LEGAL RISK MANAGEMENT IN A CRISIS
For the first time since the last financial crisis started in August 2007, issues of systemic financial risk have come to the fore. Legal analysis, and an assessment of legal rights, obligations and liabilities, is vital for the efficient functioning of compliance, risk management and strategic decision-making at financial institutions in a crisis environment. Without adept legal risk management, firms can face institution-threatening exposures and liabilities, miss major opportunities to manage or mitigate risk and incur unnecessary expenses. Ensuring an effective system requires the integration of legal advice and perspective into all aspects of decision-making. This short paper seeks to address how to manage legal risk effectively in the four key circumstances in which it arises:
ensuring proper management interactions between all control functions;
managing the overlap between legal and compliance;
ensuring adequate legal thinking in "risk"; and
managing the feedback loop with internal audit.
Proper integration of legal into risk and compliance, and a strong interaction with internal audit, plays an important role in minimizing an institution’s potential exposure to regulatory and other liability. The control functions, legal, compliance, risk and internal audit, are all vital to the business. They should interact at different levels, and each should have a direct line of report to the board or a committee of the board, since that helps to guarantee their independence.
It is important that the board establishes a relationship of trust with the control functions. This can be developed by fairly regular personal contact between the heads of the control functions and a non-executive board member—perhaps the most appropriate member in this context would be the chair of the risk or audit committee. The board member will also generally seek to know the next line down in each function, so that the structure clearly permits personnel to push matters up the chain. Effort needs to be made to ensure those involved are comfortable with this approach and that there is sufficient trust for it to work. It also gives board members the ongoing opportunity to assess the quality of the leadership of the control functions.
In addition, the control functions of risk, compliance, legal and internal audit ought to be meeting regularly amongst themselves so that each can learn and issue spot matters important to the other, heading off issues and managing them on a cross-disciplinary basis early on. Meetings should be held both formally, at scheduled times, and informally, on an ad hoc basis, so that all involved feel comfortable in sharing ideas, best practices, and issues they have spotted. These meetings should be encouraged at all levels; meetings between senior personnel are clearly important, but collaboration at the more junior end can often head off problems at an early stage. Properly managed, this should significantly reduce the possibility for a box-ticking culture to take root.
Such an approach means a number of touch points for the legal department:
It should be represented in the various risk fora within firms.
It should involve itself actively in the work of compliance departments and their related risk assessments. While there are a few specific legal-owned risks in any institution (e.g., litigation, contractual interpretation), most risks allocated to compliance have a legal flavor—and many other control function risks do also. It is important that the legal department should be involved in risk assessments which would facilitate direct inquiry and discussion with the business and other control groups focusing on current risks and horizon-scanning.
The legal function needs to ensure it adopts a holistic approach, which takes into account a practical understanding of the firm’s transactions, as well as relevant areas of law. Firms should avoid an approach which is overly specialist without the surrounding levels of understanding of the practicality of a firm’s business.
It is vital to remember the necessity for integrated legal input in these areas and beyond. The current circumstances may require adjustments to be made. For some, the prospect of adding additional legal expense to existing architecture may be hard to swallow. Such a mindset can be enhanced by a perception of the inevitability of the status quo for some institutions, which may fear dynamic re-adjustment in this context and any moves that might be out of step with what they have perceived to be the position of the rest of the industry on legal and regulatory matters. Such an impression may have been reinforced by the apparent satisfaction of regulators with the overall architecture of firms’ current arrangements and indeed by the making of certain regulations buttressing that architecture. Nonetheless, ensuring a central role for legal at all times repays the costs in terms of reducing risk and enhancing efficiency—and it potentially provides savings in identifying unnecessary workstreams or methods.
Through the compliance function, firms seek to ensure adherence to the requirements regulators impose on how firms conduct business. A central role of compliance is to advise on regulatory requirements; design and develop processes and procedures to ensure the firm complies with those requirements; and to test the operational effectiveness of those processes and procedures. It would be a mistake to attempt to establish a bright-line distinction between legal and compliance, with one department or the other “owning” a particular matter. The reality is that the best firms recognize that both departments must have an active role in all matters touching on these two disciplines, and should work collaboratively towards commonly-identified goals.
