The Challenging Role of a Director

Security and internal controls now begin in the board room. Two laws passed by Congress, the Gramm-Leach-Bliley Act of 1999 (GLBA) and the Sarbanes-Oxley Act of 2002 (SOX), have refocused the spotlight on a financial institution’s board of directors. The role of a board member has grown in importance and complexity since the adoption of these two laws. GLBA re-emphasized the board’s involvement in overseeing operations and implementing the appropriate policies, procedures, and controls to ensure the security, confidentiality, and integrity of customers’ financial information. Under GLBA a financial institution must develop a comprehensive written security program that encompasses administrative, technical, and physical controls. Board involvement is imperative in the development, implementation, and maintenance of this program. The key elements of this program include:

• Board involvement
• Assessment of risks
• Management and control of the risks
• Oversight of service provider arrangements
• Adjusting the program
• Reporting to the board of directors
• Implementation of regulatory standards

Examiners will scrutinize board involvement in all phases of the program, from development through ongoing maintenance. GLBA is enforceable under section 39(a) of the FDI Act, which means that informal or formal enforcement actions may be requested or issued for non-compliance with the Act. In addition, regulators may assess civil monetary penalties against specific individuals, including directors of the institution.

The Sarbanes-Oxley Act (SOX) has also redirected attention to the need for a strong and independent board. Emerging technology may change the way a financial institution conducts its business, but the principles of corporate governance have not changed and remain valid.

Because of SOX, the board’s oversight of the financial institution’s operations is no longer merely a standard best practice but a requirement. The board’s role must include:

• Selecting and retaining competent management
• Establishing strategic long-term and short-term goals
• Monitoring operations to ensure adequacy and compliance with laws and policies
• Overseeing business performance
• Ensuring community credit needs are met

For corporate governance to be effective there must be a high level of cooperation between the board and management; however, the board as a whole and the directors individually must maintain independence in evaluating management’s actions. To fully exercise their fiduciary responsibility, directors must understand the environment in which the bank functions, regulatory requirements, and the financial condition of the institution.

Oversight of the institution includes establishing policies, clearly communicating them to employees, and monitoring them for compliance with laws and regulations and for fit with economic changes and the institution’s environment. In addition to establishing policies, the board must ensure that the appropriate controls are in place and that the processes for monitoring the institution’s condition and its compliance with internal policies, regulations, and laws are effective. One method of monitoring is to establish reporting requirements. The appropriate level of reporting will depend on each institution’s individual operations and circumstances.

Providing for independent reviews and testing of compliance with board policies, regulations, and laws, and of the integrity and adequacy of the information reported to the board and maintained by the institution, is not only a standard best practice but is required by SOX. These reviews may be performed by qualified independent internal auditors, by an examining committee of the board, or by a qualified CPA. The board must have direct responsibility for hiring, firing, and evaluating the institution’s auditors. The auditors should report directly to the directorate or audit committee to maintain the required independence.

All insider financial transactions must be above reproach. Directors must avoid any preferential transactions involving insiders or their related interests. Insider transactions will be judged using the same criteria as an ordinary customer of the institution. These transactions must be completely above board and in compliance with all laws and regulations. Directors who permit preferential treatment breach their fiduciary responsibilities and can be subject to civil and criminal liability.

Last but not least, the board should review all reports of examination, supervisory actions, and correspondence from the institution’s primary supervisory agency. Findings and recommendations should be reviewed, and a process for addressing the findings should be implemented and tracked.

The role of the board has always been to oversee operations; however, the adoption of these two laws emphasizes the old adage “the buck stops here.”


About the Author

Susan Orr, CISA, CISM, CRP

Susan Orr is a leading financial services expert with vast regulatory, risk management, and security best practice knowledge and expertise. During her 14-year tenure as a bank examiner, Susan held lead positions including Regional IT Examination Specialist, Special Assistant to the Regional Director, Special Assistant to the Director of DSC, and Special Assistant to the Vice Chairman of the FDIC. Susan was also a lead instructor for the FDIC’s technology school and was instrumental in key industry initiatives such as the FDIC E-Risk Strategic Initiatives Risk Monitoring Committee, the Chicago Region Interagency Technology Group, and the Federal Financial Institutions Examination Council (FFIEC) IT Handbook rewrites. Prior to launching her consulting practice, Susan was Vice President of Regulatory Compliance at an Internet security company. Susan retains close relationships within the FFIEC agencies as well as industry trade groups to stay abreast of new technologies, best practices, and regulatory issues.