The first thing we do, let’s kill all the lawyers.
-Dick the Butcher in Shakespeare’s Henry the VI
(Dick the Butcher was a follower of the rebel Jack Cade who thought that if he disturbed law and order he could become king.)
Introduction
The independence and role of the legal department within regulated banking organizations has come under pressure in recent years. This pressure has been exacerbated by a clash of professional silos among legal, risk, and compliance with a thumb on the scale inserted into the mix by the banking supervisors’ mistrust of lawyers and the in-house legal function. It is far beyond the business-as-usual, healthy tension over legal costs. The result is a push by some to contain in-house lawyers and the legal function away from a trusted advisor role into a smaller role and to exclude them from supervisory meetings and management committees. The main drivers of this push have been bank examiners, senior supervisory staff, and economists at the banking agencies, as well as risk-management professionals consisting largely of former examiners, supervisory staff, and economists from banking agencies.[1] By sharp contrast, the trend outside of the banking sector is exactly the opposite—that is, an increased trusted advisory and strategic role for the general counsel and the legal department in large, complex organizations.[2] Given the extraordinarily important role that the general counsel and in-house lawyers play as trusted advisors to senior management and in managing the legal risk of the banking organization, as well as their beneficial impact on corporate culture and reputational risk, this push is dangerous and should be halted. The appropriate role for the general counsel and in-house legal department in the banking organization should be reaffirmed by boards, senior management, and banking supervisors.
Part of the trouble stems from a misunderstanding among the professional silos of the bar, the examination staff at the banking agencies, risk-management professionals, and compliance professionals. A peace treaty, including each professional silo gaining a greater understanding of the professional roles and ethical codes of the other, needs to be struck as soon as possible.
It is critical to fix this situation now, before the transformative changes in the digital age, because if we continue down the current path, there is a danger that the tools of the digital age will not be appropriately programmed or trained with the legal framework embedded within them or take into account the professional ethics applicable to lawyering. We risk coding the mistakes and bias of the present into the more digital future.
Part I of this article explains how the federal banking supervisors have, by focusing on risk management and separating compliance from the legal department, both accidentally and deliberately contributed to the diminishment of the in-house legal function at banking organizations.[3] Since the financial crisis, an unfortunate culture of strong mistrust of lawyers by the supervisory staff has taken hold. At the same time, the concept of the three lines of defense, the inclusion of legal risk into the operational risk component of capital, and the banking regulators’ unusual attitude toward attorney-client privilege have also contributed, as has the traditional senior management view of in-house legal departments as more about managing the costs of legal services as opposed to managing legal risk.
Part II of this article argues that this situation has become dangerous for banking organizations and the rule of law. The strains on the budget and resources of the in-house legal department, tolerating multiple poles of legal interpretation and judgement within the banking organizations, a narrow view of the role of lawyers, and a misunderstanding of the attorney-client privilege in permitting candid internal conversations are all elements that should be reconsidered.
Part III of this article offers some suggestions to improve the situation. Boards of directors, senior managers, general counsels, in-house lawyers, and banking supervisors all have a role to play. It is time for a peace treaty. Working across professional silos and better training in the basics of other professional silos is key to a better path forward to overcome the misunderstandings of the recent past.
Part I: How We Got Here
The Three Lines of Defense
The aftermath of the financial crisis created a paradigm shift in the legal framework that applies to the banking sector.[4] Moreover, it was widely acknowledged that corporate governance in the banking sector had somehow failed. Both board level and internal corporate governance norms were changed as a result of changes in the legal framework or under discreet supervisory pressure.[5] Regulations and guidance were revised to require an independent CRO, making it explicit that this senior manager must report to a board committee as well as to the CEO.[6] In addition, banking organizations have been strongly encouraged to have independent CCOs, both by supervisory guidance and examination staff, as well as by the DOJ’s compliance standards.[7] The supervisory approach also underwent a paradigm shift deeply influenced by the concept of the three lines of defense: first line business, second line risk management, and third line internal audit.[8] A fatal flaw in the original three lines of defense was that it forgot about the legal department and the role of lawyers.
When originally developed in the United Kingdom, the three lines of defense concept was completely unknown in the U.S. legal and regulatory framework for the banking sector until the OCC, under the Obama administration, proposed to place it into its risk-management guidelines. These guidelines are the only place that the concept is used in the U.S. legal and regulatory framework. The Federal Reserve, in its later proposed governance guidelines for board effectiveness and risk management, refused to employ the concept.[9] To the shock of many in the bar, in 2014 the OCC proposed guidelines placed the legal department in the first line of defense, treating it as the equivalent to a revenue-producing line of business.[10] The view, apparently, was that the legal department created risk. Not surprisingly, the American Bankers Association as well as many other lawyers commented on the proposed guidelines, and this characterization was withdrawn.[11] The final OCC guidelines acknowledged that the legal department is not, with rare exceptions, part of the first line of defense.