The rules and regulations applied by compliance departments have legal force through primary and secondary legislation, which means that financial regulations are ultimately a form of law, and legal analysis is essential. Legal analysis plays a pivotal role in interpreting the meaning of regulations and how best to apply them, and in day-to-day terms, legal analysis is an area in which the legal function should play a central role. This is true whenever regulations and any other form of law are being interpreted and whenever policies and procedures are being developed to ensure compliance with regulation.
Legal analysis is not just relevant in a contentious context. Of course, if an issue becomes contentious, its resolution takes place in legal proceedings, in which the rights or wrongs of the situation would be argued over by lawyers in front of a judge. Even then, however, the compliance department will likely have a role in providing to the counsel involved a full understanding of the firm’s practices; so, even in this most “legal” of areas, there should be no sense of one department claiming jurisdiction or dominion, to the exclusion of others.
However, legal analysis is also key to developing appropriate frameworks and processes and reviewing risks as well as resolving any issues that arise. Legal interpretations are critical to understanding regulation and achieving desired outcomes in the most efficient and effective manner. Otherwise, more efficient methods of achieving desired outcomes may be overlooked, and understandably, mistakes may be made if interpreting the law and predicting legal outcomes are not properly integrated or where the legal function is only fully engaged when matters are disputed.
The balance of involvement of the legal function has shifted over the years. For 20 years prior to the financial crisis, the legal functions of global financial institutions grew significantly. The legal function provided support across all facets of firms’ businesses and operations. Inevitably, in recent times, that support has focused on a firm’s transactions, both for itself and for its clients, as well as litigation and enforcement matters. Yet the recent emphasis on the use of legal analysis should not be allowed to mask its underlying role and importance.
Any proper evaluation of compliance needs, therefore, to involve the firm’s internal legal department. This point can be overlooked. Significant expense has been incurred on new post-crisis risk and compliance functions, adding staff and technology, and deploying consultancies to conduct audits and provide support to those functions. The Financial Times reported in 2015 on the increases in headcount and regulatory compliance costs of six of the largest banks. So there may be a reluctance to consider further dynamic adjustment. But the integration of legal analysis can add focus and reduce cost.
Structurally, the General Counsel should report to the CEO but have access to the Board, for instance, through private periodic meetings with the non-executive directors. However, the General Counsel also needs an active role in an integrated partnership with compliance. As a senior practicing lawyer with the ability to innovate and be legally thoughtful, the General Counsel should be at the center of early issue identification, strategic evaluation and decision-making. This does not necessarily mean that compliance should report ultimately to the General Counsel, as it does in some organizations, but there needs to be proper integration of legal thinking into compliance.
The role of Outside Counsel. The other aspect of legal support is the use of outside counsel. The value of outside counsel is their objectivity and the breadth of experience they bring (given that they will likely have other clients facing similar problems), and their ability to benchmark behavior across industries and draw on the expertise of a large multi-disciplinary legal organization with visibility across markets and geographies.
Compliance performs an invaluable function, and is intended to perform a different function from legal. The use of compliance within firms has evolved significantly since the 2007―08 financial crisis, which drove firms to establish new means of internal oversight. An extraordinary and unprecedented quantity of new regulations were made, the level, detail and extent of which are difficult for management to stay on top of, on an all-encompassing basis.
Compliance now stands as an integral part of firms’ businesses and as a separate discipline:
The compliance function gets into the operational details of the business in the way that most lawyers do not.
Compliance increasingly has a technology and systems component that lawyers do not seek to comment on, except from a legal perspective.
The compliance function has grown to be materially larger in size than the legal function, with a significant requirement for internal management across many non-legal areas, which is a function not necessarily performed by lawyers.
Many compliance officers have legal training, albeit they are not practicing lawyers, and are able to wrestle with what are essentially legal questions.
Some see lawyers as advocates and compliance as not. Conversely, some see compliance as being at risk of “front office capture,” which renders legal interaction key, and requires careful structuring of compliance reporting lines, authority and compensation.
