The FDIC recently issued guidance to regulated financial institutions emphasizing the importance of an effective internal corporate Code of Conduct or Ethics Policy to the promotion of fair and ethical actions that are a fundamental basis to good business practices. In FIL-105-2005, released on October 21, 2005, “Corporate Codes of Conduct – Guidance on Implementing An Effective Ethics Program,” the FDIC has taken the opportunity to expressly remind Boards of Directors/Trustees of the importance of written standards to promote honest and ethical conduct, and compliance with applicable laws and regulations, by all individuals involved with an institution.
The nature of banks as regulated institutions imposes special obligations upon a bank, its directors, officers and employees to respect and protect the rights and assets of others, whether customers, shareholders, other employees or affected companies. The FDIC is looking directly to the respective Boards of Directors/Trustees to establish, communicate and monitor the policies and standards of conduct within the institution that encourage integrity and the ethical values that foster acceptable business practices, and prohibit conflicts of interest and other violations of law.
The FDIC’s guidance provides a “checklist” of issues that should be addressed in such a corporate Code of Conduct or Ethics Policy in order to provide clear guidelines to affected persons on acceptable and unacceptable business practices. The guidance recommends that such a policy apply to (and be acknowledged in writing by) the entire organization, including subsidiaries, and all employees, officers, directors and agents (banks should consider having outside parties acknowledge some or all of their Code depending generally on the relative importance of the agent or consultant’s services to the institution and whether the third party is covered by a professional code or standard that prescribes ethical conduct). Training and compliance monitoring should be integral parts of the Code or Policy. Violators should be subject to specific and appropriate actions to deter wrongdoing, compel accountability, and promote adherence to the Code or Policy.
The FDIC’s guidance includes by reference many other pre-existing laws, regulations, FDIC Statements of Policy, and other guidance. Codes of Conduct may take the form of separate statements of ethical principles or standards of behavior for affected persons, supplemented with attachments or by cross-references to relevant policies or procedures designed to help individuals make ethical business decisions in a specific situation. Every bank should review all of the elements contained in this guidance and compare them to its existing Code of Conduct or Ethics Policy to ensure that all elements are appropriately addressed.
The FDIC’s guidance provides that a Code of Conduct or Ethics Policy should address the following areas:
Safeguarding Confidential Information – In accordance with the Gramm-Leach-Bliley Act of 1999, financial institutions are required to have administrative, technical and physical safeguards to protect sensitive customer information. All affected persons must comply with the established procedures to safeguard the confidential information of others.
Ensuring the Integrity of Records – Internal accounting information and customer records must be accurate and maintained with reliability and integrity. Transactions must be reflected in an accurate and timely manner.
Providing Strong Internal Controls over Assets – All affected persons must comply with the internal control procedures established by the institution for the safeguarding of assets and proper reporting and disclosure of financial information.
Providing Candor in Dealing with Auditors, Examiners, and Legal Counsel – All officers, directors and employees should be required to respond honestly and candidly when dealing with internal auditors, independent auditors, regulators and attorneys.
Avoiding Self-Dealings and Acceptance of Gifts or Favors – Financial institutions should adopt guidelines that include the provisions of the Federal Bank Bribery Law, and among other things, prohibit self-dealing and conflicts of interest among directors, officers, employees, customers and suppliers to the financial institution. See FDIC Statement of Policy, “Guidelines for Compliance with the Federal Bank Bribery Law.”
Observing Applicable Laws – Financial institutions work in a highly regulated environment. The Board of Directors/Trustees should ensure that bank management and relevant employees are aware of all applicable laws and regulations. Compliance by the Board and executive officers with the applicable rules governing management in the operation of the financial institution sets a prime example for the conduct and behavior of all employees. This section of the Code of Conduct might address, among other laws or regulations, the following:
Implementing Appropriate Background Checks – Financial institutions are encouraged to develop a risk-based approach in determining when pre-employment background screening is appropriate and the level of screening or review based upon the position and responsibilities of the subject employee. Institutions should also address the use of prescreening by subcontractors. See FIL-46-2005, “Guidance on Developing an Effective Pre-Employment Background Screening Process.”
Involving Internal Auditor in Monitoring Corporate Code of Conduct or Ethics Policy – The financial institution should create an effective audit program to monitor the operation of internal controls against self-dealing, conflicts of interest and other violations of the Code of Conduct, identify weaknesses, and ensure corrective action is taken.
Providing a Mechanism to Report Questionable Activity – The FDIC suggests that a financial institution consider establishing a hotline or other avenues to allow employees, suppliers, third party service providers and customers to report questionable activity to the financial institution or instances where the Code is not being followed, and to have their concerns addressed in a confidential manner. See FIL-80-2005, “Guidance on Implementing a Fraud Hotline.”
Clear Penalties for a Breach of the Code of Conduct or Ethics Policy – The Code of Conduct should contain specific and appropriate consequences that would serve to deter wrongdoing and unacceptable business practices, and promote accountability amongst employees and others to the Code.
Providing Periodic Training and Acknowledgment of Policy – The Code should contain internal requirements for training of staff, the allocation of internal resources to this area, and for the acknowledgment of the Code or Policy by all affected persons. Management should take the opportunity on at least an annual basis to communicate the importance of the Code of Conduct to staff and management’s clear expectations of acceptable business behavior by all employees.
Periodically Updating Policies to Reflect New Business Activities – The Code of Conduct should contain internal provisions for periodic review to determine its ongoing viability and applicability; provisions should also be made for the addition of new sections of the Code when circumstances arise, and the re-acknowledgment of the Code following any material revision.
The guidance set forth by the FDIC in FIL-105-2005 provides a competent, relevant source of best practices – base guidelines to assist national banks regulated by the Comptroller of the Currency, and savings associations regulated by the Office of Thrift Supervision, in developing their own respective Code of Conduct or Ethics Policy. National banks should refer generally to the following additional resource: “Comptroller’s Handbook – Insider Activities.” Savings Associations should refer generally to the following additional resource: “Directors Responsibilities – Guide,” issued October 1999 by the Office of Thrift Supervision.
Every bank should review its Code of Conduct or Ethics Policy to ensure that the Code addresses the material elements set forth in the FDIC’s guidance AND that the bank’s implementing procedures (including training, monitoring, testing, reporting, etc.) are structured to best ensure compliance. Fair and ethical practices by all individuals involved within the banking institution are a fundamental basis to support the bank’s mission and its business operations.