“If you have ever played the game of Jenga -- where you pull blocks from a tower and add them to the top -- you know that eventually the structure falls down. It can’t handle the twin pressures of lost foundational support and additional weight,” ABA Chairman-elect, Albert Kelly declared in one of his past posts in the ABA’s Washington Perspective. Personally, I love Jenga, even though my daughter beats me every time. Albert Kelly’s reference to Jenga when comparing the burden of new regulations and the onslaught of over reaching regulatory exams is perhaps an excellent analogy to describe the current landscape at the community banking level.
I hear a lot from many of our clients about the regulatory overreach during the safety and soundness examinations. So what we are saying is that the regulators are either ignorant of the burden or have a concerted plan to close down small community banks. I get asked this question a lot at many of the Audit Committee Meetings: “Amit, what do you see out there? Are the regulators trying to close us down?”
I recently attended a conference hosted by the Financial Manager’s Society in Boca Raton, FL where I was asked to be on a panel with two regulators one from the FDIC, and one from the OTS (soon to be the OCC) to discuss TDRs (I am sure that I was asked only because they couldn’t get anyone else). I have to admit that both of the regulators, however, were extremely smart and perceptive.
Now you’re probably saying, “Et tu, Amit? You’ve joined the other side as well?” No, don’t give up on me yet! Hear me out.
When I meet individuals like them, it gives me hope that the regulators understand the regulations and the pain and burden on small community banks in particular. What I find interesting is that many of the regulators in charge of policy and technical pronouncements are indeed very knowledgeable. They actually understand the meaning of “commensurate to the complexity and size of the institution”. You will notice more and more that the regulatory policy statements provide guidance and structure, rather than specifics on implementation. While it is frustrating to not get a clear and concise methodology, the vagueness can actually be an advantage if used properly. No specifics can impact our ability to correctly implement a regulation. Similarly, a lack of specifics can actually be advantageous because it allows us the flexibility to implement that same regulation in a creative manner which meets the intended objective of the policy statement. If we take the time to understand it and develop a concise approach that makes sense for our institution, and can explain to the examiner, it can be used as an advantage.
So what happens? Some of the smaller community banks and examiners lack the in-house expertise to use this flexibility. Both tend to gravitate to a practice that they might have seen at another institution as being a one stop solution. Now, it’s important for me to emphasize the difference between regulators and examiners. We tend to use the terms interchangeably. The regulators that I often meet at the national conferences are extremely knowledgeable and actually understand these policy statements. I don’t mean to infer that examiners are not knowledgeable. As a Firm that deals in risk management and out-sourced internal audit, we too have these issues. The objective is to standardize our audit approach on a firm wide basis so that it is not based on a specific auditor’s perspective. Since we are incredibly smaller in size compared to the regulatory agencies, our burden in accomplishing this is clearly less of a challenge. So training of personnel and ensuring that everyone is on board and on the same page in a large organization can be a very challenging effort. If we compound this with an environment which requires a greater regulatory scrutiny whether it is in the Asset Quality arena or previously in the BSA/AML area, we’ve got the makings of a confused examination environment.
While I acknowledge that many of the regulators that I meet at the conferences are indeed smart, we need to also understand that regulatory agencies and the accounting profession as well are always reactionary. FASB is always catching up or reacting to an issue or concern in the accounting arena. BSA/AML regulations came out of the 9/11 incident and also because it was discovered that a few banks that were blatantly facilitating money laundering for years while they continued to get a 1or a 2 rating in compliance. We have been trying to educate our clients about the inherent IT security risks and how the Gramm-Leach-Bliley and other IT guidance are just not good enough to manage an institution’s security risks. How do you push a bank to do more when the regulators give you a 1 or 2 CAMEL rating in IT? So what essentially happens in these situations is community banks too often out-source risk management to the regulators. We are really asking our internal audit function to help us just enough to get by the regulatory exam. Many internal audit functions are very good at that. They help manage that particular need and do not go beyond that at the risk of being seen as too aggressive.
