FDIC Should Charge Banks for Lax Risk Management

Despite thousands of pages of legislation and regulation aimed at addressing weaknesses in the banking industry that contributed to the financial crisis, there is no effective mechanism to ensure banks will adopt a strong risk management culture, governance and infrastructure consistent with their risk-taking.

The pricing of deposit insurance and the supervisory rating process known as Camels have missed the mark by focusing on metrics that mask underlying deficiencies in risk management, particularly during benign economic conditions. Tying deposit insurance premiums directly to the quality of a bank's risk management processes and controls would provide a strong financial incentive to banks to correct deficiencies in risk practices.

While we can debate the impact of such issues as "too big to fail" on the financial meltdown, at its core the industry and its regulators generally suffered from a lack of foresight in understanding the importance of risk management processes and controls to bank solvency. For example, a report by the Federal Deposit Insurance Corp.'s Inspector General in the aftermath of the Washington Mutual failure, noted that the Office of Thrift Supervision (merged now under the Office of the Comptroller of the Currency) gave WaMu the second highest Camels rating as late as December 2007 and its deposit insurance risk rating likewise remained relatively high during this period.

Since that time the FDIC overhauled its deposit insurance assessment process, issuing a final rulemaking in 2011. Although it expanded the use of risk-based deposit insurance pricing, it missed an opportunity to strengthen the linkage between premium levels and quality of risk management. Moreover, in determining how much a bank will be assessed for deposit insurance, it focuses on conventional, easy-to-quantify financial and risk performance metrics but fails to flag the quality of a bank's risk management processes other than via the "M," or management component of the Camels supervisory rating. (The acronym stands for capital adequacy; assets; management capability; earnings; liquidity; and sensitivity to market and interest rate risk.) Assessments for large banks (over $10 billion in assets) follow a scorecard exercise that takes into consideration such factors as Camels and Tier 1 capital ratios along with a host of other standard asset and credit quality metrics. The problem with this approach is that significant risk concentrations on the balance sheet in later years reflect a poor risk culture, a weak risk governance structure and/or underinvestment in risk infrastructure for the risks taken during the asset acquisition period. The deposit insurance scorecard used by FDIC at best underestimates the impact the quality of risk management has on a bank's condition. It perpetuates historically weak processes to evaluate the way risks are managed (which is different from focusing on outcomes).

The Federal Reserve Board and Office of the Comptroller of the Currency have undertaken various risk management assessment initiatives including the OCC's evaluation of risk practices at the largest national banks. However, these assessment processes, so far as can be understood, remain highly subjective and unable to consistently compare institutions across a set of risk-management quality indicators over time.

Instead, the Camels framework should be overhauled to include the results from a risk management quality scorecard. That scorecard would be based on a questionnaire that assesses a bank's risk culture, governance and infrastructure with specific emphasis on the institution's ability to identify, measure and manage risk. Each attribute would be rated numerically and assigned a weight that would roll up to an overall risk management score. The Camels ratings would become Carmels ratings, with risk management as a separate and quantifiable component in supervision and deposit insurance assessments.

To illustrate how these scores could influence bank attention on risk management, consider the following example.

A large bank today with a deposit assessment base of $100 billion would pay an annual base assessment of 5 to 35 cents per $100 of its assessment base, or a range of $50 million to $350 million depending on a complicated pricing algorithm used by FDIC that scales the final base rate up or down according the bank's total performance score described earlier. What is ironic about the deposit assessment scorecard is how it appears to be analytically rigorous but in the end allows the FDIC to assess up to an additional 15 basis points on a bank for major risks not captured in the scorecard. Allowing such a large fudge factor undermines the integrity of the scorecard and illustrates the overreliance on performance-based metrics that cannot accurately reflect the quality of the risk process.

Instead, if a risk management score made the difference between a base rate at the low or high end of that range, a swing of $300 million would certainly catch senior management's attention. Spending several million dollars to beef up risk management processes would be an easy decision to make if it saved hundreds of millions in deposits assessments each year. It may be impossible to regulate human behavior but when it comes to focusing on risk management, banks respond well to financial incentives and developing an effective risk quality scorecard tied to deposit insurance assessments is a logical step forward.

Clifford V. Rossi is the Executive-in-Residence and Tyser Teaching Fellow at the Robert H. Smith School of Business at the University of Maryland.