A number of commentators and U.S. regulators have begun pointing to the need to reset the regulatory and supervisory approach to bank board governance by more precisely differentiating between the role of the bank board (oversight and guidance) and that of management (day-to-day execution). Calls for reviewing and updating expectations and requirements to clarify this important distinction coincide with rapid change and transformation in the banking industry.
Increasing cyberthreats and other developments such as growing competition from and alliances with technology firms, as well as increasing use of technology to improve and enhance customer offerings (e.g., mobile banking) and operations (e.g., the use of blockchain or artificial intelligence to change the way banks collect, access, and analyze data), present new opportunities and risks. As technology-related issues requiring board attention have expanded, some industry experts have argued that regulators should consider changes in requirements or expectations with respect to the role and composition of the bank board. Some in this camp believe that boards and individual directors should become more specialized by including experts in technical fields (e.g., in IT security). In effect, some have argued that the role of the board should be refashioned in order to carry out highly technical responsibilities. (Note: See, e.g., Spring 2017 OCC Semi-Annual Risk Perspective. “Strategic planning remains important for all banks as they adopt and implement innovative products, services, and processes in response to the evolving demands for financial services and the entrance of new competitors, such as out-of-market banks and nonbanks. Boards of directors and management should comprehensively understand the benefits and risks of strategic changes before implementation.”)
As regulators continue to reassess and better tailor the balance between the roles of the board and management, an appropriate approach would be to recognize and re-emphasize that the fundamental nature of the board’s role should not fundamentally change even as the industry is reshaped through advances in technology and changes in the marketplace. In other words, as applied in the context of today’s rapidly changing world of banking, while boards will appropriately place an increasing focus on technology-related issues and risks, the responsibilities of the board and the basic approach to board oversight – which are spelled out in The Clearing House’s “The Role of the Board of Directors in Promoting Effective Governance and Safety and Soundness for Large U.S. Banking Organizations” (the “2016 TCH Role of the Board Report”) – should largely remain consistent.
Indeed, especially in times of rapid transformation, both the regulatory community and industry should be alert to the hazards of blurring the lines between the role of the board and management and rigid regulatory mandates around board compliance responsibilities and board composition. Forthcoming regulatory reviews of both (i) the regulatory burdens imposed on bank boards, and (ii) the adequacy of certain existing regulations and guidance in the face of transformational changes and related risks provide important opportunities in this regard. (Note: As described in greater detail in Note 5 below, on August 3, the Federal Reserve issued proposed guidance intended to “better distinguish” between the roles and responsibilities of the board of a banking institution and senior management.)
As in any rapidly changing environment, boards of directors that stay abreast of marketplace developments and adopt an “informed and active” approach to carry out their oversight functions as described below should be well-positioned to help guide their institutions through transformational changes.
This article discusses recent statements by regulators and policymakers (and TCH’s Committee on Bank Governance’s dialogue with them) and summarizes a framework for regulators to consider as they navigate the complex supervisory and regulatory implications of technological and business transformations and as boards oversee new forms of risks.
I. Recent Regulatory Focus on Clarifying the Role of the Board vs. That of Management
Although certain regulatory requirements appropriately serve to direct board focus toward fundamental safety and soundness issues, a number also extend beyond core board functions, requiring or potentially setting expectations of board involvement that could divert from these core board functions. The maintenance of the separate roles of the board and management is essential for boards to perform their unique oversight function. When requirements are imposed in a prescriptive way or include ambiguous language that could be interpreted as recasting this separation, they can make it challenging for boards to concentrate on satisfying their larger role of focusing on strategy and emerging risks and trends.
Two reports issued by international organizations in 2015 raised awareness of this issue at international and U.S. levels and spurred additional dialogue.
- 2015 International Monetary Fund Report: An assessment of the U.S. bank supervisory framework points to the concern that U.S. bank regulations and guidance often do not clearly distinguish between the board and senior management, leading to possible confusion between the roles. The IMF noted that there were numerous examples in both U.S. regulations and actual supervision where the term “board and senior management” was used where good practices would dictate that only one of the two be responsible for the task in question. For example, this formulation creates risks that too much day-to-day decision-making will be assigned to the board of directors.
- 2015 Basel Corporate Governance Principles: In July 2015, the Basel Committee on Banking Supervision issued revised guidelines on corporate governance principles for banks. Much of the industry-supervisor dialogue during the consultative process related to the appropriate demarcation between the duties of the board of directors versus senior management. Earlier versions of the guidelines conflated the role of the board and management by requiring the board to “ensure” certain results. An important change to the final version of the document was the general use of the term “oversee and be satisfied with” when referring to board responsibilities.
