The seventeenth century French playwright and poet Molière wrote, “It is not only what we do, but also what we do not do, for which we are accountable.” The Office of the Comptroller of the Currency (OCC) and the Financial Crimes Enforcement Network (FinCEN) took a page from Molière recently when those two agencies brought a series of actions against former management of two Top 10 U.S. banking organizations. This report will discuss global supervisory practices related to personal accountability in the financial services industry, the unprecedented recent regulatory actions, and the key takeaways for boards and management of U.S. financial institutions.
Regulators Are Laying the Groundwork for Personal Accountability – In Different Ways
Imposing personal liability on management of financial institutions, or at least the threat thereof, has been on the increase since the Great Financial Crisis (GFC). Beginning in 2016, the UK’s regulators implemented the Senior Managers and Certification Regime (SM & CR), which was designed to reduce financial service consumer harm and strengthen market integrity by making individuals accountable for their conduct and competence. While the conduct rules embedded in the SM & CR apply broadly to most employees engaged in financial services, the legislation also requires pre-approval of the most senior staff at covered institutions, delineated “statements of authority” for these individuals, and annual recertifications by institutions that designated Senior Managers remain suitable for their roles. In addition, staff at covered financial institutions who hold positions that could result in significant harm to the institution, including those with risk management and compliance responsibilities, must also be re-certified annually as “fit and proper” to carry out their responsibilities. The consequences of non-compliance to-date have been financial penalties levied against individuals – the largest to-date being £321,000.
In February 2018, Australia introduced the Banking Executive Accountability Regime (BEAR) to establish clear and heightened expectations of accountability for authorized deposit-taking institutions (ADIs), their directors and senior executives in certain prescribed roles, and to ensure there are clear consequences in the event of a material failure to meet those expectations. BEAR became effective for the four large trading banks and other ADIs effective July 1, 2019. Similar to the SM & CR, accountable persons must have “accountability statements” and must be suitable for their roles, meaning that they may be removed by the regulator if they fail to meet the standards. Non-compliance with BEAR may result in financial penalties for the institution (up to Australian $210 million for a breach of the BEAR, depending on the size of the institution) and disqualification of individuals to serve in the industry. Recent actions taken by the Australian government will result in higher penalties and potential criminal consequences for individual offenders.
Also, in 2018, the Hong Kong Monetary Authority (HKMA) and the Monetary Authority of Singapore (MAS), respectively, opted to adopt or propose personal accountability regimes. Each of these regulators has taken a somewhat different approach but they share the common goal of increasing industry awareness of conduct risk and regulatory expectations for managing it. Enforcement consequences of these initiatives are expected to evolve over time.
While these and other global regulators have chosen to implement formal conduct and accountability programs, the United States has not done so. Instead, the U.S. regulators have focused on moral suasion – embedding elements of conduct risk in other regulatory releases or in speeches made by agency leaders – and, more importantly, have relied on their existing, long-standing authority to levy financial penalties against institutions and responsible parties and to remove officers and directors when circumstances warrant. Historically, most removal actions and personal fines were directed at individuals who were involved in insider dealing and/or whom regulators determined took actions that led to significant financial consequences, including failures, of financial institutions. More recently, actions have also been directed to compliance personnel whom regulators concluded did not carry out their anti-money laundering (AML) obligations responsibly. The recent action taken by FinCEN is one such example. The historical actions were very targeted at an individual or a group of individuals whom regulators believed had acted improperly or did something – an act of commission. The more recent AML-related actions began to introduce the notion of penalizing individuals whom the regulators believe should have done something – an act of omission.
In the OCC case, the bank itself has already faced fines and penalties in the billions. The OCC’s most recent actions target eight former members of the bank’s management team, all allegedly engaged in some capacity with activity that the regulator determined was harmful to the bank’s customers. The facts and allegations specific to this case may be less important than the broad lessons the industry should take away from it and other cases.
Acts of Commission and Omission: Those Who Acted and Those Who Should Have Acted
The OCC’s February actions establish a de facto model for conduct risk management based on two principles:
- The first line of defense is responsible for developing and implementing a business model that promotes appropriate conduct.
- The second and third lines of defense are responsible for ensuring that the business model does not expose the institution to undue risk. The second line does this by providing credible challenge to the first line’s design of the business model and control framework, and the third line carries out its responsibility by assessing, testing and reporting on control deficiencies in the implementation of the business model.
These two principles are not revelatory. On the surface, they are merely restatements of the regulators’ expectations for conduct risk management and the commonly understood roles of the three lines of defense. What made the recent actions notable is their application to and accountability within all three lines of defense.
Representatives of the first line of defense were charged by the OCC with being the architects of a business model that lacked adequate controls, violated laws and regulations and encouraged improper behavior, thereby breaching their fiduciary responsibility.
Second line representatives, according to the OCC, failed to:
- Execute adequate oversight, governance, and escalation responsibilities with respect to incentive compensation plans that allegedly encouraged the bad behavior. (Human Resources)
- Exercise adequate oversight of employee misconduct or appropriate follow-up when numerous sources of information (e.g., information available as a member of the Compensation Committee, access to customer complaints, and receipt of employee criticisms about aggressive sales practices) signaled that there was a problem. (Legal)
- Provide credible challenge to the first line of defense on the inherent risk of the business model and to inform the Board of Directors of those risks. (Risk)
The third line of defense, internal audit, was criticized by the OCC because it knew, or should have known, about the misconduct issues since it had unfettered access to all personnel and records of the bank. Yet, according to the OCC, internal audit failed to identify and escalate the risks and attendant misconduct as required by the bank’s audit charter and the delineated responsibilities of the audit function.
