International Banking Regulators Reinforce Board Responsibilities for Risk Oversight and Governance Culture

Holly J. Gregory is a partner and co-global coordinator of the Corporate Governance and Executive Compensation group at Sidley Austin LLP. The following post is based on a Sidley update authored by Ms. Gregory, George W. Madison, and Connie M. Friesen; the complete publication, including footnotes, is available here.

In October 2014, the Basel Committee on Banking Supervision of the Bank for International Settlements issued its consultative Guidelines [on] Corporate governance principles for banks (the “2014 Principles”). The 2014 Principles revise the Committee’s 2010 Principles for enhancing corporate governance (the “2010 Principles”), in which the Committee reflected on the lessons learned by many central banks and national bank supervisors from the global financial crisis of 2008-09, in particular with regard to risk governance practices and supervisory oversight at banks. The 2014 Principles also incorporate corporate governance developments in the financial services industry since the 2010 Principles, including the Financial Stability Board’s 2013 series of peer reviews and resulting peer review recommendations. The comment period for the 2014 Principles expires on January 9, 2015.

This post highlights certain themes in the 2014 Principles and identifies recent comments by U.S. banking regulators that indicate that supervised financial institutions can expect new regulations to address some of these themes.

Why are the Basel Committee’s 2014 Principles important?

The 2014 Principles were developed to guide the actions of the boards of directors, senior management and risk, compliance and internal control functional heads of financial institutions. Central banks and/or banking supervisors of nearly 30 of the world’s largest economies are members of the Committee, and the 2014 Principles can be expected to inform conduct by banking authorities in both member and non-member jurisdictions.

The 2014 Principles reflect the first general agreement among national banking authorities around the world regarding the role for national supervisory oversight in ensuring that a bank’s board and senior management perform their responsibilities to:

  • Establish the key components of effective risk governance infrastructure, including business unit level risk management, board and board committee level risk oversight, internal control functions and independent operation of the internal compliance and audit functions; and
  • Develop organizational risk culture as a key component of effective risk management, including by the setting of an appropriate tone at the top, effectively communicating organizational risk appetite and implementing compensation policies that reward prudent risk management.

The 2014 Principles are organized around a risk governance framework that begins at the business unit level as the owner of business activity and its risk management, continues with the second line of defense at the enterprise-wide risk management function, responsible for identifying, monitoring and reporting risk to management and the board, and extends to a third line of defense consisting of internal controls and compliance functions, to provide assurance to the board of the effectiveness of the framework and related policies and procedures.

Although the 2014 Principles are not binding on national banking authorities, they have already been echoed in the United States in the speeches and congressional testimony of senior officials of the Board of Governors of the Federal Reserve System (FRB) and the Office of the Comptroller of the Currency (OCC), and are very likely to be reflected in proposed regulations of U.S. banking supervisory authorities.

What key changes to the 2010 Principles were made by the Basel Committee this year?

The 2010 Principles were intended to enhance the corporate governance of financial institutions supervised by the member central banks and bank supervisory authorities.

The 2010 Principles spoke to the overall responsibility of bank boards for:

  • Their own composition and governance;
  • Oversight of senior management;
  • The adequacy of governance mechanisms for the bank’s legal entity group structure;
  • Along with senior management, the business strategy, risk tolerance, risk management governance, methodologies, activities and internal controls;
  • Oversight of the design and operation of the bank’s compensation system to incentivize prudent risk-taking behaviors; and
  • Transparency of disclosure to stakeholders and market participants of the bank’s governance in order to provide such parties with the information necessary to hold the board and senior management accountable for their actions.

In revising the 2010 Principles, the Basel Committee did not rewrite its governance guidelines entirely. Rather, each individual principle was reconsidered and enhanced to expand upon and explain the language, to broaden some ideas, or to restate or reword principles in a more explicit manner. By releasing the 2014 Principles, the Basel Committee has provided renewed emphasis on the responsibilities of the board and senior management of financial institutions to oversee, govern and manage risk, and on the direct responsibility of the board for an organization’s corporate risk culture, appetite for risk and compensation system.