Where Does the Legal Department Fit In?
Given its creation by the auditing profession, it is unsurprising that legal departments and general counsels, which have existed at most banking organizations since the New Deal, do not fit neatly into the new, post-financial crisis concept of the three lines of defense.[12] Within the bar, there is a well-developed understanding of the need for the independence of the general counsel and the legal department, as well as the fact that the general counsel reports to the board as well as the CEO.[13] It is also unsurprising that, in the immediate aftermath of the financial crisis, the federal banking supervisors would not feel the need to directly comment on or regulate the organizational or reporting line relationship of the general counsel in the same way they would the CRO or the CCO. Unlike CROs and CCOs, in-house lawyers are already regulated by their state bar associations. They are licensed members of a bar association with requirements to pass exams, follow binding ethics rules, and complete continuing education requirements. The ethics rules are not voluntary guidance, as is the case with risk and compliance professionals, but are binding requirements, supervised by an independent force; in the United States, in-house lawyers can be disbarred or sanctioned by their state bars. The regulatory structure around lawyers is ancient and largely applies at the state level. Federal agencies have largely stayed out of the business of regulating the legal profession.[14]
By sharp contrast, the professional roles of the CRO and CCO are relatively new. There are no licensing standards for entry into the profession, and there is not a long history of independence or reporting to the board.[15] Ethics rules are voluntary and come after taking an online course. The fact that the banking supervisors did not assign the general counsel a board committee or did not state that the legal department is an independent function does not take away the pre-existing nature of the general counsel’s relationship with the CEO and the board and the legal department’s role within the enterprise, which are driven by the ethics rules and the nature of the practice of law.[16] In essence, the best way to think about it is that the banking supervisors were bringing risk management up to the independence of the legal department.
The adoption of the three lines of defense within banking organizations, along with the enhanced intensity of supervision and the spate of large fines and enforcement orders, some of them criminal, on banking organizations, has quite appropriately led to a sharp increase in risk management and compliance professionals at banking organizations.[17] By comparison, there has been a limited increase in the number of in-house lawyers. Quality public figures for the personnel of the banking agencies are hard to come by, but it is apparent that there has been a larger increase in supervisory staff at the banking agencies, while the banking agency legal departments have grown only slightly. At the same time, the banking supervisors have pushed for compliance to be moved out of the legal department at banking organizations and into the newly expanded risk-management departments. This pressure has happened behind closed doors, without any public notice and comment, with little to no active oversight by agency principals and without any meaningful transparency or public accountability, which is essential to the proper functioning of any democratic system of government.[18] Today, almost all of the large banking organizations have placed compliance within risk, while most of the smaller banking organizations keep it within legal.
Professional Silos and Cultural Mistrust
There is a cultural problem of professional silos that has led to mistrust and misunderstandings as one silo looks askance at the work of the other silo. The mistrust begins within the supervisory staff at the banking agencies. The Federal Reserve and the OCC have long been understood to be economist-dominated organizations with relatively small legal staffs of their own. In sharp contrast, the DOJ and the SEC have long been understood to be lawyer-dominated organizations.[19] At some of the banking agencies, there has long been a view by the supervisory staff that their own legal departments should not be involved in policy decisions. Some have taken the view that the agency legal department works for the supervisory staff. There has also been a practice at some of the banking agencies, until recently, that guidance and supervisory letters are published without the agency lawyers commenting on them before publication. This scarcity of lawyers within the banking agencies, and the relative lack of authority and independence of some of the legal departments, is an attitude that former supervisory staff take with them to the private sector when they take jobs in risk, compliance, and audit, as well as in consulting.
Outside counsel have long been scorned by the supervisory staff and deliberately excluded from calls and meetings except in the limited arenas of enforcement.[20] A relatively new trend is agency supervisory staff insisting upon the exclusion of in-house lawyers from supervisory meetings. Another new trend is for compliance or regulatory affairs (when it does not report into the general counsel) to negotiate memoranda of understanding or enforcement orders without bringing in the in-house legal function or the agency legal staff until late in the process.[21]
Since the financial crisis, there has been a growth in the mutual mistrust across professional silos. The supervisory staff view lawyers as withholding of facts, engaging in unsupported defense of the organization’s conduct without regard to the overall situation, overusing attorney-client privilege, careless about conflicts, and weak on pushing back on the business.[22] The bar views the supervisory staff as having forgotten that we live in a constitutional democracy with the rule of law and limited powers of agency staff. There is a deep concern in the bar about the overuse of confidential supervisory information and supervisory discretion. It is not uncommon to hear in-house lawyers speak of Kafka,[23] the Star Chamber,[24] or living under a dictatorship. The cross-cultural mistrust is not healthy.
