Last year, Citigroup's board unexpectedly replaced the bank's CEO over reported issues of strategic direction and leadership. More, recently, board concerns about CEO continuity at JPMorgan Chase appear to have played a role in turnover in the executive suite. Beyond banks, boards at Yahoo, Best Buy, Hewlett Packard and others have taken quick steps to replace CEOs when perceived issues have arisen.
This board resurgence has at its roots the reality of rising expectations for banks and public companies—expectations contained in the federal banking and securities laws, but also driven by shareholders, the media, and perhaps as importantly, Capitol Hill and others in Washington.
However, there is a growing dissonance between what policymakers and shareholders want and the corporate law and governance standards enshrined in state law, particularly Delaware law. Without care, state fiduciary standards are increasingly looking toothless, and perhaps even pointless, as banking supervisors continue to define the parameters of banking law and governance.
Corporate law has long been the province of state law. Delaware is the most important state here given its role as the corporate Switzerland of the United States, home to over 60% of the country's public companies. State corporate law and director duties developed organically, and in the context of what academics have called the agency issue.
This issue, articulated by Michael Jensen and others as early as the 1970s, asserts that incentives for boards and management may not be aligned with shareholder interests in the structure of U.S. banks and public companies, and as a result actions fall short of expectations.
Simply put, corporate governance is the stuff that goes into those gaps between expectations and actions. Law and governance bind the system together, and have been defined by the Delaware and other courts for over a century. Unfortunately we have a growing gulf between state and federal law, notably in the area of risk management.
We have been here before. Starting in the late 1970s, federal standards articulated compliance and oversight duties for banks. It was not until the mid-1990s, however, that state law adopted such a duty, and even then, the duty as it exists today is mild at best. In the widely cited 1996 Caremark decision, the Court of Chancery of Delaware held that for a board of directors to be held liable under state law, there must be a "sustained and systemic failure" such as an "utter failure to ensure a reporting system exists" or even "bad faith."
Today we have a similar problem with regard to risk management at banks. In response to risk management weaknesses revealed during the financial crisis, Congress, via the Dodd-Frank Act, required boards to establish overall risk management requirements as part of what are called enhanced prudential standards. Banking supervisors have proposed rules requiring any publicly traded bank holding company with $10 billion or more in total consolidated assets to establish a risk committee. A foreign banking organization with global consolidated assets of $10 billion or more would have similar requirements.
But how do we square this with a state law regime calibrated only to require accountability in the case of a "systemic" or "utter failure"? That the state tool is ill-designed to address contemporary expectations was tacitly acknowledged by a Delaware court in a 2009 shareholder derivative suit against Citigroup. That case was dismissed because the court held that state standards are not designed to hold companies accountable for what the court termed a failure to "properly evaluate business risk."
Federal tripwires are being set higher than the "utter failure" level. Shareholders and Congress are demanding more from banks than ever before, and expect continuous improvement in risk management technology, process and governance.
The good news is that the largest banks appear to be going above and beyond a minimalist view, and will soon have rules and examinations over their risk committees and structures. Even if state law shields these companies from successful shareholder suits for subpar risk management, they'd still be exposed to regulatory actions.
Why, then, should we care about a state standard given a higher federal standard? We care because the new rules apply only to a handful of the largest banking organizations, and not at all to nonbank public companies, many of which, we learned in the financial crisis, can expose the system and customers to significant risk.
Expectations are like opinions—people are entitled to them. It is reasonable to expect banks to continuously develop and improve their risk management processes and governance. We know the largest global banks with U.S. operations will soon be required to meet defined federal standards. We know that shareholders and Congress want a tighter focus on risk management.
So where then, will corporate law fit into the puzzle? State lawmakers should take care not to let their judgment be clouded by the incentives to remain hospitable jurisdictions for corporate incorporation. They should consider carefully the need to rise with the tide of increased expectations, and do so in a way that has a meaningful accountability standard.
Wherever higher standards come from, however, banks, their customers and shareholders deserve a unified system appropriately calibrated to current realities. Perhaps not all banks or public companies need all of the enhanced risk management procedures set forth in federal banking law. But a system in which federal and state standards lack harmony could expose the economy to unnecessary risks at a time when recovery and job creation are paramount for sustained economic growth.
Roger Coffin is associate director of corporate outreach and associate professor of practice at the University of Delaware's Lerner College of Business and Economics. He is formerly a partner at PricewaterhouseCoopers and a senior staff member of the Securities and Exchange Commission in Washington.