational changes continue to change the way companies recruit, retain and operate—and that’s forcing companies to rethink their priorities in order to avoid costly turnover.

Having tools in place to implement change management is a best practice. This starts with knowing what your own cultural identity and management style is and what that means in terms of potential deals. If you’re into sports cars, don’t look at SUVs. By having your own cultural assessment up front, you can start analyzing cultural differences earlier in the process.

Assess Your M&A Readiness Before You Buy
If you want to successfully retain customers and key employees while achieving financial synergies, take the time to kick your own tires before looking at a new deal. An internal M&A readiness assessment is not only valuable if you are a buyer, but as a potential seller as well. An assessment will identify both deficiencies and differentiators in your operating model that a potential buyer will notice during due diligence. This knowledge gives you better negotiating power and can put you in the driver’s seat.

Lessons Learned From the Stress Tests


Stress-testing-9-24-15.pngIn the wake of the implementation of the Dodd-Frank Wall Street Reform and Consumer Protection Act stress test (DFAST) regulations, the term “stress test” has become a familiar part of the banking lexicon. The DFAST regulations require midsize banks—those with assets between $10 billion and $50 billion—to project the expected impact of three economic scenarios—baseline, adverse, and severely adverse—on their financial statements and capital ratios. Midsize financial institutions were required to report this year’s stress test results to their regulators by March 31, 2015, the second round of stress tests required for these banks.

Although the submission that was due in March was round two, most banks felt that it demanded just as much effort as the first round of stress tests.  Regulators focused more on process than results in round one and clearly stated that what was acceptable in the first submission would be insufficient for subsequent examinations. Little formal feedback is in so far, but what we have heard indicates that continuous improvement was definitely expected.

Model Mechanics
In the first round, most banks either used simplistic models or projections that did not capture their risks fully. Banks now are expected to develop enhanced models, and more significant portfolios are being modeled using bottom-up rather than top-down approaches. In assessing models, regulators are questioning assumptions and methodologies and looking for well documented, sound conceptual bases for the modeling choices made. Overly manual modeling processes also are being flagged as impractical for ad hoc use. The message is loud and clear: stress testing models are expected to be integrated into risk management practices.

Documentation
One common area for continued attention appears to be documentation. Whether it’s better organizing information to make it easier to follow the bank’s processes, improving validation documentation, writing user procedures, or better documenting the effective challenge process, the feedback received thus far reinforces that DFAST truly is a formal process. The documentation has to be sufficient for banks to manage, monitor and maintain the overall stress testing program. It also needs to be detailed enough to allow other users, including validators and regulators, to clearly understand the process.

Validation
Validation continues to be a big area of focus, and attention is being paid to both the timing and extent of validation activities. Timing is a critical review point, as the models are expected to be validated prior to the final stress test exercise. Validations have been criticized for having incomplete documentation, for failing to assess data lineage and quality, and for not being comprehensive. As modeling systems become more sophisticated, validations need to provide broader coverage. Validators—whether internal or third-party resources—must be experienced and competent, and they must deliver a sound validation in accordance with the agreed scope.

Sustainability
Banks have been encouraged to shore up organizational structures and procedures to keep their stress testing programs up-to-date and intact. With competition for quantitative resources at an all-time high, many are making choices about hiring statistical specialists and using contractors to keep on track. Banks are focusing on more automated processes, broader business participation, and more detailed user procedures to make sure the loss of one or two employees does not cause a program to fall apart completely.

Life in the DFAST Lane
As with most important business processes, effective DFAST risk management requires significant input from business management, risk management, and internal audit. A collaborative relationship among these three lines of defense results in the strongest DFAST processes. With reporting deadlines for the next cycle in 2016 being delayed from March 31 to July 31, banks have a bit of breathing room to assess the effectiveness and efficiency of their DFAST programs. Banks should use this extra time to further develop documentation, address highest priority issues, and continue to integrate stress testing into routine risk management practices.