Part II: The Dangers of the Current Path
The current path is a dangerous one for the ability of banking organizations to be effectively counseled and advised on the law at a time of increasing complexity in the legal framework. The path is also unwise for the banking agencies themselves, where the balance between safety and soundness and prudential regulation on the one hand, and the rule of law on the other, has gone askew. A generation of the supervisory staff has been wrongly trained to believe that safety and soundness transcends the legal framework and that they have the ability to act under their “inherent power,” without limits on their individual discretion. Sometimes, senior supervisory staff told examination staff that they “own” any business problems. Lawyers know that no agency of the federal government has any power that is not given to it by an enabling statute; indeed, safety and soundness itself derives from a statute and is part of the law, not outside of it. In our constitutional separation of powers, there is no such thing as a federal agency with “inherent powers.” The fault here lies not with the examiners but with an almost negligent lack of training of the examiners by agency principals and senior supervisory and legal staff. One first place to begin is to provide training on the rule of law, which is not about imposing court-like hearings on every supervisory decision. It is about regaining the understanding that we are governed by a public set of rules that apply equally to all in a process that is fully transparent and therefore accountable to the public, not by ad hoc standards that can be determined by individual discretion behind closed doors without any meaningful transparency or accountability to the public.
As Shakespeare’s advice teaches us, and as experience has shown time and again, killing the lawyers is the crucial first step of any dictator. In today’s environment, an authoritarian can rule a fiefdom within the corporate structure or within the agency. The relatively bloodless modern corporate and supervisory variant on killing all the lawyers is to exclude or diminish the role of lawyers and the rule of law, both within the banking agencies and within the banking organization itself. In good times, business leaders, risk-management professionals, and supervisory staff may wish to do without the lawyers who, in their view, get in the way of swift decisions and who have a troublesome tendency to remind both their corporate bosses and supervisory staff when they are operating outside the bounds of the law or too near the fuzzy boundaries of the complex legal framework. In bad times, however, those same people suddenly realize that they need a strong legal team and the rule of law.[25] In fact, the path to safety and soundness is best achieved by strengthening the legal department within the agencies and within the banking organizations—not by containing the legal function into a smaller space.
At the moment, there are four main methods by which the independence and stature of legal departments is threatened with diminishment: (1) limiting the budget and resources available to the legal department, (2) narrowing the view of the role of lawyers, including regional banking supervisors pushing to exclude in-house lawyers from supervisory meetings or examination responses, (3) tolerating multiple poles of legal interpretation and judgement within the banking organizations, and (4) profoundly misunderstanding the role of the attorney-client privilege in permitting candid conversations.
Limits on Budget and Resources
Restraints on the budget and resources of the legal department, beyond that which is imposed on other enterprise functions, is one way to limit the role of in-house lawyers. Lawyers are visibly expensive in-house talent, and the outdated view of the legal department as largely serving to cut costs incurred by outside law firms has made it easy to limit the budget and resources of the legal department. At the same time, the recent cycle has seen a major increase in the budget and resources of the risk-management and compliance functions.[26] Imagine three nearly identical houses in a small-town neighborhood. Two of the houses, risk and compliance, have benefited from a regulatory command to increase their budgets, resources, and independence. The houses have had major additions, they have been updated for technology, the kitchens have been modernized, and there is a shiny new car in the driveway. In contrast, the legal department house has been lived in by an elderly couple on a fixed income who have been forced by their lack of resources to do only the minimum of upkeep. The underinvestment in technology for in-house legal departments is the most fundamentally striking aspect, especially in light of the massive amounts spent on digital transformation elsewhere in the organization.[27]
There is also a misunderstanding by some of what costs should be genuinely attributed to legal departments. If, as a result of actions in a business line, a reserve must be taken or a large fine or settlement paid, that is not a cost of the legal department. It is a cost created by the business line. Many in-house budgets make this distinction, but its nuance is lost in the media and in the minds of many not familiar with the management of legal risk. Another element that is lost is the use of consultants by risk and compliance as a substitute for legal advice. Many times these services are, in fact, the unauthorized practice of law without the guardrails imposed by legal ethics or the knowledge of how to interpret the hierarchy of the legal framework. As I have written elsewhere, I am not a purist in the unauthorized practice of law.[28] Substituted legal advice by consultants, however, which is neither tracked as part of the legal spend since the hiring is done by risk and compliance nor, more importantly, supervised by any internal lawyers, distorts both the legal spend and the quality tracking of legal advice that is implemented throughout the organization by policy or otherwise. Oftentimes, this substituted legal advice is marketed as “regulatory advice.” Regulations and guidance are not distinguishable from law; they are part of the law. As I have acknowledged elsewhere, there is a clear benefit to having regulatory readers, but the near complete lack of supervision by any lawyers risks compliance violations within the banking organizations. These compliance violations exist both due to the misreading of the legal framework, and due to the banking organizations and the banking agencies permitting the unauthorized practice of law by nonlawyer supervisors and consultants.
