Equilar Institute

Understanding the Complexities of Regulatory Compliance

An interview with H. Rodgin Cohen, Senior Chairman, Sullivan & Cromwell LLP

---

H. Rodgin Cohen is Senior Chairman of Sullivan & Cromwell LLP, having served as Chairman from 2000 to 2009. The primary focus of Mr. Cohen’s practice is regulatory, enforcement, acquisition and securities law matters for U.S. and non-U.S. financial institutions and their trade associations, and corporate governance matters for a wide variety of organizations.

Mr. Cohen advises the financial services industry on the full range of governance, regulatory, compliance, enforcement and merger and acquisition matters, including multiagency investigations relating to compliance with anti-money laundering and sanctions issues. He frequently works with all the bank regulatory agencies as well as multiple other governmental agencies. Key recent matters include the Volcker Rule, numerous other provisions of the Dodd-Frank Act, international capital and liquidity standards, resolution and resolution planning. He provides corporate governance advice to a large number of financial and non-financial institutions, both regular clients and as special assignments, and is also a frequent advisor on the rise of strategic and corporate governance activism. An increasing part of Mr. Cohen’s advice to senior management, banks and trade associations has related to cybersecurity.

Listen to a short audio clip from this featured interview.

Over the last decade, the ever-changing landscape of corporate governance has prompted corporate America to adjust to and adequately understand the various components of regulatory compliance. The ramifications of Sarbanes-Oxley, Dodd-Frank and the 2008 financial crisis continue to have a lasting impact on the approach corporate boards take in complying with particular rules and regulations. Of course, the many risks associated with compliance failure often cast a dark shadow over boardrooms. C-Suite had the opportunity to speak with H. Rodgin Cohen, Senior Chairman at law firm Sullivan & Cromwell LLP. Cohen shared his experience in assisting firms through the financial crisis, as well as insight and lessons learned from the numerous policies he has covered during his practice that have been integral in shaping current corporate governance and regulatory policies.

---

C-Suite: During your tenure at Sullivan & Cromwell, what specific insights have you gained about how corporate boards have adjusted to the ever-changing regulatory environment?

H. Rodgin Cohen: The regulatory environment is often more a function of supervisory expectations than legislation or formal regulation. I think since the financial crisis, bank boards have recognized that they do need to make changes to meet supervisory expectations rather than just say “Steady as it goes. There will always be a pendulum moving back to the center, and if we just wait long enough, there will be a correction.” I do think bank boards are much more sensitive today to supervisory expectations than they were some years ago. Trying to take this down from 60,000 feet to a bit closer to the ground, clearly, over the last 10 years, the supervisors have demanded, not just asked, that bank boards be more involved and be more informed. The bank boards have, from my perspective, definitely accommodated that. I don’t believe there is empirical research, but I think I could say, without fear of contradiction, that bank boards today spend a multiple of the time they used to spend in fulfilling their directorship duties. Just one more example, 10 years ago, there was little if any mapping of director candidates or existing directors to the skill needs of the individual institution. Today, I think every firm that we advise has a fair degree of mapping. The idea is you don’t have, if you ever did, a board of well-rounded individuals. What you have is a well-rounded board. Each person brings one or more skills to the boardroom.

As you examine what came out of Dodd-Frank in terms of changes and regulations, do you think Dodd-Frank was in any way an evolution of Sarbanes-Oxley?

Cohen: Dodd-Frank was not an evolution from Sarbanes-Oxley, but some of the aspects of Sarbanes-Oxley can be seen in Dodd-Frank. Perhaps, the best example is the concept of the special risk committee. The risk committee and the risk expert in Dodd-Frank are modeled on the audit committee requirement and the audit committee expert in Sarbanes-Oxley. There was some borrowing of ideas, but I think Dodd- Frank is not an evolution, because it was responding to a different set of situations. Sarbanes-Oxley was in response to accounting fraud and insider dealing. Dodd-Frank, in contrast, was in response to what were fundamental laws in both the regulatory system and at some major institutions.

In your experience assisting companies through the financial crisis, what are some key lessons learned that firms should adhere to with respect to regulatory compliance, and what do you believe have been the lasting impacts/ramifications of the crisis? Over and above, what might have been mandated by Dodd-Frank?

