The Rise of Risk Management in Financial Institutions and a Potential Unintended Consequence – The Diminution of the Legal Function

By: Thomas C. Baxter, Jr.

I. Introduction[1]

After the global financial crisis, a highly respected group of financial supervisors from the industrialized world convened to consider what might have caused the worst financial crisis experienced since the Great Depression.  This group – aptly named the “Senior Supervisors Group” – concluded that a material contributing cause was what they characterized as a “colossal failure of risk management.”[2]  The Senior Supervisors Group was not alone.  Many other bodies have taken up the same topic and reached a similar conclusion.[3]

In the 10 years since the global financial crisis ended, the financial community has responded to the identified causes of the financial crisis, adopting lessons learned and significantly reforming the financial system.  This work has resulted in a financial system with individual institutions that are demonstrably safer and sounder than before, and a much more resilient banking system overall.  In contrast to what existed on the eve of the crisis – early 2007 – today’s financial system has considerably higher capital and liquidity, as government officials and other commentators have observed.  In addition, and perhaps even more importantly if we accept the conclusion of the Senior Supervisors Group, there has been a revolution in the discipline of risk management and in the “build-out” of processes and procedures for identifying, measuring, monitoring, and controlling risk.  In the United States, for example, one may point to the Dodd-Frank Wall Street Reform and Consumer Protection Act, which President Obama signed into law on July 21, 2010 (the “Dodd-Frank Act”).  The Dodd-Frank Act introduced a variety of requirements for risk management, including a series of “enhanced prudential standards,” as well as governance requirements directed at risk management, like the requirement for a risk committee of the board of directors.

In implementing these and other measures, financial institutions in the United States have overhauled their risk management functions from top to bottom.  Now, after implementation of the Dodd-Frank Act, a financial institution will commonly have a risk committee at the board of directors’ level, a chief risk officer who is a powerful member of senior management, and a risk function populated by experienced risk professionals with expertise in credit, operational, interest-rate, market, compliance, and other types of risk.  The risk professionals will carry out their risk activities in a “three lines of defense” framework, where they will inhabit the so-called “second line.”  This is the line of defense that is empowered to challenge the decisions of the front-line business units, namely those units engaged in generating revenue or those who support the revenue generators.[4]  Perhaps most importantly, the risk professionals now have status and power, so their challenges can no longer be ignored by the front-line units.

In my view, all of this change is very positive.  Like higher capital and more liquidity, the changes in risk management have transformed the post-Dodd-Frank financial institution, and the financial industry.  But in reflecting on any change, particularly one of such scale and size, it is also important to contemplate whether the change has brought with it other, unintended consequences.  This article will discuss whether the rise of the risk management function has had one very specific unintended consequence – the diminution of the legal function.  To place such an important question in a proper context, this article will focus on the potential inverse relationship – it is not only that the legal function has declined in importance, but it is also that the decline has come as the direct result of the rise in risk.

II. The Importance of the Legal Function

Before turning to analyze whether the rise of risk has resulted in a fall of legal, it is useful to take up two preliminary matters.  The first preliminary matter relates to whether any decline in the importance of the legal function might be attributable to something other than the ascendancy of risk – say a decline in the importance of what lawyers do for financial institutions.  If the importance of the work itself has diminished, then the rise of risk might be correlated to the decline of legal but not causative of legal’s decline.  Second, the ascendancy of risk needs to be viewed in a historical perspective.  Risk may be getting so much attention nowadays simply because it is new and not because it is noteworthy.

We begin with the question of whether any potential decline in the legal function is attributable to a decline in the importance of what banking lawyers do.  I do not find any evidence supporting the proposition that the work itself has become less consequential.  Now, as before, legal issues touch every facet of the activities of a financial institution.  While it is true that some legal subjects are less important than before, other legal subjects have taken their place.  For example, when I started my banking law career nearly 40 years ago, the law relating to the collection of checks was a significant subject for banking lawyers.  It is not any longer.  But other areas of substantive law have taken its place, like the law related to privacy and cybersecurity.  These substantive areas are at least as complex as check law, and perhaps much more so. 

The output of the legal function is also just as impactful as it was in earlier times.  A persuasive case can be made that the work of lawyers in a financial institution is even more impactful than before, given the measurable enforcement consequences of a violation of law.  The stakes, at least with respect to penalties, are higher now than they have ever been.[5]  In addition, a material violation will also ordinarily be accompanied by significant reputational damage.

Another topic deserving a brief preliminary discussion relates not to the importance of legal but to the “newness” of risk.  There is a significant difference in longevity between risk, on the one hand, and the legal function, on the other.  The legal function has enjoyed a much longer life in financial institutions than has the risk management function.  Consequently, what is perceived as ascendancy may simply be the attention that something “new” can attract.  If you are in a family that has two cars, you can see this effect in the attention that the new car gets over the old car.  The new car looks different, probably has better technology, and will stimulate olfactory senses with that magical “new car smell.”  The risk function may be like that new car; it is not overtaking the legal function in importance, it is only the latest and the shiniest new object.

If you were to examine the financial institution of 20 years ago, you might not find any risk management function whatsoever.  And, if you did find a risk management function, it would likely be much smaller in size, and with rudimentary capabilities.  Most such functions had little in the way of power and even less in terms of sophistication.  If someone from that period were to be magically transported from then to now, he or she would not recognize today’s risk management function.  The financial institution risk management function of today, unlike 20 years ago, is both new and “cutting edge.”

How did such consequential change occur in such a short period of time?  From my vantage point, the financial crisis changed the playing field for risk management.  It highlighted in vivid detail a clear and present need for financial institutions to manage risk better.  And the law reform that turned into the Dodd-Frank Act also transformed risk management into a legal requirement.  That said, this author has the sense that financial institutions were ready, independently of the Dodd-Frank Act, to make real change in the way risk would be managed.  In bank board rooms across the country, there seemed to be a generalized agreement with what the Senior Supervisors Group concluded – we experienced a colossal failure in managing risk and everyone was resolved not to permit it to happen again.

In comparison to the risk management function, which is now in its youth, the legal function is in a very mature state.  Legal functions in financial institutions have been present since they were first chartered.  For example, the Federal Reserve Bank of New York obtained a charter from the Comptroller of the Currency in 1913, and had internal counsel when it opened for business.  The risk function at the Federal Reserve Bank of New York did not arrive until 2008, ninety-five years later.  I use this example to underscore the point that the risk function has become very important in a very short time.  The legal function, in contrast, established itself early and has experienced a lasting legacy.  When we compare one function to the other, we should keep these characteristics in mind. 

Of course, the fact that legal has been a long-time player does not, in itself, make the legal function important.  What is the role of the legal function?  While we will discuss that question throughout this article, the continuous role of the legal function has been to exercise legal judgment, and in the most effective legal functions, those providing such judgment are experienced and mature lawyers who have the trust of senior management.  In many financial institutions, the chief legal officer is in the “C” suite and in regular contact with the chief executive officer and the board of directors.

