The role of boards of directors – especially at large, complex banks - has been under scrutiny since the financial crisis. 

As 2012 ended, the Federal Reserve Board of Governors, with little public fanfare, dramatically increased its expectations for active board engagement to unprecedented heights.

Boards of large institutions – bank holding companies and S&L holding companies with assets greater than $50 billion as well as foreign banking organizations with U.S. assets of $50 billion – need to be fully aware of these rising supervisory expectations. Then, they can take at least three actions to stay in step with, and hopefully ahead of, their financial regulators. 

Soon after the passage of the Gramm-Leach-Bliley Act of 1999, which authorized financial holding companies, the Board issued a supervisory letter on its new risk-focused supervision of large complex financial institutions.  Boards were mentioned briefly only twice; no specific board action was required.

In the continuing fallout from the financial crisis, however, the Federal Reserve now has issued a new manifesto with rising demands for large firms, instituting new and extraordinary obligations for boards. 

The Federal Reserve's 1999 guidance was designed simply to promote a safe and sound banking system while assuring financial stability. The 2012 guidance goes much farther. 

Its new twin objectives are: "enhancing the resiliency of a firm to lower the probability of its failure or inability to serve as a financial intermediary"; and "reducing the impact on the financial system and the broader economy in the event of a firm's failure or material weakness." The new framework strengthens its traditional microprudential role, while incorporating its new macroprudential role as the economy's financial stability regulator under Dodd-Frank.

Corporate governance is just one of four pillars to enhance a firm's resiliency.  Now, boards are expected to provide "effective corporate governance with the support of senior management." Boards obviously did before, but the new emphasis is important, with management in a supporting role, and the board no longer leading behind the scenes. The board – not management – is expected to "establish and maintain the firm's culture, incentives, structure, and processes" that promote compliance. 

Here's where it gets really interesting. Note the strikingly active verbs for a board of directors – as opposed to more passive words like "review" or "oversee" – used to describe this newly redefined role (emphasis added):

  1. "Maintain a clearly articulated corporate strategy and institutional risk appetite."
  2. "Ensure that the firm's senior management has the expertise and level of involvement required to manage."
  3. "Maintain a corporate culture that emphasizes the importance of compliance."
  4. "Ensure the organization's internal audit, corporate compliance, and risk management and internal controls functions are effective and independent."
  5. "Assign senior managers with the responsibility for ensuring that investments across business lines and operations align with corporate strategies, and that compensation arrangements and other incentives are consistent with the corporate culture and institutional risk appetite. …"
  6. "Ensure that MIS support the responsibilities of the board of directors to oversee the firm's core business lines, critical operations and other core areas of supervisory focus."

Taken to the extreme, boards will need to evolve into something close to shadow management to fulfill these new mandates. At a minimum, the traditional and distinct lines of corporate governance between boards and management continue to blur in our post-Dodd-Frank regulatory reality. Every director of every large bank needs to read the full letter. 
The Federal Reserve's recent consent order with JPMorgan Chase is illustrative of these new demands. In addition to the board's reaffirmation of the obligation of the parent holding company to serve as a source of strength to its national bank, the order then directs the board to submit an "acceptable written plan" within 60 days to continue ongoing enhancements to board oversight of risk, internal audit and finance in considerable detail. This is a board plan, not a management plan, which is required separately.

So what can board directors do? 

First, they need to take a complete inventory of all – and any future potential – regulatory and supervisory actions, to start 2013 on the right road and avoid unnecessary collisions with this new guidance.

Second, potential economic, market and even regulatory risks need to be fully assessed by directors. The list of risks published by the Office of the Comptroller of the Currency in its Semiannual Risk Perspective is a good starting point.

Finally, directors also need to read and internalize the Institute of International Finance's new Governance for Strengthening Risk Management (October 2012), which methodically details risk culture, appetite, governance, and organization.  Firms don't have to be globally active banks to benefit from reading the IIF's latest work in a string of thoughtful risk reports.

Gregory P. Wilson is the author of "Managing to the New Regulatory Reality: Doing Business under the Dodd-Frank Act" and a consultant based in Great Falls, Va.