Guest Post How Officers and Directors of Financial Intermediaries Can Avoid Personal Liability in the Post-Dodd-Frank Market
As the current wave of bank failure litigation has unfolded, the directors and officers of banking institutions rightly have become more concerned about the own potential liability exposures and interested in learning more about how they might be able to reduce their risks and exposures. In the following guest post, Joseph T. Lynyak III and Rodney R. Peck of the Pillsbury law firm take a look at the current litigation environment facing directors and officers of financial institutions and provide some practical steps that these officials can take to try to mitigate their risks
I would like to thank Joe and Rob for their willingness to publish their articcle on this site. I welcome guest posts from responsible commentators on topics of relevance to this blog. Any readers who are interested in publishing a guest post on this site are encouraged to contact me directly. Here is Joe's and Rod’s guest post.
In this article, we analyze the steps that officers and directors of bank and non-bank financial companies and their holding companies and affiliates can take to address personal liability for alleged breaches of duty to manage and supervise a financial company’s operations, allegations which are being made in an increasing number by federal and state regulatory agencies, including the federal banking agencies and the U.S. Consumer Financial Protection Bureau (CFPB).
On December 10, 2012, a California jury returned a verdict of $169 million in a case brought by the FDIC against three former IndyMac Bancorp Inc. executives after determining that those officers were negligent in making loans to homebuilders by continuing to push for growth in loan production without proper regard for creditworthiness and market conditions. Soon thereafter, the former CEO of IndyMac Bank agreed to pay $1 million from his personal assets in addition to available insurance proceeds to settle another FDIC claim related to the failure of IndyMac Bank. In an unrelated yet problematic series of developments, the newly formed CFPB recently assessed civil money penalties against three holding companies for aggressive marketing practices in an aggregate amount exceeding $500 million.
Approximately 25 lawsuits were filed in 2012 by the FDIC against former officers and directors of failed institutions, up from 16 in 2011. In total, more than 40 lawsuits have been filed against officers and directors of failed institutions since 2010. Since the beginning of 2007, approximately 467 financial institutions have failed. The FDIC has indicated that it is continuing its investigation of many bank failures and additional actions can be expected. Outside directors, in addition to inside directors and senior officers, were named in 30 of the cases. (See, Cornerstone Research, “Characteristics of FDIC Lawsuits Against Directors and Officers of Failed Financial Institutions,” December 2012.)
These and similar administrative and civil enforcement actions brought by governmental entities have caused considerable concern among officers and directors of financial services companies. Specifically, many individuals have raised questions whether—and in what circumstances—management or members of a board of directors might be held personally liable for similar penalties or damages, and if so, what prudent actions could be taken to mitigate that risk.
Although these issues are complex and the risk will vary based upon differences between the corporate laws of state jurisdictions and the possible applicability of several banking and securities laws (among others), this article presents an overview and proposed approach to analyzing the risk of personal liability. It also includes a methodology to evaluate protections that might be available under current corporate governance provisions.
What follows is a summary of pertinent legal issues relating to the risk of personal liability, distinctions to be drawn between liability arising in the bank and non-bank context, and steps that directors and officers might take to minimize personal liability risk, as well as a methodology for taking an inventory of existing protections available to a board and management.
Overview and Summary—State Corporate Laws
From a traditional corporate law perspective, both officers and directors of a corporation owe a duty to the corporation to avoid self-dealing and conflicts of interest (the “duty of loyalty”) and an affirmative obligation to use reasonable efforts to properly manage and supervise the business of the company (the “duty of care”). The degree or standard by which an officer or director must comply with his or her duty of care is generally governed by the corporate law of the state in which the company is incorporated. That standard can range from an obligation to act in a reasonable manner and avoid negligent actions or decisions, to a diminished level of care that creates personal liability only in the case in which one acts in a grossly negligent fashion.
