Chapter I: Introduction
Community banks play a vital role in the nation’s economy and local communities, and a bank’s management including its directors and senior management is perhaps the single most important element in the successful operation of a bank. In 1988, the FDIC issued the Pocket Guide for Directors (Pocket Guide), which is a set of commonsense principles setting forth the basic responsibilities and duties of a bank’s board of directors. Broadly speaking, the Pocket Guide describes a framework for corporate governance that applies to any institution.
Almost 30 years have passed since the issuance of the Pocket Guide. It remains unchanged to this day on the FDIC’s website because the FDIC believes that the core responsibilities of bank directors, and especially directors of community banks, should be presented in a clear and straight forward manner.
While the core principles of being a bank director have not changed materially, any bank director can benefit from staying current on the corporate governance lessons and experiences of other bankers and bank supervisors as industry conditions and challenges evolve. In that spirit, this special issue is intended as a commentary and reflection on the Pocket Guide – one that incorporates more recent guidance and technical resources, including significant bank-governance insights and experiences that have been gained since 1988. This issue ing guidance regarding corporate governance as well as observations and practical tips from supervisory activities, ongoing communications, and outreach efforts that have helped community banks and their directors weather the ups and downs of business cycles. The term “community bank,” as used in this issue, refers to insured depository institutions whose business models reflect a focus on traditional lending and deposit-gathering activities within a fairly limited geography, rather than to banks below a particular asset-size cutoff.
This special issue does not constitute a revised Pocket Guide for Directors. Like other articles published in Super- visory Insights, it is neither supervisory guidance nor required reading for any banker, but is intended as a resource for persons with an interest in bank governance and bank directors’ responsibilities.
This issue is divided into chapters. Discussion includes key governance concepts and the important roles and responsibilities of community bank directors and senior management; an expanded discussion of the principles outlined in the Pocket Guide, particularly as they relate to community bank governance and planning activities; and how FDIC examiners evaluate the effectiveness of a community bank’s board of directors. An Appendix lists resources that are available to assist community bank directors in fulfilling their duties, including links to pertinent regulations, guidance, and FDIC training materials.
Chapter II: Community Bank Corporate Governance
What is Corporate Governance?
Community bank directors and senior management are responsible for establishing and maintaining the bank’s corporate governance framework. Definitions of corporate governance vary, but they often focus on relationships, policies, and processes that provide strategic direction and controls in a company. Strong corporate governance is the foundation for an institution’s safe-and-sound operations. An effective governance framework is necessary to remain profitable, competitive, and resilient through changing economic and market conditions. A corporate governance framework should be functionally sound and appropriate for the size, complexity, and risk profile of the community bank. Community banks should not have to develop elaborate governance frameworks to be effective, or hire consultants to do so.
Responsibilities of the Board and Senior Management
The FDIC expects boards of directors to provide a clear governance framework that incorporates sound objectives, policies, and risk limits. Equally important, the board should monitor the extent to which officers and employees comply with this framework and with applicable laws and regulations. Therefore, effective corporate governance requires a high level of cooperation between a community bank’s board of directors and senior management, as well as a common understanding and awareness of the bank’s risks. At the same time, a director’s responsibility to oversee the conduct of the bank’s business necessitates using independent judgment and providing a credible challenge. This entails engaging in robust discussions with senior management and perhaps challenging recommendations at times, rather than simply deferring to their decisions.
The FDIC’s expectations related to community bank director responsibilities and obligations are based on long- standing common-sense principles. The FDIC Statement Concerning the Responsibilities of Bank Directors and Officers, issued in 1992, reminds directors and senior management of their obligation to comply with federal and state statutes, rules, and regulations and addresses the “duties of loyalty and care” they owe to their shareholders, depositors, and other creditors of the bank (see inset box page 5).
Duties of Loyalty and Care (from the FDIC Statement Concerning the Responsibilities of Bank Directors and Officers, 1992)
“The duty of loyalty requires directors and officers to administer the affairs of the bank with candor, personal honesty and integrity. They are prohibited from advancing their own personal or business interests, or those of others, at the expense of the bank.”
When administering the affairs of the institution, directors and senior management should be candid, open and direct; voice their opinions without hesitation; give direct instruction; and most importantly, do so with honesty. The interest and welfare of the institution should take priority over the interests of directors, officers, their family members, and their beneficial interests.
“The duty of care requires directors and officers to act as prudent and diligent busi- ness persons in conducting the affairs of the bank.”