Tolerate Multiple Poles of Legal Interpretation and Judgment within the Organization
Most banking organizations have a clear policy that lawyers and the legal department should own the ultimate legal judgment and interpretation for the banking organization, but in practice, multiple competing poles of legal interpretation and judgment have been permitted to flourish within the organization in recent times. The separation of legal and compliance has led to confusion by many within the organization about the interpretations of the legal framework. For many, the former lawyers or nonlawyers in compliance are a source of legal judgement, and any tension or distance between legal and compliance creates an arbitrage opportunity for forum shopping for a more business-friendly answer (if sought by the business) or a less business-friendly answer (if sought by risk or audit).[29] There has also been an unfortunate tendency of some in the newly formed compliance profession to increase their own professional standing by advocating for oddly limited roles for lawyers.
The increase in the complexity of the legal framework has also led to an increase in sophisticated regulatory readers: those within the organization such as in Treasury, regulatory relations, and the risk function who must read the legal framework as a core part of their job. The fundamental tension between the bar and the regulatory readers is that lawyers read the legal framework from the top down, beginning with the statute, moving to the regulation, then guidance, with analysis infused by important principles of legal interpretation. Regulatory readers, by contrast, read the legal framework from the bottom up, beginning with guidance, moving to regulations, and then looking at the statute and using the practical tools of normal reading, even though they are often inapplicable in the legal framework. Combined with the tendency to look up answers by unreliable googling, these different ways of reading encourage multiple competing interpretations within the banking organization. Legal interpretation is not like ordinary reading, and regulatory readers need basic training on the difference.[30] I have written in detail about this cultural mismatch elsewhere.[31] Finally, the growth of the consultant-industrial complex and the large budgets that have been given to the risk function and the compliance function over the last 10 years has led to a situation where many consultants are, in effect, giving untrained legal advice under the guise of “regulatory advice.” That advice impacts risk decisions and technology without any oversight by the legal department or any trained lawyers.
Narrow View of the Role of Lawyers
Another dangerous tendency is to take a narrow view of the role of lawyers and exclude them from meetings or decision making. Part of this may be driven by the shortage of trained and experienced in-house lawyers in the financial regulatory space, but this narrow view is also driven by other root causes, some of which are barely appropriate in a constitutional democracy. There has been a recent push by some regional banking supervisors across a range of sizes of banking organizations to deliberately and loudly exclude in-house lawyers from supervisory meetings and to narrow the role of the in-house legal department to one of pure advocacy. The view of in-house lawyers as solely about advocacy is fundamentally mistaken. The result is to diminish the stature and independence of the legal department vis-à-vis the risk-management function, the compliance function, and regulatory relations (to the extent it does not report to legal). There is a lot of jostling at the top for the role of trusted advisor, and many within a large organization have their own institutional or self-interested reasons for excluding the lawyers from the room.
Suspicious View of Attorney-Client Privilege and Constraints on Candid Conversations
Another way to narrow the scope of legal representation is to narrow the scope of attorney-client privilege or to otherwise limit candid conversations within the banking organization. In the banking sector, the agencies, with the agreement of their general counsels, have long taken the view that attorney-client privilege does not apply in the supervisory context. In this view, they are at odds with other agencies such as the DOJ and the SEC. As a memo from multiple law firms has argued, the statutory basis for this claim is shaky at best. In reality, the legal departments of most banking organizations appropriately waive attorney-client privilege in the supervisory context for good and valid reasons.[32] In response to that memorandum, the OCC revised its examination handbook to make it easier for examiners to overcome attorney-client privilege.[33] The cultural mismatch and mistrust is real. There has, however, grown to be a critical cultural point. Regulatory readers and banking supervisors have been under-briefed on the role of the attorney-client privilege in a constitutional democracy. As a result, in these days of competing poles of legal interpretations within banking organizations, some outside of the legal department may have been misusing the concept of attorney-client privilege because of their confusion about its role and nature. It is important to reset these misunderstandings. A major reason for the confidentiality of the supervisory relationship is to encourage candid conversations. The attorney-client privilege serves the same goal.
