The Financial Crisis 10 Years Later: Lessons Learned

Introduction

The financial crisis was ignited exactly ten years ago: on September 15, 2008, Lehman Brothers filed for bankruptcy. That same day, Bank of America announced its acquisition of Merrill Lynch. On September 16, the Federal Reserve bailed out AIG. On September 17, the markets were in free-fall. On September 18, Secretary Paulson and Chairman Bernanke briefed Congressional leaders on the contours of a massive bailout plan. And on September 19, the Treasury Department took the unprecedented step of guaranteeing U.S. money market funds.

The financial crisis ravaged the U.S. and world economies and required extraordinary government interventions to prevent a major worldwide depression. It spurred a host of legislative, regulatory, enforcement, litigation, and political responses, many of which are still unfolding. It destroyed venerable businesses and commercial activities and spawned others. And it reshaped market dynamics across the global economy, including in such diverse sectors as private funds, derivatives, securitization, M&A, bankruptcy, and real estate.

Ten years later, market participants and other companies across the globe operate in a significantly altered landscape marked by heightened regulatory expectations and punishing compliance costs, increasingly active regulatory and criminal enforcement worldwide, a growing but increasingly fragmented economy paired with new risks and market pressures, and a political and geopolitical environment that is both fragile and uncertain. Even though the current Administration’s approach to financial regulation and enforcement represents a significant departure from the prior Administration’s, many of the practical consequences of the financial crisis for companies operating on a global scale are undoubtedly here to stay.

Drawing on the experience of this firm’s departments, practice areas, and offices, and having counseled numerous clients with diverse business activities across multiple spheres during and in the aftermath of the financial crisis, we discuss the legal and business ramifications of the financial crisis, highlight certain key lessons learned, and provide a roadmap to enable executives and boards of directors to successfully navigate the post-crisis world and deal with the new market and regulatory realities. Many of the practical implications that emerge from this history—including the heightened importance of risk management, board oversight, institutional culture, transparency and disclosure, as well as the increasing politicization of regulatory and criminal enforcement—apply to all companies across all sectors of the U.S. and global economies.

The New Landscape 10 Years Later—and Lessons Learned

The legislative, regulatory, enforcement, litigation, and political responses to the crisis over the past decade suggest a number of important lessons and practical implications. While many of the regulatory responses focused on the financial sector, the heightened expectations with respect to risk management, governance, transparency, and culture—and the more rigorous, sophisticated, interconnected, and politicized enforcement environment—affect corporations across all sectors of the economy.

Regulators, Investors, and the Public Now Have Heightened Expectations for Risk Management, Strong Governance, Transparency, and a Culture of Compliance

Proactive Risk Management. In simplest terms, the conventional wisdom is that the financial crisis was precipitated by risks that were hiding in plain sight and that “dramatic failures of corporate governance and risk management” were a key cause of the crisis. The foundational building blocks for successful navigation of the heightened scrutiny that characterizes the post-crisis business, regulatory, and enforcement environment are thus a comprehensive and effective risk management program, for which the CEO and the senior management team are accountable, and equally comprehensive and effective risk oversight by the board of directors. Post-crisis, regulators, investors, customers, political leaders, and the public now hold financial institutions and other corporations accountable for proactive management of all risks inherent in their business—including, importantly, reputational risk. Risk management cannot be delegated to the risk control function, although a strong risk function is important; business heads, executive management, and the board also must own risk management, and ensure that it is operating effectively from the top down and the ground up across the institution, because ultimately they will be held strictly accountable for any breakdown in controls.

