
AABD opposes an FDIC proposal to require bank boards to certify that their banks have “successfully” tested their information technology systems for compliance with new informational requirements on depositor ownership for deposit insurance purposes.

The FDIC has proposed amendments to section 370 of its deposit insurance regulations, which are designed to facilitate the payment of insured deposits when certain insured banks fail. The proposal generally would require covered banks (those with two million or more deposit accounts) to maintain data on each depositor’s ownership and to maintain IT systems capable of calculating the deposit insurance coverage applicable to each owner.

These laudable goals are complicated by a provision that specifically requires affected bank boards to sign an attestation letter that states (i) that the institution has implemented and successfully tested its information technology system for compliance with the new requirements, and (ii) the effects of all approved or pending applications for exception or extension on the ability to determine deposit insurance coverage using the bank’s information technology system.

Bank directors are not in a position of knowledge or expertise to attest to the successful testing of their bank’s information technology.  They can and should exercise their oversight responsibilities, but should never be placed in a position of guaranteeing that the testing was successful.  Under fiduciary standards adopted in all 50 states, corporate directors may rely reasonably on management, advisors, auditors and others, but the proposed regulation is silent on a bank director’s right to rely reasonably on these parties for any determination that the board may make.

The proposed regulation reminds banks that they are subject to FDIC enforcement action in the form of civil money penalties and cease and desist orders, among others, for infractions of the rule. But Section 8 of the FDI Act also authorizes the FDIC to take enforcement action against institution-affiliated parties, including directors. Presumably, that would include action against directors who attested that the bank “successfully” tested its information technology system for compliance with the new requirements, where that attestation, in hindsight, turned out to be incorrect.

This provision is a more direct way to pursue enforcement against bank directors than the traditional path of proving dereliction of fiduciary duties.  It also makes it easier to support an enforcement action, since the FDIC would no longer have to prove that directors breached their fiduciary duties.  All that the FDIC would need to do is prove that the bank did not “successfully” test its information technology system for compliance.

AABD has filed comments with the FDIC objecting to tasking boards with these new attestation requirements on the following grounds:

  • The proper role of a board of directors is oversight of management. However, in order to accurately perform the proposed certification, the board necessarily would be implicated in management operations in violation of the core corporate governance principle of separation of management responsibilities and board oversight;
  • The existing fiduciary obligations for boards to: i) establish operational policies and ii) hold management responsible for compliance already establish a basis for regulators to enforce compliance with regulatory provisions, and imposition of the proposed attestation requirement is redundant, overly burdensome, and increases the risk of potential personal liability;
  • The board attestation requirement is not statutory, unlike the attestation requirements for call reports, and therefore is not required by law;
  • Implementation of the proposed attestation requirements, because of the time and effort required to perform them satisfactorily, would divert the attention and energy that board members must apply to their legitimate oversight duties and obligations; and
  • Bank boards are already overburdened by 800 plus provisions in law, regulation and bank regulatory guidance, as documented in AABD’s Bank Director Regulatory Burden Report, Second Edition. The banking agencies should be focused on reducing, not increasing, the burdens placed on bank directors.

On these grounds, AABD urged the FDIC to replace the board attestation requirements in the proposed rule with a provision specifically directing the board to oversee the bank’s establishment of proper systems and policies in compliance with the rule, but with the caveat that the board may rely reasonably on the work and advice of management, advisors and board committees.