• Are Bank Directors and Officers Protected by the Business Judgment Rule? One Court Says Not Necessarily

    Bank directors and officers may be held to a different standard of care from the directors and officers of other business corporations, leaving their actions without the protection of the business judgment rule, according to a recent and highly unusual decision from a Georgia federal court.

    On December 4, 2009, the Buckhead Community Bank failed. The Federal Deposit Insurance Corporation took over as a receiver and subsequently filed suit against nine former directors and officers of the bank. In its complaint, the FDIC charged that the defendants were negligent and grossly negligent in their management of the bank’s loan portfolio, leading to the failure.

    According to the FDIC complaint, the bank’s Loan Committee “took unreasonable risks” and violated bank policy by approving speculative commercial real estate loans without adequate information and participating in loan purchases from other banks without independently reviewing the loans, despite repeated warnings from regulators, according to the FDIC.

    In Georgia, the business judgment rule explicitly holds bank directors and officers to an ordinary negligence standard of care: “[d]irectors and officers of a bank or trust company shall discharge the duties of their respective positions in good faith and with that diligence, care, and skill which ordinarily prudent men would exercise under similar circumstances in like positions.” O.C.G.A. § 7-1-490(a). Other states with the business judgment rule, such as California, only protect directors, not officers, in this way.

    The defendants filed a motion to dismiss the suit. Despite O.C.G.A. § 7-1-490(a), they argued they could not be liable for ordinary negligence under the business judgment rule and their actions did not rise to the level of gross negligence.

    U.S. District Court Judge Thomas W. Thrash, Jr., acknowledged that Georgia federal courts have “uniformly applied the business judgment rule to protect bank officers and directors,” but reached a different conclusion.

    “There is every reason to treat bank officers and directors differently from general corporate officers and directors,” he wrote. “In general, when a business corporation succeeds or fails, its stockholders bear the gains and losses. The business judgment rule is primarily applied in Georgia because ‘the right to control the affairs of a corporation is vested by law in its stockholders – those whose pecuniary gain is dependent upon its successful management.’ But when a bank, instead of a business corporation fails, the FDIC and ultimately the taxpayer bear the pecuniary loss. The lack of care of the officers and directors of banks can lead to bank closures, which echo throughout the local and national economy. To some extent, the failure of bank officers and directors to exercise ordinary diligence led to the very financial crisis that continues to affect the national economy.”

    State courts in Georgia have generally applied the business judgment rule to preclude claims for ordinary negligence against the officers and directors of a corporation, the court said, but “no Georgia state court has explicitly extended the business judgment rule to protect the officers and directors of a bank being sued by the FDIC as a receiver.” With “no clear controlling precedents on this issue by the Supreme Court of Georgia,” and having reached a contrary conclusion from his fellow federal judges, Judge Thrash certified the question “of whether the business judgment rule should supplant the standard of care required of bank officers and directors by O.C.G.A. § 7-1-490 in a suit brought by the FDIC as receiver” to the state’s highest court.

    Even lacking guidance from the state court, Judge Thrash declined to apply the business judgment rule to the FDIC’s ordinary negligence claim. The agency “has set forth numerous allegations indicating the Defendants failed to exercise even slight diligence when acting as directors and officers of the Bank,” he wrote, continuing to approve the questionable loans despite being aware of a decline in housing sales and in contravention of bank policy. “These risky assets led to the Bank’s ultimate crash, and led to the losses incurred by the FDIC.”

    The Financial Institutions Reform, Recovery, and Enforcement Act allows bank directors and officers to be liable for monetary damages based on gross negligence, the court noted, again denying the defendants’ motion to dismiss.

    “The alleged facts show an ongoing tendency to ignore risks while taking on loans that were flagged by regulators. Similarly, the allegations suggest that the Defendants invested the Bank’s loan portfolio in a manner far more aggressive than banks in their peer group. Additionally, the Defendants failed to adhere to procedures that would have identified the deficiencies in the loans, including internal policies concerning diversification and inspection,” Judge Thrash said. “The allegations of such disregard of care and procedures are sufficient for a reasonable jury to conclude that the Defendants were grossly negligent in their management of the Bank.”

    To read the opinion in FDIC v. Loudermilk, click here.

