Are Your Board Communications Secure in a Changing Regulatory Landscape?


As recently as March 2015, Hillary Clinton’s use of private email on multiple devices while serving as secretary of state hit the media. Clinton commented, “. . . I opted for convenience to use my personal email account, which was allowed by the State Department, because I thought it would be easier to carry just one device for my work and for my personal emails instead of two.”

Every board member can fall prey to the Clinton communication example—take the necessary steps to educate your board.

We continue to live in a changing business environment with a backdrop of increasing regulatory pressures and a heightened focus on improving board oversight and communication. Current guidance and regulatory policies and practices are designed to force improvement in risk management and compliance. Along with that comes the responsibility of how we securely communicate and exchange confidential information at the board and committee level.

Technology and security are playing an important role in this change as leadership demands more mobility, flexibility and speed. Armed with multiple mobile devices and an “on-the-go” attitude, some stakeholders, who may not have grown up in the world of IT, are constantly exposing company information to risk.

Practices for managing board communication suggest we may not be keeping up with the requirements for security and compliance.

Take into account the following:

The Organization

  • Think about how many board members are still receiving board and committee information in their personal email accounts. Then layer in the number of changes and the document version control that need to be communicated before the actual meeting. This information often is not encrypted.
  • Interaction between management and the board is continuous. Monthly, quarterly and annual meetings give the board and committee members an opportunity to review company performance, and provide a forum for governance. Information is still being printed, exposing huge amounts of confidential information as directors travel between meetings and between locations.
  • Unsecure dissemination of confidential documents from regulators, investors and management flows from administrators to the board.

The Individual

  • Critical documents are still being stored and shared on a variety of personal devices – computers, tablets and phones.
  • Directors and committee members are still sending their packets to their personal emails so they can print the materials, thereby breaching security.

What do you do?
Security issues continue to be on the front page of the news. How do you prevent a perfect storm from happening where directors with personal communication devices are not handling confidential information in a proper format? Below are four practical steps to address this.

Education: Board members should be educated on a periodic basis as to what their roles and requirements are, from a board and a bank perspective. If you are public, Securities and Exchange Commission regulations should also be reviewed often.

Process: To help prevent damage from occurring, it is also important to set up a process whereby the directors are getting the necessary information in a secure fashion. There should be sufficient documentation of the process in establishing and monitoring board members. Appropriate personnel, including risk-management and IT personnel, should have input.

Review: The risk department should conduct a review and test the entire process to ensure the loop is secure. This should include management, committee members and the entire board.

Evaluate: Evaluate the risk factors affecting the current process. How does it impact the organization overall?

As technology continues to evolve at breakneck speed, the race is on for leaders to move fast enough to deliver a secure environment. It is clear that not enough attention is being focused on the process that is necessary to foster this environment. Board members will need to think ahead before they communicate, and leaders will need to make sure director communications are secure. And there is no magic formula for creating this—it is an ongoing, “live” process that you will need to keep reviewing. While the process needs to constantly be monitored and refreshed, it also must reflect new behaviors and new preferences: look to the success of the Apple Watch. 

This real-time process will aim to keep you secure at all times. And that may end up in your favor as regulators may soon turn their focus to communication within the board room.

CEO Pay Ratio: How It Will (And Won’t) Work


The Securities and Exchange Commission (SEC) is now accepting comments on proposed rules that would require public companies to disclose the ratio of the CEO’s pay to that of their median worker. Proponents say it will serve to better highlight excessive pay practices and shame those companies into adopting more shareholder-friendly programs. Detractors argue that the cost and complexity of implementing the new disclosure outweighs the benefits to investors and may actually ramp up pay levels.

The rules would require public companies to disclose:

  • the median employee annual total compensation, excluding the CEO;
  • the annual total compensation of the CEO; and
  • the ratio between the two.

Companies exempt from the rules include:

  • emerging growth companies (those who completed their IPO after 12/8/11 and have less than $1 billion in total annual gross revenues);
  • smaller reporting companies (less than a $75 million float); and
  • foreign private issuers (50 percent or less of outstanding voting securities are held by U.S. residents).

Interestingly, the SEC provided flexibility in terms of how median employee compensation would be calculated: Companies can use either the entire employee population, or a statistical sampling. Companies would be able to choose their own methodology, as long as it is clearly outlined in their proxy and is “appropriate to the size and structure of their own businesses and the way they compensate employees.” We anticipate that the methodologies available for calculating this new pay standard will be front and center in the public debate—perhaps even more than the pay ratios themselves.

