The year-end bank compliance checklist is long, and in light of recent enforcement actions by the Securities and Exchange Commission (“SEC”) and further regulatory developments slated to take effect in the near term, close collaboration between regulatory and disclosure teams at banking organizations will be key to getting upcoming SEC disclosure right. In planning ahead for 2015, it is worth highlighting for our clients and friends several disclosure issues that are of particular importance:
- SEC Focus on Management’s Discussion and Analysis of Financial Condition and Results of Operations (“MD&A”) Disclosure
- Internal Control over Financial Reporting
- Pillar 3 Disclosures
- Impact of Regulation
- Sanctions and anti-money laundering (“AML”)
SEC FOCUS ON MD&A DISCLOSURE
The SEC continues to scrutinize the MD&A disclosure of banking organizations. In August 2014, the SEC entered into a settlement with a large banking organization in which the institution admitted that it failed to disclose to investors known uncertainties potentially adversely affecting future income arising from exposure to repurchase claims on securitized mortgage loans. In its settlement, the SEC emphasized its longstanding position that disclosure of a known trend, demand, commitment, event or uncertainty is required unless management determines it is not reasonably likely to occur or, if management is unable to make that determination, it is not reasonably likely to have a material adverse effect on the company’s financial condition or results of operations. This settlement and SEC Enforcement Division commentary in recent weeks about its renewed focus on financial disclosure are timely reminders for banking organizations to review and reinvigorate the disclosure controls and procedures underpinning the preparation of MD&A, including by employing a clean slate approach. Each business unit should be required to identify and report the factors that affect their business units to senior management, who should in turn substantively review and provide input on MD&A based on their understanding of broader trends and uncertainties. Finally, the staff of the SEC has provided guidance on a host of MD&A topics, and strong disclosure controls and procedures should include regular review of a banking organization’s MD&A against SEC guidance.
INTERNAL CONTROL OVER FINANCIAL REPORTING
Like MD&A, banking organizations’ internal control over financial reporting (“ICFR”) has also come under SEC scrutiny. As recently as September 2014, the SEC entered into a settlement with a large banking organization for failure to deduct realized losses on structured notes and other financial instruments when calculating regulatory capital, resulting in overstatements in regulatory capital and related ratios in the banking organization’s periodic reports. According to the SEC, the banking organization did not “adequately consider whether its internal process for computing its regulatory capital was operating as intended or required.” As a result, the institution “failed to make and keep accurate books and records, and failed to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions were recorded as necessary to permit preparation of financial statements in conformity with GAAP.” Recent news reports suggest that many banking organizations have been challenged to maintain effective ICFR. Increased scrutiny of internal controls may also come from within banking organizations, as the SEC’s whistleblower bounty program continues to encourage whistleblowers to come forward by providing ever larger cash payments based on the amount that the SEC recovers. Finally, in May 2013, the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) updated its framework that is used by most issuers, including banking organizations, for evaluating the design and effectiveness of ICFR. Banking organizations will need to ensure that plans to adopt the 2013 framework are on track and that the framework used is clearly identified when disclosing their annual assessments of ICFR in SEC reports.
PILLAR 3 DISCLOSURES
For periods beginning January 1, 2015, U.S. banking organizations with total consolidated assets of $50 billion or more that are not advanced approaches banking organizations (or that are advanced approaches organizations, but have not yet completed their “parallel run”) will be required to make so-called “Pillar 3” disclosures addressing various qualitative and quantitative aspects of their regulatory capital positions. For many regional banking organizations, this will be the first disclosure exercise of this nature, and it merits advance planning on several fronts, such as what to disclose in Pillar 3 reporting and when and how to make Pillar 3 disclosures. While the final Basel III rules set out a series of required tabular disclosures, covered banking organizations will need to consider how to manage different or additional disclosures in Pillar 3 reporting compared to SEC reporting. With respect to timing of disclosures, the preamble to the final Basel III rules provides guidance that should facilitate synchronizing Pillar 3 reporting with SEC reporting. In addition to quarterly Pillar 3 reporting, the final Basel III rules require publication of an interim report in the event of a “significant change” from the prior Pillar 3 report. Covered banking organizations will want to firm up their processes for identifying and disclosing a “significant change” that occurs between quarterly Pillar 3 reports.
