Last week, Acting Comptroller Michael Hsu gave a speech describing the OCC’s evolving views on bank supervision.[1] That supervision is the focus of any policymaker’s public remarks is a welcome development; as we have described at length elsewhere, bank examination has expanded significantly in scope in recent years and is now focused largely on immaterial matters as opposed to material financial risk, and frequently works in opposition to regulatory policies established by the banking agencies’ senior leaders.[2] Four aspects of the Acting Comptroller’s speech warrant scrutiny and further discussion.
1. Prioritizing Risk-based Supervision
In discussing the nature of supervision and the OCC’s own evolving practices, Acting Comptroller Hsu stresses the importance of a risk-based approach to supervision that eschews box-checking and checklists, focuses supervisory attention “where it is needed most” and maintains “perspective and proportionality.” As we have described elsewhere, this type of approach to bank supervision is exactly right, and, if practiced, would ensure that bank examiners’ time, attention and demands are focused on real and material sources of risk rather than on immaterial issues and process for process’s sake.[3] Unfortunately, and as we have also described elsewhere, the risk-based approach to supervision that the Acting Comptroller describes is exactly contrary to the lived experience of bankers today, who frequently encounter an examination culture and practices that are increasingly focused on process rather than substance, and on immaterial matters rather than material financial risk.[4]
The Acting Comptroller’s remarks do not acknowledge this yawning gap between aspiration and reality. And while they do identify several steps the OCC is taking to embrace risk-based supervision “head on,” which include strategic planning emphasis on “agility and learning” and “credibility and trust,” the creation of an Office of Financial Technology and eliminating internal barriers to information sharing,[5] these vague references to OCC actions fall well short of specific, concrete measures, including internal governance, transparency and accountability reforms at the banking agencies, that are necessary to ensure that specific cases of ineffective, risk-blind supervision are identified and remediated in a timely fashion.[6]
2. The Asymmetries of Supervision
The Acting Comptroller’s remarks also emphasize that, because the banking agencies impose a shroud of secrecy on bank supervision, the public’s perception of bank supervision is asymmetric – that is, supervision “usually enters the public consciousness only when something has gone wrong,” while “effective supervision is, in contrast, largely invisible to the public.” While public perceptions of supervision are indeed asymmetric, this asymmetry also means that bad supervision is just likely to go unnoticed as good supervision. Supervision is ineffective not only in cases where supervisors miss issues and something goes publicly wrong; it’s also ineffective in cases where supervisors are focused on the wrong issues or immaterial matters, creating significant dead weight compliance burdens and a diversion of resources to immaterial matters and away from material ones. These negative consequences are frequently also invisible to the public because individual banks are barred from speaking of such instances with any specificity, and bank examiners generally have no incentives to be transparent about these kinds of supervisory failures.
Indeed, even in cases where things have gone spectacularly and very publicly wrong, supervisors appear very reluctant to acknowledge this problem, let alone take steps to prevent a recurrence. For example, while the Federal Reserve’s own report on the SVB failure clearly indicates that SVB’s examiners spent far too much time on the wrong things – 25,000 hours of actual scheduled supervisory activities at SVB in 2022, to be exact – the report instead concludes that (i) examiners did not take sufficient steps to ensure that SVB fixed problems quickly enough and (ii) an undocumented and unspoken “shift in supervisory policy” resulted in supervision that was too lax.[7] We should thus, perhaps, not be surprised that in the Acting Comptroller’s remarks, credit is taken for two specific supervisory “successes” – namely, supervisory pressure that kept banks out of cryptocurrency activities and (purportedly) ensured that banks were prepared for the August 2024 CrowdStrike IT incident – while poor supervision that focuses on the wrong or immaterial things remains, as ever, only a hypothetical problem.[8]
3. Horizontal Supervision
The Acting Comptroller’s speech also emphasizes the shift to a “more nimble, ‘team-of-teams’ approach” that relies on horizontal supervisory teams and exams, rather than onsite teams dedicated to individual banks, as an important way that OCC examiners are adapting to remain effective. While it is certainly true that horizontal approaches to supervision may have certain benefits – as the speech notes, onsite teams may lack subject matter expertise in certain areas, and horizontal assessments can help ensure consistency across a range of similar banks that is otherwise often lacking – they also pose risks that the speech fails to acknowledge. In particular, horizontal supervision runs the risk of becoming a mechanism by which examiners review practices across a variety of banks, decide which one they prefer and then require the remainder to adopt what examiners have determined to be best practice, in ignorance of how one bank’s experience, capabilities and operations might differ from another. Such a process is problematic both because it effectively end-runs the open, public process by which new standards should be established, but also because it tends to create examiner-mandated monocultures across the banking industry, particularly in areas like information technology and risk management models and practices where “one-size-fits-all” prescriptions may be especially inappropriate and dangerous. The failure to note this problem is ironic given that the OCC has a strong general reputation among bankers for empowering its onsite examination teams, who know and understand the bank well, in contrast to other regulators that more heavily rely on horizontal teams and supervisory processes.
