I am very pleased to have this opportunity to speak to
you today about the new rules of corporate governance. I come at this
subject from four perspectives - that of a former regulator, a lawyer,
a banker and an up-close observer of Washington. And let me tell you,
being a banker was the most challenging of them all.
Joke.
I'm sure your legal counsel has already told you that
the Sarbanes-Oxley Act changes the ground rules for publicly traded financial
institutions every bit as much as FIRREA and FDICIA did in 1989 and 1991.
The formalization of rules of corporate governance represents a permanent
paradigm shift, and exposes corporations, and their managers and directors
to substantial new financial and criminal liabilities. There are ways
to cope with this new reality, of course, and I'll offer some thoughts
on that subject.
Global Wall Street Settlement
But first, I want to take a few minutes to touch on a
significant issue of corporate governance that was in the news last week:
the SEC's global Wall Street settlement. There's been a lot of commentary
on whether the $875 million in penalties and disgorgement is sufficient
restitution to fit the crimes. My take is that in the long run what matters
is whether individual investors think the settlement is sufficient to
discourage self-dealing in the future. And no one will know the answer
to that for some time to come.
Institutional and other professional investors will invest
in securities no matter what. That's what they do. But really robust markets
like we had in the 90s require participation from individuals. If their
confidence is restored, the settlement will have been sufficient. If not,
in one way or another, everyone in the financial services business will
pay a price.
The settlement also raises other key issues, which are
under the surface right now, that will play out in the future - the outcome
of which has the potential to reshape the financial services industry.
At the top of the list of course is private action. Everyone
involved in the settlement knows the penalties the firms have agreed to
pay are just the tip of the iceberg. Suits by investors will cost the
investment firms dearly in terms of money, senior management time, and
continued damage to the firm's reputation.
In addition, state attorneys general and plaintiffs' attorneys
see that the securities litigation area is a good one in which to build
a reputation and career. They will be primed and ready to take on future
misdeeds - both real and imagined.
Second, a key underpinning of the settlement is the notion
that separating functions - in this case research and investment banking
-- will prevent customers from being harmed by corporate conflicts of
interest. This argument is, of course, precisely the same one made by
those of us who supported Glass-Steagall reform. However, if policymakers
begin to conclude that firewalls are ineffective or that they can only
be made effective through onerous regulation, many of the efficiencies
to be gained from combining banking, securities, and insurance in one
firm will be lost.
Third, the requirement that firms publish data on the
actual performance of their analysts is consistent with a growing trend
for regulators to insist on more transparency and disclosure. Expect more
of this in other areas.
Fourth, the congressional hearings on the settlement will
inevitably extract more commitments from regulators to prove they are
tough and make them wary of agreeing to future settlements that could
have the appearance of being soft on the industry.
Fifth, more formal regulation tends to favor big firms.
That's because they are more able to bear the costs. And if more independence
of research means that investment banks will compete less on the basis
of research, this could also favor the large firms because they have the
advantage of big distribution networks. Ironically, we might well see
more concentration of power on Wall Street as the result of this settlement.
Examples of changes brought by Sarbanes-Oxley
Let me give you a few examples of just how much the ground
rules for corporate governance are changing. It's critical to view Sarbanes-Oxley
within the full context of all the other corporate governance, auditing
and accounting, insider trading, and financial disclosure requirements
established by the Congress, the bank and securities regulators, the states,
the stock exchanges, and the courts. Fundamentally, boards of directors
have always had ultimate responsibility for ensuring firms are run in
a way that serves the best interests of the firm and its shareholders.
Now, the board must make sure the firm's legal compliance is state of
the art.
The board must be independent. Under proposed NYSE rules,
the majority of the board members cannot have any other material relationship
with the company, unless the corporation is majority owned by a parent
firm.
Every member of the audit committee must be independent.
At least one member of the board audit committee needs to be a financial
expert, and the FDIC requires that large banks have two committee members
with banking or financial management expertise. In addition, Sarbanes-Oxley
requires that the audit committee be able to engage its own advisors and
have access to its own outside counsel. Firms would be wise to ensure
all members of the audit committee have appropriate credentials that will
pass public scrutiny.
