Board Members: Keep an Eye on Internal Controls
It’s not every day a bank board is held responsible for basic board governance, but that’s exactly what’s happened in a recent consent order.
A Texas bank recently entered into a consent order related to weaknesses in board and management oversight, among other issues. Loans to insiders and role-based IT security controls were among the issues the FDIC and Texas Department of Banking cited. Consent orders like these are a good reminder of how important it is for a bank to choose inquisitive, proactive board members who understand their responsibilities—and take them seriously.
Bank directors have two primary responsibilities:
- The duty of loyalty requires directors and officers to administer the affairs of the bank with candor, personal honesty and integrity. They are prohibited from advancing their own personal or business interests, or those of others, at the expense of the bank.
- The duty of care requires directors and officers to act as prudent and diligent business persons in conducting the affairs of the bank.
Strengthen the Board. Ideally, the bank should have a diverse mix of directors that promotes director independence. Why is this important? Board members need to be able to provide a credible challenge to bank management's actions and decisions. External directors are those not tied to the bank or its management. Many bank failures are attributed to weak or passive board oversight and governance.
Conflicts of interest. Board members have an obligation to act in the best interest of the financial institution they serve. That doesn't always happen, though.
In this case the consent order requires the board to develop and commit to a code of ethics. Board members should be required to disclose conflicts of interest, including transactions with insiders and family members. These transactions should be pre-approved by the board and conducted at arm's length. If a board member has a conflict of interest, they should abstain from voting.
The bank is also required to bring on a majority of external directors. An external director isn't an officer of the bank, doesn't own more than 5 percent of the bank, and doesn't owe the bank more than 5 percent of its Tier 1 capital or allowance for loan and lease losses. An external director also shouldn't be married to, related to, or financially connected to these insiders.
The board should proactively govern bank activities. From approving bank policies and objectives to overseeing executive and senior management, board members should approve a process to monitor all of a bank's activities and its compliance.
This is accomplished with monthly meetings to monitor the overall condition of the bank, its risk profile, and its compliance. The board should review and approve documents and internal controls such as:
- Transactions with affiliates
- Audit reports
- Reports of income and expenses
- Waived and refunded account fees
- Overdraft reports
- Investment activities
- Operating policies and procedures
- Committee actions
- Bank Secrecy Act / Anti-Money Laundering reports
- Information technology /cybersecurity reports
- Exceptions to law and internal policies.
Review internal controls. A good board should review risk assessments and internal controls with an eye for areas of increased risk. In the case of this bank, it means taking a closer look at the bank’s cybersecurity program (and actually putting a program in place).
The consent order says the board needs to develop and implement procedures that prevent insiders from circumventing internal routines and controls. It also needs to revoke non-employee access to bank systems and develop a cybersecurity program and an IT audit program.
Training. The consent order requires board training. This training must be ongoing, updated, and held at least annually.
3 lessons for bank board members
While we don’t know the details of what happened at the bank, there are still plenty of takeaways for bank directors.
1. Know what's going on. A board member isn't typically expected to understand the minutiae of a bank's IT program, but they should be sure there is a cybersecurity program in place and know enough to ask whether an IT audit has demonstrated any significant weaknesses in the program. This holds true for all areas of risk management. A board member doesn't need to be an expert, but they need to know to ask the right questions.
2. Take ethics seriously. Key components of a good ethics policy address conflicts of interest, insider activities, accountability and consequences. Board members must behave ethically and hold their fellow board members to the same high standards. There should be systems in place that make it extremely difficult for one bad actor to take advantage of the institution.
3. Provide a credible challenge. Ask questions and stay informed. Board members should expect management to provide them with all the reports and documentation they need to understand the risks, challenges, and opportunities the institution is facing. Know what reports to expect and take the time to review the key points. If something doesn't make sense, ask questions and push back.
Remember, examiners will be looking at your board to determine how it is handling matters of strategy, performance, and risk oversight.