The enactment of the Dodd-Frank Wall Street Reform and Consumer Protection Act ("Dodd-Frank Act," or "Dodd-Frank")1 in 2010 was a watershed moment in the history of U.S. financial services regulation. As we move through 2013 with many key regulatory actions still hanging in the balance, it has become apparent that Dodd-Frank has catalyzed fundamental changes in the financial regulatory environment, and that banking organizations and other regulated firms will need to understand and respond to these changes in order to manage the new environment.
How can a financial institution doing business in the United States respond to the regulatory changes resulting from the Dodd-Frank Act and adapt to the increasing intensity of financial agency supervision and regulation? Our goal in asking this question is to propose a conceptual framework for operating in the new financial regulatory environment, along with a series of concrete suggestions that will assist financial firms in planning for and responding constructively to the new environment.
In the time since Dodd-Frank's enactment, two broad regulatory phenomena have become apparent: (i) the supervisory climate has changed, involving more extensive and intrusive examination and regulation, and (ii) many of the regulatory changes that presumably were limited to systemically important organizations are flowing down to nearly all banks,2 regardless of size. Accordingly, all segments of the banking industry will need to understand the evolving climate and prepare for new regulatory standards.
Changing rules and principles will, of course, affect different banks in different ways. At least four different private sector constituencies have specific and significant interests at stake. Large U.S. banks and large foreign banks with U.S. operations, namely, those with $50 billion or more in consolidated assets, face the most substantial changes, including new prudential standards, capital and liquidity requirements, potential restrictions on activities, and several testing and planning obligations. Mid-size banks, those with between $10 and $50 billion in assets, are subject to several of the same requirements, including stress testing and capital planning. Community banks, those below the $10 billion threshold, are likely to encounter new requirements seemingly designed only for the largest banks but that nevertheless flow down to them in some form, such as capital and liquidity planning. Finally, nonbank financial institutions that have been designated as systemically important financial institutions ("nonbank SIFIs") by the Financial Stability Oversight Council (the "Council") will need to comply with banking-based requirements to which they may be unaccustomed.3
Dodd-Frank has also created a fifth constituency—the regulators themselves. They have received new powers, but they also must take on the unenviable task of turning the Dodd-Frank principles into meaningful and enforceable regulations. Their discretion to promulgate rules is limited; much of Dodd-Frank is devoted to telling the regulators what to do and preventing the agencies from setting the "wrong" regulatory priorities. Given their limited resources, the agencies remain in the middle of their work—a major hindrance to banks attempting to develop compliance programs while not knowing key provisions of the new requirements.
As we discuss in greater depth in this paper, a number of broad duties are emerging from the legislation and regulatory efforts to implement the statute, including obligations to:
- Review and strengthen the governance structure.
- Conduct more intensive capital and liquidity planning.
- Engage in more stringent risk management planning and testing.
- Conduct a business risk/retention analysis.
- Review the adequacy of the enterprise risk management structure
- Ensure that resources are available to the organization to help execute the tasks.
- Respond proactively to regulatory climate change.
Dodd-Frank is a work in progress, and the future decisions of the regulators will affect many of the conclusions we draw in this discussion. Still, regulatory actions to date—formal and informal—are shaping the new regulatory climate in several distinct ways.
Background - How We Arrived Here
Many elements of the new regulatory climate can be traced to the origins of financial regulation at the federal level. In an ironic or at least unintended sense, the expansion of federal regulation of the financial services industry and the accretion of multiple agencies over the past 150 years, beginning with the National Bank Act, laid the groundwork for what proved to be the markedly inadequate government response to the increasing risks to the financial system during the mid-2000s and the resulting financial crisis.
Each piece of federal legislation that constituted a part of the regulatory framework before the 2008 financial crisis was a response to a prior financial need or crisis at the time it was enacted4 and provided a near-term result, including the establishment of at least one new agency. There was, however, little if any effort to reconcile any new requirements with the existing regulatory framework or to consolidate agencies. Accordingly, the legacy U.S. financial regulatory system became increasingly disaggregated, with multiple financial regulatory authorities separately examining financial firms under their respective jurisdictions. Several important consequences have followed.
First, no one financial regulatory agency has been legally or functionally responsible or accountable for the supervision of the entire U.S. financial system, or the legal and financial interrelationships between and among U.S. financial institution participants or financial markets. The logical candidate for such a role would have been the Federal Reserve Board (the "Board") with its multifaceted responsibilities for bank holding companies and their nonbank subsidiaries, state member banks and U.S. banking operations of foreign banking organizations, along with its overall monetary policy responsibilities. But the Board never had primary regulatory and examination authority over wide swaths of the industry, and its back-up authority was of little practical use.
Second, there has been no established legal or supervisory mechanism for any Federal financial agency, or group of agencies, to "see the whole picture" in the U.S. financial system. In addition to the multiplicity of federal regulatory agencies, the "dual banking" financial regulatory system in the United States, with its parallel frameworks of Federal and State financial institution organization, supervision and regulation, coupled with large classes of lightly regulated nonbank lenders and financial intermediaries, seriously undercut any meaningful prospect of effectively supervising financial intermediaries across the country in a consolidated and coordinated manner.
Third, the Federal financial regulatory agencies have conducted their day-to-day regulatory examination activities almost entirely on a stand-alone basis. Because each agency was created at a different point in time for different purposes, each agency also brought its own particular and well-developed institutional history and attitudes, acquired over many years, to its supervision and regulation tasks. The gap between bank and securities regulation is notably wide. Bank regulation historically has been prudentially oriented, with a distinct emphasis on the safety and soundness of individual institutions. The statutes guiding the Securities and Exchange Commission ("SEC") and the Commodity Futures Trading Commission ("CFTC") have, by contrast, led those agencies to emphasize investor protection, trading market stability, and compliance. Up until the financial crisis, joint examinations occurred only infrequently, where efforts to coordinate regulations were one-off affairs where a particular issue demanded agency uniformity, and even in these cases, not all financial regulatory agencies have been included.