4. Designating “Domestic Systemically Important Banks”
Pointing to the purported increase in the number of large banks and the failures of SVB, Signature, and First Republic Bank in 2023, the speech also suggests that the U.S. banking agencies should “consider a framework for formally identifying domestic systemically important banks,” (DSIBs) as doing so would “clarify the stakes involved of weakly supervising and regulating such institutions.”[9] This suggestion is curious, as such a framework has already existed for some time. As amended in 2018, Section 165 of the Dodd-Frank Act requires the Federal Reserve to establish enhanced prudential standards for large bank holding companies where appropriate “to prevent or mitigate risks to the financial stability of the United States.”[10] Consistent with that requirement, the Federal Reserve and other U.S. banking agencies have established by rule a tiered framework that identifies four different categories of covered large banks and applies varying levels of enhanced prudential standards to each category.[11] Three of those categories encompass banks that are not global systemically important banks, which are identified through use of five indicators (i.e., size, cross-jurisdictional activity, weighted short-term wholesale funding, nonbank assets and off-balance-sheet exposure) that “provide a basis for assessing a banking organization’s [domestic] financial stability and safety and soundness risks.”[12] As a result, there are today 30 banks that are already effectively identified and subject to enhanced regulation in the United States as domestic systemically important banks.[13] Thus, while one could argue about whether the existing framework strikes the right balance or uses the right metrics of systemic importance – and indeed, we have argued elsewhere that, if anything, this framework warrants greater tailoring, not less – there is no question that such a framework already exists.[14]
This suggestion is also misguided insofar as it suggests that the failure of SVB, Signature and First Republic Bank are cause to rethink the agencies’ views as to what constitutes domestic systemic importance. It is certainly true that, in the case of Silicon Valley Bank and Signature Bank, the FDIC, Federal Reserve and U.S. Treasury Department ultimately decided to bail out those banks’ uninsured depositors on the basis that failure to do so would have had serious adverse effects on U.S. economic conditions or financial stability.[15] However, none of these agencies or their principals have ever provided any public explanation as to why they concluded that failure to bail out these uninsured depositors would have serious systemic consequences. The closest we have to a public explanation is the Government Accountability Office’s April 2023 review of these bank failures, which reports that internal memoranda prepared by the FDIC and Federal Reserve at the time concluded that “a least-cost resolution of SVB and Signature Bank would intensify deposit runs and liquidity pressures on other U.S. banks” because (i) “many other financial institutions that derive large portions of their funding from uninsured deposits also were under considerable pressure” and (ii) “the deposit run at SVB already had caused stress at other banks with similar clients, despite material differences between the firms.”[16]
These motivating concerns over contagion appear to have had nothing to do with the size, nature, or customer base of either SVB or Signature Bank itself, and everything to do with other, similarly situated banks and the market’s more general concern that uninsured deposits would in fact be treated as uninsured deposits in a bank failure. Put simply, it does not appear that Silicon Valley Bank and Signature Bank had any intrinsic systemic importance to U.S. financial stability, but rather that the particular circumstances of their failure (a loss of market confidence generally in firms with significant unrealized losses on government securities and reliance on uninsured deposits for funding) was the basis for regulators’ fears of systemic risk.[17] They were akin to the Reserve Primary Fund or Northern Rock in the 2008 Global Financial Crisis – canaries in a coal mine, yet still canaries. In any event, it would certainly seem helpful, at a minimum, for the relevant regulators to better articulate publicly a precise view as to why either bank posed systemic risk before using their failures as a predicate for rethinking the current paradigm to identifying and regulating U.S. DSIBs.
[1] Acting Comptroller of the Currency Michael Hsu, Evolving Bank Supervision (Sept. 3, 2024) [hereinafter “Acting Comptroller Speech”], available at https://www.occ.gov/news-issuances/speeches/2024/pub-speech-2024-95.pdf.
[2] See Greg Baer, The Examination Problem, and How to Fix It (July 17, 2024), available at https://bpi.com/the-bank-examination-problem-and-how-to-fix-it/; see also Bill Nelson , Pat Parkinson & Brett Waxman, Clear Recognition of the Discount Window Would Improve Liquidity Rules (Jan. 25, 2024), available at https://bpi.com/clear-recognition-of-the-discount-window-would-improve-liquidity-rules/ (describing examiner discouragement of use of the Federal Reserve’s discount window).
[3] Id.
[4] Id.
[5] Acting Comptroller Speech at 15.
[6] For a range of concrete reform ideas in this area, see Baer, supra n. 2.
[7] See Jeremy Newell & Pat Parkinson, A Failure of (Self-) Examination: A Thorough Review of SVB’s Exam Reports Yields Conclusions Very Different From Those in the Fed’s Self-Assessment (May 8, 2024), available at https://bpi.com/wp-content/uploads/2023/05/A-Failure-of-Self-Examination-A-Thorough-Review-of-SVBs-Exam-Reports-Yields-Conclusions-Very-Different-From-Those-in-the-Feds-Self-Assessment.pdf.
