From TARP to SARs, AML to BSA, and HMDA to CRA, the alphabet soup of state and federal regulations and banking initiatives continues to grow, and directors continue to be inundated with compliance and risk management matters as opposed to focusing on business opportunities in their oversight role. More compliance responsibilities are on the way with the enactment of the Dodd-Frank federal financial reform legislation package signed into law on July 21, 2010.

The present environment continues to exacerbate the always-perplexing issue for bank directors: Who is my constituency? Is it my institution? My shareholders? The regulators? Which master do I serve?  

In banking, the answer, from a practical perspective, is all of the above. Not perhaps from a strictly legal perspective where the fundamental director duties of care and loyalty to the institution remain the primary rule, but rather from the perspective that, in the banking industry perhaps more than any other, a critical part of the business plan and part of the responsibility of the board, consistent with their duty of care, is to understand and manage the government relationships and the complex plethora of issues relating thereto. Regulatory issues and compliance considerations are an integral part of the business of banking, and especially so in the current environment. In this industry, particularly at this time, the regulatory oversight and compliance burdens that impact and accompany investment in a banking organization is an expected and important (and normal) part of the business of banking. Not a part of the business that bank investors or bankers particularly like, but a very normal and important part of the business nonetheless.  

Opportunities for conflicts abound. When does the interest in safety and soundness from a regulatory perspective, including implementing and enforcing regulatory capital ratios and capital retention, trump the interests of shareholders in receiving a dividend? When does the interest in prudent growth from a regulatory perspective trump the interests of shareholders in expansion that otherwise appears appropriate from a board and management perspective? When does the cost and expense of developing and implementing a detailed enterprise risk identification and management program trump profit opportunities for the institution? When does the financial expense of securing a “1” rating in compliance become a justifiable expense from a shareholder perspective?  

The present reality in the banking industry is that, while these may be interesting issues to ponder from a conceptual perspective, the agencies have sufficient enforcement weapons in their arsenals to provide that failure to pay appropriate attention to regulatory and governance issues will generate a self-fulfilling prophecy in terms of the institution and its constituencies. It is a known, expected and required part of the program in order to operate in this industry. Compliance requirements and the compliance burden, for better or for worse, clearly constitutes part of the business of banking, and part of the risk and expense that accompanies investment in a banking organization.  

Director management of these potential conflicts requires recognition that the facts and circumstances forming the basis for regulatory concerns are typically, from a practical perspective, consistent with concerns that directors need to address anyway as part of their fiduciary duty of care. While the priorities and approach may differ, it is typically difficult to argue against most of the concepts that agency concerns (and restrictions) generally present in the area of safety and soundness. Assuring institutional safety and soundness is consistent with the director duty of care. Given the significant legal authority and tools available to agencies to address their concerns and implement corrective enforcement measures, including the assessment of substantial civil money penalties, boards choosing to ignore agency concerns and compliance issues do so at considerable peril to themselves, to their institutions and ultimately to their constituencies.  

With the significantly enhanced industry, market, and regulatory focus on compliance and risk management, it can be increasingly difficult for directors to spend much, if any, time focusing on their equally important role (and obligation) of promoting and advancing the actual “business” of the institution. Bank board meeting agendas have been (and will continue to be for the foreseeable future) filled with compliance, risk management, examination, and disclosure matters coupled, perhaps, with some actual business considerations assuming there is any time remaining. Not to suggest that attention to those issues isn’t a critical component of a bank director’s obligations to the institution and its constituencies. It’s just that compliance and risk management issues continue to take unprecedented time and attention away from the business issues of banking, which may have seriously adverse long-term consequences as the business of the bank increasingly takes a back seat and the laws of unintended consequences take hold.  

Despite some perceived confusion on the part of the media and others, banks are still private “for profit” organizations. They happen to be required, by the nature of their business, to be licensed (and regulated) in order to conduct the business of banking but are also still expected to provide returns to investors consistent with safe and sound industry principles. The result is an increasingly difficult balancing act as the constantly looming threat of liability related to compliance and risk management tends to generate an environment of fear and concern, detracting from the underlying business objectives for which the board is also equally responsible. There is no easy answer.  

Banks already have the dubious distinction of being one of the most heavily-regulated businesses on the planet. With the additional burdens of expanded regulatory oversight resulting from the current economic and political environment; a plethora of corporate governance, capital, compensation, and shareholder issues under the Dodd-Frank financial reform legislation and related initiatives; mark-to-market accounting challenges; expanded anti-money laundering initiatives; and enhanced risk-based capital and examination focus, the stakes are being raised to a point where it is difficult to see how boards manage to find any time to conduct the business of banking. The increased compliance focus and associated direct and indirect cost can place a significant additional burden on already-strained bank resources as well as board and management relations, and can easily have the effect of distracting directors (and management) from the underlying business objectives of the organization.

Unfortunately, as earnings take a back seat, access to capital can become increasingly difficult.  

