Following the collapses of certain regional banks in March 2023, the Financial Services Group at Aon discussed the potential for heightened regulation. The U.S. Federal Deposit Insurance Corporation (FDIC) recently approved proposed guidelines establishing corporate governance and risk management standards for covered financial institutions. This development accentuates the scrutiny and risk exposure that financial institutions’ directors and officers (D&Os) face. The comment period for the proposed guidelines will close on February 9, 2024.

Key Takeaways

Among other heightened requirements, the proposed guidelines would impose the following:

• Covered institutions must follow a “three lines of defense” risk management approach involving oversight from frontline business units, as well as independent risk management and internal audit functions.
  
  
• Covered institutions must develop written risk management programs, risk appetite statements, and processes for identifying and escalating breaches of such statements.
  
  
• Covered institutions’ boards of directors are deemed responsible for and must: actively oversee their banks’ risk management; be comprised of a majority of independent directors (with more stringent requirements regarding “independence”); set an appropriate tone from the top; adopt a written code of ethics; adopt processes to document violations of law and report them to appropriate enforcement authorities; and establish certain board committees (including risk, audit, and compensation).
  
  

Applicability: The proposed guidelines would apply to (among others) all insured state non-member banks with assets greater than $10 billion, including such banks that do not meet this asset threshold on the day the proposed guidelines become effective but later meet it on two consecutive call reports. The FDIC will reserve the authority to apply the proposed guidelines to banks with less than $10 billion in total consolidated assets if the FDIC deems such banks’ operations as high-risk or highly complex.

Enforcement: If a bank fails to meet a standard within the proposed guidelines, the FDIC can require the bank to submit a plan outlining the steps it will take to comply with the standard. If a bank fails to submit or implement such a plan in any material respect, the FDIC may: require the bank to correct the failure; impose on the bank increased capital requirements, or restrictions on growth or interest paid on deposits; or, ultimately, bring an enforcement action against and seek civil money penalties from the bank.

Insurance Considerations

The proposed guidelines’ heightened requirements bring additional risks to covered institutions and their D&Os. These risks include potential regulatory investigations concerning banks’ corporate governance and risk management practices, as well as related or follow-on securities and/or derivative lawsuits should such practices be found insufficient. Similar risks already have materialized with financial institutions (for example, Silicon Valley Bank as alluded to above). Examples also include one of the largest financial institutions in the world recently paying historic settlements, fines, and penalties to resolve shareholder and government claims concerning well-publicized alleged branch-level malfeasance brought about by deficient internal controls that thwarted the bank’s “tone at the top” and “three lines of defense” risk management model. Exposures surrounding internal controls such as those required by the FDIC’s proposed guidelines are particularly acute given the SEC’s recent novel claims tied to allegedly insufficient controls concerning corporate assets and internal reporting, as well as recent Delaware case law confirming that corporate officers (and not solely directors) have a duty to implement and oversee their company’s internal controls.

The FDIC’s proposed guidelines highlight the importance of implementing sound risk management practices that are bolstered by robust internal controls. D&O insurance can be a vital component of a strong risk management program. Although these guidelines would apply to financial institution insureds, all insureds should be prepared to discuss their corporate governance and internal controls during the D&O underwriting process. Insureds should work with an experienced broker to optimize D&O coverage in the event of regulatory investigations and other D&O matters such as shareholder litigation that may arise out of corporate governance and internal control issues. Although policy language varies, notable D&O coverage provisions may include the definition of “Loss,” choice of law and/or “most favorable venue” terms, the priority of payment clause and conduct exclusions (including any carvebacks). Equally notable considerations, insureds should examine and understand overall program limits, structures, and allocations across pertinent coverages and the availability of and terms surrounding entity coverage in the event of a government investigation.

If you have any questions about or are interested in obtaining coverage, please contact your Aon broker.

This document is not intended to address any specific situation or to provide legal, regulatory, financial, or other advice. While care has been taken in the production of this document, Aon does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the document or any part of it and can accept no liability for any loss incurred in any way by any person who may rely on it. Any recipient shall be responsible for the use to which it puts this document. This document has been compiled using information available to us up to its date of publication and is subject to any qualifications made in the document.

Insurance products and services offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida and their licensed affiliates.