Given these conditions—the absence of central regulation, the lack of any mechanism for understanding risk throughout the financial services industry, and largely uncoordinated regulation—it is not surprising that the full extent of financial risk that grew within the U.S. financial markets, particularly during the first decade of the current century, and the threat that this risk posed to the U.S. markets, was not identified or addressed by U.S. financial regulators until it was too late. Important, but by no means the only, examples are the failure to see the build-up of high-risk subprime mortgage loans in the secondary market (primarily Fannie Mae and Freddie Mac) and to appreciate growing credit risk in the shadow banking system—nonbank mortgage lenders and brokers, as well as unregulated OTC swaps entities.
When the size and scope of the accumulated risk became fully apparent as the financial markets threatened to grind to a halt in the fall of 2008, it followed almost inevitably that the level of systemic risk created by the activities and interdependencies of key financial markets and market participants was simply too high to allow these major financial players to fail without the provision of government assistance.5
The Legislative Response
Such an after-the-fact regulatory response involving the use of taxpayer funds to support private industry was unacceptable both politically and economically. The Congressional response was the Dodd-Frank Act. The statute attempts to reduce systemic risk and the prospect of future publicly funded bailouts not only through more stringent regulation of specific operations of banks and nonbank SIFIs but also through a new framework of agencies, supervision and regulation of large financial institutions at the enterprise or holding company level, greater regulatory responsibility for "connectivities" in the financial markets (e.g., exchanges and central clearing facilities), and expansion of regulatory oversight to the shadow banking system. In order to understand the new regulatory climate, a bank or nonbank SIFI must consider Dodd-Frank not only from the industry perspective but also from that of the regulatory agencies.
The Industry Perspective
Dodd-Frank addresses nearly every aspect of a bank's operations based on the assumption that many activities, such as mortgage lending or over-the-counter derivatives trading, contributed to or amplified the financial crisis, while others, such as proprietary trading or the ownership or sponsorship of hedge funds or private equity funds, might do so in the future. Taken as a whole, Dodd-Frank has made financial regulation materially more complex, and it will significantly increase management oversight, compliance and reporting costs for financial institutions, increase the incidence of compliance shortfalls and violations, and dramatically increase the supervisory and regulatory responsibilities of all federal financial institutions regulatory agencies. In turn, different constituencies will have larger and more specific interests at stake.
Large banks. These organizations will be subject to "enhanced prudential standards," a set of requirements that is the primary source (although not the only source) of the new regulatory climate.
Nonbank SIFIs. Regulatory climate change will be most dramatic for these institutions. They will be subject to nearly the same enhanced prudential standards as will large banks, yet because these SIFIs are by definition not banking firms, the SIFIs will have had little experience with the Board as a regulator and will be unaccustomed to prudential regulations that have been designed for the banking industry and that limit day-to-day activities to a far greater degree than do insurance or securities regulation.
Mid-size banks. Some of the enhanced prudential standards for large banks—e.g., stress testing and risk committees—have been forced on mid-size banks by Dodd-Frank, while others likely will be the model for mid-tier bank supervision.
Community banks. Concepts used for large banks, including stress testing and capital planning, have been applied to community banks as well. The regulators have attempted to say that such requirements are different from the enhanced prudential standards, but, in the end, the regulators are likely to borrow from those standards in their supervision and regulation of community banks.
Changes in Supervisory Authority and Perspectives
The regulatory framework embedded in Dodd-Frank can be seen to address each of the defects in the regulatory structure that existed before the financial crisis. Indeed, Title I (the title that addresses systemic risk most directly) creates no obligations directly for banks or any other financial institutions. Rather, this title primarily instructs the regulators on how to regulate. In other words, Title I functions primarily to set the agenda for the federal financial regulatory agencies.
Centralized regulation(?). Dodd-Frank tries to address the absence of a centralized regulator in a somewhat peculiar fashion, with grants of authority to four agencies, the newly created Council, the Board, the Federal Deposit Insurance Corporation ("FDIC"), and the Consumer Financial Protection Bureau (the "Bureau"), each with specific responsibilities.6 All have begun to lay the groundwork for the exercise of their new authority, but none has finished.
The Council is charged with designating nonbank financial firms as nonbank SIFIs, identifying practices (regardless of which firms may undertake such practices) that present systemic risk, and with recommending prudential regulations to the Board. The Council has similar responsibilities under Title VIII for "financial market utilities" ("FMUs"), entities that are engaged in financial transactions processing, clearance and settlement activities.
The Board now has the power and duties to act as the overarching safety and soundness regulator of all bank holding companies and nonbank SIFIs. Its principal new power is the ability to supervise and examine banking organizations on an enterprise-wide basis. Its flexibility as a regulator and its ability to set priorities has, however, been reduced. Among other things, the Board must impose enhanced regulatory, prudential and regulatory capital requirements and restrictions on large banks and nonbank SIFIs, require more rigorous reporting, and develop more stringent regulatory requirements for financial activities identified by the Council. The Board also must require large banks and nonbank SIFIs to submit contingent resolution plans; adopt a program for the early remediation of SIFIs that are experiencing financial distress; and require SIFIs to divest or terminate businesses that may pose a grave threat to U.S. financial stability (section 121). Additionally, Title VIII requires the Board to issue new regulations governing the operations of FMUs.
The FDIC has been authorized under the Title II provisions that establish the Orderly Liquidation Authority ("OLA") to act as receiver for and, thus to manage the liquidation of, the non-depository activities of large banking organizations and nonbank SIFIs. Although the Council and the Board initially must approve the appointment of the FDIC as receiver, upon its appointment, the FDIC has largely unfettered discretion to liquidate large banks and nonbank SIFIs. Moreover, the FDIC's OLA authority gives it an ongoing role in the regulation of large banks and nonbank SIFIs: for example, it reviews resolution plans and participates in the designation of nonbank SIFIs in which orderly liquidation may be an important factor.