[8] Acting Comptroller Speech at 4, 6. As concerns cryptocurrency activities, the speech credits “a long ground game of supervision seeking to ensure that crypto activities banks engaged in were safe, sound, and fair,” but fails to note that the OCC’s approach to doing so was to prohibit banks from engaging in any cryptocurrency or related whatsoever absent examiner approval, rather than actually discern and make public its views as to which activities were and were not safe, sound and fair. See OCC Interpretive Letter #1179 (Nov. 2021). As concerns CrowdStrike, while the role of supervision in banks’ preparedness for that incident is impossible for the public to independently ascertain, it is hard to reconcile claims of supervisory prescience here with the OCC’s recently publicized view that the very largest banks, who have thousands of IT security staff and invest [billions] of dollars in cybersecurity, are ten times more likely to have deficient information technology systems than community banks, which is counterintuitive at best. See Acting Comptroller Speech at 4, fn. 4 (noting that 33% of large banks but only 3% of community banks are “adversely IT-rated”). Barring some evidence to the contrary, it seems highly unlikely that it was examiner intervention that protected the industry from CrowdStrike’s problems. See Greg Baer, U.S. Banking Agencies Have an Operational Risk Problem, Int’L Banker(August 29, 2024), available at https://internationalbanker.com/banking/us-banking-agencies-have-an-operational-risk-problem/.
[9] Hsu Speech at 12.
[10] See 12 U.S.C. § 5365(a)(1), (2)(C)(i)(I). These statutory provisions, which are self-evidently focused on domestic systemic importance, require the Federal Reserve to establish relevant standards for all bank holding companies with $250 billion or more in assets, and permit the Federal Reserve to apply such standards to bank holding companies with between $100 billion and $250 billion in assets where appropriate. Id. By statute, such standards must “differentiate among companies on an individual basis or by category, taking into consideration their capital structure, riskiness, complexity, financial activities (including the financial activities of their subsidiaries), size, and any other risk-related factors that the Board of Governors deems appropriate.” 12 U.S.C. § 5365(a)(2)(A).
[11] These standards include enhanced capital and liquidity requirements that are applicable to the depository institution subsidiaries of large banks under joint Federal Reserve, OCC, and FDIC regulations and a broader suite of enhanced prudential standards that are applicable to large bank holding companies under Federal Reserve rules. See 12 C.F.R. parts 3 and 50 (OCC), parts 324 and 329 (FDIC), and parts 217, 225, 238, 242, 248, and 252 (Federal Reserve).
[12] Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation, Proposed Changes to Applicability Thresholds for Regulatory Capital and Liquidity Requirements, 83 Fed. Reg. 66024 at 66028 (Dec. 21, 2018) (proposed rule).
[13] This number includes all U.S. bank holding companies and intermediate holding companies of foreign banks that were subject to Category II, III, or IV standards and thus required to file FR Y-15 Systemic Risk Reports with the Federal Reserve as of the first quarter of 2024, the most recent date for which such information is available.
[14] For examples of how recent regulatory proposals would inappropriately and insufficiently tailor enhanced prudential standards for these banks, see the Bank Policy Institute’s recent comment letters on the Federal Reserve and FDIC’s proposed long-term debt requirement for certain large banks (available at https://bpi.com/wp-content/uploads/2024/07/BPI-Long-Term-Debt-Supplemental-Comment-June-5-2024.pdf) and on the Federal Reserve and FDIC’s proposed resolution planning guidance for certain large banks (available at https://bpi.com/wp-content/uploads/2023/11/BPI-Comment-Letter-165d-Proposed-Guidance-11.30.23-1.pdf).
[15] Under Section 13 of the Federal Deposit Insurance Act, although the FDIC generally is required to resolve failed banks on a least-costs basis, it also provides a “systemic risk exception” that permits the FDIC to ignore this requirement if the Secretary of the Treasury determines, upon the written recommendation of the two-thirds of the FDIC board and two-thirds of the Federal Reserve board, adherence to the least-cost requirement “would have serious adverse effects on economic conditions or financial stability.” 12 U.S.C. § 1823(C)(4)(G)(i).
[16] Government Accountability Office, Preliminary Review of Agency Actions Related to March 2023 Bank Failures (April 2023) at 29.
[17] The GAO report also notes that the FDIC and Federal Reserve also “noted that many of the uninsured depositors of the banks were corporate enterprises … [and] [t]herefore, losses to these firms or an inability to access their funds for even a short time could put these firms at risk of not being able to make payroll and pay suppliers, potentially causing disruptions to U.S. market and industrial operations.” Id. at 30. It is difficult to assess whether these concerns were a significant basis of the systemic risk exception determination – it appears from the GAO report they were after-the-fact explanations offered by agency staff, and not documented in internal memorandums prepared at the time of the determination – but if potential disruption to corporate depositors alone constitutes a serious risk to U.S. financial stability or the U.S. economy, it is hard to imagine a U.S. bank failure that wouldn’t warrant a systemic risk exception.
