Overview of Emerging Regulatory Expectations on Bank Conduct, Culture, Governance

The following materials are from the Bank Conduct, Culture, and Governance panel at the University of North Carolina School of Law’s 2016 Banking Institute. This panel explored diverse topics relating to bank culture and governance, including regulatory developments in the United States and Europe, recent culture initiatives, the G-30 Report on Culture and Conduct, oversight and credible challenge by Boards of Directors, the burgeoning responsibilities of bank directors, and shareholder activism.

Board and senior management should set appropriate “tone at top”

• Culture of compliance
• Define company values
• Define corporate strategy
• Define risk appetite.

Board of directors should be engaged, informed, knowledgeable about banking, credit and finance, diverse demographically as well as in professional experience, and include members with appropriate independence.

Board committees should have clear charters, with independent membership especially in audit, compensation, compliance and risk management.

Board and senior management should establish and document clear lines of responsibility for business units and operations, audit, compliance, with specific persons designated, reporting lines documented and mapped to organization chart.

Clear reporting line from compliance officers to board risk management committee or compliance committee, and audit team to audit committee.

Compensation structure should be aligned with corporate objectives, long-term and not over-reward risk or reward non-compliance.

Effective communication by management of culture, values, risk appetite, strategy throughout organization.

Management accountability for implementation.

Well-developed information systems to track key areas and keep senior management informed.

Regular reporting by senior management to board committees on key areas and issues.

More detailed minutes of board meetings than corporate lawyers would like.  Document depth of consideration by board and committees.

BIS/European model has board owing primary duty to depositors, secondary to other constituencies (one of which is shareholders, but also public, employees and customers).  American/OECD model has board owing primary duty to shareholders while bank is solvent, but also answerable to regulators for risk management, compliance, exercise of due care in oversight of management.

Board oversight of management, not involved in day-to-day.

Business line management accountability for compliance “first line of defense.”

Risk management/compliance “second line of defense.”

Internal audit “third line of defense.”

Internal reporting of violations free from retaliation.

Sufficient resources provided for compliance, culture/values, risk management.

Compliance program established, with:

• named chief compliance officer/team;
• separate reporting line from business unit but working closely with it on real time;
• written compliance policies, procedures and documented internal controls;
• training of key personnel;
• mapping of legal and regulatory obligations to relevant business units and products/activities and gap analysis;
• continuous evaluation and updating of compliance program, policies, procedures and controls to incorporate learning from internal reviews and audit and examiner comments, legal developments, changes to environment, products/services and business;
• independent internal audit of conformance to policies and procedures;
• information and reporting systems on compliance; and
• documentation of each element.

The larger and more complex the banking organization and higher risk the activities, the more elaborate the compliance and control program must be.

CEO attestation required on some elements of compliance and control for larger institutions.

Recent Rules & Rulemaking Proposals With Governance Requirements

OCC Notice of Proposed Rulemaking (Dec. 17, 2015): Guidelines Establishing Standards for Recovery Planning by Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches.

• The proposal would establish enforceable guidelines for recovery planning by insured national banks, insured federal savings associations, and insured federal branches of foreign banks with average total consolidated assets of $50 billion or more.  Specifically, the proposed guidelines provide that management of the covered bank should review the recovery plan at least annually and in response to a material event, and revise the plan as necessary to reflect material changes in the covered bank’s risk profile, complexity, size, and activities, as well as changes in external threats.

OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches; Integration of Regulations (Sep. 11, 2014); 12 C.F.R. 30, Appendix D.

• The guidelines provide that covered institutions should establish and adhere to a written risk governance framework to manage and control its risk-taking activities. The guidelines also provide minimum standards for the institutions’ boards of directors to oversee the risk governance framework.  Independence from holding company board.  Three-year strategic plan.

Volcker Rule Interagency Implementing Rules Compliance Provisions (Jan 31. 2014): 12 C.F.R. § 351.20 (Program for compliance; reporting); Appendix B-III (Responsibility and Accountability for the Compliance Program).

• Each banking entity must develop and provide for the continued administration of a compliance program reasonably designed to ensure and monitor compliance with the prohibitions and restrictions on proprietary trading and covered fund activities and investments.  The compliance program must include a management framework that clearly delineates responsibility and accountability for compliance.

Recent Enforcement Actions With Governance Requirements

NYDFS and FRB Enforcement Action Against Habib Bank Limited (Dec. 17, 2015).

• Action against New York branch office for alleged record of noncompliance with the Bank Secrecy Act required, among other items, the bank’s board of directors and the branch’s management to jointly submit to the DFS a written plan to enhance oversight, by the management of the bank and branch, of the branch’s compliance with the BSA/AML requirements.  The plan must provide for a sustainable governance framework that, at a minimum, addresses, considers, and includes actions the board of directors will take to maintain effective control over, and oversight of, branch management’s compliance with the BSA/AML requirements.