The Bureau has succeeded to the authority of federal agencies, including the Board and the Federal Trade Commission, to issue consumer protection rules that apply to financial products and services. The Bureau's powers are more limited than those of the other agencies with centralized authority, and are compliance rather than prudential in nature. Further, the Bureau does not have supervisory or enforcement authority over banks with less than $10 billion in assets.
Comprehensive understanding of risk. The Dodd-Frank Act formally declares that the purposes of the Council are to "identify risks to the financial stability of the United States," to eliminate industry expectations of government support, and to respond to emerging threats to financial stability. Accordingly, it is given 14 different duties, which involve information collection, risk assessment, and recommendations on improved regulation and supervision. A critical element of the Council's work is monitoring the shadow banking system.
Agency coordination. Dodd-Frank seeks to enhance agency coordination in three respects. First, one explicit duty of the Council is to "facilitate information sharing and coordination" among regulatory agencies. Second, the statute avoids some coordination issues by centralizing authority in one agency—e.g., the Board's broad authority to supervise banks and nonbank SIFIs on an enterprise-wide basis, without deference to other agencies. Third, Dodd-Frank requires considerable joint rulemaking by the federal financial regulatory agencies, as well as interagency consultations, but whether these requirements streamline or complicate interagency action remains to be seen.
Changes in regulatory and public attitudes. An important consequence of the financial crisis and the reaction encapsulated in Dodd-Frank is the far-reaching change in the agencies' approach to regulation and the regulated industries. In general, the financial regulatory agencies are adopting a more critical and less forgiving attitude in their supervision and regulation activities in diverse areas such as BSA/AML, governance and oversight, risk management and asset quality.
In addition to the general perception of regulatory diffidence leading up to the financial crisis, the events of the past year, including the JPM Chase "London Whale" matter and the LIBOR "scandal," have resulted in continued congressional and public criticisms of U.S. regulators that were viewed as being "asleep at the switch." Whether these perceptions and criticisms are accurate is beside the point—the fact is, they exist, and the temperature of the supervisory environment has become correspondingly more frigid and will remain that way for the foreseeable future. The regulators also must take into account the continuing public anger over the perceived misbehavior of the financial industry during the run-up to the financial crisis, and the continuing perception—correct or not—that financial institutions are continuing to misbehave and are not being held accountable for their behavior. The agencies are responding with a renewed supervisory intensity and an increased willingness to resort to their enforcement and compliance tools to address these concerns.
What Has Not Changed in Financial Services Regulation?
Notwithstanding efforts to correct regulatory deficiencies, Dodd-Frank did not dismantle the existing regulatory framework. First, the statute does not modify the fundamental objective of financial regulation, which is promoting the safety and soundness of the financial system and its participants. The historical focus of financial regulation on prudential supervision remains fully in place. The regulatory agencies will continue to administer the system, developed over decades of regulatory activities, of principles, policies, programs and expectations on how financial firms should manage their financial and operational risks.
Second, recognizing the attempts in Dodd-Frank to centralize regulation and improve interagency coordination, disaggregation remains a fact of life. The federal and state regulatory agencies responsible for prudential financial supervision remain the same, with the exception of the abolition of the Office of Thrift Supervision. Just as important, Dodd-Frank did not result in any material reallocation of supervisory and regulatory jurisdiction among the federal banking and securities/commodity agencies, apart from the OCC's and the Board's assumption of the OTS' legal and supervisory responsibilities over savings institutions and their holding companies. If anything, Dodd-Frank created greater disaggregation through the establishment of the Bureau, whose activities in consumer financial regulation will have a material effect on the scope and intensity of financial regulation, including more complicated examination schedules and conceivably additional input on prudential supervision. In short, we still are faced with multiple federal (and state) regulatory bodies exercising separate—and often competing or inconsistent—regulatory authority over their constituents, many of which are simultaneously regulated by multiple federal financial agencies.7
Third, the historic legal and supervisory tools that the financial regulatory agencies have used to perform their responsibilities all are still in place without significant modifications. The federal regulatory agencies can conduct the same examinations, engage in the same supervision, promulgate the same regulations, take the same enforcement actions, and use the other regulatory, enforcement and compliance tools that they had before Dodd-Frank. Dodd-Frank may have given the agencies some additional authority at the enterprise (holding company) level, along with many more requirements to enforce, but the statute has not changed the fundamental ways in which the various federal financial agencies go about their supervisory and regulatory activities.
Fourth, the historic regulatory attitudes, and institutional differences among regulators that were characteristic of regulatory attitudes and activities prior to the Dodd-Frank Act have remained in place. There is nothing in the individual and collective behavior of the banking and securities/commodities regulatory agencies since mid-2010 that indicates any material change, or the likelihood of such change, in their long-held institutional points of view. In turn, the continued existence and authority of these multiple regulatory agencies continues the strong influence that the diverse regulatory attitudes of the various agencies will continue to exert on U.S. financial regulation.
In short, while the regulators will have to "learn" how to perform their systemic supervision duties in the new regulatory environment, they will rely on established regulatory and supervisory practices, policies and procedures to the maximum extent that they can do so.
The Challenges and Impact of the Dodd-Frank Act Supervisory Framework
The grant of new authority to and the imposition of new duties on the federal financial regulatory agencies will, against the backdrop of a decades-long system of regulation, mean that the new regulatory framework should be of more than passing interest to the broad financial services community, and not just for large banks and other financial institutions that may be designated as systemically important.
First, the efforts of the regulatory agencies to apply prudential and regulatory gradations in their oversight of a diverse SIFI population will reverberate in the broader financial services community: in many cases, supervisory policies and practices developed for SIFIs are likely to become de facto "gold standard" practices across the board. For example, the enhanced prudential standards for large banks will include risk management oversight principles and practices that logically would find their way into the supervisory programs used for the larger banking community.