    Why it matters: The decision in Loudermilk may strike fear in the hearts of bank executives, particularly those located in the state of Georgia. Under the reasoning of the opinion, the protections of the business judgment rule for liability based on ordinary negligence would not apply to the directors and officers of banks because the Deposit Insurance Fund of the FDIC bears the impact of their actions, which the court said can “echo” nationwide. However, the court failed to recognize that the Deposit Insurance Fund (funded by bank assessments) bears the alleged losses, not the taxpayers. One possible light at the end of the tunnel, however, could be that Judge Thrash certified the question to the Georgia Supreme Court, which could reach a different conclusion.

    back to top

    Fifth Circuit: State Attorney General’s Consumer Protection Suits Not Preempted

    The National Bank Act does not preempt claims brought by the Mississippi Attorney General based on a violation of the state consumer protection act in a suit against Capital One Financial Corp., Citigroup, Discover Financial Services, HSBC Holdings, Bank of America and JPMorgan Chase, the Fifth U.S. Circuit Court of Appeals has determined.

    Alleging that each of the six defendants violated the Mississippi Consumer Protection Act by charging consumers for products they did not want or need, Attorney General Jim Hood filed suit in state court. The defendants removed the case to federal court and filed a motion to dismiss, arguing that the state claims were preempted by the federal National Banking Act.

    A U.S. district judge agreed, but the federal appellate panel reversed and remanded for the district court to determine whether “substantial federal question jurisdiction” existed outside of the National Banking Act or the Class Action Fairness Act.

    At issue in the appeal: Payment Protection Plans offered by the defendants to customers. The state of Mississippi claimed that the defendants committed unfair and deceptive practices by “marketing, selling, and administering” the Plan as an ancillary product to “unwitting” credit card holders. The Plans, as explained by the court, are “an amendment to the credit card loan agreement that suspends or cancels a customer’s obligation to repay credit card debt under certain circumstances – such as death, disaster, disability, unemployment, marriage, divorce, or hospitalization – without adverse consequences to the customer.”

    If the repayment obligation is suspended and the customer does not have to make minimum payments, interest charges and late fees are also relieved. Charges for the Plans are based on a percentage of the customer’s outstanding card balance, and the service is charged as a separate fee each month. The Attorney General estimated that the annual charges for the services were between $68.40 to $162 per customer.

    Importantly, the complaints did not challenge the interest rates charged by the defendants and did not allege that an illegal rate of interest was charged. And the state specifically disclaimed that any federal question subject matter jurisdiction existed over the complaints.

    The defendants raised a number of arguments to remove the case, including a characterization of the suit as a Class Action Fairness Act mass action and the existence of a federal question because the NBA preempted what were really disguised usury claims.

    Removal was inappropriate, the Fifth Circuit said. CAFA provides federal jurisdiction over a “mass action” involving the claims of 100 or more persons and either $75,000 for an individual or an aggregate amount in controversy of at least $5 million – but neither of those requirements was met.

    Individual customers who paid for the Plans are not the real parties in interest, the panel said, as the state is the only plaintiff. “The State expressly denies representing individual customers, and asserts that it does not know how much these individual credit card holders have paid in fees,” although it estimated the range of annual fees to be under $200 for an individual. “Based on the State’s contentions, it would take an individual customer hundreds of years to reach the individual amount in controversy requirement,” the court said.

    Even assuming that the customers were the real parties in interest, the defendants did not present evidence to show that any one of the customers satisfied the individual amount in controversy of $75,000, the court noted. “Defendants have failed to prove that even a single plaintiff here satisfies this requirement.”

    As the defendants – who have ready access to information regarding their own customers and could assert that just one satisfies this requirement – failed to present any evidence, the court declined to require the state to prove a negative.

    Turning to the issue of preemption, the Fifth Circuit again concluded that removal was not required. Although state law usury claims against nationally chartered banks are completely preempted by the NBA, the panel said the defendants failed to conclusively establish that the fees were “interest” and that the state had not made any allegations that the defendants were charging illegal rates.

    Looking for guidance on whether the fees are “interest,” the court said the NBA does not indicate that the Plan fees are interest while regulations from the Office of the Comptroller of the Currency offer a broad definition of interest to include “any payment compensating a creditor or prospective creditor for an extension of credit, making available a line of credit, or any default or breach by a borrower of a condition upon which credit was extended.”

