The OCC's Standards for Bank Directors: Heightened Expectations Extend Beyond Large Banks

Overview

The U.S. Office of the Comptroller of the Currency (OCC) has historically taken the lead among bank regulators in establishing expectations for bank directors, beginning with publication of its initial Director’s Book in 1987. Within one year of the OCC’s publication of The Director’s Book, the Federal Deposit Insurance Corporation (FDIC) and the Federal Home Loan Bank Board (FHLB) followed suit with their respective publication of the Pocket Guide for Directors and The Director's Guide: The Role and Responsibilities of a Savings Institution Director. Thus, the OCC’s recent efforts to further define the role of directors and establish specific expectations for the board in its Bulletins and formal rules have ramifications for all banks, regardless of charter.

The Guidelines – New Expectations for Bank Directors

Most recently, on September 11, 2014, the OCC issued formal rules regarding the duties and responsibilities of the board within a bank’s “risk governance framework,” as part of OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches (the “Guidelines”). Although these rules are labeled “guidelines,” the rules were adopted as an amendment to, and are enforceable under, the OCC’s Safety and Soundness Standards.[1]

The Guidelines cover all institutions with assets of $50 billion or more, and may be applied to smaller institutions, on a case-by-case basis, “if the OCC determines that such bank’s operations are highly complex or otherwise present a heightened risk as to warrant [application]. . .”[2] In this regard, the American Association of Bank Directors has pronounced that the Guidelines may, “begin to be viewed by the [other] banking agencies as ‘best practices’ that might be applied informally to smaller banks—even state banks regulated by the FDIC or Federal Reserve.”[3]

A core expectation of the Guidelines is that the board possess the requisite information, experience, business acumen, and willingness to, “question, challenge, and, when necessary, oppose management’s proposed actions that could cause the bank’s risk profile to exceed its risk appetite or threaten the bank’s safety and soundness. . .”[4] Meeting this expectation in an environment marked by transformational changes in the business of banking, and intensified supervisory oversight in the aftermath of the financial crisis, poses a daunting challenge.

On August 7, 2015, OCC Comptroller Thomas Curry, in addressing the participants of a bank conference entitled “Leading Toward the Future; Ideas and Insights for a New Era,” summarized the current state of innovation in the banking industry, much of which involves third-party technologies and services, as follows:

Mobile payment services like Apple Pay and Google Wallet could change the face of retail payments, particularly at the point of sale, while virtual currencies have the potential to transform the way we think about money. New online services offer the prospect of a banking relationship that exists only on a smart phone or home computer, and peer-to-peer lending has the potential of upending a bank’s traditional role as an intermediary. Automated systems compete with traditional financial advisors, and crowdfunding sites are entering the business of raising equity capital for new and existing companies.

Some of these products represent only incremental changes that don’t present major regulatory concerns, but others signify real points of departures that will require a significant amount of scrutiny to ensure that they can be offered safely and soundly, consistent with applicable laws and regulations, and in a way that ensures adequate consumer protections.[5]

As is further discussed below, the need for increased scrutiny in response to above-described changes, appears to be a primary driver of the OCC’s recent focus on setting new expectations for directors.

Pursuant to the Guidelines, each individual board member bears responsibility for overseeing compliance with safe and sound banking practices and must exercise independent judgment in executing this responsibility.[6] In addition, the board as a collective body “should require management to establish and implement an effective risk governance framework. . .” and “actively oversee the bank’s risk-taking activities and hold management accountable for adhering to [that] Framework. . .” In carrying out this duty of active oversight, the Guidelines provide that the board “may rely on risk assessments and reports prepared by independent risk management and internal audit. . .”[7] Moreover, recognizing the difficulty of digesting and interpreting such information, the preamble to the final rule of the Guidelines notes that: “Some boards of directors periodically engage third-party experts to assist them in understanding risks and issues and to make recommendations to strengthen board and bank policies” and encourages boards to consider such assistance.[8]

The Guidelines additionally require the board to “establish and adhere to a formal, ongoing training program for all directors,” which should include, as appropriate, training on:

1. Complex products, services, lines of business, and risks that have a significant impact on the covered bank;
2. Laws, regulations, and supervisory requirements applicable to the covered bank; and
3. Other topics identified by the board of directors.[9]

Finally, the Guidelines require the board to conduct an annual self-assessment of its own effectiveness.[10] According to the preamble to the final rule, this assessment “should result in a constructive dialogue among board members that identifies opportunities for improvement and leads to specific changes that are capable of being tracked, measured, and evaluated.”[11]

OCC Bulletins Offer More Guidance

As noted above, the OCC has also established specific expectations for directors in its Bulletins. For example, OCC Bulletin 2011-12 (Supervisory Guidance for Risk Model Management), which was issued on April 4, 2011, provides that “Board members should ensure that the level of model risk is within their [established] tolerance and direct changes where appropriate (emphasis added).”[12] The same Bulletin notes an evolution in banks’ use of risk models: “In recent years, banks have applied models to more complex products and with more ambitious scope, such as enterprise-wide risk measurement, while the markets in which they are used have also broadened and changed.”[13] Indeed, since April 2011, both the pace of change and the degree of complexity have accelerated due to an intensified regulatory focus on the risk of disparate impacts on protected classes of consumers and the expanded use of “big data” in predicting customer preferences and performance. Hence, the demand for effective oversight is considerably greater today than what existed four years ago.