Directors and senior management must act in good faith, with the level of care that an ordinarily prudent person would exercise in similar circumstances, and in a manner they reasonably believe is in the best interests of the organization. The duty of care requires directors and senior management to acquire sufficient knowledge of the material facts related to a proposed transaction, thoroughly examine all information available to them with a critical eye, and actively participate in the decision making process.
Community bank directors sometimes express concern that they are being asked to perform “senior management functions.” Although the recent financial crisis re-emphasized the importance of certain longstanding director responsibilities, the FDIC has not shifted the expectation of senior management responsibilities to directors.
The Uniform Financial Institutions Rating System (UFIRS), also known as the “CAMELS” rating system, was adopted on November 13, 1979, and updated January 1, 1997. It differentiates between director and senior management responsibilities:
“Generally, directors need not be actively involved in day-to-day operations; however, they must provide clear guidance regarding acceptable risk exposure levels and ensure that appropriate policies, procedures, and practices have been established. Senior management is responsible for developing and implementing policies, procedures, and practices that translate the board’s goals, objectives, and risk limits into prudent operating standards.”
While differentiating responsibilities, the UFIRS also reflects that while directors and officers often work hand-in-hand, their formal roles within the bank are distinct and should not be intermingled. Ultimately, the board is responsible for monitoring senior management and business operations.
The Tone from the Top – Maintaining a Strong Corporate Culture
The FDIC has found that directors who diligently oversee the bank’s operations are critical partners in supervisory efforts. Prudent oversight is rooted in the directors sending a clear message to staff that they value a strong risk management culture that includes a strong ethical culture. A “risk management culture” can be described as the system of goals, bjectives, policies, controls, values and behaviors present in an organization that influence risk decisions. An “ethical culture” can be described as the belief that the interests of customers, investors, the community, and other stakeholders take precedence over short-term profits. Banks rely on trust and public confidence to obtain and maintain depositors and investors.
To maintain that confidence, every depository institution, including community banks, should have a strong risk management culture that incorporates strong ethical values and appropriate conduct. In 2005, the FDIC issued Corporate Codes of Conduct, Guidance on Implementing an Effective Ethics Program, which sets expectations that boards will establish policies on ethics and corporate conduct at all banks that the FDIC supervises, including community banks. Community bank directors should ensure the bank has such policies that address at least the following areas:
- Safeguarding confidential information
- Ensuring the integrity of records
- Providing strong internal controls over assets
- Providing candor in dealing with auditors, examiners and legal counsel
- Avoiding self-dealings and acceptance of gifts or favors
- Observing applicable laws
- Implementing appropriate background checks
- Involving internal auditor(s) in monitoring the corporate code of conduct or ethics policy
- Providing a mechanism to report questionable activity
- Outlining penalties for a breach of the corporate code of conduct or ethics policy
- Providing periodic training and acknowledgement of policy requirements
- Periodically updating policies to reflect new business activities
Chapter III: The FDIC Pocket Guide for Directors – An Expanded Commentary
The subsections in this chapter address the general themes and principles set forth in the Pocket Guide and expand on them based on guidance that has been issued since the Pocket Guide was released in 1988. The expanded observations include effective governance practices at community banks. The chapter also describes additional resources that bank directors may find useful. As the presentation is thematic in nature, it follows closely but does not explicitly adhere to the order and format of the Pocket Guide.
First and foremost, the board and individual directors should establish and maintain the board’s independence. As described in the Pocket Guide, one of a director’s key duties is to provide independent judgment, which requires appropriately challenging senior management’s opinions, recommendations and assessments. To effectively provide independent judgment, community bank directors should make every effort to attend and be prepared for board meetings and assigned board-level committee meetings. Directors should strive to understand reports and summaries and ask questions if they do not.
Critical evaluation of issues before the board is essential. Community bank directors should not be a “rubber stamp.” Directors who routinely approve senior management decisions without exercising their own informed judgment are not adequately serving their institutions, their stockholders, or their communities.
Select and Retain Competent Management – Talent Development and Succession Planning
In hiring and retaining a qualified senior management team, the board of directors is ensuring that the right people are in place to carry out the board’s vision, policies and strategic plan. Community bank directors, especially those in small towns and rural areas, often indicate that hiring and retaining key officers, and those who may step into those roles in the future, can be challenging. Directors should ensure that senior management officials possess the experience and knowledge necessary to fulfill the obligations of each key position, and monitor and evaluate senior management’s performance in effectively carrying out their assigned responsibilities.