But it is not the position and longevity of the legal function that makes the work of lawyers so important.  It is the nature of the subject matter – legal judgment – that has so much consequence for the way financial institutions carry out their activities.[6]  Shortly before the global financial crisis started, I had the occasion to make the following observation about the work done by banking lawyers:  “Generally, lawyers acquitted themselves with distinction in assisting their financial institution clients in the management of legal, compliance, and reputational risk.”[7]  Nothing since 2007 has altered my view on the role of banking lawyers or the capability of the class as a whole.

The mismanagement of the risks that resulted in the global financial crisis was largely not a mismanagement of legal, compliance, and reputational risks, the risks typically associated with the legal function.  The problems that caused difficulties at Bear Stearns, AIG, Lehman Brothers, WAMU, Citigroup, and Bank of America arose out of other types of risk.  No federal judge during the global financial crisis felt the need, as Judge Sporkin did almost 30 years ago with respect to the failed Lincoln Savings and Loan, to inquire, “[w]here were the lawyers?”[8]  In the vast literature about the global financial crisis, there is plenty of blame with respect to how risk was managed, but very little is cast on financial institution lawyers.

Take, as one useful example, the change in the business model for bank lending.  The industry transformed from an industry that originated and held the loans that banks made, to an industry that originated and distributed these loans to other industry participants.  This change in business model resulted in less discipline among banks, and across the financial industry, with respect to credit risk.  Because there was no longer the same incentive for the bank originating the loan to identify, measure, monitor, and control credit risk (because the risk would soon thereafter be transferred to someone else), there was a significant increase in bad loans.  This contributed to the financial crisis.  Note that this was credit risk and not legal risk.  The blame rightly rests with the business people in the front lines who ignored (or did not understand) the implications of a change in business model and what it might mean for managing credit risk across the financial industry. 

While some lawyers could have done a better job cautioning their clients about the implications of the change in business model, and how it had affected credit risk, there is no case to single out lawyers, and even less of a case for blaming the legal professionals for mistaken legal judgments that resulted in the global financial crisis.  While there may have been a colossal failure of risk management, the mismanaged risks were not the responsibility of the legal function.

With all of that said, let me make an observation about shared responsibility.  Financial institutions exist in a highly regulated ecosystem, and lawyers are an indispensable part of the functioning of a modern financial institution.  Virtually every decision – from the smallest to the largest – has a legal component.  In view of this, there is a shared accountability on the part of the lawyers, and on the part of other people who perform within the ecosystem (regulators, business people, academics, members of Congress, etc.), because they all play a part in shaping the ecosystem.

III. Factors that Might Be Prompting a Diminution in the Legal Function

In this section, I will discuss the factors that might be working in concert with the rise of risk to diminish the legal function.  I begin with the terminology used to speak about risk today.  One major development is that we now categorize risk by type.

Risk Typology

A lesson learned during the financial crisis is that there are different types of risk.  AIG, for example, learned a powerful lesson with respect to liquidity risk in September and October of 2008.  At that time, AIG was the world’s largest insurance company,[9] and did not anticipate that a downgrade by the rating agencies would result in a situation where it could not repay its debts as they came due.  It then learned a very hard lesson about liquidity risk, a risk that is distinguishable from insolvency risk[10] – where the liability side of the balance sheet exceeds the asset side.  In September of 2008, AIG was not balance sheet insolvent but it was illiquid, and the governmental rescue of AIG succeeded because AIG and the United States Government acted together to solve AIG’s liquidity problems.

To return for the moment to the observations that I made in early 2007, I spoke about the role of lawyers with respect to legal, compliance, and reputational risk.  Let’s consider how the OCC currently treats these forms of risk in its Part 30,[11] a set of regulatory measures designed in the post-crisis period to foster better risk management in OCC-regulated financial institutions.  In Part 30, the OCC covers a range of risk types, including compliance and reputational risk.  It does not address legal risk,[12] because the OCC wisely did not want to be challenged as trying to regulate the practice of law.  Instead, the OCC can, and does, monitor how well institutions are handling compliance and reputational risk by reviewing the adequacy of their compliance function.

Another problem relates to how the regulatory community defines legal risk, on the one hand, and compliance risk, on the other.  The definitions are not mutually exclusive.  In fact, the definitions substantially cover the same subject matter.  Let’s consider the Federal Reserve’s SR 16-11, which defines “legal risk” as follows: “the potential that actions against the institution result in unenforceable contracts, lawsuits, legal sanctions, or adverse judgments can disrupt or otherwise negatively affect the operation or condition of a financial institution.”[13]  This risk, as it is cast by the Federal Reserve supervisory staff, is the risk that arises from a contract that is unenforceable or from the institution being subject to a legal sanction.  Now consider how the Federal Reserve defines “compliance risk” in SR 16-11, as “the risk of regulatory sanctions, fines, penalties or losses resulting from failure to comply with laws, rules, regulations, or other supervisory requirements applicable to a financial institution.”[14]  The definitions of legal risk, on the one hand, and compliance risk, on the other, are not mutually exclusive; to the contrary, there is considerable overlap between them.

Defining different concepts to mean much of the same thing might not be harmful, depending on how the definitions are used.  However, if the definitions are used to define roles and responsibilities, this can cause considerable mischief.  One might also say that using the definitions to define roles and responsibilities is using the definitions inappropriately.  In my view, an inappropriate use of the defined risk types would be to say, as many do, that the compliance function is responsible for compliance risk and the legal function is responsible for legal risk.  If there is substantial overlap between the two risk types, and there is, this could lead to compliance encroaching onto the functioning of legal.

Encroachment by the compliance function onto the legal function is worrisome because of the core competency of lawyers.  Lawyers are special because of the nature of the judgment entrusted to them.  Lawyers make legal judgments. Under the current definitions of these risk types used by the regulators, compliance risk and legal risk are both, directly and materially, affected by legal judgments. 

Why are legal judgments entrusted to lawyers?  In most financial institutions, legal judgments are entrusted to the lawyers who inhabit the legal function (or, in the case of outside counsel, participate in the work of the legal function)[15] because of their special competency.  In the United States, our respective state laws require that the people exercising such judgment be licensed members of the bar because “it protects the public against rendition of services by unqualified persons.”[16]  Consequently, to assign compliance risk to the compliance function without consideration of the types of judgment that are needed to identify, measure, monitor, and control compliance risk is a mistake.  When compliance risk depends, as it often does, on a legal judgment, you need assistance from a qualified professional and that is a lawyer.  The manner in which the regulators have defined legal and compliance risks has ignored this core concept – that a qualified licensed lawyer needs to provide the necessary legal judgment.