To illustrate just how prescriptive requirements have
become, NYSE listed firms -- and I think eventually all publicly traded
firms - must have board committees for compensation and for nominating/governance.
Sarbanes-Oxley requires firms to reveal whether they have a code of ethics
covering the chief financial officer and that audit committees establish
procedures for receiving complaints and tips from whistleblowers. The
practical effect of these provisions is to increase the level of professional
responsibility for directors and top executives. It's a good idea to consider
establishing a Chief Ethics Officer.
As a practical matter, all the new requirements add up
to making board membership a serious commitment of time and attention.
Holding board meetings in the morning and leaving after a nice lunch won't
cut it any longer.
More complete and accurate disclosure will be necessary.
For instance, the SEC will adopt rules forcing disclosure of material
off-balance sheet transactions and rules ensuring that pro forma financial
information included in reports to the SEC or company press releases is
not misleading.
Management must formally certify key financial reports
and statements of compliance. The new "fairly presents" standard
covering financial information is broader than the GAAP requirements.
In essence, management is declaring that this information provides investors
with an accurate and a materially complete picture of the firm's financial
condition. And key managers who report to those who sign the certifications
will be on the hook too. Some offenses are subject to significant criminal
penalties.
The SEC is required to review every company's filings at
least once every three years. And bank regulators are already required to
examine banks at least every 18 months. Of course, all certifications
will be "Exhibit A" in regulatory reviews and in civil lawsuits
when things go wrong.
I see many of you listening to me have had all the fun
you can stand. I can assure you that I've not touched on everything or
necessarily on those requirements that will have the greatest impact on
your institution.
Every banker knows that economic stress and political
vicissitudes cause the regulatory pendulum to swing, and it usually swings
back again. But, this time, the Congress permanently changed the rules.
In many ways, these changes approach the scale of what
happened after the 1929 market crash, the 1987 market crash, and the savings
and loan crisis. So, while the pendulum will continue to swing over time
as it always does, it will do so from a different base.
So how is the SEC likely to behave post-Enron and WorldCom?
Are bank regulators going to get tougher? Will Basel II be adopted? Let
me tackle these questions one at a time.
How is the SEC likely to behave post-Enron?
The proud SEC has had a rough time. Typically, when an
agency goes through the trauma that the SEC has just gone through, the
career staff is angry and emboldened. They revert to bright lines and
going "by the book" and then some. And that is what is happening
at the SEC. In short, we see a tougher, more aggressive SEC. The staff
further believe Congress wants that and expects that of them.
Also, SEC actions are likely to be idiosyncratic. Some
companies will get more and some less attention than they deserve. This
lack of uniformity is a function of an agency that is understaffed, and
of course it is a product of individual regulators, even at the same agency,
seeing things a different way.
In my view the pendulum will continue to swing a bit in
a harsher direction, notwithstanding the arrival of the new chairman.
As I said, the bar has been permanently raised for disclosure, corporate
governance and accounting. My strong advice to everyone in this room is
to take an even more careful look at disclosures, accounting treatments
and board involvement issues than in the past.
Are bank regulators going to get tougher?
The trend at the SEC I have just described is being played
out to a greater or lesser degree at all the federal financial supervisory
agencies. All the agencies have significant concern with respect to subprime
activities and monolines. They are all focused on compliance. And all
the agencies expect banking profits to be lower this year.
In the Federal Reserve System, even though supervision
may vary from Reserve Bank to Reserve Bank, the Fed wants to assert itself
as a committed financial supervisor. I expect that we will see a trend
toward tougher exams and stronger enforcement action at most of the Reserve
Banks.
The OCC also has been toughening up. However, the senior
supervisors in charge are people of character and judgment, and we will
not see a repeat of the overzealous regulators of the late 80s and early 90s.
The OTS is clearly swinging in the direction of much tougher
exams and a sterner tone. Having been at the center of the maelstrom in
the 80s and early 90s, the OTS knows that its survival is tied to its
perception as a serious supervisor. At the same time, this toughness is
tempered by the fact that the OTS is threatened as an agency by any conversions
of the larger thrifts to banks.
