Financial Regulation
Review of Regulators' Oversight of Risk Management Systems at a Limited Number of Large, Complex Financial Institutions
Gao ID: GAO-09-499T March 19, 2009
This is the accessible text file for GAO report number GAO-09-499T
entitled 'Financial Regulation: Review of Regulators' Oversight of Risk
Management Systems at a Limited Number of Large, Complex Financial
Institutions' which was released on March 19, 2009.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Testimony:
Before the Subcommittee on Securities, Insurance, and Investments,
Committee on Banking, Housing, and Urban Affairs, U.S. Senate:
United States Government Accountability Office:
GAO:
For Release on Delivery:
Expected at 2:30 p.m. EDT:
Wednesday, March 18, 2009:
Financial Regulation:
Review of Regulators' Oversight of Risk Management Systems at a Limited
Number of Large, Complex Financial Institutions:
Statement of Orice M. Williams, Director:
Financial Markets and Community Investment:
GAO-09-499T:
GAO Highlights:
Highlights of GAO-09-499T, a testimony to the Subcommittee on
Securities, Insurance and Investments, Committee on Banking, Housing,
and Urban Affairs, U.S. Senate.
Why GAO Did This Study:
Financial regulators have an important role in assessing risk
management systems at financial institutions. Analyses have identified
inadequate risk management at large, complex financial institutions as
one of the causes of the current financial crisis. The failure of the
institutions to appropriately identify, measure, and manage their risks
has raised questions not only about corporate governance but also about
the adequacy of regulatory oversight of risk management systems.
GAO's objectives were to review (1) how regulators oversee risk
management at these institutions, (2) the extent to which regulators
identified shortcomings in risk management at certain institutions
prior to the summer of 2007, and (3) how some aspects of the regulatory
system may have contributed to or hindered the oversight of risk
management. GAO built upon its existing body of work, evaluated the
examination guidance used by examiners at U.S. banking and securities
regulators, and reviewed examination reports and work papers from 2006-
2008 for a selected sample of large institutions, and horizontal exams
that included additional institutions.
In January 2009, GAO designated the need to modernize the financial
regulatory system as a high risk area needing congressional attention.
Regulatory oversight of risk management at large financial
institutions, particularly at the holding company level, should be
considered part of that effort.
What GAO Found:
The banking and securities regulators use a variety of tools to
identify areas of risk and assess how large, complex financial
institutions manage their risks. The banking regulators--Federal
Reserve, Office of the Comptroller of the Currency (OCC), and the
Office of Thrift Supervision (OTS)--and securities regulators--Securities
and Exchange Commission (SEC) and the Financial Industry Regulatory
Authority (FINRA)--use somewhat different approaches to oversee risk
management practices. Banking examiners are assigned to continuously
monitor a single institution, where they engage in targeted and
horizontal examinations and assess risks and the quality of
institutions' risk management systems. SEC and FINRA identify areas of
high risk by aggregating information from examiners and officials on
areas of concern across broker-dealers and by monitoring institutions.
SEC and FINRA conduct discrete targeted and horizontal examinations.
The banking regulators focused on safety and soundness, while SEC and
FINRA tended to focus on compliance with securities rules and laws. All
regulators have specific tools for effecting change when they identify
weaknesses in risk management at institutions they oversee.
In the examination materials GAO reviewed for a limited number of
institutions, GAO found that regulators had identified numerous
weaknesses in the institutions' risk management systems before the
financial crisis began. For example, regulators identified inadequate
oversight of institutions' risks by senior management. However, the
regulators said that they did not take forceful actions to address
these weaknesses, such as changing their assessments, until the crisis
occurred because the institutions had strong financial positions and
senior management had presented the regulators with plans for change.
Regulators also identified weaknesses in models used to measure and
manage risk but may not have taken action to resolve these weaknesses.
Finally, regulators identified numerous stress testing weaknesses at
several large institutions, but GAO's limited review did not identify
any instances in which weaknesses prompted regulators to take
aggressive steps to push institutions to better understand and manage
risks.
Some aspects of the regulatory system may have hindered regulators'
oversight of risk management. First, no regulator systematically looks
across institutions to identify factors that could affect the overall
financial system. While regulators periodically conducted horizontal
examinations on stress testing, credit risk practices, and risk
management for securitized mortgage products, they did not consistently
use the results to identify potential systemic risks. Second, primary
bank and functional regulators oversee risk management at the level of
the legal entity within a holding company while large entities manage
risk on an enterprisewide basis or by business lines that cut across
legal entities. As a result, these regulators may have only a limited
view of institutions' risk management or their responsibilities and
activities may overlap with those of holding company regulators.
View [hyperlink, http://www.gao.gov/products/GAO-09-499T] or key
components. For more information, contact Orice Williams at (202) 512-
8678 or williamso@gao.gov.