Highlights of Expanded Principles

Specifically, the recent revisions include the following additional responsibilities for bank boards of directors:

  • Developing the bank’s risk management systems and compliance functions;
  • Together with senior management, developing the bank’s risk appetite, taking into account the competitive and regulatory environment, long-term interests, risk exposure and ability to manage risk;
  • Monitoring adherence to the bank’s risk statements, policies and limits;
  • Approving and overseeing how the bank assesses capital adequacy, capital and liquidity planning, compliance and internal controls;
  • Approving the selection of, and evaluating the performance of, senior management;
  • Ensuring the bank’s compensation system is aligned with the risk culture and appetite for risk established by the board; and
  • Periodically reviewing whether the risk governance framework of the bank continues to be appropriate given changes in the bank’s size, complexity, strategy, regulatory requirements, and market and governance best practices.

The 2014 Principles also expand and amplify the obligations of a bank’s board to ensure appropriate corporate culture, values and ethical behavior among employees, and to oversee a bank’s risk governance framework. The board is additionally expected to:

  • Promote a strong corporate culture by setting an appropriate “tone at the top,” by:
    • setting and adhering to an appropriate corporate culture for itself, senior management and other employees and conveying the expectation that the bank’s business will be conducted in a legal and ethical manner;
    • advocating risk awareness and a strong risk culture by making clear the board does not support excessive risk-taking and that all employees are responsible for complying with the bank’s risk appetite and limits;
    • communicating throughout the organization the bank’s corporate values and code of conduct in support of the bank’s risk culture; and
    • ensuring all employees have been advised that violations of the bank’s policies are unacceptable and will result in disciplinary measures;
  • Oversee a strong risk governance framework, which includes a strong risk culture, well developed risk appetite articulated through its risk policies and well defined responsibilities for the business line, risk management and internal control functions;
  • Develop and convey risk policies that:
    • have quantitative and qualitative considerations;
    • establish individual and aggregate levels and types of risk;
    • define boundaries and business considerations;
    • communicate the board’s risk appetite throughout the bank;
    • drive from the top down by the board and the bottom up by management involvement; and
    • clearly outline disciplinary actions to be taken for breaches of risk limits with notification to the board;
  • Play an active role in developing the bank’s risk appetite and ensuring its alignment with its business strategy, capital and financial plans and compensation practices;
  • Establish an enterprise-wide risk committee that:
    • is distinct from the audit committee;
    • has an independent chair who is not the chair of the board or any other committee;
    • includes members who are experienced in risk management issues;
    • discusses all risk strategies in the aggregate and by type of risk;
    • reviews the bank’s risk policies;
    • ensures management has processes in place for adherence to approved risk policies;
    • advises the board on the bank’s risk appetite and reports on the risk culture;
    • interacts with and oversees the chief risk officer; and
    • periodically meets with the audit committee and other risk-relevant committees to ensure an effective exchange of information on all risks in light of the risk governance framework, the business plans of the bank and the external environment;
  • Establish a compensation committee that:
    • exercises competent and independent judgment on compensation policies and practices; and
    • works closely with the enterprise-wide risk committee to evaluate incentives created by the compensation system.

The responsibilities of senior management of banks were similarly expanded upon by the Basel Committee in the 2014 Principles. Among other things, bank senior management is also expected to recognize and respect the independence of the risk management, compliance and internal control functions of the bank and is expressly cautioned about interfering with the exercise by the control groups of their responsibilities.

Senior management is also charged with keeping the board “regularly and adequately” informed of all material matters, which include business strategy, risk and risk appetite, breaches of risk limits and compliance rules, failures of internal controls and legal and regulatory issues. The revised 2014 Principles also link compensation policies to prudent risk-taking practices by:

  • Acknowledging that compensation systems reinforce the bank’s operating and risk culture;
  • Stating that compensation programs should facilitate adherence to risk appetite policies, promote proper risk-taking behavior by employees and encourage employees to act in the interests of the company as a whole; and
  • Requiring compensation programs to reflect risk-taking actions by employees and risk outcomes, including breaches of internal procedures or legal requirements.

