The Fed Inserts Itself into Corporate Governance Above State Corporate Law, Federal Law and Stock Exchange Requirements
Much has been written about the increasing responsibilities of the Board of Directors for risk oversight and the changes in corporate governance that these additional responsibilities often require. The question of how management should best be organized to respond to the imperative to more carefully assess, identify and mitigate risk across the enterprise has also received significant attention.
Significant deficiencies in risk management in the banking industry contributed to and exacerbated the recent financial crisis. In response, the Board of Governors of the Federal Reserve System ("Federal Reserve") has issued Proposed Enhanced Prudential Standards and Early Remediation Requirements for Covered Companies to implement Section 165(b)(1)(A) and Section 165(h) of the Dodd-Frank Act (the "Proposed Rule").1 The Proposed Rule introduces enhanced risk management standards for both: (i) "covered companies"; and (ii) bank holding companies with total consolidated assets of $10 billion or more that are publicly traded and are not covered companies ("over $10 billion public bank holding companies") (collectively, "Covered Institutions").2 These standards require all Covered Institutions to establish a Board of Directors level risk management committee, a requirement that is somewhat inconsistent with the corporate governance standards of the various national securities exchanges. Covered companies must also appoint a Chief Risk Officer. These proposed requirements represent clearly emerging trends in corporate governance. If adopted in their current form, over time, they also will likely become best practices for many other companies that are not subject to the Federal Reserve's Dodd-Frank risk management requirements.
Statutory Impetus of the Proposed Rule
As mentioned above, the two primary risk management requirements in the Proposed Rule are issued pursuant to statutory mandates under the Dodd-Frank Act. First, Section 165(b)(1)(A) of the Dodd-Frank Act requires the Federal Reserve to establish overall risk management requirements as part of the prudential standards to ensure that strong risk management standards are part of the regulatory and supervisory framework for covered companies, as defined by the Dodd-Frank Act.3 Second, Section 165(h) of the Dodd-Frank Act directs the Federal Reserve to issue regulations requiring Covered Institutions to establish Risk Committees.4 Section 165(h) of the Dodd-Frank Act further mandates that such Risk Committees be responsible for the oversight of the enterprise-wide risk management practices of the company and include such number of independent directors as the Federal Reserve may determine appropriate. The Risk Committee must include at least one risk management expert with experience in identifying, assessing, and managing risk exposures of large, complex financial firms.
In addition, consistent with Section 165(b)(1)(A)(iii) of the Dodd-Frank Act, §252.126(d) of the Proposed Rule requires covered companies to appoint a Chief Risk Officer and describe the role and responsibilities, expertise, and reporting lines of such Chief Risk Officer.
The specific requirements regarding Risk Committees and Chief Risk Officers are discussed in detail below.
The Proposed Rule requires Covered Institutions to establish an enterprise-wide Risk Committee of the Board of Directors. When reviewing the Risk Committee requirements, it becomes clear that the Federal Reserve borrowed heavily from Securities and Exchange Commission ("SEC") and national securities exchange requirements applicable to Audit Committees.
- Independent Committee Chair. Section 252.126(b) of the Proposed Rule establishes requirements governing the membership and proceedings of a company's Risk Committee and proposes that a Covered Institution's Risk Committee must be chaired by an independent director.5 The Federal Reserve noted that it views the active involvement of independent directors "as vital to robust oversight of risk management and encourages companies generally to include additional independent directors as members of their Risk Committees."6
Director independence is a fundamental concept in federal securities law, the corporate governance listing standards of the national securities exchanges and in corporate governance principles generally. The Federal Reserve recognized this and has proposed to refer to the definition of "independent director" in the SEC's Regulation S-K for companies that are publicly traded in the United States. Under this definition, the Federal Reserve would not consider a director to be independent unless the company indicates in its securities filings that the director satisfies the applicable independence requirements of the national securities exchange on which the company's securities are listed.7
The Federal Reserve goes on to provide that "in the case of a director of a covered company that is not publicly traded in the United States, the Proposed Rule would provide that the director is independent only if the company demonstrates to the satisfaction of the Federal Reserve that such director would qualify as an independent director under the listing standards of a securities exchange, if the company were publicly traded on such an exchange."8 Presumably, these determinations would be on a case-by-case basis, as appropriate, analyzing the indicia of independence in the applicable national securities exchange's requirements, including compensation limitations and business relationship prohibitions, in the same way that Boards of Directors currently make such determinations pursuant to SEC requirements.