Second, this impact will be accentuated by key requirements of Dodd-Frank (e.g., regulatory capital and the Collins amendment, the Volcker Rule, derivatives trading and the Lincoln Amendment, and stress-testing for banks of $10 billion or more in assets) that reach beyond SIFIs to banking organizations in general. In turn, it may become more difficult for the regulatory agencies to draw SIFI/non-SIFI distinctions in these and probably many other regulatory subject areas. Regulatory capital is the current and obvious example. The federal banking agencies have proposed (although not yet finalized) capital rules based on Basel III. Even though the Basel III standards were developed for large, internationally active banks, the U.S. proposals go well beyond large banks to the banking industry as a whole, including community banks. The Volcker Rule and the proposed implementing regulations published by the financial agencies are another example of this phenomenon: the Volcker Rule by its terms applies to all banking organizations that engage in trading or private fund activities, and most banks will have to implement a separate compliance regimen to address a statutory prohibition that is plainly based on a concern over the systemic impact of covered trading and fund activities.8
Third, while Dodd-Frank nominally orients the SIFI regulatory regime towards an identified class of important financial services firms, the actual implementation will result in the regulation and supervision of a large universe of organizationally and financially diverse financial services firms with very different business lines and risk postures. In order to be effective, the SIFI regime must be tailored to take into account the different business operations, geographic locations, market/counterparty exposures and risk management systems of affected SIFIs. In addition, SIFI activities and risk profiles will be dynamic as a result of their ongoing business activities, changes in business, or changes in their financial condition, which in turn will result in increases and decreases in SIFI risk profiles.
To date, the regulatory actions taken to create the SIFI regulatory regime have proceeded in fits and starts, and there are important issues that have still not been definitively addressed. In its systemic regulation proposals,9 the Board has acknowledged that there will be variations in the nature and intensity of federal supervision and regulation among domestic and foreign bank SIFIs, but the Board has also proposed applying the same general prudential requirements to bank and nonbank SIFIs alike, to the dismay of the large nonbank financial institutions community. At the same time, the federal regulators (through the Council), almost three years after Dodd-Frank's enactment, have not reached agreement on which nonbank financial institutions to designate as SIFIs, a fact that tellingly signals the major challenges that the Council and its constituent regulators are confronting in implementing the SIFI regime.
Overall, the challenges of adapting to the new regulatory regime will be substantial not only for the regulatory agencies, but for all major financial institutions. Banking organizations that are already in the bank regulatory matrix, however, will not see fundamental changes in how they are regulated, but they will see more intensive and more intrusive supervision and regulation. Similarly, foreign bank SIFIs, which also have some familiarity with U.S. (primarily Board) banking regulation, will experience an increase in the scope and tenor of regulatory supervision, although those entities with modest U.S. operations may be less affected by these changes. Major nonbank financial institutions that are designated as systemically important, however, will have to adapt and adjust to a whole new system of financial regulation, and one that has a long history of engrained institutional processes and attitudes. Compounding the issue for these nonbank institutions will be a significant divergence, between bank and nonbank regulatory regimens, in areas such as insurance regulation, where there are long-established principles and practices in core areas such as capital and solvency regulation that diverge markedly from the basic scheme of bank regulation.
What to Expect in the New Regulatory Climate
It is one matter to talk about changes and trends in U.S. financial regulation and the regulatory environment, but another matter to understand what those changes will mean for regulated financial institutions in the U.S., and how banks and other financial institutions should prepare for and adapt to those changes. We attempt below to pull together these changes and assess at a high level what they will mean to financial institutions going forward. We later offer some observations on response strategies and activities for banks and other U.S. financial institutions.
In our view, there are seven major consequences for regulatory supervision and oversight that flow from the Dodd-Frank Act and related regulatory trends. Bank supervision and examinations already are incorporating these changes; the OCC has been especially forthright in alerting national banks—particularly community banks—to the evolving regulatory regime.
1. A greater supervisory emphasis on vertical and horizontal supervision and regulation. One of the lessons of the financial crisis was that the bank and securities/commodity regulators "failed to see the big picture" of the financial system. As a result, they did not appreciate the nature and extent of financial risk, and the extent to which the risks being assumed by individual financial institutions affected, and were affected by, the risks assumed by other financial institutions, until it was too late. Systemic regulation is supposed to solve this problem, and the new system of macroprudential monitoring and supervision—or, "horizontal" supervision across multiple financial institutions—will be a key element of bank and financial institution supervision and examination going forward. The peer review process has been one supervisory tool that the regulators have occasionally used, but the macroprudential approach to supervision will go far beyond that process.
In addition, the regulation of financial relationships between unaffiliated financial institutions undoubtedly will increase as the regulatory agencies pay more attention to the risks arising from various types of credit and operational relationships among financial institutions. By the same token, "vertical" regulation—the regulation of a single banking or other financial enterprise—is likely to become more focused on the financial enterprise as a whole, and the financial relations among the banking and nonbanking components of a single financial enterprise. Dodd-Frank gave the Board clear authority to undertake just such regulation, and we can see how this is beginning to play out as the regulatory framework develops. For example, there is significantly more regulatory attention being paid to the tracking and quantification of counterparty exposures across a single banking enterprise (horizontal regulation), just as there is on the capital and liquidity planning that a banking organization now must undertake for its business lines and legal entities (vertical regulation).
2. Greater regulatory insistence on comprehensive and transparent risk management and mitigation activities. Modern financial services is all about the assumption and management of risks, and the regulatory agencies will expect their regulated constituents to do a better job in identifying and managing risks. "Doing a better job" will mean, among other things, having in place strong, clear and effective risk management policies, procedures and systems that are transparent, well-documented and actively enforced.