    Not all fees associated with loans are interest, the panel said, and sided with the Attorney General that the charges are better viewed as fees associated with providing a separate credit service, rather than fees for the extension of credit. “Customers can receive the loan without signing up for the Protection Payment Plans, and may continue to use the line of credit even if they stop participating in the Plans,” the panel wrote. “Customers pay a separate monthly fee in order to receive this service. Thus, the fees for the Payment Protection Plans can be viewed as charges specifically assigned to cover an ancillary service, rather than general charges for the extension of credit.”

    Adopting the defendants’ line of thinking would essentially include all fees associated with ancillary products or plans affecting the repayment terms of the loan as interest, the court said. “At best, defendants have only shown that the Payment Protection Plan fees could conceivably fit within the definition of ‘interest.’ Defendants have failed to show that a clear rule demands removal, and remand is therefore appropriate.”

    Further, the state failed to make “any assertions about Defendants’ rate of interest,” the court said, instead complaining about unfair and deceptive practices. “Indeed, the gravamen of the State’s complaints is that the customers do not actually understand that they have agreed to purchase these services and are charged without their consent, not that they are being charged too much.”

    To read the decision in Hood v. JPMorgan Chase, click here.

    Why it matters: The Fifth Circuit opinion is the latest in a circuit split over whether state attorneys general parens patriae actions constitute “mass actions” that are removable under the Class Action Fairness Act. For state attorneys general, the Fifth Circuit’s narrow reading of the National Banking Act and the Class Action Fairness Act may inspire more suits under state consumer protections laws, particularly in the financial services area.

    back to top

    Bitcoin Reaches a New Milestone: Fraud

    Digital currency Bitcoin may not be recognized by traditional financial markets yet, but the rising profile of the digital currency has yielded appreciation from one audience: fraudsters and scammers.

    Recently, a Twitter user with the handle “Fontas” urged his followers to take part in a Bitcoin-based pump-and-dump scheme, tweeting “For insane profits come and join the pump.” In an online chat with The New York Times, Fontas (who refused to divulge his identity) said, “the lack of regulations allows everything to happen,” with no fear of legal action.

    Because the currency – created by algorithm and currently valued at more than $12 billion – is unregulated, legal enforcement based on deceptive offers or financial regulations is impossible. The NYT reported that dozens of instances of Bitcoin theft (such as an illegal transfer) have occurred in recent months; some incidents involved millions of dollars in Bitcoin value.

    Digital currency has appeared on the docket in a handful of cases in the United States but only when the currency has caused real-world problems. And because the Bitcoin realm remains a legal gray area, theft and hacking leave victims without much recourse.

    In one example, European payment processor BIPS acknowledged in November that it lost roughly $1 million in Bitcoins after being hacked. With the lack of legal resources, BIPS wrote on its website that the company is “unable to reimburse Bitcoins lost unless the stolen coins are retrieved.” While the Danish police are “examining the case,” the company noted that the authorities could “not classify this as a theft due to the current nonregulation of Bitcoin.”

    The scams are not without some repercussion, however. Efforts like Fontas’ resulted in an announcement from officials in China cautioning consumers that they assumed their own risks with Bitcoin; the Bank of France also issued a warning to investors.

    And as Bitcoin’s profile continues to rise, so has the potential for attention from regulators. Federal agencies in the United States have indicated they are keeping an eye on virtual currency while “digital currency” made the list of the top ten threats to investors as compiled by the North American Securities Administrators Association for the first time in October.

    The question of jurisdiction remains, however: who should be policing fraud or theft of Bitcoin? As is typical in the law, the answer depends. If Bitcoin is deemed to be currency or commodity, the Commodity Futures Trading Commission would be in charge, but the Securities and Exchange Commission would have authority if the decision were made that Bitcoin is a security.

    Why it matters: The law is notoriously two steps behind when it comes to keeping up with technology and fraud. Bitcoin presents a combination of the two that currently leaves consumers and financial institutions willing to trade in it without recourse in the risky world of virtual currency. For now, investors in the burgeoning digital money world should use caution given the lack of regulation and law enforcement.

    back to top

    CFPB’s Expanding Portfolio: ACH Network and Credit Card Reward Programs

    Now that the Consumer Financial Protection Bureau has finalized most home loan regulations and otherwise has completed initial rulemakings under the Dodd-Frank Act, the agency is casting about for additional areas to regulate, as shown by recent pronouncements regarding the automated clearinghouse network and credit card reward programs.