[End of section]
Mr. Chairman and Members of the Subcommittee:
I appreciate the opportunity to participate in today's hearing on
regulators' oversight of risk management at large, complex, financial
institutions. As you know, financial regulators have a role in
assessing the risk management systems at the financial institutions
they supervise. This oversight is a responsibility of both federal
regulatory agencies, including the Federal Reserve System (Federal
Reserve), the Office of the Comptroller of the Currency (OCC), the
Office of Thrift Supervision (OTS), and the Securities and Exchange
Commission (SEC), and of self-regulatory organizations, such as the
Financial Industry Regulatory Authority (FINRA). Several significant
analyses of the current financial crisis, which has threatened the
stability of the financial system and led to the insolvency of some
large U.S. financial institutions, have identified inadequate risk
management at large financial institutions as one of the causes of the
crisis.[Footnote 1] Major institutions across the financial sector--
Lehman Brothers, Washington Mutual, and Wachovia--have failed or been
rescued at the last moment by mergers and acquisitions, and the factors
that led to these failures such as poor underwriting standards for
mortgages and a lack of understanding of the risks posed by some
structured products, as well as the failures themselves, have led to
instability of the financial system in the United States. The failures
of these institutions to appropriately identify, measure, and manage
their risks have raised serious questions about the adequacy of the
regulators' oversight of risk management. Moreover, these failures
raise a number of questions about what lessons can be learned from the
current crisis that should be considered as Congress and the
Administration begin to rethink the current financial regulatory
system.
My statement today focuses on our review of regulators' oversight of
risk management systems at a limited number of large, complex financial
institutions (initiated at the request of Chairman Reed) as well as our
past work on the federal regulatory system. Specifically, I will
discuss (1) how regulators oversee risk management at large financial
institutions, (2) the extent to which regulators identified
shortcomings in risk management at selected institutions prior to the
beginning of the financial crisis in the summer of 2007, and (3) how
some aspects of the regulatory system may have contributed to or
hindered the oversight of risk management.
To prepare for this testimony, we built upon our existing body of work
on regulatory oversight of risk management.[Footnote 2] We evaluated
the examination guidance used by examiners at the Federal Reserve, OCC,
OTS, and SEC. We also conducted a literature review to identify good
risk management practices. We identified and used as criteria The
Committee of Sponsoring Organizations of the Treadway Commission's
(COSO) Enterprisewide Risk Management--Integrated Framework and several
analyses of risk management as they relate to the current financial
crisis including the Institute of International Finance's (IIF) Final
Report of the IIF Committee on Market Best Practices: Principles of
Conduct and Best Practice Recommendations and the Senior Supervisor
Group's Observations on Risk Management Practices During Recent
Turbulent Times. Finally, for the period 2006-2008, we reviewed the
authorities under which the regulators exercise oversight of risk
management, examination reports, and workpapers supporting these
reports for a small number of large financial institutions that we
selected. The results cannot be projected to the universe of large
complex institutions but rather provide examples of risk management
oversight at the selected institutions. In this regard, I note that the
statutory authority providing for GAO audits of the federal bank
regulators generally prohibits GAO from disclosing regulatory nonpublic
information identifying an open bank. Therefore, we will not disclose
the banking institutions included in our study or detailed information
obtained from the examinations or interviews with the examination
staff.
We conducted this work from December 2008 to March 2009 in accordance
with generally accepted government auditing standards. Those standards
require that we plan and perform the audit to obtain sufficient
evidence to provide a reasonable basis for our findings and conclusions
based on our audit objectives. We believe that the evidence obtained
provides a reasonable basis for our findings and conclusions based on
our audit objectives.
In Summary:
The Federal Reserve, OCC, OTS, and SEC maintain continuous contact with
large, complex institutions, using a risk-based examination approach
that aims to identify areas of risk and assess these institutions' risk
management systems, but the approaches of the banking and securities
regulators vary somewhat. The banking regulators
(Federal Reserve, OCC, and OTS) use a combination of supervisory
activities, including informal tools and examination-related activities
to assess the quality of risk management. For example, bank examiners
review the activities, products, and services that an institution
engages in to identify risks and then through continuous monitoring and
targeted examinations assess how the institution manages those risks.
Banking examiners use the information they gather to assign a rating
that, among other things, includes an assessment of the quality of the
institutions' risk management systems including its governance and
policies. The Federal Reserve and OCC have detailed risk assessment
frameworks or processes. Both OCC and the Federal Reserve conduct a
number of targeted examinations. SEC's and FINRA's risk management
assessment of broker-dealers primarily relies on discrete targeted
examinations to determine whether institutions are in compliance with
regulatory rules and securities laws. Generally, all the regulators
look at risk management at the institutional level, but they also
perform horizontal examinations--coordinated supervisory reviews of a
specific activity, business line, or risk management practice across a
group of peer institutions. When bank regulators identify weaknesses in
risk management at an institution, they have a number of informal and
formal supervisory tools they can use for enforcement and to effect
change.[Footnote 3] Similarly, SEC and FINRA have specific tools for
effecting risk management improvements that are used when institutions
are not in compliance with specific rules or regulations.
In the examination materials we reviewed, we found that regulators had
identified numerous weaknesses in the institutions' risk management
systems prior to the beginning of the financial crisis; however,
regulators did not effectively address the weaknesses or in some cases
fully appreciate their magnitude until the institutions were stressed.
For example,
* Some regulators found that institutions' senior management oversight
of risk management systems had significant shortcomings, such as a lack
of a comprehensive means to review enterprisewide risks, yet some
regulators gave the institutions satisfactory assessments until the
financial crisis occurred.
