Last month SEC Commissioner Kara Stein said that “gatekeepers” should be the focus of regulatory attention because they are in a position to monitor and promote compliance. Within “gatekeepers” she included directors and management, as well as legal and compliance personnel. Many recent signs continue to indicate that gatekeepers need to get their house in order, now. The consequences of a failure could increase dramatically in the future.
With respect to the board, Federal Reserve Governor Daniel Tarullo recently discussed the role of bank boards in regulatory risk management (see here). More than merely highlighting the need for boards to be aware of regulatory requirements and ensure sound compliance systems, he raised the possibility of expanding fiduciary duties of directors under corporate laws (outside the authority of the Fed) to reflect regulatory risk management concepts. This suggestion was made even though banking regulators have in the past focused on the need for boards to address regulatory issues and ultimately obtained a sledge-hammer in the form of civil money penalties that can reach a million dollars a day in egregious situations. (An aside: with these sums at stake, few U.S. banks risk litigating against the bank regulators.) Tarullo seems to be inviting enforcement efforts by others beyond the regulators and, of course, corporate law changes could open the door for a wider scrutiny by all shareholders and their “advocates.”
In a related development involving cybersecurity, SEC Commissioner Luis Aguilar stated that public-company boards should ensure the adequacy of cybersecurity risk oversight (see here). He recommended that boards at a minimum compare their policies to the NIST Cybersecurity Framework’s guidelines and be sure a detailed incident response plan exists and includes internal and external disclosures. Although this speech was targeted at public companies, view this as an indication of SEC expectations for all regulated entities. (It also validates our prior advice that the NIST Framework will be front and center in these efforts in the U.S.)
When multiple regulators say the same thing, particularly in different contexts, it is a sure sign to take heed. Boards should scrutinize their regulatory risk management efforts before others do it for them.