
Effective Bank Governance in the Age of Heightened Expectations

by Paul N. Harris, Secretary and General Counsel, KeyCorp

There has been an intense focus in recent years on the corporate governance of banking organizations, including the role of the board of directors. This focus is part of a larger trend that public corporations have seen over the past decade, with Sarbanes-Oxley and related stock exchange requirements initially driving changes in board structure and composition in ways that have favored strong, independent boards with active, independent committees. Following the financial crisis, U.S. regulatory authorities have also sought to expand the level of engagement, independence and expertise of boards, including in the areas of compliance and risk management.

In many ways, this trend has been useful by strengthening boards and helping them fulfill their traditional oversight role in a more effective way, and public corporations, including banking organizations, have generally embraced these enhancements. However, the accumulation of new responsibilities as well as, in certain cases, the concomitant detailed level of expected board involvement, raises the risk of blurring the line between the board and management. That blurring can make it more difficult for boards to serve their critical function of providing independent and active oversight – or “credible challenge” – of management as well as to focus on business and strategic matters.

As described below, many of the new requirements imposed on banking organization boards are applicable not only to the G-SIB money-center banks but also to leading regional banks. As the list of director responsibilities for these boards continues to grow, it is important for management and directors of banking organizations, as well as regulators and supervisors, to keep in mind that effective board oversight should not be hampered by a “checklist” or compliance mentality to carrying out these responsibilities.

The purpose of this article is to:

  • Discuss certain trends in the manner in which regulators and banking organizations have sought to expand the role of the board of directors,
  • Highlight potential concerns with the aggregate impact of prescriptive regulatory requirements on banking organizations, and
  • Offer a perspective on how banking organizations can achieve effective governance in the current regulatory environment in a manner consistent with the board’s traditional oversight role.

Enhanced Board Responsibilities

The U.S. regulatory authorities have imposed new responsibilities upon boards of directors of banking organizations and have issued proposals that could further add to those responsibilities. Many of the new responsibilities are intended to promote greater board involvement in risk governance, compliance, and internal controls. In this respect, the new rules have been helpful in reaffirming that risk and compliance program oversight functions are integral components of a board’s responsibilities. In exercising their oversight responsibilities in this regard, boards must receive and sufficiently understand accurate and timely information regarding existing and emerging risks that may have a significant financial or reputational impact on the bank.1

New or proposed U.S. federal requirements intended to enhance board risk management or compliance responsibilities – and/or the ability to execute those responsibilities effectively – include the following:

  • The Office of the Comptroller of the Currency’s (“OCC”) vendor management guidelines,
  • The Federal Reserve Board’s (“FRB”) Dodd-Frank Section 165 rules on the risk committee and risk management (the “FRB Enhanced Standards”),
  • The OCC’s proposal to formalize its “heightened expectations” program for risk governance and boards of directors,
  • The FRB’s guidance on board and audit committee responsibilities with respect to internal audit, SR 13-1 (January 23, 2013),
  • The FRB’s supervision and regulation letter on the consolidated supervision framework for large financial institutions, SR 12-17 (December 17, 2012), which applies not only to “LISCC” firms – the largest, most complex institutions – but also to other banking organizations with $50 billion or more in assets, and
  • Risk management and corporate governance components of rules and guidance on capital planning, stress testing, resolution planning, sound incentive compensation, and the Volcker Rule.

Certain of the requirements apply to banking organizations generally, and others apply to organizations with assets over $10 billion or $50 billion, so this is a concern not just for G-SIBs but also for regional banks generally.

Potential Risks Raised by This Regulatory Approach

The maintenance of the separate roles of the board and management is essential for boards to perform their unique oversight function. Where new requirements are imposed in prescriptive ways or include language that could be interpreted as re-casting this well-understood relationship, they can make it challenging for boards to remain focused on satisfying their larger role of providing critical and probative oversight and guidance on strategy and emerging risks and trends.