Recently, Federal Reserve Governor Jerome Powell, the Chair of the Federal Reserve Board Committee on Supervision and Regulation, said that U.S. supervisory expectations should be reviewed to ensure boards can continue to be effective in their role in setting the overall strategic direction of the banking institution, while overseeing and holding senior management accountable for operating the business profitably, safely, soundly, and in compliance with applicable laws. The Federal Reserve has launched an effort to reassess whether Federal Reserve supervisory expectations for boards need to change to ensure that these principles, and not an ever-increasing checklist, are the basis of supervisory work related to bank holding company boards. (Note: On August 3, 2017, the Federal Reserve took an important step with respect to this initiative by issuing for public comment a proposal consisting of the following three parts: (1) proposed guidance on supervisory expectations for boards of directors of bank holding companies with at least $50 billion in assets, (2) a proposal to eliminate or amend certain existing Federal Reserve guidance for boards that contains redundant, outdated, or irrelevant supervisory expectations, and (3) proposed guidance to clarify expectations for communicating supervisory findings to the board and senior management. The Federal Reserve indicated that the proposed guidance is intended to “better distinguish” between the roles and responsibilities of the board of a banking institution and senior management. The Federal Reserve also indicated that it will continue its review of guidance (including interagency guidance) and Federal Reserve regulations, and make revisions thereto as it considers appropriate, in order to better align regulatory requirements or expectations with appropriate board responsibilities. This is a significant step in recognizing a key issue for boards. We anticipate that thoughtful public comments will assist the Federal Reserve in fashioning its final guidance and continuing its efforts to support the ability of boards to focus on their core board functions.)
In addition, the June 2017 U.S. Treasury Report entitled “A Financial System That Creates Economic Opportunities: Banks and Credit Unions” (the “Treasury Report”) articulated concerns regarding the blurred lines between director oversight and the role of management and overburdening of the board with compliance responsibilities. The Treasury Report recommended an “inter-agency [bank regulatory] review of the collective requirements imposed on Boards in order to reassess and better tailor these aggregate expectations and restore balance in the relationship between regulators, Boards, and bank management.” (Note: The Treasury Report cited to the 2016 TCH Report on the Role of the Board noting that according to the TCH Report “blurring of this distinction [between the role of the board and senior management] detracts from effective governance by potentially reducing the Board’s ability to focus on its core oversight functions, and therefore impairing the Board’s ability to perform its critical oversight role, and creating uncertainty as to roles and responsibilities.”)
We applaud recent reports and statements by public sector officials such as these as well as efforts by regulators to deepen their understanding of these critical points through retrospective reviews of existing guidance and policy statements.
In addition to retrospective reviews of requirements imposed on the board, future regulatory pronouncements imposing responsibilities on or conveying expectations with respect to bank boards should also reflect, embrace, and emphasize the performance of core board functions. In TCH’s view, and as described in the 2016 TCH Role of the Board Report, these functions are:
- Function 1: Reviewing and approving the strategic objectives and plans
- Function 2: Monitoring financial performance and condition
- Function 3: Talent management for the CEO and other senior executives
- Function 4: Overseeing the risk management and internal control frameworks, including top-tier policies and plans in fundamental areas
- Function 5: Reinforcing, demonstrating, and communicating the “tone at the top” for the values and culture of the organization and overseeing enterprise-wide approaches/programs intended to promote organizational values, culture, and reputation
In this regard, there is a real opportunity to clarify the important distinction between the role of the board and that of management as U.S. bank prudential regulatory authorities undertake to review and, in some cases, modify guidance in various areas to take into account emerging technologies and new marketplace trends and risks.
- For example, a specific opportunity exists in the area of outsourcing to third-party providers and partnering with financial-technology (FinTech) firms. U.S. federal banking agency officials have recently noted that they are actively reviewing third-party risk management guidance to determine whether any adjustments or clarifications may be appropriate in view of developments such as those brought about by FinTech and FinTech partnerships with banking institutions.
- Bank boards oversee certain third-party risk management processes in order to have appropriate line of sight into, e.g., operational, reputational, and strategic risks arising from strategically and/or operationally important relationships. Several aspects of existing third-party risk management guidance, however, do not clearly distinguish between the role of the board and the role of management. (Note: By way of illustration, Federal Reserve guidance prescribes that “The board of directors and senior management of a financial institution should determine whether proposed limitations [of contractual liability in service provider contracts] are reasonable when compared to the risks to the institution if a service provider fails to perform.” (FRB, Guidance on Managing Outsourcing Risk, SR 13-19 (December 5, 2013)). In addition, OCC guidance prescribes that: “The OCC expects the bank’s board of directors and management to: develop appropriate alternative ways to analyze . . . critical third-party service providers, establish risk-mitigating controls, be prepared to address interruptions in delivery . . . retain appropriate documentation of all their efforts to obtain information and related decisions, ensure that contracts meet the bank’s needs” (emphasis added). (OCC, FAQs to Supplement OCC Bulletin 2013-29 (June 7, 2017)).)