There are other constraints developing on candid conversations within the banking organization. It has long been understood that all e-mails are subject to being read by the banking supervisors. What is not so widely understood is a push to keep change logs of drafts of materials created within the banking organizations. In a world of track changes and multiple comments by rushed people who are multitasking, it may come as a surprise that comments on drafts are being kept just in case the banking supervisors might want to view them. This is happening both in consent order remediation and otherwise, and both in an attorney-client privileged environment and otherwise. It seems to be happening without much forethought.
Part III: A Path to a More Stable Solution
The current path of mistrust and misunderstanding is a poor way to manage legal risks in the banking sector, and it could become much worse with the digital transformation. There should be a rethink within the banking agencies and banking organizations about the role of the legal department and lawyers. There also must be a truce between banking supervisors and risk-management professionals on the one hand, and the legal profession on the other, which will require openness to understanding each other’s professional silos on both sides. In this section of the article, I set forth some recommendations for a more stable equilibrium and a better path to the digital transformation. I will suggest best practices and actions within the banking organizations and by banking supervisors as well as some ways to foster better working relationships among the professional silos. We should also be conscious that there are no innocents here. The organized bar and lawyers have been both too self-protective and asleep at the switch. Risk-management and compliance professionals have been aggressively engaging in the unauthorized practice of law. Supervisory staff have been poorly trained about our constitutional form of government and the rule of law and are happy to exclude those who might challenge their position of “inherent authority.” Risk and compliance professionals have their own institutional or self-interested incentives to limit the role of in-house lawyers both at meetings and in legal interpretation. Agency principals have not, until recently, been paying enough attention to the links among transparency, public accountability, democracy, and the role of lawyers for many years. It is not enough for agency principals to assert that they have really smart people working for them, which is certainly true, and therefore these really smart people will know to do the right thing, which history tells us is very much not true.
Within the Banking Organization
1. Independent Legal Department and General Counsel Reporting Lines
There should be a recommitment to an independent and well-resourced legal department, with an explicit general counsel reporting line to the board as well as the CEO. There should be a clear tone from the top that the general counsel and the legal department have the appropriate stature, budget, and resources. It has long been accepted as a best practice, at least in theory, that the general counsel reports directly to the CEO and to the board, and that the legal department is an independent control function. In the United States, in-house lawyers are full members of the bar, have passed at least one bar exam, are regulated and licensed by the appropriate state bar, and subject to ethics obligations. In practice, however, it is easy to fall into a path of passively undermining the independence of the legal department and the general counsel by viewing it primarily as a cost center and not as the manager of legal risk, and by limiting its technological resources and budget. Moreover, the stature of the legal department is passively undermined when it is not made clear that the general counsel has a dotted reporting line to the board and that she and her delegates are solely responsible for the reporting on legal risks to the board. It is not appropriate, for example, for other functions to report on legal risk to the board. It is an unintended consequence of the federal banking regulators’ focus on the independence, stature, and budget of the risk function and the separate compliance function that legal departments, by comparison, have been diminished. It would be better if boards made this clear as part of their oversight of risk governance.
2. Tighter Coordination Among Risk, Legal, and Compliance
There should also be a renewed commitment to tighter coordination among legal, risk, and compliance functions, with a clear view that although there may be many regulatory readers, only the legal department and the general counsel can make the ultimate legal judgements.[34] This tighter coordination should also involve more legal oversight and supervision of outside consultants and technology vendors hired by risk and compliance, who are providing advice that is mischaracterized as “regulatory advice” but which actually involves legal interpretation and judgment not supervised by lawyers. A new equilibrium should be established that acknowledges the existence of multiple regulatory readers but that also makes clear that there are not coequal, multiple poles of legal interpreters within the organization. The right answer for complex legal risk and legally infused reputational risks is not that any person who can read and Google can assess legal risk. Another path to a solution is tighter coordination among legal, risk, and compliance both on the alignment of interpretive views as well as the hiring of outside vendors and consultants who are regulatory readers. There should be a reaffirmation of the important principle that although there quite appropriately may be many regulatory readers, only the legal department and the GC can make the ultimate legal judgments. This tighter coordination also should involve more legal department input, and sometimes supervision of, the “regulatory advice” that is infused with legal interpretations and provided by outside consultants and vendors to risk and compliance, and greater coordination of the budgets so that outside consultants and vendors are not duplicating work by internal legal and outside lawyers.
Within the Banking Supervisors
The supervisory staff at the banking agencies have grown to mistrust and dislike lawyers and the in-house legal function, whether at a banking organization or within their own agency. With the increase in the complexity and intensity of the legal framework, the move to compliance with law examinations, and the coming wave of digital transformation, a reset is necessary. Many of the banking supervisors’ concerns are mitigated by strengthening, not weakening, the banking organization and agency in-house legal department.