Compliance functions are generally staffed by non-lawyers and some personnel who trained as lawyers. Historically, compliance departments often reported to the head of legal, but many of these departments now have separate reporting lines, reflecting their increased significance and scope following the financial crisis. The function typically reports directly to the Board through the Head of Compliance, on a dotted-line basis, as well as to the CEO. Such separate reporting potentially increases the risk that the legal function is not always involved in all issues where legal analysis and review is required—and therefore the involvement of the legal function needs to be addressed in another way.
Without great care, legal learning and authority can remain unidentified and unaddressed. Examples of situations where sophisticated legal analysis of a particular topic has proven crucial include:
Client money and assets issues, where regulations are based on heavily technical legal areas
An understanding of the operation of the U.K.’s client money and client asset rules in any particular circumstances, in addition to familiarity with the black letter of regulation, requires an understanding of: (i) relevant contractual provisions agreed with clients; and (ii) trust laws.
In the case of Lehman Brothers, for example, it was discovered after the financial crisis of 2007―08 that the firm had not properly followed the U.K.’s client money and client asset regime. Some clients, entitled to the protection of their assets, had those assets placed in unsegregated accounts; some clients with no entitlement to the protection of their assets had those assets placed in segregated accounts; and the Courts were asked to sort out the mess. Complex litigation ensued. The U.K. conduct regulator, the FCA, launched an in-depth review on all client money firms, imposing large fines on major banking institutions. For example, one institution was fined £33 million in 2010, and another was fined £126 million in 2016.
Cross-border issues, where conflicts of law questions abound:
The legal complexity of cross-border business and the overlay of different legal and regulatory systems require detailed legal analysis.
Highly-complex, multi-faceted transactions, whether financing, M&A transactions, securitizations or project financing typically require additional internal and external legal resource, coordinated by the legal department.
Technical and Specialist law:
Legal specialization is required in technical areas, both contentious and non-contentious. This includes planning and horizon-scanning, as well as responding to situations as they arise. Examples include regulatory, tax, employment, antitrust and other specialist areas. Input will often involve coordination across legal, compliance and external advisors, including accountants and auditors.
Issues arising from market and other changes:
Evolving compliance situations often require heavy legal input, for instance, recently in relation to cryptocurrency, initial coin offerings and other fintech innovations, developments in AML requirements and in sanctions, for instance, in relation to Russia and Iran
Laws and regulations need to be interpreted in accordance with legal reasoning techniques that derive both from rules and principles, but also their practical application in a legal context, meaning that a purely literal reading of provisions is often misleading. In civil law systems the purposive method of interpretation introduces an additional pressure in some cases to consult officials before obtaining comfort as to the intended application of the rules to a given situation, although this practice can also sometimes be helpful in common law countries in instances where the more self-executing laws and regulations nevertheless permit very different interpretations on critical points.
Any failure fully to integrate legal analysis is likely to lead to risk, inefficiency and unnecessary expense. As is the case for all laws, qualitative compliance involves a principled understanding and experience of not just a specific rule but a framework of rules, and the interplay between principles and rules of different levels of hierarchy, including the common law, constitutional law, legal interpretation and how issues arise and are addressed both by regulators and in court proceedings. The necessary reasoning is subtle and has a language of its own. It is taught and teachable—and it is the same reasoning that is necessary in order to understand and apply concepts and rules contained in the applicable underlying legal systems—but it requires the hands-on application of practical experience for complex situations.
It is also important to consider interactions with regulators in reaching a common understanding as to the importance of thoughtful management of compliance (and the other control functions) across the firm and the need to avoid a box-ticking approach. This involves spending time talking to regulators, evaluating and demonstrating the efficacy of a particular approach and the need for regulators to be open to such extensive and thoughtful interactions, particularly when interactions are taking place electronically. The smart use of both the compliance and legal teams in the correct role in these discussions is critical to ensure that an effective approach is followed.
Firms’ risk functions undertake a largely quantitative and rules-driven evaluation of risk, framed by the Basel Rules, at least as regards capital exposures. Legal risk is not directly captured in the Basel Rules, but is dealt with on a broad-brush basis as part of the operational risk capital charge.