- Other aspects of the guidance (e.g., that the board should “approve” a number of operational standards, methodologies, and agreements) are so granular and operational in nature that they risk diverting board focus and attention from critical oversight functions (i.e., the five core board functions cited above). (Note: By way of illustration, OCC guidance prescribes that the board of directors “approve[s] contracts with third parties that involve critical activities” (OCC Bulletin 2013-29 (October 30, 2013)). OCC supplemental examination procedures also suggest that board minutes should generally indicate that the board “reviews and approves” third-party risk management due diligence results and various methodologies, contracts and management plans. (The OCC Supplemental Examination Procedures for Risk Management of Third-Party Relationships (January 2017)).)
There is no question about the importance of understanding and effectively managing risk in a rapidly evolving environment. The problem is how to do so in a way that does not blur the distinction between oversight and management and that preserves a board’s ability to exercise its oversight in an independent fashion.
We encourage regulators to specifically recognize in future updates and “modernization” of guidance the authority and utility of the board designating – whether formally or informally – senior management and/or management committees to address tasks that do not warrant board time or approval.
II. Informed and Active Board Oversight
Over the past several years, representatives of TCH’s Committee on Corporate Governance have engaged in a constructive dialogue with regulators and thought leaders in the U.S. and Europe around bank governance and the role of the bank board.
During these conversations, we regularly discuss what it means for a board to be “effective” and “engaged.” As TCH’s “Guiding Principles for Enhancing U.S. Banking Organization Corporate Governance” (2015) (the “GPs”) and the 2016 TCH Role of the Board Report note, effective corporate governance is determined by the quality, skills, expertise, and judgment, individually and collectively, of the members of the board. Further, an informed and actively engaged board is a core element of effective governance.
Boards should make a meaningful commitment to carrying out their oversight functions in a strong, independent, and proactive manner – i.e., oversight isn’t passive. The 2016 TCH Role of the Board Report terms this approach “informed and active” engagement, and the report sets forth a playbook that boards may employ regardless of the nature of the threat or risk at issue (e.g., in assessing the benefits and risks of adoption of a new technology platform or management’s determinations relating to the institution’s cybersecurity preparedness).
Although the approaches taken by individual boards and board committees will appropriately vary, the following are illustrations of how boards may perform an active oversight role in three aspects of a board’s playbook. Various considerations, including the board’s assessment of management’s capabilities and its confidence in the openness with which management approaches issues, may be relevant to how boards opt to apply these aspects of the “playbook” in the context of their own institutions. (Note: The TCH GPs and the 2016 TCH Role of the Board Report collectively provide a more comprehensive discussion on how banking organization boards may approach carrying out their core board functions. References to the term “board” in this section refer to either the board or a board committee, as applicable.)
1. The Oversight Delegation-Reporting Feedback Loop: The oversight feedback loop (where the board delegates responsibility to management, management reports back to the board, and the board provides feedback to management on reports) becomes particularly important where the risk landscape changes rapidly. Active oversight may be exhibited through actions, including directors who do the following:
- Convey expectations to management relating to ongoing (e.g., periodic updates) and special reporting to the board on what the board believes it needs to know for effective oversight (generally, timely, well-presented, and understandable information that a nonspecialist can understand on the material risks and areas where corrective action is required), and a “no-surprises” approach to escalation that addresses what the potential problems are (not just what is going right).
- Provide feedback to management on the format and content of information presented to the board.
- Engage in discussions outside of the formal board meeting to gain additional perspectives on the views of management and other personnel. (Note: As a practical matter, most board engagement will be with senior management, although directors may find it useful to periodically meet with and/or receive information from other members of management/personnel, risk officers, internal auditors, outside advisers and consultants, and bank examiners.)
As an example, if the board becomes aware of material deficiencies or opportunities for enhancements in management’s operation of the business, in reporting or compliance systems, in risk management or otherwise, this approach provides a flexible framework for the board to be informed of management’s planned responses and for periodic progress updates in the course of its oversight of the company. If progress lags, the board has the opportunity for more frequent and/or deeper involvement, as it determines appropriate.