Directors should provide for an effective pre-employment screening program to appropriately vet candidates and ensure that the senior management team possesses a high level of integrity. Section 19 of the Federal Deposit Insurance Act (FDI Act) prohibits any person who has been convicted of certain criminal offenses from participating in the affairs of the institution. Additionally, Section 32 of the FDI Act requires FDIC-supervised banks that are not in compliance with minimum capital requirements or otherwise in a troubled condition to seek the FDIC’s approval before hiring directors or senior executive officers.
Basic features of effective personnel administration include a clear organizational structure, detailed position descriptions, training and development opportunities, sound compensation policies, and effective communications. Regular evaluation of the management and staffing structure helps to ensure that necessary positions and reporting lines are established and appropriate for the institution’s size, activities, complexity, and risk profile. This evaluation should be updated when new initiatives and product lines are being considered or new risks emerge. Having these systems in place ensures there is accountability for key decisions and strategies.
A management succession and talent development plan is a valuable tool to build bench strength and maintain continuity in the chief executive and other key senior management positions. The succession and talent development plan should start with an assessment of potential successors who may be groomed from within, along with the training, mentoring, and developmental resources needed to do so. Sound planning also addresses the process of identifying potential successors from outside the organization, when necessary. A management succession and talent development plan should generally cover at least a three to five year horizon.
Community banks face strong competition for skilled, experienced staff who know and understand the community bank model. The rewards and opportunities for community bank employees, especially in small or rural communities, may be very different compared to their large bank counterparts. Thus, growth and retention of staff throughout the organization is an important component of the talent development process.
Even the smallest community banks can find ways to motivate employees and expand and diversify their skills through cross-training, service on committees or special projects, attending conferences, and coaching and mentoring relationships. Some community banks have worked with local universities and colleges by supporting banking courses and offering student internships. There is no single approach to employee retention and development, but taking a proactive and innovative approach may be a good first step.
Establish, With Management, the Institution’s Long and Short-Term Business Objectives
A key responsibility for a community bank’s board is to work with senior management to set the future direction of the bank by establishing the institution’s long and short-term business objectives.
Understand the Bank’s Risk Profile
To set appropriate business objectives for the bank and properly monitor the bank’s operations and supervise senior management, community bank directors should have a solid understanding of the bank’s risk profile. Evaluating a bank’s risk profile involves more than looking at its financial condition today. It includes assessing the riskiness of the business model, meaning the types of products and services the bank offers and how they are delivered; evaluating how the bank manages the risks associated with its business model and growth plans; and looking outside the bank to consider potential external threats from the bank’s operating environment.
When the phrase “complexity, nature, scope, and risk” of a bank’s activities is used to describe how rules or guidance should be applied, it refers to this type of assessment of a community bank’s risk profile. As shown in the inset box on page 10, community banks are not all the same. Even those that seem similar at first can have vastly different risk profiles, and the FDIC would expect community banks with a higher risk profile to have stronger risk management practices and a higher degree of board oversight. This does not mean that community bank boards are expected to have an elaborate “enterprise risk management” process or software or formal risk committees, and community banks are not expected to hire consultants in the risk assessment and monitoring process. However, community bank directors and senior management are expected to understand and monitor the bank’s risk profile.
This expectation is discussed in the preamble to the UFIRS as follows:
“The ability of the board and senior management to identify, measure, monitor, and control the risks of its operations is also taken into account when assigning each component rating. It is recognized, however, that appropriate management practices vary considerably among financial institutions, depending on their size, complexity, and risk profile. For less complex institutions engaged solely in traditional banking activities and whose directors and senior managers, in their respective roles, are actively involved in the oversight and management of day-to-day operations, relatively basic management systems and controls may be adequate. At more complex institutions, on the other hand, detailed and formal management systems and controls are needed to address their broader range of financial activities and to provide senior managers and directors, in their respective roles, with the information they need to monitor and direct day-to-day activities. All institutions are expected to properly manage their risks. For less complex institutions engaging in less sophisticated risk taking activities, detailed or highly formalized management systems and controls are not needed to receive strong or satisfactory component or composite ratings.”
An Illustration of Two Banks with a Similar Financial Position, but With Very Different Risk Profiles
Two community banks each have about $500 million in total assets and a Return on Assets (ROA) of approximately one percent. The banks operate in suburban areas of the same mid-sized U.S. city, and have similar capital levels and a similar mix of asset types and funding sources.
Community Bank A’s ROA had been hovering at about 0.8 percent for several years, but increased to one percent very recently due to income from a new program of high-yield but high-risk lending the bank launched about a year ago. The new lending program has grown rapidly. The bank’s loan loss reserve has been decreasing due to increasing loan losses related to the program, and the capital ratio has declined due to the growth. Also, the senior loan officer position has turned over twice in the past year, and senior management has not forecast how large the new portfolio will become. The bank’s board receives regular reports regarding the new portfolio, but has not set objectives for the desired rate of return on the activity or parameters around its growth.