At the FDIC we see a similar story, but given the FDIC's
baseline, perhaps there is a bit more moderation. Don Powell is a man
of moderation and judgment. Nonetheless, this is an agency that reflexively
gets tough when the economy sags and we see that today.
Will Basel II be adopted?
Let me turn to Basel II for a minute. Basel II will place
great emphasis on sound risk management. Will it or a near approximation
eventually be adopted? Yes, probably. The question is when and exactly
in what form.
A rift on Basel II has developed between the OCC and the
others, with the OCC now publicly questioning just how workable the proposal
is. And the Committee working on the proposal has lost the good leadership
of former Fed NY President Bill McDonough, who retired from the Fed. Bill
is enormously able, and Basel II has been his project. Some wonder if
the effort will proceed with as much vigor under a new Chairman.
However, there has been a tremendous amount of work put
into Basel II by the U.S. banking agencies; this has created its own momentum.
Domestically, issues like this are easily influenced by Chairman Greenspan,
and Congress is reluctant to get in front of a speeding safety-and-soundness
train.
Here is an area where, if you care enough, bankers can
be influential. The proposal as you know is quite complicated and has
some new and highly controversial aspects, for example, the operational
risk provisions.
Bottom line - Basel II will happen unless bank-pushback
is overwhelming. But regardless of what happens, bankers need to commit
to building sound risk management systems because regulators will expect
that and because other banks will out-compete you if you don't.
So what does all this mean for Alabama bankers?
Because financial services is so strongly influenced by
globalization and technological change, new instruments, new competition,
and new rules -- nothing is more important than keeping up in the safety
and soundness and compliance areas. Not to do so means that sooner or
later the markets will kill you if the regulators don't get to you first.
You don't need me to tell you that it has been a tough couple
of years for the economy in Alabama. It entered the downturn before the
rest of the nation.
But what has been impressive is that despite this, net
income for community banks increased by 15 percent, spurred by a rise
in net interest margin of 24 basis points. I know this didn't just happen
by accident.
This is the time to pay special attention to risk management.
Don't make the mistake I've seen other bankers make and cut costs in this
area. If anything, you must increase vigilance. Noncurrent loan levels
in Alabama are now rising along with the personal bankruptcy rate.
From the work of my company, Promontory Financial Group,
with dozens of banks, we have seen how the lack of visionary leadership,
weak corporate governance, and inadequate systems and controls have gotten
institutions into serious trouble. We've repeatedly seen:
- Failure to take the regulators seriously.
- Failure to have sufficient, well-trained control personnel.
- Lack of accountability.
- Repeated underestimation of risks and how much one
has to check mathematical risk models.
- Taking on new businesses and/or new teams who had run
businesses at other companies and expecting that you can do better than
they did. This is a particularly bad thing where there is a lack of
controls.
Risk Management
To be fair, banks have made significant advances in assessing
risk. Banks generally have gone into this economic downturn with their
balance sheets in better shape than in the past. More sophisticated loan
evaluation, formal risk pricing, and internal capital allocations may
have helped banks avoid the worst excesses that took place during past
periods of economic expansion, although we cannot be certain of that.
We're still in the early days for credit risk and operational
risk measurement modeling. Research shows that people tend to underestimate
catastrophic risks, and overestimate more familiar risks. Many banks that
have suffered huge losses did not think they had significant exposure.
The view of their managers was that "it can't happen here."
Sophisticated quantitative models cannot overcome the
inherent limitations and deficiencies of the information that is fed into
them. Most banks have only experienced high-end routine losses, so their
internal data only contains routine losses. Typically, there are only
limited data covering tail risk because the bank has never experienced
a tail risk event. But that doesn't mean it can't happen. You must plan
for the worst plausible case.
It's critical that there is a well-staffed, central risk
management group at the corporate level that is able to take a comprehensive
view. Bankers need to understand how risks across products and business
lines relate to one another - which risks tend to offset one another and
which risks tend to accentuate exposure. Viewed separately some risks
may seem manageable, but are massive when aggregated across the enterprise.
Product-line or business-line managers simply may not recognize the risks
they create for others in the firm.
