I am very pleased to have this opportunity to speak to
you today about the new rules of corporate governance. I come at this
subject from four perspectives - that of a former regulator, a lawyer,
a banker and an up-close observer of Washington. And let me tell you,
being a banker was the most challenging of them all.
Joke.
Global Wall Street Settlement
I want to take a few minutes to touch on a significant
issue of corporate governance that has been in the news recently: the
SEC's global Wall Street settlement. There's been a lot of commentary
on whether the $875 million in penalties and disgorgement is sufficient
restitution to fit the crimes. My take is that in the long run what matters
is whether individual investors think the settlement is sufficient to
discourage self-dealing in the future. And no one will know the answer
to that for some time to come.
Institutional and other professional investors will invest
in securities no matter what. That's what they do. But really robust markets
like we had in the 90s require participation from individuals. If their
confidence is restored, the settlement will have been sufficient. If not,
in one way or another, everyone in the financial services business will
pay a price.
The settlement also raises other key issues, which are
under the surface right now, that will play out in the future - the outcome
of which has the potential to reshape the financial services industry.
At the top of the list of course is private action. Everyone
involved in the settlement knows the penalties the firms have agreed to
pay are just the tip of the iceberg. Suits by investors will cost the
investment firms dearly in terms of money, senior management time, and
continued damage to the firm's reputation.
In addition, state attorneys general and plaintiffs' attorneys
see that the securities litigation area is a good one in which to build
a reputation and career. They will be primed and ready to take on future
misdeeds - both real and imagined.
Second, a key underpinning of the settlement is the notion
that separating functions - in this case research and investment banking
- will prevent customers from being harmed by corporate conflicts of
interest. This argument is, of course, precisely the same one made by
those of us who supported Glass-Steagall reform. However, if policymakers
begin to conclude that firewalls are ineffective or that they can only
be made effective through onerous regulation, much of the efficiencies
to be gained from combining banking, securities, and insurance in one
firm will be lost.
Third, the requirement that firms publish data on the
actual performance of their analysts is consistent with a growing trend
for regulators to insist on more transparency and disclosure. Expect more
of this in other areas.
Fourth, the congressional hearings on the settlement will
inevitably extract more commitments from regulators to prove they are
tough and make them wary of agreeing to future settlements that could
have the appearance of being soft on the industry.
Sarbanes-Oxley
Every banker knows that economic stress and political
vicissitudes cause the regulatory pendulum to swing, and it usually swings
back again. But, this time, the Congress permanently changed the rules.
So, while the pendulum will continue to swing over time
as it always does, it will do so from a different base.
I'm sure your legal counsel has already told you that
the Sarbanes-Oxley Act changes the ground rules for publicly traded financial
institutions every bit as much as FIRREA and FDICIA did in 1989 and 1991.
The formalization of rules of corporate governance represents a permanent
paradigm shift, and exposes corporations, and their managers and directors
to substantial new financial and criminal liabilities. There are ways
to cope with this new reality, of course, and I'll offer some thoughts
on that subject.
Let me give you a few examples of just how much the ground
rules for corporate governance are changing. It's critical to view Sarbanes-Oxley
within the full context of all the other corporate governance, auditing
and accounting, insider trading, and financial disclosure requirements
established by the Congress, the bank and securities regulators, the states,
the stock exchanges, and the courts. Fundamentally, boards of directors
have always had ultimate responsibility for ensuring firms are run in
a way that serves the best interests of the firm and its shareholders.
Now, the board must make sure the firm's legal compliance is state of
the art.
These new requirements have greatest application to publicly
traded companies.
1. A majority of directors must be independent, and the
test for "independence" has become more stringent. However,
there is no requirement for a "lead director."
2. Decisions regarding audits, senior management compensation
and director nominations must be made by independent directors. Independent
directors also may hire outside advisors. NYSE rules propose that listed companies
establish compensation and nominating/governance committees.
3. A company's audit committee must consist entirely of
independent directors, and must include at least one "financial expert"
as defined in Sarbanes-Oxley - unless you can disclose and adequately explain
why you don't have a financial expert. No member may receive any fees
from the company other than director fees. FDIC requires at least two
audit committee members (for institutions with assets >$3 billion)
to have "banking or financial management expertise."
4. Auditors are to be selected by, and be accountable
to, the audit committee. Auditors cannot also engage in certain specified
non-audit services for the company.
5. The audit committee must establish procedures for protecting
"whistleblowers" from retaliation and for responding to complaints
regarding audit, accounting and controls. The audit committee is also
permitted to retain outside advisors.
6. Directors and senior management must report stock trades
on a more accelerated schedule, and are prohibited from trading during
pension fund blackouts.
7. Sarbanes-Oxley generally prohibits loans by publicly
traded companies (including financial holding companies) to directors
and executive officers; however, banks and savings associations are largely
exempted from the restrictions on loans to directors. Prior loans are
grandfathered unless materially changed after passage of the Act.
