Changing governance and internal controls in response to recent enforcement actions cannot mask a fundamental deficiency: remediation is not changing the way decisions are being made, allowing the same mistakes to happen over and over.
Across recent U.S. enforcement actions and supervisory examinations, a pattern has emerged. Repeat findings are tied to governance and control effectiveness. Despite significant investment and redesigned frameworks, similar deficiencies keep resurfacing across examination cycles. These recurrences shift supervisory focus. Regulators stop asking about isolated control gaps. They start asking whether governance can identify and correct risk without being pushed.
If you look at enforcement actions, the patterns are remarkably consistent. After years of effort and millions spent, firms end up back where they started.
About the Author

Natalia Taft is a senior compliance executive and independent regulatory advisor with over 20 years of experience working with regulated financial institutions across the U.S., Europe, and other international markets. Her work focuses on board-level compliance strategy, complex regulatory remediation, and governance challenges arising from regulatory change, enforcement actions, and technology adoption.
Why this keeps happening
The core problem: remediation targets controls, not decisions. Most remediation programs fail because they fix controls rather than decisions, leaving the root cause unidentified and unaddressed. Fixing the root cause can be scary and costly, and it sometimes requires massive efforts that executives shy away from or fail to comprehend.
Institutions build new frameworks, implement policies, deploy dashboards, and establish committees. But the underlying way decisions are made remains largely unchanged. So do incentive structures, accountability mechanisms, and escalation norms. The supervisory outcomes don’t materially change. Similar issues reappear in subsequent examinations.
The most common blind spot I’ve seen in transformation programs is confusing structural independence with actual independence. Structural mechanisms such as committees and formal policies can create a framework for challenge, but they do not guarantee that challenge meaningfully influences outcomes. If you create the committee and write the policy, you assume a challenge will happen. It won’t, unless it’s safe and consequential.
In my work, I’ve repeatedly encountered programs with too many metrics and insufficient examination of how decisions are made. Dashboards can move while judgment stays weak. Real governance manifests itself in specific moments—in decisions that are altered, in objections that are documented rather than informally resolved outside formal governance channels. If a governance challenge does not influence outcomes over time, it’s not independent. It’s just a formality.
What makes it harder to fix: misreading regulatory expectations and treating symptoms as root causes. Firms often misinterpret regulatory language. The challenge is not the absence of guidance. It’s the difficulty of translating broad regulatory expectations into institution-specific operating realities.
Communication is also key: it is not only a matter of reading between the lines of the enforcement action, but also of being able to communicate up the chain to the board what needs to happen, how long it will take, and how expensive the remediation will be.
Regulatory language tends to be repetitive across different guidance, but practical application differs as each firm has a unique business model and risk profile. Correctly interpreting regulatory language for a specific institution is harder than it looks.
Firms also address symptoms and observable outcomes while failing to identify and address the root cause. The root cause is uncomfortably large and structural: core operations, legacy systems, data architecture, and reporting infrastructure. Addressing these would be expensive and disruptive. So institutions take the more tractable path. They improve the monitoring dashboard, restructure the governance committee, and document the policy. The control appears fixed.
Why it persists: culture protects the status quo. Because symptoms are cheaper politically. Governance flaws usually sit close to leadership behavior and incentives. That’s uncomfortable territory. Symptom fixes are easier to scope, report, and measure. Genuine governance reform is slower, harder to quantify, and demands uncomfortable conversations about how decisions are made and who ultimately constrains whom.
Career risk prevents honest escalation. People know very quickly whether honest escalation is rewarded, tolerated, or remembered. Policy doesn’t matter. Consequences do. Compounding this is what I call message smoothing. As risk information travels upward through an organization, it gets filtered. Critical details get lost, urgency downplayed, dissenting perspectives filtered out before they reach senior leadership. Senior management sees the data without fully understanding its implications. By the time a legitimate concern reaches the executive level, it has been rephrased as context rather than as a warning.
When governance failures escalate
Supervisory focus itself has shifted in recent years. Examiners increasingly ask whether governance functions effectively under pressure, and whether escalation mechanisms operate in real time. Governance frameworks often appear comprehensive on paper, yet remain ineffective if they do not alter outcomes when it matters. Repeat findings reflect not a lack of policies, but a lack of consequential challenge in decision-making.
In many cases, documentation exists, but the governance response does not materially alter the underlying risk trajectory. In remediation work, institutions invest heavily in data quality and reporting infrastructure. But when uncomfortable risk conclusions emerge, they are reframed to reduce their perceived urgency. Quantitative reporting reaches senior leadership, while the practical implications for decision-making are less clearly conveyed. The numbers traveled upward. The meaning didn’t.
Here’s when escalation happens: when the issue repeats and doesn’t self-correct. One issue is a gap. The same issue across multiple areas, recurring despite prior remediation attempts, is a governance signal.
Escalation typically begins when supervisors determine that internal identification and remediation mechanisms lack sufficient reliability or independence. The progression is clear. Findings in routine examination. MRAs. Then, an MOU and formal enforcement actions, like written agreements or cease-and-desist orders. Personal liability charges. Each step reflects diminishing confidence that governance works.
What this means for boards
Boards and audit committees need to ask for unresolved disagreements, not just clean reports. Show me where risk and business still don’t agree. Show me what was overridden, what’s stuck. Polished summaries don’t prove strong governance. Visible friction does.
If substantive disagreement surfaces at the board level only after extended internal tension, this indicates limitations in earlier escalation mechanisms. It suggests that escalation processes are not functioning—that concerns are resolved informally rather than surfaced for actual decision-making. Understanding what was overridden and what objections were noted but not heeded reveals whether governance is constraining decisions or merely documenting them.
Finally, understand what happens to people who escalate concerns. Employees observe how escalation outcomes affect professional trajectories. Formal policy articulates one standard while observed organizational responses communicate another. That gap between stated policy and actual consequence is where governance effectiveness is either reinforced or undermined.


