Banks Aren't Over-Regulated, They Are Over-Supervised

You have no doubt heard the phrase “I’m not telling you what to do, but…” and noticed that the speaker immediately, and typically with no trace of irony, then tells you precisely what to do.

If you enjoy enduring this kind of passive-aggressive bullying, I have an excellent career recommendation: become the CEO of a bank. That’s because “I’m not telling you what to do, but…” has become something of a stock phrase in bank supervision. And it well encapsulates the principal problem at the core of the American financial regulatory apparatus.

But let me step back.

Fifteen years ago, I left Wall Street for what turned out to be a four-year random walk through public policy. After a series of deeply improbable twists and turns, I served as the acting chief of the then-new Consumer Financial Protection Bureau, and then later as the CFPB’s first Deputy Director. In a mostly unsuccessful attempt to build a constructive relationship with the industry, I spent a great deal of time meeting with community and regional bank CEOs. To a man, they would complain, with impressive emotional intensity, about the “over-regulation” of the banking business.^[1]

At the time, in the still-smoldering ruins of the financial crisis, this struck me as bizarre. Banks are the beneficiaries of an array of government privileges: subsidized leverage (through insured deposits), liquidity (through the discount window and the home loan banks), exclusive access to payment rails (both through the central bank and bank-only private networks), and even choice of law (through federal preemption). Given all that, safeguards on capital, liquidity, credit exposure, market and interest rate exposure, cybersecurity, and consumer protection seemed like a fair trade to me.

More than a decade later, I realize that those bank CEOs were not exactly wrong, they were imprecise: Banks are not over-regulated, but they are — quite dramatically — over-supervised.^[2]

Supervision 101

It is difficult for non-bankers, even those within the financial services industry, to appreciate the sheer magnitude and invasiveness of the supervisory process. At least 10,000 examiners serve at the various federal bank regulatory agencies, double that if you include state bank regulatory agencies. And in my experience every examiner requires 10-20 bank, consultant, or law firm employees to prepare for, respond to, and remediate examiner findings.

The expense of this oversight – and believe me it is incredibly expensive – would surely be worth it if our supervisory efforts were laser-focused on critical risks, provided real-time directives to fix problems, and gave banks a clear understanding of the rules of the road.

But that is not the case.

Supervising Everything … Through Process 

Regulatory agencies are just like every other talent-intensive organization: If they focus on too many things, they absolutely will miss the forest for the trees. But regulatory exams are massive in scope and sprawling in nature. This inevitably obscures those issues that are genuinely important to safety and soundness. Indeed, the Federal Reserve’s own post-mortem on the 2023 Silicon Valley Bank failure noted that before its demise SVB had 12 “Matters Requiring Immediate Attention,” precisely zero of which focused on the interest rate risk that ultimately drove its fatal bank run.^[3] 

This lack of focus is compounded by a monomaniacal obsession on process as opposed to substance. Borne out of the quite correct notion that prudential regulators should be guarding safety and soundness, not dictating business strategy, this approach has curdled into a frustratingly diffuse and oblique way of thinking and talking about substantive risks. Rarely does a banker hear a declarative statement like “your bond portfolio’s mark-to-market value is going to be severely and visibly impaired if rates rise quickly, which seems pretty likely.” One would be much more likely to hear something elliptical like “you have insufficiently documented your compliance with your interest rate risk governance and controls, and your second- and third-lines of defense have failed to detect that lack of documentation or escalate it through approved channels to the appropriate executive and board committees.”

An obsessive focus on process, I suppose, need not necessarily result in rote box-checking exercises. But it usually does. As Acting Comptroller of the Currency Michael Hsu just last week noted, “The problem with check-the-box supervision is that there are a lot of boxes to check, and each box is given equal weight. This ensures comprehensiveness, but artificially limits our ability where it is needed most.”^[4]

Yesterday’s News

Beyond obscuring critical substantive issues and burning through immense financial resources, there are also pernicious second- and third-order implications of too broadly scoped and process-obsessed supervision.

Most obviously, managing overly broad examination agendas requires, at least in today’s breathtakingly manual approach to supervision, long cycle times between the activities being supervised and the rendering of final supervisory results. Bank management teams and boards typically receive final exam output not weeks or months after the beginning of the time period examined, but rather quarters or even years later. In a fast-changing market, this guarantees that supervisory remediation demands will feel stale by the time they are finally rendered. Indeed, because preliminary exam results are typically (and wisely) shared informally with bank management, and because bank management typically (and wisely) tries to respond to fix problems that are even informally raised, final exam reports can feel decidedly anachronistic by the time they finally emerge.

Mother May I?

Today’s supervisory approach also encourages sclerosis in what otherwise should be a dynamic and innovative banking sector. Because the “management” component of the so-called CAMELS^[5] ratings is so susceptible to inherently subjective criticism of internal processes and procedures, it becomes a useful tool to stand in the way of — or stonewall through a never-ending series of questions — virtually any bank customer or product strategy that might be novel or innovative or just disfavored, despite not presenting any non-trivial risk to safety and soundness.^[6] As Lieutenant Columbo would have said, had he been at, say, the FDIC instead of the LAPD, “Just one more thing: I’m not telling you what to do as a business matter, but you need to revisit your second-line reviews of your first-line execution of documented procedures.”^[7] Left unchecked, this can lead to a distressing monoculture of bank strategies, a particularly ironic tragedy for a nation that still has more than 5,000 banks and credit unions, and one that is a disservice to customers and businesses alike.

