The Federal Reserve Board eagle logo links to home page

Testimony of Richard Spillenkothen
Director, Division of Banking Supervision and Regulation
Corporate governance, risk management, and internal controls
Before the Permanent Subcommittee on Investigations, Committee on Governmental Affairs, U.S. Senate
November 20, 2003

Thank you for the opportunity to testify today on the Federal Reserve's continuing efforts to advance corporate governance, risk management and internal controls at banking organizations. I would like to note that my testimony today reflects the views of Federal Reserve supervisory staff, and not necessarily those of the Board of Governors.

Numerous governance, accounting, and legal compliance failings within publicly held companies, including those delineated in this Subcommittee's investigation of the Enron debacle, have been identified over the course of the past two years. The Subcommittee's current investigation into the role of professional firms in the development, marketing, and implementation of abusive tax structures highlights once again the critical need for effective corporate governance, risk management and internal controls to guide organizations' business practices and activities, thereby promoting compliance with all laws and regulations and safeguarding firms' franchises.

Federal Reserve staff has not reviewed the specific abusive tax structures that I understand to be the focus of today's hearing, and, as you know, bank supervisors are not tax experts, nor are they responsible for the oversight of tax compliance by banking organizations or their customers. However, I appreciate the opportunity to talk to you today about our supervisory requirements and expectations for banks involved in complex structured transactions, some of which are tax driven, and about some of the continuing enhancements to our supervisory processes to better address banking organizations' risk management and internal control infrastructures.

Perhaps to an even greater extent than those in other industries, financial services organizations face substantial challenges in ensuring that risk management practices and internal controls are designed to fully address the wide range of traditional and more recently-identified nontraditional risks emanating from the products and services offered by a rapidly evolving financial industry. While these financial products provide many legitimate benefits to bank customers and to the economy as a whole, they can also be misused, and in the process, create risks for banking organizations. With recent events such as corporate accounting scandals and large bankruptcies, banks have learned that involvement in some transactions can result in significant legal costs and reputational damage, in addition to major losses on extensions of credit. All of these risks need to be recognized by senior management of banking organizations and effectively managed and controlled. In this regard, it is the longstanding expectation of the Federal Reserve that banking organizations have comprehensive corporate governance programs to ensure that the entire range of an organization's activities and practices are in full compliance with all applicable laws and regulations.

Banking organizations appear to be actively responding to the lessons of recent events. Supervisory assessments of management processes around structured transactions indicate that various additional control mechanisms, such as internal business review committees and more intense due diligence by key risk control functions within banks, are being instituted to assure appropriate senior-level management attention to proposed transactions, particularly to the legal and reputational risks involved.

Role of Supervisors
At the outset, it is important to provide some background on the Federal Reserve's role as supervisor of banking organizations and our relationship with other supervisory authorities in carrying out our responsibilities. The primary focus of the Federal Reserve's supervision is ensuring an institution's safety and soundness, as well as compliance with banking and consumer laws and regulations, in a way that protects the deposit insurance fund and the consumer, while promoting stability of the financial system.

To accomplish these goals, the Federal Reserve uses a risk-based approach to supervision in which examiners focus primarily on areas posing the greatest risk to the banking organization, and on the overall adequacy of an organization's risk management and internal controls as measured against not only regulatory standards and expectations, but also against the evolving practices of well managed firms. To promote the proper functioning of these systems, examiners review selected transactions across business lines to identify whether written policies and procedures are being followed.

In the case of more complex transactions and business practices that can pose higher levels of operational, legal and reputational risk, examiners seek to determine whether the banking organization has a process in place for obtaining its own legal, tax and accounting approvals from key control functions within the organization and, when appropriate, from third party professionals. Examiners are not legal or tax experts, and as has become increasingly apparent, abusive tax structures are often designed to resemble legitimate tax transactions and, by their very nature, can be highly complex, varied, and extremely difficult to detect. With the exception of the banking and consumer protection laws for which the Federal Reserve has enforcement responsibility, examiners are not trained to identify violations of non-banking laws or compliance with the tax code. Nor are they qualified to perform an independent legal or tax analysis of transactions or business practices.

