Bank regulation: Are we going to lie to ourselves?

When it comes to compliance, the difference between saying and doing can be exacerbated by an excess of regulation.

In 2015 the Army War College produced a courageous paper: Lying to Ourselves: Dishonesty in the Army Profession. It summarized research into how soldiers had felt forced to respond to a “deluge” of operational compliance demands imposed from above.

These process and reporting requirements built up incrementally, eventually becoming so overwhelming that well-intentioned soldiers felt the need to “prioritize which requirements will actually be done to standard” and those which would “only be reported as done to standard.” As it became impossible to function effectively and to comply with every demand, it became necessary to lie about having done so. Time magazine captured the report’s main message: “Too many regulations lead to too many lies.”

Dodd Frank

Bank regulators and legislators would do well to give the Army paper a read. The 2009 Dodd Frank legislation dramatically increased the already extensive regulatory burdens on banks. Its main premise was well conceived: regulation should be tiered, based on bank size and the complexity of its operations.

The top tier, including the largest and most complex firms, became known as Global Systemically Important Banks (GSIBs). These are subject to very high touch, high levels of stress testing and relevant disclosures. While costly – GSIBs have thousands of employees and sophisticated information systems dedicated to regulatory reporting and compliance – this level of rigor is not controversial and is now working well.

But questions arise when we start talking about significantly smaller banks, operating domestically only, with far fewer product offerings and far less operational complexity than the GSIBs. How should these banks be regulated? Certainly not as GSIBs: a $10 billion bank cannot spend $100s of millions on regulatory compliance and reporting.

We need to take a nimbler, “tailored” approach. So, let’s start by considering what these banks do.

Four key risk management factors

First, they try to attract deposits – most of which can be withdrawn at any time, based on depositors’ needs and comfort with the institution. Once in hand, banks lend some of those monies out, seeking to make a higher return than the interest they are paying on those deposits. Our economy is driven by this credit creation, via home mortgages, auto, school and credit card loans, etc.

This lending takes place against two assumptions central to the banks’ business model: depositors will leave a large portion of their deposits in the bank and borrowers will repay monies borrowed. While the business of smaller banks has evolved and will continue to evolve, these have proven to be realistic assumptions: absent some triggering event, we have no reason to expect that depositors would, all at once, seek to withdraw the entirety of their deposits (a “bank run”); and absent outright fraud, it is reasonable to expect that borrowers will act in good faith and seek to maintain their creditworthiness by repaying borrowed monies.

This brings us to the core of banking risk management and regulation – avoiding triggering events. Viewed through this lens, we believe there are four key risks that need constant monitoring. If you monitor and manage them well, you will have a financially sound bank and the risk of a triggering event will be remote.

  • First is liquidity risk, the risk that you do not have enough liquidity – cash and instruments with stable value that can be quickly sold for cash – to accommodate all the withdrawals you would normally expect to see in a short period, plus a reasonable cushion to accommodate, for example, an economic downturn. No bank is equipped for a mass exodus of deposits, but daily liquidity management is central to prudent banking through the ups and downs of economic cycles.
  • Second is credit risk. Banks must make sure they are lending to people who will pay them back, or that they can take steps to collect as much as possible should a borrower’s circumstances shift unexpectedly.
  • Third is interest rate risk. Banks have a cost for deposits – and a floating one, for the most part. If interest rates rise and the cost of funding your bank becomes higher than the interest on the loans the bank had previously made, the bank loses money.
  • And the last main challenge is capital risk – does a firm have enough equity, enough of a cushion, to absorb potential losses should they manifest?

This is Banking 101. Regulators will have a say, but a demonstrated ability to manage these four risks effectively is table stakes for anyone wishing to run a bank.

Good practice and social responsibility

But now let’s consider all the other regulatory requirements that banks of any size are asked to contend with. There are literally hundreds that must be dealt with daily. Some are relatively obvious and reflect good practice and important social responsibilities – such as anti-money-laundering and know-your-customer rules. But others are mind-numbingly impractical and, collectively, nearly impossible to meet.

Consider, for example, the insistence that banks monitor, manage and report on risks that may be posed by any one of their vendors. Should it really be the case that every vendor providing a service to a regulated bank must be managed by the bank? On the face of it, this includes the pizzeria that delivers lunch, the utility that delivers electricity, and the landlord. Banking regulations are being used to monitor and manage climate risk, a global issue where the operational activities of any smaller bank, or even all small banks combined, are irrelevant. This is folly. Yet, we have little doubt politicians will continue to call for more climate-related regulation of smaller banks.

There are other requirements, including financial controls assessments, operational effectiveness assessments, and information technology assessments that, on their face, seem sensible. But in their implementation costs, and with the implicit requirements of systems buildout and third-party auditors and consultants, they are simply impracticable for smaller banks. A well-run fishing boat does not need the bridge of the Starship Enterprise.

Banking regulatory reform

We agree with Fed Governor Michelle Bowman’s view that calls for radical reform of our banking regulatory framework are “incompatible with the fundamental strength of the banking system”. Smaller banks don’t need more rules, they need efficient rules focused on key risks. And this is not just a matter of cost; it is also a matter of new and unnecessary rules producing increased risk. The realities of impractical regulation are not lost on employees and, as a result, they can have a corrosive effect on culture and performance.

The Army’s 2015 paper opened with a fundamentally sound observation that bears repeating: “One of the hallmarks of a true profession is its ability to assess and regulate itself.” This is true of banking. As Governor Bowman rightly emphasizes, “regardless of the business model, the culture of a bank must also prioritize the values and rules that make banks successful over time.”

As we have observed previously, such a culture cannot be imposed bluntly from outside. It is up to bank leaders to prioritize an effective risk management culture, to set the drivers of that culture purposefully, to appreciate fully the employee conduct that such a culture rewards, and to anticipate accurately the performance outcomes that will result. (See Clayton speech on Observations on Culture at Financial Institutions and the SEC and article The Coronavirus crisis is increasing the risk of bank fraud by Cohn, Scott and Cooke).

When faced with a rule book that has grown so fat that it can’t be lifted – one that includes rules that seem trivial, impractical, or both – it is human nature to focus limited attention and resources on only the most significant or most tractable regulatory requirements, and to set others aside and hope for the best. When we ask well-intentioned people to comply with onerous and inconsequential regulations, government increases the risk that good people will be forced to ignore bad regulation. And regulators are then forced to devote time and attention to those lapses, reducing the bandwidth available for overseeing core banking risks.

Last year, the authors of the Army paper issued a retrospective piece, Still Lying to Ourselves. Their 2015 paper, they note, met with defensiveness and denial on the part of the Army’s leadership. More junior officers, however, “marvelled not at the study’s arguments, but rather that it had taken so long for anyone to point out the obvious”.

It’s time to stop lying to ourselves.

This article first appeared in Starling’s Compendium. Please visit Starling Insights to read the fully annotated report.

Stephen Scott, Starling Trust Sciences Founder & CEO, Gary Cohn, former Director of the US National Economic Council and former COO of Goldman Sachs, and Jay Clayton, former head of the US SEC.