Let me use my own past experience as General Counsel of the Federal Reserve Bank of New York to demonstrate the overlap in the definitions.[17]  In the rescue of AIG, a question arose as to whether a so-called “equity participation or kicker” could be offered as partial consideration for the revolving credit facility that rescued AIG from bankruptcy.  This question called for a legal judgment, and I made the judgment that the governing law permitted the Federal Reserve (my client) to receive such consideration.  This legal judgment was challenged in headline-grabbing litigation brought by AIG’s largest private shareholder, who was diluted by the equity participation (hereafter referenced as the “AIG Shareholder Litigation”).[18]  This AIG shareholder claimed that the governing law did not permit such consideration, and that the contractual provisions in the rescue deal relating to the equity participation were not enforceable.  In the Court of Federal Claims, Judge Wheeler ruled for the plaintiff-shareholder on the legal question (contrary to my legal opinion), a ruling that was not sustained on appeal. 

Note that, as the AIG example reveals, a legal judgment can create both legal and compliance risk.  In the AIG Shareholder Litigation, the plaintiff claimed that the Federal Reserve Act did not permit the Federal Reserve to receive an equity participation, which meant that (under plaintiff’s theory) the Federal Reserve had violated its authorizing statute.  This created the risk that an important component of the revolving credit agreement could not be enforced as written, the provision that AIG had to contribute nearly 80% of its equity to a trust for the benefit of the United States Treasury.  A judgment in favor of the plaintiff clearly represented a legal risk but it also created a compliance risk.  At least in theory, an enforcement action could be brought against the Federal Reserve to hold it accountable for the claimed statutory violation.  In simple terms, when there is an error in a legal judgment, or as in the AIG Shareholder Litigation, an alleged error in a legal judgment, it typically creates both legal and compliance risk.  The example also illustrates why the definitions are not fit for the purpose of assigning roles and responsibilities as between legal and compliance.  The question whether the Federal Reserve Act permitted an equity kicker called for a legal judgment.

Another problem with the overlapping definitions of legal and compliance risk is that they obscure what, in many situations, is the key determinant of the risk in a financial transaction or activity.  This key determinant – legal judgment – is a central thesis of this article.  These legal judgments must be made with respect to fuzzy and ambiguous concepts or texts, and take into account interpretations by judges and regulators that morph over time and with changing facts.  The simplistic notion that compliance risk is for compliance and legal risk is for legal does not withstand analysis.  The province and responsibility of the legal function is making legal judgments on behalf of the financial institution.  This is what makes the legal function important.  To the extent that legal judgments are made by another group of professionals, let’s say the compliance professionals, then the importance of the legal function is diminished and a specific type of decision-making gets done by those who are not properly qualified.

With respect to legal risk, there is another development that has occurred among the supervisory community that is relevant to this analysis.  The Basel Committee on Banking Supervision (BCBS) has determined legal risk to be a subcategory of operational risk.  In its seminal manuscript titled Principles for the Sound Management of Operational Risk, the Committee said this plainly:  “Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.  This definition includes legal risk, but excludes strategic and reputational risk.”[19]  Of course, the problem with this bold statement is that operational risk describes almost everything.  Every calamity will be caused either by an externality or by a failure on the part of a process, person, or system.  The inherent credit risk in the sale of a portfolio of bad loans fits the definition, and so does the liquidity risk that AIG experienced in September of 2008.

Of course, if operational risk covers nearly all risks, and the risk management function has responsibility for operational risk, then the risk management function owns nearly all risks.  This would include legal and compliance risks.  Consequently, the BCBS declaration that legal risk is a component of operational risk is a problem.

Returning to the AIG Shareholder Litigation, let us assume for purposes of argument that the court concluded the Federal Reserve Act prohibited receipt of an equity kicker, and the United States had to pay a judgment of more than $20 billion.  An application of the quoted conclusory statement by the BCBS would result in a conclusion that an operational risk had produced this result, attributable most directly and immediately to a bad selection decision with respect to the General Counsel.  Alternatively, one might say the risk arose from the externality of litigation by AIG’s largest shareholder.  In either variant, we have a risk that would qualify as an operational risk fitting the Basel definition. 

If you categorize risk in this fashion, it might lead you to conclude that managing all these risks is within the role and responsibility of the chief risk officer, because the chief risk officer is charged with identifying, measuring, monitoring, and controlling operational risks (and legal risk, according to the BCBS, is operational risk).[20]  But, in my view, that puts this kind of risk into the hands of an unqualified professional because the key determinant is a legal judgment.  Consequently, the BCBS framework turns us in the wrong direction. 

Legal judgments should be made by those who are qualified, namely the lawyers in the legal function.  Legal risk is not operational risk.  Neither is compliance risk when it depends on legal judgment (it can be operational risk when it is determined by technology, such as when compliance is designing a suspicious activity monitoring system).  The BCBS just got this one wrong.

With respect to the AIG Shareholder Litigation, had I concluded that the Federal Reserve Act did not permit the Federal Reserve Bank to receive an equity participation, this legal judgment would have been binding on the policy makers because they are bound by the common internal-affairs constraint that all corporate officers must follow the law.  No Federal Reserve official has the authority, on behalf of the organization, to violate the law.  This is true in nearly all financial institutions (many would say that a deliberate decision by a corporate officer to violate the law constitutes a breach of the officer’s fiduciary duty). 

The General Counsel is, under the rules governing the organization’s internal affairs, the person who gets to say what the law is.  Senior Federal Reserve officials could resort to other external counsel in an effort to obtain a different legal judgment, but they would nonetheless need a competent opinion from a qualified lawyer.  As a result, this theoretical possibility for the “front line” policy makers – to go to outside counsel for a different legal judgment – is not usually practicable.  The important point is that a properly licensed lawyer – either the General Counsel or outside counsel – gets to say what the law is.  This is not subject matter for a layperson.  In the end, when it comes to legal judgment, the legal function holds the decisional responsibility.  At issue in the AIG Shareholder Litigation was the legal judgment that the Federal Reserve Act permitted the equity kicker.  If the legal judgment were that the Federal Reserve Act prohibited the equity kicker, then no equity kicker would have been a part of the rescue, and there would have been no AIG Shareholder Litigation.

For purposes of this particular discussion, the imprecision in the definitions of legal and compliance risk is a highly consequential factor that may be empowering the risk and compliance functions to the detriment of the legal function.  I look at this as a kind of “original sin” by the regulatory community, which has caused many successive problems.  The problems with the definitions of risk types are compounded further by the mistaken belief of supervisors that legal risk is a form of operational risk.

Three Lines of Defense

Another potentially contributing factor to the diminution of legal is the three lines of defense framework, which has become the accepted framework for managing risk in a financial institution.[21]  Under this framework, the front-line business owns the risk and is the first line of defense.  In the second line of defense are the risk professionals who are empowered to identify risks for the front line and help them to manage and control their risks.  The third line is audit, which will ascertain how well the framework is working.[22]

With respect to the second line, the risk function is intended to operate on an enterprise-wide basis across all risk types.  The risk types would include operational and compliance risks.  While legal risk is not usually referenced, the discussion of the overlapping definitions in the preceding section means legal risk can be reached indirectly, as compliance risk or operational risk.  Being outside the framework could have caused the regulators a problem, if some critical risk management function were to fall outside of regulatory purview.  But the regulators found a way to avoid that result, using the loose definitions of compliance and operational risk.

