Governance

We believe that having a Board that is comprised of members of different backgrounds, skills and perspectives ensures an effective governing body. Our Board values the insights brought through diversity in professional experience and diversity in gender, racial, ethnic and national backgrounds. Our Nominating and Corporate Governance Committee assesses these factors in the director selection and nomination process.

Key Demographics of our 2022 Board:

• Gender Diversity: 33%
• Nationality/Ethnic Diversity: 44%
• Average Age: 64
• Independence: 89%
• C-Suite Experience: 57%
• Average Board Tenure: 7.3 years

Eight of our nine directors are independent. The Board has elected a Lead Independent director who presides over executive sessions at each regular board meeting with the non-management directors.

Our directors are elected annually and by a majority vote standard. A majority vote standard requires that the number of shares voted “for” a director’s election must exceed 50% of the number of votes cast with respect to that director’s election.

 

Our Board of Directors has adopted Corporate Governance Guidelines that, along with our Code of Conduct (the “Code”), the charters of our four committees of the Board (Audit, Compensation, Nominating and Corporate Governance, and Risk), and our Code of Ethics for the Principal Executive and Senior Financial Officers, provide an effective governance framework. The Code applies to all employees of the Company and its subsidiaries, all directors, officers, employees, agents (including consultants and contractors) and temporary help.

Additionally, key governance and management policies, many of which are approved by our Board, provide a foundation to guide our Company’s operations and support our commitment to sound governance. Our Board annually reviews our Corporate Governance Guidelines and the Code to ensure that they reflect best standards and practices.

While our Code, Corporate Governance Guidelines and our Principal Officer Code of Ethics can be accessed on our website, we also maintain an intranet site that our team members can access with all of our governance and corporate policies.

Our Code outlines expectations and provides our team members with information and guidance to carry out their responsibilities with our customers, shareholders, regulators, coworkers and community while maintaining the highest standards of conduct and compliance with all federal, state and local laws and regulations. Our team members must acknowledge receipt of the Code every year.

Our Board members annually complete a self-evaluation with key topics such as board composition and culture; information and resources; and effectiveness and oversight. Through this evaluation process, the directors assess performance, identify areas for improvement and provide feedback.

To build and maintain long-term relationships with the Company’s shareholders, the Board and management engage in shareholder outreach to discuss issues on governance, executive compensation and other matters of concern. Meetings are held with investors on an individual basis and at industry conferences and non-deal roadshows.

The Board has established four committees to facilitate its oversight responsibilities: an Audit Committee, a Risk Committee, a Compensation Committee and a Nominating and Corporate Governance Committee. Each committee consists entirely of independent directors and provides reports to the Board regarding matters reviewed at their committee meetings.

Our Board oversees our risk management framework which establishes enterprise-wide governance and risk management requirements for monitoring nine categories of risk:

• Strategic Risk
• Credit Risk
• Interest Rate Risk
• Liquidity Risk
• Operational Risk
• Compliance Risk
• BSA/AML Risk
• Reputation Risk
• Price Risk

Our Board determines the appropriate level of risk for the Company generally, assesses the specific risks faced by us and reviews the steps taken by management to manage those risks. Although the Board maintains the ultimate oversight responsibility for risk management, the Audit Committee, Risk Committee and Compensation Committee each oversee risk in certain specific areas.

 

The Company's Risk Appetite Statement, which is reviewed and approved by the Risk Committee, sets forth guidelines for the aggregate levels of acceptable risk across multiple dimensions and forms the basis of the Company's enterprise risk management framework. It further defines the boundaries for the type and amount of risk that may be undertaken by the Company in pursuing business objectives and initiatives.

The Company's Risk Management Framework establishes enterprise-wide governance and risk management requirements for monitoring nine categories of risk: strategic risk, credit risk, interest rate risk, liquidity risk, operational risk, compliance risk, BSA/AML risk, reputation risk and price risk.

Our Board of Directors oversees our risk management framework, including the company-wide approach to risk management, carried out by our management. Our full Board of Directors determines the appropriate levels of risk for the Company generally, assesses the specific risks faced by us and reviews the steps taken by management to manage those risks. While our full Board of Directors maintains the ultimate oversight responsibility for risk management, its committees oversee risk in certain specified areas.