* Regulators identified other risk management weaknesses, such as the
testing and validation of models used to assess and monitor risk
exposures and price complex instruments. For example, some regulators
found that institutions had not tested the assumptions in models used
to evaluate risks--such as the likelihood of a borrower to default--
but, for at least one institution, examiners did not prohibit the
institutions from using untested models nor did they change their
overall assessment of the institutions' risk management program based
on these findings.
* In a 2006 review, the Federal Reserve found that none of the large,
complex banking institutions it reviewed had an integrated stress
testing program that incorporated all major financial risks
enterprisewide, nor did they test for scenarios that would render them
insolvent.
In these instances, regulators told us that they did not fully
appreciate the risks to the institutions under review or the
implications of the identified weaknesses for the stability of the
overall financial system. One regulator told us it was difficult to
identify all risk management weaknesses until these systems became
stressed by the financial crisis.
Some aspects of the regulatory system may have hindered regulators'
oversight of risk management. One is that no regulator systematically
and effectively looks across all large, complex financial institutions
to identify factors that could have a destabilizing effect on the
overall financial system. As a result, both banking and securities
regulators continue to assess risk management primarily on an
individual institutional level. Even when regulators perform horizontal
examinations across institutions in areas such as stress testing,
credit risk practices, and the risks of structured mortgage products,
they do not consistently use the results to identify potential systemic
risks. In addition, in 2005, when the Federal Reserve implemented an
internal process to evaluate financial stability issues related to
certain large financial institutions, it did not consider risks on an
integrated basis and, with hindsight, we note that it did not identify
in a timely manner the severity of the risks that ultimately led to the
failure or near failure of some of these institutions and created
severe instability in the overall financial system. Another aspect of
the regulatory system that hinders regulators' oversight of risk
management, by creating areas of overlap or limiting their view of risk
management, comes from primary bank and functional regulators--such as
the regulator of a broker-dealer--overseeing risk management at the
level of a legal entity within a holding company that owns a number of
subsidiary entities. While these regulators focus on depositories or
broker-dealers, large financial institutions manage risks on an
enterprisewide basis or by business lines that cut across legal
entities. To the extent that a primary bank or functional regulator
concentrates on the risks of a legal entity within an enterprise, the
regulator will have a limited view of how the enterprise as a whole
manages risk. On the other hand, if the regulator reviews risks outside
the legal entity, it may be duplicating the oversight activities of
other regulators including the holding company regulator. Finally, when
a financial institution manages risks such as market risk across the
depository and broker-dealer, the primary bank and broker-dealer
regulators may be performing duplicative oversight of certain functions
as well.
Background:
Financial institutions need systems to identify, assess, and manage
risks to their operations from internal and external sources. These
risk management systems are critical to responding to rapid and
unanticipated changes in financial markets. Risk management depends, in
part, on an effective corporate governance system that addresses risk
across the institution and also within specific areas of risk,
including credit, market, liquidity, operational, and legal risk.
[Footnote 4] The board of directors, senior management (and its
designated risk-monitoring unit), the audit committee, internal
auditors, external auditors, and others have important roles to
play in an effectively operating risk-management system. The different
roles that each of these groups plays represent critical checks and
balances in the overall risk-management system.
Since 1991, the Congress has passed several laws that emphasize the
importance of internal controls including risk management at financial
institutions and the Committee of Sponsoring Organizations of the
Treadway Commission (COSO) has issued guidance that management of
financial institutions could use to assess and evaluate its internal
controls and enterprisewide risk management.
* Following the savings and loan crisis in the 1980s, the Federal
Deposit Insurance Corporation Improvement Act of 1991 (FDICIA)
strengthened corporate governance in large U.S. banks and thrifts.
FDICIA required management to annually assess its system of internal
control over financial reporting and the external auditors to attest to
management's assertions. The corporate governance model established
under FDICIA emphasized strong internal control systems, proactive
boards of directors, and independent, knowledgeable audit committees.
* During 1992, and with a subsequent revision in 1994, COSO issued its
Internal Control - Integrated Framework. The COSO Framework set out
criteria for establishing key elements of corporate governance,
especially the "tone at the top." The framework also set forth the five
components of an effective system of internal control: control
environment, risk assessment, control activities, information and
communication, and monitoring.
* With the failures of Enron and WorldCom, Congress passed the Sarbanes-
Oxley Act of 2002 (SOX) which required managements of public companies
to assess their systems of internal control with external auditor
attestations, though the implementation for smaller public companies
has been gradual and is not yet complete. Under section 404 of SOX, the
SEC required that management identify what framework it used to assess
the system of internal control over financial reporting. Though it did
not mandate any particular framework, the SEC recognized that the COSO
Framework satisfied the SEC's own criteria and allowed its use as an
evaluation framework.
* In 2004, COSO issued Enterprise Risk Management - Integrated
Framework (ERM Framework), though it is not a binding framework for any
particular entity or industry. The ERM Framework, which encompasses the
previous internal control framework, establishes best practices and
expands the criteria and tools that management can use to assess
whether it has an effective risk management system. The framework
encourages the board of directors and senior management, in their
corporate governance roles, to set the risk appetite of the entity,
which is the amount of risk the entity is willing to accept in its
overall strategy. Management further sets risk objectives to achieve
the entity's goals and sets risk tolerances to ensure that the risk
appetite is not exceeded.
