
FDIC Should Charge Banks for Lax Risk Management

Despite thousands of pages of legislation and regulation aimed at addressing weaknesses in the banking industry that contributed to the financial crisis, there is no effective mechanism to ensure banks will adopt a strong risk management culture, governance and infrastructure consistent with their risk-taking.

The pricing of deposit insurance and the supervisory rating process known as Camels have missed the mark by focusing on metrics that mask underlying deficiencies in risk management, particularly during benign economic conditions. Tying deposit insurance premiums directly to the quality of a bank's risk management processes and controls would provide a strong financial incentive to banks to correct deficiencies in risk practices.

While we can debate the impact of such issues as "too big to fail" on the financial meltdown, at its core the industry and its regulators generally suffered from a lack of foresight in understanding the importance of risk management processes and controls to bank solvency. For example, a report by the Federal Deposit Insurance Corp.'s Inspector General in the aftermath of the Washington Mutual failure noted that the Office of Thrift Supervision (merged now under the Office of the Comptroller of the Currency) gave WaMu the second-highest Camels rating as late as December 2007 and its deposit insurance risk rating likewise remained relatively high during this period.

Since that time the FDIC overhauled its deposit insurance assessment process, issuing a final rulemaking in 2011. Although it expanded the use of risk-based deposit insurance pricing, it missed an opportunity to strengthen the linkage between premium levels and quality of risk management. Moreover, in determining how much a bank will be assessed for deposit insurance, it focuses on conventional, easy-to-quantify financial and risk performance metrics but fails to flag the quality of a bank's risk management processes other than via the "M," or management component of the Camels supervisory rating. (The acronym stands for capital adequacy; assets; management capability; earnings; liquidity; and sensitivity to market and interest rate risk.) Assessments for large banks (over $10 billion in assets) follow a scorecard exercise that takes into consideration such factors as Camels and Tier 1 capital ratios along with a host of other standard asset and credit quality metrics. The problem with this approach is that significant risk concentrations on the balance sheet in later years reflect a poor risk culture, a weak risk governance structure and/or underinvestment in risk infrastructure for the risks taken during the asset acquisition period. The deposit insurance scorecard used by FDIC at best underestimates the impact the quality of risk management has on a bank's condition. It perpetuates historically weak processes to evaluate the way risks are managed (which is different from focusing on outcomes).

The Federal Reserve Board and Office of the Comptroller of the Currency have undertaken various risk management assessment initiatives including the OCC's evaluation of risk practices at the largest national banks. However, these assessment processes, so far as can be understood, remain highly subjective and unable to consistently compare institutions across a set of risk-management quality indicators over time.

Instead, the Camels framework should be overhauled to include the results from a risk management quality scorecard. That scorecard would be based on a questionnaire that assesses a bank's risk culture, governance and infrastructure with specific emphasis on the institution's ability to identify, measure and manage risk. Each attribute would be rated numerically and assigned a weight that would roll up to an overall risk management score. The Camels ratings would become Carmels ratings, with risk management as a separate and quantifiable component in supervision and deposit insurance assessments.

To illustrate how these scores could influence bank attention on risk management, consider the following example.

A large bank today with a deposit assessment base of $100 billion would pay an annual base assessment of 5 to 35 cents per $100 of its assessment base, or a range of $50 million to $350 million depending on a complicated pricing algorithm used by FDIC that scales the final base rate up or down according to the bank's total performance score described earlier. What is ironic about the deposit assessment scorecard is how it appears to be analytically rigorous but in the end allows the FDIC to assess up to an additional 15 basis points on a bank for major risks not captured in the scorecard. Allowing such a large fudge factor undermines the integrity of the scorecard and illustrates the overreliance on performance-based metrics that cannot accurately reflect the quality of the risk process.

Instead, if a risk management score made the difference between a base rate at the low or high end of that range, a swing of $300 million would certainly catch senior management's attention. Spending several million dollars to beef up risk management processes would be an easy decision to make if it saved hundreds of millions in deposit assessments each year. It may be impossible to regulate human behavior, but when it comes to focusing on risk management, banks respond well to financial incentives, and developing an effective risk quality scorecard tied to deposit insurance assessments is a logical step forward.

Clifford V. Rossi is the Executive-in-Residence and Tyser Teaching Fellow at the Robert H. Smith School of Business at the University of Maryland. 