1. Tone at the Top
The principals of the banking agencies should communicate a clearer tone from the top about the rule of law, due process, and data-driven evidence. Many of the current principals are both lawyers and banking supervisors and are in an excellent position to help bridge the professional and cultural silos that have developed.
2. Strengthen the Agency Legal Divisions
The critical shortage of lawyers within the banking agencies as well as the relative lack of budget and resources for the agency legal departments has exacerbated the problem of mistrusting lawyers. Wherever the happy medium between the lawyer-driven and economist-driven agencies should be, there is no doubt that the banking agencies suffer from a shortage of legal services. A side effect of this internal shortage of legal staff is that the supervisory staff has no choice but to publish guidance and take decisions about compliance with law examinations or matters requiring attention without sufficient access to their own legal advice.[35]
Better Communication and Training
Another side effect is the lack of training for supervisory staff on the legal framework. Training on the legal framework has been nonexistent or devolved to the regions.[36] As set forth below, cross-professional silo training is a key to finding a solution. I have previously written about how the hierarchy of the legal framework can be misunderstood by the many regulatory readers and even some digital native lawyers.[37] There should be a commitment to appropriately train all nonlawyer personnel, vendors, and consultants who are regulatory readers.[38] Basic training should be implemented to help regulatory readers understand the hierarchy of authority within the legal framework, the basic legal interpretive principles, the risks associated with free internet legal sources, including material available on agency websites, and when to consult an experienced lawyer. It does not take three years of law school to get the basics.[39] The medical profession has long accepted the need for nurses and other assistants. The key difference is that when the nurse gives us an injection, we know that he has been trained to do so. In the clash of the silos among risk, compliance, supervisory, consultants, and legal professionals, however, that lesson has been lost. Legal interpretation is not like normal reading, and knowing how to read is not enough to interpret the law. A clear understanding of the hierarchy of the legal framework and the basics of legal interpretive canons is needed. There is no reason not to widely share this knowledge. The rise of risk management and compliance has even led to college majors in this area. Strikingly, descriptions of college majors in compliance mention accounting, economics, and statistics but nothing about the law. Popular trade association certifications for risk and compliance professionals contain little or minimal training on the law.[40]
The legal profession has not helped itself by its lack of focus on basic legal training for nonlawyers. Just as lawyers who enter the corporate world need basic training in accounting without becoming CFAs, those who work in risk and compliance need a better understanding of the legal framework. More cross-silo training is urgent for the digital transformation. Many nonlawyers believe that if only the legal rules were clearly known, all will be well in transforming them into augmented intelligence. That will be true for those legal rules that are clear, but for the many legal norms that are deliberately ambiguous and which balance social and economic trade-offs, natural language and augmented intelligence will not be the advance that so many believe.
By the Legal Profession
Recalling the SEC’s appearing and practicing rules, and even worse, the OTS’s early 1990s aggressive foray against Kaye Scholer, many lawyers take the view that it is better that the federal banking regulators do not, as they do with risk and compliance, attempt any direct regulation of legal departments.[41] It is also the case that lawyers, at least in the United States, are directly regulated by state bar requirements with binding professional ethics obligations and do not need an additional federal regulatory overlay. There is a naivety in this belief, and lawyers, including the organized bar, must be aware that continuing to ignore the growing regulatory trends is hurting them rather than helping them.[42] If in-house lawyers do not define themselves, they will be defined by others in the organization who have every incentive to push the contradictory lines that “lawyers are not special” or that lawyers are limited to advocacy. In reality, the exercise of legal judgement is special, and lawyers are not limited to advocacy. That said, the argument that lawyers are “special” can be taken too far.
Conclusion: Toward a Peace Treaty
The current situation of mutual mistrust, diminishment of the in-house legal function, silence by the organized bar, and lack of training in the legal framework for supervisory staff as well as lack of understanding of the basic principles in risk management by lawyers must stop. It is time for a peace treaty. That means more cross-training, more conversations to understand the other professional silos, and more working together within the organization, not less. The time to do so is now because the next step is augmenting basic legal interpretation by algorithms. If we are not doing it properly in human brains, how will the algorithms know, and who will train them? We need to fix the situation now.
* Margaret E. Tahyar is a partner in Davis Polk’s Financial Institutions Group. The author wishes to thank all of her many colleagues who have commented on this article, most especially the in-house lawyers and agency and supervisory staff, in particular Tyler X. Senackerib, who helped with the research for this piece. This article reflects the views of the author and does not necessarily reflect the views of Davis Polk & Wardwell LLP. All errors and any sentences that cause any person to take offense are solely the fault of the author.
[1] See Thomas C. Baxter, Jr., The Rise of Risk Management in Financial Institutions and a Potential Unintended Consequence—The Diminution of the Legal Function, Bus. L. Today, Apr. 2, 2019.