In particular, the Risk Committee plays a key role in the Board of Directors' exercise of its risk oversight function. The Risk Committee assists the Board in overseeing the Company's enterprise-wide risk management framework, including the risk appetite statement, risk tolerances and limits, and risk management infrastructure. The Risk Committee oversees the risk assessment process to assist the Board and management in identifying emerging risks that could potentially impact the Company's strategic objectives and business plan and provides oversight of certain elements of ESG related risk. The Risk Committee reviews regular reporting related to credit, interest rate, liquidity, operational, BSA/AML and compliance risk.

The Audit Committee also has a significant role in the Board of Directors' exercise of its risk oversight responsibilities. The Audit Committee is primarily responsible for overseeing matters involving the Company's financial reporting risks and the guidelines, policies and processes for managing such risks, including internal controls over financial reporting. The Audit Committee conducts its risk oversight in a variety of ways, including reviewing management's assessment of the Company's internal control over financial reporting, and reviewing and approving the Company's significant accounting policies. Additionally, the Company's independent registered public accounting firm regularly discusses risks and related mitigation measures that may come to their attention during its regular reviews and audits of the Company's financial statements with the Audit Committee. To ensure candid and complete reporting, the Audit Committee regularly meets in separate executive sessions with management, the head of the Company's internal audit department and the Company's independent registered public accounting firm.

The Compensation Committee is responsible for overseeing the management of risks relating to our executive compensation plans and practices, as well as the incentives created by the compensation awards it administers. The Compensation Committee reviews our incentive plans to ensure that they appropriately balance risk and reward and do not encourage inappropriate risk takings.

The Nominating and Corporate Governance Committee is responsible for overseeing the management of risks associated with the composition and independence of our Board and management succession.

Our risk management framework is administered through a three line of defense operating model. The first line of defense takes risk, supports the risk taken and is accountable for management of that risk. The second line of defense, our independent risk management function, ensures that risks are properly identified, understood, controlled, and managed within the boundaries established by our Board. The third line of defense, our internal audit and credit review functions, is charged with providing assurance to the Board that all material risks are being managed and controls are functioning appropriately.

The Risk Committee also has responsibility for monitoring risks related to information security and cybersecurity and overseeing management's approach to effectively addressing these risks. On a routine basis, the Risk Committee reviews the Company's Information Security Program and regular reporting related to emerging risks and risk metrics in this area. The Risk Committee receives reports from either the Chief Information Security Officer (CISO) or the Chief Risk Officer and reviews the Information Security Program Annual Report to the Board as well as results of audits and examinations of controls and procedures related to information security.

We have a dedicated information security department led by our CISO who has primary responsibility for establishing, maintaining and overseeing the enterprise-wide information security program. The CISO reports administratively to our Chief Information Officer, who reports directly to our CEO. The CISO also has a direct line of reporting to the Risk Committee. While our information security organization has primary responsibility for the monitoring, detection and containment of internal and external security threats, information security is a shared responsibility. Platform owners and information owners also play critical roles in our information security infrastructure.

Our information security department collaborates with our third-party risk management unit toevaluate the information technology and security programs of significant third party service providers. As applicable, these reviews leverage current SOC 1 or SOC 2 reports that evaluate the design and operational effectiveness of information technology and security related controls employed by service providers. In addition, the third party’s information technology and security policies and procedures are evaluated to form an overall opinion of the third party service provider's technology and information security posture.

In 2022, Clarium Managed Services, LLC (“Clarium”) conducted a Cybersecurity Assessment for BankUnited, N.A. The assessment gauged the overall Cybersecurity Risk Posture of BankUnited, N.A. and resulted in a score of 4.8 on a scale of 0 to 5.

All of our employees are required to participate in regular cybersecurity training and education that educates them on how to detect potential threats and on their responsibilities to help protect the confidentiality, availability and integrity of the Company's information assets, thereby creating a security aware culture. Engaging our employees with security awareness throughout the year, focusing on behavior at both the office and remote work locations, helps to maintain a high level of security awareness. Our cybersecurity training program consists of new-hire training, monthly newsletters, security tips and videos, regular simulated phishing campaigns directed at all of our employees, a "repeat clicker" program required for employees who click on phishing emails after receiving required training, an annual cybersecurity awareness month, a recognition program, gamification exercises and required annual compliance training for all employees. Our board members also participate in cybersecurity training presented by both internal and external subject matter experts, including presentations and reporting related to emerging cybersecurity and information security matters, and updates on technology, regulatory and legal developments.