Heightened Expectations for Boards of Directors. As we have discussed in several client alerts, regulators’ expectations of boards of directors are higher than ever. Now-Chair of the Federal Reserve Board Jerome Powell noted in 2017, “Across a range of responsibilities, we simply expect much more of boards of directors than ever before. There is no reason to expect that to change.” Some of these expectations are set forth explicitly in regulatory guidance—e.g., the OCC’s July 2016 Director’s Book—but even boards of institutions not subject to such express guidance can expect to be held accountable for comprehensive oversight of the institution’s business, financial performance, management, culture, diversity, compliance, risk, financial reporting, and responsibility to the communities and stakeholders it serves. Boards are now expected to ensure that senior management establishes and maintains an effective risk management structure and that the board receives effective reporting of all material activities and risks, including detailed reports and concrete action plans. Boards must also monitor management’s response to identified problems or red flags.

Boards may be held responsible for establishing and maintaining compliance systems over an increasingly broad range of areas, including market conduct, securities disclosure, cybersecurity, financial crimes, antitrust, privacy/data, and other varieties of what some regulators call “employee misconduct risk.” Additionally, in the wake of scandals over employee treatment and renewed attention to issues of sexual harassment in light of the #MeToo movement, regulators and the public are imposing increasing pressure on companies to take proactive steps to monitor, internally investigate, report, and remediate such potential problems in the area.

While financial regulators in the United States have historically seldom intervened (at least publicly) in board matters, in contrast to some foreign regulators that have few other enforcement tools at their disposal, that is no longer the case. Prudent boards of directors should heed the lessons from the recent Wells Fargo enforcement action, for example, in which the Fed took the extraordinary steps of prohibiting the firm’s growth pending remediation, announcing the replacement of four board members, and issuing public “letters of reprimand,” including letters of reprimand to Wells Fargo’s former CEO and Chair and former Lead Director, for their “failures to meet supervisory expectations.”

Emphasis on Culture and “Tone at the Top.” The financial crisis gave rise to frustration among regulators, political leaders, and the public around the globe concerning the institutional culture that led to enormous levels of risk and apparent serial misconduct. Recognizing that even the strongest regulatory supervision and internal controls cannot prevent all instances of unethical or inappropriate behavior, regulators have touted the importance of a culture of compliance, in which employees self-regulate their behavior to conform to shared values and norms. In repeated speeches and conferences, regulators have emphasized that “tone at the top”—from senior management and the board—is necessary but not sufficient to create a strong culture of compliance. A good “tone at the top” will be ineffective unless it is reflected by an “echo from the bottom” in the form of broad-based staff engagement, including engagement in pockets of the organization that may operate with more autonomy or may go overlooked. Desired conduct should be tangibly rewarded, and bad behavior discouraged and punished, through compensation, promotion, and recognition. In addition, boards should consider creating dedicated ethics and culture committees to advise and assist them in establishing, monitoring, and safeguarding the firm’s culture.

Compensation Structures Should Reward Attention to Compliance. In tandem with their increased focus on culture, financial regulators have directed careful scrutiny to the incentives created by compensation structures, and bank regulators in particular have adopted or proposed rules concerning incentive compensation structures. Whether or not these rules apply to an institution, its compensation incentives and desired business outcomes should be structured to align with the firm’s stated values and its concrete policies intended to reflect those values. Compensation structures should reward attention to compliance and embed disincentives to chase “bad” or “risky” short-term profits. Where local employment law permits, including in the firm’s compensation scheme, the right to claw back incentive compensation upon discovery of misconduct, and exercising that power in appropriate cases, should be strongly considered.

Centralized and Strong Control Functions. Controls break down when control functions become captive to the businesses they are entrusted to monitor. For that reason, a centralized corporate structure with independent audit, risk management, legal, and compliance systems that report to the CEO and corporate function heads and/or the board, rather than to individual lines of business, is essential to transparency and oversight. Centralized controls reduce the risk that individual business units can strong-arm or co-opt control functions, and allow the board and management to identify and address problems systemically across lines of business.

Use of Technology to Facilitate Compliance. Advances in regulatory technology (“RegTech”) promise to make surveillance easier and more thorough. These advances, for example, can harness big data analytics to flag possible violations or highlight potential vulnerabilities. Investment in these technologies as they become available and are proven effective is money well spent. Conversely, regulators have put increasing pressure on firms that fail to make sufficient RegTech investment.