For the most part, this is not likely to be a qualitative departure from what the regulatory agencies currently expect of their constituents, but it is easy to see—and emerging supervisory activities and trends support this observation—how the intensive risk-based supervision that will be a cornerstone of the SIFI regulatory system will have a broader impact on the level of risk-based supervision and examination in the financial system as a whole. For example, the OCC has circulated an extensive set of risk management principles to large bank directors that demonstrates the agency's increased attention to risk management processes.10
3. A stronger emphasis on corporate governance and accountability. A close corollary of the preceding consequence certainly will be increased regulatory scrutiny of corporate governance, management oversight and individual accountability. Financial institutions regulation has progressively raised the profile of governance and accountability, but Dodd-Frank will accelerate that trend not only in risk management oversight and audit, but also in other areas, including codes of ethics, conflicts of interest, executive compensation, compliance oversight, human resource management and business practices. The emphasis on accountability clearly will be focused primarily on the directors and senior executives of regulated financial institutions, who by all accounts will be held to higher standards, but a broader supervisory focus on enterprise-wide accountability may develop as well over time. The OCC guidelines noted above include stringent corporate governance standards.
4. A strong emphasis on capital and liquidity resources. This comes as absolutely no surprise, but capital and liquidity will become two primary benchmarks for financial health not only for individual financial institutions, but across the financial services industry. Regardless of whether the bank regulatory agencies continue down the current path of importing wholesale the requirements of the current Basel Committee accord into the U.S. regulatory capital framework, the trend is clear: more and better (namely, common equity) capital will be required. The focus of some regulators on the leverage ratio (as opposed to the risk-based standards) also will involve greater attention to capital quality.
Likewise, liquidity standards and requirements, even if the formal Basel Committee liquidity requirements are only applied in the U.S. to the large, internationally active banks—and that limited application is by no means assured at this time—will almost certainly become a key feature of the financial institutions examination and supervision process.
5. More supervisory attention to credit and operational exposures and concentrations. The supervision of credit exposures and asset concentrations has been an established feature of the regulatory landscape from the inception of modern bank supervision. The financial crisis, however, and Dodd-Frank's response to the crisis at the SIFI level, underscores the high level of legislative and regulatory concern over the consequences of failing to properly identify and manage these risks in a globalized and highly interconnected financial environment. That concern, in turn, will lead to heightened supervisory expectations that regulated financial institutions identify and manage their exposures, both for individual counterparties, but also across separate and correlated asset classes and exposures. As required by Dodd-Frank, the Board's proposed enhanced prudential standards for large banks (and nonbank SIFIs) include new limits on counterparty credit exposures, and the Board also has proposed a process for periodically reporting such exposures. There is more to counterparty exposure management than credit exposures, however, and there is a clear trend towards more supervisory attention to financial institutions' operational exposures, whether those exposures are to clearinghouses, payments systems, technology services providers or catastrophic external events.
6. Process: The journey will matter just as much as the destination. The increasing emphasis on policies, procedures, systems and controls across multiple business and operational areas plainly shows that, to the regulators, a banking organization's governance, management and compliance processes matter just as much, if not more, than the simple end result of making a profit or being in compliance with applicable regulatory and supervisory requirements. And processes, in turn, have to be carefully conceived, developed, put into writing and consistently applied. To some, this may be the final triumph of form over substance, but the regulators strongly believe that the quality of the form (processes) will largely dictate the quality of the substance (results).
7. A gradual and incremental application of new regulatory standards and supervisory activities developed at the SIFI level to a broad range of regulated banking and other financial services firms, and more intensive and skeptical supervision across the board. The net result of Dodd-Frank's changes in financial institution regulation and supervision will lead first to a much more intensive and prescriptive supervision and regulatory environment for SIFIs. Putting aside the substantive merits of Dodd-Frank's many requirements, common sense dictates that this is how it should be. But, just as important, for all those financial institutions that are outside of the SIFI framework, matters will change as well.
How will these matters change? Specifically, what kind of more intensive supervision and regulation will the financial institution community experience? Several key elements come to mind:
a. More intensive enterprise-level regulation and supervision with a strong emphasis on: adequate capital and liquidity; adequate MIS and risk management systems, policies and procedures; rigorous corporate governance and oversight; and careful management of credit and counterparty exposures and concentrations.
b. The collection, synthesis and production of new and potentially large amounts of data. SIFIs, of course, will have to generate exponentially more reports and data than community banks, but relatively speaking, the informational and reporting burdens on smaller financial institutions also will dramatically increase.
c. Possible limitations on activities, especially those that are viewed as presenting higher levels of institution-specific or systemic risk.
d. An increased willingness of the financial regulatory agencies to use their early-action regulatory and supervisory authority, including their regulatory enforcement tools.
Some of these trends have already been previewed by senior regulators.11 Although many of the concerns arise out of the supervision of large banks, the regulatory agencies have been clear that the more intensive forms of supervision we have discussed above are the order of the day for all banking organizations. Indeed, there is no logical reason why the financial regulators would not apply these principles and priorities to the general financial institutions community. After all, if something works well at the SIFI supervisory level, why not use it elsewhere?
An Organized Response Strategy
Faced with these changes and trends, what can financial institutions do to prepare themselves for the future of supervision and regulation? We do not use the word "prepare" in this context to mean preparing for a raft of new Dodd-Frank Act-required (or inspired!) rules, if only because in order to prepare for new regulations, one has to know what the regulations are in the first place, and right now there are too many instances where these requirements are not known. But, there are actions that financial institutions can take to adapt and even prosper in the new environment, and may improve their standing with their principal regulators.
1. Review and strengthen your governance. What it takes to have a well-run financial institution starts at the top, and a rigorous top-level review of corporate governance organization, policies and procedures will allow a financial institution to assess the overall quality of its governance architecture, and assist in identifying areas for improvement. Most organizations do not have to start from the ground up; they can build on what already exists within the organization (e.g., Sarbanes Oxley governance policies, ERM activities and systems, regulatory capital assessment data, risk management committees)—although the OCC's recent and largely unfavorable review of the current governance at large banks suggests that existing procedures fall well short of what the regulators ultimately expect to see. Also, the scope and detail of needed governance policies and activities, and the intensity of supervisory oversight, will vary significantly with the size and complexity of the financial institution. The point here is not that governance has been a secondary supervisory priority up until now; rather, financial regulators will be paying more attention across the board to the quality of governance and management oversight.