It is the responsibility of each banking organization to develop an appropriate control structure to ensure that all transactions entered into are legal and in the long-term best interest of the banking organization, and that they do not compromise the organization's financial condition. While banking organizations have the responsibility to perform their own due diligence of transactions and business activities, it is important to note that banking organizations, of necessity, rely to a considerable extent on other parts of the financial and legal infrastructure. Accounting and legal firms are key components of that infrastructure. To the extent these important components of the financial system are not performing their appropriate duties, the operations of banking organizations will inevitably be affected.

When weaknesses in corporate governance or risk-control infrastructures are identified by the Federal Reserve, other bank supervisors, functional regulators, or law enforcement authorities, the Federal Reserve stands ready to use its full complement of supervisory and enforcement tools. The supervisory objective is to ensure that banking organizations implement appropriate corrective actions to address any financial weaknesses, promote compliance with laws and sound banking practices, and protect the federal deposit insurance fund.

Supervisory Requirements and Expectations for Banking Organizations
Some basic principles and expectations for banking organizations guide our work in assessing business activities and risks. First, and most obviously, banking organizations must obey the law. In particular, they must have policies and procedures in place that are followed by their employees to ensure that they are in compliance with all laws and regulations. The laws most commonly applicable include banking, consumer, securities and tax laws, whether federal, state or foreign.

Second, banking organizations should perform thorough due diligence on the transactions or business activities that they are involved in and check with key legal, accounting and tax authorities within their own organizations, as well as independent third-party professional experts when appropriate. However, banking organizations ordinarily should not be held legally responsible for the judgments, actions or malfeasance of their customers, or third-party professional advisers. Nor, as a general rule, should they be required to second guess their customers' accountants, tax or legal experts, or to police their customers' and third-party professionals' business activities. Such an expectation would require, inappropriately, banking organizations to assume management responsibilities outside of their control, create potential legal liability that would compromise their ability to perform their role as financial intermediaries or threaten their safety and soundness, and place significant costs on banking organizations to audit the activities of their customers and professional advisers.

On the other hand, banking organizations should not, of course, participate in activities that they know or suspect to be illegal, and they must maintain controls and procedures to ensure that they are not knowingly facilitating illegal activities by their customers or business associates. Moreover, banking organizations should not engage in borderline transactions that are likely to result in significant reputational or operational risks to the organization.

Third, in those cases where a banking organization does become aware of fraudulent or criminal activities by their employees, customers, or business associates, they are required by federal law and the Federal Reserve's and other bank regulators' regulations to file Suspicious Activity Reports (SARs). If for any reason a banking organization does not fulfill this obligation, the SAR would be filed by the bank's supervisor. SARs are available electronically to all the federal, state, and local law enforcement agencies with interests in investigating and prosecuting crimes involving banking organizations. This includes the Criminal Investigations division of the Internal Revenue Service.

Fourth, the role of banking organizations is to assume and manage all the attendant risks related to their activities as financial intermediaries. Before banking organizations offer new products and engage in new activities, they should evaluate all the dimensions of risks, including credit, market, legal, operational and reputational risks. In light of recent events, banking organizations are re-evaluating the risks related to both their traditional and their new products, recognizing that as financial markets and practices change, legal and reputational risks may manifest themselves in new ways or in magnitudes not previously recognized. Moreover, as practices and products change, banking organizations must build appropriate mitigating controls to manage the evolving risk exposures and ensure that a process is in place to assess the effectiveness of those controls over time.

Finally, banking organizations must recognize that although they are not directly accountable for the actions of their customers or the third-party legal and accounting professionals with whom they have business dealings, to the extent their names or products are implicitly associated with misconduct by those parties, additional legal and reputational risks may arise. Such risks may ultimately lead to significant costs and if these risks are not recognized and addressed, they could affect an organization's financial health. Banking organizations should be particularly vigilant that any business relationships with third-party legal and accounting professionals do not cloud the independence of those professionals, rendering their opinions and recommendations unreliable. Moreover, a banking organization must also seek to ensure that any non-audit or other business relationships with the external audit firm engaged to opine on the organization's public financial statements do not contravene the auditor independence standards.

