On April 19, 2024, Richard Ostrander, the general counsel and head of the Legal and Compliance Group at the Federal Reserve Bank of New York (“FRBNY”) expressed his personal views on how the legal function can (or should) be integrated into a banking organization’s risk management framework.[1] This is a notable development because his views appear to give guidance on how banking organizations should manage legal risk but leave unresolved longstanding questions regarding how legal risk should be defined and its placement in legal risk taxonomies.
Below we provide background on certain legal risk management expectations and how they are affected by FRBNY’s views.
Background
Since at least the mid-1990s, the Federal Reserve has expected banking organizations to adequately manage legal risk. For these purposes, it has defined legal risk as the risk that arises from the potential that unenforceable contracts, lawsuits, or adverse judgements can disrupt or otherwise negatively affect the operations or condition of a banking organization. Notably, this definition diverges from that of the Basel Committee on Banking Supervision, which defines legal risk as a component of operational risk that includes exposure to fines, penalties, or punitive damages resulting from supervisory actions, as well as private settlements. And, yet further, many organizations adopt a wide variety of definitions.
As the risk management profession matured, the issue of integrating and managing risk categories through a single framework came to the fore. For example, the Office of the Comptroller of the Currency developed a single set of heightened risk management standards and defined certain risk categories.[2] Among other issues, these standards require large banks to implement quantitative limits, organization-wide data aggregation capabilities, and an appetite for all risk categories, including non-financial risks such as compliance risk and reputation risk. As Mr. Ostrander noted, this is a problem for legal risk because banks should have “virtually no appetite to knowingly violate applicable law” even though the law inherently presents a degree of uncertainty or ambiguity that creates legal risk (e.g., lawsuits involving matters of first impression and unclear regulatory expectations).
Further, one widely accepted model, the three lines of defense, has be interpreted to require banking organizations to assign all functions and personnel to a “line.” As we previously have discussed, the first line of defense involves business unit managers. The second line of defense consists of risk management and compliance functions. The third line of defense is an independent audit function. The three lines model raises a question: Which line should the legal function be assigned to and how should its activities be reviewed?
Where should the legal function sit in the three lines of defense?
Mr. Ostrander separated his views into two parts: (i) the concepts of legal risk and legal risk management and (ii) the structure of legal risk management within a banking organization.
The concepts of legal risk and legal risk management
First, he discussed FRBNY’s internal definition of legal risk and explained how banking organizations should think about identifying and managing legal risk. While he admitted that it is not perfect, he defined legal risk as the:
- Risk that FRBNY exceeds its legal authority or fails to fulfil its obligations under law, contract, or other legal duty;
- Risk of a legal dispute based on an allegation that FRBNY exceeded its legal authority or on an alleged failure by FRBNY to fulfil its obligations under law, contract, or other legal duty[;] and
- Risk that FRBNY fails to take the steps it has deemed necessary to protect its legal interests.
Mr. Ostrander explained that while a banking organization should not view violations of law and fines as a cost of doing business, its legal risk tolerance should not be zero. This is because legal risks manifest in different ways, can be mitigated in different ways, and sometimes, are in the best interests of the organization to accept.
For example, he explained that a lawyer might analyze a new financial product and determine that there are good arguments that offering the product does not require a particular license. Depending on the strength of those arguments, the organization may decide to accept the risk and offer the product without obtaining the license. Even if it turns out that a license was required and the organization is fined, the legal risk may acceptable if the lawyer properly analyzed the ambiguity in the law, explained the risk to the business decision-maker, and ensured that the risk was accepted by the proper decision-maker and documented in accordance with the organization’s risk management procedures.
Mr. Ostrander also noted a cultural aspect to legal risk management. An organization must build a culture in which business units consult with the legal function to identify and mitigate legal risks. This is a two-way street that requires that the business unit to communicate with legal but also that legal act as a partner helping the business unit achieve the organization’s goals. He highlighted that a legal department that fails to understand the business and speak its language, be responsive to requests, and have a problem-solving mentality is just as culpable as a business unit that ignores legal advice.
The structure of legal risk management within a banking organization
Second, Mr. Ostrander addressed the critical question of how legal risk and the legal function may fit into the three lines of defense model. In his view, the legal function “does not fit neatly into the three-lines-of-defense framework.” Instead, he believes that a more realistic view is that the legal function operates across and outside of the three-lines model.
Among other reasons, he noted that legal risk is the one category that requires the first line to consult with another function about the existence of the risk because the first line is not qualified to perform legal analysis.[3] Therefore, the legal function must be responsible for identifying and analyzing risks.
However, the legal function also has a second line function in that it ensures the first line is following proper procedures for managing legal risks that the legal function has identified. Further, the legal function is the only part of an organization that is licensed to provide legal advice. Therefore, legal judgments cannot be reviewed by another function, such as the third line, because that would require the third line to inappropriately provide legal advice.[4] However, the second and third lines should still review the legal function for adherence to organizational processes, budgeting decisions, and other corporate issues.
Conclusion
Mr. Ostrander’s views, while not those of the FRBNY, accord with our long-standing position that a banking organization’s legal function should have sole ownership of legal risk and sit outside of the three lines of defense. However, as illustrated in his comments on an organization’s culture, the legal function must act as a partner to the business and advisor to the three lines of defense to ensure that it is effectively identifying and measuring risk, supporting the organization’s goals, and protecting its interests. Achieving this balance requires thoughtful structuring of the organization’s risk management framework, policies and procedures, management committees, and reporting lines.
Megan Webster is a partner at Mayer Brown
Matt Bisanz is a partner at Mayer Brown
Jeff Taft is a partner at Mayer Brown
Larry Cunningham is Special Counsel at Mayer Brown
[1] He explicitly noted that the views expressed “are my own and do not necessarily reflect those of the Federal Reserve Bank of New York or the Federal Reserve System.”
[2] 12 C.F.R. pt. 30, app. D § II.B.
[3] Even the OCC’s heightened standards recognize that the first line “does not ordinarily include an organizational unit or function thereof within a covered bank that provides legal services to the covered bank.” Id.
[4] Mr. Ostrander also noted that lawyers are subject to professional obligations for providing legal advice, which are enforced by external licensing authorities.
