This is not an area where a black-and-white answer is available, but the federal banking regulators have issued some helpful guidance on their expectations for board training and involvement.
Although the resources below are not necessarily from your primary regulator, they are good sources for best practices and advice.
- The OCC’s Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches state that boards of directors of covered banks should establish formal, ongoing training programs for all directors that include training on “(1) complex products, services, lines of business, and risks that have a significant impact on the covered bank, (2) laws, regulations, and supervisory requirements applicable to the covered bank; and (3) other topics identified by the board of directors.” (Paragraph III.E).
- The OCC’s Director’s Book contains a section on director orientation and training explaining that “[t]he board should conduct orientation programs for new directors” and that programs should “vary according to bank size and complexity.” The section goes on to state that “at a minimum” orientation programs should explain:
  - the bank’s organizational structure, corporate culture, operations, strategic plans, risk appetite, and significant issues
  - the importance of Bank Secrecy Act (BSA)/anti-money laundering (AML) regulatory requirements, the ramifications of noncompliance with the BSA, and the BSA/AML risk posed to the bank
  - the individual and group responsibilities of board members, the roles of the various board committees, and the roles and responsibilities of senior management.
  It also explains that the board should “periodically assess its skill and competencies, . . . identify gaps, and take appropriate actions.” It adds that management can help in the development of ongoing education and training programs “to keep directors informed and current on general industry trends and regulatory developments.”
- The FDIC’s Pocket Guide for Directors states that directors “must keep themselves informed of the activities and condition of their institution and of the environment in which it operates” and that they should “stay abreast of general industry trends and any statutory and regulatory developments pertinent to their institution.” It also advises directors to work with management to develop programs to keep members informed with periodic briefings by management, counsel, auditors, or other consultants. Additionally, the guide explains that “more formal director education seminars should be considered” and warns that the “pace of change in financial institutions today makes it particularly important that directors commit adequate time to be informed participants in the affairs of their institution.”
- The Basics for Bank Directors publication (from the Kansas City Federal Reserve Bank) states that bank directors “should be familiar” with the following laws and regulations:
  - Bank Secrecy Act/Anti-Money Laundering (Regulation H)
  - Management Official Interlocks (Regulation L)
  - Loans to Executive Officers (Regulation O)
  - Privacy of Consumer Financial Information (Regulation P)
  - Fair and Accurate Credit Transaction Act (FACTA) (Regulation V)
  - Transactions with Affiliates (Regulation W)
  - Community Reinvestment Act (Regulation BB)
  - Notice of Change in Directors and Senior Executive Officers (Regulation Y)
  - Golden Parachutes and Indemnification (12 CFR 359)
  - Change in Bank Control Act, Bank Holding Company Act (Regulation Y)
  - Lending Limits (Illinois law: Section 32 of the Banking Act)
  - Office of Foreign Asset Control (OFAC)
  - Safeguarding Customer Information (Regulation H)
  - Equal Credit Opportunity Act (Regulation B)
  - Loans in Special Flood Hazard Areas (Regulation H)
  - Truth in Lending Act (Regulation Z)
  - Real Estate Settlement Procedures Act (Regulation X)
- The Basics for Bank Directors publication also recommends using the Federal Reserve’s Bank Director’s Desktop, which has free, online director training.
- The Director’s Primer publication (from the Atlanta Federal Reserve Bank) emphasizes the equal importance of board committees, stating that “committee members should pursue ongoing training that is relevant to their committee responsibilities” (printed page 20, or page 25 in PDF file).
- An OCC publication, A Pocket Guide to Detecting Red Flags in Board Reports, lists reports that bank directors should be receiving.
- The FDIC’s Directors’ Resource Center provides useful information and resources for directors and contains the Technical Assistance Video Program, a series of educational videos for bank directors on topics such as the Bank Secrecy Act, Cybersecurity Awareness, Interest Rate Risk, and the Community Reinvestment Act.
There are several bank regulations (and one set of interagency guidelines) that specifically require training (when relevant) for bank employees, who may include members of your board of directors. Those requirements are noted in the bullets below. The rules and guidelines also have some explicit requirements as to board responsibilities and reporting to the board, and those requirements are noted in the sub-bullets below.
- Bank Secrecy Act regulations: “The [Bank Secrecy Act] compliance program shall, at a minimum . . . [p]rovide training for appropriate personnel.” 12 CFR 21.21 (OCC), 12 CFR 208.63(c)(4) (Federal Reserve), 12 CFR 326.8 (FDIC).
  - These regulations also provide for specific board responsibilities, such as approving a written BSA compliance program and noting the approval in board minutes. 12 CFR 21.21(c)(1) (OCC), 12 CFR 208.63(b)(1) (Federal Reserve), 12 CFR 326.8(b)(1) (FDIC).
- Bank Protection Act regulations: Require banks to “[p]rovide for initial and periodic training of officers and employees in their responsibilities under the security program and in proper employee conduct during and after a burglary.” 12 CFR 21.3(a)(3) (OCC), 12 CFR 208.61(c)(1)(iii) (Federal Reserve), 12 CFR 326.3(a)(3) (FDIC).
  - These regulations also provide for specific board responsibilities, such as designating a security officer and ensuring a written security program is developed and implemented for the bank’s main office and branches. 12 CFR 21.1, 21.2, & 21.3 (OCC), 12 CFR 208.61(a)–(c)(1) (Federal Reserve), 12 CFR 326.0, 326.2, & 326.3 (FDIC).
  - The bank security officer also must make annual reports to the board “on the implementation, administration, and effectiveness of the security program.” 12 CFR 21.4 (OCC), 12 CFR 208.61(d) (Federal Reserve), 12 CFR 326.4 (FDIC).
- Regulation CC: Banks must “[p]rovide each employee who performs duties subject to the requirements of this subpart with a statement of the procedures applicable to that employee.” 12 CFR 229.19(f).
- FCRA Red Flags Rule: Banks must “[t]rain staff, as necessary, to effectively implement the Program [the institution’s written Identity Theft Prevention Program].” 12 CFR 41.90(e)(3) (OCC), 12 CFR 222.90(e)(3) (Federal Reserve), 12 CFR 334.90(e)(3) (FDIC).
  - This rule also provides for specific board responsibilities, such as approving and overseeing the written Identity Theft Prevention Program. 12 CFR 41.90(e)(1)–(2) (OCC), 12 CFR 222.90(e)(1)–(2) (Federal Reserve), 12 CFR 334.90(e)(1)–(2) (FDIC).
- Interagency Guidelines Establishing Information Security Standards: Paragraph III.C.2 requires banks to “[t]rain staff to implement the bank’s information security program.” 12 CFR 30, Appendix B (OCC), 12 CFR 225, Appendix F (Federal Reserve), 12 CFR 364, Appendix B (FDIC).
  - The guidelines also provide for specific board responsibilities, such as approving and overseeing the written information security program (Paragraph III.A).
  - The guidelines also require annual reports to the board that “describe the overall status of the information security program and the [bank’s] compliance with these Guidelines. The report[s] . . . should discuss material matters related to its program, addressing issues such as: [r]isk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations and management’s responses; and recommendations for changes in the information security program” (Paragraph III.F).