Issue link: https://digital.shearman.com/i/1512772
Shearman & Sterling LLP 47 | SVB Fallout: Banks Face Heightened Corporate Governance and Risk Management Scrutiny WHAT BANKS SHOULD BE DOING NOW The dramatic downfall of SVB in March of this year sparked questions on the resiliency of the banking sector and what will be in the pipeline for banking regulation and supervision going forward. While the full impact of the recent bank failures is still unfolding, there are lessons for banking organizations that they should consider to heed now. Make Exam Preparation and Open-Issue Remediation Top Priorities Banking organizations should brace and prepare for faster and tougher supervision and examination. Failure to do so will leave them open to increased regulatory sanctions, including enforcement actions. • In reflecting on the failure of SVB, Vice Chair Barr indicated that the Federal Reserve's "first area of focus will be to improve the speed, force, and agility of supervision." Banking organizations should plan on there being a lower threshold for the issuance of matters requiring attention (MRAs) and matters requiring immediate attention (MRIAs), exam downgrades, and enforcement actions. They also should expect reluctance on the part of examiners to close-out open MRAs/MRIAs until issues have been fully remediated (with sufficient validation testing in some cases). Demonstrating incremental progress on open compliance issues will not be enough. • Some of the post-mortem reports were unique in their direct criticism of examiners for acting too slowly. Examiners did not issue exam downgrades despite widespread evidence of weaknesses and did not escalate supervisory actions quickly enough. For example, SVB's examiners found repeated breaches of internal risk limits for interest rate risk and "foundational" risk management and board oversight failures, yet examiners did not issue, or were too slow in issuing, MRAs/MRIAs. SVB's examiners also were criticized for viewing positive financial performance and the lack of realized risk outcomes as "offsets to underlying concerns related in governance and risk management." They myopically viewed "progress on remediation of [gaps] as positive developments on a relative basis, rather than citing the gap that continued to exist relative to baseline expectations." As an example, the Federal Reserve's report noted the failure of SVB's holding company to have a CRO, which should have been cited as a violation of Reg. YY using an MRIA, yet examiners held off on the basis that the firm was actively searching for a CRO. Given the public scrutiny surrounding the causes and consequences of the recent bank failures, including the role of examiners at the failed banks, regulators are motivated to pursue weaknesses in governance and risk management as well as in other areas. Take Stock of Existing Governance and Risk Management Practices Banking organizations should undertake a fresh and robust assessment of their existing governance and risk management practices. The post-mortem reports provide a useful framework for such an assessment. Indeed, given the rapidly evolving challenges facing the regional and mid-size banking sector, there is increasing urgency to be proactive—by taking stock of existing practices, identifying areas for controls enhancement, and implementing necessary changes. • Banking organizations should consider implementing a shorter-term targeted review as well as a longer- term comprehensive review, in each case, based on issues raised in the reports and in their own exam reports. • Sensitive areas pertaining to a banking organization's legal, governance and risk management functions, including other areas that may be of heightened scrutiny by examiners and investors, should be evaluated now. Among other things, banking organizations may find merit having an independent legal review of: • Board and committee minutes and charters to assess whether and how certain compliance and supervisory issues are being addressed and if the board is providing a "credible challenge" to management • Open supervisory/exam ratings and open MRA/MRIAs against progress reports and other materials to assess whether remediation is being made • Board materials and reports to assess whether directors and relevant committees are receiving adequate and timely information from management on critical areas • D&O questionnaires to assess whether new directors and management are being evaluated for experience or expertise in certain critical areas, such as audit and financial risk management • Intercompany agreements between bank and non-bank affiliates (e.g., broker-dealer, insurance) to understand key dependencies • An independent review by outside counsel would help a banking organization in preparing for greater regulatory and shareholder scrutiny and demonstrating proactivity in risk identification and remediation. It would also provide directors with an independent assessment of critical areas to support its oversight responsibilities.