Analyzing Your Risks in the Banking Sector

Now that the Federal Reserve has raised interest rates for the first time in seven years, it’s as good a time as any to worry about risks in the banking system—and, thankfully, two different regulators have given us some fresh reason fret. Let’s get to it.

We can start here in the United States, where the Office of the Comptroller of the Currency just released its semi-annual review of the banking system and what challenges lie ahead for it. To a certain extent, what the OCC says is not news: small and large banks alike still struggle to find growth, so they are easing up their loan writing standards, and many seem unprepared for the vigorous risk management you need should you be in a sluggish industry where taking bolder risks is required for growth.

Let’s put that into a more tangible context for compliance and audit professionals. Your bank is under pressure to grow. The board is considering ideas such as mergers with other banks, expansion into new territory, and launching of new products, especially online offerings. Those ideas may sound like strategic risks to the directors and CEO, but they are operational risks to you. All of those actions, the OCC said, increase the bank’s reliance on third parties. New online products expose you to more cybersecurity risk. Geographic expansion, particularly across national borders, might trigger new regulatory burdens that could force the bank to recalibrate its balance sheet.

The good news for now—and remember that this report surveys financial activity for the first half of 2015, before the Chinese market went into turmoil and oil plunged to 11-year lows—is that banks don’t seem to be in any specific, immediate distress today. We are nowhere near the days of spring 2008, standing on rickety floorboards and waiting for collapse.

The question for compliance and audit executives, however, is how you can ensure that your bank has the right mechanisms in place to manage all these risks and maintain regulatory compliance in this slow-growth environment. The OCC did worry about pressure to reduce staff or cut budgets, and that will be all the more likely if economic growth continues to be sluggish. Rampant job-cutting in the banking industry these days does you no favors with employee morale, either.

We see those same three risks—regulatory compliance, cybersecurity, and search for yield—at the global level as well. The International Organizations of Securities Commissions published its own annual review of financial stability on Wednesday, and in many ways the IOSCO report mirrored what OCC had to say.

The IOSCO report is worth reading because its primary audience are securities regulators, and it spends a fair bit of time talking about where securities laws don’t quite line up across borders—and anywhere regulations don’t align, that’s a breeding ground for risk. So if you, single player in the global financial system, want to know how systemic risk might creep into the world and affect your operation, read the IOSCO report in that light.

Mergers with other banks, expansion into new territory, launches of new online products. Those ideas may sound like strategic risks to the board and CEO, but they are operational risks to the compliance and audit executive.

For example, IOSCO said, in what might be the understatement of the year, “There have been a large number of very detailed regulations for all aspects of financial markets implemented over the past number of years.” One problem is that not all countries in the G-20 have implemented the same regulations, so financial firms might be tempted to try regulatory arbitrage; another is that some regulations may be so complex that financial firms avoid the cost and headache of hedging transactions, which introduces more risk into the wider financial system overall.

Cybersecurity is another pesky risk for securities regulators too, IOSCO says; its cross-border nature makes enforcement against cyber-criminals difficult, and the threats themselves change constantly. Is that good news for compliance officers, that your regulators now grasp the severity of cybersecurity risk? To be honest I don’t know, since they still seem relatively powerless to pursue criminals. But you can expect banking examiners to pay far more heed to your cybersecurity controls, something mentioned in the OCC report this week and in prior OCC announcements as well.

Food for thought as we all start to wonder how banking risks will change in a new era of rising interest rates. 

Matt Kelly has been editor of Compliance Week for 10 years. He will step down from that role at the end of this year. You can find him on LinkedIn at www.LinkedIn.com/in/mkelly1971 or on GoogleTalk at MattCompliance@gmail.com.