Since my last report on bank enforcement actions in American Banker in March, the obligations and regulations imposed by new banking laws, including Gramm-Leach-Bliley, USA Patriot, and Sarbanes-Oxley, have begun to impact the financial services business.
The number of enforcement actions closed this year through July by the Office of the Comptroller of the Currency, Federal Deposit Insurance Corp., Federal Reserve Board, and Office of Thrift Supervision is already 322. If that pace continues, 2003 would produce nearly 100 closed actions, or 18% more than 2002.
There are other bank agencies to keep an eye on in the future. The Federal Housing Finance Board has formal enforcement authority similar to that of federal bank regulators, though there are no reported cases on the public record. The Office of Federal Housing Enterprise Oversight undertook a supervisory action in 2003 against Fannie Mae with regard to the risks posed by its duration gap. But as of July 31, it had never taken a formal enforcement action against Fannie Mae or Freddie Mac. On Sept. 4, it did issue a "show cause" directive to Freddie Mac, as the possible prelude to the issuance of a notice of charges for a cease-and-desist order regarding the termination of two officers of the company.
Beyond these numbers, however, there important substantive lessons to be learned from the cases being brought this year.
Enforcement Trends
The criminal aspect. In light of the dramatic changes made in recent years in corporate governance laws, particularly as a result of the enactment of the Sarbanes-Oxley Act, counsel in enforcement actions must be cognizant of the potential criminal liabilities that may arise out of the facts that form the basis for the charges brought by bank regulators. This is particularly important when directors or officers have been personally enriched, even if indirectly, through the appreciation in the value of benefits that they may control. While bank regulators have no jurisdiction to prosecute the violation of criminal laws, criminal referrals by the banking agencies are likely to increase and receive more attention given the breadth and, in some cases, vagueness of new criminal laws that now exist. Experience suggests that today's business decisions and activities are likely to be judged through the prism of tomorrow's latest financial crisis.
As was the case with the Financial Institutions Reform, Recovery, and Enforcement Act of 1989, the Federal Deposit Insurance Act of 1991, and the Crime Control Act of 1990, Sarbanes-Oxley has noticeably continued the trend of criminalizing corporate behavior.
Under federal sentencing guidelines, a corporate officer with no criminal history who is convicted of a single count of securities fraud can receive between 20 years to life in prison. A masked gunman fares much better, receiving only five to six years in prison.
While the long-term impact of this on business in America and the conduct of directors and officers is yet to be fully evaluated, the increased possibility of a criminal investigation or action significantly influence how an individual or company may respond to bank regulatory investigations and actions.
Money-laundering and Bank Secrecy Act considerations. The manner in which deposit relationships are created and maintained has become important because the ability to trace the movement of money to terrorist organizations is now a critical concern. In July the OCC announced an enforcement order entered against Riggs Bank for deficiencies in the Bank Secrecy Act area. The order requires the board of directors to hire a consultant to evaluate the competency of the bank's compliance officer and its capabilities in the laundering and Bank Secrecy Act area. In addition, the board of directors is required to assess:
- Whether it has provided sufficient authority to its Bank Secrecy Act compliance officer.
- The competency of the bank to perform in this area.
- The adequacy of policies and procedures to assure Bank Secrecy Act compliance.
- The adequacy of training programs throughout the bank.
The emphasis on the responsibilities of the board of directors under this order is noteworthy.
In another case in 2003 involving the National Bank of the Great Lakes, which was owned by Saks Inc., the OCC imposed limitations on credit card operations until adequate anti-laundering measures and policies were adopted.Risk control and accounting considerations. In July, the Fed announced enforcement settlements with Citigroup Inc. and J.P. Morgan Chase & Co. resolving charges that they had created unnecessary risk for themselves by facilitating Enron special-purpose entities and prepaid commodity forward transactions. These cases raise serious issues about the ability and duty of financial institutions to evaluate the consequences that structured-lending transactions may have for their customers. In short, they suggest that if a bank participates in a transaction that may ultimately increase its customers' risk exposure, it should understand and underwrite how this creates risk for itself and whether it is appropriate to participate in the transaction.
Internal and external security. The OCC announced an enforcement action against two former employees of a Colorado national bank in April, charging them with e-mailing more than 2,200 customer loan files to a third party over an unsecured Internet connection. According to the OCC these actions violated its privacy regulations regarding customer information, which were adopted pursuant to Title V of Gramm-Leach-Bliley, and so constituted unsafe and unsound banking practices.
Credit card banks and industrial loan companies. Special-purpose banks, such as credit card banks and industrial loan companies, are in the regulatory spotlight on the basis of a string of supervisory and enforcement actions over the last several years involving such institutions. This has led federal bank regulators to develop an enforcementlike approach to acquisitions involving special-purpose banks.
For example, recent approvals of acquisitions involving such entities have included conditions that mandate the execution of operating agreements between the bank and its parent company that require the maintenance of specific levels of capital and liquidity.
However, the existence of such agreements raises the potential for conflicts between the obligations of the board of the bank and that of its parent if and when the requirements of an operating agreement are triggered. The requirement, for example, for a parent to infuse capital into a subsidiary bank pursuant to an operating agreement may be inconsistent with the best interests of the shareholders of the parent and thus raise some very hard choices for the boards of the parent and its bank.
Absent the existence of an operating agreement in the form of a contract between the parent and the bank, the regulators would have to pursue a capital guarantee or infusion under the prompt corrective action authority of section 38 of the Federal Deposit Insurance Act or under their authority to order remediation under 12 USC section 1818 in an enforcement proceeding.
In short, these types of corporate transactions require that the parent company and its subsidiary bank think through the enforcement aspects of the agreements that will be required in return for an approval of the acquisition application.
Enforcement Tools
Internal investigations and operations monitoring. In an increasing number of cases, regulators continue to require that banks hire outside law firms and consultants to investigate themselves once a complex operational or accounting problem is discovered. This requirement has and continues to be used in cases where complex legal or financial issues require the expertise or the objectivity of a third-party expert.
Complex questions are raised when a bank is required to engage outside advisers to conduct an investigation of itself or its employees. The most important of these issues is the extent to which the attorney-client privilege attaches and is waived by disclosure of the findings to the regulator when the outside adviser is an attorney. Such disclosure may determine whether the report can be protected from third-party subpoena, for example.
If the report must be provided to the bank's regulator, an agreement should be reached with the regulator regarding the scope of the attorney-client privilege, the application of the bank examination privilege, and the regulator's ability to deny or disclose the report to the third parties.
At the very least, those conducting investigations of banks and their holding companies and subsidiaries should make it clear whose interests they represent, how information they provide may be used, and that they have the right to enjoy the benefit of and consult with their own counsel at any time.
The combination of new laws, greater scrutiny by regulators and auditors, and the continued incidents of faulty accounting adversely affecting financial institutions and their customers is ample warning to financial institutions to be proactive about their compliance programs.