Because most state legislatures have considered these questions, each state’s Corporations Code has its own version of the duty of care, and in many jurisdictions the courts have further refined that standard by judicial interpretation. For example, in several states, liability for breaching the duty of care can only be actionable when a director or officer is grossly negligent, while in other states the standard of gross negligence protects only outside directors while management is held to the higher standard of mere negligence. Further, in many jurisdictions there is recognition—either by statute, case law or common law—that directors and/or officers may rely upon the so-called “business judgment rule” that protects them against personal liability provided that the officer or director took reasonable steps to come to a decision even when the decision is proven to be wrong.
In addition, several states have authorized limitations of liability for corporate misfeasance by permitting a corporation to adopt provisions in its articles or bylaws that further limit liability for board members or management. Importantly, in recent years, several states have adopted expanded indemnification rights for corporate stakeholders by permitting a corporation to adopt in its articles and bylaws very broad rights to indemnify officers and directors against individual damage claims brought against them in their individual capacities.
The lesson to be learned is that concerned officers and directors should establish a baseline to identify by what state law standard they will be measured when being judged regarding compliance with the duty of care, as well as related state law limitations regarding liability.
Additional Concerns for FDIC-Insured Institutions, Subsidiaries and Holding Companies
In addition to the state law standards regarding a director or officer complying with his/her duty of care, there are several other significant considerations that require attention for an officer or director of an FDIC-insured institution or a bank or savings and loan holding company.
First, an important U.S. Supreme Court decision, Atherton v. FDIC, confirms that there is no federal common law regarding the duty of care for a national bank or a federal savings association. Accordingly, based upon the Atherton decision (which interpreted a provision of the Federal Deposit Insurance Act, or the “FDI Act”, for receivership claims brought by the FDIC following a failure of a bank or thrift), the standard for national bank and federal association officers and directors generally follows state law, except that state law cannot impose a standard lower than gross negligence. Of course, for banks and bank holding companies organized under state corporate laws, the duties of care on the part of officers and directors are governed by such laws (subject to the partial preemption under the Atherton decision).
Second, applicable regulations for national banks and federal savings associations provide a useful alternative that permits a national bank or federal savings association to adopt for corporate governance purposes the Corporations Code of the state in which the institution is located, the Model Business Corporations Act or the Delaware General Corporations Code. This is a potentially valuable option that should be carefully considered. For example, in states in which liability for bank officers is based upon the higher standard of mere negligence, adopting the corporate law of Delaware not only lowers the standard for breach of the duty of care to gross negligence, but may also provide enhanced protection in regard to indemnification and the availability of the Delaware version of the business judgment rule.
However, it should be noted that Section 18(k) of the FDI Act (and thus, FDIC’s regulations) severely (and unfairly) limits indemnification rights of officers and directors of FDIC-insured institutions, their subsidiaries and their holding companies in instances in which civil money penalties and other regulatory enforcement orders are assessed against an “institution affiliated party,” which includes officers and directors of an FDIC-insured institution, its subsidiaries and any parent holding company. Even though defense costs may be paid or advanced by an institution (and commercial insurance may be purchased to pay such expenses), the proceeds of the insurance cannot be used to pay for penalties assessed.
Mitigation Considerations for Officers and Directors
If there is a key conclusion that can be drawn from this discussion, it should be that individuals acting as officers and directors of financial intermediaries should engage in advance planning and clearly understand the nature of their rights in regard to administrative enforcement actions that might be brought by one of the federal banking agencies or the CFPB. Importantly, when complying with his or her duty of care, an officer or director should ensure that the record reflects reasonable steps to comply with that standard.
In that regard, an officer or director should be provided with legal advice as to what degree of diligence and review should be incorporated into the decision-making process, as well as how that process is reflected in the records of the institution. Particularly in the case in which the business judgment rule is available, the business records of the entity should reflect that all appropriate steps were taken prior to decisions being made.