OCC Bulletin 2013-29 (Risk Management Guidance - Third Party Relationships), which was issued on October 30, 2013, likewise speaks to the role of directors. Specifically, the Bulletin sets forth the following specific expectations for the board:

• Ensure an effective process is in place to manage risks related to third-party relationships in a manner consistent with the bank’s strategic goals, organizational objectives, and risk appetite.
• Approve the bank’s risk-based policies that govern the third-party risk management process and identify critical activities.
• Review and approve management plans for using third parties that involve critical activities.
• Review summary of due diligence results and management’s recommendations to use third parties that involve critical activities.
• Approve contracts with third parties that involve critical activities.
• Review the results of management’s ongoing monitoring of third-party relationships involving critical activities.
• Ensure management takes appropriate actions to remedy significant deterioration in performance or address changing risks or material issues identified through ongoing monitoring.
• Review results of periodic independent reviews of the bank’s third-party risk management process.[14]

The OCC additionally notes in Bulletin 2013-29 that “[b]anks continue to increase the number and complexity of relationships” and cautions that “the quality of risk management over third-party relationships may not be keeping pace with the level of risk and complexity of these relationships.”

_____________________________

CFPB - Consent Order Actions

The Consumer Financial Protection Bureau (CFPB) has also provided guidance regarding expectations for bank boards of directors in the form of Consent Order actions against banks.¹

Although such actions are specifically directed to the subject bank and the activities in question (e.g., sales of add-on products), they provide helpful instruction along with bank agency-issued formal rules, bulletins, and consent orders; see CFPB Consent Order against Citizens Bank dated August 15, 2015, requiring the board to establish a three-person Compliance Committee to oversee compliance with the terms of the order.²

In this regard, board members who become signatory to a cease and desist order, including an order entered into by consent, may incur individual liability for which the bank is barred by law from providing indemnification.³

¹ Consistent with its narrow mission to protect consumers, the Compliance Management Systems narrative of the CFPB Supervision and Examination Manual provides that in “a depository institution, the board of directors is ultimately responsible for developing and administering a compliance management system that ensures compliance with Federal consumer financial laws and regulations and addresses and prevents associated risks of harm to consumers (CMR Review, p. 3).” For the most part, the Manual discusses expectations for board of directors and management oversight interchangeably, with little or no distinction between the two. This blurring of responsibilities likely reflects that the Manual is intended to provide guidance to both banks and non-banks, the latter of which may not have a board of directors: “In a non-depository consumer financial services company, that ultimate [oversight] responsibility may rest with a board of directors in the case of a corporation or with a controlling person or some other arrangement.” Id.

² http://files.consumerfinance.gov/f/201408_cfpb_consent-order-rbs-citizens.pdf

³ Federal law prohibits “any payment (or any agreement to make any payment) by any insured depository institution or covered company for the benefit of any person who is or was an institution-affiliated party, to pay or reimburse such person for any liability or legal expense with regard to any administrative proceeding or civil action instituted by the appropriate Federal banking agency which results in a final order under which such person—(i) is assessed a civil money penalty.” 12 U.S.C. § 1828(k)(5)(A)(i).

_____________________________

Conclusion—OCC Sets the Bar High

In sum, in its Bulletins and new Guidelines, the OCC set a high bar for what is expected of bank directors and the board. In its preamble to the Guidelines’ final rule, the OCC justifies the attendant high demands placed on directors as follows:

The OCC believes that the capacity to dedicate sufficient time and energy in reviewing information and developing an understanding of the key issues related to a covered bank’s risk-taking activities is a critical prerequisite to being an effective director. Informed directors are well-positioned to engage in substantive discussions with management wherein the board of directors provides approval to management, requests guidance to clarify areas of uncertainty, and prudently questions the propriety of strategic initiatives.[15]

Although the Guidelines are targeted to banks with assets greater than $50 billion, the Guidelines’ expectations for directors are likely to have a broad influence throughout the banking industry. In this regard, the technological developments and changes in the business of banking that appear to be driving increased expectations for the board are obviously not unique to national banks. Additionally, all banks, regardless of size or charter, are experiencing a marked increase in intensity of examinations, and supervisory oversight generally, in the aftermath of the financial crisis.

Because institutions with assets of $50 billion, but less than $100 billion, are not required to be in full compliance with the Guidelines until March 11, 2016, the OCC has yet to begin examining banks for compliance that were not already subject to the “heightened expectations” that the OCC developed for the largest banks (i.e. with assets of $750 billion or more) during the financial crisis. Hence, the impact of the Guidelines on directors, including “best practices” influences on directors of smaller banks, remains an unknown quantity. As a result, Bridgeforce Law has prepared a questionnaire that solicits information regarding the current ability of directors to satisfy the expectations of Guidelines, as well as other relevant safety and soundness guidance.

In closing, the opportunity to serve as a bank director continues to be an honor with few parallels. Those who are invited to serve as directors at smaller banks are typically leaders in the community at large, not just in business matters. And, those invited to serve as directors at large banks are leaders at the regional or national level, and include some of the nation’s brightest minds drawn from across diverse industries. Along with this significant honor, however, comes significant responsibility and accountability. For example, at least three members of the board of directors must personally attest to the correctness of the report of condition of the bank, and those members may incur personal liability in the form of civil money penalties for material inaccuracies.^[16] In addition, as noted above, a board member may may incur significant personal liability in connection with violations of a cease and desist order and become a signatory to a cease and desist order, or other formal enforcement actions, the violation of which may result in individual liability that the bank is barred by law from indemnifying.[17] The keys to successful and rewarding board service in this challenging, ever-changing environment are: (i) keen awareness of the nature and direction of the applicable risks; and (ii) knowledge and effective use of all available resources, including third-party services.

Use this questionnaire to assess the program you have in place for your Board: Director's Questionnaire