- Risk Management Expertise. Similar to federal securities laws and national securities exchange requirements for Audit Committees, the Proposed Rule requires at least one member of a Risk Committee to have risk management expertise that is commensurate with the company's capital structure, risk profile, complexity, activities, size, and other appropriate risk-related factors. The term "risk management expertise" means: (i) an understanding of risk management principles and practices with respect to bank holding companies or depository institutions, or, if applicable, nonbank financial companies, and the ability to assess the general application of such principles and practices; and (ii) experience developing and applying risk management practices and procedures, measuring and identifying risks, and monitoring and testing risk controls with respect to banking organizations or, if applicable, nonbank financial companies. However, the Federal Reserve goes on to note that, given the importance of risk management oversight, the Federal Reserve expects that all Risk Committee members will have an understanding of risk management principles and practices relevant to the company. Risk Committee members are also required to have experience developing and applying risk management practices and procedures, measuring and identifying risks, and monitoring and testing risk controls with respect to banking organizations (or, if applicable, nonbank financial companies).9 The Federal Reserve reiterated its view that the requisite level of risk management expertise for a Risk Committee can vary depending on the risks posed by the company to the stability of the U.S. financial system and Risk Committee members should have risk management expertise commensurate with the company's capital structure, risk profile, complexity, activities, size and other appropriate risk-related factors.
This is a critical conclusion that could allow the Federal Reserve to "second guess" expertise determinations by a Board of Directors and insert the Federal Reserve into the boardroom.
- Procedural Requirements. The Proposed Rule also would establish certain procedural requirements for Risk Committees. This is also consistent with national securities exchange requirements for listed companies.10 The Proposed Rule requires:
- the Risk Committee to have a formal, written charter that is approved by the company's Board of Directors;
- the Risk Committee to meet regularly and as needed;
- the Covered Institution to fully document and maintain records of such proceedings, including risk management decisions.
- Responsibilities of Risk Committee. Section 252.126(c) of the Proposed Rule generally requires a Risk Committee to document and oversee the enterprise-wide risk management policies and practices of the Covered Institution. Consistent with the enterprise-wide risk management requirement in Section 165(h)(3)(A) of the Dodd-Frank Act, a Risk Committee would be required to take into account both U.S. and foreign operations as part of its enterprise-wide risk management oversight.
Once again, the Federal Reserve notes that while an appropriate risk management framework must be commensurate with the company's capital structure, risk profile, complexity, activities, size, and other appropriate risk-related factors, there are certain components that a risk management framework must include. These include:
- risk limitations appropriate to each business line of the company
- appropriate policies and procedures relating to risk management governance, risk management practices, and risk control infrastructure
- processes and systems for identifying and reporting risks, including emerging risks
- monitoring compliance with the company's risk limit structure and policies and procedures relating to risk management governance, practices, and risk controls
- effective and timely implementation of corrective actions
- specification of management's authority and independence to carry out risk management responsibilities
- integration of risk management and control objectives in management goals and the company's compensation structure.11
Section 252.126(b)(5) of the Proposed Rule sets forth three additional requirements for Risk Committees of Covered Institutions based on the Federal Reserve's conclusion that the requirements should be commensurate with the risk an organization poses to the U.S. financial system:
- The Risk Committee must not be housed within another committee and must not be part of a joint committee;
- The Risk Committee must report to the Board of Directors
- The Chief Risk Officer must report to and provide regular reports to the company's Risk Committee.
The Federal Reserve noted that it "does not currently impose regulatory risk management standards on bank holding companies generally and that it has addressed risk management through supervisory guidance." The standards set forth in the Proposed Rule are more stringent for Risk Committees of covered companies than for Risk Committees of over $10 billion public bank holding companies. This is consistent with the Federal Reserve's conclusion that the expertise of the Risk Committee membership should be commensurate with the complexity and risk profile of the organizations.
Notably, the Federal Reserve emphasizes that "the Risk Committee and overall risk management requirements contained in the proposed rule supplement the Federal Reserve's existing risk management guidance and supervisory expectations."12
Chief Risk Officer
Consistent with Section 165(b)(1)(A)(iii) of the Dodd-Frank Act, Section 252.126(d) of the Proposed Rule requires covered companies to appoint a Chief Risk Officer and describe the officer's role and responsibilities, expertise, and reporting lines. Specifically, the Proposed Rule requires:
- Appointment. The appointment of a Chief Risk Officer to implement and maintain appropriate enterprise-wide risk management practices for the company.