The New Regulatory Expectation for Cybersecurity Assessment: What Every Board Must Know & Should Do


cybersecurity-7-29-15.pngEarlier on June 11, 2015, while serving as a keynote speaker on cybersecurity at Bank Director’s Bank Audit and Risk Committees conference in Chicago, I predicted that the regulatory agencies would publish a new cybersecurity assessment methodology by the end of the month.

That prediction came true and the Federal Financial Institutions Examination Council (FFIEC) on June 30, 2015, released the cybersecurity assessment tool. Examiners will start to use the cybersecurity assessment later in the year and there is a regulatory expectation that every single financial institution, regardless of charter type, asset size or complexity, complete a self-assessment and keep it updated.

What Is the Cybersecurity Assessment?
The main purpose is to provide a financial institution with a self-assessment method that is measurable and repeatable to identify risk exposures and cybersecurity preparedness.

The first step is to identify the institution’s inherent risk level (least, minimal, moderate, significant or most) based on five categories of risk factors:

  • Technologies and connection types
  • Delivery channels
  • Online/mobile products and technology services
  • Organizational characteristics
  • External threats

The next step is to identify the cybersecurity maturity level (baseline, evolving, intermediate, advanced or innovative) for each of five domains:

  • Cyber risk management and oversight
  • Threat intelligence and collaboration
  • Cybersecurity controls
  • External dependency management 
  • Cyber incident management and resilience

FFIEC-image1.PNG Source: FFIEC

The next step is to identify the gaps and the target maturity level necessary for each of the five domains. The chart below depicts the risk/maturity relationship matrix and the “cybersecurity zone” in blue that each financial institution needs to attain and sustain in each domain:

FFIEC-image2.PNG Source: FFIEC

For example, if a financial institution with a moderate inherent risk level determines that its domain 3 or cybersecurity controls maturity level is baseline, then it will need to attain a target maturity level of evolving, intermediate or advanced  (i.e. it will need to get to the “cybersecurity zone”) and sustain it.  Staying at a baseline maturity level for the domain will be unacceptable given the moderate inherent risk level. In some cases, the institution may identify a maturity level below baseline, which will require immediate action.

The regulatory expectation is that once the initial cybersecurity assessment is completed, there will be an action plan identified to attain target maturity levels and to sustain it. Also the cybersecurity assessment will be updated and revaluated periodically as threats, vulnerabilities and operational environments change (e.g. launch of new products or services, new connections, etc.)

What Should the Board Do?
Examiners will be using the cybersecurity assessment to evaluate a financial institution’s risk level and cybersecurity preparedness and scoping examinations. Failing to complete the cybersecurity assessment and sustaining it may be deemed an unsafe and unsound practice and examiners will closely evaluate the board’s role and ultimately hold it accountable. Failing to complete an assessment may lead to unmitigated risks, a cyber disaster and a conclusion that the board failed to exercise its risk oversight and fiduciary duty.

Ultimately, the board is responsible for ensuring the organization completes the cybersecurity assessment and maintains a repeatable process to update it periodically. The cybersecurity assessment provides critical forward looking intelligence that the board should use to guide the organization to attain optimal cyber risk management performance, mitigate risks to a tolerable level and maximize shareholder value. The stakes are very high. Cybersecurity must remain top of mind and the board must lead.

Here are seven critical steps the board should take:

  1. Assign a target date for the completion of the cybersecurity assessment and reporting of results to the board, well in advance of the next examination. Provide necessary support to complete it properly and in a timely manner.
  2. Obtain independent review of cybersecurity assessment to validate results. Make sure there is proper support for inherent risk level and maturity level determinations. Pay extra attention to validation of baseline levels, because in reality, the bank may be below baseline.
  3. Review, approve and support action plan for addressing risk management and control weaknesses and attaining and sustaining target maturity levels.
  4. Make sure any levels below baseline are immediately addressed.
  5. Require that a repeatable and sustainable process be implemented so that the cybersecurity assessment is revaluated and updated periodically (based on board approved triggers) and results are reviewed with the board.
  6. Assign implementation of regular risk dashboard reporting to the board with leading, not lagging, key risk indicators mapped to the cybersecurity assessment.
  7. Require a cybersecurity assessment be completed as part of due diligence in a merger or acquisition and reviewed with the board.

