Corporate Governance Standards Proposed by FDIC
On October 3, 2023, the Federal Deposit Insurance Corporation (“FDIC”) proposed standards for corporate governance and risk management for the institutions it regulates that have $10 billion or more in total assets (“Proposed Standards”).1 The Proposed Standards would establish extensive and rigid requirements for a wide range of state-chartered banks.2 Further, they would reverse decades of reliance on state law for establishing governance and oversight obligations. The FDIC board approved issuing the Proposed Standards by a 3-2 vote with Vice Chairman Travis Hill and Director Jonathan McKernan issuing dissents sharply critical of the proposals.3
The Proposed Standards lean toward a rules-based approach to corporate governance, in contrast to the principles-based approach that is prevalent under state law. Critics will observe that the Proposed Standards are presented as “good corporate governance” without appreciating that what is “good” for one bank may not be “good” for another and that achieving “good corporate governance” results not from uniform regulatory mandates but from default rules that can be tailored and fiduciary duties that can be fit.
The FDIC will accept comments on the Proposed Standards for 60 days after they are published in the Federal Register, which is expected shortly. In this Legal Update, we provide background on governance and risk management at state-chartered banks and discuss the Proposed Standards.
Background
Historically, corporations and other legal entities organized under state law have looked to their organizational law as the source of corporate governance and risk management obligations. Today, we look to state law as the source of the duties of care and loyalty, as well as related concepts such as the business judgment rule and Caremark’s risk oversight obligations. Only in certain specialized areas, such as public company disclosures under the federal securities laws, does federal law intrude on this state domain.
Many say that the genius of American corporation law, led by states such as Delaware, is its combination of statutory default rules that can be tailored to suit and common law fiduciary principles that can be sculpted for fit. Such an approach enables entities to provide optimal arrangements for diverse and dynamic situations rather than imposing one-size-fits-all approaches. Such contextual flexibility contrasts with a rules-based approach that prescribes identical rules for all situations.
Prior to 1994, banks were treated as one of the specialized federal law areas through the application of federal common law corporate governance standards.4 However, starting with the US Supreme Court’s 1994 decision in O’Melveny & Myers v. FDIC and ending with the Court’s 1997 decision in Atherton v. FDIC, the federal common law corporate governance standards were expressly repudiated in favor of state law.5
In the wake of Atherton, banks primarily looked to state corporate governance law, although there remained instances of federal intrusion. For example, federal law imposed audit standards and a gross negligence “floor” on the conduct of bank directors and officers.6 And federal law required that the federal banking regulators impose operational and managerial standards, compensation standards, and appropriate standards relating to asset quality, earnings, and stock valuation.7
This approach changed following the 2008 financial crisis, with federal banking regulators diving even deeper into the governance and risk management of banks. The Office of the Comptroller of the Currency (“OCC”) initially imposed heightened expectations for the governance and oversight of the larger banks that it regulated.8 In 2014, it adopted those expectations as a specialized standard for safety and soundness at larger federally chartered banks (“Heightened Standards”).9 Similarly, in 2014, the Federal Reserve Board (“Federal Reserve”) implemented part of the Dodd-Frank Act by establishing several risk management requirements for larger bank holding companies, including the combined US operations of larger foreign banking organizations.10 This was followed in 2021 by expectations for effective governance by larger bank boards.11 However, differences still exist among regulators and their expectations of banks.
Proposed Standards
The Proposed Standards would apply to state-chartered nonmember insured banks, state-licensed insured branches of foreign banks, and state savings associations that have $10 billion or more in total assets. This covers approximately 60 banks. It is well-known that corporate governance and compliance management systems continue to be an area of focus for federal and state regulators. If an affected bank failed to meet any finalized standard, the FDIC could require it to submit a compliance plan or take other action depending upon the circumstances.
The Proposed Standards would address the obligations, composition, duties, and committee structure that the FDIC expects bank boards to satisfy as part of good corporate governance.
