Client Alert: Professional Liability and the FDIC; The IndyMac Decision

As all bankers know, the FDIC as receiver has "ramped up" it’s efforts to bring actions against directors, officers and "institution-affiliated parties" (IAPs) of failed institutions during the current banking challenges.  The FDIC may elect to bring suit against former IAPs and others based upon simple negligence or gross negligence, and actions for both are often included in the complaint.  While the Supreme Court has ruled that the FDIC may take action based on either simple or gross negligence, federal law preempts state laws that attempt to shield directors and officers from gross negligence.  The "business judgment rule" still provides protection for directors acting basically in good faith with the care that an ordinarily prudent person in a like position would exercise in similar circumstances and in a manner which the director reasonably believes to be in the best interests of the bank.  However, despite the "business judgment" defense, directors and other IAPs may well find themselves on the receiving end of an FDIC lawsuit as receiver for the institution should the institution fail.

Current FDIC Statistics

According to FDIC statistics, the recently decided IndyMac action referenced below was the first professional liability lawsuit authorized or filed by the FDIC as receiver in the current banking cycle.  Not all bank failures result in FDIC lawsuits, however, and during the period beginning in 2009 through December 11, 2012, suits have been authorized or filed by the FDIC against 742 banking professionals in 39 cases involving 89 failed institutions.  Suits filed include 41 filed D&O actions naming 324 former officers and directors.  There have been four settlements to date and one favorable jury verdict.  The FDIC as receiver has also authorized 46 lawsuits for fidelity bond, insurance, attorney/appraiser/accounting malpractice and RMBS claims as well as 172 residential mortgage malpractice and fraud lawsuits.  Targets include not only directors and officers but also other professionals who played a part in the failure of an institution including officers, directors, attorneys, accountants, appraisers, brokers and others.

The FDIC as receiver must bring tort-based actions within three years of the failure and appointment, and six years for contract breach claims unless the state provides for a longer period. Again, not all failures result in FDIC lawsuits.

IndyMac

As a possible harbinger of things to come, the FDIC has secured its first victory in a series of lawsuits involving former banking executives in its claims against former IndyMac residential mortgage executives.

Three former IndyMac executives were held liable by a jury for loan losses incurred by the former institution of more than $168 million.

The court found that the executives failed to implement sufficient controls to address the risks involved in a decision to lend to a different type of builder than had been the case in the past. The failures included ineffective controls over the credit and lending functions, insufficient borrower due diligence, as well as inappropriate high risk incentive programs for lenders.

Attempts by the defendants to assert defenses based on arguments that the regulators had in effect "signed off" on the processes and that the "bursting" of the housing “bubble” had been responsible for the losses incurred by the lender were unsuccessful.

According to reports, many of the loans were in fact made in 2006 during the height of the housing “bubble”.

A former IndyMac CEO reportedly recently settled an initial $600 million claim by the FDIC for $12 million, consisting of $1 million of personal funds and $11 million from insurers. The settlement purportedly includes a lifetime industry bar.

Again, many of the loans and other activities took place several years prior to the economic downturn in 2007.  The IndyMac decision and settlements are indicative of the ability and power of the agencies in asserting claims against directors and officers of failed institutions, and the importance of focusing on identifying risk and mitigating risk relating to operations that may result not only in current issues for an organization, but those which by their nature may result in future issues as well.

In Florida, directors of a failed bank were recently sued by the FDIC for negligence and gross negligence based primarily on CRE and ADC transactions entered into by the bank from 2006 to 2009.  Again while each of these cases are fact-specific, the lessons learned are that when it comes to responsibility for losses resulting from loans that took place during a period of high and aggressive industry-wide growth, the FDIC will still look at whether there was compliance by the lender with its own internal policies and procedures, concentrations of credit, and whether there was adequate risk management in place to identify and mitigate risk to the institution.

The Importance of Risk Management

While the fact patterns can and do change from case to case, it is important for institutions, their executive management and their boards to document efforts at risk identification and mitigation, and to avoid concentrations of risk as well as incentive compensation programs that do not include sufficient risk-mitigating controls.  The common thread in the FDIC actions relate to failure to identify and mitigate risk, failure to follow policies and procedures, and failure to follow up once potential issues have been identified.  In many cases, the records of the institution are replete with “red flags” and obvious instances where management and the board were made aware of issues and concerns by regulators, auditors, employees, market conditions and/or other sources, and failed to act.  Directors should take care to document their consideration, the basis for their decisions and proper exercise of the "business judgment rule" in the decision-making process.  Adherence to "safe and sound banking practices" has broad implications, and the basis for the current regulatory focus on risk management, which includes the ability to look in the regulatory rear-view mirror at past actions, is apparent.