A Five-Pronged Approach to Dealing with the New Regulatory Landscape


bsns-maze.jpgWhen it comes to compliance, the first step in preparing for the year ahead is to look at the immediate past. Regulators now have higher expectations. There is very low tolerance, if any, for regulatory infractions. Banks face a high degree of pressure to keep residual risk in check while still conducting business profitably. There will likely be mistakes, but the mistakes must be kept to manageable ones that do not fundamentally affect consumer rights. Examinations are tougher. The supervisory focus is on fairness to consumers. Regulators scrutinize data for accuracy and meaning.

The consequences of noncompliance are severe.  In 2011 and 2012, we saw financial institutions reach settlements with the Consumer Financial Protection Bureau (CFPB), the Department of Justice, and the prudential bank regulators for violations of consumer protection and other laws in excess of $1 billion. Not only are the settlements larger than ever, but they include refunds to affected customers as well as penalties. Even more than in the past, the reputational damage from enforcement actions can take years to recover from.

The Year Ahead

The year 2013 will bring continued concern about the daunting challenges posed by regulatory change for U.S. financial institutions. Of the nearly 400 rules required by the Dodd-Frank Act, only about one-third have been finalized, and another third have yet to be proposed, according to Davis Polk & Wardell LLP.  The new requirements are likely to trickle out for years to come. They, along with the adjustments financial institutions must make to accommodate the newly-formed CFPB, will surely test the mettle of even the strongest companies and keep continued pressure on the bottom line. During the year ahead, this consumer-focused scrutiny will take the form of not only deeper and more probing examinations, but more expensive penalties for noncompliance. 

High Risk Areas with Increased Vulnerability

Indications are this trend of focusing on consumer risk will continue in 2013.  We will continue to see supervisory interest in a number of key areas, such as:

  • Fair and responsible products and services
  • Mortgage origination and servicing
  • Treatment of consumer complaints
  • Data integrity
  • Servicemembers Civil Relief Act issues
  • Lender compensation
  • Overdraft protection programs
  • Student lending
  • Reverse mortgage lending
  • Compliance management systems

Governance Guidance for 2013

Successfully navigating the consumer-focused scrutiny in 2013 will depend on whether your institution adopts an integrated, proactive approach to compliance risk management.  To get started, directors must set the tone. First, take responsibility and ownership of your bank’s risks. Know where your bank’s risks are. Understand what your data says about you—including consumer complaints. Wherever possible, control and prevent problems; be confident that you will know where the next problem will surface. And we can’t emphasize this point strongly enough: Manage risks on an integrated basis across the enterprise.

Five Prong Approach to Preparing for 2013

There are a number of actions institutions can take to prepare themselves for 2013 and the regulatory and supervisory deluge to come. We recommend a five-prong strategy for preparing your institution to successfully meet these challenges.

One: Compliance Culture.  Instill a culture that embraces a consumer-centric, principles-based regulatory model. 

Two: Compliance Management System.  Build an integrated system of compliance management with board oversight, a comprehensive program, complaint management, and compliance audit.  

Three: Risk Assessments. Assess risk to the institution as well as the impact of products and services on the consumer.

Four: Fair Lending Risk Assessments. Subject lending data to in-depth statistical analysis, and give products and practices intensified review.

Five: Enterprise Reporting.  Implement a system of compiling information across the risk spectrum on an integrated basis and reporting the right level of detail to the right audience.

Understanding risk is an essential component of any proactive program. When it comes to predicting what will happen in 2013, we can all reasonably expect today’s trends to continue into the foreseeable future. The best strategy is to proactively prepare.

