We and others have found that at large financial institutions, management weaknesses—such as ineffective leadership by boards of directors, and compensation tied to quantity of rather than quality of loans—contributed to the 2007-2009 financial crisis.
Are federal banking regulators addressing these weaknesses?
We found regulators have improved their supervision of large banks’ management activities and generally followed leading practices. However, regulators could do a better job informing institutions of potential emerging problems.
We made 4 recommendations to further strengthen the regulators’ bank supervision policies and procedures.
A side view of the New York Stock Exchange on Wall Street in New York City.
What GAO Found
Since 2009, federal banking regulators have revised policies and procedures for use by examiners in supervising depository institutions' management activities (such as those related to corporate governance and internal controls) and for identifying and communicating supervisory concerns. For example, regulators differentiated levels of severity for supervisory concerns and specified when to communicate them to boards of directors at the depository institutions. GAO found that the updated policies and procedures generally were consistent with leading risk-management practices, including federal internal control standards.
Examination documents that GAO reviewed showed that examiners generally applied the regulators' updated policies and procedures to assess management oversight at large depository institutions. In particular, for the institutions GAO reviewed, the regulators communicated deficiencies before an institution's financial condition was affected, and followed up on supervisory concerns to determine progress in correcting weaknesses. However, practices for communicating supervisory concerns to institutions varied among regulators and some communications do not provide complete information that could help boards of directors monitor whether deficiencies are fully addressed by management. Written communications of supervisory concerns from the Federal Deposit Insurance Corporation (FDIC) and the Board of Governors of the Federal Reserve System (Federal Reserve) that GAO reviewed often lacked complete information about the cause of the concern and, for the Federal Reserve, also lacked information on the potential consequences of the concern, which in one instance led to an incomplete response by an institution. Communicating more complete information to boards of directors of institutions, such as the reason for a deficient activity or practice and its potential effect on the safety and soundness of operations, could help ensure more timely corrective actions.
While supervisory concern data indicated continuing management weaknesses, regulators vary in how they track and use the data. Data on supervisory concerns, and regulators' internal reports based on the data, indicated that regulators frequently cited concerns about the ability of depository institution management to control and mitigate risk. However, FDIC examiners only record summary information about certain supervisory concerns and not detailed characteristics of concerns that would allow for more complete information. With more detailed information, FDIC management could better monitor whether emerging risks are resolved in a timely manner. In addition, the regulators vary in the nature and extent of data they collect on the escalation of supervisory concerns to enforcement actions. FDIC and the Office of the Comptroller of the Currency (OCC) have relatively detailed policies and procedures for escalation of supervisory concerns to enforcement actions, but the Federal Reserve does not. According to Federal Reserve staff, in practice they consider factors such as the institution's response to prior safety and soundness actions. But the Federal Reserve lacks specific and measurable guidelines for escalation of supervisory concerns, relying solely on the judgment or experience of examiners, their management, and Federal Reserve staff, which can result in inconsistent escalation practices.
Why GAO Did This Study
Weaknesses identified after the 2007–2009 financial crisis included management weaknesses at large depository institutions and the need for federal regulators (FDIC, Federal Reserve, and OCC) to address the deficiencies in a timely manner. Concerns remain that positive economic results of recent years could mask underlying risk-management deficiencies.
This report examined (1) how consistent regulators' revised policies and procedures are with leading risk-management practices, (2) how they applied examination policies and procedures, and (3) trends in supervisory concern data since 2012 and how regulators tracked such data. GAO compared regulators' policies and procedures for oversight against leading practices; compared documents from selected bank examinations for 2014–2016 against regulator's risk-management examination procedures; reviewed aggregate supervisory concern data for 2012–2016; and interviewed regulators and industry representatives.
GAO recommends that FDIC and the Federal Reserve improve information in written communication of supervisory concerns; FDIC improve recording of supervisory concern data; and the Federal Reserve update guidelines for escalating supervisory concerns. FDIC disagreed with the first recommendation, stating its policies address the issue, but GAO found clarification is needed. FDIC agreed with the second recommendation. The Federal Reserve neither agreed nor disagreed with the recommendations.
Recommendations for Executive Action
|Federal Deposit Insurance Corporation||1. The Director of the Division of Risk Management Supervision of FDIC should update policies and procedures on communications of supervisory recommendations to institutions to provide more complete information about the recommendation, such as the likely cause of the problem or deficient condition, when practicable. (Recommendation 1)|
|Federal Reserve System||2. The Director of the Division of Supervision and Regulation of the Board of Governors of the Federal Reserve System should update policies and procedures on communications of supervisory concerns to institutions to provide more complete information about the concerns, such as the likely cause (when practicable) and potential effect of the problem or deficient condition. (Recommendation 2)|
|Federal Deposit Insurance Corporation||3. The Director of the Division of Risk Management Supervision of FDIC should take steps to improve the completeness of matters requiring board attention (MRBA) data in its tracking system, in particular, by developing a structure that allows examiners to record MRBAs at progressively more granular levels (from a broad level such as examination area to more specific levels, including risk or concern type). (Recommendation 3)|
|Federal Reserve System||4. The Director of the Division of Supervision and Regulation of the Board of Governors of the Federal Reserve System should update policies and procedures to incorporate specific factors for escalating supervisory concerns. (Recommendation 4)|