GAO & OCC Disagree Over Risk Management
Have you felt like an examiner, auditor, or other reviewer just didn’t get you, your bank, or a program/business line? The Office of the Comptroller of the Currency (OCC) can relate.
The agency disagrees with many of the findings in a recent GAO report about the agency’s efforts to manage the risk of regulatory capture at large banks. (Regulatory capture is when a regulator acts in the interest of a regulated industry rather than the public interest.)
The watchdog said that while the OCC has some policies “to encourage transparency and accountability in large bank supervision, the agency could take steps to improve the documentation of its supervision process, check for conflicts of interest, periodically assess the ethics program, and expand its approach to addressing the risk of capture across the agency, among others.” The GAO reached these conclusions after reviewing OCC policies, analyzing examination workpapers, analyzing conflict-of-interest data, the OCC’s enterprise risk management framework, and interviews of supervisory staff.
In the GAO’s report, it stated that the OCC could better address the risk of regulatory capture, then the GAO offered nine recommendations for the OCC to limit the risk of regulatory capture.
The OCC agreed with one recommendation, disagreed with five, and neither agreed nor disagreed with three.
Require documentation of examination teams’ internal deliberations that lead to consequential decisions for the bank, such as the decision whether to issue a matter requiring attention, among others.
OCC response: No thanks. There are so many conversations between a large bank and examiners, it would be onerous to record them all. It would also make staff less likely to share their thoughts.
Bank examination teams retain drafts of key documents, including the conclusion memorandum and supervisory letter, that record the supervisory review process.
OCC response: No thanks. Examiners interact amongst themselves and other experts regularly to share feedback. It says that examiners initial impressions evolve as they gain new insights and that the ombudsman is available if an examiner or bank has concerns.
Require documentation of communications with banks, including those between executive and senior management and banks, that inform supervisory decisions.
OCC response: No thanks. These communications are reflected in final reports and memos, and documenting every interaction would take time away from the actual exam.
Systematically track and monitor Large Bank Supervisions use of informal recommendations.
OCC response: There’s no indication informal recommendations are being misused, and they aren’t required anyway so tracking their adaption is a waste of resources.
Require that staff who review and record employees conflict-of-interest information (1) consistently record explanations of changes to scopes of recusals and (2) record waivers of Treasury’s supplemental standards separately from recusals.
OCC response: The agency agrees that there is value in further documenting adjustments to scopes of recusal but stands behind its existing conflict of information notices. It notes it already collects waivers, and the assessment was based on an old system that is being phased out.
Develop a policy for Large Bank Supervision (1) to check employees active conflicts of interests during the staffing process for examinations and other supervisory activities and (2) to document the results of this check.
OCC response: No thanks. It won’t do this because it would undermine personal responsibility for ethical behavior.
Revise OCC’s instructions for conducting examination workpaper reviews to ensure that they are complete, and communicate the revised instructions to employees.
OCC response: That works for us. It plans to disseminate updated instructions next year.
Conduct a periodic self-assessment of OCCs ethics program, including evaluating the implementation of its associated controls, policies, and guidance; (2) document the results; and (3) take action based on this assessment, as appropriate.
OCC response: Its ethics program is regularly reviewed and assessed, and the GAO’s opinion is “based on a selective reading of the facts.” The OCC has already planned on a new ethics management system and will create written documentation of regional office financial disclosure reports and other documentation.
Expand OCCs approach to addressing the risk of regulatory capture, including (1) revising its risk appetite statement to address risk areas other than reputational risk and (2) identifying additional factors to analyze when assessing the risk of regulatory capture.
OCC response: Its interpretation of regulatory capture includes supervision, operational, human capital and legal risk in the context of employee conduct and other evaluations. The agency will consider adding language to risk category definitions to make it more explicit, but this item is already managed.
While the OCC ended up disagreeing with most of the GAO’s recommendations, this was still a valuable exercise. Any time an organization assesses risk, it creates an opportunity to discover weaknesses that need attention. It can also present an opportunity to uncover strengths or even areas where the organization isn’t taking enough risk. That allows the organization to optimize risk, dedicating resources to the most important areas.
But this really only works when an institution is open-minded and prepared to consider the possibility that improvements are needed. At least, that appears to be the case based on research in the working paper published by the Federal Reserve Bank of Cleveland.
Researchers studied the impact of Dodd-Frank’s requirement that bank holding companies with more than $10 billion have a risk committee and that banks with more than $50 billion have a chief risk officer (CRO). Their research suggests that forcing an FI to have a risk committee or CRO doesn’t make a bank any safer or less risky. This may be because those banks are following the letter, not the spirit, of the law. (There was no research on banks that chose to adopt risk committees and CROs by choice.)
The CRO requirement actually lead to an increase in some risks, including aggregate and tail risk. That’s because when someone is tasked with risk management, that person is likely to uncover areas where an FI is actually taking fewer risks than it should.
It’s important to keep an open mind and consider recommendations from auditors, examiners, and reviewers. Even if you ultimately end up disagreeing with them, that decision will be based on a sound risk assessment instead of a gut reaction.