While the time spent by bank boards has increased in recent years, there is still necessarily a finite amount of time and attention that the directors can spend on their duties. Spending a significant amount of time on specific compliance responsibilities necessarily means that the board will have less time to spend on major business issues and the strategic direction of the company.2 Also, the detailed, prescriptive nature of some of the requirements creates the risk of blurring the line between the oversight role of the board and management’s responsibility to manage the day-to-day operations of the business. This could potentially compromise the board’s functioning as an independent oversight body. This is not simply a theoretical risk but a real-world risk with significant governance implications.

Moreover, the confluence of the fiduciary responsibilities that directors have under state laws and the prescriptive requirements under federal laws and regulations may create contradictory expectations for the boards of banking organizations. As an example, regulatory expectations with respect to approval of corporate policies and contracts that are routine but deemed to involve significant risks will invariably limit a board’s time to address emerging business issues that the board must consider to fulfill its fiduciary responsibilities under state law.

Finally, increasing regulatory expectations may adversely impact a financial institution’s ability to recruit talent. In a dynamic and challenging environment, it is ever more important that boards be able to attract diverse talent, including directors with experience outside of the financial services industry. In this regard, it is important to note that boards often recruit from the same pool of talent as commercial entities that are not subject to the same level of supervisory expectations.

These concerns have been recognized by a number of commentators and, in some cases, regulators:

  • The final FRB Enhanced Standards, while still placing significant specific responsibilities on the board, reflect changes from the proposal that were expressly in recognition of the distinct roles played by the board and management with respect to risk management.3
  • The Group of Thirty (G30) reports on corporate governance (2012) and interaction between boards and supervisors (2013) stress that boards should “focus on strategy, risk governance, and the quality of management, and guard against spending too much time on compliance activities.”4
  • As discussed further in the next section, maintaining the appropriate role of the board is a significant focus of NURFS’s Guiding Principles for Enhancing Banking Organization Corporate Governance (the “NURFS Guiding Principles”), which NURFS initially published in 2012 and is in the process of updating.

While direction from the regulatory community on matters that warrant board attention is important for boards to carefully consider, flexibility in how boards implement regulatory requirements can, likewise, lead to several benefits. For example, in general, boards should have the flexibility to allow board committees (rather than the full board) to exercise oversight responsibilities, as the board may determine, with committees reporting back to the full board as appropriate. This can allow more focused and efficient board oversight on specific topics.

Allowing such flexibility is consistent with the view that an essential component of effective governance is for individual institutions to determine which governance structures make the most sense for their particular circumstances. Put simply, flexibility emphasizes that “one size does not fit all.” Different institutions have different business models and risk profiles, and what works best for one institution may not work best for another. This is a fundamental precept of the NURFS Guiding Principles.

Perspectives on Achieving Sound Governance Practices in the Current Regulatory Environment

The concerns discussed above with regard to overly prescriptive regulations are not intended to downplay the critical role of supervisory guidance and input regarding the role of the board. They are meant to outline considerations that should be taken into account as banking organizations work in collaboration with their regulators to further enhance their governance structures. In this regard, banking organizations have made substantial progress in recent years in enhancing their corporate governance practices, including with regard to the oversight of risk management and compliance with laws and regulations.

Set forth below are a number of areas of focus that can help banking organizations and their boards further enhance their governance processes and comply with regulatory requirements in a manner consistent with the traditional oversight role of the board. These are generally consistent with the NURFS Guiding Principles, which are currently being updated to reflect U.S. and global supervisory guidance and regulations imposing new requirements or expectations on bank boards of directors as well as emerging practices in the area of corporate governance.

The NURFS Guiding Principles were designed to provide guidance on core corporate governance issues for U.S. banking organizations and to inform the global dialogue on governance topics. As previously noted, particular areas of focus of the NURFS Guiding Principles are preserving the distinct and critical role of the board, with responsibilities different from those of management, and providing flexibility to address different business models and risk profiles.