2. Procedural Checks, Reviews, and Internal and External “Challenge” of New Initiatives/Risk Management of Emerging Risks: In an environment where risks continue to evolve quickly, boards may find it useful to understand and oversee the use of independent assessments and/or industry benchmarking to vet and inform new managerial initiatives, recommendations, and findings presented to the board. Active oversight may be exhibited through actions, including that directors do the following:
- Ask informed, probing questions of management regarding the institution’s use of internal and/or third-party assessments (i) of risk management programs addressing new sources of risk as well as examination findings and resources being dedicated to risk management, and (ii) important initiatives.
- Articulate an approach to assure that there is appropriate coverage of developing risks (e.g., adequate internal and/or external expertise) to provide a level of comfort that the bank is organized appropriately and prepared to address potential threats.
3. Periodic Review and Evaluation of Whether the Board is Using Its Time and Resources Most Effectively: Especially in times of technological and business model transformation, directors may periodically ask themselves (e.g., through an assessment process), whether they are using their time and resources most effectively. Active oversight may be exhibited through actions, including that directors do the following:
- Articulate an approach for determining what matters should be addressed at the board and committee level.
- Allow time for “deeper dives” focused on new initiatives and sources of risk.
- Consider the need for updated, refocused, and/or expanded board education/training.
There continues to be an ongoing debate over whether bank boards need directors with greater technical expertise in the “digital age.” The debate sometimes misses the point that “experts” may not have other critical experience or capabilities complementing skill needs/gaps for the board on a collective basis. (Note: See GPs (Commentary to Section 7(a)) for a discussion regarding board composition and the merits of having a board with a diversity of experiences and perspectives to draw upon.) An assessment of the collective capabilities of the board and how the board works together is more meaningful than an assessment of individual skills. Accordingly, boards themselves should make their own determinations on how best to ensure an appropriately knowledgeable perspective on technology-related matters for purposes of carrying out their oversight responsibilities – i.e., whether for (i) one or more board member(s) to have particular expertise, (ii) the board to retain external experts for briefings or guidance or education (e.g., for board members to be brought up-to-date on key developments and, more generally, maintain an appropriately knowledgeable perspective and awareness on technology-related issues), and/or (iii) the board to rely on their access to the financial institution’s own resources or staff with such expertise, as well as assessments by third parties engaged by management. (Note: Many institutions employ teams of professionals who are highly knowledgeable in technical areas such as IT security. As noted above, board members may well want to understand the processes for periodic third-party assessments (or benchmarking) of the institution’s approach even in cases where internal teams are at the frontier of knowledge in a given area.)
The board’s role should be to provide informed oversight, and the board should have the flexibility to choose which source(s) to draw upon, in light of the facts and circumstances, to ensure it has an appropriately knowledgeable perspective to do so.
Boards and regulators have an important function to carry out in a rapidly changing and complex environment. We are encouraged to see continued discourse around the need to clearly distinguish the role of the board versus that of management at a time when board stewardship and strategic guidance has never been more important for the banking industry.
There is perhaps a natural temptation to consider new risks as somehow different from existing ones – requiring new structural approaches or prescriptive solutions such as a fundamentally different approach to board governance. Experience has shown that the hot topics on the board agenda today may change over time, but the distinction between the role of the board versus that of management remains a core precept for effective governance.
About the Authors:
Paul Harris is Secretary and General Counsel of KeyCorp and oversees the corporation’s legal and government relations functions. Prior to joining KeyCorp in 2003, Harris served as partner-in-charge of the Cleveland office of Thompson Hine LLP. Harris serves on behalf of KeyCorp as a member of The Clearing House Association Managing Board of Directors and is a past Chair of the Association and current Chair of the Association’s Governance Committee. He is a past President (2007–2008) of the Ohio Chapter of the Society for Corporate Governance (formerly known as the Society of Corporate Secretaries & Governance Professionals, Inc.). Harris received a bachelor of arts degree from the University of Chicago and his jurisprudence degree from Stanford Law School.
Gregg Rozansky is Managing Director and Senior Associate General Counsel of The Clearing House. Rozansky leads the policy efforts of TCH on an array of bank regulatory, compliance, and corporate governance-related issues affecting large financial institutions. He is a frequent presenter on bank corporate governance and regulatory issues at leading financial industry events and has written extensively on the regulation of major banking institutions and regulatory reform, including the Dodd-Frank Act. Prior to joining TCH in 2013, Rozansky advised financial institutions on U.S. bank regulatory and compliance issues in private practice at Cleary Gottlieb Steen & Hamilton and Shearman & Sterling. He is a graduate of Harvard Law School and earned his B.A. in economics and government at Cornell University.