Regulatory Intensity

July 2023

Regulators have ‘set out flares’ signaling their expectations for meeting heightened standards and the supervision of risk management. So, what will this mean for banks?  What will their boards and managements need to focus on? How might they be constrained by the heightened standards and intensified supervision and examinations, or might they be able to use them as an advantage for growth?

The regulators’ focus on heightened standards spotlights:

1. “Persistent weaknesses” – failure to correct deficiencies or meet supervisory expectations in a timely manner will drive exam intensity and possible ratings downgrades
2. “Repeat offenders” - failure to make “sufficient” progress toward correcting deficiencies is an indicator of “persistent weakness”
3. “Too big to manage” – when size and complexity give way to persistent/repeated weaknesses, simplification via divestiture is the regulators’ “big stick”

The signals are clear.  Heightened standards from the past are now front and center with a new complexion, expectations are rising, and patience is waning.  How will the industry respond?

Growing supervisory scrutiny of “persistent weaknesses” at banks is focusing on management, and in particular, their ability to adequately identify and mitigate risks as well as remediate supervisory concerns or identified deficiencies, MRAs, or enforcements in a timely manner. While guidance around supervisory examinations and ratings is established, mounting intensity around “weaknesses” in risk management and compliance, especially with regard to correcting deficiencies, could lead to more stringent evaluations and potential ratings downgrades.

Why it Matters

Regulators expect banks to correct identified deficiencies in a timely manner. Boards are expected to ensure compliance with enforcement actions within required timeframes by:

• Holding management accountable for the firm’s deficiencies.
• Directing management to develop and implement corrective actions.
• Approving necessary changes to the firm’s policies, processes, procedures, and controls.
• Establishing processes to monitor progress and verify and validate the effectiveness of management’s corrective actions.

When deficiencies are “continuing, recurring, or increasing for a prolonged period,” regulators may consider additional and increasingly severe action(s), such as assessing civil money penalties (CMPs) or other enforcement actions, including requirements for board oversight of enterprise-wide action plans for resolving the “persistent weaknesses”, restrictions on growth or business activities, or directives for specific actions such as making certain investments or additions to capital or liquidity.

If a firm continues to fail to correct its persistent weaknesses in response to enforcement actions or other measures, regulators will consider further action(s) to remediate the weaknesses, such as requiring the firm to simplify or reduce operations (e.g., reducing asset size, divesting of subsidiaries/business lines, exiting from market(s) of operation).

While repeat offenses in all forms raises regulatory concerns, regulators evaluate the severity of the violations across a variety factors, including a company’s intent, continuation of offenses after notification, history of violations and tendency toward violations, the duration and frequency of violations prior to notification (i.e., pattern or practice), and loss or harm to consumers.

Regulators have said that violations of formal court or agency orders are “especially egregious because [the offender] often consented to the terms as part of a settlement and clearly understand the laws and provisions to adhere to but failed to comply due to dysfunction or calculated risk.”¹

Regulators further suggest that when a bank is subject to multiple enforcement actions executed or outstanding for an extended period of time, the bank’s repeated failures to address the deficiencies “become, by themselves, presumptive evidence that it is at the limits of its manageability”; failure to make sufficient progress toward correcting the deficiencies is thus an indicator of “persistent weakness”.²

Regulators will consider the evaluations, ratings, and enforcement actions a company receives from other regulators when evaluating and assigning their own ratings. Actions by one regulator deemed to be “repeat offenses” very likely will have implications to examinations by other regulators, including the prudential regulator.

Why it Matters

A number of regulatory and enforcement agencies (e.g., CFPB, OCC, DOJ) have specifically called out a focus on reining in “repeat offenders”, including increased monitoring of those companies deemed to be repeat offenders and actions to hold those companies (and their boards and management) accountable for consistently failing to meet compliance requirements. 

As a general rule, when initially identified concerns or deficiencies go unaddressed and lead to repeat offenses, regulators may consider escalation to more formal enforcement actions. If repeat offenses continue, regulators will often terminate an existing enforcement action and replace it with a more comprehensive or severe action (e.g., from an MOU to a formal agreement, or from a formal agreement to a consent order).  Supervisory evaluations, enforcement actions, court or agency orders, settlements, and remediation timeframes imposed by other regulators and across applicable laws and regulations may also be factored into the regulator’s response.

For some companies, repeated offenses, repeated delays in meeting established remediation milestones, or new violations related to similar laws or regulations (so-called “recidivist” outcomes), can ultimately paint a picture of a company that is stretched to the limits of its manageability.

Companies, however, may proactively influence, and potentially minimize, the severity of regulatory actions by:

• Improving self-identification of deficiencies and violations.
• Providing proactive disclosure to supervisory authorities.
• Establishing timely and complete remediation processes that address root causes of problems.
• Providing customer restitution, where applicable.
• Holding responsible individuals accountable.

Several dynamics are driving regulatory scrutiny of firms that deemed “too big to manage” (TBTM), including inadequate oversight of controls (observed in recent enforcement actions), banking industry volatility leading to enhanced risk assessments, and intensified capital, liquidity, and recovery planning reviews.

Deficiencies identified in MRAs and/or enforcement actions, coupled with repeat offenses or failures to remediate them, are driving regulators to closely examine the size and complexity of companies, and the adequacy and limits of their manageability.

Why it Matters

Regulators employ escalation frameworks to ensure that deficiencies are clearly identified, banks are given opportunities to address them, and that failures to do so are met with proportionate, fair, and effective consequences. Escalation frameworks effectively use the threat of restrictions and divestitures “to force banks to prove that they are manageable and to then let the effectiveness or ineffectiveness of their actions speak for themselves.”

Regulators may consider and prescribe any combination of several options to promote remediation of “persistent weakness” or “repeat offenses”, including:

• Changing senior management.
• Increasing remediation budgets.
• Developing better action plans.
• Hiring more risk and control function personnel.
• Imposing fines
• Capping growth
• Divesting certain activities or business lines.

The regulators suggest, however, that as companies become larger and more complex, the most effective and efficient way to fix issues is to simplify them – divest businesses, curtail operations, reduce complexity. These are “bright line structural remedies” that “meaningfully change business incentives”.