In fact, legal risk arises throughout any firm’s business, since law underpins almost all of the relationships, products, contracts, property and behaviors which are involved in a financial institution’s business. Involvement of legal expertise is therefore necessary in reducing risk, at least as a general business proposition and also under the Basel Rules. At any bank, its assets and liabilities are legal constructs. They owe their existence, nature and essence to the law. This includes:
how the arrangements for the firm’s relationships, assets and liabilities have been drafted;
how they fit with applicable law and regulation; and
how to apply laws, regulations and judicial decisions from around the world.
There are many assumptions embedded in the risk regime as to how contracts operate and the business behaves. Most importantly, it is generally assumed that contracts are to be performed in accordance with their terms.
In common law systems especially, the law permits for parties’ choice of action: freedom of contract is generally respected, subject to some fairness exceptions, which are applicable mostly only when dealing with consumers, although such exceptions are sometimes even embraced in institutional dealings, particularly in the United States. Clarity of thinking and in contractual drafting is key. Nevertheless, the involvement of lawyers is critical to understanding a firm’s contractual rights, and more importantly how a court may co
nstrue them given a particular fact pattern, since non-lawyers might seize upon irrelevant terms or fail to take into account other relevant legal requirements, such as terms implied by law or unfair contract terms legislation, if they seek to interpret a firm’s contracts without involving those qualified to do so.
The sorts of situations in which involvement of lawyers reduces risk in the risk function include:
collateral management issues that can arise when addressing leverage and/or liquidity concerns. With a sound legal structure that mitigates the risks, the business can achieve greater cross-margining, reduced client collateral requirements (creating a competitive advantage), reduced costs of exposures to clearing houses and increased flexibility in the use of collateral. These techniques include:
the use and legal enforceability of guarantees to mitigate counterparty risks;
legal opinions on close-out netting;
capital structure optimization, and how relevant instruments are drafted to comply with applicable rules on capital eligibility;
structuring around bankruptcy issues;
validity and risks of using different kinds of collateral, for instance title transfer as opposed to mortgage, lien or pledge; and
the legal structuring of off-balance-sheet assets.
Opportunities for netting, which can arise through “cat’s cradle” cross-guarantee structures and the consolidation of exposures into the smallest number of corporate entities, potentially breaking off exposures from other legal and documentary aspects of transactions;
Regulatory booking, where consideration of the most capital-efficient arrangement for business lines, such as derivatives booking business, involves an analysis of differences in capital and tax rules in different jurisdictions; and
Terms and conditions, rationalizing legal and regulatory exposures through standardization and the careful crafting of terms
Internal audit provides a check on risk and compliance and essential business processes—a “third line of defense,” after businesses processes, then risk and compliance. The process is one of checking and should not generally be interpretative, so there is no immediate nexus with the legal department. However, constant interactions between internal audit and the legal department are important for the identification of significant or recurring issues, the risks that they may indicate and the steps that an institution ought to be taking to mitigate those risks and avoid future regulatory or other liability for failing to do so. A more thorough understanding of Internal Audit’s processes can assist the firm as a whole to develop plans and adopt practices that make the entire legal, regulatory and compliance environment more efficient.
Overall, with careful integration of legal support it will be possible to optimize a firm’s response to minimizing risk while ensuring compliance. Many firms have given considerable thought to this matter already but now is the time to give the matter particular attention, given what is at stake.
 See “Banks face pushback over surging compliance and regulatory costs,” Financial Times, 28 May 2015.
 In the U.K. there has been lengthy discussion in the industry about whether the legal function should be a “senior management” function, bringing with it personal responsibility for failure and increased regulatory supervision for individuals. Many lawyers in financial institutions resisted this, citing concerns about legal privilege, and the FCA ultimately decided not to proceed with this aspect of its proposals: Discussion Paper, “Overall responsibility and the legal function,” DP16/4, September 2016, Consultation Paper, “Optimising the Senior Managers & Certification Regime and feedback to DP16/4—Overall responsibility and the legal function,” CP19/4, January 2019, and Policy Statement, “Optimising the Senior Managers & Certification Regime—Feedback to CP19/4 and Final Rules,” PS19/20, July 2019. It could alternatively be argued that, for the legal function to be taken seriously, it needs “skin in the game,” and needs to be regarded as important by regulators. Without this level of scrutiny, the implication of regulators is that legal departments stand nowadays as little more than a “hired gun for sale,” or worse, an irrelevance.