Overview
The U.S. Office of the Comptroller of the Currency (OCC) has historically
taken the lead among bank regulators in establishing expectations for
bank directors, beginning with publication of its initial Director’s
Book in 1987. Within one year of the OCC’s publication of The Director’s Book,
the Federal Deposit Insurance Corporation (FDIC) and the Federal Home
Loan Bank Board (FHLB) followed suit with their respective publications of the
Pocket Guide for Directors and The Director's Guide: The Role and
Responsibilities of a Savings Institution Director. Thus, the OCC’s recent
efforts to further define the role of directors
and establish specific expectations for the board in its Bulletins and
formal rules have ramifications for all banks, regardless of charter.
The Guidelines – New Expectations for Bank Directors
Most recently, on September 11, 2014, the OCC issued formal rules regarding
the duties and responsibilities of the board within a bank’s “risk
governance framework,” as part of
OCC Guidelines Establishing Heightened Standards for Certain Large Insured
National Banks, Insured Federal Savings Associations, and Insured Federal Branches (the “Guidelines”). Although these rules are labeled “guidelines,” the
rules were adopted as an amendment to, and are enforceable under, the
OCC’s Safety and Soundness Standards.[1]
The
Guidelines cover all institutions with assets of $50 billion or more, and may be
applied to smaller institutions, on a case-by-case basis, “if the
OCC determines that such bank’s operations are highly complex or
otherwise present a heightened risk as to warrant [application]. . .”[2] In this regard, the American Association of Bank Directors has pronounced that the
Guidelines may, “begin to be viewed by the [other] banking agencies as ‘best
practices’ that might be applied informally to smaller banks—even
state banks regulated by the FDIC or Federal Reserve.”[3]
A core expectation of the
Guidelines is that the board possess the requisite information, experience, business
acumen, and willingness to, “question, challenge, and, when necessary,
oppose management’s proposed actions that could cause the bank’s
risk profile to exceed its risk appetite or threaten the bank’s
safety and soundness. . .”[4] Meeting this expectation in an environment marked by transformational
changes in the business of banking, and intensified supervisory oversight
in the aftermath of the financial crisis, poses a daunting challenge.
On August 7, 2015, OCC Comptroller Thomas Curry, in addressing the participants
of a bank conference entitled “Leading Toward the Future; Ideas
and Insights for a New Era,” summarized the current state of innovation
in the banking industry, much of which involves third-party technologies
and services, as follows:
Mobile payment services like Apple Pay and Google Wallet could change the
face of retail payments, particularly at the point of sale, while virtual
currencies have the potential to transform the way we think about money.
New online services offer the prospect of a banking relationship that
exists only on a smart phone or home computer, and peer-to-peer lending
has the potential of upending a bank’s traditional role as an intermediary.
Automated systems compete with traditional financial advisors, and crowdfunding
sites are entering the business of raising equity capital for new and
existing companies.
Some of these products represent only incremental changes that don’t
present major regulatory concerns, but others signify real points of departures
that will require a significant amount of scrutiny to ensure that they
can be offered safely and soundly, consistent with applicable laws and
regulations, and in a way that ensures adequate consumer protections.[5]
As is further discussed below, the need for increased scrutiny in response
to the above-described changes appears to be a primary driver of the OCC’s
recent focus on setting new expectations for directors.
Pursuant to the
Guidelines, each individual board member bears responsibility for overseeing compliance
with safe and sound banking practices and must exercise independent judgment
in executing this responsibility.[6] In addition, the board as a collective body “should require management
to establish and implement an effective risk governance framework. . .”
and “actively oversee the bank’s risk-taking activities and
hold management accountable for adhering to [that] Framework. . .”
