Tag: Board of Directors

20 Apr 2016

FDIC Targets Board Responsibilities

“A topic is at times of such significant interest to bankers and examiners that it warrants a special issue…”  Whenever something from a regulatory body begins this way, all bankers should take notice, and the latest Special Corporate Governance Edition of the FDIC's Supervisory Insights is no exception.  In fact the Guru did a little research, and the last time the FDIC released a Special Edition of Supervisory Insights was the Foreclosure Edition in 2011, which was a post-mortem on the banking crisis.

So all bankers would be well advised to review this latest publication, but community bankers in particular.  The full title is:  A Community Bank Director’s Guide to Corporate Governance: 21st Century Reflections on the FDIC Pocket Guide for Directors.  The emphasis on community banks and bankers is intentional, and the release states right up front that:

“Community banks play a vital role in the nation’s economy and local communities, and a bank’s management – including its directors and senior management – is perhaps the single most important element in the successful operation of a bank.”


Although the FDIC states that this does not constitute new guidance (the original Pocket Guide was issued almost 30 years ago, but the basics haven’t really changed), the fact that they chose this topic and this time to release a special issue indicates that this is almost certainly going to be an area of increased focus for examiners going forward.

If there is one common theme that resonates from this issue it is that directors are expected to play a more active role in the day-to-day affairs of their institutions, and NOT be simply a “rubber stamp” for management.  This sums it up pretty well:

“…a director’s responsibility to oversee the conduct of the bank’s business necessitates using independent judgment and providing a credible challenge.  This entails engaging in robust discussions with senior management and perhaps challenging recommendations at times, rather than simply deferring to their decisions.”

I’ve talked about this concept of “credible challenge” before, which also appears several times in the recent FFIEC Management Handbook, and is defined as “being actively engaged, asking thoughtful questions, and exercising independent judgment.”  In order to do that, directors need access to accurate, timely and relevant information.  Board reports, once very high-level, should now include sufficient detail to allow members to comprehend (and if necessary, challenge) management decisions.

Make sure your IT management systems and processes are capable of producing these Board-level summary reports, then get them in front of the Board and into the Board minutes.  And be prepared for two things going forward: first, examiners WILL ask for these Board minutes and expect to see evidence of more engagement.  And secondly, expect Board meetings to become a lot more spirited!

03 Jan 2013

FDIC Files Record Number of Lawsuits in 2012 – 2015 UPDATE

UPDATE 2: We did in fact see a significant decrease in O&D lawsuits over the past few years:

[Chart: O&D lawsuits, 2015]


UPDATE: Apparently one of the most common requests of the FDIC from bankers is for more technical assistance and training.  The FDIC has responded, and I do not believe it is coincidental that the first set of new videos released is a new series titled “New Director Education Series” aimed at bank Directors.

The numbers are in for 2012, and for the fourth year in a row the FDIC has filed a record number of officer and director lawsuits. According to the Statement Concerning the Responsibilities of Bank Directors and Officers adopted in 1992, the FDIC may sue professionals who they believe played a role in the failure of the institution. These individuals can include officers and directors, attorneys, accountants, appraisers, brokers, or others.

[Chart: 2012 FDIC lawsuits]

The FDIC regulations defining officer and director obligations are explained here, and the key concept to understand is something called the “duties of loyalty and care.”

 “The duty of loyalty requires directors and officers to administer the affairs of the bank with candor, personal honesty and integrity. They are prohibited from advancing their own personal or business interests, or those of others, at the expense of the bank.”

So how can your officers and directors (and others) demonstrate the “duties of loyalty and care” and avoid liability claims?  The FDIC spells it out, and it isn’t really that difficult:

“The FDIC will not bring civil suits against directors and officers who fulfill their responsibilities, including the duties of loyalty and care, and who make reasonable business judgments on a fully informed basis and after proper deliberation.”

Let’s break that last sentence down a bit.  Officers and directors must demonstrate that they made…

  1. …reasonable business judgments…
  2. …on a fully informed basis, and…
  3. …after proper deliberation.

So working backwards, the key to proper deliberation is that you be fully informed, and that requires accurate, timely and relevant information.   Not just data, but actionable information.

The key then, is that financial institutions must take steps to ensure that officers and directors have the information necessary to carry out their responsibilities, and that the deliberation process is appropriately documented.  I’ve written before (Using Technology to Drive Compliance) about how technology (specifically automation) can enable and/or enhance your compliance efforts.  Technology can help extract useful information from mountains of data, and then present that information in a consistent, easy to understand format.

Management committees like the IT committee and the audit committee can provide both a forum for the exchange of information and documentation that the exchange took place.  Make sure all functional units are represented on the committee, and designate someone as the Board representative if possible.  Make sure the committee reports to the Board periodically (preferably quarterly, but at least annually), and don’t underestimate the value of having outside expertise on those committees.  Not only can it add a different perspective, it can also help document that you are truly making an effort to be “fully informed” and that you are “properly deliberating”.

Given the right information, in the right format, and the right setting, perhaps we’ll see this trend slow or even reverse itself in 2013!

16 Feb 2012

FDIC changing annual IT report to Board?

Based on recent examination findings, it would appear that the FDIC is changing what they expect to see in the annual information security report to the Board of Directors.  The requirement for the report is established in the FFIEC Information Security Handbook where it states that a written report to the board should describe the overall status of the information security program, and that at a minimum, the report should address:

  • The results of the risk assessment process
  • Risk management and control decisions
  • Service provider arrangements
  • Results of security monitoring and testing
  • Security breaches or violations, and management’s responses
  • Recommendations for changes to the information security program

However in a recent examination the institution was written up because the FDIC did not believe the report contained enough detail.  They stated that “Board reporting should be expanded and include detail at a minimum for the following areas:

  • The information security risk assessment
  • Service provider agreements
  • Results of testing, audits, examinations or other reviews of the program
  • Any security breaches, violations, or other incidents since the previous report and management responses
  • A summary of information security training provided to employees since the last report
  • Status of the patch management program
  • Status of the Business Continuity Plan and testing results
  • Customer Awareness Program efforts and plans
  • Any recommendations for changes to the information security program”

Comparing the two lists, the items in the examination finding that do not appear in the original guidance are employee training, the status of the patch management program, the status of the BCP and its testing results, and the Customer Awareness Program.  I’m not surprised at the training findings, as I have previously identified both employee and customer training as likely 2012 trends.  Nor am I particularly surprised by the inclusion of the status of the BCP and testing results.  This has been a requirement and an area of increased regulatory focus for a couple of years.  However, it would appear that examiners may now prefer the BCP status update to be a part of the information security update report to the Board.

The inclusion of a patch management status report was a bit surprising though, as in the past this was not reported separately but simply included as one of your many risk management controls.  Perhaps they are looking for more control detail now?  (I plan to address patch management in a future post.)

I was also a bit baffled by the exclusion of “Risk management and control decisions” from the list of findings.  I had also identified the “Management” element as a probable area of increased regulatory scrutiny in 2012, so I’ll keep an eye on future examination findings to see if this actually represents a shift in focus or simply an oversight by the examiners this time.  (Of course a third possibility is that the examiner felt that the “risk management and control decisions” were present and properly documented, but given the other findings I doubt that was the case.)