Cohen: I think, certainly, Dodd-Frank is a part of the key lessons because banks have learned, and to an extent, Dodd-Frank mandates that you need to have robust capital ratios, strong liquidity and strong risk management. Everybody learned or should have learned in 2008 that marketplace survival for a financial institution is highly dependent, maybe totally dependent, on marketplace confidence. You need these building blocks of safety and soundness to retain that confidence.

Furthermore, I think what was learned beyond the metrics-based building blocks is how essential risk management is, and that risk management must begin with a chief risk officer (CRO). Just as the board has to have contact with the chief auditor, the board needs contact with the CRO. The CRO needs to be a person of standing in the institution, and she or he needs the resources to do the job properly.

What advice would you provide to companies that are dealing with an activist investor, and what are some approaches to mitigate the risk of facing one of those investors?

Cohen: First, it begins with preplanning. Understanding that even though it is still highly unlikely that any one institution will wind up with an activist, there is an element of randomness here that I think should lead all corporations, or virtually all corporations, to engage in preplanning a number of considerations. One is to be flexible and to not have what I call a knee-jerk reaction. Second, recognize every activist is different and every activist situation is different. If anybody just tries to pull out the proverbial playbook for dealing with an activist, it would be fortuitous if that playbook worked simply because the playbook is for a standard hypothetical scenario, which is unlikely to be the case.

A point that is often overlooked is how it is absolutely critical to have a united board. If you don’t have a board that has agreed on what the response should be whether to accept, reject or somewhere in between, and you have a divided board, you will go inevitably towards concessions or compromise and that’s often a euphemism for defeat.

So how do you unite a board before you have the threat? There are a number of common threats that can be analyzed. For example some will say, “How can it hurt to have one or two activist representatives on the board?” They can provoke; they can ask questions; but they cannot control the board.” In some cases that is right, but an activist on the board can also be highly divisive and destroy the collaboration and cooperation that otherwise would exist. In addition, if you settle with an activist, the activist will often insist that their representatives be able to take management presentations out of the boardroom and show them to the activist’s analysts. Then, the activist comes back in, armed with reams of paper, which can be used to challenge management and to facilitate the activist’s own agenda. Challenge is good, indeed essential, but challenge is a board issue. It’s not an individual director’s issue.

Then there is the question of diversity, which should be a key consideration for all boards. No question about it, corporate America has a way to go with regard to diversity. However long they have to go, activists are often well behind because they rarely bring diversity to the boardroom. Further, a basic tenet of good corporate governance today is matching skills to the needs of the organization. An activist is often coming on with a skill set of “I’m a very smart investor,” and that is one of the skills that a board needs. Another crucial element of preplanning is creating your team. If you have to spend the first two weeks after you hear from an activist interviewing a banker, interviewing your public relations firm or interviewing your counsel, you’re so far behind, it’s a question of whether you will ever catch up. It would be good to have a team in place that interacts with one another so that they know each other.

Then there are some very interesting regulatory issues, particularly if you’re in a regulated industry. For example, a few months ago, an activist ran a proxy contest against a bank in the Pacific Northwest called HomeStreet. The State Banking Commissioner indicated that the activist needed the Banking Commissioner’s approval before it could vote proxies. As it turned out, although the contest was fairly close, the bank prevailed and that ruling was not needed, but it was there. Again, this is not something you’re going to figure out necessarily in the heat of battle, illustrating that preplanning is really helpful.

Is there a particular model that you think is more effective when engaging an activist or is it really idiosyncratic, varying with the investor and the agenda that they’re trying to accomplish with the company?

Cohen: I think it is idiosyncratic. Just as very few corporations send their entire board out to meet with major institutional investors who would typically own a multiple of the percent of shares that the activists own, it’s hard for me to see why the entire board should go meet with the activist as a general matter. There may be special cases, but I think it should be a one-on-one meeting. But the idea that an activist shows up and you immediately “go to the mattresses” is typically a foolish way to look at it, unless the activist, the first time he or she shows up, is with all guns blazing, and that is not the norm. But it happens. That goes back to the basic point, which is that there are activists and there are activists. That’s a term that covers a wide range of styles and ambitions.