Thus, the presence of a merely "adequate" corporate governance infrastructure no longer may be sufficient going forward. So why not beat the regulators to it? There are an ample number of concrete steps that a banking organization can take to start moving ahead of the curve, such as creating a code of ethics for the organization, developing a thoughtful and effective succession plan, reviewing and updating the structure and responsibilities of board committees, testing the strength and adequacy of internal audit programs, and reviewing and updating executive compensation policies and practices, to name just a few actions.
2. More intensive capital and liquidity planning—it's for everyone. Financial institutions that are in the SIFI category will be subject to specific, extensive and detailed capital and liquidity planning and management requirements. This is already true for the largest U.S. banking organizations, which have been subject to SCAP, CCAR, "living wills," stress-testing and other supervision-driven exercises and requirements over the past three-plus years. Dodd-Frank forces stress testing and the requirement for a formal risk committee (with specific membership requirements) down to mid-size banks, and guidance on some of the same issues has been issued for community banks. But the essential task of reviewing and assessing a banking organization's capital structure and needs, and sources of immediate and term funding, is more important than ever. Even if the capital levels at most U.S. banks would meet the minimum regulatory capital standards proposed last June, regulatory capital requirements are and will remain high. In turn, financial regulators, in addition to requiring more capital—which is why the capital planning processes need to include consideration sources of additional capital, if needed—will expect more rigor and discipline in the capital and liquidity planning processes.
3. More intense risk management planning and stress testing. As discussed above, the fundamental requirements for the identification and management of banking risk have developed over a substantial period of time, and the concept of risk-based supervision is well-embedded in regulatory goals, objectives, policies and practices. And, what has changed under Dodd-Frank are not the types of risk that must be managed (credit, market, legal, operational, reputational, etc.), but the assumptions and projections that must be used to assess and control risk. Put another way, financial institutions are being required to use significantly gloomier scenarios (otherwise known as "stressed scenarios") along with baseline scenarios in their risk management activities.
Fortunately for most banks and other financial institutions, formal stress-testing, which will be on a nearly continuous basis, is legally required only for SIFIs, and to a reduced extent for banking organizations of more than $10 billion in assets. For all other banks, the message has been a little mixed. The regulators have assured community banks that Dodd-Frank's formal stress-testing requirements will not be pushed down to them,12 but in the same statement, the banking agencies were quick to remind community banks of their ongoing risk management obligations, including the "capacity to analyze the potential impact of adverse outcomes on their financial condition." That statement, to us at least, sounds suspiciously like stress-testing. Indeed, the OCC has since issued a bulletin with general standards for stress-testing the balance sheet.13 And, given that much of the financial crisis was precipitated by the collapse of mainstream asset classes (real estate home mortgages, commercial real estate loans) that were common to the entire U.S. banking industry, banks that fail to incorporate stressed scenario analyses in their planning efforts will face criticism—and perhaps more—from their primary regulators.
4. Conduct a business risk/return analysis. A corollary to the process of risk management is the basic decision—and this plainly is an enterprise level governance decision—of how much risk a financial institution is prepared to take on. Regulators expect a banking organization to be able to answer this question, and now more than ever. The changing rules for permitted and prohibited activities, the amounts of regulatory capital required for various asset classes and off-balance sheet exposures, and the increased compliance costs associated with many banking activities, all point to the need for financial institutions to conduct a risk/return analysis of their activities and operations. How much risk is the financial institution prepared to assume, both overall and in specific activities? How accurately can it measure its risk appetite? Do the risks and regulatory costs of a given activity and its projected returns warrant the modification, or even the discontinuation, of that activity? And of course, the scope, methodology and results of this analysis should be properly documented.
5. Ensure an enterprise-level approach to compliance. The multiplicity of risk management and other compliance obligations is perhaps the first aspect of the new regulatory environment that meets the eye. The proposed enhanced prudential standards for large bank holding companies, for example, require stress-testing, specific liquidity stress testing, liquidity planning and resolution planning. The regulators have separately required capital planning. All of these undertakings overlap with respect both to the data necessary for the test or the plan and to the execution of the task. With the possible exception of resolution planning, these risk management tools are relevant for all banking organizations. This translates into a review of the sufficiency of enterprise-level risk management systems, including systems for the collection, consolidation and analysis of risk exposure data, and the rigor of stress-testing models and programs and their compliance with current regulatory expectations. It also means a review and evaluation of the sufficiency of internal and external compliance and audit systems. In order to meet the regulators' several expectations and to do so efficiently, a banking organization must review its current compliance procedures, which now must cover such duties as capital planning, and structure them in a way that the relevant data and the necessary methodologies can be shared in a single compliance unit.
6. Review the adequacy of the enterprise risk management infrastructure. This is not a pitch for an increase in every banking organization's IT or MIS budget, but an unavoidable corollary to the supervisory consequences of Dodd-Frank, which will be the need for more and better data on matters ranging from liquidity management, stress-testing, Volcker Rule compliance, and much more. The regulators will expect more and better information on core matters—in addition to capital and liquidity—such as financial exposures to geographic markets, business segments and markets, and individual and central counterparties. In addition, data on credit and operational exposures and concentrations alike will be needed. A financial institution needs to assess whether its data management and information collection infrastructure is up to the task of collecting, processing and managing an ever-increasing amount of data, and take steps, if necessary, to improve data management systems.