Regulators also have a role in assessing risk management at financial
institutions. In particular, oversight of risk management at large
financial institutions is divided among a number of regulatory
agencies. The Federal Reserve oversees risk management at bank holding
companies and state member banks that are members of the Federal
Reserve System; OTS oversees thrift holding companies and thrifts; SEC
and FINRA oversee risk management at SEC-registered U.S. broker-
dealers; and OCC oversees risk management at national banks.
The Federal Reserve and OTS have long had authority to supervise
holding companies. The Federal Reserve's authority is set forth
primarily in the Bank Holding Company Act of 1956, which contains the
supervisory framework for holding companies that control commercial
banks. OTS's supervisory authority over thrift holding companies is set
forth in the Home Owners' Loan Act. In the Gramm-Leach-Bliley Act of
1999 (GLBA), Congress expanded the range of permissible holding company
activities and affiliations and also set forth restrictions and
guidance on how those companies should be supervised. However, Congress
did not clearly express the aims of holding company supervision. GLBA
authorizes the Federal Reserve and OTS to examine the holding company
and each subsidiary in order to: (a) inform the regulator of "the
nature of the operations and financial condition" of the holding
company and its subsidiaries; and (b) inform the regulator of the
financial and operational risks within the holding company system that
may threaten the safety and soundness of the holding company's bank
subsidiaries and the systems for monitoring and controlling such risks;
and (c) monitor compliance with applicable federal laws. On the other
hand, GLBA specifies that the focus and scope of examinations of
holding companies and any of their subsidiaries shall "to the fullest
extent possible" be limited to the holding company and "any subsidiary
that could have a materially adverse effect on the safety and soundness
of a depository institution subsidiary" due to the size, condition or
activities of the nonbank subsidiary or the nature or size of
transactions between that subsidiary and the banking subsidiary. In our
work over the years, we have encountered a range of perspectives on the
focus of holding company examinations, some of which emphasize the
health of the depository institution as the primary examination focus
and some of which look more expansively to the holding company
enterprise under certain conditions.
In addition to the provisions generally applicable to holding company
supervision, GLBA also limits the circumstances under which both
holding company regulators and depository institution regulators may
examine functionally regulated subsidiaries of bank holding companies,
such as broker-dealers. Gramm-Leach-Bliley permits holding company
regulators to examine functionally regulated subsidiaries only under
certain conditions, such as where the regulator has reasonable cause to
believe that the subsidiary is engaged in activities that pose a
material risk to an affiliated bank or that an examination is necessary
to obtain information on financial and operational risks within the
holding company system that may threaten an affiliated bank's safety
and soundness. The examination authority of depository institution
regulators permits the examination of bank affiliates to disclose fully
an affiliate's relations with the bank and the effect of those
relations on the bank. However, with respect to functionally regulated
affiliates of depository institutions, Gramm-Leach-Bliley imposes the
same restraint on the use of examination authority that applies to OTS
and the Federal Reserve with respect to holding companies. That is,
Gramm-Leach-Bliley instructs that bank and holding company supervisors
generally are to limit the focus of their examinations of functionally
regulated affiliates and, to the extent possible, are to rely on the
work of primary bank and functional regulators that supervise holding
company subsidiaries. An example of this situation would be where a
holding company has a national bank or thrift subsidiary and a broker-
dealer subsidiary. Under GLBA, the holding company regulator is to rely
"to the fullest extent possible" on the work of primary bank and
functional regulators for information on the respective entities. Also
under GLBA, bank supervisors are similarly limited with respect to
affiliates of the institutions they supervise.
SEC's authority to examine U.S. broker-dealers is set forth in the
Securities and Exchange Act of 1934. Under the 1934 act, SEC's
examination authority over broker-dealers does not permit SEC to
require examination reports on affiliated depository institutions, and
if SEC seeks non-routine information about a broker-dealer affiliate
that is subject to examination by a bank regulator, SEC must notify and
generally must consult with the regulator regarding the information
sought. Oversight of U.S. broker-dealers is performed by SEC's Division
of Trading and Markets (Trading and Markets) and Office of Compliance,
Inspections, and Examinations (OCIE). In addition, SEC delegates some
of its authority to oversee U.S. broker-dealers to FINRA, a self-
regulatory organization that was established in 2007 through the
consolidation of NASD and the member regulation, enforcement and
arbitration functions of the New York Stock Exchange.
Under the alternative net capital rule for broker-dealers, from 2005-
2008, SEC conducted a voluntary consolidated-supervised entity (CSE)
program
under which five investment bank holding companies voluntarily
consented to having SEC oversee them on a consolidated basis.