So how beneficial would this new disclosure really be in determining the appropriateness of CEO pay within the banking industry? We already know that ratios will vary widely across industries, especially among global versus domestic companies and those with a high number of part-time, temporary and/or seasonal workers. Within the banking industry, there also will be a lot of noise to deal with: Banks’ business models, ownership structures, and operational sizes (e.g., number of branches) will influence the CEO pay ratio, making it difficult to make meaningful comparisons. On top of that, pay ratio disclosures would be based on inconsistent methodologies and different definitions of “total annual compensation.” That number could be established using the Summary Compensation Table in the annual proxy, or any consistently used compensation measure such as amounts reported in payroll or tax records.

Given the wide variations in how companies arrive at these ratios, they are likely to be of limited value in helping shareholders assess banks’ pay programs. In some circumstances, however, pay ratios might provide some additional perspective for bank directors. The following serve as examples:

  • How has the relationship between pay for our CEO and other employees changed over time?
  • Are increases/decreases in the ratio commensurate with our performance?
  • Should the ratio remain constant in good and bad times, meaning that there is an equitable distribution of rewards or cost-cutting measures between the CEO (or management team) and the general employee population—or should there be variation?

Fortunately, there is time to consider various options. However, we recommend banks begin now to investigate the methodologies best suited to their own business and prepare a preliminary pay ratio calculation based on the SEC’s current proposal.

Assuming the final rules become effective in 2014, calendar year companies won’t need to provide pay ratio data until the 2015 fiscal year, and they can provide it in the annual report, proxy or information statement that might not get filed until 2016.


Being Public: Is It Worth It?


Six months after the JOBS (Jumpstart our Business Startups) Act went into effect, making it easier for banks to remain private, we asked lawyers their opinion on the advantages and downsides of public ownership. Although all raise good points, many believe the expense is just not worth it for that size bank. But if the bank is looking at acquisitions and access to capital that the public markets provide, public ownership is a good idea.

Does it make sense for banks with less than $500 million in assets to be public companies? 

With increasing needs for capital and a desire to grow, some smaller banks may want to become or remain public companies, in spite of the significant burdens imposed on smaller public company issuers. Access to the public markets and shareholder liquidity, in the right situation, are worth the price of admission. Without a growth agenda, however, small, publicly held banks would be well-advised to privatize.

—Mark Nuccio, Ropes & Gray LLP 

It is hard to see many benefits for companies with less than $500 million in total assets to have their shares registered with the Securities and Exchange Commission (SEC) under the Exchange Act. The accounting costs associated with public company status continue to increase, as do legal and regulatory check-the-box exercises. Perhaps it is worthwhile for boards to consider the issue again at $1 billion in assets, which is when the requirements for Federal Deposit Insurance Corp. Improvement Act certifications and the Federal Reserve’s enterprise risk assessments kick in. It is clear how smaller, publicly traded banking organizations view this issue. After the JOBS Act, the pace of such companies going dark has resembled Pamplona’s Running of the Bulls.

—Peter Weinstock, Hunton & Williams LLP 

For many banks with less than $500 million of assets, the burdens of operating as a public company likely outweigh the benefits. The reporting obligations themselves are substantial. Moreover, particularly as many community banks continue to feel the burdens of the financial crisis, the need to satisfy the short-term view of many investors can impede the pursuit of the long-term objective for a return to health. And the public markets often place a discount on the stock price of banks this size, thereby limiting the upside potential of an offering. Despite having said that, if a bank of this size is in comparatively good health, there are many opportunities for acquisitions in the marketplace now. For these banks, the publicly traded stock can still be a useful currency in a growth strategy.

—Greg Lyons, Debevoise & Plimpton LLP 

After the JOBS Act increased thresholds for registration from 500 shareholders to 2,000 and deregistration from 300 shareholders to 1,200, many banks have been closely examining the practicality of being a public company, especially considering the tremendous expense and additional regulation. However, the sensibility of that decision truly rests in the bank’s strategic plans for its future. How does the bank want to position itself? If a bank wants to expand its market or services, or if it wants (or needs) to raise capital, its prospects for doing so are much brighter as a public company. Some banks also enjoy the prestige and attention that they receive as a public company. Being a public reporting company may add significant expense, but the visibility and flexibility for raising capital is certainly enhanced for a public company, which may turn those expenses into a valuable investment for future growth.

—Kim Schaefer, Vorys, Sater, Seymour and Pease LLP               

There is no one-size-fits-all response to this question. For the institution that sees itself generating enough capital to pay dividends and sustain growth and does not see itself expanding its footprint, then it should seriously consider deregistering with the SEC. There is a unique ability for a bank or bank holding company (and a savings bank and savings and loan holding company) to continue to trade on the bulletin board without having to be registered with the SEC. This is not available for non-financial institutions.