The OCC has adopted the three-lines-of-defense framework in Appendix D to Part 30.  During the notice-and-comment phase that preceded adoption of Part 30, there was a significant clamor over the OCC’s preliminary attempt to force legal into the three-lines-of-defense framework.  In the final guidance, the OCC withdrew from covering legal, and this was the right regulatory response in the view of the author.  Regrettably, however, there has been too little attention to a view expressed by this author that legal stands in its own right.[23]  Instead, legal is too often forgotten when it comes to the risk management framework.  Alternatively, the legal function is subsumed in the risk taxonomy, and placed under the broader category of operational risk.  In a certain respect, it is “as if” the legal function disappeared.[24]

Again, if this factor were alone, it would not likely result in a diminution in the role of the legal function.  But it is not alone, and the absence of legal is amplified considerably by a trend in the way compliance reports within today’s financial institutions.

The Modern Trend for Compliance Reporting – From Legal to Risk

The modern trend for financial institutions is for compliance to report up to the chief risk officer rather than to the chief legal officer.  This is not a trend that has been fostered by regulatory requirements, although there are many bank examiners who mistakenly believe it is.  A financial institution can, if it wishes, have compliance report up to the chief legal officer.[25] 

There is a rich literature articulating the benefits and challenges with respect to either form of structural reporting, and there are also some other options, like having the chief compliance officer report to the chief operating officer or even the chief executive officer.[26]  The considerations that lead financial institutions to select one reporting relationship over another are beyond the scope of this article.  Here, I will address two considerations that may explain some of the modern trend, and state why I think both are mistaken.  Then, with respect to the modern trend, I will explain what I perceive to be an organizational dynamic inherent in any structure where compliance reports to risk.  The organizational dynamic could result in the diminution of the legal function.

One widely offered explanation for the movement of compliance to risk relates to independence.  The Basel Committee on Banking Supervision has declared as a core principle that “[t]he bank’s compliance function should be independent.”[27] Many disciples of independence believe that this means the chief compliance officer must be independent of management, although the BCBS never actually said this.  In fact, the BCBS said that “[t]he concept of independence does not mean that the compliance function cannot work closely with management and staff in the various business units.”[28] 

Further, it is simply erroneous to conclude that the risk function is independent of management while the legal function is not.  In my opinion, the erroneous view rests upon a mistaken notion as to what a financial institution’s legal counsel does.  The mistaken notion is that counsel is the advocate for management, most often the so-called “C” suite or even the chief executive officer.  But bank counsel do not act as the advocate for any particular business person or organizational constituent.  A financial institution’s lawyer represents the organization.[29]  Her obligation is to exercise “independent professional judgment and render candid advice”[30] on behalf of the organization, and this necessarily means that counsel can be “independent” of management.  If compliance reports to counsel who are themselves independent, there is no independence problem.  Of course, this is not a structural independence as we often see with respect to audit (many independent auditors report to the Chair of the Audit Committee of the board of directors, rather than to a member of management).  It is judgment independence, and judgment independence is precisely what is needed for compliance.  In sum, there is no independence problem when compliance reports to the chief legal officer.

Another often unspoken reason why some chief legal officers have not objected to the reassignment of compliance to risk relates to a different kind of risk calculus.  Some chief legal officers look at the roles and responsibilities of compliance as roles and responsibilities likely to lead to problems and to the assignment of blame.  Consequently, when a discussion arises with respect to the appropriate reporting relationship, some chief legal officers see this in terms of a way to limit their own personal responsibility.  In my view, this is the wrong reason to move compliance.  It is not a reason grounded in organizational interest; it is a reason grounded in the chief legal officer’s personal interest.[31]

Putting to the side the reasons underlying the modern trend to have compliance report to risk, it is clearly the trend for banking organizations in the post-crisis period.  And when that organizational move is made, there is a very clear organizational dynamic that follows at the time when compliance moves from legal to risk.  Once compliance moves, the chief compliance officer will naturally realign with the chief risk officer, the officer to whom the chief compliance officer now reports.  If a particular risk issue occupies the sometimes mercurial border between legal, compliance, and operational risk, then the lawyers should anticipate that risk and compliance will form a new coalition.  Remember that a reporting relationship usually entails some other components in the typical financial institution – the chief risk officer will now probably be appraising the chief compliance officer’s performance and determining the chief compliance officer’s compensation.

If there is to be a “turf fight” between risk and legal, once the chief compliance officer starts reporting to the chief risk officer, there will be little daylight between compliance and risk. 

Attorney-Client Privilege

Many of those who are familiar with the examinations process would say that there is a generalized antipathy on the part of examinations staff toward lawyers and the legal function.  I wish that this were not true, and I know that it is not universal.  Yet it is my generalized view that this bias exists.  Why?

One factor is the attorney-client privilege.  Financial institution lawyers will raise privilege with examination staff and examination staff will often see it as an obstructionist tactic.  With respect to compliance staff, who are not functioning in the same capacity as legal counsel, and who typically do not interpose privilege objections (and when they do, they assign, appropriately, responsibility to legal), the examination staff have much more agreeable dealings.  As a result, examiners routinely see compliance staff as more cooperative than the legal function.  Further, there is a symbiotic relationship that often occurs between examination staff and compliance staff. 

For example, when compliance needs more resources, often compliance will receive external support from the examiners.  When a compliance professional is having difficulty with a particular business executive, a hushed hallway conversation with the examiner-in-charge can sometimes work a miracle.  Finally, on an interpersonal level, there will typically be a close working relationship between the examiners and the compliance staff; they will see each other as colleagues.  In contrast, the relationship between examiners and lawyers is generally at arm’s length.

With respect to the attorney-client privilege and the work product doctrine, there is a special provision of federal law that is intended to facilitate the communication of privileged information between the financial institution and its prudential supervisor.[32]  Some look at this provision as evidence of an attempt by government to erode privilege.  As one of the proponents of the provision, which was added by the Regulatory Relief Act of 2006, I can state that this provision was supported by the Federal Reserve and the OCC, but that support was not designed to erode privilege.  The provision was drafted and enacted to reinforce, and not disable, the attorney-client privilege and the work product doctrine. 

Of course, the operative hypothesis underlying Section 1828 (x) is that sharing with a supervisory authority would be considered as fostering the interests of the financial institution.  If, on the other hand, the financial institution wishes to block the supervisor from seeing the legal advice, an assertion of privilege affords a way to accomplish this objective.[33]  When the privilege is asserted, it is asserted on behalf of the bank by bank counsel.  The examination staff will commonly experience the privilege assertion as a hostile act by bank counsel.  Over time, if the examination staff is regularly confronted with privilege assertions from the legal function, the examiners may come to regard the legal function as obstructionist and obdurate, and contrast that perception with what they experience from compliance and risk.

