A Regulatory Enforcement Roundup

A periodic review of regulatory enforcement actions is a useful guide to what not to do in the financial services sector.  This post focuses on several recent enforcement actions – one by the Federal Reserve Board (the “FRB”), one by the Federal Deposit Insurance Corporation (the “FDIC”) and two by the Securities and Exchange Commission (the “SEC”) – which may be of particular interest to financial sector companies trying to stay on the right side of the regulators.

Farmington State Bank – The Risks of Charter Stripping

"Charter stripping” is a transaction in which investors acquire an existing bank, often a small community bank, with the intent of following a business plan that usually differs significantly, if not dramatically, from the bank’s prior business strategy.  A charter stripping transaction is often considered as an alternative to the formation of a de novo bank, which typically has a lengthier timeline to completion.  In addition, a charter stripping transaction may avoid the restrictions that apply to de novo banks during their initial years of operation.

Farmington State Bank was a community bank that served rural communities in Eastern Washington until it was acquired by a cryptocurrency entrepreneur based in the Bahamas and renamed as Moonstone Bank.  When the FRB approved the acquisition, the new owner committed to the bank’s traditional community bank business strategy.  However, behind the scenes, the bank quickly pivoted to the digital asset sector.  Not coincidentally, the Bahamas was also the headquarters of Sam Bankman-Fried’s FTX digital market and the related Alameda Research investment fund.  Moonstone received an $11.5 million capital investment from Alameda and a $50 million deposit from FTX.  When FTX and Alameda imploded in November 2022, federal investigators honed in on the relationship between the Bankman-Fried entities and Moonstone and seized the $50 million deposit which, when combined with other deposit outflows, reduced Moonstone’s deposits to about $16 million.  Subsequently, the bank announced that it would wind down operations and the remaining deposits and loans would be transferred to another community bank.

On July 23, 2023, Farmington entered into a cease-and-desist order with the FRB that highlights the risk of ignoring commitments undertaken at the time of a bank acquisition, particularly where the regulators are concerned about a possible foray into the digital asset market.  At the time of the acquisition, the holding company formed to acquire Farmington made specific commitments to, among other things, maintain the bank’s business plan, including serving the needs of the bank’s historical customers, or to move any operational or risk management activities from the bank to the holding company.  Specifically, the holding company agreed not to develop digital banking products without prior approval.  At the same time, the bank’s Washington State regulators also mandated that prior approval would be required for any significant changes in operations, including digital banking operations.

As subsequent events demonstrated, these commitments quickly went by the wayside as the operations of the holding company and Farmington/Moonstone became increasingly intertwined with FTX and its affiliates.  With the collapse of FTX, the bank’s unauthorized digital asset activities, which included the bank’s agreement with a third-party to facilitate the issuance of stablecoins to the public in exchange for a cut of certain fees, came to light and hastened the bank’s demise.

The FRB order may have only limited practical significance as Farmington continues to wind down operations.  But the fate of Farmington is a case study of the potentially negative impact of a so-called “charter stripping” transaction on an institution that had quietly attended to the banking needs of the community since 1897.  While “charter stripping” may sometimes be an appropriate alternative to a de novo bank formation, close adherence to the business plan approved by the regulators is a prerequisite to the avoidance of the kind of difficulties that befell Farmington.

Vermont State Bank -- Managing BSA Risk

When banks run afoul of regulatory requirements, the usual remedy is a cease-and-desist order that identifies a path to correction of deficiencies and, in some cases, imposes monetary penalties on the institution and/or management personnel or board members.  However, in the case of Vermont State Bank (located in Vermont, Illinois), an institution with less than $30 million in assets and only 13 employees, an apparent failure to resolve, among other things, serious deficiencies in the bank’s Bank Secrecy Act (“BSA”) compliance program, has resulted in the unusual step of a filing of a notice of charges against the bank that will have to be addressed in a formal proceeding before an administrative law judge.