It gets complicated when a situation occurs and the regulators react. Recently, Citibank was hacked, and over 600,000 customers were potentially susceptible to ID theft. I loved Citibank’s spin on the situation as they said that it affected less than 1% of its customer data base. However, it did get a peep out of the FDIC chairman, who said that we clearly need to review the IT security standards for banks in this internet age. Let’s fast forward to next year’s regulatory exam. As a bank, we have this false sense of comfort that we are excellent in managing our IT risks as evidenced by our prior CAMEL ratings in this area. This year however, due to the reactionary environment and change in emphasis, the regulators come with different checklist and we are caught by surprise.
Similarly, let’s look at the Asset Quality situation. For many years during the “good times”, our independent loan review and the regulators emphasized payment history as the single most important criteria in evaluating credit risk. If the borrower has an excellent payment history, the argument went, who cares if I don’t have the financial information or if I don’t have an objective basis of assessing the borrower’s credit risk rating? All of a sudden, the economic landscape changes and same examiners that signed off on that same very loan as being excellent in the past were now questioning its assessment suggesting that management is somehow ill prepared to manage the credit risks of the bank. These are the same management and loans that only last year looked so rosy and wonderful. There really was no change in regulations. Regulatory policy statements for assessing credit risk haven’t really changed but we all just elected to ignore them. So now when the examiners come to the bank, fresh out of their training on the new emphasis, we, as a bank, are startled and confused. Now one can argue all day whether that is regulatory examination inconsistency or an overreach or is it really our own lack of understanding of the evolving change in the landscape. Smaller community banks often, because of lack of resources, tend to suffer the most during such times. Perhaps the Bank needs to reassess its reliance on its Loan Review vendor.
Take another example, the ALLL methodology requirement hasn’t really changed much from a regulatory perspective since 1993 (…oh here he goes again with the ALLL!). Now imagine if your internal auditor came to you during such time and tried to tell the Bank that the ALLL methodology is not consistent with the interagency policy statement. The response would have been, “You must be smoking something! Both my regulators and external auditors think that I am well reserved. In fact, my external auditors think that I may be over reserved and want me to reduce my reserve level. But we’re going to remain conservative and not do that unless our regulators say it’s okay.” As your internal auditor, I could have pleaded until I turned blue to say, “I understand that the reserve level is okay, but I am actually concerned about the methodology of how we arrived at the number and whether we can actually support it in conformity with GAAP and regulatory guidance.” I probably would have been fired.
Let’s continue this dialogue of regulatory inconsistency during examinations. As it relates to regulatory exams, I hear from many clients that there seems to be a lack of understanding of the risk emphasis with respect to identified issues during the examination. I hear of isolated exceptions being used by examiners to support a MRA or a finding in a report. More than one bank executive has told me “the examiners in charge seem to lack the authority to intervene on minor issues being raised by junior examiners and use their experience and knowledge of the bank and the environment within which the Bank operates to put things in perspective. Instead all decisions are being made at the regional or even national level by individuals who view things without taking into account the related risk factors.” I hear that a lot lately.
Having spoken in confidence with some examiners, I understand that some agencies, more than others, have specifically modified their reporting mechanism. Their internal reviews discovered that in many instances of bank failure, some of the issues were raised during exams by examiners, only to be down played and minimized by those in charge. To circumvent that weakness, the agencies have enhanced the ability of junior personnel to raise issues and weakened the ability of their immediate superiors to close them without an adequate level of documentation and support. In theory, it seems like the right way to respond. However, in practice, I believe this issue more than any other has contributed to the frustration and the use of the term “overbearance” to characterize the recent regulatory exams. The regulatory exams in some instances are suggested as being turned into a checklist mentality without an adequate level of the understanding of the risk of the identified issue. All issues are deemed high risk and subject to inclusion in the report. When junior personnel along with their immediate superiors who jointly spend 3-5 weeks in the field cannot make a decision on any issues and have to rely on regional or national personnel to make conclusions, we have the making of a scenario which is ripe for regulatory overreach. In many cases, the examiners are being required to raise all issues with the regional office and when that office concludes, without the benefit of being on the location to understand existing mitigating factors, that the raised issue is indeed serious and warrants inclusion in the report of examination, an unintended wrong signal is sent to the field examiner. This process further encourages the field examiners to be even tougher and raise even the minutest issues.