The reality is that the compliance burden tends to have a greater relative impact on smaller institutions with limited resources. Most are simply not equipped to maintain an extensive in-house staff to oversee compliance and risk management issues, and the costs associated with outside assistance can be significant. Larger institutions typically are able to maintain in-house staffs to address the myriad compliance and risk management issues confronting their organizations. Despite the well-intended discussion of regulatory relief for smaller institutions and “tiered” regulation there really isn’t much difference between the compliance needs and obligations of the small institution and the larger institution. As a result, smaller institutions can be disproportionately impacted by this phenomenon.  

Not that that’s news to them.  

With increasing frequency, institutions are dealing with oversight and enforcement activities from an expanded menu of agencies which is likely to expand even further under the current administration proposals. FinCEN’s involvement in BSA oversight and enforcement, the heightened role of the Fed in systemic risk issues, the increased focus on executive compensation, the new involvement of the SIGTARP for TARP recipients, a new federal consumer protection agency for financial institutions, and the heightened involvement of the SEC in investment management activities (as well as in securities enforcement for publicly-held institutions), all serve to increase the already-daunting list of governmental concerns and dictates that banks (and their boards) need to consider for compliance and risk management issues. It’s hard to blame boards for turning their focus to the regulatory topics that pose the most immediate and visible threat, and the most clear and present danger - particularly in this environment.

Potential director conflicts of interest can and sometimes do arise when, for example, the regulatory interest in preserving or increasing capital is juxtaposed against the shareholder interest in maintaining the dividend stream. Part of the expectation and understanding in this industry, however, is the ability of regulatory agencies to strongly “suggest” and, in some instances, demand that dividends be reduced or eliminated in order to preserve capital. The regulatory consequences to the institution of failing to follow the “suggestion” or the order can be more costly to the institution (and its shareholders) in the long run. While there may be a difference of opinion as to the appropriate level, directors typically have, or should have, the same (or similar) concern(s) in exercising their duty of care. The same issues arise in conjunction with day-to-day compliance costs. The reality is that there is no easy answer, and that this is the environment that banks operate in at the present time.  

The impact of continuing economic issues make it unlikely that the present focus on compliance and risk management will abate in the near term. Bankers must take care to maintain an ongoing dialogue with agency representatives and keep them apprised of their compliance and risk management efforts and activities. Sometimes perception becomes reality, so it is important to forestall unfounded concern by making regulators aware of compliance efforts and to address any concerns early. Credibility is key. There is no doubt that assuring the adequacy of controls and compliance with laws and regulations is a vital part of the business of banking, and ascertaining that those issues are appropriately addressed and implemented is a critical part of the responsibility of each and every board member, whether as a result of regulatory compliance directives or in exercising their own fiduciary responsibilities.  

Like it or not, this is the environment in which banks now must operate in order to survive and directors are compelled to react accordingly. The threat (and the exposure) is very real, and boards must ascertain that adequate compliance and risk management programs are in fact in place. Further, they must take care to monitor and vigorously enforce those programs to make certain that the programs are adequate to address the needs and exposure of their particular organization. There is no “one-size-fits-all” when it comes to compliance and risk management programs and each must be tailored to the risk profile of the individual institution and its operations, products and services.  

At the same time, directors must take care not to overreact to the current environment and lose sight of the business of the organization and shareholders they serve. And therein lies the challenge.  

It is, without a doubt, a difficult balancing act, and one that even the most seasoned, concerned, attentive, dedicated, and accomplished bank director may find challenging. It is no surprise that boards are sometimes unable to be “distracted” by business issues when facing the pressures of the current compliance environment.  

While the current compliance environment is arguably the most severe ever, these things tend to cycle. Banking remains, by necessity and very appropriately, a highly-regulated industry. Bad facts make bad law, and the “splash” effect of a few bad players tends to taint the entire industry. Regulatory agencies and legislatures react to what they perceive to be the important issues at hand (or at least the issue receiving the most attention) and, in well-intended response, enact laws and adopt regulations intended to protect the public and to remedy those matters. The present banking environment is certainly reflective of those situations.  

Care must be taken so that the cure does not become as bad, or worse, than the disease, and lead to even more significant problems.  

Conclusions

In the meantime, bank directors should continue to focus on setting the tone at the top to emphasize the importance of compliance and risk management, while at the same time keeping their collective eyes on the business of the institution. Of course, easier said than done. The potential financial and reputation risk downside is far too great to do otherwise and, consistent with the board’s duty of care, it’s the right thing to do. Unfortunately there is no “magic formula” or “silver bullet” to provide safe harbor guidance with regard to prioritization and where to focus time, attention and resources. As a practical matter, institutions with the best compliance and risk management systems, but insufficient and inadequate capital, asset quality, management, earnings, and liquidity (sound familiar?) won’t be around long. Neither will those who ignore important compliance and risk management issues and responsibilities. It is a critical balancing act that can change daily. Failing to adequately address each of those issues can unfortunately be fatal, however, and can result in a self-fulfilling prophecy for the institution, its board, and its stakeholders.