Examiner antipathy toward the legal function is never a good thing.  But it can be especially destructive when there is a conflict between risk/compliance and legal.  The examiners will likely side with risk/compliance and the conflict may be resolved with a legal loss.  Again, this can contribute to a diminution of the legal function. 

Legal “Meremanship” as an Advocacy Tool

One of the most surprising factors contributing to the diminution of the legal function may relate to the arguments that financial institution lawyers make about their own roles.  There are many examples, but perhaps the clearest and the most obvious occurred recently in the United Kingdom with respect to the Senior Managers Regime.

The Senior Managers Regime is designed by regulatory authorities in the United Kingdom to encourage senior managers in covered financial institutions to manage the risks that they are responsible for.  Consequently, the regime is designed to elucidate for senior managers what they are responsible for, that there is a proper focus on skills, capability and conduct within the firm, that a set of conduct rules provide a foundation for behavior, that practices and policies within covered firms provide for a necessary sense of accountability, and that the Financial Conduct Authority can hold the senior officials accountable if they should fail. 

A question arose under the Senior Managers Regime as to how to treat the senior staff of the legal function.  Were the lawyers to be considered within the scope of the Senior Managers Regime and held accountable as officials who had significant responsibility for risk management?  In the comments that were received, “[m]ost respondents argued that the [legal] function was purely advisory” and that a determination otherwise might be compromising to privilege.[34]  Accordingly, the Financial Conduct Authority has now proposed “to exclude the Head of Legal from the requirement to be approved as a Senior Manager.”[35]  Of course, the chief risk officer and the chief compliance officer are included.  What does this contrasting position say about the relative importance of risk/compliance vis-à-vis the legal function?  I believe the answer is obvious.

The argument made in the United Kingdom is an argument that is often heard from counsel in the United States.  It is the “meremanship” argument – to the effect that all lawyers do is give legal advice.  The purpose of this result-oriented argument is to deemphasize lawyer importance.  It is a variation on the argument that “don’t worry about us, we do not really matter.”  One problem with the argument is that it is not really true.  For the reasons stated above, the lawyers within a financial institution do matter, because they are the group that renders legal judgments that have a material effect on how the financial institution carries out its activities.  Returning to the AIG Shareholder Litigation example, when I opined that the Federal Reserve Bank could receive an equity participation as consideration for a rescue loan, that legal judgment enabled the deal to go forward with that particular component which turned out to be worth more than $20 billion.  A decision otherwise would have resulted in a different deal, with considerably less upside for the taxpayer.  As the AIG Shareholder Litigation example demonstrates, legal judgment matters.  Legal judgment can determine the consideration for a material transaction, or the contours of a permitted activity.  The legal function does much more than just whisper advice.

Another problem is that such advocacy becomes a self-fulfilling prophecy.  The essence of the argument is that “lawyers don’t matter.”  More problematic is that the argument is occurring in a context where the role of lawyers is juxtaposed against the role of risk and compliance professionals, who are covered by the Senior Managers Regime.  The decision to include the risk and compliance professionals sends the opposite message: “these people really do matter.”  This returns us to the overall purpose of the Senior Managers Regime – to hold those who have material decision-making authority responsible for their decisions.  Risk and compliance professionals need to be responsible.  Why not senior personnel exercising legal judgments?

Risk Governance

In the new, post-financial-crisis world, financial institutions are expected to identify, measure, monitor, and control all of the risks they face.  The supervisors of such institutions expect that there will be processes and procedures for governing these risk functions across all of the risk types, and that these governance procedures will encompass risk-appetite statements and a risk-governance framework.

The processes and procedures will be developed under the supervision and control of the risk committee of the board of directors.  The risk committee will be the body that typically approves the risk appetite and the risk-governance framework.  Ordinarily, the senior management will create an internal management committee to perform these tasks, before these kinds of determinations reach the risk committee of the board (or the full board).

Note that risk governance will typically encompass the following risk types: credit risk, interest rate risk, liquidity risk, price risk, operational risk, compliance risk, strategic risk, and reputational risk.[36]  Once again, the absence of legal risk and the legal function may be problematic, if this absence gives rise to an inference that legal risk and the legal function are not important (or are subsumed under the umbrella of other risk professionals).  The concern is a variant on the concern that I have expressed about meremanship advocacy, except here it is that an inference might be drawn – legal risk and lawyers do not need a framework because they are not important.

This does not mean that we should invite regulators to make legal judgment a part of the risk governance that they are reviewing as a component of enterprise risk management.  An alternative possibility is for the legal function to create its own risk governance framework for matters requiring legal judgment.  This framework would require that lawyers be the core professional staff, and not the risk function.  But, for anyone who has engaged in this exercise, it is not facile and will often be met with a healthy skepticism as to why legal is different from all other risk types. 

If a risk-appetite statement is prepared for legal risk, it will look decidedly different from the appetite statements for other risk types.  Let us hypothesize that we are creating a risk appetite statement for violations of the Volcker Rule.[37]  Anyone who has gone through such an exercise will know that it is likely to result in the only practicable conclusion – that there is a zero appetite for such a violation.  Would the answer be different for sexual harassment, a Truth-in-Lending Act violation, and so on?  No.  Every financial institution will seek to conduct its activities within the bounds of the law, meaning that it has zero risk appetite for violations of law.  Having no appetite for legal violations will be consistent with what most banking organizations practice; it is a permutation on the internal affairs policy referenced earlier that no corporate officer has the authority to violate the law.  When a bank official intentionally violates a legal prohibition, nearly all banks will take disciplinary action against the official.[38]  The goal of such disciplinary action will, of course, be aspirational and designed to send a message that the bank conforms its activities to the bounds of the law.  With that said, in nearly every financial institution, including the most carefully controlled and the best governed, the goal will not be attained and there will be episodic violations.

Those with experience in these matters will know that legal and compliance risks are different in nature from risks like credit risk and liquidity risk.  Governance practices that work for the latter risk types are not easily adapted to the former.  Perhaps what is needed is for the legal profession to intervene with regulators and make sure there is awareness that the legal function is sui generis in its risk management endeavors.

The alternative course – remaining silent with respect to the legal function – has its own potentially destructive consequence.[39]  In a world where risk governance is seen as exceptionally important to the health of the financial institution and the stability of the economic ecosystem, being marginalized is a form of diminishment.

