Since 2009, following the “Great Recession,” federal banking regulators have revised policies and procedures for use by examiners in supervising depository institutions’ management activities. Among them are those related to corporate governance and internal controls, and those for identifying and communicating supervisory concerns.

Concerns remain that positive economic results of recent years could mask underlying risk-management deficiencies.

Is there a better way to conduct supervisory and remediation processes?

The bipartisan Government Accountability Office developed a few suggestions in a report issued this week. Areas it examined: how consistent regulators’ revised policies and procedures are with leading risk-management practices; how they applied examination policies and procedures; and trends in supervisory concern data since 2012 and how regulators tracked such data.

The GAO compared regulators’ policies and procedures for oversight against leading practices; compared documents from selected bank examinations for 2014–2016 against regulators’ risk-management examination procedures; reviewed aggregate supervisory concern data for 2012–2016; and interviewed regulators and industry representatives.

Positive steps

A positive takeaway from the report: “Regulators differentiated levels of severity for supervisory concerns and specified when to communicate them to boards of directors at the depository institutions.”

GAO: Questions regulators should ask

The GAO urged bank regulators, as appropriate to their purview, to consider various questions regarding the process and outcomes of the supervisory and examination efforts:

  • Within the context of the consolidated financial entity, to what extent did examiners assess the bank’s implementation of its corporate governance framework?
  • Within the context of the consolidated financial entity, to what extent did examiners assess management of the bank’s core business lines?
  • To what extent did the examiners assess the bank’s board and management for active oversight of the bank, to include the extent to which examiners assessed the adequacy of the bank directors’ fulfillment of their duties and responsibilities; and assessed bank management’s fulfillment of their duties and responsibilities?
  • To what extent did examiners assess the adequacy of the bank’s policies, procedures, and limits?
  • Did examiners assess the adequacy of the bank’s risk monitoring and management information systems?
  • Did examiners assess the adequacy of the bank’s internal controls?
  • To what extent did examiners assess the adequacy of the bank’s audit function, to include internal audit staff; quality assurance; internal audit function adequacy and effectiveness; external audit staff; and regulatory examinations?
  • How did examiners assess the management rating for CAMELS (capital adequacy, asset quality, management, earnings, liquidity, and sensitivity to market risk)?
  • In identifying matters requiring attention, did examiners consistently explain the rationale for the concern?
  • In communicating matters requiring attention, did examiners write in clear and concise language, prioritize based upon degree of importance, and focus on any significant matters that require attention?
  • To what extent did examiners follow up on matters requiring attention and verify completion?
  • Did the examiner comment on how the bank accomplished compliance with enforcement actions or the reason why the bank was not in compliance with enforcement actions?
  • To what extent did examiners follow agency risk-management guidance for this examination? To what extent do the conclusion memorandums link to the supervisory letter and report of examination?
  • To what extent did the examiners assess the quantity and quality of the bank’s strategic risk, reputation risk, operational risk, and compliance risk?
  • Did the examiners assess the bank’s internal controls, including control environment, risk assessment, control activities, accounting information, communication, and self-assessment and monitoring?
  • In identifying matters requiring attention, did examiners consistently find that the concern deviates from sound governance, internal control, or risk management principles, and has the potential to adversely affect the bank’s condition, including its financial performance or risk profile?
  • Could deficiencies not addressed result in substantive noncompliance with laws and regulations, enforcement actions, supervisory guidance, or conditions imposed in writing in connection with the approval of any application or other request by the bank?
  • In follow-up on matters requiring attention, did examiners consistently communicate matters requiring attention, identify the root causes of the concern and contributing factors; describe potential consequences or effects on the bank from inaction; describe supervisory expectations for corrective actions; and document management’s commitment to corrective action and include the time frames and those responsible for corrective action?
  • Did the agency monitor the board and management’s progress implementing corrective actions; verify and validate the effectiveness of those corrective actions; perform timely verification; meet, as necessary, with the bank’s board or management to discuss progress assessments and verification results; and deliver written interim communications summarizing the findings of validation activity?
  • To what extent did examiners verify and validate bank actions to comply with enforcement actions?

Source: GAO

The GAO also found that the updated policies and procedures generally were consistent with leading risk-management practices, including federal internal control standards.

Examination documents that were reviewed also showed that examiners generally applied the regulators’ updated policies and procedures to assess management oversight at large depository institutions.

“In particular, for the institutions GAO reviewed, the regulators communicated deficiencies before an institution’s financial condition was affected and followed up on supervisory concerns to determine progress in correcting weaknesses,” the report says.