As this issue of C-Suite centers on the theme of board performance, what are some risks board members must address in the near future that they may not have had to worry about in the past, and how does that affect performance? Specifically, as boards transition to becoming more diverse, what are some of the more prominent risks that you would counsel boards to be educated on?

Cohen: As far as board composition is concerned, I think a board and the nom/gov committee need to figure out ahead of time what they want in terms of board membership. You need to figure out what the required skills are and what are the different views that you need. You try and find the people who fit those needs and bring the cognitive diversity into the boardroom. If you go back, not all that many years ago, before Enron, board members used to often be friends of the CEO. That went away. Then there was a period of time when boards consisted very largely of sitting CEOs of other corporations. Now, I think the expertise of a sitting CEO can be very valuable. You should probably ideally have at least one or two seated CEOs, because that’s a valuable skill set. After that, you want to again look at what the needs of the company are. That could be accounting, risk management, regulatory relations or technology. Again it depends a lot on the company. There’s maybe more focus on diversity now because you have the major institutional investors, as well as some thought leaders, pushing for it. I think that this is a secondary factor compared to what I think is the critical factor. If you want the most talented board, you cannot limit the talent pool. If you want the best board, you need to have a meaningful number of women or else you’re just not getting the best people that you could have. So there are fundamental reasons, as well as shareholder pressure.

Recently, President Trump requested the SEC to study the impact of moving from quarterly earnings reports to a semi-annual model. What are your thoughts on the benefits and risks to that? What do you think the boardroom view of that request would be or the impact of that change?

Cohen: I suspect it would be applauded by many because of what I refer to as the tyranny of quarterly earnings reports. Not only do quarterly earnings require substantial amounts of time and effort by senior management, the finance department and the board, but it subjects companies to litigation risk in respect of each report. Having said that, I do not know whether a change from this long-accepted norm would be acceptable by the investing public. Perhaps the ultimate question is whether such a change would encourage longer-term investing. One potential downside of going to semi-annual is that there will be enormous pressure now from the analyst community. They’re just not going to sit back and wait. They’re going to be putting pressure on companies to give interim reports and investor conferences.

Some companies have said, “We’re just not going to do quarterly guidance.” Do you think that’s a model that other companies possibly should think about?

Cohen: I think they should, but it’s a lot harder for a company that does not have a commanding market position. It’s more di􀃚cult, for example, for a bank to take that position than an Amazon or Microsoft.

Is there a particular legal matter or topic that you covered over the years that you believe was integral in shaping corporate/board governance policies today? If so, what was it and can you describe its long-term impact?

Cohen: I think one aspect we have learned about and stressed is the issue of culture. Often it is really more an issue of subcultures. If you look at most of the major problems in an industry, there has been a relatively small group of individuals who have been responsible for them. It can be a business unit, it can be a trading desk, but it’s small. What happens all too typically is this particular unit or small group of people starts churning out enormous profitability, and no one wants to then look all that carefully. You don’t want to kill the goose that’s laying the golden egg. In fact, that’s where I think boards should be looking with greater scrutiny. Generally, there is not a group of people that is so much smarter than everyone else that they can accomplish something far more than everybody else. What we try and urge boards and management to do is to really look at the potential for subcultures that are contrary to the corporate culture.

Is there anything else that you’d like to comment on further that we did not get a chance to cover with regard to corporate governance, boardroom risk or regulatory compliance?

Cohen: If I mentioned one issue, and this is going to harken back just a bit to planning for activists, it’s preplanning for crisis. Again, there are a number of people who say, “You never know what a crisis will be. Every crisis is different. Why pre-plan?” Understanding that the predicate is right, while the conclusion is not, is important. What has happened, and I think is not well-documented or understood, is that problems can accelerate into crises far faster than ever before because of social media. Where in the past you would have days if not weeks to react to a problem that you discover, now your time can be measured in minutes or hours. I personally believe that boards should do crisis planning. Again, it’s not to plan for a particular crisis, but to plan for a way of thinking and a way of reacting if a crisis hits. If a crisis hits, you don’t want to then try to figure out what the process is for dealing with it before you figure out the substance. One area that every corporation needs to focus on is cybersecurity. Every corporation is somewhat different. A hack at Sony is not going to be the same as a hack at a large bank, but each institution should be able to figure out what its principal vulnerabilities are and what could happen to the institution. Again, the more fundamental point is crisis planning.