A safety and soundness exam uncovered serious gaps in the bank’s BSA compliance program, including the absence of an adequate system of internal controls.  Many of the issues revolved around the bank’s cash management program that included remote deposit capture and remote check creation services.  The tiny bank had launched these services as part of an effort to increase earnings.  According to the notice of charges, the cash management program was focused on two Florida-based customer relationships.  The FDIC determined that the bank failed to conduct adequate customer due diligence on an initial and ongoing basis “to assess the risk of illicit activities” for these customers.  Moreover, the FDIC found that the board-approved policy covering the cash management program did not identify any underwriting criteria for customers that used the program and that the policy set an unrealistic threshold of $500,000 to trigger an internal review of monthly cash management account activity, a level that, according to the FDIC, was unlikely to be triggered.

The deficiencies also extended to the members of the tiny bank’s BSA team who were deemed to lack the necessary experience and training to perform their tasks and who were not tasked with oversight of the bank’s flawed cash management program.  The FDIC found that the bank executive committee, which consisted of the bank’s sole owner and the bank board chairman, had sole oversight of all BSA-related compliance for the cash management program and that they lacked the training necessary to maintain compliance.

Many small banks struggle to meet the rigorous demands of BSA compliance.  However, the case of Vermont State Bank confirms that the regulators have an expectation of compliance regardless of the size of the institution.  In addition, the demands of compliance are particularly acute where a small bank ventures into new products and new markets to develop new revenue streams.  The Vermont State Bank case is a reminder that, at the core of sound BSA compliance, is a risk-based system of internal controls that includes well-documented policies and procedures, effective customer due diligence, and staffing that has the knowledge and experience to manage the compliance process.  These basic requirements apply to every financial institution, regardless of size.

Malvern Bancorp, Inc. – The Price of a Material Misstatement

Malvern Bancorp, Inc. (“Malvern”), the parent of Malvern Bank, one of the oldest banks headquartered on the Philadelphia Main Line, was acquired by a New Jersey bank in late July 2023.  However, the closing of the acquisition did not deter the SEC from imposing significant penalties on Malvern and its chief financial officer in August 2023 for repeatedly failing to timely recognize and account for impairments related to several commercial real estate loans.

The problems began in 2017 when Malvern failed to classify certain modifications to a problematic loan as a troubled debt restructuring (“TDR”), notwithstanding the fact that the CFO was aware of facts (the borrower’s lack of cash flow, the borrower’s unwillingness to pay the loan on the original terms, the borrower’s delinquency, etc.) that supported the TDR classification.  Although with prodding from the bank’s regulators, the loan was reclassified as a TDR in 2018, the CFO failed to classify the loan as an impaired loan.  The result was a material misstatement of Malvern’s financials in several quarters during 2018 and, in October 2018, the misstated financials were incorporated into an offering prospectus for a $25 million stock sale.  To quantify the effect of the misstatement, had Malvern properly accounted for the impairment of the loan in the company’s June 30, 2018 10-Q, income before taxes would have decreased from the reported $2.3 million to $1.3 million.

Although the loan was ultimately charged off in December 2018, the SEC concluded that the charge-off should have occurred in September 2018 when the bank was negotiating a “deed in lieu” with the borrower, and, therefore, the company’s September 30, 2018 10-K overstated income before taxes for the quarter by 67 percent.  These deficiencies were compounded by accounting missteps in subsequent quarters that were based on the bank’s failure to obtain timely appraisals of the property once it was classified as “other real estate owned”, resulting in misstated income for multiple quarters through 2020.

The SEC uncovered similar issues with two other loans that further compounded the 2020 misstatements.  The company’s earnings release for the fourth quarter of the 2020 fiscal year reported net income of $2.2 million.  But, in February 2021, after finding that a material weakness was present in the bank’s internal controls over financial reporting, the company filed an amended 10-K for the 2020 fiscal year that reported a fourth quarter loss of $3.5 million.