    In a speech to The Clearing House Association, CFPB Director Richard Cordray said the electronic payment system hasn’t kept pace with technology and needs to be modernized. “We are all aware of consumers who find unexpected debits on their bank statements, or are victimized by third parties who may take inappropriate advantage of the efficiency and trust on which these systems are built,” he said. “We all know that consumers do not fully understand how these systems work, which leaves them vulnerable to abuses.”

    The first step in the process: gather information. Cordray said the CFPB will reach out to the industry for input and would also like to improve the agency’s understanding of computer analytics to look for potential payment trends to identify “outliers” that could be recurring sources for irregular or failed claims for payment.

    “Working together, we would be better able to identify and enforce the law against illegitimate firms that are otherwise able to reduce their own costs by hitching a free ride on the payments system,” Cordray said. Increased comprehension by the agency would also place it “in a better position to consider changes in law or practice that may be needed,” he added.

    In his remarks, Cordray also acknowledged a recent proposal by NACHA – The Electronic Payments Association, the organization that establishes the rules for the ACH network. NACHA proposed changes including reducing the level of permissible unauthorized debit entries from 1 percent to 0.5 percent, setting the return threshold for all causes at 15 percent, and creating new requirements for reinitiated debit entries.

    Another newly announced area of focus for the Bureau: credit card reward programs, specifically the sufficiency of program disclosures and whether additional consumer protections are required.

    In an e-mail to Bloomberg news, Cordray said the CFPB “will be reviewing whether rewards disclosures are being made in a clear and transparent manner, and we will consider whether additional protections are needed,” adding that consumers often face “detailed and confusing rules” about how to use their rewards.

    According to Bloomberg, the agency’s interest was piqued not by consumer complaints but concern that the rewards offered by a given card are the primary motivation behind a consumer’s decision to obtain it.

    The story tracks a report issued by the CFPB in October in which the Bureau specifically referenced credit card rewards programs as an “area of concern” that “may pose risk to consumers and that will warrant further scrutiny by the Bureau.”

    Program terms such as the value of reward points and forfeiture and redemption rules may be too confusing for consumers, the report noted, and better disclosures may be warranted for topics such as how rewards are earned and the formula for calculating rewards.

    Why it matters: The CFPB has grown over a short period of time to become a large, well-funded federal agency with a singular focus on consumer financial protection. As it completes issuance of regulations mandated by the Dodd-Frank Act, the agency will not rest, and will look for other financial services provided to consumers that the agency believes are in need of further regulation. Its pronouncement regarding the ACH network and credit card rewards programs provides two examples of this expansive view of the CFPB’s authority. Accordingly, all participants in consumer financial services, including merchants using such services, such as receiving payments from consumers through the ACH network, and card issuers offering rewards programs, should pay close attention to CFPB pronouncements, and should consider submitting comments on proposed regulations.

    back to top

    The OCC and Third-Party Relationships

    Third-party relationships between banks and other entities – such as payment processors, affiliates, consultants, security providers, and joint ventures, among others – are the subject of recent guidance issued by the Office of the Comptroller of the Currency.

    As banks “continue to increase the number and complexity of relationships with both foreign and domestic third parties,” the OCC expressed concern that “the quality of risk management over third-party relationships may not be keeping pace with the level of risk and complexity of these relationships.”

    With this in mind, the agency released bulletin 2013-29, updating its advice to banks with a “life cycle” approach, setting forth the necessary risk management during each stage of a relationship with a third party, from planning and due diligence to ongoing monitoring to termination. Given the variety and range of potential relationships – with some more risky than others – the bulletin recommended that financial institutions take a risk-based approach, depending upon the relationship at issue. Certain “critical activities” (such as significant bank functions) that pose greater risks would therefore be subject to heightened standards, such as board approval of the relationship and involvement in the negotiation and monitoring.