Cyber Risks and Data Privacy. Regulators and policymakers across the globe are increasingly concerned about risks, threats, and vulnerabilities associated with advances in technology, including virtual currency. These advances in turn raise a range of issues—in the case of virtual currency, how, for example, to protect investors purchasing bitcoin or other virtual currencies or to regulate initial coin offerings. In the case of reliance on computers and connectivity to the internet, the risk is cybercrime or negligent leaks of information. Cybersecurity threats can result from deliberate attacks from, or unintentional events precipitated by, insiders or third parties, including cybercriminals, competitors, nation-states, and “hacktivists,” and may take multiple forms, including the theft or destruction of financial or intellectual property and the disruption of business operations.

Many view cybersecurity risks as potential systemic threats and a possible trigger for the next crisis. The increase in frequency and scope of cyberattacks may increase the costs and potential negative consequences for market participants as well as other companies, including remediation costs, increased cybersecurity protection costs, lost revenues, litigation and legal risks, increased insurance premiums, reputational damage that adversely affects customer or investor confidence, and damage to the company’s competitiveness, stock price, and long-term shareholder value. In addition, financial institutions and other companies’ obligations to protect data have become substantially more onerous under regulatory schemes such as the GDPR, which took effect May 25, 2018’s Part 500 cybersecurity regulation. In the United States, the SEC issued guidance in February 2018 to assist public companies in preparing disclosures concerning cybersecurity risks and incidents and has signaled that this will be an area of enforcement focus, establishing a Cyber Unit “targeting cyber-related misconduct.” Cybersecurity and data privacy risk management policies and procedures should be considered key elements of enterprise-wide risk management.

Tailored Disclosures. With the benefit of hindsight, it is clear that more tailored risk and conflict disclosures would have significantly reduced legal exposure for market participants. The failures of disclosure leading up to the financial crisis occurred at all levels. In the context of RMBS, for example, the use of standard or form disclosures inhibited the accurate communication of the characteristics of the underlying mortgages or the risk profiles of the ultimate derivative products throughout the chain, including to the ultimate retail consumers. The importance of accurate and complete disclosures, not only at the public company level, but also with respect to all securities products, cannot be overstated. Similarly, more robust disclosure concerning the risks, conflicts, limitations, and costs of other financial products, such as payment protection insurance, in marketing and at the point of sale would have avoided or mitigated losses for many institutions.

Whistleblower Incentives and Protections. On the stated basis that the financial crisis might have been averted or at least mitigated if insiders had a greater incentive to report corruption or fraud to the government, Dodd-Frank established rewards and protections for whistleblowers through programs at the SEC and CFTC. Pursuant to these programs, the SEC and CFTC can pay awards to eligible whistleblowers who voluntarily provide information that leads to a successful enforcement action resulting in monetary sanctions exceeding $1 million. Between 2011 and 2018, the SEC paid out more than $275 million to whistleblowers, including more than $100 million in 2017 alone. Information provided by whistleblowers has resulted in $1.5 billion in disgorgement and penalties. Protections of whistleblowers have also been significantly enhanced. Employers may not impede whistleblowing, which may take the form of requiring employees to sign confidentiality agreements that would apply to whistleblowing communications or agreements to waive any right to a whistleblowing award. The SEC has enforced this prohibition aggressively and, in May 2017, the CFTC approved amendments that significantly strengthened its program’s anti-retaliation provisions. Since 2015, the SEC has brought a number of enforcement actions against companies for their use of what the SEC considered to be restrictive clauses in severance agreements or other documents that, according to the SEC, impeded whistleblowers and violated the securities laws. Companies would be well-advised to ensure that their employment, confidentiality, and severance agreements do not interfere with their employees’ ability to alert the CFTC and SEC to possible violations.