Without admitting or denying the SEC’s allegations, Malvern and its CFO consented to a cease-and-desist order relating to these violations, and the SEC made a specific finding that the CFO’s actions were the cause of Malvern’s violations.  The agency imposed a civil money penalty of $350,000 on Malvern and $40,000 on the CFO.

To those who might think that routine securities filings fly below the radar of the SEC, the Malvern case suggests otherwise.    The Malvern case should be required reading for bank personnel who participate in the preparation of financial statements and particularly those who are involved with the classification of loans.

Stanley Black & Decker, Inc. -  Perquisite Problems

A recent SEC enforcement action involving a company outside of the financial sector should be required reading for any public company.  It is relatively rare to see an SEC enforcement action based on inaccurate proxy disclosure.  For most companies, proxies are filed and largely forgotten until the next proxy season begins.  But a recent SEC order involving Stanley Black & Decker, Inc. (“SBD”) and one of its executives shows that it can happen.

In proxy statements filed from 2018-2021 that disclosed compensation for the period 2017-2020, SBD reported an average of $1 million as “All Other Compensation” for four named executive officers and one director.  However, the SEC determined that, in each proxy, the company underreported “All Other Compensation” for the four executives and the director by approximately $325,000 annually by failing to include the value of certain perquisites, including corporate aircraft use.

In a separate enforcement action, the SEC singled out a former SBD executive who underreported “All Other Compensation” by the value of a variety of perquisites (corporate aircraft use, chauffeur services, apparel, car repair services), omitting an average of $162,000 in each of the years at issue.  On an annual basis, the executive completed a standard proxy data questionnaire that the company used to collect information on perquisites, and the executive was provided with the opportunity to review and validate the disclosure in the draft proxy statement.

The proxy rules require disclosure of “perquisites” received by a named executive officer, but the line between a reportable perquisite that provides personal benefit and a nonreportable perquisite that is provided in support of a business purpose is not always clear and many companies struggle to identify reportable perquisites.  The SEC describes the distinction as “an item that a company provides because the executive needs it to do the job, making it integrally and directly related to the performance of duties, and an item provided for some other reason, even where that other reason can involve both company benefit and personal benefit.

Ultimately, SBD avoided harsher consequences by self-reporting the disclosure violation to the SEC.  According to the SEC order, upon learning of the omissions, SBD initiated an internal investigation through outside counsel and advised the SEC regarding the inaccuracy of the “All Other Compensation” disclosure.  However, the SEC took a dimmer view of the executive.  The agency imposed a $75,000 civil money penalty on the executive after concluding that his conduct “caused” SBD’s disclosure violation.

One take-a-way from the SBD situation is that self-reporting of disclosure omissions will always be a mitigating factor when the SEC considers the consequences of a violation.  But while SBD’s actions may be applauded as an exercise in good corporate governance, it is somewhat odd that the SEC excused SBD’s reliance on the executive’s annual self-reporting of perquisites and penalized the executive.  Certainly the executive’s actions cannot be excused but it is also certain that SBD had full access to corporate records that documented the executive’s expenses and presumably SBD could have validated his responses.  It is one thing to rely on self-reporting of information that is only known to the executive and quite another thing to rely on self-reporting of information that is easily obtained from corporate records.  It is curious that the SEC did not focus on this point and effectively excused a violation that highlighted a failure of internal controls.

While the SEC did not penalize SBD for its misplaced reliance on the executive’s self-reported perquisites, it would be a mistake to assume that such reliance always insulates the company from the consequences of flawed disclosure.  The most important take-a-way from these orders that is that proxy preparation should always occur in the context of a strong system of internal controls that include review of proposed disclosure by persons with a thorough knowledge of the disclosure rules and access to the raw data that supports the disclosure.

Knowledge assets are defined in the study as confidential information critical to the development, performance and marketing of a company’s core business, other than personal information that would trigger notice requirements under law. For example,
The new study shows dramatic increases in threats and awareness of threats to these “crown jewels,” as well as dramatic improvements in addressing those threats by the highest performing organizations. Awareness of the risk to knowledge assets increased as more respondents acknowledged that their