    Management of risk begins at the inception of a third-party relationship, the OCC said, with planning. Even before the relationship commences, senior management should assess the risks and complexity of the activity at issue, conduct a cost-benefit analysis of the relationship, and assess the potential impact on employees, customers, and strategic initiatives. For example, the financial institution’s plan should evaluate the laws and regulations that might apply to the outsourced activities (e.g., the Bank Secrecy Act) and the necessary compliance. A contingency plan for an alternative third party should also be included.

    The next steps in the life cycle are due diligence and selection of the third party. The bulletin noted that banks should not rely on prior experience or knowledge of the third party in lieu of an “objective, in-depth assessment of the third party’s ability to perform the activity in compliance with all applicable laws and regulations and in a safe and sound manner.”

    Specifically, due diligence – which should be commensurate with the level of risk and complexity presented by the relationship – should consider the third party’s overall business strategy and goals to ensure alignment with the bank’s interests, evaluate the entity’s legal and regulatory compliance, assess the financial condition of the third party (including growth, earnings, pending litigation, and audited financial statements), and review the third party’s business experience and reputation, including reference checks with external organizations and agencies as well as the company’s website and marketing materials.

    Other considerations include the third party’s fee structure and incentives, the qualifications, backgrounds, and reputations of company principals, insurance coverage (as incident-reporting and management programs) and overall risk management. Senior management should review the due diligence to make a decision about whether to proceed with the third-party relationship.

    Once the decision has been made to move forward with a third party, the bank enters the third stage: contract negotiation. The bulletin advises financial institutions that the document should clearly specify “the rights and responsibilities of each party,” with board approval for relationships involving critical activities. Topics to be addressed in the contract include a defined nature and scope of the arrangement between the parties (including ancillary services such as technology support and maintenance or employee training, the OCC noted) and performance measures or benchmarks, although care should be used so as not to incentivize undesirable performance (e.g., encouraging process volume or speed without ensuring accuracy).

    The bulletin set forth a list of responsibilities for providing, receiving, and retaining information that should be enumerated in the contract, suggesting that the parties specify the frequency and type of reports as well as details about the thresholds for notification before making significant changes to the contracted activities or notice of financial difficulty or catastrophic events.

    Contracts should also delineate issues such as OCC supervision, the right to audit and require remediation, and compliance with applicable laws and regulations (e.g., the Gramm-Leach-Bliley Act), ensuring that the bank has the power to conduct compliance reviews of the third party.

    The next phase of the relationship is ongoing monitoring. This requires dedicated staff to oversee the third party in line with the level of risk and complexity of the relationship. Regular on-site visits may be useful, the OCC suggested, as well as performance reports, audit reports, and control testing. Because relationships change over time, the bank should be prepared to respond to changes with the third party (e.g., shifts in financial condition or a revised business strategy).

    The final phase of the life cycle is termination of the relationship. Efficiency is key when terminating the relationship, the OCC said, and in the event of a contract default, the bank should have a plan in place covering the necessary capabilities, resources, and time frame to transition the activity, how to handle joint intellectual property that may have been developed during the course of the relationship, and any reputational risks to the bank if the termination involves the third party’s inability to meet expectations.

    The bulletin also offered guidance on oversight and accountability, and a breaking down of responsibilities, from the board of directors to senior management to employees. The need for documentation and reporting, periodic independent reviews, as well as supervisory reviews were also noted by the agency.

    “A bank’s failure to have an effective third-party risk management process that is commensurate with the level of risk, complexity of third-party relationships, and organization structure of the bank may be an unsafe and unsound banking practice,” the OCC emphasized.

    To read OCC 2013-29, click here.

    Why it matters: With two bulletins addressing the oversight of third-party relationships in recent months (in addition to 2013-29, the OCC released 2013-33 on the use of independent consultants for enforcement actions), financial institutions are on notice that the agency is keeping a close eye on risk management relating to third parties. Both bulletins note that the failure to adopt the OCC’s recommendations could result in enforcement actions or a downgrade in rating. As the agency cautioned in 2013-29, “[a] bank’s use of third parties does not diminish the responsibility of its board of directors and senior management to ensure that the activity is performed in a safe and sound manner and in compliance with applicable laws.” In light of this focus, financial institutions should review their policies and procedures with regard to management and oversight of third-party relationships.

    back to top