In carrying out this duty of active oversight, the
Guidelines provide that the board “may rely on risk assessments and reports
prepared by independent risk management and internal audit. . .”[7] Moreover, recognizing the difficulty of digesting and interpreting such
information, the preamble to the final rule of the
Guidelines notes that: “Some boards of directors periodically engage third-party
experts to assist them in understanding risks and issues and to make recommendations
to strengthen board and bank policies” and encourages boards to
consider such assistance.[8]
The
Guidelines additionally require the board to “establish and adhere to a formal,
ongoing training program for all directors,” which should include,
as appropriate, training on:
- Complex products, services, lines of business, and risks that have a significant
impact on the covered bank;
- Laws, regulations, and supervisory requirements applicable to the covered bank; and
- Other topics identified by the board of directors.[9]
Finally, the
Guidelines require the board to conduct an annual self-assessment of its own effectiveness.[10] According to the preamble to the final rule, this assessment “should
result in a constructive dialogue among board members that identifies
opportunities for improvement and leads to specific changes that are capable
of being tracked, measured, and evaluated.”[11]
OCC Bulletins Offer More Guidance
As noted above, the OCC has also established specific expectations for
directors in its Bulletins. For example,
OCC Bulletin 2011-12 (Supervisory Guidance for Risk Model Management), which was issued on April 4, 2011, provides that “Board members should
ensure that the level of model risk is within their [established] tolerance and
direct changes where appropriate (emphasis added).”[12] The same Bulletin notes an evolution in banks’ use of risk models:
“In recent years, banks have applied models to more complex products
and with more ambitious scope, such as enterprise-wide risk measurement,
while the markets in which they are used have also broadened and changed.”[13] Indeed, since April 2011, both the pace of change and the degree of complexity
have accelerated due to an intensified regulatory focus on the risk of
disparate impacts on protected classes of consumers and the expanded use
of “big data” in predicting customer preferences and performance.
Hence, the demand for effective oversight is considerably greater today
than what existed four years ago.
OCC Bulletin 2013-29 (Risk Management Guidance -
Third Party Relationships), which was issued on October 30, 2013, likewise speaks to the role of
directors. Specifically, the Bulletin sets forth the following specific
expectations for the board:
- Ensure an effective process is in place to manage risks related to third-party
relationships in a manner consistent with the bank’s strategic goals,
organizational objectives, and risk appetite.
- Approve the bank’s risk-based policies that govern the third-party
risk management process and identify critical activities.
- Review and approve management plans for using third parties that involve
critical activities.
- Review summary of due diligence results and management’s recommendations
to use third parties that involve critical activities.
- Approve contracts with third parties that involve critical activities.
- Review the results of management’s ongoing monitoring of third-party
relationships involving critical activities.
- Ensure management takes appropriate actions to remedy significant deterioration
in performance or address changing risks or material issues identified
through ongoing monitoring.
- Review results of periodic independent reviews of the bank’s third-party
risk management process.[14]
The OCC additionally notes in
Bulletin 2013-29 that “[b]anks continue to increase the number and complexity of
relationships” and cautions that “the quality of risk management
over third-party relationships may not be keeping pace with the level
of risk and complexity of these relationships.”
_____________________________
CFPB - Consent Order Actions
The Consumer Financial Protection Bureau (CFPB) has also provided guidance
regarding expectations for bank boards of directors in the form of Consent
Order actions against banks.1
Although such actions are specifically directed to the subject bank and
the activities in question (e.g., sales of add-on products), they provide
helpful instruction along with bank agency-issued formal rules, bulletins,
and consent orders; see CFPB Consent Order against Citizens Bank dated
August 15, 2015, requiring the board to establish a three-person Compliance
Committee to oversee compliance with the terms of the order.2
In this regard, board members who become signatory to a cease and desist
order, including an order entered into by consent, may incur individual
liability for which the bank is barred by law from providing indemnification.3
1 Consistent with its narrow mission to protect consumers, the Compliance
Management Systems narrative of the CFPB Supervision and Examination Manual
provides that in “a depository institution, the board of directors
is ultimately responsible for developing and administering a compliance
management system that ensures compliance with Federal consumer financial
laws and regulations and addresses and prevents associated risks of harm
to consumers (CMR Review, p. 3).” For the most part, the Manual
discusses expectations for board of directors and management oversight
interchangeably, with little or no distinction between the two. This blurring
of responsibilities likely reflects that the Manual is intended to provide
guidance to both banks and non-banks, the latter of which may not have
a board of directors: “In a non-depository consumer financial services
company, that ultimate [oversight] responsibility may rest with a board
of directors in the case of a corporation or with a controlling person
or some other arrangement.” Id.
2 http://files.consumerfinance.gov/f/201408_cfpb_consent-order-rbs-citizens.pdf
3 Federal law prohibits “any payment (or any agreement to make any
payment) by any insured depository institution or covered company for
the benefit of any person who is or was an institution-affiliated party,
to pay or reimburse such person for any liability or legal expense with
regard to any administrative proceeding or civil action instituted by
the appropriate Federal banking agency which results in a final order
under which such person—(i) is assessed a civil money penalty.”