[2] Emma Cueto, ‘Age of the CLO’ Sees Counsel’s Influence Expand: Report, Law360, Jan. 30, 2019.
[3] Tom Baxter has also made this point. See Baxter, supra note 1.
[4] Michael Barr, Howell Jackson, & Margaret Tahyar, Financial Regulation: Law and Policy Ch. 1, 8 (2d ed. 2018).
[5] Office of the Comptroller of the Currency, Comptroller’s Handbook: Corporate and Risk Governance (July 2016); Proposed Guidance on Supervisory Expectation for Boards of Directors, 82 Fed. Reg. 37,219 (Aug. 9, 2017).
[6] 12 C.F.R. § 252.33(b)(3)(ii).
[7] See, e.g., U.S. Department of Justice, Criminal Division, Evaluation of Corporate Compliance Programs (Apr. 2019); Office of the Comptroller of the Currency, Comptroller’s Handbook: Consumer Compliance (June 2018); Consumer Compliance Examinations—Compliance Management System, FDIC Consumer Compliance Examination Manual (June 2019).
[8] The three lines of defense was created by the U.K. auditing profession and designed to bolster the role and independence of internal auditors. Soon after the financial crisis, it was adopted by the U.K. supervisors and enthusiastically embraced by internal auditors, risk management, and others outside of the legal profession who were, quite understandably, trying to enhance the reputation and professionalism of their skillsets.
[9] Proposed Guidance on Supervisory Expectation for Boards of Directors, 82 Fed. Reg. 37,219 (Aug. 9, 2017).
[10] OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches; Integration and Regulations, 79 Fed. Reg. 4,282, 4285 (Jan. 27, 2014).
[11] Comment Letter in Response to OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches; Integration and Regulations, American Bankers Association, Financial Services Roundtable, SIFMA and the Institute of International Bankers (Mar. 24, 2014).
[12] Indeed, some have begun to question the utility of the lines of defense, and there is now a greater reliance on the senior management regime. IIA Launches Global Review of ‘Three Lines of Defense,’ The Institute of Internal Auditors (Dec. 5, 2018). The Federal Reserve’s more recent proposed management effectiveness guidelines, which do not use the three lines of defense, illustrate this trend. Proposed Guidance on Supervisory Expectation for Boards of Directors, 82 Fed. Reg. 37,219 (Aug. 9, 2017).
[13] The literature is vast. Two of the very best are: Ben Heineman, The Inside Counsel Revolution: Resolving the Partner-guardian Tension (2016); Thomas C. Baxter, Jr. & Won B. Chai, Enterprise Risk Management Where Is Legal and Compliance?, The Banking L. J. (Jan. 2016).
[14] Lawyers are by and large still a self-regulated profession, although there are some federal agencies that regulate lawyers in limited ways. For example, the SEC implemented regulations governing the professional conduct of attorneys who appear and practice before the agency. 17 C.F.R. § 205 et seq. In contrast, accountants are regulated in many ways by the SEC through its oversight of the Financial Standards Accounting Board, which promulgates U.S. generally accepted accounting principles, and the Public Company Accounting Oversight Board, which oversees the audits of public companies.
[15] A hodgepodge of certifications are available for compliance and risk professionals, most of which are offered by for-profit industry trade groups. Although there are a few exceptions, the certifications are generally based on past work experience and passing a multiple-choice exam that is often based on online study materials without any live instruction or training. Many of the programs attempt to describe the relevant laws and regulations, but they provide light to nonexistent training on the overall legal framework or legal reading. Margaret E. Tahyar, Legal Interpretation is Not Like Reading Poetry—How to Let Go of Ordinary Reading and Interpret the Legal Framework of the Regulatory State (2019).
[16] There is vast, confusing, and irrelevant literature comparing the in-house legal function to that of outside law firms. The role of independent outside counsel does not mean that the internal legal department does not play a role within the corporation as independent as that of the risk function and the compliance function.
[17] Even in 2018, around 61 percent of financial institutions reported plans to increase their compliance budget, and 46 percent of large banks planned to grow the size of their compliance staff. Beecher Tuttle, Compliance Hiring and Pay to Increase, but Not Everyone Will be Winning, eFinancial Careers, June 29, 2018. This increase seems to have swung too far, and many banking organizations are now looking to automate many of these processes in the coming years.
[18] See Randall D. Guynn, A Case for Full Model, Scenario and Results Transparency in the Federal Reserve’s Stress Testing Process, Presentation at Stress Testing: A Discussion and Review, Federal Reserve Bank of Boston (July 9, 2019).
[19] Rory Van Loo, Regulatory Monitors, 119 Columbia L. Rev. 369 (2019).