[Footnote 5] Today, no institutions are subject to SEC oversight at the
consolidated level, but several broker-dealers within bank holding
companies are still subject to the alternative net capital rule on a
voluntary basis.[Footnote 6]
Regulators Identify Areas of Risk and Examine Risk Management Systems,
but Their Specific Approaches Vary:
The Federal Reserve, FINRA, OCC, OTS, and SEC each identify areas of
risk relating to the large, complex financial institutions they oversee
and examine risk management systems at regulated institutions. However,
the banking and securities regulators take different approaches. The
banking regulators (Federal Reserve, OCC, and OTS) use a combination of
supervisory activities, including informal tools and examination-
related activities to assess the quality of institutional risk
management systems and assign each institution an annual rating. SEC
and FINRA aggregate information from officials and staff of the
supervised institutions throughout the year to identify areas of
concern across all broker-dealers. For those broker-dealers covered by
the alternative net capital rule, SEC and FINRA emphasize compliance
with that rule during target examinations. Under the CSE program, SEC
continuously supervised and monitored the institutions in the program.
Banking Regulators Use a Number of Supervisory Activities for Assessing
Risk Management at Large, Complex Institutions:
Banking regulators carry out a number of supervisory activities in
overseeing risk management of large, complex financial institutions. To
conduct on-site continuous supervision, banking regulators often
station examiners at specific institutions. This practice allows
examiners to continuously analyze information provided by the financial
institution, such as board meeting minutes, institution risk reports or
management information system reports, and, for holding company
supervisors, supervisory reports provided to other regulators, among
other things. This type of supervision allows for timely adjustments to
the supervisory strategy of the examiners as conditions change within
the institution. Bank examiners do not conduct a single annual full-
scope examination of the institution. Rather, they conduct ongoing
examinations that target specific areas at the institutions (target
examinations) and annually issue an overall rating on the quality of
risk management.[Footnote 7]
Each regulator had a process to assess risk management systems. While
each included certain core components, such as developing a supervisory
plan and monitoring, the approach used and level of detail varied.
* The Federal Reserve's guidance consisted of a detailed risk
assessment program that included an analytic framework for developing a
risk management rating for holding companies. Unlike most bank
regulatory examination guidance, this guidance is not yet publicly
available. According to Federal Reserve officials, the primary purpose
of the framework is to help ensure a consistent regulatory approach for
assessing inherent risk and risk management practices of large
financial institutions (the holding company) and make informed
supervisory assessments. The Federal Reserve program for large complex
banking organizations is based on a "continuous supervision" model that
assigns a dedicated team to each institution. Those teams are
responsible for completing risk assessments, supervisory plans, and
annual assessments. The risk assessment includes an evaluation of
inherent risk (credit, market, operational, liquidity, and legal and
compliance) and related risk management and internal controls. The risk
assessment is often the starting point for the supervisory plan as well
as a supporting document for the annual assessment.
The annual assessment requires the dedicated team to evaluate and rate
the firm's risk management, its financial condition, and the potential
impact of its non-depository operations on the depository institution.
To apply the risk or "R" rating, the examiner must consider (1) board
of director and senior management oversight; (2) policies, procedures,
and limits; (3) risk monitoring and management information system; and
(4) internal controls for each of the risk areas.[Footnote 8] The
examiners then provide an overall "R" rating for the institution.
* OCC's onsite examiners assess the risks and risk management functions
at large national banks using a detailed approach that is similar to
that used by the Federal Reserve's examiners. The core assessment is
OCC's primary assessment tool at the institutional level. According to
OCC's guidance, its examiners are required to assess the quality,
quantity, and overall direction of risks in nine categories (strategic,
reputation, credit, interest rate, liquidity, price, foreign currency
translation, transaction, and compliance). To determine the quality of
risk management, OCC examiners assess policies, processes, personnel,
and control systems in each category. This risk assessment is included
in the examination report that is sent to the bank's board of
directors. OCC also provides a rating based on the bank's capital,
asset quality, management, earnings, liquidity, and sensitivity to
market risk (the CAMELS rating), all of which can be impacted by the
quality of a risk management system. OCC's supervisory strategy or plan
for targeted examinations is developed from this Risk Assessment
System.[Footnote 9] Examiners can change a bank's ratings at any time
if the bank's conditions warrant that change. Targeted examinations are
a key component of OCC's oversight. Based on the materials we reviewed
covering the last 2 years, OCC conducted 23 targeted examinations in
2007 and 45 in 2008 at a large national bank. These examinations
focused on specific areas of risk management, such as governance,
credit, and compliance.
* Recently revised OTS guidance requires its examiners to review large
and complex holding companies to determine whether they have a
comprehensive system to measure, monitor, and manage risk
concentrations, determine the major risk-taking entities within the
overall institution, and evaluate the control mechanisms in place to
establish and monitor risk limits. OTS's recently revised guidance on
assessing risk management includes a risk management rating framework
that is similar to the Federal Reserve's. It includes the same risk
management rating subcomponents--governance/board and senior management
oversight; policies, procedures, and limits; risk monitoring and
management information systems; and internal controls--and criteria
that the Federal Reserve applies to bank holding companies. However,
OTS considers additional risk areas, such as concentration or systemic
risk. Starting in 2007, OTS used a risk matrix to document the level of
13 inherent risks by business unit. The matrix also includes an
assessment of each unit's risk mitigation or risk management
activities, including internal controls, risk monitoring systems,
policies/procedures/limits, and governance. OTS began using the risk
matrix to develop its supervisory plan. Based on our review of
examination materials, OTS conducted targeted examinations on risk
management in such areas as consumer lending and mortgage-backed
securities.
In the last few years, the banking regulators have also conducted
examinations that covered several large complex financial institutions
on specific issues such as risk management (horizontal examinations).