12 U.S.C. § 1828(k)(5)(A)(i).
_____________________________
Conclusion—OCC Sets the Bar High
In sum, in its Bulletins and new
Guidelines, the OCC set a high bar for what is expected of bank directors and the
board. In its preamble to the
Guidelines’ final rule, the OCC justifies the attendant high demands placed
on directors as follows:
The OCC believes that the capacity to dedicate sufficient time and energy
in reviewing information and developing an understanding of the key issues
related to a covered bank’s risk-taking activities is a critical
prerequisite to being an effective director. Informed directors are well-positioned
to engage in substantive discussions with management wherein the board
of directors provides approval to management, requests guidance to clarify
areas of uncertainty, and prudently questions the propriety of strategic
initiatives.[15]
Although the
Guidelines are targeted to banks with assets greater than $50 billion, the
Guidelines’ expectations for directors are likely to have a broad influence throughout
the banking industry. In this regard, the technological developments and
changes in the business of banking that appear to be driving increased
expectations for the board are obviously not unique to national banks.
Additionally, all banks, regardless of size or charter, are experiencing
a marked increase in intensity of examinations, and supervisory oversight
generally, in the aftermath of the financial crisis.
Because institutions with assets of $50 billion, but less than $100 billion,
are not required to be in full compliance with the
Guidelines until March 11, 2016, the OCC has yet to begin examining for compliance
those banks that were not already subject to the “heightened expectations”
that the OCC developed for the largest banks (i.e., with assets of $750
billion or more) during the financial crisis. Hence, the impact of the
Guidelines on directors, including “best practices” influences on directors
of smaller banks, remains an unknown quantity. As a result, Bridgeforce
Law has prepared a questionnaire that solicits information regarding the
current ability of directors to satisfy the expectations of the
Guidelines, as well as other relevant safety and soundness guidance.
In closing, the opportunity to serve as a bank director continues to be
an honor with few parallels. Those who are invited to serve as directors
at smaller banks are typically leaders in the community at large, not
just in business matters. And, those invited to serve as directors at
large banks are leaders at the regional or national level, and include
some of the nation’s brightest minds drawn from across diverse industries.
Along with this significant honor, however, comes significant responsibility
and accountability. For example, at least three members of the board of
directors must personally attest to the correctness of the report of condition
of the bank, and those members may incur personal liability in the form
of civil money penalties for material inaccuracies.[16] In addition, as noted above, a board member may incur significant
personal liability in connection with violations of a cease and desist
order and become a signatory to a cease and desist order, or other formal
enforcement actions, the violation of which may result in individual liability
that the bank is barred by law from indemnifying.[17] The keys to successful and rewarding board service in this challenging,
ever-changing environment are: (i) keen awareness of the nature and direction
of the applicable risks; and (ii) knowledge and effective use of all available
resources, including third-party services.
Use this questionnaire to assess the program you have in place for your Board:
Director's Questionnaire
[1] The Guidelines are codified at 12 C.F.R. Part 30, Appendix D.
[3] OCC’s Heightened Risk Management “Guidelines” for Bank Director’s - Where is the Due Process? (November 21, 2014), p. 2. http://aabd.org/occs-heightened-risk-management-guidelines-bank-directors-due-process/
[4] 12 C.F.R. 30, Appendix D, Paragraph (III)(B).
[6] 12 C.F.R. 30, Appendix D(III)(C).
[7] 12 C.F.R. 30, Appendix D, Paragraph (III)(B).
[9] 12 C.F.R. 30, Appendix D, Paragraph (III)(E).
[12] OCC Bulletin 2011-12, Attachment, p. 17.
[14] OCC Bulletin 2013-29, p. 12.
[17] Federal law prohibits “any payment (or any agreement to make any
payment) by any insured depository institution or covered company for
the benefit of any person who is or was an institution-affiliated party,
to pay or reimburse such person for any liability or legal expense with
regard to any administrative proceeding or civil action instituted by
the appropriate Federal banking agency which results in a final order
under which such person—(i)
is assessed a civil money penalty.” 12 U.S.C. § 1828(k)(5)(A)(i).