For many small-cap banks, bulletin board trading may provide as much liquidity as NASDAQ OMX, and provides insiders with an outlet for their shares, which is one of the major downsides of deregistering (i.e., it is difficult for insiders to sell their shares).  For an institution that sees itself accessing the public markets for additional capital or expanding through mergers and acquisitions, continuing with an SEC registration could prove critical, despite the costs and burdens. And as the market cap of a bank/holding company increases, the need to maintain a trading alternative is also important for shareholders. 

—John Gorman, Luse Gorman Pomerenk & Schick PC

The Dodd-Frank Whistleblower Program: What Publicly-Traded Banks Should Know


On August 12, 2011, the Securities and Exchange Commission’s (“SEC”) final rules implementing the sweeping whistleblower program in the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank”) became effective. Like all entities within the SEC’s jurisdiction, publicly-traded banks and their compliance officials should take the time now to understand the whistleblower provisions and the new challenges they pose.

The Dodd-Frank Whistleblower Provisions

The Dodd-Frank whistleblower provisions are quite broad.  They extend to people who share information with the SEC or the Commodity Futures Trading Commission (“CFTC”) concerning misconduct that falls within the jurisdiction of these agencies — including accounting fraud, insider trading, stock manipulation, and violations of the Foreign Corrupt Practices Act. 

The whistleblower provisions authorize cash rewards to whistleblowers for original information leading to a recovery exceeding $1 million. A key condition is that the tip is “derived from the independent knowledge or analysis of the whistleblower.” The SEC and CFTC have discretion to decide the exact amount of the award based on the “significance” of the information and the level of assistance provided by the whistleblower, as long as the award is between 10 and 30 percent of total recovery.

The Final Rules

The SEC’s final rules exclude certain individuals from receiving awards, including:

  • officers, directors, trustees, or partners of an entity who learn information about misconduct from another person or in connection with the company’s processes for identifying misconduct;
  • employees whose main duties involve compliance or internal audit, or persons associated with a firm hired to perform similar functions; and
  • employees of public accounting firms performing an engagement required by the securities laws, when the information relates to a violation by the client or its officers, directors or employees.

However, these individuals are still eligible for a reward under Dodd-Frank if:

  • they have a reasonable belief that (a) disclosure to the SEC is necessary to prevent the company from engaging in conduct that could cause substantial injury to investors, or (b) the company is acting in a way that would interfere with an investigation of the misconduct; or
  • one hundred twenty days have passed since they escalated the information to their company’s audit committee, legal/compliance officer, or supervisor, or since they received the information and the circumstances indicate that the audit committee, legal/compliance officer, or supervisor was aware of the information.

The Dodd-Frank whistleblower provisions do not impact the obligation of publicly-traded banks under certain circumstances to report suspected wrongdoing, such as in connection with suspicious activity reports or when the bank is notified by its outside auditors under Section 10A of the Exchange Act of a suspected illegal act that has not been adequately remediated.

Although the final rules do not require that employees report suspected wrongdoing through internal corporate compliance channels before disclosing information to the SEC in return for a bounty, the rules do try to encourage internal reporting:

  • A whistleblower who reports wrongdoing to the SEC within 120 days of lodging a complaint internally will be deemed to have reported to the SEC as of the date of the internal disclosure.
  • If a whistleblower reported original information internally before or at the same time that the whistleblower reported it to the SEC, and the company discloses the whistleblower’s information or the results of an investigation initiated by the whistleblower’s information to the SEC leading to a successful enforcement action, the whistleblower will receive credit for the information provided by the company and will be eligible for an award.
  • When deciding whether to increase the amount of a whistleblower’s award, the SEC will consider whether the tipster reported through internal channels and assisted with any internal investigation.

Dodd-Frank prohibits retaliation not only against whistleblowers who provide information under the award program but also against employees engaged in offering consumer financial products who provide information about what they reasonably believe to be a violation of federal consumer protection laws, even if these employees are not pursuing a Dodd-Frank whistleblower award.

Looking Ahead

Beyond enhancing existing internal compliance measures designed to identify potential misconduct (such as employee ethics hotlines), the Dodd-Frank whistleblower rules make it more important than ever for publicly traded banks to promptly review all claims of wrongdoing.  Doing so will increase the opportunity to remediate any problems and self-report the conduct to bank regulators and other authorities before a whistleblower contacts the SEC first.