Although a quick read of this FIL makes it seem that it only addresses the proper use of confidential information after the institution is placed into receivership, it really has implications for the bank officers, directors and legal counsel of all financial institutions. I’ll explain that in a moment, but first the FIL makes the following points:
- Officers and directors have a fiduciary responsibility to act in the best interests of the institution at all times.
- In the pursuit of that responsibility, access to institution records is essential.
- If the institution goes into receivership, the receiver (FDIC) becomes the owner of the institutions’ records.
- Officers and directors of failed or failing institutions who remove FI records in anticipation of litigation or enforcement activity against them may be in breach of their fiduciary duty.
It has been my experience that the vast majority of FIL’s are issued re-actively, instead of pro-actively, so I think it’s safe to assume that the FDIC has actually seen occasions where financial institution records have been removed and used by officers and directors for reasons other than for the benefit of the institution. So if you are an officer or director, the clear message here is that using FI records to prepare for or defend against litigation is acting in your best interests, NOT the best interests of the institution*. And legal counsel representing officers and directors must not advise their clients to copy or remove institution records under penalty of civil money penalties, consent orders, or removal and prohibition from the banking industry.
In addition to the “fiduciary responsibility” argument against possessing records, the FDIC also make an argument from confidentiality (GLBA Part 364b , SAR confidentiality, and Fair Credit Reporting regulations), and this has very real implications for all officers and directors regardless of the financial condition of the FI. Here’s why…how many of your officers and directors receive confidential information? All of them probably, right? Board reports, examination reports, loan packages, audit committee minutes, etc., all are essential to performing their fiduciary duties. Now how many of those records go off-site, and how are those records being secured in transit, use, and storage? Are records stored off-site treated with the same document retention and destruction policies as those stored in-house? The FDIC may not have the same motivation to go after officers and directors of healthy institutions that they do failed ones, but it is clear they expect records to be treated the same regardless of the physical location. How are you distributing this information? We’ve seen an increased interest in institutions using technologies such as iPads and cloud-based portals to distribute director reports, but you must be careful not to let convenience trump security. Use this FIL as an excuse to review your records safekeeping practices and make sure you (and your officers and directors) are adhering to your data confidentiality, security, retention and destruction policies, wherever the data resides.
*The FDIC does recognize that officers and directors may have a legitimate need to access institution records to defend themselves from litigation, but they require that access to be arraigned formally through them, and only after signing confidentiality agreements.