Obligations. Covered directors would have a duty to safeguard the interests of the bank and confirm that the bank operates in a safe and sound manner and in compliance with applicable federal and state law. A board, in supervising the bank, should consider the interests of all its stakeholders, including shareholders, depositors, creditors, customers, regulators, and the public.
Composition. Covered boards would be required to consider how the selection of and diversity among board members collectively and individually may best promote effective, independent oversight of bank management and satisfy all legal requirements for outside and independent directors. A bank board should include a majority of outside and independent directors.
Duties. Covered boards would need to (i) set an appropriate tone and establish a responsible, ethical corporate culture; (ii) evaluate and approve a strategic plan; (iii) approve and annually review policies; (iv) establish and annually review a written code of ethics; (v) actively oversee the bank’s activities, including all material risk-taking activities; (vi) exercise independent judgment; (vii) select and appoint qualified executive officers; (viii) establish and adhere to a formal training program; (ix) conduct an annual self-assessment of its effectiveness; and (x) establish and annually review compensation and performance management programs.
Committee Structure. Covered boards would be required to implement an organizational structure to keep directors informed and provide an adequate framework to oversee the bank. At a minimum, a board would need to have an audit committee, compensation committee, trust committee (if it has fiduciary powers), and risk committee. It also should have any other committees that are necessary for the board to perform its duties. Each board committee would need a board-approved written charter outlining its purpose and responsibilities that is reviewed annually.
The Proposed Standards would impose expectations for the risk management program that a bank should develop and maintain. These expectations largely track the OCC’s Heightened Standards. For example, like the Heightened Standards, the Proposed Standards would require a bank to adopt the three-lines-of-defense model for risk management.12 However, as noted in Director McKernan’s dissent, the Proposed Standards do deviate in certain significant ways that would increase the compliance burden and decrease clarity for affected banks. These deviations are particularly notable because Acting Comptroller Michael Hsu, who oversees the application of Heightened Standards at the OCC, is a member of the FDIC’s board and voted in favor of the Proposed Standards.
The Proposed Standards also go into considerably more detail than the Heightened Standards and impose more extensive obligations. For example, the Heightened Standards require a board to review and approve a risk appetite statement at least annually, while the Proposed Standards would require banks to review and approve risk appetite statements at least quarterly. Further, a bank would be required to notify the FDIC in writing of a breach of a risk limit or noncompliance with the risk appetite statement or risk management program.
Additionally, a board would be required to establish a process for identifying, assessing, documenting, and internally reporting known or suspected violations of law. Further, a bank would be required to report violations of law to the agency with jurisdiction over that law, even if the bank has filed a Suspicious Activity Report regarding the activity.
Questions Raised and Expected Challenges
Most FDIC-regulated banks are small in size and simple in structure. Only four FDIC-regulated banks have more than $100 billion in total assets, and most of the banks that would be subject to the Proposed Standards have less than $30 billion in total assets. Few FDIC-regulated banks engage in international activities, markets/trading activities, or extensive nonbank activities. Almost all banks with large or more complex risk profiles are regulated by the OCC or Federal Reserve. Therefore, one might reasonably question why the FDIC has decided to take the lead in imposing such detailed and prescriptive governance and risk management obligations.
The Proposed Standards would require many small, community banks to establish and operate extensive, formal risk management frameworks. The financial cost and time required by the board and management to stand up such programs, build relevant systems, and sustain them would impose a significant burden on affected banks. Even more significantly, many affected banks are located outside of major metropolitan areas, making it difficult to recruit and retain talent with the specialized experience needed to satisfy the FDIC’s expectations.13
It is notable that the Proposed Standards would apply to banks with $10 billion or more in total assets, while the OCC’s Heightened Standards generally apply only to banks with $50 billion or more in total assets and the Federal Reserve’s Enhanced Prudential Standards generally apply only to banks with $100 billion or more in total assets.14 If the Proposed Standards are finalized at the $10 billion trigger point, there is the risk of a disparate burden on FDIC-regulated banks and that could reduce the attractiveness of being or remaining a state nonmember bank. One also might question Acting Comptroller Hsu’s decision to support the $10 billion threshold in the Proposed Standards while continuing to apply a $50 billion threshold to the banks he regulates under the OCC’s Heightened Standards.