Community Bank B has not changed its lending product line for a number of years and has grown steadily, maintaining a one percent ROA during that time, including through several business cycles. Senior management and the board have recently decided to launch a new product line and have forecasted the effects on earnings, the loan loss reserve, and capital over the next three years. The board ensured that sound policies and appropriately skilled staff were in place prior to implementing the new program. The board also placed limits on the size of the new product line and risk tolerance “circuit breakers,” so new lending will stop if the income it produces is not sufficient to build the additional loan loss reserves and capital needed to support the new activity.
Although this is just a high-level summary without all the facts, these community banks appear to be similar on the surface, but have very different risk profiles. Bank A appears to have a higher risk profile than Bank B. The board and senior management of Bank A entered into a new area of lending without establishing risk and return objectives and growth limits for the program, and there is a lack of management stability in the oversight of the program.
Bank B appears to have a lower risk profile. The board and senior management have done an effective job of managing credit risk and maintaining earnings, even through the ups and downs of several business cycles. Moreover, they performed due diligence when planning for a new product launch, and developed a contingency plan if the product does not succeed.
Set Risk Objectives and Parameters
Once a community bank board has a sense of a bank’s risk profile, it should set an appropriate “risk appetite” for the institution. Risk appetite means a set of objectives and risk parameters within which senior management should operate. The FDIC expects community bank directors to establish prudent limits around risk areas that could affect the condition of the bank, which should not require the extra expense of vendor-provided modeling software.
There is no single list of areas for which directors should set risk objectives and parameters. At a minimum, however, the FDIC would expect objectives and parameters for overall credit risk; for asset concentrations, by business line and by borrower or issuer, as appropriate; for the bank’s funding mix; and for interest rate risk. A community bank’s board should also monitor senior management’s adherence to objectives and parameters, ask probing questions, and take early action if the situation changes or if risk management practices are not sufficient to support the risk objectives and parameters.
Community bank directors and senior management face everyday challenges and opportunities related to constantly evolving economic and market conditions, competition, and innovation, along with emerging or unforeseen risks, such as cyber threats or natural disasters. Sound strategic planning is crucial in dealing with uncertainty and change. To be effective, strategic planning decisions must be dynamic and updated as circumstances change.
The FDIC expects its supervised institutions to have a strategic planning process to guide the direction and decisions of senior management and the board. This process is unique to each institution, driven by its culture, mission, business model, risk appetite, resources available (including management talent), risk profile, size, geographic location, communities served, and other considerations. As a result, the formality of the strategic planning process will vary from bank to bank, but a strategic plan should be more than just a piece of paper.
For most community banks, strategic planning should be a dynamic process designed to answer a few basic questions: Where are we now, where do we want to be, how do we get there, and how will we know we are successful?
Where are we now?
The success of any strategic plan begins with a solid understanding of the institution’s mission, vision, business model, risk profile, risk appetite, and positive influences (strengths, opportunities) and adverse influences (weaknesses, threats). This analysis helps prioritize which opportunities should be pursued, and which gaps need to be filled. As an example, if a community bank with a business model that focuses largely on commercial and industrial lending has material credit administration issues to resolve, devoting significant resources to launching a new commercial real estate department before resolving the issues would likely have negative consequences.
Where do we want to be?
This step considers both short and long range goals and objectives. These objectives should align with the core mission and values of the community bank, as well as the board’s established risk appetite and the bank’s policies. The planning time horizon will not be identical for every community bank, but, a three- to five-year planning horizon is generally satisfactory for most community banks.
Directors and senior management should have a solid grasp of the current and future operating environment
FDIC provides a wealth of industry and economic information that banks may use to inform their strategic decisions. For example:
- The Quarterly Banking Profile (QBP) provides a comprehensive summary of financial results for all FDIC-insured institutions, with a report card on industry status and performance that includes written analyses, graphs and statistical tables. The QBP was expanded in 2014 to add data specifically related to community banks.
- Deposit Market Share Reports provide a market share report for any geographic area and allows users to see a specific bank or holding company’s market share in every geographic market in one report.
- State Profiles provide quarterly data sheet summation of banking and economic conditions in each state.
Links to these and other informative reports may be found on the Bank Data Guide page at https://www.fdic.gov/bank/statistical/guide/.