Multi-Agency Actions, Criminal Resolutions, and a Focus on Individual Accountability Are Here to Stay

Regulatory “Pile-Ons.” Following the financial crisis, no regulator wished to appear weak or inadequately vigilant. Competition among regulators to appear “tough” drove up the cost of resolution with each independent regulator, and higher-cost individual resolutions increased the aggregate cost of resolving the underlying general issue. And the overlapping jurisdiction of various regulators at the state, federal, and international levels frequently subjected financial institutions to multiple penalties for the same conduct. While there have been some efforts to improve coordination, including improvements across borders—most recently, the DOJ announced a new policy in May 2018 concerning the coordination of penalties—cutting the other way is a continuing and widespread public perception that financial institutions have been inadequately punished for bad conduct. For companies subject to the jurisdiction of multiple regulators, this regulatory pile-on is likely to remain the “new normal” and counsels strongly in favor of coordinated inter-business and cross-border controls. Likewise, an important part of managing regulatory relationships is ensuring appropriate and timely reporting on investigations and other developments to all interested regulatory authorities—even where their interest may not be readily apparent—while carefully complying with protocols on confidential supervisory information.

Criminal Prosecution of Financial Institutions. In the immediate aftermath of the financial crisis, major financial institutions were considered effectively off-limits from criminal prosecution, principally because the collateral consequences flowing from a “run on the bank” precipitated by a criminal conviction were viewed as posing systemic risks to the functioning of the general financial markets that a prudent prosecutor would not set in motion. The guilty pleas of both European and U.S. banks in recent enforcement actions—including Credit Suisse, BNP Paribas, Barclays, Citicorp, J.P. Morgan, Royal Bank of Scotland, and UBS—may have somewhat dispelled this notion and shown that a guilty plea, even at the level of a major bank entity or holding company, is a survivable event provided there is appropriate coordination between prosecutors and regulatory authorities. Although it is not a priority under the current Administration, in any future major economic downturn, aggressive prosecutors may not shy away from criminal prosecutions of financial institutions.

Criminal Prosecution of Bank Executives. One of the perceived failures of the Obama Administration’s response to the financial crisis is that no senior bank executives were prosecuted. In the next crisis or scandal, the DOJ may be more amenable to pursuing prosecution of senior officers. This approach would be consistent with the policy expressed in the 2015 DOJ memo by then-deputy Sally Yates, which emphasized individual accountability. At the same time, at least with respect to the current DOJ, its enforcement priorities include violent crime, immigration, and the opioid crisis, and it may be less eager to pursue financial sector executives. Apart from the DOJ, financial regulators have broad powers to pursue enforcement against senior officers for supervisory failures, which they, too, may use more zealously going forward.

The Importance of Prompt Self-Reporting, Cooperation, and Remediation. The DOJ and global financial regulators have embedded in their enforcement policies incentives for institutions to self-report any discovered misconduct, conduct a thorough internal investigation to ensure that the full scope and source of the misconduct have been discovered, cooperate fully with any ensuing investigation by regulators and enforcement agencies, voluntarily undertake enhancements to systems and controls and other remediation, and resolve investigations consensually with the regulators. Even where the benefits of such self-reporting and cooperation are not expressly quantified (as with, for example, the enforcement regime of the U.K.’s Financial Conduct Authority), comparing outcomes across institutions generally suggests that those benefits are material, and that they are both financial and reputational. One of the benefits of a robust control environment is facilitating early identification of problems that can then be appropriately self-reported, rather than risking subsequent discovery of those problems by a supervisory or market-conduct regulator. In the post-crisis enforcement environment, the importance of marrying robust systems and controls with robust and transparent communications with regulators, including self-reporting discovered misconduct in real time, cannot be overstated.