While it seems that more and more exams are becoming guilty of this pattern, I remain comforted by the fact that the regulators in-charge of policy and guidance understand risks. Unfortunately, they don’t run the exams. So maybe as the dust settles and the economy turns around, those in charge at the top will have the ability to push down their knowledge and their intended emphasis. Until then, we need to think outside the box.
Another major tremor that will affect many community banks is the merger of the OTS into the OCC. No matter what anyone says, unless these institutions are proactive, they will be in a state of shock as the try to understand how the same regulations can be interpreted and enforced in such a dynamically different way. As an out-sourced internal audit firm that has serviced the needs of both OCC community banks and those regulated by the OTS for over 25 years, we have seen the disparity in the enforcement of regulations within both agencies. This is like Wal-Mart merging into Target. I think the only thing more divergent than those two cultures would be the NCUA merging into the OCC. It will be interesting to see how OTS banks absorb the OCC culture. Quite frankly, I think banks regulated by the OTS had almost an unfair advantage over those that were not. Many of today’s thrifts act like a commercial bank, yet, their regulations were more geared towards the typical risks of thrifts. So if I am an executive of a thrift, do I wait and see the change in emphasis that the OCC will require me to implement through its regulatory exams over the next two years or do I become proactive, swallow the pain and do it of my own volition? I will bet that many will wait and complain about the regulatory burden. The risk management, compliance and internal audit structures of many of these smaller OTS institutions are extremely weak when compared to their OCC counterparts. So we have now the settings of another industry outcry of regulatory burden which we will hear over the next few years.
When smaller institutions lack internal resources and out-source many risk management functions, perhaps one thing that might help is to maintain a dialogue with the vendors to ensure that they are continually realigning their services with the shifting emphases. While this may sound self-serving, too often the need for vendors to maintain costs and be the low cost service provider restricts their ability to train personnel and invest the required resources to shift and expand their services to meet the changing times. The issue of costs vs. quality is all the more important during volatile times. In a recent Audit Committee discussion, I had a member frustratingly ask me “…I don’t understand why we had so many issues with the regulatory exam when we have an outside loan review vendor, out-sourced internal audit, out-sourced ALM vendor and external audit firm. We’re spending so much money and yet we have issues. We rely on our vendors because we don’t have the time or expertise. What could we have done differently?” This is pretty common where everyone points the finger at someone else and we ultimately learn to accept the fact that there wasn’t anything different that could have been done because it’s the regulators being overly reactive. Sometimes that is true, but in this case what really happened was that the Bank in an attempt to maintain costs, elected to reduce the internal audit’s scope in the area of loan documentation and asset quality with the acknowledgement that those areas would be covered by the loan review vendor and that it would be just a duplication of work. The loan review program, however, was managed by the Chief Lending Officer and not the Audit Committee. The CLO in his attempt to reduce the burden and save costs, also reduced the scope of that work. While everybody acted with good intentions, collectively, we had a process where one of the most important areas of a small, yet growing institution, was being ignored by all of the vendors and the Audit Committee had this false sense of comfort that all of the areas were being properly managed by reputable outside vendors.
Whether they are right, wrong, strong, weak or just “normal”, the regulatory agencies are an integral part of banking. I am not going to pretend to have the answer as to how to minimize the regulatory burden or the perceived “overreach.” Coming off the heels of a tumultuous economic meltdown and the public perception that the banking industry (to them all banks are the same) is to blame, regulations and regulatory reach is going to increase, at least for a while. During these times, to manage and to compete effectively, we will need to enhance our understanding of the regulatory changes, emphases and ensure that our processes and risk management needs are also evolving.
If not, then we can always try the Deepak Chopra method to awaken our mind-body-spirit connection with the regulators to achieve the level of spirituality, higher consciousness, and emotional freedom, and the power of intention to manage those exams. If that doesn’t work either, there is always the 21 year old Chivas Regal bottle. Come to think of it, somehow being continuously beaten by my daughter at Jenga with glass of scotch in my hand doesn’t seem to faze me much.
Amit Govil, Managing Partner, has over 25 years of experience serving the risk management needs of financial institutions