Fed reiterates supervisory guidance on risk management
On December 10, the Federal Reserve Board announced SR Letter 21-19, which reiterates the Fed’s supervisory expectations for large banks’ risk management practices related to investment funds. The letter applies to institutions supervised by the Fed that have large derivatives portfolios and relationships with investment funds, and follows a review by the Fed of the high-profile default and failure of one investment firm, which resulted in losses of more than $10 billion for several large banks. Among other things, the Fed warned firms that poor communication frameworks and inadequate risk management functions hinder their potential to identify and address risk, and that “[r]isk management and control functions should have the experience and stature to effectively control risks associated with investment funds.”
The Fed also reminded firms that, consistent with the guidance in Interagency Supervisory Guidance on Counterparty Credit Risk Management, they should: (i) “[r]eceive adequate information with appropriate frequency to understand the risks of the investment fund, including position and counterparty concentrations, and either reconsider the relationship or set sufficiently conservative terms for the relationship if the client does not meet appropriate levels of transparency”; (ii) “[e]nsure the risk-management and governance approach applied to the investment fund is capable of identifying the fund's risk initially and monitoring it throughout the relationship, and ensure applicable areas of the firm – including the business line and the oversight function – are aware of the risk their investment fund clients pose to the firm and have tools to manage that risk”; and (iii) “[e]nsure that margin practices remain appropriate to the fund's risk profile as it evolves, avoiding inflexible and risk-insensitive margin terms or extended close-out periods with their investment fund clients.”
Delaware Chancery Court rules hotel corporation plaintiff failed to allege particular facts
On October 5, the Court of Chancery of the State of Delaware dismissed a stockholder derivative suit filed against directors of an international hotel corporation arising out of a massive data breach. The court held that the plaintiff was not excused from making a demand on the board because he failed to show that the directors faced a substantial likelihood of liability on a non-exculpated claim.
The data breach, which exposed the personal information of approximately 500 million customers, took place via the reservation database of a property company that the corporation had acquired two years prior. The plaintiff alleged that the directors breached their fiduciary duties by failing to adequately conduct due diligence of cybersecurity technology for the property company in the pre-acquisition time period. For the post-acquisition period, the plaintiff alleged that the defendants continued to operate the property company’s deficient systems, failed to timely disclose the data breach, and that the directors breached their duty of loyalty under In re Caremark Int’l Inc. Derivative Litigation, a 1996 Delaware Chancery Court decision establishing a standard for oversight liability for board members.
With respect to the pre-acquisition time period, the court held that the plaintiff’s claims were time-barred and that there was no basis for tolling. As to the post-acquisition claims, the court concluded that the directors do not face a substantial likelihood of liability under Caremark. Although the court noted that “[c]ybersecurity has increasingly become a central compliance risk deserving of board level monitoring at companies across sectors,” the allegations “do not meet the high bar required to state a Caremark claim.” According to the court, the plaintiff has not shown that the directors completely failed to undertake their oversight responsibilities, turned a blind eye to known compliance violations, or consciously failed to remediate cybersecurity failures. The court acknowledged that the data breach was “momentous in scale and put the data of hundreds of millions of people at risk,” but concluded that the actions were “at the hands of a hacker,” saying that “[the corporation] was the victim of an illegal act rather than the perpetrator.”
FDIC finalizes securitization safe harbor
On January 30, the FDIC adopted the Final Rule to Revise Securitization Safe Harbor Rule (rule) as recommended by FDIC staff in a memorandum dated January 23. In July, as previously covered by InfoBytes, the FDIC approved a proposal to remove the requirement that, for safe harbor treatment, “the documents governing a securitization issuance require compliance with Regulation AB” of the SEC, “in circumstances where Regulation AB is not, by its terms, applicable to that transaction.” The proposal suggested that “it is no longer clear that compliance with the public disclosure requirements of Regulation AB in a private placement or in an issuance not otherwise required to be registered is needed to achieve the policy objective of preventing a buildup of opaque and potentially risky securitizations such as occurred during the pre-crisis years, particularly where the imposition of such a requirement may serve to restrict overall liquidity.” The final rule—which is unchanged from the proposal—eliminates the “significant disclosure requirements” so that private placements of securitization obligations are no longer required to provide Regulation AB disclosures. With the adoption of the final rule, only those transactions that are subject to Regulation AB are required to make the disclosures. The rule is expected to increase the securitization of residential mortgages and will become effective 30-60 days after it is published in the Federal Register.