The increasing sophistication and range of products and
services invariably demands new risk-management techniques, even in traditional
parts of the banking businesses. A good example is operational risk. These
risks are growing as banks do more outsourcing, the size of individual
transactions increases, operations become more far flung, and markets
become more integrated.
Improving risk management is a modeling challenge, but
it's an even greater cultural challenge. Managers and the board need to
receive regular briefings of the bank's risk posture, and insist on full
disclosure of risks. And they need to be presented with modeling results
and their limitations in a manner they can understand.
Compliance
Now, let me turn to the all-important issue of compliance.
In the clubby old Wall Street of yesteryear, it was clear just how important
reputation was to maintaining franchise value. Over time, that focus seems
to have diminished. But supervisors have been beating the reputation-risk
drum for at least the last decade.
With the emphasis on fees and the pressure to produce
immediate returns, investment bankers have viewed deals through a very
near-sighted lens and tarnished the reputations of their firms in the
process.
Failure to comply with the requirements is likely to end
the careers of managers and ruin them financially. In a highly competitive
financial services business, the survival of companies whose reputations
are damaged by wrongdoing will be in serious doubt.
What should banks do?
Well, it's just like a lawyer and a regulator to take
all the fun out of the day. I understand. When I was Vice Chairman of
Bankers Trust, I had people coming to me all the time with problems. And
I already had plenty of problems. What I wanted was solutions.
I do have four suggestions today for you in dealing
with this new environment.
1. First, having a competent and independent board is
absolutely critical. In addition, it's imperative that there be a board
risk committee whose members have a keen grasp of risk measurement and
risk management. They must receive regular briefings and accurate reports
from the Chief Risk Officer.
Finding qualified board members will not be easy. Under
the new rules, board members are exposing their personal wealth and their
reputations should anything go wrong. Lawyers and accountants, who typically
are part of professional partnerships, are exposing their outside colleagues
to potential liability. Insurance will not fully shield board members
from inadvertent mistakes.
2. Second, each of you should have an outside safety and
soundness audit periodically, just like an annual physical exam. I know
none of us like to eat our spinach when we don't have to. I am the same
way.
Here are some important rules to follow:
- When you smell the first signs of smoke, jump right
on the problem, whatever it is.
- This is not the era in which you want to cut corners
on disclosure.
- Do not go cheap on controls.
- Beware the seemingly easy audit or exam.
- Assess as quickly as possible how changed circumstances,
e.g., interest rate changes, will affect you.
- Even if Basel is beaten back, take operational risk
seriously.
- Never underestimate the power of any of your regulators
to cause trouble.
3. Third, reputation risk issues are here to stay. As
all financial intermediaries get into new businesses and baskets of businesses
they don't understand as well as they think, reputation dangers abound.
4. Fourth, the key challenge for financial institutions
from a safety and soundness as well as commercial perspective will be
just keeping up. New manifestations of risks and new combinations of risks
will appear constantly as markets change.
More specifically, major challenges I see are the following:
- Keeping a highly motivated, stable, well-trained and
risk-averse work force. Too frequently I am seeing shallow and tired
bench strength at some institutions.
- Finding and motivating a chief risk officer who has
the background and ability to take an enterprise-wide view of risk,
and can manage a team of risk professionals and business leaders.
- For larger institutions, understanding new complex
areas of finance with which institutions have to deal is a major challenge.
By this I mean derivatives, and derivative modeling, interest rate risk
modeling, credit portfolio modeling and operational risk modeling. Let's
face it, how many people in senior management really read and understand
their own risk reports, let alone the trading models used by their own
teams?
- Getting sufficient return for the risks taken on what
may even be traditional businesses. Margins are under pressure in many
businesses. On a risk adjusted basis, many CEOs would be shocked at
what they are really earning.
- The difficulties of managing ever larger groups of
people, too many of whom can cause the institution harm for a whole
host of reasons from ineptness to venality.
- For some banks, the difficulties of measuring and managing
cross border risk.
Conclusion
In sum, as you know as well as I, finance is at its heart
about change and risk management. In the end the companies that prosper
will be those that understand this deeply and continually make efforts
to accommodate the changes and stay on top of managing the risks in their
businesses.