According to the Federal Reserve, horizontal examinations focus on a
single area or issue and are designed to (1) identify the range of
practices in use in the industry, (2) evaluate the safety and soundness
of specific activities across business lines or across systemically
important institutions, (3) provide better insight into the Federal
Reserve's understanding of how a firm's operations compare with a range
of industry practices, and (4) consider revisions to the formulation of
supervisory policy. During the period of our review, the Federal
Reserve completed several horizontal examinations on large, complex
banking organizations, including stress testing and collateral
management. According to Federal Reserve officials, examiners generally
provide institutions with feedback on how they are doing relative to
their peers, and any serious weaknesses identified are conveyed as
well. With the Federal Reserve,
OCC conducted a horizontal examination on advanced credit risk
practices and OTS conducted a review across institutions for
nontraditional mortgages and used the findings to issue supplemental
guidance. According to an OCC official, the regulator uses the findings
in horizontal reviews as a supervisory tool and to require corrective
actions, as well as a means to discover information on bank practices
to issue supplemental guidance.
Securities Regulators' Approaches to Assessing Risk Management Revolve
around Regularly Scheduled Targeted Examinations:
SEC and FINRA generally assess risk management systems of large broker-
dealers using discrete, but risk-focused examinations. The focus of SEC
and FINRA oversight is on compliance with their rules and the
Securities and Exchange Act of 1934. Although SEC and FINRA are in
continuous contact with large, complex institutions, neither SEC nor
FINRA staff conduct continuous onsite monitoring of broker-dealers that
involves an assessment of risks. FINRA's coordinator program is
continuous supervision, albeit not on site. According to SEC and FINRA,
however, they receive financial and risk area information on a regular
basis from the largest firms and those of financial concern through the
OCIE compliance monitoring program, the FINRA capital alert program,
and regular meetings with the firms. To identify risks, they aggregate
information from their officials and staff throughout the year to
identify areas that may require special attention across all broker-
dealers. SEC and FINRA conduct regularly scheduled target examinations
that focus on the risk areas identified in their risk assessment and on
compliance with relevant capital rules and customer protection rules.
SEC's internal controls risk management examinations, which started in
1995, cover the top 15 wholesale and top 15 retail broker-dealers as
well as a number of mid-sized broker-dealers with a large number of
customer accounts. At the largest institutions, SEC conducts
examinations every three years, while FINRA conducts annual
examinations of all broker-dealers. According to Trading and Markets,
the CSE program was modeled on the Federal Reserve's holding company
supervision program, but continuous supervision was usually conducted
off site by a small number of examiners, and SEC did not rate risk
management systems or use a detailed risk assessment process to
determine areas of highest risk. During the CSE program, Trading and
Markets staff concentrated their efforts on market and liquidity risks
because the alternative net capital rule focused on these risks and on
operational risk because of the need to protect investors. According to
OCIE, its examiners focused on market, credit, operational, legal and
compliance risks, as well as senior management, internal audit and new
products. Because only five investment banks were subject to
consolidated supervision by SEC, SEC staff believed they did not need to
develop an overall supervisory strategy or written plans for individual
institutions it supervised; however, OCIE drafted detailed scope
memorandums for its target examinations. While no institutions are
subject to consolidated supervision by SEC at this time, a number of
broker-dealers are subject to the alternative net capital rule.
SEC and FINRA conduct horizontal or "sweep" examinations and, for
example, have completed one for subprime mortgages. OCIE officials said
that OCIE had increased the number of these types of examinations since
the current financial crisis began. Under the consolidated supervised
entity program, Trading and Markets conducted several horizontal
examinations aimed at discovering the range of industry practice in
areas such as leveraged lending.
Banking Regulators Have a Variety of Tools to Address Risk Management
Weaknesses:
The banking regulators have developed guidance on how they should
communicate their examination findings to help ensure that financial
institutions take corrective actions. Bank regulators generally issue
findings or cite weaknesses in supervisory letters or an annual
examination report addressed to senior management of the financial
institution. However, regulators also meet with institution management
to address identified risk management weaknesses. Examples include:
* After a target examination, the Federal Reserve, OCC, and OTS each
prepare supervisory letters or reports of examination identifying
weaknesses that financial institutions are expected to address in a
timely manner. In addition to issues or findings, the Federal Reserve
and OCC supervisory letters provided a specific timeframe for the
institution to send a written response to the bank regulator
articulating how the institution planned to address the findings. In
these instances, for the files we reviewed, the institutions complied
with the timeframes noted in the supervisory letter. These letters may
be addressed to the board of directors or the CEO or, as we found, the
senior managers responsible for the program. For example, a Federal
Reserve Bank addressed a recent targeted examination on a holding
company's internal audit function to the chief auditor of the holding
company. Similarly, OCC addressed an examination of advanced risk
management processes to a bank's chief credit officer. OTS also
addressed some reports of target examinations to senior managers
responsible for specific programs.