8. Senior officers must certify the company's financial
reports, reporting timetables are shorter, and reporting enhancements
have been mandated.
9. Companies listed on the NYSE will be required to establish
and disclose corporate governance guidelines and ethics codes; Sarbanes-Oxley
also requires a code of ethics for senior financial officers. Ethics codes
also are required under banking regulations.
10. Sarbanes-Oxley creates new criminal offenses and raises
penalties for some existing offenses.
I see many of you listening to me have had all the fun
you can stand. I can assure you that I've not touched on everything.
Other key banking policy issues
There are some other hot policy issues that are causing
the regulatory pendulum to swing in Washington these days. For example,
how is the SEC likely to behave post-Enron and Worldcom? Are bank regulators
going to get tougher? Will Basel II be adopted? Let me tackle these questions
one at a time.
How is the SEC likely to behave post-Enron?
The proud SEC has had a rough time. Typically, when an
agency goes through the trauma that the SEC has just gone through, the
career staff is angry and emboldened. They revert to bright lines and
going "by the book" and then some. And that is what is happening
at the SEC. In short, we see a tougher, more aggressive SEC. The staff
further believe Congress wants that and expects that of them.
Also, SEC actions are likely to be idiosyncratic. Some
companies will get more and some less attention than they deserve. This
lack of uniformity is a function of an agency that is understaffed, and
of course it is a product of individual regulators, even at the same agency,
seeing things a different way.
In my view the pendulum will continue to swing a bit in
a harsher direction, notwithstanding the arrival of the new chairman.
The congressional hearings on the settlement will inevitably extract more
commitments from regulators to prove they are tough and make them wary
of agreeing to future settlements that could have the appearance of being
soft on the industry.
As I said, the bar has been permanently raised for disclosure,
corporate governance and accounting. My strong advice to everyone in this
room is to take an even more careful look at disclosures, accounting treatments
and board involvement issues than in the past.
Are bank regulators going to get tougher?
The trend at the SEC I have just described is being played
out to a greater or lesser degree at all the federal financial supervisory
agencies. All the agencies have significant concern with respect to subprime
activities and monolines. They are all focused on compliance. And all
the agencies expect banking profits to be lower this year.
In the Federal Reserve System, even though supervision
may vary from Reserve Bank to Reserve Bank, the Fed wants to assert itself
as a committed financial supervisor. I expect that we will see a trend
toward tougher exams and stronger enforcement action at most of the Reserve
Banks.
The OCC also has been toughening up. However, the senior
supervisors in charge are people of character and judgment, and we will
not see a repeat of the overzealous regulators of the late 80s and early 90s.
The OTS is clearly swinging in the direction of much tougher
exams and a sterner tone. Having been at the center of the maelstrom in
the 80s and early 90s, the OTS knows that its survival is tied to its
perception as a serious supervisor. At the same time, this toughness is
tempered by the fact that the OTS is threatened as an agency by any conversions
of the larger thrifts to banks.
At the FDIC we see a similar story, but given the FDIC's
baseline, perhaps there is a bit more moderation. Don Powell is a man
of moderation and judgment. Nonetheless, this is an agency that reflexively
gets tough when the economy sags and we see that today.
Will Basel II be adopted?
Let me turn to Basel II for a minute. Basel II will place
great emphasis on sound risk management. Will it or a near approximation
eventually be adopted? Yes, probably. The question is when and exactly
in what form.
A rift on Basel II has developed between the OCC and the
others, with the OCC now publicly questioning just how workable the proposal
is. And the Committee working on the proposal has lost the good leadership
of former Fed NY President Bill McDonough, who retired from the Fed. Bill
is enormously able, and Basel II has been his project. Some wonder if
the effort will proceed with as much vigor under a new Chairman.
However, there has been a tremendous amount of work put
into Basel II by the U.S. banking agencies; this has created its own momentum.
Domestically, issues like this are easily influenced by Chairman Greenspan,
and Congress is reluctant to get in front of a speeding safety-and-soundness
train.
Here is an area where, if you care enough, bankers can
be influential. The proposal as you know is quite complicated and has
some new and highly controversial aspects, for example, the operational
risk provisions.
Bottom line - Basel II will happen unless bank-pushback
is overwhelming. But regardless of what happens, bankers need to commit
to building sound risk management systems because regulators will expect
that and because other banks will out-compete you if you don't.
So what does all this mean for Maryland bankers?
Right now, nothing is more important than keeping up in
the safety and soundness and compliance areas.
Maryland banks have been gradually moving out the risk
curve. The FDIC reports that as of September 2002, more than 40 percent
of Maryland institutions had concentrations of higher risk loans above
300 percent of capital. That's up from 31 percent four years ago. At the
same time, at yearend 2002, ROE was only 68 percent of the national average.