But it’s not all good news …

“Practices for communicating supervisory concerns to institutions varied among regulators and some communications do not provide complete information that could help boards of directors monitor whether deficiencies are fully addressed by management,” the GAO wrote. “Written communications of supervisory concerns from the Federal Deposit Insurance Corporation and the Board of Governors of the Federal Reserve that GAO reviewed often lacked complete information about the cause of the concern and, for the Federal Reserve, also lacked information on the potential consequences of the concern, which in one instance led to an incomplete response by an institution.”

Communicating more complete information to boards of directors of institutions, “such as the reason for a deficient activity or practice and its potential effect on the safety and soundness of operations, could help ensure more timely corrective actions,” the researchers said.

GAO also found that while supervisory concern data indicated continuing management weaknesses, regulators vary in how they track and use the data.

“Data on supervisory concerns, and regulators’ internal reports based on the data, indicated that regulators frequently cited concerns about the ability of depository institution management to control and mitigate risk,” it wrote. “However, FDIC examiners only record summary information about certain supervisory concerns and not detailed characteristics of concerns that would allow for more complete information.”

With more detailed information, the FDIC could better monitor whether emerging risks are resolved in a timely manner, the report adds. In addition, regulators vary in the nature and extent of data they collect on the escalation of supervisory concerns to enforcement actions.

“The FDIC and the Office of the Comptroller of the Currency have relatively detailed policies and procedures for escalation of supervisory concerns to enforcement actions, but the Federal Reserve does not,” the GAO also found. “According to Federal Reserve staff, in practice they consider factors such as the institution’s response to prior safety and soundness actions. But [examiners] lack specific and measurable guidelines for escalation of supervisory concerns, relying solely on the judgment or experience of examiners, their management, and Federal Reserve staff, which can result in inconsistent escalation practices.”

Recommendations

The GAO suggests that the director of the Division of Risk Management Supervision at the FDIC should update policies and procedures on communications of supervisory recommendations to institutions “to provide more complete information about the recommendation, such as the likely cause of the problem or deficient condition, when practicable.”

It also recommends that the FDIC and Federal Reserve improve information in written communication of supervisory concerns; the FDIC improve recording of supervisory concern data; and the Federal Reserve update guidelines for escalating supervisory concerns.

“The Director of the Division of Supervision and Regulation of the Board of Governors of the Federal Reserve System should [also] update policies and procedures on communications of supervisory concerns to institutions to provide more complete information about the concerns, such as the likely cause (when practicable) and potential effect of the problem or deficient condition,” the report adds.

Also detailed as potential remedies in the report:

  • The Director of the Division of Risk Management Supervision of FDIC should take steps to improve the completeness of matters requiring board attention data in its tracking system, in particular, by developing a structure that allows examiners to record MRBAs at progressively more granular levels (from a broad level such as examination area to more specific levels, including risk or concern type).
  • The Director of the Division of Supervision and Regulation of the Board of Governors of the Federal Reserve System should update policies and procedures to incorporate specific factors for escalating supervisory concerns.

The report notes that regulators also issue supervisory guidance, which they describe as including interagency statements, advisories, bulletins, policy statements, questions and answers, and frequently asked questions issued to their respective supervised institutions.

The GAO’s conclusion: “Practices for communicating supervisory concerns to institutions varied among regulators and some communications do not provide complete information that could help boards of directors monitor whether deficiencies are fully addressed by management.”

“Communicating more complete information to boards of directors of institutions, such as the reason for a deficient activity or practice and its potential effect on the safety and soundness of operations, could help ensure more timely corrective actions,” it added. “While supervisory concern data indicated continuing management weaknesses, regulators vary in how they track and use the data. Data on supervisory concerns, and regulators’ internal reports based on the data, indicated that regulators frequently cited concerns about the ability of depository institution management to control and mitigate risk.”

FDIC examiners, however, only record summary information about certain supervisory concerns and not detailed characteristics of concerns that would allow for more complete information.

“With more detailed information, FDIC management could better monitor whether emerging risks are resolved in a timely manner. In addition, the regulators vary in the nature and extent of data they collect on the escalation of supervisory concerns to enforcement actions,” the GAO wrote.

“The FDIC and the OCC have relatively detailed policies and procedures for escalation of supervisory concerns to enforcement actions, but the Federal Reserve does not,” the report says. “According to Federal Reserve staff, in practice they consider factors such as the institution’s response to prior safety and soundness actions.”

Nevertheless, the Federal Reserve lacks specific and measurable guidelines for escalation of supervisory concerns, relying solely on the judgment or experience of examiners, management, and Federal Reserve staff, which can result in inconsistent escalation practices.