The standards go to new heights
Regulators have ‘set out flares’ signaling their expectations for meeting heightened standards and the supervision of risk management. So, what will this mean for banks? What will their boards and managements need to focus on? How might they be constrained by the heightened standards and intensified supervision and examinations, or might they be able to use them as an advantage for growth?
The regulators’ focus on heightened standards spotlights:
The signals are clear. Heightened standards from the past are now front and center with a new complexion, expectations are rising, and patience is waning. How will the industry respond?
What Are “Persistent Weaknesses”?
The OCC states that “persistent weaknesses” may include:
Further, the OCC states that it may take additional and increasingly severe supervisory or enforcement action(s) when a bank exhibits “persistent weaknesses” or “continuing, recurring, or increasing deficiencies for a prolonged period.”
Source: OCC PPM 5310-3, Appendix C, May 2023
Growing supervisory scrutiny of “persistent weaknesses” at banks is focusing on management, and in particular, their ability to adequately identify and mitigate risks as well as remediate supervisory concerns or identified deficiencies, MRAs, or enforcements in a timely manner. While guidance around supervisory examinations and ratings is established, mounting intensity around “weaknesses” in risk management and compliance, especially with regard to correcting deficiencies, could lead to more stringent evaluations and potential ratings downgrades.
Regulators expect banks to correct identified deficiencies in a timely manner. Boards are expected to ensure compliance with enforcement actions within required timeframes by:
When deficiencies are “continuing, recurring, or increasing for a prolonged period,” regulators may consider additional and increasingly severe action(s), such as assessing civil money penalties (CMPs) or other enforcement actions, including requirements for board oversight of enterprise-wide action plans for resolving the “persistent weaknesses”, restrictions on growth or business activities, or directives for specific actions such as making certain investments or additions to capital or liquidity.
If a firm continues to fail to correct its persistent weaknesses in response to enforcement actions or other measures, regulators will consider further action(s) to remediate the weaknesses, such as requiring the firm to simplify or reduce operations (e.g., reducing asset size, divesting of subsidiaries/business lines, exiting from market(s) of operation).
“Repeat offenders” are companies (or their directors, employees, and affiliates) that engage in unsafe and unsound practices or exhibit deficiencies related to, or violations of, the law “over and over”. Examples may include violations of terms or conditions in formal court or agency orders, repeated violations of specific laws or regulations, and violations of law or regulations across different business lines with the same root cause.
Repeated failure to address deficiencies or correct violations heightens examiners’ concerns and may lead to additional scrutiny of management and compliance weaknesses.
While repeat offenses in all forms raise regulatory concerns, regulators evaluate the severity of the violations across a variety of factors, including a company’s intent, continuation of offenses after notification, history of violations and tendency toward violations, the duration and frequency of violations prior to notification (i.e., pattern or practice), and loss or harm to consumers.
Regulators have said that violations of formal court or agency orders are “especially egregious because [the offender] often consented to the terms as part of a settlement and clearly understand the laws and provisions to adhere to but failed to comply due to dysfunction or calculated risk.”1
Regulators further suggest that when a bank is subject to multiple enforcement actions executed or outstanding for an extended period of time, the bank’s repeated failures to address the deficiencies “become, by themselves, presumptive evidence that it is at the limits of its manageability”; failure to make sufficient progress toward correcting the deficiencies is thus an indicator of “persistent weakness”.2
Regulators will consider the evaluations, ratings, and enforcement actions a company receives from other regulators when evaluating and assigning their own ratings. Actions by one regulator deemed to be “repeat offenses” very likely will have implications for examinations by other regulators, including the prudential regulator.
A number of regulatory and enforcement agencies (e.g., CFPB, OCC, DOJ) have specifically called out a focus on reining in “repeat offenders”, including increased monitoring of those companies deemed to be repeat offenders and actions to hold those companies (and their boards and management) accountable for consistently failing to meet compliance requirements.
As a general rule, when initially identified concerns or deficiencies go unaddressed and lead to repeat offenses, regulators may consider escalation to more formal enforcement actions. If repeat offenses continue, regulators will often terminate an existing enforcement action and replace it with a more comprehensive or severe action (e.g., from an MOU to a formal agreement, or from a formal agreement to a consent order). Supervisory evaluations, enforcement actions, court or agency orders, settlements, and remediation timeframes imposed by other regulators and across applicable laws and regulations may also be factored into the regulator’s response.
For some companies, repeated offenses, repeated delays in meeting established remediation milestones, or new violations related to similar laws or regulations (so-called “recidivist” outcomes) can ultimately paint a picture of a company that is stretched to the limits of its manageability.
Companies, however, may proactively influence, and potentially minimize, the severity of regulatory actions by:
Regulators evaluate progressive levels of severity and culpability when determining an enforcement response to examination deficiencies or violations of laws or regulations. Factors that may weigh heavily against a company include:
Mitigating factors that regulators may also consider include levels of self-identification and remediation/corrective action.
“Enterprises can become so big and complex that control failures, risk management breakdowns, and negative surprises occur too frequently – not because of weak management, but because of the sheer size and complexity of the organization. In short, effective management is not infinitely scalable. This axiom underpins the TBTM problem, as well as its solution.” – Acting Comptroller of the Currency (Jan. 17, 2023)
Several dynamics are driving regulatory scrutiny of firms deemed “too big to manage” (TBTM), including inadequate oversight of controls (observed in recent enforcement actions), banking industry volatility leading to enhanced risk assessments, and intensified capital, liquidity, and recovery planning reviews.
Deficiencies identified in MRAs and/or enforcement actions, coupled with repeat offenses or failures to remediate them, are driving regulators to closely examine the size and complexity of companies, and the adequacy and limits of their manageability.
Regulators employ escalation frameworks to ensure that deficiencies are clearly identified, that banks are given opportunities to address them, and that failures to do so are met with proportionate, fair, and effective consequences. Escalation frameworks effectively use the threat of restrictions and divestitures “to force banks to prove that they are manageable and to then let the effectiveness or ineffectiveness of their actions speak for themselves.”
Regulators may consider and prescribe any combination of several options to promote remediation of “persistent weakness” or “repeat offenses”, including:
The regulators suggest, however, that as companies become larger and more complex, the most effective and efficient way to fix issues is to simplify them – divest businesses, curtail operations, reduce complexity. These are “bright line structural remedies” that “meaningfully change business incentives”.
The Heightened Standards establish standards for the design and implementation of a bank’s risk governance framework to manage and control the bank’s risk-taking activities, as well as standards for the bank’s board of directors to provide oversight of that design and implementation. The expectations, which are extensive, matter today more than ever.
Standards for a Risk Governance Framework, including such areas as:
Standards for the Board of Directors, including such areas as:
Source: 12 CFR 30, Appendix D
Take the regulatory signals—show that your organization “gets it” by establishing, sustaining, challenging, and continuously improving risk management and risk governance.
No board or executive management team wants to be deemed ‘persistently weak’, a ‘repeat offender’ and/or ‘too big to manage’. And it’s very clear that the regulatory supervisory and enforcement “levels” have ‘shifted up’.
Being able to both demonstrate and sustain the elements of "Heightened Standards", regardless of your size and complexity, will be imperative if your organization is to be in a position to expand and grow more easily in the future.