According to the OCC, the failures of the second and third lines to exercise their responsibilities – their failure to do something they should have done – contributed to an environment in which unsafe and unsound practices were allowed to perpetuate for years, leading to material losses for the bank. These concepts also appear in the recent FinCEN action. In FinCEN’s view, a former risk executive allegedly failed to pay sufficient attention and allocate additional resources to an institution’s anti-money laundering compliance function even after the leaders of that function repeatedly escalated concerns regarding insufficient staffing levels and the impact that lack of resources had on the effectiveness of the compliance program. These issues were ultimately identified by the bank’s regulators as well, which led to significant regulatory enforcement action taken against, and civil money penalties imposed on, the bank. It is the focus on the culpability of the second and third lines of defense that has garnered the most attention and will likely lead to some lively discussions in the hallways and boardrooms of financial institutions.
Beyond the overarching lesson that the OCC (and likely other U.S. regulators) will hold individual executives in each of the three lines of defense responsible for their roles in ensuring that a bank develops and maintains an appropriate system to control risk-taking, there are other lessons to be learned from particular control gaps that were identified by the OCC. These relate to the design of incentive compensation programs, the importance of recognizing warning signs, the significance of exercising and acting on credible challenge, and the transparency of board reporting.
The effects of incentive compensation schemes on the conduct of employees has been a much-discussed topic since the GFC, with myriad regulatory releases globally warning of potential risks. In this case, incentive compensation and promotional opportunities depended on employees’ ability to meet stated goals. Employees who failed to meet, or in some cases failed to exceed, their production goals were reportedly terminated. Business leaders were rewarded based on the financial performance of the line of business, including explicit consideration of the incentive performance plans allegedly responsible for the misconduct. Second- and third-line management were also rewarded based on financial performance of the company, even though their roles did not contribute to profitability and were primarily intended to ensure that the bank appropriately managed its risks. The OCC’s assessment contends that bank management failed to question the reasonableness of the incentive compensation program and how its enforcement would influence behavior. It also asserts that performance rewards for second- and third-line management were inappropriately weighted toward financial performance of the bank rather than their efforts to promote healthy risk management practices.
Recognizing the Warning Signs
The case highlighted the importance of aggregating and analyzing all available sources of information to form a complete view of risk. These sources of information may include customer complaints, employee allegations, employee turnover (voluntary and forced), results of internal monitoring and internal audits and the extent to which management responds to each of these. While admittedly the application of 20/20 hindsight, the regulatory view was, there was an opportunity to evaluate the preponderance of these data points and “connect the dots,” so to speak, to formulate insights as to the nature and extent of the internal disfunction. That did not happen. Moving forward, second- and third-line leaders will likely face increased expectations from their boards, audit committees, and regulatory agencies to demonstrate how they are monitoring risk signals from multiple sources, as well as their ability to weave this information together in order to detect emerging issues before they cause significant harm to the institution or its customers.
Importance of Credible Challenge
In 2014, when the OCC released its Heightened Standards for Large Financial Institutions, it highlighted the importance of credible challenge by boards of directors, second and third lines, i.e., the responsibility of each of these groups to ask probing questions to ensure that management is managing risks prudently, and, by inference, taking appropriate steps to address risk management gaps. In this case, the OCC alleged that the second and third lines not only failed to take appropriate action when faced with compelling evidence of control gaps, but in at least one instance took steps to enable the misconduct.
Transparency of Board Reporting
The OCC findings conclude that information provided to the board of the directors by the second and third line failed to identify or deliberately minimized the significance of the control gaps and attendant risks.
What Should Financial Institutions Do?
While some will be inclined to dismiss the OCC actions as relevant only to extreme cases of misconduct, proactive boards of directors and members of management should ask themselves a number of questions including:
- Are we confident that our incentive compensation programs are reasonable and are not putting undue pressure on employees to engage in activities that could put the institution at risk? And do we have an effective process in place to monitor how employees are performing against those goals, breaking down that data by location, line of business, and other variables to be able to detect concerning trends, including the impact on customers?
- Do we have any information from any source that would suggest that our incentive compensation programs are causing unacceptable behavior? If so, what have we done in response to this information?
- Do we have any reason to believe that misconduct is being rewarded, or that personnel who raise allegations are being punished or ignored?
- Are we comfortable that incentive compensation programs for second- and third-line personnel adequately emphasize their risk management responsibilities?
- As members of the board of directors or executive management, how comfortable are we that information provided to us is complete and accurate? Do we understand the processes that the second and third lines use to determine what information should be escalated? And do we react to negative information in a way that does not discourage transparent escalation of future bad news or red flags?
- As a related point, are Boards and executive leaders able to be objective when evaluating whether the current level resources dedicated to compliance and risk management functions are sufficient? If people responsible for those functions are raising concerns regarding headcount or funding, how do we ensure that feedback is elevated to the appropriate levels of the organization? Finally, once elevated, can we differentiate between additional funding requests that are “nice to have” or would move an existing function from an acceptable to a best-in-class level, versus those that truly must be authorized in order to mitigate a critical gap?
- For representatives of the second and third line, can we evidence a clear and reasonable correlation between identified issues and the appropriateness of the actions (or inactions) taken to address these issues. IA risk assessment documentation, for example, should demonstrate how business growth results, employee performance and compensation data, and employee allegations and investigations have informed the audit plan.
The approaches taken by governments to address personal accountability in the financial services industry may vary, but what is clear is there is a global regulatory focus on driving better risk-aware and risk-responsive behavior in the industry. Accordingly, the above questions warrant the closest attention of the leaders of financial institutions.