[20] See William H. Simon, The Kaye Scholer Affair: The Lawyer’s Duty of Candor and the Bar’s Temptations of Evasion and Apology, 23 L. & Soc. Inquiry 243 (1998). As a result, there is a body of consultants, many of them former supervisors, who advise banking organizations on examination responses.
[21] On both the agency and banking organization sides, this trend raises serious compliance issues due to the unauthorized practice of law.
[22] To be fair, some of these complaints, such as those relating to conflicts, should be leveled solely at outside counsel, not the agency lawyers or in-house counsel who have only one client.
[23] Franz Kafka’s writings, such as The Castle, in which a man attempts to establish residency and work in a village only to be subject to a barrage of mysterious and impenetrable administrative decisions by the bureaucrats in the local castle, have given rise to the use of the phrase “Kafkaesque” to describe bureaucracies that are labyrinthine in their processes and unpredictable and incomprehensible in their decision-making.
[24] The Star Chamber was a court established in 15th-century England. By the time of its abolition in 1641, the Star Chamber had become infamous as a tool of political oppression and deeply arbitrary decisions.
[25] David Brooks, The Lawyers Who Did Not Break, N.Y. Times, Feb. 21, 2019.
[26] Some of that increase in budget and resources is not called into question, but fundamentally what is happening is a recalibration and automation. Legal department budget and resources are still far behind risk management and compliance.
[27] The legal trade press is full of articles by in-house counsel calling upon law firms, themselves thinly capitalized, to develop legal technology, but the technology needed by an in-house legal department and that used by a law firm to provide more efficient advice to a company would be different. The technology budget at J.P. Morgan is approximately $11.4 billion. Michelle Davis, Dimon Sounds a Cautious Note as JPMorgan Prepares for Recession, Bloomberg, Feb. 26, 2019. The largest law firm in the United States had revenues of $3.76 billion in 2018. Ben Seal, The 2019 Am Law 100: Gross Revenue, Am. Law., Apr. 23, 2019. This mismatch speaks volumes about the false consciousness of the legal trade press. Its call is more a result of the lack of appropriate resources for the legal department than any realistic hope that law firms will create the technology.
[28] Margaret E. Tahyar, Legal Interpretation is Not Like Reading Poetry—How to Let Go of Ordinary Reading and Interpret the Legal Framework of the Regulatory State, Bus. L. Today, July 24, 2019.
[29] One area of concern is the maintenance of a regulatory inventory or regulatory change management. In some banking organizations, it is run by compliance, and lawyers play a secondary role, if they are involved at all. The wiser banking organizations have created structures where legal and compliance collaborate.
[30] Tahyar, supra note 28.
[31] Id.
[32] Memorandum regarding Bank Regulators’ Legal Authority to Compel the Production of Material That Is Protected by Attorney-Client Privilege, Cleary Gottlieb Steen & Hamilton LLP; Covington & Burling LLP; Davis Polk & Wardwell LLP et al. (May 16, 2018).
[33] Office of the Comptroller of the Currency, Comptroller’s Handbook: Litigation and Other Legal Matters (Version 1.1, Dec. 2018).
[34] Tahyar, supra note 28.
[35] Former banking agency staff have informed the author that supervisory guidance in the last few years has frequently been issued with no review by agency lawyers.
[36] Richard K. Kim, Patricia A. Robinson & Amanda K. Allexon, Financial Institutions Developments: Revamping the Regulatory Examination Process, Wachtell, Lipton, Rosen & Katz (Nov. 26, 2018).
[37] Tahyar, Legal Interpretation is Not Like Reading Poetry—How to Let Go of Ordinary Reading and Interpret the Legal Framework of the Regulatory State, Bus. L. Today, July 24, 2019.
[38] See Guidance, Supervisory Expectations, and the Rule of Law: How Do the Banking Agencies Regulate and Supervise Institutions?, Hearing Before the United States Senate Committee on Banking, Housing, and Urban Affairs, Statement of Margaret E. Tahyar (April 30, 2019).
[39] See id. The author began her legal career as a paralegal after taking a paralegal certificate course of several weeks.
[40] For example, the American Bankers Association Certified AML and Fraud Professional requirements do not cover basic understanding of the legal framework or legal reading. The materials for the privacy specialist certification are a jumble on the legal framework.
[41] In the early 1990s, the then-OTS froze the assets of Kaye Scholer after a disagreement about advocacy in the examination context. Michael Barr, Howell Jackson & Margaret Tahyar, Financial Regulation: Law and Policy Ch. 8 (2d ed. 2018).
[42] Thomas C. Baxter, Jr., The Rise of Risk Management in Financial Institutions and a Potential Unintended Consequence—The Diminution of the Legal Function, Bus. L. Today, Apr. 2, 2019.