It should be noted, however, that a distinction should be drawn between an FDIC receivership claim and assessment of civil money penalties by the CFPB or one of the federal banking agencies. In the case of a receivership claim following a bank failure, the above-referenced duty of care for personal liability purposes (e.g., negligence, gross negligence, etc.) is most often a determinative factor. However, in the administrative context in which civil money penalties are being assessed, culpability need not be based upon the failure to comply with a duty of care, but rather, can be based upon an institution’s compliance or non-compliance with an enforcement order previously issued in which officers and directors are ordered to take specific remedial steps to achieve compliance.
A Methodology for Determining and Achieving Reasonable Risk Mitigation to Avoid Personal Liability
As even the casual observer can see, being an officer or director for a financial institution—whether FDIC-insured or otherwise—presents a range of challenges. Complicating the situation is the nature of legal representation of companies, in that counsel for a company is usually not deemed to be providing individual legal advice to officers or directors, and hence the use of in-house counsel or a company’s outside lawyers to provide personal advice may not be appropriate or available in all cases.
We suggest that several steps be considered to address the concerns discussed by this article.
First, as noted above, officers and board members should obtain an overview of the rules governing compliance with the duty of care applicable to the company, including how courts and agencies have interpreted those rules. Among other things, identifying process issues and evidencing development of policies and procedures is essential, as well as ensuring that business records reflect robust discussion and reasonable reliance on experts (i.e., to be able to take advantage of the business judgment rule).
Second, a corporate governance review should take place to determine whether corporate documents such as articles and bylaws include the most favorable indemnification rights permitted under applicable law. (In that regard, it is important to note that in most cases such protections are optional under state corporate law and must be affirmatively adopted by a company’s board of directors.)
Third, employment agreements and indemnification agreements should be reviewed and updated on an annual basis to maximize contractual rights for designated officers and directors.
Fourth, extreme care should be exercised when transactions or other matters arise in which the director or officer may be seen as having a conflict of interest. All corporate processes should be followed, including full disclosure of the nature of the conflict, approval of the matter by a majority of disinterested directors, advice of counsel, etc.
Fifth, directors should work with management to establish internal tracking systems on matters requiring attention (“MRA”) arising out of regulatory examinations. Repeat violations of law or failure to remediate troublesome conditions by the next examination can be seen as a lack of proper board oversight. Careful attention should be given to the regulators’ evaluation of management and appropriate action taken when poor ratings are given. However, reliance on the regulators’ evaluations of management alone may not be sufficient because it appears that regulatory evaluations of management in many cases of failed banks have not been significantly downgraded by the regulators until a year or two before the bank’s failure. (Cornerstone Research, supra.)
Finally, a legal review of a company’s directors’ and officers’ liability insurance policies should be conducted and benchmarked against similar institutions in similar circumstances. It should also be noted that the contractual terms of directors’ and officers’ liability policies are frequently negotiable, and can result in valuable additional liability protection.
Other Standards of Liability Impacting Officers and Directors of a Financial Company
Although this article focuses on corporate and banking liability standards applicable to officers and directors of a financial intermediary, other standards of care arise in particular circumstances as part of the performance of the activities of an officer or director of a financial company. For example, in several instances under the federal securities laws, a corporate officer for a registered company can be held liable in civil or SEC actions for material misstatements in offering materials unless the director has engaged in a “due diligence” review. In regard to companies and “institution affiliated parties” that are subject to Section 8 of the FDI Act, liability might be viewed as a strict liability standard if a federal banking agency views the actions of an officer or director as having engaged in a violation of a federal law, regulation, or unsafe or unsound banking practice. Similarly, the newly established CFPB may also directly access civil money penalties and other remedial measures if an officer or director has participated in the violation of a covered federal consumer protection law.
Please note that this article summarizes several complex liability topics and by its nature is a starting point for further inquiry by officers and directors of banks and non-banks participating in the financial services industry.
Joseph T. Lynyak III is a partner in the Finance practice at Pillsbury Winthrop Shaw Pittman LLP in Washington, D.C., and Los Angeles. He can be reached at (213) 488-7265 or firstname.lastname@example.org.
Rodney R. Peck is a partner in the Corporate & Securities practice at Pillsbury in San Francisco. He can be reached at (415) 983-1516 or email@example.com.