This is not an area where a black-and-white answer is available, but the federal banking regulators have issued a lot of helpful guidance on their expectations for board training and involvement.
There are several bank regulations (and one guidance) that specifically require training (when relevant) for bank employees, who may include but are not limited to the board of directors. Those requirements are noted in the bullets below. The rules and guidance also have some explicit requirements as to board responsibilities and reporting to the board, and those requirements are noted in the sub-bullets below.
- Bank Secrecy Act: 12 CFR 208.63(c)(4) requires banks to “[p]rovide training for appropriate personnel.”
  - This rule also provides for specific board responsibilities, such as approving a written BSA compliance program and noting the approval in board minutes. 12 CFR 208.63(b).
  - Also, see the FFIEC’s BSA/AML Examination Manual.
- Bank Protection Act: 12 CFR 208.61(c)(1)(iii) requires banks to “[p]rovide initial and periodic training of officers and employees in their responsibilities under the security program and in proper employee conduct during and after a burglary, robbery, or larceny.”
  - This rule also provides for specific board responsibilities, such as designating a security officer and ensuring that a “written security program for the bank’s main office and branches is developed and implemented.” 12 CFR 208.61(a), (b).
  - This rule also requires annual reports to the board “on the implementation, administration, and effectiveness of the security program.” 12 CFR 208.61(d).
- Regulation CC: 12 CFR 229.19(f) requires banks to “[p]rovide each employee who performs duties subject to the requirements of this subpart with a statement of the procedures applicable to that employee.”
- FCRA Red Flag: 12 CFR 222.90(e)(3) requires banks to “[t]rain staff, as necessary, to effectively implement the Program [the institution’s written Identity Theft Prevention Program].”
  - This rule also provides for specific board responsibilities, such as approving and overseeing the written Identity Theft Prevention Program. 12 CFR 222.90(e)(1)–(2).
- Interagency Guidelines Establishing Information Security Standards: Paragraph III.C.2 requires banks to “[t]rain staff to implement the bank’s information security program.”
  - The guidelines also provide for specific board responsibilities, such as approving and overseeing the written information security program (Paragraph III.A).
  - The guidelines also require annual reports to the board that “describe the overall status of the information security program and the bank's compliance with these Guidelines. The reports should discuss material matters related to its program, addressing issues such as: risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations and management's responses; and recommendations for changes in the information security program” (Paragraph III.F).
There are also many publications from the federal banking agencies that have further recommendations on board training and responsibilities. Not all of them come from your primary regulator, the Federal Reserve, but the other regulators’ publications are also useful as sources of best practices and advice.
- The Basics for Bank Directors publication (from the Kansas City Federal Reserve Bank) states that bank directors “should be familiar” with the following laws and regulations:
  - Bank Secrecy Act/Anti-Money Laundering (Regulation H)
  - Management Official Interlocks (Regulation L)
  - Loans to Executive Officers (Regulation O)
  - Privacy of Consumer Financial Information (Regulation P)
  - Fair and Accurate Credit Transaction Act (FACTA) (Regulation V)
  - Transactions with Affiliates (Regulation W)
  - Community Reinvestment Act (Regulation BB)
  - Notice of Change in Directors and Senior Executive Officers (Regulation Y)
  - Golden Parachutes and Indemnification (12 CFR 359)
  - Change in Bank Control Act, Banking Holding Company Act (Regulation Y)
  - Lending Limits (Illinois law: Section 32 of the Banking Act)
  - Office of Foreign Asset Control (OFAC)
  - Safeguarding Customer Information (Regulation H)
  - Equal Credit Opportunity Act (Regulation B)
  - Loans in Special Flood Hazard Areas (Regulation H)
  - Truth in Lending Act (Regulation Z)
  - Real Estate Settlement Procedures Act (Regulation X)
- The Basics for Bank Directors publication also recommends using the Federal Reserve’s Bank Director’s Desktop, which has free, online director training.
- The Director’s Primer publication (from the Atlanta Federal Reserve Bank) emphasizes the equal importance of board committees, stating that “committee members should pursue ongoing training that is relevant to their committee responsibilities” (printed page 20, or page 25 in the .pdf version).
- An OCC publication, Detecting Red Flags in Board Reports, has a full list of all of the reports that bank directors should be receiving.