New York officials have advised financial institutions in the state to more regularly investigate the “character and fitness” of top executives — before and after they’ve been hired. Elan Parra of Guidepost Solutions explores what this means and why leaders should become comfortable with enhanced scrutiny that may feel downright invasive.
The latest guidance from the New York State Department of Financial Services (DFS), issued earlier this year, is set to impact covered financial institutions beyond their usual annual review of existing compliance programs. Broadly characterized, the department’s industry letter suggests more frequent “character and fitness” inquiries of senior-level personnel and boards of directors, using a “proportional risk-based approach.” Institutions covered by the enhanced reporting guidance include New York-regulated banking organizations and regulated non-depository financial institutions (including insurance companies and digital asset companies), licensed or chartered under the New York Banking Law.
Focused on “regular and rigorous” vetting, the guidance affects senior officers, defined as “every officer who participates or has authority to participate in major policy-making functions.” This includes top talent and key leadership positions at covered institutions. These institutions, subject to DFS oversight, should revisit their current policies and vetting procedures both for designated personnel during onboarding and on a continuing regular basis thereafter.
A list of 20 suggested questions intended to facilitate the initial and ongoing assessment of designated individuals accompanies the new DFS guidance. Examples of the suggested questions include whether an individual has been the subject of any professional disciplinary actions, has been denied a license and/or had a license suspended or revoked, or owes outstanding child support in connection with any unemancipated children. While the measures are not compulsory, DFS has emphasized their importance, and institutions need to understand them thoroughly to consider organizational impact and to ensure compliance.
Transparency
At a time when corporations are carefully considering their approach on the balance between transparency and trust with their workforce, the new guidance will require both. In a recent survey, Deloitte reported that 86% of leaders believe the more transparent an organization is, the greater the workforce will trust that organization. Deloitte focused its reporting on areas of corporate transparency like worker performance, compensation, policymaking and financials.
The study also suggests there is an optimum level of transparency by corporations which will increase the level of trust by their employees. In this instance, although employees at highly regulated financial institutions are already subjected to due diligence, executives, certain managers and board members must have trust in the process (and their compliance departments) because they will now be subject to enhanced due diligence efforts.
And to gain their trust, compliance teams at covered institutions will need to be transparent about exactly what new information will be collected, who will have access to it, how it will be used and how it will be protected.
Expectations set forth in the DFS guidance are focused on an institution’s ability to control and mitigate risks tied to potentially compromised personnel who may threaten the “organization’s safety and soundness at any time during that individual’s service.”
It’s not personal (or is it?)
Although many covered institutions likely have long-standing diligence programs in place, they should not set aside recommended enhancements. It’s time to kick the tires and re-evaluate who, when and how often diligence is performed. Updated reporting should occur more frequently — at least annually. Covered institutions should strive to encourage reporting on a rolling basis for certain management roles or events. The focus moving forward will necessitate more tailored contextualized search criteria, which will inherently require increased disclosures and trust in compliance departments by affected staff.
Factors to consider when tailoring new enhanced due diligence include:
- Institution type
- Individual’s level of policy-making and decision-making authority
- Type of transactions or events that reasonably can be identified as entry points for compromised activities
For example, absent suspicion or allegations of nefarious acts by a manager, pending litigation involving an immediate family member may not usually be of concern or included in a due diligence review. For a director or board member, however, pending litigation involving close family members has a higher probability of revealing potential conflicts that may affect the business and the board member’s fiduciary obligations, such as when the spouse of a director or board member is engaged in business that is the subject of litigation with an entity that provides a benefit to or receives a benefit from the covered institution. This connection would give rise to further inquiry, a potential conflict or appearance of impropriety and a reasonable basis to expect disclosure.
A director or board member may believe that certain personal matters have little relevance or that information need not be disclosed because of the personal nature of the information. But these are the very issues that covered institutions must better understand to ensure cooperative compliance.
This includes already reportable events, such as being the subject of disciplinary proceedings, litigation, investigation or sanctions, among other things. But it also may include business transactions or life events that one may not realize are relevant. Depending on the nature of business the covered entity is engaged in, examples of more invasive due diligence questions may include buying into a closely held venture, receiving a bequest from a deceased non-family member or volunteering/donating to certain charities.
Striking a balance
Instinctively, there is an aversion to reporting negative events or more sensitive matters that could potentially impact an individual’s reputation. Beyond simply focusing on ensuring compliance, covered institutions will be best served by considering the human factors involved in implementing an inevitably more intrusive look into the private matters of personnel.
Striking the correct balance will be a challenge. The true question for these institutions is, in an era of heightened regulatory scrutiny and organizational complexities, how to earnestly comply when employees at every level are increasingly reluctant to share personal data. One solution for chief compliance officers and their compliance departments is to consider developing an enhanced reporting rubric collaboratively with those who will be subjected to additional oversight and reporting. This can be accomplished through a board committee.
Alternatively, ensuring a feedback loop between the members of the board and affected directors with the chief compliance officer as new policies are considered will be key. By working side by side with those in managerial and fiduciary roles to review and consider new policies that will meet DFS guidelines, compliance departments will build the required trust to succeed. This approach will encourage participation and provide a forum for concerns to be expressed by impacted staff. It will also give compliance departments a platform to encourage proactive self-reporting on a rolling basis, an ideal state for any covered institution. Ultimately, this may provide an opportunity for compliance departments to improve how they are addressing new DFS guidance and make the task of compliance easier for all involved.
Covered institutions can also focus on building trust with affected staff by communicating how guardrails will help to protect private information. For example, they can review policies and procedures to ensure that the lowest possible number of individuals have access to privately reported information. Another consideration may include segregating reported information from usual business channels by storing the information externally or having a vendor or an outside consultant acquire, store and analyze information reported by impacted personnel. This would demonstrate a commitment by these institutions to protect access to their employees’ sensitive information and help to mitigate privacy concerns.
New DFS guidelines have provided an opportunity for corporate leadership and board members to lead by example, through their own participation in voluntary and meaningful disclosure, thereby promoting a culture of corporate compliance. Key executives at covered institutions can make a strong statement about their culture by joining in the development of new policies and by setting an example through participation. Collaboration between the chief compliance officer and their compliance departments, executives, and board members to develop and implement additional measures recommended by DFS will ideally result in thoughtful participation, improved reporting and a strong message about trust and company culture.