About

Comment Policy

Disclaimer

Share or Subscribe



  • Subscribe in a reader

  • Your email address:


    Powered by FeedBlitz


  • Add to Technorati Favorites
  • Mymsn_2

  • Add to My Yahoo!
  • Subscribe with Bloglines
Add me to your TypePad People list

Search BLB


  • Google

Banking Blogs

Law Bloggers

Stats


Blog powered by TypePad
Member since 03/2004

« April 2005 | Main | June 2005 »

May 31, 2005

Limitation of Liability: External Audit Engagements

On May 10, 2005, FFIEC published in the Federal Register a proposed Interagency Advisory on the Unsafe and Unsound Use of Limitation of Liability Provisions and Certain Alternative Dispute Resolution Provisions in External Audit Engagement Letters.

The federal banking agencies, on whose behalf the proposed advisory was published, are concerned with what they believe are "unsafe and unsound" provisions in engagement letter agreements entered into between financial institutions and their external auditors. FFIEC generally categorizes these "limitation of liability" provisions as ones that require the institution to:

  • Indemnify the external auditor against claims made by third parties;
  • Hold harmless or release the external auditor from liability for claims or potential claims that might be asserted by the client financial institution; or
  • Limit the remedies available to the client financial institution.

FFIEC gives specific examples of such provisions in the proposed Advisory itself, and in Appendix A to the proposed Advisory.

While noting that a majority of engagement letters reviewed by FFIEC do not appear to contain such provisions, FFIEC is seeing such provisions "with increasing frequency." These provisions, in FFIEC's opinion, raise safety and soundness problems inasmuch as they "may weaken the external auditors' objectivity, impartiality and performance and thus, reduce the Agencies' ability to rely on external audits...Accordingly, financial institutions should not enter into external audit arrangements that include any limitation of liability provisions. This applies regardless of size of the financial institution, whether the financial institution is public or not, and whether the external audit is required or voluntary."

The inclusion of such provisions in an engagement agreement with an external auditor will generally be considered an unsafe and unsound practice. As explained in other posts to this blawg, an unsafe and unsound practice can subject the institution, management, the board of directors, controlling persons and certain others, to regulatory sanctions, including civil money penalties. Public institutions (and other institutions subject to 12 CFR Part 363 and 12 CFR 562.4) may also run afoul of the SEC's (and the FDIC's and OTS') requirements for auditor "independence," since the SEC has taken the position that when an auditor is immune from liability, it is not truly "independent."

Financial institutions' boards of directors, audit committees and management should carefully review both existing and proposed external audit engagement agreements discussed in the proposed Advisory to determine whether those agreements contain provisions that might run afoul of the proposed Advisory. Prior to that review, FFIEC expects that the agreement will be carefully reviewed by the institution's legal counsel so that those charged with engaging the external auditor make "a fully informed decision."

As a cautionary note, I believe that financial institutions should also review engagement agreements with "external" auditors who are engaged to provide "internal audit" services to a financial institution, and with any other third party service provider who provides important services to, or on behalf of, the institution in light of these standards. Many of the same arguments as to negative potential effects on auditor's "objectivity, impartiality and [especially] performance" posed by limitation of liability provisions can also logically be applied to such other third party vendor agreements. If a third party service provider is effectively shielded from the major consequences of its failure to perform competently, it may not be adequately motivated to perform as competently as it would be without such a shield.

Financial institutions should read the proposed guidance carefully. Although the financial institution regulators are not likely to penalize institutions severely for failing to heed the guidance until it is adopted in final form (except for the standards already applicable to public insitutions), much of the proposed guidance is arguably already embodied in general safety and soundness standards.

If an institution wishes to comment on any aspect of the proposed Advisory, it should submit those comments by June 9, 2005.
---Kevin Funnell

04:39 PM in Accounting/Auditing, FFIEC, Outsourcing | | Comments (0)

May 22, 2005

Guidelines versus Regulations

The compliance officer of a client, a national bank, recently related to us a story of incredibly bad advice. During a presentation by a large technology "outsourcing" firm, the presenter, a former employee of a federal banking agency, told the management and employees of the bank that it was not necessary for the bank to comply with the Interagency Guidelines Establishing Information Security Standards, because these were "merely guidelines" and not "enforceable regulations." When questioned by the bank's compliance officer on this point, the presenter restated this position and emphasized that he had been employed for several years by a specific federal banking agency, and that this was how the agency interpreted the Guidelines. The bank's compliance officer came to us for guidance.