* In its supervisory letters, OCC sometimes identifies "Matters
Requiring Attention," which instruct the bank to explain how it will
address the matter in a timely manner. In its supervisory guidance,
matters requiring attention include practices that deviate from sound
governance, internal control and risk management principles that may
adversely impact the bank's earnings or capital, risk profile, or
reputation if not addressed.[Footnote 10] According to its guidance,
OCC tracks matters requiring attention until they are resolved and
maintains a record when these matters are resolved and closed out. OCC
also includes recommendations to national banks in its supervisory
letters; these are suggestions relating to how a bank can operate a
specific program or business line more effectively.
* After the beginning of the financial crisis, the Federal Reserve
issued revised examination guidance in July 2008 that established three
types of findings: matters requiring immediate attention, matters
requiring attention, and observations. Previously, each of the
individual Federal Reserve Banks had its own approach to defining
findings. Matters requiring attention and observations are similar to
related practices followed by OCC. Matters requiring immediate
attention are considered more urgent. According to Federal Reserve
guidance, matters requiring immediate attention encompass the highest
priority concerns and include matters that have the potential to pose
significant risk to the organization's safety and soundness or that
represent significant instances of noncompliance with laws and
regulations.
* OTS examiners may list recommendations in the report, findings, and
conclusions, but in the materials we reviewed examiners did not report
these in a standard way. While members of the Board of Directors are
required to sign the report of annual examination indicating that they
have read the report, they are not required to submit a written
response. The OTS Handbook Section 060, Examination Administration,
provides guidance on the use of "matters requiring board attention" or
other lesser supervisory corrective actions that should be addressed in
the examination correspondence. According to OTS, matters requiring
board attention and corrective actions are also tracked in its
regulatory action system for follow up.
* For 2008, we reviewed one regulator's tracking report of matters
requiring attention at one institution and found that only a small
number of the 64 matters requiring attention relating to risk
management and internal controls had been closed out or considered
addressed by the end of January 2009. The examiners explained that some
matters, such as institutions' adjustments to their technology
framework, can be time-consuming. Another regulator told us that it does
not track when institutions have implemented remedial actions.
* Because the banking regulators are generally on site and continuously
monitoring large, complex institutions, examiners told us that a
significant part of their efforts to improve risk management systems
was undertaken through regularly scheduled meetings with senior
management. According to Federal Reserve and OCC officials, these
meetings allow opportunities for examiners to follow up with management
concerning actions that they expect the financial institutions to
implement. A Federal Reserve examiner explained that several meetings
were held with officials at a holding company concerning an internal
control matter in order to help ensure that the institution was
addressing the issue. For its complex and international organizations
program, OTS directs its examiners to use regular meetings with senior
management and periodic meetings with boards of directors and any
relevant committees to effect change. OTS guidance indicates that
examiners' regular meetings with senior management are designed to
communicate and address any changes in risk profile and corrective
actions. OTS also views annual meetings with the Board of Directors as
a forum for discussing significant findings and management's approach
for addressing them.
In addition to these tools, bank regulators' approval authorities
related to mergers and acquisitions could be used to persuade
institutions to address risk management weaknesses. For example, the
Federal Reserve, OCC, and OTS are required to consider risk management
when they approve bank or thrift acquisitions or mergers and could use
identified weaknesses in this area to deny approvals. In addition, bank
regulators have to approve the acquisition of bank charters and must
assess management's ability to manage the bank or thrift charter being
acquired.
SEC's Oversight Tools Are Aimed at Addressing Violations:
If SEC's OCIE or FINRA examiners discover a violation of SEC or FINRA
rules, the institution is required to resolve the deficiency in a
timely manner. OCIE developed guidance on deficiency letters for
examinations. According to SEC and FINRA staff, because SEC or FINRA
rules do not contain specific requirements for internal controls,
problems with internal controls generally are not cited as
deficiencies. However, weaknesses in internal controls can rise to such
a level as to violate other FINRA rules, such as supervision rules.
Deficiencies and weaknesses are followed up on in subsequent
examinations. OCIE's compliance audits require institutions to correct
deficiencies and address weaknesses. OCIE staff told us that if the
institutions do not address deficiencies in a timely manner, they may
be forwarded to the enforcement division. For example, OCIE staff were
able to discuss limit violations with one firm and required the firm to
change its risk limit system to significantly reduce its limit
violations--indicating senior management was taking steps to better
oversee and manage its risks. Under the consolidated supervised
entity program, SEC's Trading and Markets relied on discussions with
management to effect change. For example, Trading and Markets staff told
us that they had discussions with senior management that led to changes
in personnel.
Regulators Identified Weaknesses in Risk Management Systems before the
Crisis but Did Not Fully Recognize the Threats They Posed:
In the years leading up to the financial crisis, some regulators
identified weaknesses in the risk management systems of large, complex
financial institutions. Regulators told us that despite these
identified weaknesses, they did not take forceful action--such as
changing their assessments--until the crisis occurred because the
institutions reported a strong financial position and senior management
had presented the regulators with plans for change. Moreover,
regulators acknowledged that in some cases they had not fully
appreciated the extent of these weaknesses until the financial crisis
occurred and risk management systems were tested by events. Regulators
also acknowledged they had relied heavily on management representations
of risks.