Establishing a Tone-at-the-Top

NURFS member organizations acknowledge the crucial role that the board of directors should play in providing oversight for a banking organization’s risk governance framework and its compliance with laws and regulations and in establishing a “tone-at-the-top” for the ethical, compliance, and risk culture of the organization. The NURFS Guiding Principles recognize that the board of a banking organization should set the ethical “tone at the top” by overseeing the development of a code of conduct applicable to directors, officers, and employees of the organization and should oversee management’s establishment and implementation of a system designed to promote compliance with applicable laws and regulations, including internal and external audit processes and controls.

It is also critical for organizations to create an environment where business personnel are fundamentally responsible for the risks in their businesses. A risk or control function should not be seen as an “opponent” or impediment by those individuals who can expose the company to significant risks. This is a component of establishing the right “tone-at-the-top” from a risk and compliance standpoint. Regulators, too, have indicated that the boards of banking organizations should play a key role in establishing the culture for their institutions. This is reflected in SR 12-17 and is frequently emphasized in speeches made by regulatory officials.

Enhancing the Risk Focus of Boards

In recent years, banking organizations have increased their focus on risk management structures at the board level and within management. The NURFS Guiding Principles reinforce the crucial role that the board should play in reviewing the nature and level of risk that the organization is willing to assume in order to achieve its business objectives and in overseeing the framework for managing and controlling risk-taking.

An increasing number of banking organizations have established stand-alone risk committees, and even those that have not have worked to improve risk oversight by the board or board committees.5 The NURFS Guiding Principles suggest that the board of the top-tier entity within a banking organization should have a committee to monitor its risk management systems and control procedures for identifying, assessing, and managing its risk exposures. In addition, the NURFS Guiding Principles provide that this committee should include at least one member with substantial risk management knowledge and experience.

Banking organizations with multiple entities have, in many cases, developed comprehensive risk management and control frameworks that take into account the risks and requirements applicable to specific entities, including bank subsidiaries, but that also monitor firm-wide exposures and leverage centralized risk management expertise. The key role played by the Chief Risk Officer (“CRO”) with respect to enterprise risk management is now widely accepted, and in recognition of that role, it is common for the CRO to report to the Chief Executive Officer and, in some cases, to a board committee.6

Material risk-related information should be presented to the board in a manner that allows board members to perform their oversight function effectively, but the appropriate reporting and control structures will differ for each organization. It is most helpful for the development of effective governance structures if regulations do not crystallize particular structures in a way that forestalls future improvement or limits flexibility.7 Each institution should work with its examiners to make sure that the examiners are comfortable that the governance structure being used is appropriate for that institution and should consider changes, as appropriate, to reflect feedback from the examiners.

Additional Supervisory Interaction with Boards of Directors

One of the most sensitive corporate governance issues concerns the appropriate degree of interaction between regulators and directors. Open and honest communication between board members and regulators can help directors and regulators fulfill their responsibilities more effectively. Communication between banking organizations and regulators should be a two-way street. Regulators can learn more about the banking organization from directors, and regulators can provide directors with useful information about industry trends and supervisory expectations.

Recognizing the need for such interaction, the NURFS Guiding Principles provide that the board of a banking organization should seek to meet with the organization’s principal regulators on a regular basis and should indicate to each principal regulator its willingness to meet with the regulator at any time, including in executive session. On the other hand, the presence of regulators at regularly-scheduled board or committee meetings focused on bank business matters can have a chilling effect on vigorous discussions at these meetings. Accordingly, as a general matter, examiner attendance at board or committee meetings should be reserved for special sessions of the board or committee focused on specific issues that warrant heightened interaction.

Once again, the larger, overarching point is that each institution should constructively work with its examiners to make sure that they are comfortable with the particular governance structure being employed by the institution. Changes should be made, as appropriate, to reflect feedback from examiners. It is hard to imagine an effective regulatory system where there is not collaboration between banking organizations and regulators on governance matters; conversely, a prescriptive, punitive environment may discourage collaboration and, therefore, be counterproductive.

Quality of Information Provided to the Board

One of the key challenges for any banking organization and its board is to manage complexity and increased regulatory and supervisory requirements without risking board overload. The board must work with management to develop a streamlined and well-thought-out information flow to allow the board to make informed, strategic judgments and effectively challenge management’s performance and decision making. Too much detail can obscure the important trends and key information while too little detail can prevent the board from having a sufficient understanding of the issues being addressed.