7. Assure that the human resources are there to get the job done. One of the reasons that the Dodd-Frank Act rulemaking process is far behind the statutory timetable results from the fact that Congress assigned a huge number of rulemaking tasks to financial regulatory agencies that through no fault of their own, lack sufficient personnel to get the job done within those deadlines. But at some point the rules will be out, and the regulators will be requiring more capital, liquidity and risk management planning, governance, reporting and the like, so are the right people in place to respond to these demands? Financial reporting, legal, compliance, audit and IT resources will be key priorities and experienced people in these areas will be very much in demand. Further, these resources will need to be proficient in the new requirements and responsibilities, so they may need to be trained. We are hearing many anecdotal examples of financial institutions that are looking for additional experienced resources to help them manage their new regulatory and supervisory obligations, and finding that these resources are scarcer than they would like. Financial institutions will need to face up to the fact that they will need to spend additional money for more FTEs, or will need to retain (and oversee) more third party services providers to support these functions.
8. Respond proactively to regulatory climate change. Unlike its environmental namesake, regulatory climate change is not about true believers and deniers. Rather, it is a trending of regulatory attitudes and actions in a more aggressive, skeptical and adversarial direction. Banking organizations and other financial institutions across the board would benefit from acknowledging this phenomenon and considering four specific courses of action:
a. Behave as if the regulators will not give you the benefit of the doubt. There is a good deal a bank can do in a number of areas to mitigate the negative consequences of a skeptical regulator, such as careful management and documentation of corporate actions and business activities; extra attention to documented and strong compliance policies and procedures, and an emphasis on disciplined, proactive and transparent regulatory communications. The common theme here is to not take regulatory indulgences and forbearances for granted, but to anticipate and respond proactively and positively to the change in regulatory attitudes.
b. Show them the process. As process gains ascendancy in the regulatory worldview, a banking organization that is able to demonstrate to its regulators that it has in place written policies and procedures not only for the proverbial loan underwriting and administration, but also for all key governance and management functions, will much more easily earn the trust and confidence of its regulatory agencies. Dodd-Frank, of course, requires the memorialization of many processes (e.g., capital, liquidity and stress testing) for large banks, but there is a management lesson here for banks of all sizes.
c. Remember and apply the "New York Times test". Financial institutions' actions and behavior are and will continue to be under more rigorous public scrutiny, and as a result of modern technology, there really is no such thing as truly private actions and communications. How would the financial institution's public and internal behavior look on the front page of the local—or national—newspaper? This is a useful, and important, reality-check principle that can help avoid reputational, or worse, problems down the road. In addition, regulators are now heavily focused on reputation risk, and want to see that banking organizations have recognized and addressed that risk.
d. Excellence in customer service counts more than ever. Every financial institution wants a base of stable and loyal customers, but being a market-leader in customer service by redoubling efforts to offer products that are suitable for customers, being attentive to customer needs and concerns, and dealing clearly and fairly with customer, can help mitigate public and regulatory perceptions that financial institutions are not looking after customer interests, at least for individual financial institutions. And, if every financial institution paid attention to this principle, then the stature of the financial services industry would be better off for it.
Further Considerations for Nonbank Financial Firms
It is too early to offer any detailed advice on how nonbank financial firms that are not currently regulated by the Board should adapt to the future regulatory environment, because at this time we do not know which—or how many—nonbank financial firms will be designated as SIFIs and made subject to Board supervision and regulation. That being said, those firms that stand a possibility of SIFI designation—and they presumably know who they are at this time—are well-advised to spend time to become informed on the nature, tenor and impact of the bank regulatory supervisory structure. This includes understanding the powers, functions, priorities and attitudes of the Board and the FDIC, and their approaches to supervision and regulation matters, as discussed in greater detail above.
Nonbank financial institutions that are not designated as SIFIs will not be subject to bank regulation, but of course they may be subject to federal or state regulation (e.g., by the SEC, CFTC or state insurance regulators), some of which has assumed an increasingly prudential character in recent years. Will the Dodd-Frank Act and its aftermath affect how they are regulated? Apart from the numerous new regulations and other requirements that federally-regulated financial institutions will have to comply with, Dodd-Frank will have no direct impact on these firms. But might it change the atmosphere or processes of nonbank financial regulation? Greater regulatory oversight of regulated activities, and less regulatory tolerance for violations and compliance missteps, may be one outcome. This outcome, however, probably will be the result more of the financial regulators' awareness that their actions are under increased and more critical congressional and public scrutiny than it will be as a result of Dodd-Frank itself.
Further Considerations for Foreign Banking Organizations
Foreign banking organizations with U.S. operations face multiple regulatory challenges going forward. In addition to whatever supervisory and regulatory changes may be occurring in their home country jurisdictions—and the nature and pace of these changes vary widely across jurisdictions—they must come to terms with the new requirements of the Dodd-Frank Act as it affects their U.S. activities in just the same manner as their U.S. counterparts. Curiously, it appears that the largest population of bank SIFIs will consist of these foreign banking organizations, inasmuch as the quantitative benchmarks for bank SIFI status are being measured by the U.S. regulators on a worldwide basis.
U.S. perceptions of a foreign banking organization's systemic significance, however, will not be based solely on the mere size of the banking organization's U.S. operations. In turn, SIFI supervision issues for these foreign firms may be harder to predict but may be more dependent on the U.S. regulatory perception of the U.S. and global ramifications of a foreign institution's distress or failure. The development of that perception, however, will turn in large part on the level of familiarity that U.S. regulatory agencies can acquire about a foreign banking organization's global operations and how those operations impact their U.S. activities. To gain that knowledge, U.S. regulators will rely to some extent on their foreign counterparts, but this educational process is one action where foreign banking organizations can—and should—be proactive in assuring that U.S. regulatory authorities have the most accurate and current understanding of their businesses, operations, risk posture, and home country supervision.
U.S. authority to regulate the operations of foreign firms in theory is supposed to be limited to the regulation of foreign banks' U.S. operations. Regulatory actions taken by U.S. regulatory agencies in areas such as systemic regulation, the Volcker Rule and OTC derivatives regulation, however, undoubtedly will have a material—and many say unwarranted—extraterritorial impact on foreign banks' non-U.S. activities. While the extraterritorial effects of key Dodd-Frank Act rulemaking may be scaled back when the rules are adopted in final form, foreign banking organizations need to be attentive to this issue by reviewing the nature and scope of their U.S. activities, and the significance of these activities, to their overall mission and business objectives.