The Proposed Standards add another agency rulemaking to the list of recent federal rulemakings that run into the Supreme Court’s newly strengthened and evolving major questions doctrine.15 This principle limits agency power to address major questions of public policy without clear congressional authority. While Congress has clearly authorized federal banking agencies to supervise banks and promulgate related standards (including those related to safety and soundness), the evolving doctrine may reduce the degree of deference federal courts give to agency discretion, absent clear and specific congressional authorization. If the corporate governance of banks, including for whom directors are fiduciaries and what those duties require, is classified as a major question of public policy, then federal banking authorities would need to point to clear congressional authorization for them to prescribe corporate governance mandates as the Proposed Standards would do.
The Proposed Standards were issued by a vote of 3-2 among the FDIC directors. Vice Chair Hill dissented, citing in part the “one-size-fits-all” approach to the Proposed Standards as well as the imperative for regulators to focus “more on banks’ core financial condition rather than micromanaging these types of processes.”16 Director McKernan also dissented, citing deviations from the OCC's Heightened Standards, confusion of the roles of directors and senior management, concerns with requiring consideration of non-shareholder constituencies, and questions raised by the required self-reporting provisions.17 The self-reporting provisions in particular would go far beyond anything required by current regulation and are likely to draw considerable criticism.
Affected banks should consider engaging during the comment period, which will end 60 days after the Proposed Standards are published in the Federal Register (expected imminently). Mayer Brown regularly assists clients in writing comment letters and engaging with regulators on developing issues and stands ready to help with the Proposed Standards.
1 FDIC Board Meeting (Oct. 3, 2023), https://www.fdic.gov/news/board-matters/2023/board-meeting-100323-notational.html.
2 The FDIC regulates state-chartered nonmember insured banks, state-licensed insured branches of foreign banks, and state savings associations. 12 U.S.C. § 1813(q).
3 Statement by Vice Chairman Travis Hill (Oct. 3, 2023), https://www.fdic.gov/news/speeches/2023/spoct0323b.html; Statement by Director Jonathan McKernan (Oct. 3, 2023), https://www.fdic.gov/news/speeches/2023/spoct0323c.html.
4 E.g., Briggs v. Spaulding, 141 U.S. 132, 165 (1891) (“directors must exercise ordinary care and prudence in the administration of the affairs of a bank”).
5 Atherton v. FDIC, 519 U.S. 213 (1997); O’Melveny & Myers v. FDIC, 512 U.S. 79 (1994). Atherton did leave open the federal law door with its statement that “Congress and federal agencies acting pursuant to congressionally delegated authority remain free to provide to the contrary” (i.e., adopt a federal law for bank governance).
6 12 U.S.C. §§ 1821(k), 1831m; 12 C.F.R. pt. 363.
7 12 U.S.C. § 1831p-1; 12 C.F.R. pts. 30, 208, 364.
8 See Remarks by Thomas Curry, Comptroller of the Currency (Dec. 7, 2012).
9 79 Fed. Reg. 54,517 (Sept. 11, 2014); 12 C.F.R. pt. 30, app. D.
10 79 Fed. Reg. 17,240 (Mar. 27, 2014).
11 Federal Reserve, SR 21-3 / CA 21-1 (Feb. 26, 2021). See our Legal Update on the board effectiveness expectations: https://www.mayerbrown.com/en/perspectives-events/publications/2021/03/us-frb-finalizes-board-effectiveness-guidance.
12 See our Legal Update on the three-lines-of-defense model: https://www.mayerbrown.com/en/perspectives-events/publications/2020/07/the-blurred-lines-of-organizational-risk-management/.
13 E.g., Bank Administration Institute, Top Banking Trends and Challenges for 2023 (Apr. 21, 2023) (listing talent as the third most significant challenge for banks).
14 This may be because there are only six state nonmember banks with assets above $50 billion.
15 E.g., West Virginia v. EPA, No. 20-1530 (June 30, 2022).