FDIC Enforcement Action Against The Bancorp Bank (Dec. 23, 2015).

• Action against the bank for allegedly engaging in unsafe and unsound practices and engaging in deceptive and unfair acts and practices required, among other items, the board of directors to increase its oversight of the affairs of the bank by approving sound policies and objectives and by supervising all of the bank’s activities relating to the bank’s consumer and commercial deposit, lending, and other products and services consistent with the role and expertise commonly expected for directors of banks of comparable size and complexity and offering comparable banking products and services.

Recent Regulatory Litigation on Bank Corporate Governance Standards

FDIC v. Rippy, (E.D. N.C. Sep. 11, 2014), reversed in part and remanded in part (4^th Cir. Aug 2015).  After remand, the case was settled:  https://www.fdic.gov/about/freedom/plsa/nc_cooperativebank.pdf

• The FDIC sued the former Cooperative Bank D&Os following the closure of the bank in connection with their approval of 86 loans made between January 2007 and April 2008. The FDIC sought damages of at least $40 million, alleging that in approving these loans, the D&Os deviated from prudent lending practices established by the bank’s loan policy, published regulatory guidelines and generally established banking practices. The FDIC also alleged that the D&Os ignored prior regulatory criticisms and warnings pertaining to imprudent underwriting practices.  The U.S. Court of Appeals for the Fourth Circuit upheld the District Court's grant of summary judgment for the directors of the bank in part and reversed in part, and remanded for additional fact finding. The Court considered the business judgment rule as read in conjunction with an exculpatory clause in the bank’s articles of incorporation, and evaluated the standards of care applicable to directors and officers, as well as regulatory criticisms, in evaluating potential liability.

Recent Interpretations and Guidance On Corporate Governance & Culture -- Generally

FRB Supervisory Letter SR 12-17/CA 12-14 on Consolidated Supervision Framework for Large Financial Institutions (Dec. 17, 2012).

• The letter established a new framework for the consolidated supervision of large financial institutions and enumerated certain corporate governance expectations for boards of directors and their committees, such as clearly articulated corporate strategy and institutional risk appetite and ensuring that the firm’s senior management has the expertise and level of involvement required to manage the firm’s core business lines, critical operations, banking offices, and other material entities.

Bank of England/Prudential Regulatory Authority, Supervisory Statement | SS5/16, Corporate governance: Board responsibilities (March 2016)

http://www.bankofengland.co.uk/pra/Documents/publications/ss/2016/ss516.pdf

• Describes expectations of U.K. financial regulators on appropriate governance and board oversight of regulated institutions.

The Basel Committee on Banking Supervision, Guidelines, Corporate Governance Principles for Banks (July 2015).

• The Committee’s revised set of principles supersedes guidance published by the Committee in 2010 and emphasizes the critical importance of effective corporate governance for the safe and sound functioning of banks. It stresses the importance of risk governance as part of a bank’s overall corporate governance framework and promotes the value of strong boards and board committees together with effective control functions.

FINRA Enforcement Priorities Letter (January 2016)  http://www.finra.org/sites/default/files/2016-regulatory-and-examination-priorities-letter.pdf

• Addresses culture, conflicts of interest and ethics; supervision, risk management and controls.

FINRA Meetings on Establishing, Communicating and Implementing Cultural Values (Feb. 2016)

http://www.finra.org/industry/establishing-communicating-and-implementing-cultural-values

• Announces start of series of FINRA meetings with securities firms on how they establish, document and communicate corporate values and how they measure how communicated culture is implemented, check for conformance and address nonconformance and how it affects the compensation, compliance, litigation, and risk of the company.

Recent Interpretations and Guidance On Corporate Governance & Culture -- Cybersecurity

FDIC FIL-21-2014, Webinar on Senior Managements Role in Cybersecurity (Apr. 25, 2014).

• The webinar: (i) provides a plain language presentation for senior management of institutions on current cyber threats and actions that can be taken to protect their customers and institutions; (ii) provides key takeaways to assist in promoting an appropriate tone from senior management on topics that include building a security culture, integrating cybersecurity into the business units, and engaging boards of directors; and (iii) highlights the importance of public/private partnerships, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC).

FFIEC Cybersecurity Brochure

• Interagency brochure indicating that a bank’s management should: (i) establish robust governance policies and risk management strategies; (ii) commit sufficient resources including expertise and training; and (iii) establish an enterprise-wide approach to manage cyber risks with a strong cybersecurity culture as its foundation.