Matching Human Capital to Capital

I am also personally quite concerned about the long-term damage to the talent base in the banking industry, and indeed within the bank regulatory agencies themselves, as a consequence of today’s process-mad approach to supervision. The banking business — where success should be about being smart about business strategy, and customer and community needs, and psychology, and technology, and finance — should be fun. It should appeal to the desire to help people and businesses to do more to thrive. It should focus on how to deal with substantive risk; it should not obsessively focus in too-long meetings with too-numerous participants on how we should monitor the policies by which we dictate the processes by which committees will govern risk decisions.

Thinking about risk is not the same as thinking about risk processes. The former feels challenging and rewarding; the latter feels too frequently like a giant expensive waste of time. Great talent notices that difference, and great talent matters for the future of the industry. We are lucky to have terrific talent within both banks and within bank regulatory agencies today, but we must not take it for granted. It can and will change faster than you expect.

Fixing It

So what do we do, when should we do it, and how?

The luxury of this moment, actually, is that the first two questions have answers that have, I should hope, quite broad appeal. Both the Acting Comptroller of the Currency and the leader of the trade association for the largest banks seem to agree that we should focus our supervisory efforts on issues material to safety and soundness.^[8] I obviously agree. And given that agreement the obvious answer to “when” is right now. Difficult change must either happen when the industry is performing well in a resilient economy or in a crisis, usually one precipitated by the failure to take action when things were good. I would very much prefer acting now.

The much harder question is “how.” The regulatory agencies are, probably justifiably, proud of their long histories of public service. But that pride breeds cultures that are strikingly conservative and resistant to change. As importantly, unlike private sector firms, they do not have the crucible of a profit imperative to burn away unproductive practices and orthodoxies. And it shows. It is not as though bank examiners cannot articulate the most important issues facing their regulated charges; it is just that they often just have no reason to stop working on things other than the most important issues.

The only solution is strong top-down leadership that imposes ambitious goals. Without stretch goals that will feel strikingly out of reach at the outset, real change will not be possible. If it were me, I would set out, in a pilot with a handful of mid-sized banks, to structure a supervisory exam strategy that costs 75% less (in combined bank and agency costs) and is 75% faster from first-day letter to final report than today’s norms.^[9] I would embrace pilot uses of new technology tools in pursuit of those goals. And then I would iterate on those initial (almost certainly unsuccessful) results.

This will be difficult, and even painful. But I very much believe it will be worth it.

The opinions shared in this article are the author’s own and do not reflect the views of any organization they are affiliated with.

^[1] And they were, overwhelmingly, men. They still are.

^[2] This imprecision echoes the confusion reflected by banks' frequent complaints that fintech firms are not subject to regulation. Fintech firms very much are subject to regulation, it is bank-style supervision that they do not face. (Although, notably, the Dodd Frank reforms extended CFPB supervisory authority to thousands of non-bank firms).

^[3] See J. Newell and P. Parkinson, “A Failure of (Self-) Examination: A Thorough Review of SVB’s Exam Reports” (May 8, 2023), & analyzing M. Barr, “Review of the Federal Reserve’s Supervision and Regulation of Silicon Valley Bank,” at Table 2 (April 28, 2023)

^[4] M. Hsu, “Evolving Bank Supervision,” Remarks Before the Joint European Banking Authority and the European Central Bank International Conference (September 3, 2024)

^[5] For those so lucky to be new to the acronym: Capital, Asset quality, Management, Earnings, Liquidity, and Sensitivity to market and interest rate risk.

^[6] Greg Baer, who leads the Bank Policy Institute, has gone so far as to suggest that “reformers at the agencies could simply eliminate the wholly subjective and standardless Management rating and instead focus a new, less catchy ‘CAELS’ rating system on objective, material matters.” G. Baer, “The Bank Examination Problem, and How to Fix It” (July 17, 2024). Mr. Baer is a smart and experienced person, but he is bad at anagrams. His proposed new rating system would obviously be called “SCALE.”

^[7] While not, strictly speaking, relevant to bank supervision, fellow Gen-Xers may be interested in this from the ever-reliable Wikipedia: “Columbo's signature catchphrase, 'just one more thing,’ originated when [the screenwriters] were writing a scene in which Columbo interrogated a criminal before leaving his apartment. The scene was too short, however, and they could not add conversation into the middle of the scene as they were using a typewriter, and that would require rewriting the scene from the beginning. They decided to fix this by having Columbo stick his head back through the door and say ‘just one more thing’ as if he had forgotten something.”

^[8] Compare M. Hsu, supra note 4, with G. Baer, supra note 6.

^[9] It is not, in fact, me. But the very premise of Open Banker means that I get to have my say anyway.

Open Banker curates the perspectives of top policy professionals in the evolving landscape of financial services in the United States.

If an idea matters, you’ll find it here. If you find an idea here, it matters. 

Interested in contributing to Open Banker? Send us an email at [email protected].