Risk Reporting

The final factor leading to a potential diminution in the role of the legal function concerns risk reporting.  In today’s financial institution, it is typical for a bank’s highest legal authority, the board of directors, to also have a risk committee either because it is legally required or because it is considered to be a better governance practice.  The risk committee’s principal task will be risk oversight.  To perform its risk-oversight function in a competent manner, the risk committee will need information from the management about risk in the organization.  This ordinarily leads the board’s risk committee to turn to the chief risk officer and request a risk report, or a risk “dashboard,” that will enable the risk committee to perform its risk-oversight functions.  In its IRM Guidance, the Federal Reserve proposes the principle that independent risk management “should provide the board and senior management with risk reports that accurately and concisely convey relevant, material risk data and assessments in a timely manner.”[40]

An effective risk-reporting mechanism will typically show the risk committee the different types of risk that the organization faces, and will try to gauge trend lines.  The trend lines will show whether risk of a particular type is increasing, decreasing, or remaining constant.  Often, when presented in dashboard form, the risk report will highlight risk trends in colors, where green is good, red is bad, and yellow is a warning sign.  A good risk report will identify “emerging risks” and provide “forward-looking perspectives.”[41]

In most organizations, the risk committee will look to the chief risk officer to provide this kind of information.  The risk committee typically will not want to receive information from many different people.  It will want to hold accountable for risk reporting a key senior officer, and usually that officer is the chief risk officer.  This can place the chief legal officer in an uncomfortable position, particularly with respect to legal and compliance risks.  Often, compliance risk reports will reference legal judgments, and, again, legal judgments are the province of the legal function.  For example, compliance may believe that there has been a violation of the Truth in Lending Act, which involves a legal determination and a legal judgment.  If this view should be written into a risk report, this encroaches on the legal function because it is the province and duty of the legal function to say what the law is and whether the law has been violated.

If there is a legal memorandum from the legal function stating this judgment, it could be appended to the risk report and the problem is solved.  But often these reports do not follow this practice, and that has consequence.  For example, if a legal conclusion is stated in a report from the chief risk officer or the chief compliance officer, it will not be privileged.[42]  There will likely be significant pressure to get the board books done timely, and not to distinguish this “legal” matter from all the other risk issues that warrant the attention of the risk committee.  In addition, if the legal function should demand special treatment, there may be a perception that legal is “too defensive” or that legal is “causing trouble.”  All of these considerations may create pressure on the legal function to acquiesce, and permit the chief risk officer to follow the path of least resistance and treat a legal risk issue just as it would treat, say, an information technology risk.  If this should occur, it is another encroachment by risk on what should be legal’s territory.

IV. Diagnostic: Is the Legal Function Being Diminished?

In the preceding section, I summarized seven risk management conditions that might be causing a diminution in the role performed by the legal function.  Is it actually happening?  I try to answer that question in this section. 

Turning to one of the tools used in the discipline of risk management, we need to confront a measurement problem.  How can we measure an amorphous concept like diminution?  Without spending much time on the question, the short answer is we have no quantitative measure of the power and effect within financial institutions of the legal function.[43]  We have identified the risk of diminution, but we have no good quantitative measure of whether it is actually occurring.

Is there qualitative or anecdotal evidence that the power and effect of the legal function is in decline?  I believe that there is evidence this is happening, but it is very early in the process to be drawing firm conclusions.  This is a current topic of conversation among senior internal lawyers within financial institutions.  The degree of concern varies from person to person and from institution to institution, but the topic is often front of mind.  There is also considerable interest among legal and compliance professionals in defining roles and responsibilities, largely driven by concerns about who does what, but especially influenced by structure wherever compliance reports to risk. 

For purposes of this article, my personal perspective is the legal function has, in fact, been diminished by the ascendancy of the risk management function.  I have a sense that this has started to occur, and I hope this article will foster vigorous discussion of that question by the banking bar.

One can also ask, if the legal function has started to decline, how far has it declined?   

Assuming that my perspective of decline is accurate, and further assuming that some impairment has already occurred, can we reverse the trend and repair the damage?  I think the answer is yes.  

V. Taking Affirmative Actions to Reverse the Decline and Repair the Damage

If a conclusion is reached that the legal function in financial institutions is being diminished and that this is a negative trend that needs correction, what remedial actions are needed?  If I have correctly identified the conditions that are causing the diminution, then the future remedial action becomes clear.  We need to focus on the seven conditions that are working in concert to diminish legal.

The first condition concerns risk typology.  The legal function is certainly focused on legal risk.  But this does not mean that this is the exclusive interest of the legal function.  The legal function should be interested in any risk type that is affected by the exercise of legal judgment.  At a minimum, that would include compliance and reputational risk, but we should not stop there.  Legal judgment affects other types of risk, including credit risk.  In fact, when you consider various risk types, legal judgment likely impacts the majority of them (misconduct risk, for example, is heavily influenced by legal factors whereas model risk is probably not).  Lawyers need to be much more assertive about their expertise and their expertise is legal judgment.  But lawyers also should not be shy when rendering judgment and advice.  As the Model Rules frame it, lawyers should feel free to “refer not only to law but to other considerations such as moral, economic, social, psychological, and political factors that may be relevant” to the financial institution’s situation.[44]  In this regard, the legal function brings to the table not only depth of knowledge with respect to legal judgment, but a breadth of knowledge that can be meaningful with respect to managing other risk types.  As legal professionals, we do more than merely give legal advice.  In the best-in-class legal functions, the senior members of the function are typically considered as business partners who are valued for their legal judgment and business acumen.

The next condition is the three-lines-of-defense framework.  This framework is fine for creating a conceptual model for the work of risk professionals, but it should not be either a model or a constraint on lawyers.  We have to continue functioning as we always have, and, as I said in the article in Business Law Today, the legal function within banking organizations has worked well for more than a century.  With respect to the three lines of defense, the lawyers may move from line to line, depending on the function performed.  If a lawyer is drafting transactional documents at the direction of a front-line business person, the lawyer (as an agent) will be in the first line (assuming that the lawyer is not exercising legal judgment but simply codifying the intention of the business personnel).  If the lawyer is assisting in identifying the risks in a potential new product, to inform a senior management committee that is deciding whether to greenlight or redlight the new product, and authorize it to be offered by the financial institution, the lawyer will be in the second line.  The lawyer is performing a second-line function by informing the decision-makers about risk.  There may also be times when lawyers are assisting internal audit – let’s say they are auditing some kind of human resource practice or procedure.  When acting in this capacity, the lawyers may be in the third line.  The important point is that the three-lines-of-defense model does not neatly fit the work of a legal function; it does not matter where the lawyers are found, so long as they are performing their historical role and making the necessary legal judgments.  And, perhaps most importantly, the lawyers often perform a hugely consequential function that does not fit into any one of the three lines of defense.  Consider the role performed by a senior lawyer who is handling “bet the company” litigation.  Such a lawyer is not in any line of defense but is performing a classic function in managing and controlling the legal risk presented in the litigation.  To avoid a diminution of legal, we must become more assertive about the role of lawyers in risk management, and how they stand apart from the three lines of defense.

Moving to reporting relationships, we need to develop a more realistic understanding that organizational dynamics will change when (and if) compliance moves from legal to risk.  In a certain respect, this is like stating rain is wet.  When the reporting line of the chief compliance officer changes from the chief legal officer to the chief risk officer, who but a fool would ignore the change in organizational dynamics?  Yet this point is hardly mentioned in the literature.  Further, because the distinction between legal, compliance, and operational risks is often obscure, there will be inevitable conflict as to roles and responsibilities.  Having sensitivity to the organizational dynamics is important, because it permits those who are on the playing field to discuss the subject matter and do what is required – namely, work it out.  Alternatively, if they cannot work it out, then they can escalate the dispute to a higher authority who must likewise be sensitive to organizational dynamics.  These dynamics should also be considered when senior officials resolve the inevitable conflicts that come with an escalated matter.