Recent Interpretations and Guidance On Corporate Governance & Culture – Other Topics

Interagency Statement on Prudent Risk Management for Commercial Real Estate Lending (Dec. 18, 2015)

• The letter states that institutions should maintain underwriting discipline and exercise prudent risk-management practices to identify, measure, monitor, and manage the risks arising from CRE lending, and should have risk-management practices and maintain capital commensurate with the level and nature of their CRE concentration risk.  Such practices include providing bank boards and management with information to assess lending strategy and policies and having policies and procedures approved by the board or designated committees.

Interagency Advisory on External Audits of Internationally Active U.S. Financial Institutions (Jan. 2016)  http://www.occ.gov/news-issuances/bulletins/2016/bulletin-2016-2a.pdf

Discusses U.S. bank audit requirements, including role of audit committee and board, and how they relate to Basel Committee 2014 guidance on bank audit practices.

Recent Speeches by Regulators on Corporate Governance & Culture

Gov. Tarullo, Corporate Governance at Regulated Institutions, Association of American Law Schools 2014 Midyear Meeting (Jun. 9, 2014).

• Federal Reserve Board Governor Tarullo suggested how the nature of finance and financial regulation affects corporate governance and why, in turn, special corporate governance measures are needed as part of an effective prudential regulatory system.

Gov. Tarullo, Good Compliance, Not Mere Compliance, Federal Reserve Bank of New York Conference (Oct. 20, 2014).

• Federal Reserve Governor Tarullo discussed two topics as it relates to bank employee behavior: (i) what regulators have learned about the shaping of behavior within the firm from the FRB’s work on risk management; and (ii) the role of reward and punishment systems in affecting employee behavior.

William C. Dudley, President and Chief Executive Officer, Federal Reserve Bank of New York, Enhancing Financial Stability by Improving Culture in the Financial Services Industry, Remarks at the Workshop on Reforming Culture and Behavior in the Financial Services Industry, Federal Reserve Bank of New York, New York City  (October 20, 2014)

https://www.newyorkfed.org/newsevents/speeches/2014/dud141020a.html

• Alberto G. Musalem, Executive Vice President, Federal Reserve Bank of New York, Why Focus on Culture? Remarks at Towards a New Age of Responsibility in Banking and Finance: Getting the Culture and the Ethics Right, Goethe-Universität Frankfurt am Main, Frankfurt, Germany (Nov. 23, 2015)

https://www.newyorkfed.org/newsevents/speeches/2015/mus151123

Federal Reserve Bank of New York, webpage on corporate culture and governance materials

https://www.newyorkfed.org/governance-and-culture-reform/index.html

Danièle Nouy, Chair of the Supervisory Board of the Single Supervisory Mechanism (SSM), Towards a New Age of Responsibility in Banking and Finance: Getting the Culture and the Ethics Right (Nov. 23, 2015).

• Nouy discussed the current state of risk culture among financial institutions, the tools at the disposal of the SSM to assess and address risk culture issues, and SSM expectations as to what good practice entails.

SEC Chair Mary Jo White, A Few Things Directors Should Know About the SEC, Stanford University Rock Center for Corporate Governance Twentieth Annual Stanford Directors’ College (June 23, 2014)

https://www.sec.gov/News/Speech/Detail/Speech/1370542148863

• Discusses role of directors in establishing compliance culture.

SEC Commissioner Luis Aguilar, The Important Work of Boards of Directors, 12th Annual Boardroom Summit and Peer Exchange, New York, NY (Oct. 14, 2015)

https://www.sec.gov/news/speech/important-work-of-boards-of-directors.html

Bank for International Settlements archives many speeches by regulators from around the globe on culture issues:

Ravi Menon: Building a culture of trust in the financial industry

Opening address by Mr Ravi Menon, Managing Director of the Monetary Authority of Singapore, at the Monetary Authority of Singapore-Singapore Academy of Law Conference, Singapore, January 23, 2015.

http://www.bis.org/review/r150126d.htm

Thomas C Baxter: The rewards of an ethical culture

Remarks by Mr Thomas C Baxter, Executive Vice President and General Counsel of the Federal Reserve Bank of New York, at the Bank of England, London, January 20, 2015.

http://www.bis.org/review/r150121a.htm

Andreas Dombret: Why focus on culture?