The Cheesecake Factory and Banking: What a Successful Restaurant Knows About Risk Management


menu.jpgWhen eating out at a chain restaurant, food consistency is important. Restaurant patrons know what their favorite meal tastes like and expect a consistent product.

But, have you ever taken a moment to think about all of the processes and procedures a chain restaurant must have in place that enables them to deliver the exact same meal to the table no matter what the geographical location? In an August 13, 2012 article in The New Yorker, Dr. Atul Gawande, a professor of public health at Harvard, examined how the Cheesecake Factory consistently and efficiently implemented an updated menu twice per year in all of its restaurant chains across the country without sacrificing quality or disrupting service.

Impressed with the Cheesecake Factory’s ability to quickly and effectively distribute information to its geographically dispersed restaurants, enabling each chain to follow exactly the same protocols to deliver the same quality product, Dr. Gawande wondered if a similar business model might successfully be applied to the health care industry. Using the Cheesecake Factory’s model for information distribution and quality control, could the medical industry operate more efficiently and provide better service while simultaneously offering higher-quality care?

For the financial services industry, things are growing more complex everyday. However, like the Cheesecake Factory, the financial institutions that are successful are those that have implemented consistent processes and standards across the entire organization, and then effectively communicated this information throughout all levels. 

Key Steps in the Enterprise Risk Management Process: A Recipe for Success

To address unknown risks, financial institutions must adopt a systematic approach to emerging risk identification, assessment, monitoring and reporting. Following a consistent approach to managing risk can prevent unexpected and detrimental events from occurring and enable financial institutions to pinpoint areas of opportunity.

Step 1: Risk Identification

Financial institutions can better protect themselves and even further their business strategies and objectives by approaching risk management in a much more disciplined way. At every Cheesecake Factory restaurant, the kitchen manager inspects every dish before it leaves the kitchen to identify whether the dish meets the restaurant’s standards or needs to be redone. Much like the kitchen manager, a financial institution’s risk manager should identify potential risks not only for each business line, but also at a very high level throughout the organization as a whole.

Step 2: Risk Assessment

At each restaurant, the kitchen manager rates the food on the line using a scale of one-to-ten.

Similarly, while it is common for financial institutions to face a variety of risks, it is important to gather a manageable list of what are collectively seen as the most significant risks. Once the risks are identified, they can be scored or rated, and then prioritized based on their significance.

Step 3: Risk Monitoring

The fact each dish is inspected before it reaches the customer at the Cheesecake Factory, kitchen managers can coach their staff to aim for a score of 10 and provide customers with a consistent product.

Financial institutions should also be coaching their business line managers on how to understand and monitor their risk profiles. Risk monitoring protocols should be scheduled on a regular basis, so that risks can be reviewed, re-prioritized and controls can be tested and tweaked.

Step 4: Risk Reporting

Efficient communication is a key factor in the Cheesecake Factory’s ability to implement new menu items quickly and consistently. Most ERM programs should also have a robust reporting/communication component in place.

With all of the information at hand, knowing the full range of risks the financial institution faces as well as the controls at its disposal, the organization can use the risk data to implement practical business decisions.

Lessons Learned

For financial institutions, the end result is a strong risk management culture that will encourage innovation in business lines without exposing an organization to the kinds of risks that contributed to the financial crisis. Giving more thought as to how information is actually managed and distributed throughout an organization will only lead to more intelligent risk-taking that is more effectively communicated across the financial institution.

With the New Focus on the Consumer, the Buck Stops (And Starts) with the Board


stop-start.jpgForward-thinking financial institutions are future-proofing their risk and compliance programs. They are detecting tracking and understanding not only emerging issues, trends and regulatory requirements, but also the next big areas of potential vulnerability. We are hearing from our bank clients that regulatory risk is at the top of the list. While bank directors do not need to be technical compliance experts, they do need to actively oversee compliance management and have an understanding of the changes coming.

