Author Stephen R. Covey has written, “Management is efficiency in climbing the ladder of success; leadership determines whether the ladder is leaning against the right wall.” With the first quarter in full swing, community banks are preparing proxy statements, finalizing annual meeting agendas, and marshaling items for board attention. Now is the perfect time for bank directors to consider whether their bank’s ladders are leaning against the right walls. Below we discuss five corporate governance and regulatory issues that recently have been receiving particular attention from regulators and investors, selected based on statements by federal banking regulators, corporate governance consultants and experts (such as Institutional Shareholder Services, or ISS), institutional investors, and the SEC. Each of these issues merits board-level attention and direction.
Given the potential costs to customers, companies, and shareholders of failures in cybersecurity, regulators and investors of all stripes are concerned with how boards oversee cybersecurity risk. Day-to-day implementation and maintenance of cybersecurity measures may be a matter for a bank’s management and IT staff. However, robust cybersecurity is also a product of top-down board focus that requires director engagement, knowledge and training, as well as an innovative and flexible approach to corporate governance.
Because of that, cybersecurity continues to be a supervisory priority for the federal banking regulators. In particular, the FDIC has identified enhanced oversight of bank cybersecurity as one of its top performance challenges for 2019. The OCC has also designated cybersecurity and operational resiliency as one of five key risk areas for its 2019 bank supervision operating plan. In light of the supervisory attention given to cyber incidents and the importance of banks to the U.S. financial system, federal banking regulators have indicated that they expect cybersecurity discussions to be elevated from the IT room to the board room. In response, one bank holding company has come up with a novel solution – Ohio-based Huntington Bancshares recently established a “Significant Events Committee” to be responsible for responding to cybersecurity threats. This committee solves the problem of divergent oversight responsibilities and skill sets by bringing together into a single body Huntington’s CEO, lead director, chairs of the audit, risk and technology committees and a “lead cyber director.” While this particular solution may not work for every financial institution, it is a thoughtful response to cybersecurity risk oversight and demonstrates a flexibility and innovation in corporate governance that other community banks should strive to emulate.
Given that the degree of risk posed by, and frequency of, cybersecurity threats will almost certainly not diminish in the future, we do not expect the regulatory focus on board engagement with the topic to wane, either.
2. Bank Secrecy Act/Anti-Money Laundering (“BSA/AML”) Compliance
In December 2018, the federal banking agencies issued a joint statement encouraging depository institutions to explore innovative approaches to both meet their BSA/AML compliance obligations and to further strengthen the financial system against illicit financial activity. Such approaches include the use of innovative technologies (e.g., artificial intelligence) to help banks identify and report money laundering, terrorist financing, and other illicit financial activity. The joint statement reflects an interagency supervisory focus on corporate governance and enterprise-wide risk management of BSA/AML obligations. In effect, the federal banking agencies are opening the door to early engagement on this issue to promote a better understanding of these approaches, as well as provide a means to discuss supervisory expectations regarding compliance and risk management. Boards that begin internal discussions with senior management on innovative BSA/AML compliance now will be better positioned to meet the federal banking regulators’ expectations.
It is important to note that, in issuing the joint statement, the Federal Reserve stated that “[t]he joint statement does not alter existing BSA/AML legal or regulatory requirements, nor does it establish new supervisory expectations. The Agencies will not advocate a particular method or technology for banks to comply with BSA/AML requirements.” While not establishing new requirements, the joint statement does clearly invite financial institutions to consider innovative approaches to discharging compliance functions.
3. Current Expected Credit Loss Methodology
As bank directors already know, the final deadline for implementation of the new current expected credit losses (“CECL”) methodology is less than a year away. The looming target is generating industry-wide concern – so much so that it was the subject of a recent roundtable discussion involving members of Congress and the federal regulatory agencies, among other participants. Because of the anticipated impact of CECL implementation, the FDIC has emphasized bank director and senior executive engagement prior to full implementation. To that end (and sooner rather than later), senior bank executives should educate directors on CECL methodology, explain how it differs from the to-be-replaced incurred loss methodology, and develop reasonable and supportable forecasts for board review and approval. It is also recommended that boards and senior management conduct a cost-benefit analysis to determine whether the bank is better served by using a third-party consultant to aid implementation of CECL ahead of the deadline.
4. Board Oversight and Director Quality
Over the past few years, banks and other companies have been confronted with numerous reputation-damaging incidents – think of the cascade of troubles faced by Equifax as just one example. These scandals continue to play out in the media, on stock exchanges, and in the minds of customers. Board oversight (or lack thereof) is often seen as a dominant factor and, consequently, investors and regulators expect directors to understand how the culture of the bank or the company contributed to the problem. One recent example shows how far regulatory authorities are willing to go: a recent Federal Reserve cease-and-desist order against a bank holding company expressly conditioned future bank growth on the satisfaction of governance and risk management goals (including board oversight) and was accompanied by the announced replacement of four board members.
Boards have a duty to shareholders to ensure that their members possess sufficient skills, experience, and judgment to serve the company. In part because traditional board oversight functions are scrutinized more than ever, governance advocates, proxy advisors and institutional investors want measurable ways to assess director competence and ensure quality board oversight. As a result, many boards (whether exchange-listed or not) now conduct regular director evaluations. Rather than seeing this as a burden on directors’ time, boards should view the evaluation process as an opportunity to assess strengths, identify areas for improvement, and discover areas where new skills and perspectives can be brought to bear in support of the company and the board oversight function. Boards may want to consider a multi-faceted evaluation process that includes some or all of the following steps: (i) one-on-one discussions with each director and the chair of the nominating committee; (ii) internal nominating committee review of director self-evaluations; (iii) nominating committee report to the full board; (iv) group discussions of issues raised by the self-evaluations, particularly with respect to the bank’s risk management framework; (v) development and incorporation of feasible action items; and (vi) post-action follow up and feedback in the subsequent year’s assessment program.
5. Board Diversity
More and more investors and proxy advisors emphasize board diversity as a key issue for 2019. For example, in response to a recent ISS policy survey, 82% of investor respondents surveyed considered it problematic if there were no female directors on a company’s board (note: this compares to 69% of investor respondents surveyed in 2017). Investors generally prefer to engage with companies on board diversity, but they are not hesitant to wield their proxy votes to press for change. Consequently, many public companies have seen voting support for nominating committee chairs that lack gender diversity fall. This puts board nominating committees in the hot seat – both with respect to gender and other diversity characteristics. We anticipate this will continue throughout 2019 and have no reason to think that bank boards will be spared.
It is interesting to note that the views of directors and investors converge when it comes to board diversity. According to a 2018 survey of over 700 public company directors, most directors believe a diverse board is beneficial for a company. The overwhelming majority of directors surveyed also believe that diversity brings unique perspectives to the boardroom, enhances board performance, and improves relationships with investors. In this environment, we recommend bank directors consider ways to: (i) stay apprised of shareholder views on board diversity; (ii) formalize board commitment to diversity in governance guidelines and nominating committee charters; (iii) develop networks to find diverse board candidates; and (iv) develop new director orientation/mentoring programs for first-time women and minority board members. It is also useful for the board to combine diversity discussions with its consideration of board refreshment/change management – both at the board level and the ranks of senior management (which is also a focus area for the federal banking regulators).
Banking is essentially a business of assuming and managing risk – and it is up to the board to ensure effective risk governance. With the end of the first quarter in sight, we recommend that directors review these five points to determine if they are comfortable with their bank’s current approach or, alternatively, whether adjustments are needed to navigate the changing risk landscape. Otherwise, as Yogi Berra said, “if you don’t know where you’re going, you might wind up someplace else.”