Our Current Political Moment

As we reflect on the financial crisis and its important lessons, it bears emphasis that the regulatory pendulum in the United States is starting to swing in the other direction. The Trump Administration is pursuing a broad deregulatory agenda and has already achieved the single largest regulatory roll-back since the financial crisis through the passage of EGRRCPA. And while EGRRCPA left the basic framework of Dodd-Frank in place, President Trump has long vowed to “do a number on” Dodd-Frank. If Republicans retain control of Congress this November, they may well pursue the CHOICE Act or some similar roll-back legislation. A related issue is whether and how the Administration will continue to cooperate with international financial regulatory efforts; in some instances, lack of an effective U.S. voice in these processes could slow the pace of regulation worldwide, while in other instances it could lead to even more fragmented regulation that may ultimately hinder market activity.

In light of this political environment, can financial market participants and other companies relax their focus on strong risk management and compliance? In a word, no. In time, both the political and the economic cycle will turn. It is tempting in good times, and while enforcement is perceived to be more lax, to reduce investment in compliance and put more focus on short-term profits. But that is exactly the mindset that led to the financial crisis and the resulting legislation, enforcement, litigation, and reputational damage. Just as the comprehensive legislation and heightened expectations for market conduct that followed on the 1929 market crash and the Great Depression have been with us ever since, despite tinkering at the margins, so too the regulatory environment and public expectations resulting from the financial crisis are likely, at least in broad terms, here to stay. And despite signs of deregulation, there is still an abiding public perception that large financial entities have not been sufficiently held to account for their roles in the financial crisis, or for bad conduct in the intervening years; President Trump himself has expressed this perception at times. Companies across sectors would be well advised to view comprehensive focus on risk management, corporate governance, transparency, and culture as a critical imperative regardless of which party controls the White House, the Congress, or state houses.

What’s Next?

Looking forward, commentators have pointed to several areas to watch as potential triggers of the next financial crisis. Most ominously, cybersecurity poses unique risks, as financial services are increasingly provided online, taking advantage of new technologies, and thus are vulnerable to the ever-more prevalent disruptive threats by well-financed and uber-sophisticated actors that are difficult to predict and even more difficult to defend against. A successful cyber-attack on a major financial institution could well generate instability across the banking system. Greater coordination between the government and the private sector—and across jurisdictions—is required to safeguard our financial systems against cyberattack. These risks will escalate if cryptocurrency, which largely operates beyond government regulation, becomes a significant alternative system for payments.

Some commentators continue to voice concerns about other, less regulated areas of the financial sector. For example, participants in the shadow banking sector now account for more than $45 trillion in assets and tend to offer loans to borrowers with lower credit scores and higher debt-to-income levels, but remain subject to far less regulation than their traditional counterparts. Likewise, asset managers now control $160 trillion in assets—an amount that exceeds the entire global holdings of banks.

The current wave of deregulation and related backlash from hyper-aggressive enforcement in the immediate aftermath of the financial crisis only exacerbate these risks. While financial institutions on a global basis have diminished in size, risks remain. For example, China is now home to five of the world’s ten largest banks, measured by assets—and China’s bank supervisory regime has different priorities and safeguards than the U.S. regime, and the ratio of corporate debt to gross domestic product in China is above 150%. Further, only a single financial institution deals, clears, and settles repos (a $1.9 trillion market), which raises the prospect of systemic risk in the event that institution were to falter. Moreover, the types of financial instruments and practices that played a role in causing the 2008 financial crisis are again on the rise. For example, the size of the U.S. high-yield bond market is nearly double its pre-crisis level; corporate leverage now exceeds pre-crisis levels; origination of collateralized loan obligations now match pre-crisis CDO market levels; and today’s derivatives market totals more than $500 trillion—more than seven times the global GDP. Add to these potential risks the immense value represented by technology companies and their rapidly growing intersection and interconnection with our global financial markets, the stress on traditional U.S.-international economic alliances and coalitions, the incipient and unpredictable trade wars, and escalating geopolitical instability.

To be sure, our financial system is far better capitalized and less leveraged, its participants have been stress-tested and subjected to unprecedented levels of supervision, and governments and regulators across the globe are far more prepared to deal with systemic threats. But how these enhanced powers and recently instituted protections will operate in real-time, across jurisdictions, in the face of new (and different) crises is unknown and unknowable.