- Responsibilities. Specified roles and responsibilities for the Chief Risk Officer, which include:
- Designation of specific responsibilities and direct oversight for allocating delegated risk limits and monitoring compliance with such limits
- establishing appropriate policies and procedures relating to risk management governance, practices, and risk controls
- developing appropriate processes and systems for identifying and reporting risks, including emerging risks
- managing risk exposures and risk controls; monitoring and testing risk controls
- reporting risk management issues and emerging risks
- ensuring that risk management issues are effectively resolved in a timely manner.
- CRO Expertise. The Chief Risk Officer must have risk management expertise that is commensurate with the covered company's capital structure, risk profile, complexity, activities, size, and other appropriate risk-related factors.
- CRO Reporting lines. The covered company's Chief Risk Officer must report directly to the Risk Committee and the chief executive officer.
- CRO Compensation. The Chief Risk Officer must be appropriately compensated and incentivized to provide for an objective assessment of the risks taken by the covered company.
- Oversight. The Chief Risk Officer must directly oversee the following responsibilities on an enterprise-wide basis:
- Allocating delegated risk limits and monitoring compliance with such limits;
- Implementation of and ongoing compliance with, appropriate policies and procedures relating to risk management governance, practices, and risk controls and monitoring compliance with such policies and procedures;
- Developing appropriate processes and systems for identifying and reporting risks and risk-management deficiencies, including emerging risks, on an enterprise-wide basis
- Managing risk exposures and risk controls within the parameters of the company's risk control framework
- Monitoring and testing of the company's risk controls
- Reporting risk management deficiencies and emerging risks to the enterprise-wide Risk Committee
- Ensuring that risk management deficiencies are effectively resolved in a timely manner.13
- Restructuring Board Committees. In order to comply with the Proposed Rule, companies will have a significant amount of corporate governance work to undertake at both the management and Board level. A review of public filings by public companies reveals a wide variety of approaches at the Board of Directors level for risk responsibility, with a separate Risk Committee being a minority practice but trending up since 2009. Based on public filings, Board of Directors' risk management responsibilities have been either:
- dispersed functionally in several committees based on the functional expertise of the committee
- in the Audit Committee, consistent with national securities exchange corporate governance guidelines
- jointly in the Audit Committee and one other committee
- at the full Board, with no single committee having responsibility
- in a separate Risk Committee.
However, the applicable national securities exchanges' Corporate Governance Listing Standards generally specify that the Audit Committee must bear responsibility for risk management policies and procedures. Even when the Board of Directors has delegated risk management responsibility, such responsibilities often remain under the Audit Committee's charter responsibilities.
The Proposed Rule requires companies to make significant changes to the corporate governance structures at the Board of Directors level and raises a number of issues, including some about whether a single Risk Committee is the best way to promote the objectives that prompted the Proposed Rule's issuance. For example, some companies had decided to divide responsibility for risk management among committees with the appropriate functional areas of expertise. Under this method, IT risk would be addressed in an IT Committee, credit and financial risk in a Financial Committee, HR risk in an HR and Compensation Committee, financial reporting and disclosure risk in the Audit Committee, and so on. These committees, the experts in their respective areas, then report to the Board of Directors under the oversight of the Audit Committee pursuant to the applicable national securities exchange rules. The Proposed Rule would force a new committee to replicate what, in many cases, these other Board Committees are already doing and could require:
- the rewriting of all Committee charters;
- creation of a new charter for the Risk Committee consistent with the requirements of the Proposed Rule;
- independence testing and analysis of directors (although already being done for Audit Committees) and certification as part of the appointment;
- expertise and qualification determinations (with Board of Directors oversight and subjective assessment).
- Director Liability. The determination of roles and responsibilities for the Risk Committee will over time raise a number of new director liability issues under state corporation law as courts apply business judgment rules to these newly prescribed responsibilities that have no precedent. Adoption of the Proposed Rule will create new standards of care to which directors will be held, as well as new potential exposure under federal banking law enforcement statutes. In addition, the prescriptive nature of the responsibilities of the Risk Committee and the Chief Risk Officer clearly moves the Board of Directors beyond its traditional role of oversight into a higher, more proactive role in management; this also raises new potential director liability concerns.
