Who should 'own' legal risk at a bank?

Al Uluatam, The Daily Record Newswire

Since the 2008 financial crisis, there has been a great deal of debate on how the risk management structure of banks, particularly large banks, can be modified and enhanced to avoid future financial crises.

Financial regulators have issued guidance on the subject, but one area that has not been adequately dealt with is “legal risks” faced by banks and the role of the banks’ legal departments in managing such risks.

I posit that the current prevalent risk control structure — consisting of the so-called three lines of defense (business unit, independent risk management unit and audit), in which the business unit of the bank “owns” all risks generated by such business unit’s activities and the role of the bank’s legal department is undefined — is inappropriate for management of legal risks.

The lines of defense risk control model needs to be reconsidered to empower and hold accountable banks’ legal departments for the ownership and management of legal risks faced by banks.

Banks are not typical for-profit businesses. They are, in essence, recipients of a concession from a community, much like a utility. The concession is banks’ ability to engage in activities that are generally prohibited to others in the community (such as collecting deposits from the public). In return, the community limits the types of activities that a bank may engage in and imposes restrictions on how it conducts its business.

As demonstrated by the financial crisis in 2008, failure of banks has the potential not only to cause losses to creditors (including depositors) and shareholders of the failing banks, but also to cause extensive damage to the economy. It is both the public largess in permitting a bank to engage in banking activities and the potential damage that a mismanaged bank may cause to the community that results in banks being required to be operated in a safe and sound manner.

Banks are held to a higher standard in the conduct of their activities when compared to ordinary businesses. This accounts for the extensive and complex laws and regulations applicable to banks. In addition, many complex banking activities, such as commercial lending, are matters determined by contracts negotiated between banks and their customers. In other words, banks (large banks in particular) operate in a world fraught with legal risk.

There is no universally accepted definition of “legal risk,” but for purposes of this discussion, I suggest that it is the risk of loss to a bank resulting from (i) such bank’s failure to comply with applicable laws and regulations; (ii) litigation involving such bank; and (iii) such bank’s entry into contracts that are unenforceable, do not appropriately reflect the terms of the transactions agreed to by such bank, or do not contain appropriately prudent legal provisions (as distinct from business provisions) to protect the bank’s interests.

Recent thinking on managing risk at banks has favored the idea that all risks associated with a particular business activity should be “owned” by such business unit. For example, if a bank is making commercial loans, it is the businesspersons who are finding the borrowers and putting together the loans who are responsible for the risks generated by such business activity.

This approach is intended to clarify who has ultimate responsibility for managing the risks associated with such business. Although that provides clarity on risk ownership, is it the correct approach with respect to legal risks?

I believe that it is a bank’s legal department, rather than the business unit, that should “own” the legal risks generated by a business activity. It is the bank’s in-house attorneys who, because of their positions as employees of the bank, have a deep understanding of the business activity at issue, and because of their legal training, work experience and compensation arrangements are best positioned to correctly and impartially evaluate the legal risks presented and determine if those risks are within the risk appetite of the bank.

It is ideal when the decision to take on a particular legal risk is made by consensus between the business unit and the bank’s legal department. The vast majority of the time, this is in fact the case and a consensus is reached. However, what happens when such a consensus cannot be established and the business unit wishes to engage in an activity and incur the associated legal risk against the advice of the bank’s legal department?

The answer to that question is relatively straightforward when the proposed act produces extreme legal risk (such as engaging in illegal or unethical activities). In such cases, there should be little disagreement that the in-house legal team should own the legal risk, act as a control function, and veto the bank’s engagement in the proposed activity.

A contrary result whereby the business unit can own the legal risk and engage in extremely legally risky activity, which may be justified by extreme profitability, would be inconsistent with safe and sound banking practices and expectations of the community with respect to the behavior of banks.

Daniel K. Tarullo, a member of the board of governors of the Federal Reserve System, observed that it is important for bank employees to understand that their role is to maximize revenues in a manner not only consistent with the law, but also consistent with the purposes and values that underlie the law. Otherwise, he said, “[i]t may not be too great a leap … to a conscious weighing of the profitability of a particular practice that violates laws or regulations against the penalty that would be assessed for the violation, discounted by the probability of enforcement.”

The answer to the above question is less clear when the legal risks presented have less dire and immediate consequences.