As previously noted, the issue of informational overload also comes up with respect to the common regulatory requirement that boards “approve” various policies or processes (or, in certain cases, even certain contracts). As a practical matter, such board approvals will need to be at an appropriate level of oversight, and this requires management to provide suitable summary material to allow the board to understand the key elements of these policies, processes or contracts that are relevant to their approval decision.

Many banking organizations have made tremendous strides in recent years in working with their boards to ensure that board materials present an appropriate level of detail and allow the board to make informed judgments. Directors should think critically about the form and scope of information provided to them and raise with management the need for any additional information or alternative presentation formats that would be helpful.

Continued Development of Bank Governance

The increased focus on boards of directors of banking organizations has, as a general matter, resulted in improved governance at banking organizations. Banking organizations and their regulators can best advance the development of bank governance by emphasizing areas of appropriate focus for bank boards and management in ways that do not impose management-type responsibilities on boards.

Banks and their supervisors should engage in continuing dialogue on the ways in which a particular bank’s governance structure suits its own particular circumstances. Two-way dialogue between banks and supervisors should be a productive tool to achieve this end.

1 See generally, Herlihy, Edward D. and Makow, Lawrence S., A Federal Reserve Wake-Up Call to Directors of Financial Institutions (noting that “. . . the flow of regulatory initiatives from the Federal Reserve and the other banking regulators is significantly altering supervisory practice, including regulatory expectations of the roles of the board and of individual directors”).

2 This point was addressed by Federal Reserve Governor Daniel Tarullo in a June 9, 2014 speech, in which he notes that it has “perhaps become a little too reflexive a reaction on the part of regulators to jump from the observation that a regulation is important to the conclusion that the board must certify compliance through its own processes” and that regulators “should probably be somewhat more selective in creating the regulatory checklist for board compliance and regular consideration.” Governor Tarullo noted as an example the Federal Reserve’s supervisory guidance regarding board review of “Matters Requiring Attention” (MRAs), noting that “[t]here are some MRAs that clearly should come to the board’s attention, but the failure to discriminate among them is almost surely distracting from strategic and risk-related analyses and oversight by boards.” Speech by Governor Daniel K. Tarullo at the Association of American Law Schools 2014 Midyear Meeting, Washington, D.C. (June 9, 2014).

3 For example, the final FRB Enhanced Standards require the board’s risk committee to approve and periodically review the enterprise-wide risk management “policies” of the company rather than document, review, and approve the risk management “practices” of the company under the proposal.

4 The Group of Thirty is an international body composed of senior representatives of the private and public sectors and academia. See Group of Thirty, “A New Paradigm: Financial Institution Boards and Supervisors” (2013) at 33. See also Group of Thirty, “Toward Effective Governance of Financial Institutions” (2012) at 40: “[I]t is essential that the board remain independent and allow management to execute the day-to-day activities of the organization.”

5 For the largest banking groups subject to the risk committee requirements of Section 165 of Dodd-Frank, the initial compliance deadline for the establishment of a stand-alone risk committee is January 1, 2015. See The FRB Enhanced Standards, 79 Fed. Reg. 17240 at 17317-17318 (March 27, 2014).

6 The dual reporting requirement (to both the Chief Executive Officer and the board’s risk committee) for the CRO under Section 165 of the Dodd-Frank Act is effective January 1, 2015. See The FRB Enhanced Standards at 17317-17319. The Chief Risk Executive would be required to report to the Chief Executive Officer under the OCC’s proposal to formalize its “heightened expectations” program. See OCC, Proposed Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations and Insured Federal Branches, 79 Fed. Reg. 4282 at 4297 (January 27, 2014).

7 See generally, Cohen, H. Rodgin, Message From the Senior Chairman of Sullivan & Cromwell (noting that “…superior risk management cannot ultimately be legislated or regulated… [but] must be a function of a company’s own culture and commitment”).