- Reconciliation with Exchange Rules. Certain provisions of the Proposed Rule are inconsistent with national securities exchange rules even though the Federal Reserve explicitly made its independence test the same as the SEC's and the exchanges'. For example, pursuant to Section 303A.07 of the NYSE Corporate Governance Standards, the Audit Committee has responsibility, although not exclusive, to discuss policies with respect to risk assessment and risk management. The Commentary to Section 303A.07(b)(1)(B)(iii)(D) of the NYSE Corporate Governance Standards states:
"While it is the job of the CEO and senior management to assess and manage the listed company's exposure to risk, the audit committee must discuss guidelines and policies to govern the process by which this is handled. The audit committee should discuss the listed company's major financial risk exposures and the steps management has taken to monitor and control such exposures. The audit committee is not required to be the sole body responsible for risk assessment and management, but, as stated above, the committee must discuss guidelines and policies to govern the process by which risk assessment and management is undertaken. Many companies, particularly financial companies, manage and assess their risk through mechanisms other than the audit committee. The processes these companies have in place should be reviewed in a general manner by the audit committee, but they need not be replaced by the audit committee."
- Reconciliation with Disclosure Requirements. There are a number of risk disclosure requirements in proxy and periodic reporting requirements, such as compensation policy, risk factor disclosure and disclosure regarding internal controls over financial reporting assigned to other committees pursuant to Exchange Rules and the various Board of Directors committee responsibilities, which are not consistent with the Proposed Rule. These will have to be resolved and coordinated.
- Evaluating Company Infrastructure. While many companies have a Chief Risk Officer, the underlying infrastructure at the company level may be inadequate given the new responsibilities or, the Federal Reserve may determine, after reviewing a company's risk management infrastructure and processes, that changes and enhancements are necessary.
- Applicability to Foreign Banks. Sections 165 and 166 of the Dodd-Frank Act apply to any foreign nonbank financial company designated by the FSOC for supervision by the Federal Reserve with respect to its U.S. activities and subsidiaries, and to any foreign banking organization with total consolidated assets of $50 billion or more that is or is treated as a bank holding company for purposes of the Bank Holding Company Act of 1956 pursuant to Section 8(a) of the International Banking Act of 1978. However, the Federal Reserve specifically indicated that this proposal does not apply to foreign banking organizations, and the Federal Reserve expects to issue a separate proposal that would apply the enhanced standards of Sections 165 and 166 of the Dodd-Frank Act to foreign banking organizations. The definition of "covered company" for purposes of the proposal would nonetheless include a foreign banking organization's U.S.-based bank holding company subsidiary that on its own has total consolidated assets of $50 billion or more.
The Proposed Rule included a series of questions on which comments were sought. While the comment period on these questions and the Proposed Rule has expired, the questions themselves are instructive and provide helpful insight into the subjects in which the Federal Reserve is most interested, such as:
- Should the Federal Reserve specify additional qualifications for director independence? If so, what factors should the Federal Reserve consider in establishing these qualifications?
- Should a Board of Directors ever be required to include more than one independent director on its Risk Committee?
- Should the Federal Reserve specify minimum qualifications for risk management expertise on a risk committee or minimum qualifications for a Chief Risk Officer? If so, what type of additional experience or education is generally expected in the industry for such positions?
- What is the appropriate role of risk committee members in overseeing a company's enterprise-wide risk management practices, and is that role effectively addressed by the Proposed Rule?
- Is the scope of review of a company's ERM practices that the Proposed Rule would require appropriate for a committee of the Board of Directors?
- How can the Federal Reserve ensure that a company's risk committee has sufficient resources to effectively carry out the oversight role described in the Proposed Rule?
- Are there alternative structures for the risk committee or alternative approaches to implementing the risk committee requirements that the Federal Reserve should consider?
Whether or not the comments submitted in response to these questions result in any changes to the Proposed Rule, there is no question that the requirements of the Proposed Rule will require significant efforts at the management and Board of Directors governance levels. It is imperative that management and Boards of Directors assume a leading role in ensuring that all risks facing a company are identified and assessed, and that a risk management and compliance system is in place to facilitate the proactive identification, assessment, management and mitigation of those risks. The Board of Directors must make sure that it is fully apprised of risks faced by the company, and that it can make an independent determination that management has implemented and maintained effective enterprise-wide integrated risk management policies and procedures, including internal controls and compliance.