Board members can play a central role in the process of re-focusing compliance on what’s important to regulators, and a key trend is a new focus on “fairness” or “impact” to the consumer.  This concept is being led by the Consumer Financial Protection Bureau (CFPB), but quickly accepted by the other agencies. On September 25th the Federal Deposit Insurance Corp. (FDIC) released FIL-41-2012 which “reorients” the consumer examination score to be “based primarily on the impact to consumers.” During regulatory examinations, regulators will evaluate the board’s involvement (or lack thereof) in ensuring that programs are properly articulated and followed.

The Role of the CFPB

The Consumer Financial Protection Bureau has tremendous supervisory and enforcement authority and is already changing the mindset for what compliance means. The CFPB, which examines banks above $10 billion in assets, wants institutions to develop a “culture of compliance,” that focuses more on the risk to the consumer than the potential fines or violations a bank may receive if a violation is found. With the changes in the Dodd-Frank Act to the definition of Unfair, Deceptive, or Abusive Practices (UDAAP), which is now under the domain of the CFPB and applies to all banks and thrifts, it isn’t enough for financial institutions to simply meet regulatory requirements. Now, the way banks relate to customers is important. This dramatically changes the role and responsibilities of not just the compliance department, but of everyone within the bank. In addition, although CFPB is leading this effort, the new FDIC change highlights the need for institutions of all sizes to pay attention to this shift.

There is hope, however, for banks willing to be proactive in addressing the consumer-centric approach.

Culture Change

To be successful, the board needs to embrace an integrated approach to compliance risk management that reflects a consumer-centric viewpoint. This consumer centric approach should be so woven into your business that your employees do not think of it as compliance—instead they look at it as fundamental to their jobs.  This culture needs to promote proactive and forward thinking. In a culture of compliance, the consumer is not the province of a single department, but rather the responsibility of the entire organization.

Compliance Management System

Expect Change. Your compliance program needs to adjust to address the four interdependent parts of the CFPB’s compliance management system, including board and management oversight, compliance program, compliance audit and the enterprise approach to responding and analyzing consumer complaints. The complaint management system may need to be revamped to ensure that management is utilizing the consumer complaint data to understand how products and services impact consumers. In addition to the standard complaint resolution process, your institution will need to ensure they are capturing both written and verbal complaints at all consumer touch points, feeding them into a system that allows for trending analysis, and ultimately changes in processes, supports, controls, and or products.  Don’t forget that your program needs to hold your partners and vendors to the same standards that you hold your own business to.

Consumer Risk Assessments

The first thing the CFPB will do is conduct a compliance risk assessment that evaluates the risks to consumers arising from products, polices, procedures and practices. In preparation, your enterprise risk management and/or compliance risk program needs to be able to identify and respond to risks to the consumer. This risk assessment will likely illuminate risk areas not previously a focus of compliance, raise questions about activities that may currently be considered standard in the industry, and accordingly require changes in operations that staff may resist.

Your systems need to be able to identify risks to both the bank AND to the consumer.  In order to accomplish this, compliance can no longer operate in isolation. Business lines must not only be included, but also assume it is their job to understand the risks to their operations, and have accountability to make the necessary changes within their operations to reduce these risks.

Staff members in different business lines must not only be included, but also assume it is their job to understand the risks to their operations, and have accountability to make the necessary changes within their operations to reduce these risks. To support a change in culture, compliance or risk management cannot be the only areas that the board holds accountable. 

So how do you achieve a culture of compliance, where all employees are held accountable for risk?

The compliance program must change from focusing on past errors and the latest hot topics to evaluating and managing the potential risk to the organization—and to the consumer—generated by both internal and external sources. A forward-thinking organization can identify the next hot issue by proactively evaluating potential risks and adapting compliance programs to mitigate the risks to both the bank and the consumer. The proactive risk-based approach will put you ahead of the new consumer-centric examination approach and ensure the new hot issue doesn’t impact you or your customers.

