IBA Compliance Connection

Your go to source for compliance!

What training is required for a bank’s Board of Directors?

by

admin

This is not an area where a black-and-white answer is available, but the federal banking regulators have issued some helpful guidance on their expectations for board training and involvement.

Although the resources below are not necessarily from your primary regulator, they are good sources for best practices and advice.

  • The OCC’s Director’s Book contains a section on director orientation and training explaining that “[t]he board should conduct orientation programs for new directors” and that programs should “vary according to bank size and complexity.” The section goes on to state that “at a minimum” orientation programs should explain:
  • the bank’s organizational structure, corporate culture, operations, strategic plans, risk appetite, and significant issues
  • the importance of Bank Secrecy Act (BSA)/anti-money laundering (AML) regulatory requirements, the ramifications of noncompliance with the BSA, and the BSA/AML risk posed to the bank
  • the individual and group responsibilities of board members, the roles of the various board committees, and the roles and responsibilities of senior management.

It also explains that the board should “periodically assess its skill and competencies, . . . identify gaps, and take appropriate actions.” It adds that management can help in the development of ongoing education and training programs “to keep directors informed and current on general industry trends and regulatory developments.”

  • The FDIC’s Pocket Guide for Directors states that directors “must keep themselves informed of the activities and condition of their institution and of the environment in which it operates” and that they should “stay abreast of general industry trends and any statutory and regulatory developments pertinent to their institution.” It also advises directors to work with management to develop programs to keep members informed with periodic briefings by management, counsel, auditors, or other consultants. Additionally, the guide explains that “more formal director education seminars should be considered” and warns that the “pace of change in financial institutions today makes it particularly important that directors commit adequate time to be informed participants in the affairs of their institution.”
  • The Basics for Bank Directors publication (from the Kansas City Federal Reserve Bank) states that bank directors “should be familiar” with the following laws and regulations:
  • Bank Secrecy Act/Anti-Money Laundering (Regulation H)
  • Management Official Interlocks (Regulation L)
  • Loans to Executive Officers (Regulation O)
  • Privacy of Consumer Financial Information (Regulation P)
  • Fair and Accurate Credit Transaction Act (FACTA) (Regulation V)
  • Transactions with Affiliates (Regulation W)
  • Community Reinvestment Act (Regulation BB)
  • Notice of Change in Directors and Senior Executive Officers (Regulation Y)
  • Golden Parachutes and Indemnification (12 CFR 359)
  • Change in Bank Control Act, Banking Holding Company Act (Regulation Y)
  • Lending Limits (Illinois law: Section 32 of the Banking Act)
  • Office of Foreign Asset Control (OFAC)
  • Safeguarding Customer Information (Regulation H)
  • Equal Credit Opportunity Act (Regulation B)
  • Loans in Special Flood Hazard Areas (Regulation H)
  • Truth in Lending Act (Regulation Z)
  • Real Estate Settlement Procedures Act (Regulation X)  
  • The Director’s Primer publication (from the Atlanta Federal Reserve Bank) emphasizes the equal importance of board committees, stating that “committee members should pursue ongoing training that is relevant to their committee responsibilities” (printed page 20, or page 25 in PDF file).
  • The FDIC’s Directors’ Resource Center provides useful information and resources for directors and contains the Technical Assistance Video Program, a series of educational videos for bank directors on topics such as the Bank Secrecy Act, Cybersecurity Awareness, Interest Rate Risk, and the Community Reinvestment Act.

There are several bank regulations (and one guidance) that specifically require training (when relevant) for bank employees, who may include members of your board of directors. Those requirements are noted in the bullets below. The rules and guidance also have some explicit requirements as to board responsibilities and reporting to the board, and those requirements are noted in the sub-bullets below.

  • Bank Secrecy Act regulations: “The [Bank Secrecy Act] compliance program shall, at a minimum . . . [p]rovide training for appropriate personnel.” 12 CFR 21.21 (OCC), 12 CFR 208.63(c)(4) (Federal Reserve), 12 CFR 326.8 (FDIC).
  • Bank Protection Act regulations: Require banks to “[p]rovide for initial and periodic training of officers and employees in their responsibilities under the security program and in proper employee conduct during and after a burglary.” 12 CFR 21.3(a)(3) (OCC), 12 CFR 208.61(c)(1)(iii) (Federal Reserve), 12 CFR 326.3(a)(3) (FDIC).
  • These regulations also provide for specific board responsibilities, such as designating a security officer and ensuring a written security program is developed and implemented for the bank’s main office and branches. 12 CFR 21.1, 21.2, & 21.3 (OCC),  12 CFR 208.61(a)–(c)(1)  (Federal Reserve), 12 CFR 326.0, 326.2, & 326.3 (FDIC).
  • The bank security officer also must make annual reports to the board “on the implementation, administration, and effectiveness of the security program.” 12 CFR 21.4 (OCC), 12 CFR 208.61(d) (Federal Reserve), 12 CFR 326.4 (FDIC).
  • Regulation CC: Banks must “[p]rovide each employee who performs duties subject to the requirements of this subpart with a statement of the procedures applicable to that employee.” 12 CFR 229.19(f).
  • The guidelines also provide for specific board responsibilities, such as approving and overseeing the written information security program (Paragraph III.A).
  • The guidelines also require annual reports to the board that “describe the overall status of the information security program and the [bank's] compliance with these Guidelines. The report[s] . . . should discuss material matters related to its program, addressing issues such as: [r]isk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations and management's responses; and recommendations for changes in the information security program” (Paragraph III.F).