I've seen dumber interpretations of federal law, but not many. This view, while having some surface appeal, is a foolish and erroneous one to take in the present regulatory environment.

The Guidelines were adopted by the regulatory agencies as part of regulations required by federal law. Congress required the federal banking agencies to adopt standards for safety and soundness. The Guidelines are attached as appendices to the safety and soundness regulations adopted by the federal banking agencies in response to that Congressional direction. The OCC's regulation, for example, provides that a bank that does not adhere to the Guidelines can be required to submit a plan to bring itself into compliance with the Guidelines and if it fails to do so, it can be sanctioned by the OCC, which could include the imposition of civil money penalties.

While it may have been true that at one time agency-issued "guidelines" were considered to be "informal advice," and that they did not have the force of regulations, that view has all but disappeared over the last few years among knowledgeable compliance officers and counsel. Bank examiners consider them to have the force of regulation, and apply them in the course of their examinations as such. The consequences of violating them can lead to regulatory sanctions on the basis that the bank is engaged in an unsafe and unsound practice, which is a violation of regulation.

Although guidelines are, in many cases, more general and flexible than regulations, they should be accorded the same respect. No sensible banker will treat them in any other manner.
---Kevin Funnell

08:31 PM in Electronic Banking, Federal Legislation, FFIEC, Outsourcing, Privacy, Web/Tech | | Comments (0)

May 09, 2005

OCC to Banks: Just Do The Right Thing

In her last major speech as Acting Comptroller of the Currency, Julie Williams Juliewilliams2once again hammers home to banks the need to "do the right thing."

In her remarks to a conference sponsored by the Federal Reserve Bank of Chicago last Thursday, Ms. Williams addressed what she called "today’s most elusive, difficult to manage and perhaps most feared risk: reputation risk." According to a survey conducted by PriceWaterhouseCoopers, the majority of bank risk managers state that "reputation risk" is the "biggest risk they face."

Ms. Williams outlined how the OCC judges a bank's "reputational risk." First, while the OCC doesn't “regulate corporate ethics, we can and we will notice and comment on whether a banking organization has a corporate organizational framework, and policies or practices that support – or undermine – sound corporate values and an ethical climate within the organization. It is our experience that if such values and the ethos of the organization are not strong, institutional soundness and a bank’s good name and reputation can suffer in unpredictable ways."

The OCC expects to see not only enterprise-wide risk management controls, but also "some form of risk management function and accountability within each major line of business." The OCC does not "dictate to national banking organizations that one or the other type of risk assessment function should predominate over the other. But we do absolutely expect that the combination will be an effective risk management function for the organization’s lines of business."

The OCC also expects that risk management controls will include solid compliance and audit (internal and external) programs, backed up by upward and downward information flow, will be in place. "All these functions – business line risk management, enterprise risk management, compliance management, and internal and external audit, supported by effective internal information flow and communication – are vital components of a banking organization’s 'defensive line' against reputation risk. But that defensive line of corporate functions will be fundamentally incomplete if the organization is not grounded in a sound corporate culture and value system understood by all its employees."

Echoing Amy Brinkley, Chief Risk Executive of Bank of America, Ms. Williams sets forth the core question: "“How do you hard-wire values and ethics into the character, the very DNA, of a company?” Answering this question involves matters not only of proper structuring of compensation and financial incentives, but a "top down" ethical climate that promotes ethical behavior.

As we've said repeatedly on this blog, banks can save themselves much grief if they simply start with the basic proposition that the institution needs to "do the right thing." Obviously, the top regulators agree, and will be increasingly looking to make sure that banks "do the right thing" as a matter of "safety and soundness."
---Kevin Funnell

10:34 AM in Banking Law-General, Ethics, OCC | | Comments (0)

Recent Posts

Archives

More...

Categories

Business News

Regulators

Resources