The final Basel III rules also provide banking organizations with flexibility on how to make Pillar 3 disclosures – from posting on a single place on the banking organization’s web site to making disclosures in more than one public financial or regulatory report, as long as the banking organization publishes a summary table tying together the location of the various disclosures. This flexibility, however, raises questions for banking organizations to consider, including whether to include Pillar 3 disclosures in SEC reports and whether to furnish or file Pillar 3 disclosures with the SEC as well as whether and how to incorporate Pillar 3 disclosures into securities offering documentation. In light of these questions, it comes as no surprise that the final Basel III rules require a formal disclosure policy that is approved by the board of directors and that addresses the covered banking organization’s approach for determining Pillar 3 disclosures, including related internal controls and disclosure controls and procedures.
Finally, all banking organizations will want to monitor developments related to the consultative document published June 2014 by the Basel Committee on Banking Supervision that proposes changes to Pillar 3 disclosure requirements.1 The Committee’s review focuses on Pillar 3 disclosure requirements in the areas of credit, market and counterparty credit risks as well as equity risk and securitization. The comment period was extended to October 10, 2014. As proposed, banking organizations would be required to comply with revised Pillar 3 requirements from the first reporting period on or after April 1, 2016.
IMPACT OF REGULATION
Regulation and its impact on banking organizations has long been a core component of the SEC disclosure of banking organizations. By year end, 2014 will have proven to be another busy year for regulation of banking organizations, including the Volcker Rule, the liquidity coverage ratio, the Federal Reserve’s enhanced prudential standards and the Office of the Comptroller of the Currency’s “heightened expectations.” In addition, the Consumer Financial Protection Bureau continues to publish regulations at a rapid pace and regulators continue to raise their expectations for both the confidential and public versions of living wills. Given this increased activity, regulatory and disclosure teams at banking organizations and their advisers will want to collaborate to review carefully existing SEC disclosure to ensure that the substance and material impact of historical, new and pending regulation is accurately reflected in upcoming SEC reports. Banking organizations may want to structure this effort more aggressively than the customary update exercise delegated to a limited working group. A revised and updated summary of material regulation, usually found in the “Business” or “Regulation” section of SEC reports, can serve as a starting point for considering what other updates may be required throughout the report, such as in “Risk Factors” and in the key trends and uncertainties analysis as well as each of the results of operations, financial condition and liquidity discussions in MD&A. One size will not fit all, and part of the challenge for regulatory and disclosure teams is to tailor their analyses of the regulation and its impact to the business of the individual banking organization. This will require greater coordination between the securities and banking law experts at banking organizations and their advisers than has occurred in the past.
SANCTIONS AND AML
Banking organizations of all sizes face a regulatory environment increasingly focused on sanctions and AML compliance issues. With respect to sanctions, the Iran Threat Reduction and Syria Human Rights Act of 2012 requires SEC reporting companies to disclose certain Iran-related activities. In addition, the SEC’s Office of Global Security Risk monitors company reports to ensure disclosure of material information regarding global security risk-related issues, including with respect to Iran. Despite recent reports of increased dialogue between the U.S. and Iran in connection with events in the Middle East,
no changes have been announced to Iran activity reporting requirements. As a result, banking organizations should continue to consider carefully whether the activities in which they or their affiliates engage potentially trigger additional SEC reporting obligations.
This year also saw the imposition of sanctions against Russia, a country that, unlike other sanctioned countries, is well integrated into the global economy and financial markets. In recognition of this interconnectedness, the United States (as well as the European Union and others) has tailored its sanctions program to target certain financial activities involving several of Russia’s largest corporations. This tailoring creates complexity and presents compliance challenges for banking organizations that do business in Russia or with Russian customers. Banking organizations engaged in Russia-facing business need to consider the implications of the Russian sanctions and whether they have a material effect on activities such that they trigger SEC disclosure obligations.
This year has also seen a trend in enhanced scrutiny of AML compliance. Recent press reports suggest that money laundering activity is moving from larger banking organizations to regional and community banking organizations and, in line with this trend, Comptroller Curry has stated publicly that the Office of the Comptroller of the Currency will place increasing emphasis on AML compliance when examining and supervising banking organizations. Regional banking organizations are encouraged to review their AML compliance programs and consider how potential or actual AML enforcement actions could trigger disclosure obligations in this environment.