Comments (5)
Since the most disastrous risk managers were the bank regulators who ordered the banks to clear for "perceived risk" on the liability and equity side of the balance sheet, even though those perceived risks were already cleared for in the assets, and thereby doomed banks to overdose on perceived risk, FDIC should charge the bank regulators for dumb risk-management.
Posted by Per Kurowski | Tuesday, April 23 2013 at 8:56AM ET
We're spending too much time trying to motivate good and proper behavior at 7000 banks with quantitative formulas and intellectual theories. Why not just hold the CEO's first born to insure good performance?
Posted by Rhsmith999 | Monday, April 22 2013 at 11:06AM ET
Clifford Rossi's excellent article got my attention. In 2005 I developed the FDIC's foray into using a risk based premium pricing model. Unfortunately, due to expediency and the desire of the pricing chief to put his name on the model, some poor decisions and fatal changes to the model were made by this individual just before implementation in 2006.

I was appalled once I saw the extent of changes made to the model I had initially designed. I wrote a formal critique of the revised model that was put into production in 2006 hoping to make senior officials at the FDIC aware of major problems before it was too late to remedy. Sadly, my critique only got others upset because there was a working group who realized an undertaking this big at the FDIC would certainly result in a coveted Chairman's Group Project award, which comes with recognition and award money. Of course, in reality the system implemented was a pink elephant from the start, which nobody wished to admit for internal political reasons.

The following are my point-by-point criticisms of the risk based premium pricing scheme as highlighted in my 2006 critique.

1. CAMELS Component rang "weights" are too subjective and not fully supportable
2. "Institutionalizing" Analyst Bond Ratings by Moody's/Fitch/S&P is a concern
3. Risk Assessment should focus on insured institution AND on affiliates & bank holding company
4. "Complexity" should be the focus rather than Size as the dominant determinant for risk assessment
5. Create a comprehensive, Large Bank Financial & Risk Analysis and combine it with a Premium Assessment (make the Large Bank risk rating more granular than existing A, B, C, D grades and add more specificity and uniformity to the CAMELS exam ratings)

I cautioned how unwise it was for the FDIC to do away with an ancillary offsite rating program whereby consolidated companies as a whole are provided an overall risk rating. In 2006, supervisors chose to change the large bank program to focus and assign a risk rating (known as a LIDI rating) based on the insured entity risk and no longer the bank holding company as a whole. This single change in focus that was implemented in the beginning of 2007 may have been the most damaging decision by the FDIC. No longer was the agency paying much attention to the risks being offloaded from parent companies to non-bank affiliates. The huge shadow banking industry was no longer in our sights. There has been no public admission of this major blunder by the FDIC.

The managers who came up with this ill-fated decision were recognized and rewarded for this group project "change" as well. There was no willingness to embarrass any senior officials who were recognized earlier for a venture that turned into an albatross. For the record, every one of my suggested corrections and changes from my 2006 critique was identified for implementation in 2011. There is no telling how many billions the FDIC would have saved and added to its insurance reserve fund had my suggestions been acknowledged all along.

If interested, one can go to my blog to find out more about my recommendations and critique of the FDIC risk based insurance premium system. Go to
Posted by Dwihas3 | Sunday, April 21 2013 at 3:57PM ET
It is worth reminding us that Basel II was originally developed as an incentive for banks to implement good risk management practices: An improved capital adequacy framework intended to foster a strong emphasis on risk management and to encourage ongoing improvements in banks' risk assessment capabilities (BIS The New Basel Capital Accord - April 2003). Notice how calculation of minimum capital is not mentioned as the primary goal of Basel! In reality regulators have focused on Pillar 1 (minimum capital) not on Pillar 2 i.e. the Internal Capital Adequacy Assessment Process (ICAAP) and even less in risk management.
Without a strong positive or negative incentive (such as that mentioned in the article) banks will not adapt their risk management culture.
Finally I have also come to the conclusion when analyzing pricing models and strategies, that banks do not fully integrate (with some rare exceptions) one-to-one risk in pricing. Check this out on
Posted by Clive Wykes | Saturday, April 20 2013 at 4:04AM ET
I concur with Mr. Rossi's predicate - "Tying deposit insurance premiums directly to the quality of a bank's risk management processes and controls would provide a strong financial incentive to banks to correct deficiencies in risk practices."
The FDIC insurance pricing algorithm that allows a 15 bp adjustment for risk not captured elsewhere is a subjective assessment based on the whimsical mood of the bank examiner.
Mr. Rossi's solution is to ask the examiner to complete a subjective questionnaire. This does nothing more than move the adjustment to a CArMELS rating. What did that accomplish? The result is still a subjective model and prone to how a bureaucrat feels. It does not measure risk.
Isn't it a fact that the true measure of risk cannot be known until the risk event is over and assessed? Is it possible to develop an objective assessment tool that correctly predicts future events and therefore today's risk of engaging in that activity? Let's call Dr. Emmett "Doc" Brown and see what he can offer us.
Posted by steveholt | Friday, April 19 2013 at 1:13PM ET