Basel Committee Principles Consistent with Recent U.S. Bank Regulator Statements

Each of the FRB, the Federal Reserve Bank of New York (FRBNY), the OCC and the Federal Deposit Insurance Corporation is a member of the Basel Committee and participated in the process by which the 2014 Principles were adopted. While U.S. banking regulators have not yet addressed the 2014 Principles, recent public statements suggest that U.S. banking regulators have similarly embraced an emphasis on corporate culture as a key component of effective risk management at banks.

  • In remarks on October 20, 2014, FRB governor Dan Tarullo noted that corporate culture will inform the behavior of employees within a bank. In implementing the FRB annual Comprehensive Capital Analysis and Review (i.e., the stress test), Mr. Tarullo has noticed meaningful differences in the attitudes of senior and mid-level managers toward the risk function in different banks. Mr. Tarullo observed that some firms tend to view the interaction with the regulator as a mere compliance exercise, whereas others seek to meaningfully engage with the regulators and learn from identified weaknesses in risk management. Like the Basel Committee, Mr. Tarullo pointed out that excessive compensation based primarily on stock options can undermine the right organizational culture, and serve to intensify the conflict between shareholder and regulatory interests.
  • Since the financial crisis, many large banks have been subject to well-publicized regulatory actions, including those relating to LIBOR manipulation and to violations of U.S. sanctions and tax laws. William Dudley, the president of the FRBNY, and Thomas Baxter, the general counsel of the FRBNY, have each commented publicly this year that such incidents are attributable in part to a failure of organizational culture. Both Messrs. Dudley and Baxter indicated that the right rules, absent the right values, are simply not sufficient to cause the right employee behavior. They highlighted that the potential for employee misconduct is greatest in those organizations where employees do not see the rules as being consistent with an organization’s values. This past July, Mr. Baxter attributed recent failures of foreign banks to adhere to U.S. sanctions or tax laws to a perception within those banks that such rules were not rooted in values shared by the bank and, by extension, its employees.
  • OCC Comptroller Thomas Curry remarked earlier this year that the most significant losses in the years since the financial crisis stem not from poor credit decisions but from lapses in operational risk management and the ensuing legal judgments, regulatory fines and reputational damage. Mr. Curry posited that such lapses have been made possible by continued weaknesses in risk management and risk culture.

What To Expect In the Near Term

The Basel Committee’s 2014 Principles and recent public statements by U.S. banking authorities concerning necessary improvements in bank risk governance each emphasize the role of bank boards of directors and senior management in the oversight and management of a bank’s risk culture. Further, they suggest that U.S. and international bank supervisors will be examining banks closely for the tone at the top established by the board of directors, as regulators more closely scrutinize risk policies, procedures and approved risk appetite at a bank. Where failures in risk management occur, bank supervisors will likely review intently the proper functioning of the bank’s system of risk management and internal controls, including as to bank risk culture, information flow from the board and senior management to all employees as to prudent risk-taking behaviors (including through an appropriate compensation system) and the clear communication of risk management roles and responsibilities.

In public comments, regulators have already floated various proposals to reform the corporate risk culture of banks, including:

  • Reforming the compensation structures by tying compensation to returns on debt and equity, or the imposition of more meaningful and longer claw-back and forfeiture provisions;
  • Enacting a scoring system for banks to evaluate misconduct risk by establishing methodologies for assessing credit risk taking into account factors historically associated with conduct issues;
  • Encouraging greater transparency in the process for disciplining or firing employees in cases of misconduct, including by creating a central registry to track the hiring and firing of financial professionals similar to the U4 and U5 forms in the broker-dealer industry; and
  • Creating a new fiduciary duty of bank board directors and senior management with respect to regulatory obligations owed to the banking regulators.

Before the next supervisory examination of your institution, it is advisable to conduct a governance and compliance audit to confirm that the roles, responsibilities and governance structure of your board of directors and relevant committees have been updated to be consistent with the 2014 Principles and your committee charters and corporate governance principles reflect the same; that the proper tone at the top as to risk culture and risk appetite and the related messages are communicated appropriately throughout your institution; that your compensation system encourages prudent risk-taking behaviors and is in sync with your overall risk culture and policies; and that your risk management, compliance and internal control functions have been structured to be independent in fact in terms of reporting lines and operations, and management has been appropriately cautioned not to interfere with the exercise of their responsibilities.