Two simple examples come to mind in the commercial lending context: (a) a loan agreement with extremely weak events of default that will significantly delay the bank’s right to foreclose in case of the borrower’s non-performance, and (b) a borrower refusing to waive its right to a jury trial. Can the business unit decide that it will, contrary to the legal team’s recommendation, agree to incur such legal risks? Is the in-house legal team simply an advisor whose job is done after it has rendered its correct advice, or is the in-house legal team an owner in the management of legal risks of the bank?

I would argue that the bank’s legal team should be an owner and its judgment should be the final word (subject to the CEO’s or the board of directors’ decisions to the contrary) on whether the bank should incur the legal risks. A contrary outcome means the judgment of the in-house legal team with respect to legal risk has been supplanted by the judgment of the business team.

There are several reasons why the legal team’s assessment of legal risk is likely to be superior to that of the business team.

First, the business team is unlikely to be as knowledgeable as the attorneys with respect to the significance of the contract provisions at issue and what is customary and prudent in the relevant marketplace with respect to those provisions.

Second, the business team may underestimate the possibility that the contract provisions may actually result in losses to the bank in the future (i.e., arguments are likely to be made about how financially sound and morally upright the borrower is and how improbable it is that the default provisions or jury trial provisions will ever be a concern). Unfortunately, until one has worked on distressed commercial loans or faced the prospect of a complicated civil trial in front of an unsympathetic jury, one does not fully appreciate the significance of such provisions.

Finally, the business team may be under significant pressure to generate revenue, which may color its assessment of legal risks. Assuming that the legal team’s compensation is not directly tied to the financial performance of the business unit that it is advising, I suspect that the in-house legal team will be a more impartial judge of legal risks than the business unit.

What about the contention that a bank, by design, is in the risk-taking business, and it is the business team, the revenue generators, that should ultimately determine which risks a bank should take?

The business unit’s role is to take on prudent business risks (like what business lines to be in, who are the customers, what products/services to offer, how to effectively price/offer such products/services, etc.). Bankers should not be in the business of taking on legal risks, particularly if the experts on legal risk have recommended against such risks.

A hypothetical in which the roles are reversed and the bank’s legal team makes final business decisions — for example, which business lines should be developed by the bank — is unthinkable. Why is having the business team make the final determination on a legal risk not equally inappropriate? Would the discussion be different if there were an accounting issue (an area where there is often room for judgment) and the bank’s accounting department and the business team disagreed on the accounting treatment of certain activities of the bank? Would the business team have the ability to assume the “accounting risk”? I suspect not. If not, why then treat legal risk differently?

Another argument against the above model may be that giving the in-house legal team the ability to veto a matter (short of illegality or unethical behavior) will result in an inordinate obstacle to getting business done as the attorneys will see unreasonable legal risks in every activity, transaction or imperfect contract.

For any attorney-client relationship to be successful, the attorney has to show good judgment in assessing the level of legal risk with an eye toward the reality that the business unit needs to generate revenue in order to maintain a healthy and successful bank. As such, it will be very important for a legal department to use its veto power wisely and sparingly.

Being in-house counsel at a bank is a special position for an attorney. In-house legal teams should not simply be cheaper versions of external law firms.

Ideally, the in-house legal team should provide unparalleled understanding of the operations of, challenges faced and goals sought to be achieved by the bank; assist the bank in facing its challenges; and facilitate the bank’s achievement of its business goals, while at the same time acting as a significant control function within the bank.

As Thomas C. Baxter Jr., general counsel of the Federal Reserve Bank of New York, observed: “… the lawyer serves as an advisor, but now the lawyer is also a key part of the financial institution’s control infrastructure. If the lawyer does not understand this new function and embrace the expanded role, the lawyer will be ineffective and the control structure of the financial institution will be weakened.” (http://apps.americanbar.org/buslaw/blt/2007-03-04/baxter.shtml)

I fear that the current three lines of defense model of risk management used by banks, which does not empower or hold accountable the in-house legal team for management of legal risk, is an inherently weak legal risk control model.

Shouldn’t the lawyers be the fourth line of defense?


Al Uluatam is vice president and senior counsel at State Street Bank and Trust Company in Boston. He prepared the above article in his personal capacity; the opinions expressed are his own and do not reflect the views of State Street Bank or any of its affiliates.