So it's not clear how well rewarded Maryland banks are for the risks they
are taking.
After many years of vigorous growth in employment, Maryland
has steadily declined in this area since mid-2000. Job growth now is hovering
around the level of the rest of the nation. But, importantly, increased
federal defense spending should provide a strong boost for the Washington,
D.C. region generally.
What has really benefited Maryland banks is the low interest
rate environment, which has kept interest expense very low. It's what
allows Maryland banks to have a net interest margin that is above the
national average by 17 basis points. And it's critical that you attract
additional, stable, low interest rate funds now.
From the work of my company, Promontory Financial Group,
with dozens of banks, we have seen some of the common problems that have
gotten institutions into serious trouble. These are: a lack of visionary
leadership, weak corporate governance, and inadequate systems and controls.
We've repeatedly seen:
- Failure to take the regulators seriously.
- Failure to have sufficient, well-trained control personnel.
- Lack of accountability.
- Repeated underestimation of risks and how much one
has to check mathematical risk models.
- Taking on new businesses and/or new teams who had run
businesses at other companies and expecting that you can do better than
they did. This is a particularly bad thing where there is a lack of
controls.
Risk Management
To be fair, banks have made significant advances in assessing
risk. Banks generally have gone into this economic downturn with their
balance sheets in better shape than in the past. More sophisticated loan
evaluation, formal risk pricing, and internal capital allocations may
have helped banks avoid the worst excesses that took place during past
periods of economic expansion, although we cannot be certain of that.
We're still in the early days for credit risk and operational
risk measurement modeling. Research shows that people tend to underestimate
catastrophic risks, and overestimate more familiar risks. Many banks that
have suffered huge losses did not think they had significant exposure.
The view of their managers was that "it can't happen here."
Sophisticated quantitative models cannot overcome the
inherent limitations and deficiencies of the information that is fed into
them. Most banks have only experienced high-end routine losses, so their
internal data only contains routine losses. Typically, there are only
limited data covering tail risk because the bank has never experienced
a tail risk event. But that doesn't mean it can't happen. You must plan
for the worst plausible case.
It's critical that there is a well-staffed, central risk
management group at the corporate level that is able to take a comprehensive
view. Bankers need to understand how risks across products and business
lines relate to one another - which risks tend to offset one another and
which risks tend to accentuate exposure. Viewed separately some risks
may seem manageable, but are massive when aggregated across the enterprise.
Product-line or business-line managers simply may not recognize the risks
they create for others in the firm.
The increasing sophistication and range of products and
services invariably demands new risk-management techniques, even in traditional
parts of the banking businesses. A good example is operational risk. These
risks are growing as banks do more outsourcing, the size of individual
transactions increases, operations become more far flung, and markets
become more integrated.
Improving risk management is a modeling challenge, but
it's an even greater cultural challenge. Managers and the board need to
receive regular briefings of the bank's risk posture, and insist on full
disclosure of risks. And they need to be presented with modeling results
and their limitations in a manner they can understand.
What should banks do?
Well, it's just like a lawyer and a regulator to take
all the fun out of the day. I understand. When I was Vice Chairman of
Bankers Trust, I had people coming to me all the time with problems. And
I already had plenty of problems. What I wanted was solutions.
I do have three suggestions today for you in dealing
with this new environment.
1. First, having a competent and independent board is
absolutely critical. In addition, it's imperative that there be a board
risk committee whose members have a keen grasp of risk measurement and
risk management. They must receive regular briefings and accurate reports
from the Chief Risk Officer.
Finding qualified board members will not be easy. Under
the new rules, board members are exposing their personal wealth and their
reputations should anything go wrong. Lawyers and accountants, who typically
are part of professional partnerships, are exposing their outside colleagues
to potential liability. Insurance will not fully shield board members
from inadvertent mistakes.
2. Second, each of you should have an outside safety and
soundness audit periodically, just like an annual physical exam. I know
none of us like to eat our spinach when we don't have to. I am the same
way.
Here are some important rules to follow:
- When you smell the first signs of smoke, jump right
on the problem, whatever it is.
- This is not the era in which you want to cut corners
on disclosure.
- Do not go cheap on controls.
- Beware the seemingly easy audit or exam.
- Assess as quickly as possible how changed circumstances,
e.g., interest rate changes, will affect you.
- Even if Basel is beaten back, take operational risk
seriously.
- Never underestimate the power of any of your regulators
to cause trouble.
3. Third, reputation risk issues are here to stay. As
all financial intermediaries get into new businesses and baskets of businesses
they don't understand as well as they think, reputation dangers abound.
Conclusion
In sum, as you know as well as I, finance is at its heart
about change and risk management. In the end the companies that prosper
will be those that understand this deeply and continually make efforts
to accommodate the changes and stay on top of managing the risks in their
businesses.