The tradeoff between risk and reward rules all things financial. That’s particularly true in credit union boardrooms, where rewards for directors, in the form of new rules allowing compensation, are rising in lockstep with liability risks. The trend has incited many boards to get more serious about internal fraud, data breaches, increasingly complex regulatory oversight, rapidly changing technology and other serious risks.
“The more consumers become aware of the board’s fiduciary responsibility, the more they can include board members in lawsuits,” Mitchell Stankovic & Associates CEO Susan Mitchell said. “Volunteer boards have a certain perception and are less likely to be named as responsible. However, with the trend to pay volunteers, I believe this could change the dynamics.”
These days, the biggest board vulnerabilities are often structural, according to Mitchell and two other industry pros. Mitigating those vulnerabilities could require some fundamental changes.
“Most credit unions are not doing a good enough job with having a proactive, accountable nominating committee who’s not just going through the motions, but is actually recruiting and searching for the right directors to fill those roles,” Filene Managing Director of Research Ben Rogers said. He will host a board leadership session at the CU Directors conference in August.
“If it’s been a long time since there was a competitive election, that’s probably a red flag. I would also say if it’s been a long time since there’s been a new nominee, that’s a red flag,” he explained. “If you haven’t had new applications, you haven’t had new nominees, you haven’t had a competitive election for a couple of years, then I think that that means that the nominating committee is not doing its job of keeping an evergreen list, of having active conversations with potential directors.”
Rogers also noted that longer-tenured board members who may feel tired or disengaged often remain on boards simply because there’s no one to replace them.
“That’s a very human-service-oriented reaction, but I think it’s a signal that the nominating committee is not taking its job seriously,” he said.
Mitchell said part of the problem is that director candidates should reflect the membership rather than simply be friends of other directors. Credit unions need to be more diligent about avoiding candidates that present conflicts of interest. She said she expects regulators to start scrutinizing relationships among directors more closely.
Sometimes some board members either don’t grasp or forget the serious nature of their legal responsibilities, organizational strategist and Stuart Levine & Associates CEO Stuart Levine said.
“Sometimes they think, ‘Well, gee whiz, I’m just a volunteer.’ That’s not really helpful,” he said.
Providing formal education and training for new directors is a must, Mitchell added. Information about bank secrecy and other core business practices can be done online, but specialized services such as member business lending or student lending should be done in person, she said.
After that, credit unions should lead annual refresher discussions about duty of care, duty of loyalty and ethics policies, Levine added. Those discussions should be led by a third party who doesn’t work for the credit union, he said.
That third party is ideally an attorney who has litigated or defended financial institutions, Rogers added. A person with enterprise risk management expertise could be a good substitute.
“I think just, pedagogically, it’s a lot more fun to learn about that stuff when you’re talking to somebody who’s been there, as opposed to just reading through the documents — because you can glaze over,” he said.
Inadequate IT Knowledge
CU boards that don’t include directors who understand technology and can’t have strategic discussions about deploying capital around technology — particularly with regard to cybersecurity — may have a hard time, Levine said.
“They think it’s some conversation behind the curtain that only the Wizard of Oz knows,” he said. “If you believe in the mission … then you have to understand we have to embrace change and learning. That means understanding products and services that are delivered through technology, because that’s the only way to compete today.”
Another reason to get more IT expertise on the board, Rogers added, is that losses involving technology (such as data breaches) increasingly affect perceptions about directors’ competence.
“Cybersecurity has finally made its way out of IT, so to speak, and into the mainstream consciousness of leaders and officers, so thinking about those new threats is a big one,” he warned.
Old D&O Policies
Cyberliability and data liability issues change so frequently that reviewing the directors and officers liability policy often is just good risk management; but, many credit unions don’t do it, Rogers said.
“I think that is human tendency. You bought a policy, the policy was good when it was written, you just keep paying the premiums and you put it on the back of your agenda,” he noted. “But I would say if you haven’t looked at it in more than two years, you’re definitely doing yourself a disservice. If the new directors are not familiar with it, not only is it a good practice, but it’s probably good training for directors to be looking at it once a year.”
But even with great insurance coverage, the stakes are high.
“Even though most of the credit union boards are populated with volunteers, that doesn’t give you a pass,” Levine said. “You’re dealing with hundreds of millions of dollars of member assets. This is family money. People are counting on you to get it right.”