The FDIC’s Proposed Standards for Corporate Governance and Risk Management
POMERANTZ MONITOR | NOVEMBER DECEMBER 2023
On October 11, 2023, the Federal Deposit Insurance Corporation published for comment in the Federal Register proposed standards for corporate governance and risk management (“Proposed Standards”) for the financial institutions it regulates that have $10 billion or more in total assets (“covered institutions”). Under its safety and soundness powers in Section 39 of the Federal Deposit Insurance Act, the FDIC is able to publish such standards that go beyond mere guidance. The new standards are part of the FDIC’s regulatory response to the bank failures that took place in the spring of 2023. Referring to the post-mortem evaluations conducted by the FDIC and the Federal Reserve Board following the Signature Bank and Silicon Valley Bank failures, the preamble to the Proposed Standards asserts that poor governance and risk management practices were contributing factors that led to the collapse of those banks.
The FDIC’s Proposed Standards are based on the principles set forth in the Office of the Comptroller of the Currency’s Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches (the “Heightened Standards”), but with key differences. The Proposed Standards include more details on what the FDIC expects from the boards of directors as well as the banks that the FDIC regulates. They also set a notably lower minimum asset threshold (five times lower) than the OCC’s Heightened Standards to determine which banks are covered.
The Proposed Standards were approved 3-2: Chairman Gruenberg, CFPB Director Chopra, and acting Comptroller Hsu voted in support; Vice Chairman Hill and Director McKernan voted against the proposal.
Comments on the Proposed Standards are due by February 9, 2024. (This date was extended from the original deadline of December 11, 2023).
Background
The FDIC’s Proposed Standards delve into legal issues that—in the case of banks that do not have a federal charter—have typically been determined by state law. These include the duties and responsibilities of bank boards, directors, and management, including their duties of care and loyalty, as well as related concepts such as the business judgment rule.
While banks are primarily governed by state corporate governance law, there are instances in which federal oversight is enforced. For example, federal law imposes audit standards and a gross negligence “floor” on the conduct of bank directors and officers. Federal law also requires that federal banking regulators impose operational and managerial standards, compensation standards, and appropriate standards relating to asset quality, earnings, and stock valuation.
Specifically, following the poor risk management that led to the 2008 financial crisis, federal banking regulators enacted increased oversight of the governance and risk management of banks. The OCC initially imposed heightened expectations for the governance and oversight of the larger banks that it regulated and, in 2014, it adopted those Heightened Standards as a specialized standard for safety and soundness at larger federally chartered banks. Also in 2014, the Federal Reserve implemented part of the Dodd-Frank Act by establishing several risk management requirements for larger bank holding companies. This was followed in 2021 by expectations for effective governance by larger bank boards.
Proposed Guidelines
Note that in some specific instances, a covered institution may leverage its parent company’s risk management program or board to meet the standards of the Proposed Guidelines.
Obligations Covered directors would have a duty to safeguard the interests of the bank, confirming that the bank operates in a safe and sound manner and in compliance with applicable federal and state law. In supervising the bank, a board should consider the interests of all of its so-called stakeholders, going beyond shareholders and depositors to include creditors, customers and even the regulators themselves.
Composition The Proposed Guidelines set out minimum standards for board composition, requiring a majority of its members to be independent and outside directors. Boards would also be expected to consider the diversity of their members, including social, seniority, and educational differences, among others. The Proposed Guidelines also caution against excessive influence from a “dominant policymaker.”
Duties Covered boards would need to (i) set an appropriate tone and establish a responsible, ethical corporate culture; (ii) evaluate and approve a strategic plan; (iii) approve and annually review policies; (iv) establish and annually review a written code of ethics; (v) actively oversee the bank’s activities, including all material risk-taking activities; (vi) exercise independent judgment; (vii) select and appoint qualified executive officers; (viii) establish and adhere to a formal training program; (ix) conduct an annual self-assessment of its effectiveness; and (x) establish and annually review compensation and performance management programs.
Committees The Proposed Guidelines require boards to maintain a risk committee and compensation committee in addition to the audit committee required by Section 36 of the FDI Act and Part 363 of the FDIC’s regulations. Risk committees would need to meet at least quarterly and maintain records of their proceedings, including risk management decisions.
Risk Management The Proposed Standards would impose expectations for the risk management program that a bank should develop and maintain. These expectations largely match the OCC’s Heightened Standards. For example, like the Heightened Standards, the Proposed Guidelines would require covered institutions to adopt a three-lines-of-defense risk management framework with a front-line unit (exclusive of the legal department), an independent risk management unit led by a Chief Risk Officer, and an internal audit unit led by a Chief Audit Officer.
The Proposed Guidelines provide that the risk management program would need to address a wide variety of potential risk categories, ranging from credit, interest rate, and liquidity risks to anti-money laundering and third-party partnership and outsourcing risks. Further, material breaches of risk limits and emerging risks would need to be reported in a timely manner to the board and the chief executive officer.
Identifying and Reporting Violations of Law The Proposed Guidelines would require a covered institution’s board to establish and annually review processes that would require either front-line units or the independent risk unit to report all violations of applicable laws and regulations to law enforcement or any appropriate federal or state regulatory agency. This would represent a shift from the FDIC’s current practice of encouraging, but not requiring, self-reporting of violations.
Questions The FDIC asks multiple questions in order to scope banks that should be subject to the Proposed Guidelines, including whether FDIC-supervised institutions with $10 billion or more in total consolidated assets is an appropriate threshold and whether other financial institutions should fall under the definition of a covered institutions.
Implications and Objections
Collectively, the escalation of reporting requirements imposed by the proposal would appear to increase the likelihood of FDIC enforcement actions. The rule passed by a 3-2 vote of the FDIC Board. Each of the two Republican-affiliated Board members (Director McKernan and Vice Chairman Hill) issued a public dissenting statement.
Critics such as Director McKernan have pointed out that certain requirements in the Proposed Standards would exceed, or simply differ from, the Heightened Standards in prescriptiveness and stringency, creating confusion. For example, the FDIC sets its threshold for application ($10 billion or more in consolidated assets) much lower than the Heightened Standards (federally chartered banks with at least $50 billion in consolidated assets). The Proposed Standards also lean toward a rules-based approach to corporate governance, in contrast to the principles-based approach that is prevalent under state law. Critics have asserted that the Proposed Standards are presented as “good corporate governance” without appreciating that what is “good” for one bank may not be “good” for another with FDIC Vice Chairman Hill saying regulators need to resist “one-size-fits-all” best practices.
FDIC Director McKernan also asserted in his dissent that the requirement that the bank board “consider the interests of all its stakeholders, including shareholders, depositors, creditors, customers, regulators, and the public” could be at odds with bank directors’ fiduciary duties under applicable state law, for example, if a director voted against the interests of shareholders in order to serve the interests of customers or the “public.”
As mentioned above, the period for comment was extended to close on February 9, 2024.