I. INTRODUCTION
The FDIC has observed a limited number of instances in which directors and officers of troubled or failing institutions have made copies of financial institution and supervisory records, and removed those copies from the institution in anticipation of litigation or enforcement activity against them personally.
The copied records have included confidential material such as loan files and other records containing bank customer personally identifiable information, reports of examination and supervisory correspondence, employee records, and suspicious activity reports (SARs). In some instances, the directors or officers were acting on their own volition, and in others, on the advice of counsel. Such material, often stored on unencrypted media, has been placed in unsecured locations such as the homes of directors and officers, public office areas, and offices of counsel.
The FDIC Guidance is a reminder to directors and officers that this activity is a breach of their fiduciary duty to the institution and an unsafe and unsound banking practice, which may also violate applicable laws and regulations and contravene the financial institution's information security program. Attorneys who represent an insured depository institution are also reminded that their fiduciary duty, both legally and ethically, obligates them to act in the best interests of the institution. The FDIC will investigate any matter that appears to violate confidentiality and pursue enforcement actions, as appropriate.
II. GUIDELINES
Directors and officers of financial institutions must adhere to the high standards required of fiduciaries. In fulfilling their fiduciary responsibilities to insured depository institutions, directors and officers must at all times act in the best interests of the institution. Effective management and strategic direction of insured depository institutions require that directors and officers be thoroughly informed about the relevant operations of the institution. In performing their official duties, it is essential that directors and officers have access to the institution’s records. At the same time, it is clear that access to the institution’s records is not appropriate in pursuit of the personal interests of those directors and officers. The vast majority of directors and officers of insured depository institutions recognize the important fiduciary responsibilities they hold and adhere to this vital separation between their official duties and personal interests. Further, legal counsel who represent an insured depository institution are reminded that their fiduciary duty legally and ethically obligates them to advance only the interests of the institution.
A. Duties of Directors and Officers
As fiduciaries, financial institution directors and officers are obliged to act in the best interests of the institution, free of self-dealing or conflicts of interest. Financial institution directors and officers must not use corporate property or assets for their personal pursuits or advantage. Removing confidential material belonging to the financial institution for personal purposes breaches directors’ and officers’ fiduciary duties.
In addition, various federal laws and regulations govern the treatment of information that financial institutions accumulate during the normal course of business and through interaction with regulators. For example:
Financial institution records belong exclusively to the financial institution. When the FDIC is appointed receiver following a financial institution’s failure, the receiver as successor to the institution becomes the exclusive owner of the books and records. The FDIC as receiver has the unrestricted and sole right to possess and use the books, records, and assets of the failed institution. Personal possession of bank and supervisory materials by a former director or officer, under the circumstances described here, is inconsistent with this unrestricted right.
Removing financial institution and supervisory records (originals or copies, in any media format) for personal use, and transporting or storing the records outside the institution’s secure storage system, creates significant risks of disclosure that could have severe consequences for the financial institution, its directors and officers, and its customers. Such actions can violate the Gramm-Leach-Bliley and Federal Deposit Insurance Acts, among other laws and regulations, and constitute a breach of fiduciary duty and unsafe and unsound banking practices. Directors or officers who undertake such actions subject themselves to potential enforcement action by the FDIC pursuant to Section 8 of the Federal Deposit Insurance Act.
B. Duties of Counsel
Attorneys who represent an insured depository institution have a fiduciary duty that legally and ethically obligates them to advance the interests of the institution and the institution alone. “[T]he law firm and its attorneys owe… the duty to exercise the utmost loyalty and fidelity to the bank’s interests.” Further, the “duties owed by lawyers in their representation of insured depository institutions run to the institution, not to the individuals who comprise management of the institution.” Attorneys who represent financial institutions cannot advise directors and officers to take actions that are adverse to the interests of the financial institution or its successor. An attorney who represents the financial institution will be in breach of the attorney’s fiduciary duty to the financial institution if he or she counsels its directors or officers to copy and remove records in order to serve their personal interest. Further, federal law establishes that parties who cause others to violate banking laws and regulations are themselves guilty of those same violations. Thus, financial institution counsel who advise copying and removal of records contrary to the interests of the financial institution may be engaging in violations of law, codes of professional conduct, as well as breaches of fiduciary duty.
The Federal Deposit Insurance Act gives the FDIC the authority to pursue enforcement actions against institution-affiliated parties who participate in conducting the affairs of an insured depository institution and knowingly or recklessly engage in violations of law or breaches of fiduciary duty. The foregoing conduct by counsel for the institution may be sufficient to establish jurisdiction for enforcement actions against them as institution-affiliated parties including civil money penalties, consent orders, or removal and prohibition from the banking industry.
Further, attorneys representing directors or officers must not counsel those directors and officers to copy or remove confidential information or documents in violation of the law or otherwise in breach the directors’ or officers’ fiduciary duties to the institution as described in these Guidelines.
C. Permissible Uses
As noted, the FDIC acknowledges that directors and officers need access to financial institution records to carry out their official duties and operate the financial institution as a going concern. However, this need permits access only as necessary for such official purposes while the financial institution remains open. Directors and officers do not have the right to collect financial institution records for their own personal use in anticipation of or following the failure of a financial institution. Former directors and officers may have a legitimate need to access certain limited confidential financial institution records in order to prepare for, or defend against, litigation that may arise following the placement of a financial institution into receivership. The FDIC is willing to address this need, but any such access must be arranged formally, after the financial institution is taken into receivership, and subject to a suitable confidentiality agreement with the FDIC as receiver, or other acceptable assurance of confidentiality such as a protective order.