The next condition is privilege.  Financial institution lawyers should closely examine privilege assertions that withhold information that would otherwise be seen by their regulators.  This action has real consequence, and it can and does breed examiner resentment directed toward lawyers.  When privileged matter is solicited by a regulator who is performing prudential oversight (and not acting in an enforcement capacity),[45] sharing privileged information with an appropriate legend will not result in a waiver and likely will not have any negative consequence.  In fact, it might reveal to the examiners just how well the legal function has helped the organization to function in a safe and sound manner.  Providing such material to a prudential supervisor, certainly in a context where there is no likelihood of enforcement action, might be one small, additional step.  While inevitably there will be certain occasions that warrant a privilege assertion, the assertion of privilege in response to a regulator’s request should not be reflexive; if privilege is not asserted, the hidden benefit could be the avoidance of examiner enmity. 

As for legal “meremanship,” I am reminded of what President Obama said: “[T]he first thing we do is stop doing stupid things.”  We should stop arguing that the legal function is not important.  We are important – we make legal judgments and, almost every day, those judgments directly and materially affect the way in which banks conduct their activities.  Arguing we merely give legal advice now threatens to turn us into advisors about nothingness.  If it were true that we are unimportant, then I would have no objection.  But it is not true and we know it.  This could, of course, mean that we will be held accountable for our legal judgments, perhaps even to regulators.  Is that necessarily a “bad” outcome?

With respect to a risk governance framework, lawyers should work to fashion our own unique framework with respect to the exercise of legal judgment.  We should not remain in a kind of twilight zone, because this is not in the interest of the financial community and diminishes the rule of law in society.  And when we finally start to analyze our framework, we will likely discover that we actually have one.  We just have never codified it or conformed our practice to a written policy and procedure. 

With respect to risk reporting, I am reminded of the situation in 2006 that needed to be remedied with Section 1828 (x).  Having the chief risk officer recite a legal judgment in a risk report creates a non-privileged record that could be subject to discovery in third-party litigation against the financial institution.  This is a problem that needs attention.  It is also a problem that perhaps needs some creativity and initiative.  What about a risk report from both the chief risk officer and chief legal officer?  What about a risk report that contains an addendum with legal memoranda?  The problem can be addressed if it receives proper attention.

Finally, the whole of these seven conditions is more than the sum of its parts.  Yet, if we address each one individually, we can reverse the potential diminution and start to repair the damage.  The legal, compliance and risk functions can work together seamlessly, with each being cognizant of their unique roles and responsibilities, and each regarding the other with mutual respect.

VI. Conclusion

The ascendancy of risk management and the chief risk officer is one of the truly noteworthy changes in financial institutions since the end of the global financial crisis.  In the view of the author, the change has materially contributed to the safety and soundness of banks and banking.  There is anecdotal evidence that this change has produced an unintended consequence, and the unintended consequence is a relative diminution in the role of the legal function.  This unintended consequence is dangerous, particularly if the diminution becomes material.  The legal function performs a hugely consequential role in the functioning of financial institutions.  The role needs to be better understood and appreciated.  The rise of the risk function should not mean there will be a decline in the legal function. 

[1] I gratefully acknowledge the invaluable assistance of my Sullivan & Cromwell colleagues, Camille Orme and Cristina Liebolt.  The views, thoughts, and opinions expressed in this article belong solely to the author, and do not necessarily reflect the views of Sullivan & Cromwell, or anyone affiliated with the firm.

[2] Senior Supervisors Group, Risk Management Lessons from the Global Banking Crisis of 2008 (October 21, 2009).

[3] See, e.g., David Moss, “An Ounce of Prevention: The Power of Public Risk Management in Stabilizing the Financial System,” Harvard Business School (working paper) (Jan. 5, 2009); Tobias Adrian, Risk Management and Regulation, International Monetary Fund: Monetary and Capital Markets Development (2018); Risk and Insurance Management Society, Inc., “The 2008 Financial Crisis:  A Wake-Up Call for Enterprise Risk Management,” (2008); Federal Reserve Bank of New York, “Economic Policy Review: Special Issue: Behavioral Risk Management in the Financial Services Industry: The Role of Culture, Governance, and Financial Reporting,” August 2016, Vol. 22:1; Society of Actuaries, the Casualty Actuarial Society and the Canadian Institute of Actuaries, “Risk Management: The Current Financial Crisis, Lessons Learned and Future Implications”; The Financial Crisis Inquiry Edition, Final Report of the National Commission on the Causes of the Financial and Economic Crisis in the United States, submitted pursuant to Public Law 111-21, January 2011; Anil K. Kashyap, Lessons from the Financial Crisis of Risk Management, University of Chicago, Booth School of Business and NBER (paper prepared for the Financial Crisis Inquiry Commission) (February 27, 2010); Daniel Zéghal and Meriem El Aoun, Enterprise Risk Management in the US Banking Sector Following the Financial Crisis, Modern Economy, 7, 494-513 (April 29, 2016); OECD, Corporate Governance and the Financial Crisis: Key Findings and Main Messages, June 2009; Permanent Subcommittee on Investigations, United States Senate, Wall Street and the Financial Crisis: Anatomy of a Financial Collapse (April 13, 2011); Philippe Jorion, Risk Management Lessons from the Credit Crisis, European Financial Management (2009).

[4] See, e.g., the definition used by the OCC for a “front-line unit.”  12 C.F.R. Part 30, App. D, at I(E)(6).  The Federal Reserve has recently used the expression “business line management” to refer to “the core group of individuals responsible for the prudent day-to-day management of the business line and who report directly to senior management.”  Board of Governors of the Federal Reserve System, Proposed Supervisory Guidance – Independent Risk Management and Effective Senior Management, 83 Fed. Reg. 1351 (Jan. 11, 2018) (hereafter “IRM Guidance”).

[5] A recent report by the Group of Thirty notes that, since the financial crisis, the “banking industry has paid an estimated US$350 billion to US$470 billion in penalties (including fines and litigation/settlement charges) for conduct-related matters . . . .”  Banking Conduct and Culture – A Permanent Mindset Change at 3 (November 2018).

[6] See E. Norman Veasey & C. DiGuglielmo, Indispensable Counsel: The Chief Legal Officer in the New Reality (2012).

[7] Thomas C. Baxter, Jr. and Brian Baxter, The Financial Institution Lawyer: Four Flavors of Failure, Bus. Law Today vol. 16, no. 4 (March/April 2007).

[8] Lincoln Sav. & Loan Ass’n v. Wall, 743 F. Supp. 901 (D.D.C. 1990).