Supervisory Activities
For its part, the Federal Reserve focuses its supervisory activities on reviewing the methods used by banking organizations to identify, evaluate, and control all dimensions of risk associated with the organization's business activities, including operational, legal and reputational risks. Safety and soundness is dependent on strong overarching corporate governance programs that clearly establish an organization's risk appetite and tolerance levels. Such programs must be fully supported by written policies and procedures and well-developed control infrastructures that dynamically evolve to maintain effectiveness as new products and risk combinations or conflicts of interest emerge and new business initiatives are undertaken. Active independent risk management, internal audit, and compliance functions are crucial elements of each banking organization's control process.

Recent events have influenced the thinking of supervisors as well as banking organizations on effectively targeting resources toward more vulnerable points within an organization's risk-management structure. In particular, events have reemphasized that in developing the scope of a supervisory review, factors used to prioritize reviews should go beyond standard balance sheet measures of risk to include an individual customer's or business line's overall contributions to revenues or profits. Highly profitable or rapidly growing business lines, relationships, or new products and services, in addition to large credit or market exposures, are also activities for which the adequacy of internal checks and balances needs to be appropriately tested and, where warranted, reinforced.

Clearly events of the past two years have focused banking organizations' and bank supervisors' attention on the legal and reputational risks associated with complex structured transactions. For its part, the Federal Reserve has initiated a number of actions to strengthen our supervisory processes and to promote the remediation of identified problems.

As a result of our examination of banking organizations' relationships with Enron, the Federal Reserve, along with other bank and securities regulators, conducted special reviews of banking and securities investment firms to develop a more complete understanding of how each institution oversees its structured financing activities and controls the associated risks. In conducting these reviews and in our supervisory follow-up, the Federal Reserve has been clear regarding our expectations that banking organizations should have effective internal controls that comprehensively assess the risks associated with legal compliance, including compliance with tax laws. Formal, Enron-related supervisory enforcement actions taken publicly by the Federal Reserve last summer, in coordination with other regulatory and law enforcement authorities, underscore supervisory expectations regarding the need for banking organizations to address weaknesses in internal controls and risk management relating to complex structured transactions. In addition to ongoing supervisory efforts, we are also working with other bank and securities regulators to develop supervisory guidance on appropriate controls and risk management systems relating to complex structured transactions, including those specifically designed for tax purposes.

The Federal Reserve has used the lessons learned over the last couple of years to make some refinements to our risk assessments and supervisory programs for large complex banking organizations. Specifically, we have increased our emphasis on, and review of, organizations' management of legal and reputational risks. Among other things, increased focus has been put on the adequacy of new product approval processes, the management of large or highly profitable customer relationships, and controls over the use of special purpose entities. Examiners are also increasing efforts to review basic internal control infrastructures at banking organizations, including examination of board and management oversight and reporting, corporate-wide compliance activities, and internal audit functions.

In closing, it is clear that effective corporate governance programs and internal control processes will continue to be crucial to the success of banking organizations and corporations more broadly. These programs and processes must be rigorous and they must adjust to ensure the detection and control of all risks stemming from new products and services and from their interactions with existing businesses. Equally important to the effective identification and management of new and emerging risks, however, is a robust internal control infrastructure that enables organizations to maintain compliance with all laws and regulations, including tax laws.

Supervisors will continue to focus on risk management and control processes in order to foster safety and soundness, financial stability, and compliance with applicable laws and regulations. Supervisory activities will continue to reinforce recent actions taken by banking organizations to address weaknesses and, whenever necessary, require further corrective action. Supervisory efforts are directed at encouraging banking organizations to enhance their new product review and approval procedures, and to strengthen their overall approach to identifying, managing and controlling legal, reputational and other operational risks.

Of course, no system of official oversight is failsafe, and supervisors cannot detect and prevent all control or management failures. However, strong and effective supervision, including the use of supervisory enforcement tools, bank managements' recognition of the need to maintain sound corporate governance, risk management and internal control infrastructures, and the workings of market discipline, should result in continued improvements in the management of legal and reputational risks.

Return to topReturn to top

2003 Testimony

Home | News and events
Accessibility | Contact Us
Last update: November 20, 2003, 9:00 AM