The Company has a Business Continuity Management (“BCM”) Policy governing the oversight and implementation of the Company's resilience, continuity and response capabilities during business interruptions impacting our operations, systems, services or employees. The Policy is supported by the BCM Program. The BCM program incorporates four interconnected components - business continuity, crisis management, IT recovery and resilience testing. These components are designed to identify, manage and adequately respond to the impact of potential events that could disrupt our operations and systems or adversely affect the well-being of our employees. The foundation of the business continuity risk management framework includes risk assessment and business impact analysis. The BCM department also assesses the resilience of our significant third party service providers, including assessing the ability to respond to service disruptions or degradations resulting from natural disasters or information security incidents.

The Ethics Committee of BankUnited (the “Committee”) was formed with the purpose of overseeing and helping to define the Bank’s culture of ethics and ethical responsibility. The Committee serves as the central repository for the reporting and review of possible “unethical” behavior throughout the organization. The Committee which provides periodic reports to the Audit Committee of the Board, may recommend to senior management and the Board of Directors policies, procedures, and practices that best serve the Company’s interests in maintaining a business environment committed to high standards of ethics and integrity, corporate responsibility, and legal compliance.

The Company has a 24 hour ethics hotline which can be used to report suspected violations of the Code of Conduct, accounting, audit or internal accounting control matters.

The Company encourages any team member to report such conduct openly, if desired, or anonymously, without fear of retaliation. The Company will not discipline, discriminate against or retaliate against any team member because of a good faith report of suspected misconduct.

Any concerns regarding accounting, internal accounting controls or auditing matters should be reported to the Audit Committee of the Board and may be reported anonymously.

To contact any director, or any Committee of the Board, correspondence should be sent to:

c/o Corporate Secretary BankUnited, Inc.
14817 Oak Lane
Miami Lakes, Florida 33016 (305) 569-2000

 

We routinely engage with our regulators through regularly scheduled meetings with senior management, examinations, on-going supervisory activities and an established reporting framework. We believe our regulatory relations are strong.

BankUnited is committed to protecting our customers through our privacy policies. Our Privacy Notice and Online and Mobile Privacy Policy Statement explain what personal information we collect about consumers, why we collect it, how we protect it and how and why in certain cases we may share it.

We maintain security standards and procedures to help prevent unauthorized access to confidential information about our customers and update and test the technology to improve the protection of our information.

Details of our commitment to privacy can be found on our website at https://www.bankunited.com/privacy.

As the banking industry evolves with new technology and changes to the traditional ways people engage with their bank, we believe having well-trained team members builds trust with our customers and the communities we serve.

Compliance risk is the risk to current or projected financial condition and resilience arising from violations of laws or regulations, or from nonconformance with prescribed practices, internal policies and procedures, or ethical standards. The Company has a dedicated compliance function, headed by the Chief Compliance Officer, that promotes a disciplined risk culture and monitors and facilitates compliance with applicable laws and regulations, as well as regulatory expectations articulated in formal guidance by the banking regulators. The Company’s compliance management program includes risk-based testing and monitoring programs, issue identification and reporting, and regulatory change management. Quarterly updates on the compliance program are provided to the Board Risk Committee. The compliance department develops and delivers a comprehensive bank-wide employee training program tailored to job functions, focused on applicable laws and regulations including but not limited to consumer protection, fair lending, and the Community Reinvestment Act.

BankUnited has established and maintains an enterprise-wide BSA/AML/OFAC Policy and Program to ensure that the Bank is in compliance with applicable laws, rules and regulations related to money laundering (“ML”) and terrorist financing (“TF”) activities, sanctions programs and rules administered and enforced by the U.S. Treasury Department’s Office of Foreign Assets Control. The Bank has designated a BSA/OFAC Officer responsible for coordinating and monitoring day-to-day compliance with the BSA/AML/OFAC Policy and Program and applicable laws, rules and regulations. As part of the program, the Financial Crimes Compliance Committee provides cross-business line executive level oversight of the Bank’s compliance with the BSA/AML/OFAC Policy and Program and is chaired by the BSA/OFAC Officer.

The Bank’s BSA/AML/OFAC training program utilizes a combination of in-person, online, and external courses to train employees on BSA/AML/OFAC policies, procedures, and regulations. There is a formal BSA/AML/OFAC training plan that includes job-specific training and all employees, including the Board of Directors, receive BSA/AML/OFAC training annually.

Independent testing of the BSA/AML/OFAC Program’s compliance with applicable BSA/AML laws and its overall effectiveness is a critical control function performed annually by Internal Audit or with assistance of qualified outside consultants. The scope, frequency, and level of testing are risk-focused and commensurate with the Bank’s BSA/AML/OFAC risk profile.