This does not require an elaborate economic forecast or a multitude of charts and graphs, and can probably be done in-house given the abundance of data and resources available online. (See inset box below for some resources available on www.fdic.gov).
Information gathering should focus on the current operating environment and determine what is needed to support the community bank’s goals and objectives. The emphasis should be on quality, not quantity. Board members should consider different scenarios and what would be necessary to operate successfully under varied economic, market, and interest rate conditions.
Again, the FDIC does not expect community banks to have complicated stress test processes and programs that must be provided by vendors, but it does expect that community bank directors and senior management understand how external changes can affect their banks.
How do we get there?
The ability to translate these goals and objectives into an achievable plan will depend on the tactics chosen and whether the institution has (or can reasonably acquire) the necessary personnel, financial, and other resources and information systems. For institutions that plan significant growth, new products or locations, or other initiatives, this step is particularly important. It also is important that planning addresses the need to maintain adequate capital and liquidity as the operating environment evolves in potentially unpredictable ways. Internal communication of the strategic plan and accountability by officers and staff for each area are essential for effective implementation. Finally, backup plans will help minimize disruption and reactive decision making if things do not go as expected.
How will we know we are successful?
A well-designed plan may still fail if its implementation is inadequate. This is why the primary focus should be on the ongoing process of strategic planning as opposed to the production of a static, written document. Well-supported goals and performance measures should be built in and reviewed periodically to ensure senior management’s execution meets the board’s expectations. Regular review also allows the board and senior management to adjust tactics as needed to accommodate changing market and economic factors. Board reports should provide sufficient information to accurately assess whether the institution is on track.
As described in the Pocket Guide, supervision of senior management is the broadest of the board’s duties, and the scope of appropriate supervision will vary from bank to bank. The board must ensure that senior management has established, and the board has adopted, policies for the most important areas of the bank. The board must also monitor implementation of the policies and provide for independent review and testing of compliance with its policies and applicable laws and regulations. Finally, board members are expected to personally review any reports of examination or other official supervisory communications and heed the recommendations and comments therein.
Adopt Operating Policies
The board should ensure that all major operational areas and activities are covered by clearly communicated policies that can be readily understood by all employees and that are appropriate for the bank’s size. The Pocket Guide indicates that specific policies should include, at a minimum:
- Loans, including internal loan review procedures
- Asset-liability/funds management
- Profit planning and budget
- Capital planning
- Internal controls
- Compliance activities
- Audit program
- Conflicts of interest
- Code of ethics
A community bank’s board should also ensure that senior management has established appropriate policies and procedures for the areas covered in the Interagency Guidelines Establishing Standards for Safety and Soundness (Safety and Soundness Standards), which were issued in 1995 to implement Section 39 of the FDI Act. Although some of the Safety and Soundness Standards overlap with the minimum areas of operating policy coverage outlined in the Pocket Guide, risk management expectations set forth in the Safety and Soundness Standards are more descriptive and forward-looking in that they are intended to identify emerging problems and deficiencies before capital becomes impaired. The following areas are covered by the Standards:
- Internal controls and information systems
- Internal audit system
- Loan documentation
- Credit underwriting
- Interest rate exposure
- Asset growth
- Asset quality
- Compensation, fees, and benefits
Additional expectations for these areas and expectations related to other specific risk areas are embedded in topical guidance and within published examination manuals. In addition to covering areas outlined in the Pocket Guide and Safety and Soundness Standards, community bank directors should ensure that senior management has established appropriate risk management policies and procedures in Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) compliance, information technology and cyber risk, and compliance with the Community Reinvestment Act and consumer protection laws and regulations.
Of course, depending on the community bank’s business model, risk profile, location, and other factors, a community bank’s board of directors may choose to require policies and procedures for additional areas of the bank.
Monitor Operations and Oversee Business Performance
Although community bank directors are often not experts in banking or finance, they need to remain current with changes in the bank’s financial condition and risk profile. To do this, community bank directors should make sure the bank’s senior management provides periodic reports and summaries of the bank’s financial position and conformance with its policies and procedures. The frequency and content of reports and summaries will vary among community banks, and some community bank boards may choose to assign more detailed monitoring and oversight of particular risk areas to board-level committees.
Additionally, community bank directors should review the bank’s periodic reports of examination. These reports provide the regulator’s assessment of the bank’s operations, financial condition, and risk profile through the assigned CAMELS individual component ratings and the overall composite rating of the bank as well as through the comments and analysis contained within the report. The FDIC also encourages directors to participate in the examination process by meeting with examiners and asking questions. At the start of examinations, bank directors will be invited to participate in regularly scheduled meetings between FDIC examiners and directors. The CAMELS ratings definitions provide the roadmap for how examiners assess a bank’s risk profile. Some directorates have found it useful to use the definitions in a “self-rating” exercise, where they act as if they were examiners and rate the bank between examinations as part of the risk profile monitoring process.