Statement by Dr Andreas Dombret, Member of the Executive Board of the Deutsche Bundesbank, at the Institute of Law and Finance conference "Towards a New Age of Responsibility in Banking and Finance: Getting the Culture and the Ethics Right", Goethe-University, Frankfurt am Main, November 23, 2015.

http://www.bis.org/review/r151126c.htm

William C Dudley: Improving culture and conduct in the financial services industry

Opening remarks by Mr William C Dudley, President and Chief Executive Officer of the Federal Reserve Bank of New York, at "Reforming Culture and Behavior in the Financial Services Industry: Workshop on Progress and Challenges", Federal Reserve Bank of New York, New York City, November 5, 2015.

http://www.bis.org/review/r151111a.htm

Newspaper Articles on Corporate Governance

Compliance ‘Culture’—A Timeline of Regulator’s Comments, The Wall Street Journal (Feb. 5, 2016).

• The article identifies six quotations from financial regulators around the world vocalizing the importance of “culture.”  For example, Commissioner Greg Tanzer of the Australian Securities & Investments Commission stated, “[g]ood conduct means not just ensuring compliance with the law and not just avoiding the boundaries or grey areas of the law.”

OCC Says Boards Responsible for Overseeing Banks’ Culture, The Wall Street Journal (Jun. 9, 2015)

• Following the release of Comptroller Curry’s prepared remarks before the Prudential Bank Regulation Conference, the article discusses how Curry’s suggestion that banks’ boards of directors are responsible for their firm’s culture is the latest indication that regulators are expecting boardrooms to help keep Wall Street out of trouble.

White papers on Corporate Governance and Culture

Financial Stability Board, Guidance on Supervisory Interactions with Financial Institutions on Risk Culture (April 7, 2014) 

http://www.fsb.org/wp-content/uploads/140407.pdf?page_moved=1

• Sets out effective practices for building a sound risk culture and implementation at corporate level.

The Clearing House Association updated Guiding Principles for Enhancing U.S. Banking Organization Corporate Governance (July 24, 2015)

https://www.theclearinghouse.org/issues/banking-regulations/dodd-frank/corporate-governance/20150624-tch-revises-guiding-principles-on-corporate-governance

G20/OECD Principles of Corporate Governance (Nov. 30, 2015)

http://www.oecd-ilibrary.org/governance/g20-oecd-principles-of-corporate-governance-2015_9789264236882-en;jsessionid=r317qbh1e8gq.x-oecd-live-02

• Describes a well-developed traditional model of shareholder rights, disclosure, limitations of conflicts, fair secondary markets, management accountability to shareholders, independent audit, board oversight.  Closer to U.S. model than BIS.

G-30 Banking Conduct and Culture: A Call for Sustained and Comprehensive Reform, G30 Working Group (Jul. 2015).

• The report addresses the governance challenges facing the world’s largest banks, their boards, their management, and the supervisors who oversee the health of the financial system as a whole, and the economic sustainability and strength of individual firms.  Describes effective practices for defining and implementing a strategy, culture, ethics, compliance program.

Ethics & Compliance Initiative, Principles and Practices of High Quality Ethics & Compliance Programs,  (Dec. 2, 2015).

• The report defines the principles and practices of high-quality ethics and compliance programs, noting that high-quality programs distinguish themselves because they not only seek to comply with legal and regulatory expectations; they integrate ethics and compliance thinking and practice into everyday operation of the organization, they are not satisfied with a mere “check-the-box” effort, they assess and mitigate risk and prioritize the creation of a culture where concerns can be raised, they hold themselves accountable – both internally and externally – for prompt, responsible action when misconduct occurs, and they implement strategies that are continually documented, measured, evaluated and improved.

Relevant Older Regulatory Materials

12 C.F.R. 363 (FDIC audit rule defining director “independence”): 

https://www.fdic.gov/regulations/laws/rules/2000-8500.html

FDIC Risk Management Manual of Examination Policies, Section 9.1 – Bank Fraud and Insider Abuse (Apr. 26, 2005).

• This section of the risk management manual identifies that complete dominance of an institution’s policies and administration by one or a few directors may lead to inept management at lower levels and establishes certain warning signs of corporate culture problems.

FDIC Pocket Guide for Directors

https://www.fdic.gov/regulations/resources/director/pocket/

12 U.S.C. 1831p-1 (standards for safety and soundness)

12 C.F.R. 30 and Appendices (OCC Safety & Soundness Standards, including governance control and compliance program requirements)

https://www.gpo.gov/fdsys/pkg/CFR-2010-title12-vol1/pdf/CFR-2010-title12-vol1-part30.pdf

OCC Directors Book, booklet for national bank directors on role and duties of a bank director:  http://www.occ.gov/publications/publications-by-type/other-publications-reports/The-Directors-Book.pdf

OCC Director’s Toolkit

http://www.occ.treas.gov/publications/publications-by-type/other-publications-reports/directors-toolkit.html

Federal Reserve, Commercial Bank Examination Manual, Section 5000 (Duties and Responsibilities of Directors).  http://www.federalreserve.gov/boarddocs/supmanual/supervision_cbem.htm