Regulators Demanding Clearer Picture of Risk from Banks
Systems that don't talk to each other are the original "legacy assets." Some banks are finally integrating them.January 28
Not long before the subprime mortgage crisis metastasized into a global financial crisis, it dawned on U.S. regulators that they had a huge blind spot.
"Nobody had a clue where all those mortgages were being held," said William Isaac, a former Federal Deposit Insurance Corp. chairman. "You should have had an information system that was tracking that. But nobody really thought there was a need for it because, after all, these mortgages were being securitized and sold off to investment trusts, and 'who cares' where they went. They were out of the banking system, and that's all the regulators cared about. Now we know we needed to know."
Today, as the banking industry recovers, regulators are focusing, laserlike, on making sure they and the institutions they supervise — particularly the largest ones — know everything they need to know.
Supervisors have found that some banks have a reasonably clear picture of their exposure to various risks but that others' vision is more blurred.
"The regulators are seeing two kinds of institutions: one that is proactively engaging with them and understands the need to upgrade their risk management capabilities, and another camp that is not so keen on jumping on the bandwagon," said Ashish Midha, a principal at Deloitte Consulting LLP who advises banks and regulators on technology modernization. Though technological investments clearly help, regulators are concerned not just about data systems but also about whether bank managers have sufficient experience to analyze the information and manage the risk.
"It's not just: 'Do you have super-fast computers?' That helps, but it also matters what data are the computers collecting and what are institutions doing with it?" said Isaac, who is now chairman of the consulting firm LECG Global Financial Services.
Two key regulatory exercises have provided markers for companies' progress in upgrading information systems.
The 2009 Supervisory Capital Assessment Program, more colloquially known as the "stress tests" — a picture of a company's ability to withstand financial stress — assessed how quickly and completely companies could report financial information. Likewise, large companies will soon be required to give regulators a broad cataloguing of their structure — known as a "living will" — as a guide in a failure scenario.
"With SCAP, we saw that some were better than others," said Michael Brosnan, the senior deputy comptroller for large-bank supervision in the Office of the Comptroller of the Currency. "As we complete more exams and other assessments, you can see where some firms are closing the gap. The ones that are good keep moving forward. Some of the ones that were noticeably lagging have begun to close the gap."
As the panic of 2008 showed the consequences of poorly managed risk, observers said, the agencies gained interest in companies' modernizing their systems.
"The regulators by and large have been reasonably patient with banks in terms of recognizing that it takes time and that it's hard, but I also think that in this environment — we're coming out of a crisis, and people are focused on issues like resolution authority — there is a lot more attention being paid to systems now maybe than there has been in the past," said John Douglas, a former general counsel at the FDIC and now a partner at Davis Polk & Wardwell.
"Three or four years ago, it was an item on a list — 'How are you doing with your systems integration?' — and people were given a fair amount of leeway. There's a lot more interest [now] in getting systems issues down pat."
Brosnan said the decade of industry expansion before the crisis — during which institutions were becoming global and merging with what had been separate companies with distinct systems — did not correspond with enough attention to technological infrastructure.
"They weren't investing proportionally in the systems that would help identify, measure and report risk better," he said.
As the crisis was followed by a period of slowdown, Brosnan said, certain companies made the conscious decision to allocate time and resources that had been focused on growth "to think[ing], paus[ing] and do[ing] things that are better strategically."
"In that period, the better-managed companies were using the time, money and talent when they didn't have to innovate to begin to improve their systems," he said.
Still, regulators said, even the best firms are not yet up to snuff.
"It takes time to build, and that's what these last two or three years have been for," Brosnan said. "We need probably another two or three years for new systems to further mature and be embedded for the better risk managers, executive officers and regulators to be comfortable.
"We're not going to be happy if" improvements "stop now," he said. "It needs to keep going."
The variability of data quality stems partly from the different ways global corporations have been formed.
"As a general principle, the systems in banks are in a sense all over the place," said Douglas, the former FDIC lawyer. "There are some banks that have, or at least try to have, a pretty integrated system to track exposures and risk. There are other institutions, particularly those that have been cobbled together from lots of different places, where the systems aren't compatible and interchangeable as people would clearly like."
But not every bank shares regulators' view on this issue. Deloitte's Midha said some institutions see the clamor for technological advances as overblown.
"The first camp looks at investment in their management infrastructure as adding to their bottom line. The other camp, and justifiably so, thinks that the regulators are overreacting after the crisis," he said. "They're watching the policy as it gets framed, and they view this as a cost-of-compliance issue. They're looking to do the bare minimum to be compliant with what the regulators want."
Some industry representatives insist that the sophistication of firms' data systems before the crisis was not deficient.
"The information systems were adequate for providing management … with the information they needed to make decisions," said William Henley, a senior vice president at BITS, the technology policy arm of the Financial Services Roundtable, and the former head of information-technology exams at the Office of Thrift Supervision.
Indeed, many said a company's technological prowess should not be confused with how well managers analyze, evaluate and act on data.
"Automated tools can be useful in monitoring subtle changes and activities that people may miss, but that's all they do. They're just capturing a flow of information," said Eric Holmquist, a consultant and the president of Holmquist Advisory LLC. "At the end of the day it is still vital that there is a human element evaluating that data to determine if it represents risk."
Regulators acknowledge that technology alone is not the answer. "You can have the best systems, and it will produce all of these nice numbers and reports. But you also need judgment and discipline," said Brosnan.
"If you had better data systems and better human beings to pull things together in a way that decision-makers could understand the firm-wide risk profile, your odds of getting picked off go down," he said.
"But even if you had the best real-time systems — and they don't exist — you would still have had to have the discipline to say, 'The U.S. housing market could have a significant drop in value.' "
There are examples throughout the crisis of institutions and regulators lacking the proper information to assess the extent of the industry's peril.
Consider bank executives' cluelessness about who all their subsidiaries were trading with.
Regulators "wanted to understand who the key counterparties were for the institutions, and the institutions did not have that information available in a timely manner to be able to make quick decisions," said Midha.
"That goes into the legal structure of these entities. Sometimes the legal structure is so convoluted, and it's not well-documented on paper, that these organizations cannot get the appropriate information about not just their overall exposure but the exposure of their individual legal entities."