Provide for Independent Reviews
Banks operate within a regulatory framework based on state and federal laws and regulations that are designed to protect the bank’s stakeholders (depositors, borrowers, investors, creditors, employees, and others). Examples include legal lending limits, rules limiting insider and affiliate transactions, capital requirements and consumer protection laws. This framework is supplemented by interagency and FDIC-only policy statements and regulatory guidelines that are approved by the FDIC’s Board of Directors, and examination guidance. Examples of interagency and FDIC-only policy statements include the previously discussed UFIRS, the Interagency Policy Statement on the Allowance for Loan and Lease Losses, the Interagency Policy Statement on External Auditing Programs of Banks and Savings Associations, and the FDIC Statement of Policy for Section 19 of the FDI Act. Examples of guidelines that have been approved by the FDIC’s Board of Directors and codified into a regulation include the Interagency Guidelines Establishing Standards for Safety and Soundness and Interagency Guidelines Establishing Information Security Standards. Examples of guidance include the FDIC’s Financial Institution Letter 46-2013, Managing Sensitivity to Market Risk in a Challenging Interest Rate Environment and Financial Institution Letter 84-2008 Liquidity Risk Management.
What Is the Difference Between Rules, Regulations, Policy Statements, Guidelines and Guidance?
Examiners cite apparent violations of laws and regulations in the “Violations of Laws and Regulations” section of the examination report. Violations may be technical in nature, indicating the need to simply correct the noted issue, or systemic, indicating a problematic practice or flaw in the bank’s processes or controls. Depending on the facts, violations of laws and regulations may be the basis for a formal enforcement action or civil money penalties. Nonconformance with regulatory guidelines that have been issued as part of a rule and are generally cited in a separate section on the Violations page of the examination report. The FDIC and other federal banking regulators also issue various other supervisory documents, including Statements of Policy that are not incorporated into regulations. Supervisory guidance outlines the agencies’ supervisory expectations or priorities and articulates the agencies’ general views regarding appropriate practices for a given subject area. Supervisory guidance often provides examples of practices that the agencies generally consider consistent with safety-and-soundness standards or other applicable laws and regulations, including those designed to protect consumers. Examiner concerns about a bank’s policy or practice that is inconsistent with the safety-and-soundness principles are usually referenced in applicable sections of the examination report, depending on the topic. These concerns may result in recommended action on the part of management to mitigate the identified risks.
Community bank directors are not expected to have detailed knowledge of applicable laws, regulations, and regulatory expectations. However, they are expected to monitor operations to ensure that they are controlled adequately and are in compliance with laws and regulations.
In general, the board should establish a mechanism for independent third-party review and testing of compliance with board policies and procedures, applicable laws and regulations, consistency with safety-and-soundness principles and accuracy of information provided to senior management. These reviews might be accomplished by an internal auditor reporting directly to the board, or by a committee of the board.
In the FDIC’s experience, some bankers will seek examiners’ views about how their bank compares with its peers in a variety of specific respects, or how other banks have handled issues similar to those faced by their bank. These discussions can help inform bankers about sound risk management practices observed at other banks. Such informal discussions, however, are not the channel by which the FDIC conveys supervisory recommendations. Agency recommendations and findings are conveyed through the report of examination and other written correspondence from the FDIC.
Community bank directors should also ensure that the bank has a strong system of internal controls. An important element in ensuring the effectiveness of the internal control system is establishing an internal audit function. As described in the Safety and Soundness Standards, all institutions should have an internal audit function that is appropriate for its size and the nature and scope of its activities. A small institution with few employees and non-complex operations can ensure that it maintains an effective and objective internal audit function by implementing a set of independent reviews of key internal controls. Directors should also make sure that the bank has appropriate policies, procedures, and training programs to ensure that directors, officers, and employees are familiar with applicable laws, regulations, and regulatory expectations.
Some FDIC and interagency policies and guidance describe expectations for independent reviews. For example, an independent review is a critical component of the control processes for BSA/AML, interest rate risk, the allowance for loan and lease losses methodology, and compliance with consumer protection laws, regulations, and internal compliance policies and procedures. The FDIC does not expect community banks to hire consultants to conduct independent reviews. Rather, FDIC and interagency policies and guidance state that independent reviews will vary substantially in form and scope for institutions, depending on the business model and complexity of operations and generally may be conducted by one of the following:
an institution’s staff or board member, provided the individual is qualified and independent of the function under review; the institution’s internal audit function; or the institution’s external auditor or some other qualified third party.