There may be measures that can be taken such as organizational restructurings, and reducing the use of U.S.-based facilities and services, that can be taken—and some foreign banking organizations have already moved down this path—to reduce the potential offshore impact of Dodd-Frank, although recent Federal Reserve Board proposals have sought to counteract this "organizational arbitrage" strategy.14 In the final analysis, however, it will be largely in the hands of the U.S. regulatory authorities to address this issue thoughtfully and sensibly.
One theoretically helpful aspect of the Dodd-Frank Act is that it requires U.S. regulators to consult with foreign supervisory authorities on matters such as systemic regulation and cross-border resolution, so there is at least a congressional expectation that U.S. regulators will not act unilaterally in applying the Dodd-Frank Act to foreign firms. There is a question-begging element to this consultative process, of course—Dodd-Frank doesn't say how much consultation is needed and how much attention American authorities should pay to the views of international supervisors and central banks, which have, for example, turned out in force against several of the controversial offshore activities elements of the Volcker Rule and the Board's more recent FBO supervision proposals.
To Sum Up . . .
The world of U.S. financial regulation has been materially altered by the Dodd-Frank Act, but those changes have occurred within the context of a long-established regulatory framework, attitudes and regulatory behaviors that have not been altered by Dodd-Frank. Financial firms—SIFIs and others—that are able to understand what is and what is not different in the new regulatory environment, and adjust their activities and operations with these characteristics in mind, are likely to be more successful in adapting to the post-Dodd-Frank world. In general, financial institutions that are successful in doing business in this environment will understand the regulatory expectations that will develop as the Dodd-Frank Act is fully implemented against the backdrop of what is already in place, and respond proactively to those expectations with an appropriate emphasis on core prudential measures, including governance, capital and liquidity, risk management processes systems, and human resources. In the final analysis, this formula is not complex, but it will require careful planning, proper execution, and hard work.
Footnotes
1 Pub.L. 111-203, 124 Stat. 1376 (2010).
2 We use the term "bank" in a collective sense to include all national and state member and nonmember banks, federal and state savings associations, bank holding companies, and savings and loan holding companies.
3 This category currently has no members. While Treasury Department officials signaled that the FSOC would issue its first designations by the end of 2012, this timetable, like so many others under Dodd-Frank, has slipped.
4 The principal purpose of the National Bank Act of 1863 was to create a national currency to finance Union operations during the Civil War. The Federal Reserve Act was a response to the periodic monetary panics occurring in the late 19th century and early 20th century. The Great Depression led to the creation of the FDIC, the Federal Home Loan Bank Board, and the SEC. Even the 1989 congressional response to the S&L crisis—FIRREA—left the fragmented regulation of banking firms in place.
5 That assistance was provided through a number of vehicles and programs created by legislation and regulatory action, including the Emergency Economic Stabilization Act of 2008, which created the Troubled Assets Relief Program ("TARP"), under which the U.S. government provided capital support to a large number of regulated financial institutions. In addition, the Federal Reserve Board implemented numerous other "backstop" programs for money market mutual funds, primary dealers and other deemed-essential financial markets participants.
6 Arguably the enhanced authority of the SEC and the CFTC over swaps and derivatives gives them a degree of centralized authority, although their new power is a reaction to the previous absence of regulation rather then a consolidation of previous fragmented powers.
7 In theory, the Council has some authority to oversee and influence the activities of a single regulatory agency; we see this phenomenon, for example, in the Council's efforts to encourage the SEC to strengthen the regulatory oversight structure for the money market mutual fund industry. But the Council lacks the authority on its own to write rules or to compel a regulatory agency to act in a certain way.
8 See our discussion of compliance considerations under the proposed Volcker Rule regulations, available at http://www.mofo.com/files/Uploads/Images/120126-The-Volcker-Rule-Compliance-Considerations.pdf
9 Federal Reserve Board, Enhanced Prudential Standards and Early Remediation Requirements for Covered Companies; Proposed Rule, 77 Fed. Reg. 594 (Jan. 5, 2012); Federal Reserve Board, Enhanced Prudential Standards and Early Remediation Requirements for Foreign Banking Organizations and Foreign Nonbank Financial Companies; Proposed Rule, 77 Fed. Reg. 76628 (Dec. 28, 2012).
10 See, Big Banks Flunk OCC Risk Tests, Am Banker (Dec. 13, 2012) (subscription required).
11 See, e.g., remarks by Thomas J. Curry, Comptroller of the Currency Before the 8th Annual Community Bankers Symposium, Nov. 9, 2012, available at http://www.occ.treas.gov/news-issuances/speeches/2012/pub-speech-2012-161.pdf Remarks by Thomas J. Curry, Comptroller of the Currency, Before the Financial Services Roundtable, September 20, 2012, available at http://www.occ.treas.gov/news-issuances/speeches/2012/pub-speech-2012-130.pdf ; Remarks by Thomas J. Curry, Comptroller of the Currency before the Exchequer Club, May 16, 2012, available at http://www.occ.treas.gov/news issuances/speeches/2012/pub-speech-2012-77.pdf.
12 See, OCC, Federal Reserve Board, and FDIC, Statement to Clarify Supervisory Expectations for Stress Testing by Community Banks (May 14, 2012), available at http://www.federalreserve.gov/newsevents/press/bcreg/bcreg20120514b1.pdf .
13 OCC Bulletin 2012-33, Community Bank Stress Testing (Oct. 18, 2012), available at http://www.occ.treas.gov/news-issuances/bulletins/20
14 See, Federal Reserve Board, Enhanced Prudential Standards and Early Remediation Requirements for Foreign Banking Organizations and Foreign Nonbank Financial Companies, supra.
Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
© Morrison & Foerster LLP. All rights reserved