Sharing Directors Brings Added Experience to Your Board, But Could Cause Problems


DropFiles.jpgMany financial institutions, particularly community banks, have enhanced the experience level of their boards by adding a director who is a banker or serves on the board of another financial institution.  In general, utilizing a director who has current experience with another financial institution is a great way to add valuable perspective to a variety of issues that the board may encounter.  In addition, as private equity funds made substantial investments in financial institutions, they often bargained for guaranteed board seats.  The individuals selected by private equity firms as board representatives often serve on a number of different bank boards.  As market conditions have led to increased bank failures, however, a problem has resurfaced that may cause some financial institutions to take a closer look at nominating directors who also serve other financial institutions: FDIC cross-guarantee liability.

The concept of cross-guarantee liability was added to the Federal Deposit Insurance Act by the Financial Institutions Reform, Recovery, and Enforcement Act of 1989 (FIRREA).  The pertinent provision states that any insured depository institution shall be liable for any loss incurred by the FDIC in connection with:

  • the default (failure) of a “commonly controlled” insured depository institution; or
  • open bank assistance provided to a “commonly controlled” institution that is in danger of failure.

This means that if two banks are “commonly controlled” and one of them fails, the other bank can be held liable to the FDIC for the amount of its losses or estimated losses in connection with the failure.  As many of us see each Friday, the amounts of these estimated losses are often quite high.  In fact, the FDIC’s estimated losses for 2011 bank failures were approximately 20 percent of total failed bank assets for the year.  Accordingly, the prospect of cross-guarantee liability can be a tremendous financial issue for the surviving bank.

The concept of cross-guarantee liability was developed in response to some perceived abuses by multi-bank holding companies during the 1980s.  In those instances, one or more institutions owned by a multi-bank holding company failed, causing significant losses to the FDIC, while the other subsidiaries of the multi-bank holding remained open and viable, allowing the holding company to continue to profit from their operations while the FDIC was stuck with the losses from the failed institutions.  With authority to assess cross-guarantee liability now in hand, however, the FDIC has shown a willingness to assert cross-guarantee liability under facts that would not be considered by most to be abusive.  In this cycle, the FDIC appears to be willing to take full advantage of the assessment authority granted to it by FIRREA, using cross-guarantee liability as a “sword” to provide a recovery to the Deposit Insurance Fund.

The imposition of cross-guarantee liability starts with an assessment of control.  Whether institutions are “commonly controlled” for purposes of determining cross-guarantee liability depends upon whether each institution is under the control of a common entity under the Bank Holding Company Act of 1956, as amended (BHC Act).  Because the determination of control is made under the BHC Act, the Federal Reserve’s BHC Act control guidance is a useful guide. However, this guidance is very dense and can be quite complicated, requiring a review of the ownership structure, management practices, and other business affiliations of the two institutions.  However, one thing is clear:  In questions of control, institutions that share “management officials”—common directors and/or executive officers—are generally more likely to be found to be under common control than those that do not, all other factors being similar.

As a result, institutions with directors who serve on other bank boards or as officers of other banks should assess potential cross-guarantee risk through the director nomination process.  Nominating committees (or other committees of the board reviewing director qualifications) should ask the following questions:

  • Does the individual serve on as a director or officer of another financial institution?
  • Is there a basis for determining that the two institutions are under common control?  Answering this question will likely require consultation with legal counsel.
  • Is the other financial institution in a financial condition that is less than sound?

If the answer to all of these questions is “yes,” the nominating committee should think carefully about whether nominating that individual is a good idea.  In addition, institutions guaranteeing board seats to investors (such as in connection with a private equity investment) should consider an exception to the nomination requirement when the election of the representative could create a risk of assessment of cross-guarantee liability.

A risk assessment requires an in-depth factual, legal and financial analysis. There are few organizations that will find out this issue places them at risk, but it’s worth attention because the consequences can be severe. As a result, an assessment of this risk should be an integral part of the annual nomination process.