Heed Supervisory Reports
The recent crisis showed that for “turn-around banks” – those that were troubled, but returned to satisfactory condition – the board and senior management’s responsiveness to supervisory concerns was a key differentiating factor between those banks that survived, and similarly situated banks that ultimately failed. Board members should personally review reports of examination or other supervisory activity and other correspondence from the institution’s supervisors. Findings and recommendations should be reviewed carefully. Progress in addressing problems should be tracked, and directors should discuss issues of concern with the examiners.
In particular, when reviewing the report of examination, directors should pay heightened attention to any Matters Requiring Board Attention (MRBA) cited by examiners. MRBA are intended to highlight and prioritize for directors the most important or immediate examiner concerns and criticisms. Examples of MRBA include, but are not limited to:
- Emerging issues with which the board needs to be more proactive in establishing policy and risk management parameters;
- Policy weaknesses that, if left unaddressed, could increase the risk profile or adversely impact the condition of the institution;
- Ineffective management;
- Repeat examination recommendations or regulatory, audit or risk management criticisms that have continued to escalate in importance;
- Enforcement action provisions requiring continued attention; or
- Significant noncompliance with laws and regulations or the bank’s own policies.
Directors are expected to ensure that senior management develops and implements timely corrective measures to address all MRBA. FDIC case managers will follow up shortly after the examination on the board and senior management’s progress in addressing MRBA.
To maintain independence, directors must keep themselves informed of the activities and condition of their institution and of the environment in which it operates. They should attend board and assigned committee meetings regularly, and should be careful to review closely all meeting materials, auditor’s findings and recommendations, and supervisory communications. Directors also should stay abreast of general industry trends and any statutory and regulatory developments pertinent to their institution. Directors should work with senior management to develop a program to keep members informed.
The pace of change in financial institutions today makes it particularly important that directors commit adequate time to be informed participants in the affairs of their institution. The FDIC has developed many resources and programs to help directors and senior management stay up-to-date on changes to banking laws, regulations, and supervisory expectations. In particular, the FDIC encourages all community bank directors to explore the “Directors’ Resource Center” on the www.fdic.gov website.
There, community bank directors will find links to training resources, including a virtual Directors’ College, a series of New Director Education Videos, and a number of technical assistance videos related to important operational, risk management, and compliance areas. The FDIC has also developed the Cyber Challenge, a series of scenarios and vignettes designed to assist community banks in dealing with the potential impact of information technology disruptions. Furthermore, the FDIC created a regulatory calendar that alerts directors and other stake-holders to critical information, such as comment and compliance deadlines relating to new or amended federal banking laws and regulations, and the issuance of supervisory guidance. The calendar includes notices of proposed, interim and final rulemakings, and provides information about banker teleconferences and other important events related to changes in laws, regulations, and supervisory guidance. The Appendix to this special issue provides resources that can assist community bank directors with staying informed.
Ensure that the Institution Helps to Meet its Community’s Credit Needs
Community bank directors should be aware of their institutions’ responsibilities under the Community Reinvest- ment Act (CRA). Congress enacted the CRA in 1977 to encourage insured depository institutions to help meet the credit needs of the communities in which they operate, including low- and moderate-income (LMI) neighborhoods, consistent with safe-and-sound banking operations. The CRA requires that each insured depository institution’s record in helping meet the credit needs of its entire community be evaluated periodically by one of the federal bank regulatory agencies, including the FDIC.
The federal banking agencies have responsibility for evaluating how insured depository institutions serve their local communities, taking into account the size and capacity of each institution and the credit needs of its communities, and that examination criteria and data collection vary by bank type and size categories. Based on this performance evaluation, the agencies assign institutions a rating of “outstanding,” “satisfactory,” “needs to improve,” or “substantial noncompliance.” The federal banking agencies are required to consider an institution’s CRA rating when it submits an application to expand or acquire another institution.
Directors should also be aware that their institutions must maintain and update a public file that contains specific information regarding its CRA performance. In addition, each institution must post a notice in its lobby of the availability of the public file and providing consumers with contacts at the bank and its appropriate regulator in order to provide comments regarding the bank’s CRA performance.