[9] See, e.g., Emilios Avgouleas, A New Framework for the Global Regulation of Short Sales: Why Prohibition is Inefficient and Disclosure is Insufficient, 15 Stan. J.L. Bus. & Fin. 376, 380; Lila Zuil, “AIG’s Title as World’s Largest Insurer Gone Forever,” April 29, 2009, available at

[10] Today, AIG is a publicly traded company which has no continuing dependence on the United States Government.

[11] See 12 C.F.R. § 30.

[12] In Appendix D to Part 30, the regulation expressly provides that a “[f]ront line unit does not ordinarily include an organizational unit or function thereof within a covered bank that provides legal services to the covered bank.”

[13] Board of Governors of the Federal Reserve System, Supervisory Guidance for Assessing Risk Management at Supervised Institutions With Total Consolidated Assets Less Than $50 Billion, SR 16-11 (June 8, 2016).

[14] Id. In the more recent IRM Guidance, the Federal Reserve uses the terms compliance risk and legal risk, but does not define those terms. IRM Guidance, supra n. 4.

[15] I am mindful that there are some financial institutions that are very small in asset size, and do not have lawyers. For these institutions, whose official staff are charged with knowledge of the law’s restrictions and requirements, the official staff must do the best that they can. But in the vast majority of financial institutions, the chief legal officer or General Counsel is the official charged with making legal judgments. Other officials are authorized to take action within the scope of their authority; ordinarily, no official has authority to violate the law, which empowers the chief legal officer because she is the person who gets to say what the law is.

[16] See New York Rules of Professional Conduct Rule 5.5, Comment 1 (January 1, 2017).

[17] This example is not protected by the attorney-client privilege because the Court of Federal Claims determined that privilege was waived. Starr Int’l Co. v. United States, Order of Jan. 6, 2015 (Court of Federal Claims, Doc. No. 417) (filed Jan. 6, 2015). All of the legal judgments are from the public record in the litigation.

[18] Starr Int’l Co., Inc. v. United States, 121 Fed. Cl. 428, 430 (2015), aff’d in part, vacated in part, 856 F.3d 953 (Fed. Cir. 2017).

[19] Basel Committee on Banking Supervision, Principles for the Sound Management of Operational Risk at 3 n.5 (2011).

[20] In the Federal Reserve IRM Guidance proposal, the text provides that “Business line management should incorporate appropriate feedback from [independent risk management] on business line risk positions, implementation of the risk tolerance, and risk management practices, including risk mitigation.” IRM Guidance, supra n. 4 at 1358. The IRM Guidance says nothing about the legal function.

[21] The Institute of Internal Auditors (IIA) announced that it will seek public comment from May 28 to July 30, 2019 on an updated model of the Three Lines of Defense. See IIA, “IIA Sets Exposure Period for ‘Three Lines of Defense’ Update” (Jan. 29, 2019), available at; see also IIA, “IIA Launches Global Review of ‘Three Lines of Defense’” (Dec. 5, 2018), available at. The IIA originally released a position paper on the model in 2013. See IIA, IIA Position Paper: The Three Lines of Defense in Effective Risk Management and Control (Jan. 2013), available at

[22] Internal auditors would be quick to say that they have other responsibilities, and their role in the three lines of defense describes only one part of a multi-faceted audit function.

[23] Thomas C. Baxter, Jr. and Won B. Chai, Enterprise Risk Management: Where is Legal and Compliance?, The Banking Law Journal, Volume 133, Number 1 (2016).

[24] In the Federal Reserve’s IRM Guidance, this is literally true. There is no reference whatsoever to a General Counsel, a Chief Legal Officer, or any lawyer whatsoever. The legal function is never mentioned, notwithstanding a repeated refrain that senior management should be attentive to “compliance with internal policies and procedures, laws, and regulations, including those related to consumer protection.” IRM Guidance, supra n. 4 at 1356.

[25] While every organization is different, I note that, at the Federal Reserve Bank of New York, the chief compliance officer reported to me when I was General Counsel. This organizational fact should aid in rebutting the mistaken notion on the part of some supervisors that this structure is not permitted because of independence concerns.

[26] See M. DeStefano, Creating a Culture of Compliance: Why Departmentalization May Not Be The Answer, 10 Hastings Bus. L.J. 71 (Winter 2014); C. Bagley, M. Roellig, and G. Massameno, Who Let the Lawyers Out?: Reconstructing the Role of the Chief Legal Officer and the Corporate Client in a Globalizing World, 18 Univ. of Penn. J. Bus. L. 419 (Winter 2016).

[27] Basel Committee on Banking Supervision, Compliance and the Compliance Function in Banks at 10 (April 2005).

[28] Id. at 10.

[29] E.g., New York Rules of Professional Conduct, Rule 1.13 (Jan. 2017) (“[T]he lawyer is the lawyer for the organization and not for any of the constituents.”).

[30] New York Rules of Professional Conduct Rule 2.1 (Jan. 2017).

[31] In a prior position, when I served as General Counsel and Executive Vice President of the Federal Reserve Bank of New York, the Chief Compliance Officer reported to me and not to the Chief Risk Officer.

[32] 12 U.S.C. § 1828(x).

[33] Last year, seven major law firms, including Sullivan & Cromwell, released a white paper relating to whether or not the federal financial regulators could compel the production of privileged information. Bank Regulators’ Legal Authority to Compel the Production of Material that is Protected by Attorney-Client Privilege (May 16, 2018). A potential collateral consequence of the assertion of that legal right is the effect that it might have on bank examiners. In some respects, it is analogous to how a jury might consider a criminal defendant’s exercise of the right not to testify in her own defense.

[34] Financial Conduct Authority, Optimizing the Senior Managers & Certification Regime at 9-12 (January 2019).

[35] Id. at 13.

[36] 12 C.F.R. Part 30, App. D, at II(B). See also IRM Guidance, where the Federal Reserve identifies “credit, market, operational, liquidity, interest rate, legal and compliance” as risk types. IRM Guidance, supra n. 4 at 1361.

[37] See 12 U.S.C. § 1851.

[38] Where there is controversy, the controversy typically relates to the degree of discipline, contrasting the “slap on the wrist” to the so-called “capital offense.”

[39] It is noteworthy that in the Federal Reserve’s proposed IRM Guidance, the legal function is nowhere mentioned. Further, there are extensive discussions of the Chief Risk Officer and the Chief Audit Executive, but no reference whatsoever to the Chief Legal Officer or General Counsel.

[40] IRM Guidance, supra n. 4 at 1311.

[41] Id. at 1361.

[42] The privilege protects communications between an attorney and her client, not between a risk or compliance professional and the Risk Committee.

[43] Some might look at the number of people working in the risk function at various times over the last 10 years, and compare it to the number of people working in the legal function.

[44] New York Rules of Professional Conduct Rule 2.1 (Jan. 2017).

[45] This is not always clear. Regulators should be candid about the function they are performing, and if the information is going to be shared with enforcement or if enforcement staff are accompanying an examination team, this should be transparent to the financial institution.

By: Thomas C. Baxter, Jr.