Avoid Preferential Transactions
Financial transactions with insiders, including compensation, must be above reproach. Insider transactions should be in full compliance with laws and regulations concerning such transactions, and judged according to the same objective criteria used in transactions with non-insider customers. The basis for decisions relating to insider transactions must be fully documented. Directors should never use their influence with senior management for personal advantage or wrongfully use confidential information concerning the bank’s clients. Directors and senior management officials who permit preferential treatment of insiders breach their responsibilities, can expose themselves to serious civil and criminal liability, and may expose their institution to a greater than ordinary risk of loss.
Chapter IV: Assessing Community Bank Board Effectiveness
The quality of management and the manner in which directors and senior management govern a bank’s affairs are perhaps the most important factors in the successful operation of a bank. Studies of failed and troubled banks indicate that ineffective leadership and oversight by directors and senior management are often the root cause of a bank’s problems. Because the consequences of governance failures may be serious, FDIC examiners carefully assess an institution’s corporate governance framework at each onsite examination.
This governance assessment takes place as part of the review of bank management, including the performance of the board of directors and senior management in conducting an institution’s activities in a safe-and-sound manner, effectiveness of risk management processes, and compliance with applicable laws and regulations. The findings of this assessment are incorporated into the “Management” rating component of the CAMELS rating.
Examiners assess the Management component relative to the institution’s size, complexity, and risk profile. This assessment focuses on the effectiveness of the board and senior management in identifying, measuring, monitoring, and controlling the risks of an institution’s activities. These elements are addressed in the definition of the “Management” component rating, as well as in the Safety and Soundness Standards. Elements that factor into the Management component review include, but are not limited to:
- Oversight by the board of directors and senior management
- Skills and competence of directors, officers, and staff
- Strategic planning, policies, processes, and controls, taking into consideration the size and sophistication of the institution
- Audit program and internal control environment
- Risk monitoring and management information systems
- Ability to plan for, and respond to, risks that may arise from changing business conditions or the initiation of new activities or products
- Compliance with laws and regulations
- Responsiveness to recommendations from auditors and supervisory authorities
- Management depth and succession
- Effect of dominant management influence
- Reasonableness of compensation policies and avoidance of self-dealing
- Willingness to serve the legitimate banking needs of the community
Strategic Planning Considerations
The quality of the institution’s planning process is a key consideration in the appraisal of bank management, earnings, and capital. Examiners evaluate the adequacy of a bank’s planning process by considering issues such as:
- The formality of the planning process compared to the bank’s size and complexity
- Whether the right people are involved, accountable, and capable
- Reasonableness of assumptions regarding the bank’s present and future financial condition, market area(s) and competitive factors
- The extent to which the bank monitors changes in the operating environment and preserves flexibility to change direction in response to changing conditions
- The personnel, capital, liquidity resources, operating circumstances, and conditions unique to the bank being examined
Examiners will review the reasonableness of the goals and objectives developed by directors. They will also review the bank’s profit plan and budget to determine the reasonableness of the underlying assumptions, taking into consideration asset quality concerns; capital and liquidity adequacy and future projections; inter- est rate risk or other examination findings that would impact earnings; and the ability to meet plan projections.
When to Adjust the Level of Board Oversight
The appropriate level of board oversight will vary from institution to institution and must evolve along with changes in the nature and complexity of the bank’s operations as well as in response to external factors. The following non-exhaustive list provides a few examples of conditions evident at community banks where the FDIC would expect a higher level of board oversight:
- A CAMELS composite or component rating of 3, 4 or 5, the existence of an enforcement action, or both
- Elevated asset or funding concentrations
- Complex or highly specialized products or activities
- High levels of historical or planned growth
- Rapidly shifting balance sheet structure
- Low or shrinking levels of liquid assets
- Plans to change the business model or enter into significant new lines of business
- Deviations from bank policy or prudent banking practice, violations of laws and regulations, or heightened examiner or auditor criticism
- Poor operating results
- Low capital levels or poor access to new capital
- Operational problems in BSA/ AML, information technology, and cybersecurity
- Deterioration in local economies or in business line fundamentals
- Low Community Reinvestment Act or consumer compliance ratings, or high levels of consumer complaints
The FDIC strongly encourages community bank directors to be involved in the examination and supervision process. In addition to reviewing reports of examination, this includes attending board meetings where results are being discussed, and following up with the examiner-in-charge, field supervisor, or case manager with any questions or concerns about FDIC expectations on any aspect of the supervisory process.
Risk Management Policy
Division of Risk Management Supervision
Laura B. Newbury
Senior Examination Specialist
Division of Risk Management Supervision
Judy E. Gross
Senior Policy Analyst
Division of Risk Management Supervision
Chief, Supervisory Policy Section
Division of Depositor and Consumer Protection