Some Regulators Identified Weaknesses in Risk Management Systems in a
Limited Number of Institutions but Did Not Take Forceful Actions to
Address Them until the Crisis Began:
In several instances, regulators identified shortcomings in
institutions' oversight of risk management at the limited number of
large, complex institutions we reviewed but did not change their
overall assessments of the institutions until the crisis began in the
summer of 2007.[Footnote 11] For example, before the crisis one
regulator found significant weaknesses in an institution's
enterprisewide risk management system stemming from a lack of oversight
by senior management. In 2006, the regulator notified the institution's
board of directors that the 2005 examination had concluded that the
board and senior management had failed to adequately oversee financial
reporting, risk appetite, and internal audit functions. The regulator
made several recommendations to the board to address these weaknesses.
We found that the regulator continued to find some of the same
weaknesses in subsequent examination reports, yet examiners did not
take forceful action to require the institution to address these
shortcomings until the liquidity crisis occurred and the severity of
the risk management weaknesses became apparent. When asked about the
regulator's assessment of the holding company in general and risk
management in particular given the identified weaknesses, examiners
told us that they had concluded that the institution's conditions were
adequate, in part, because it was deemed to have sufficient capital and
the ability to raise more. Moreover, the examiners said that senior
management had presented them with plans to address the risk management
weaknesses.
In another example, other regulators found weaknesses related to an
institution's oversight of risk management before the crisis. One
regulator issued a letter to the institution's senior management in
2005 requiring that the institution respond, within a specified time
period, to weaknesses uncovered in an examination. The weaknesses
included the following:
* The lack of an enterprisewide framework for overseeing risk, as
specified in the COSO framework. The institution assessed risks (such
as market or credit risks) on an individual operating unit basis, and
was not able to effectively assess risks institutionwide.
* A lack of common definitions of risk types and of corporate policy
for approving new products, which could ensure that management had
reviewed and understood any potential risks.
* An institutional tendency to give earnings and profitability growth
precedence over risk management.
In addition, the regulator recommended that senior management
restructure the institution's risk management system to develop
corporate standards for assessing risk. However, the regulator's
assessment of the institution's risk management remained satisfactory
during this period because senior management reported that they planned
to address these weaknesses and, according to examiners, appeared to be
doing so. Moreover, the examiners believed that senior management could
address these weaknesses in the prevailing business environment of
strong earnings and adequate liquidity. After earnings and liquidity
declined during the financial crisis that began in 2007, the examiners
changed their assessment, citing many of the same shortcomings in risk
management that they had identified in 2005.
At one institution, a regulator noted in a 2005 examination report that
management had addressed previously identified issues for one type of
risk and that the institution had taken steps to improve various
processes, such as clarifying the roles and responsibilities of risk
assessment staff, and shortening internal audit cycles of high-risk
entities in this area. Later in 2007, the regulator identified
additional weaknesses related to credit and market risk management.
Regulatory officials told us that weaknesses in oversight of credit and
market risk management were not of the same magnitude prior to the
crisis as they were in late 2007 and 2008. Moreover, examiners told us
that it was difficult to identify all of the potential weaknesses in
risk management oversight until the system was stressed by the
financial crisis.
Some regulators told us that they had relied on management
representation of risk, especially in emerging areas. For example, one
regulator's targeted risk review relied heavily on management's
representations about the risk related to subprime mortgages--
representations that had been based on the lack of historical losses
and the geographic diversification of the complex product issuers.
However, once the credit markets started tightening in late 2007, the
examiners reported that they were less comfortable with management's
representations about the level of risk related to certain complex
investments. Examiners said that, in hindsight, the risks posed by
parts of an institution do not necessarily correspond with their size
on the balance sheet and that relatively small parts of the institution
had taken on risks that the regulator had not fully understood. Another
regulator conducted a horizontal examination of securitized mortgage
products in 2006 but relied on information provided by the
institutions. While the report noted that these products were
experiencing rapid growth and that underwriting standards were
important, it focused on the major risks identified by the firms and
their actions to manage those risks as well as on how institutions were
calculating their capital requirements.
Regulators Identified Weaknesses in Models Used to Calculate Risk but
May Not Have Acted on These Findings:
Regulators also identified weaknesses in the oversight and testing of
risk models that financial institutions used, including those used to
calculate the amount of capital needed to protect against their risk
exposures and determine the valuation of complex products. Regulators
require institutions to test their models so that the institutions have
a better sense of where their weaknesses lie, and OCC developed
guidance in 2000 related to model validation that other regulators
consider to be the standard. OCC's guidance states that institutions
should validate their models to increase reliability and improve their
understanding of the models' strengths and weaknesses. The guidance
calls for independent reviews by staff who have not helped to develop
the models, instituting controls to ensure that the models are
validated before they are used, ongoing testing, and audit oversight.
The process of model validation should look not only at the accuracy of
the data being entered into the model, but also at the model's
assumptions, such as loan default rates.
Institutions use capital models as tools to inform their management
activities, including measuring risk-adjusted performance, setting
prices and limits on loans and other products, and allocating capital
among various business lines and risks.[Footnote 12] Certain large
banking organizations have used models since the mid-1990s to calculate
regulatory capital for market risk, and the rules issued by U.S.
regulators for Basel II require that banks use models to estimate
capital for credit and operational risks. The SEC's consolidated
supervised entity program allowed broker-dealers that were part of
consolidated supervised entities to compute capital requirements using
models to estimate market and credit risk. In addition, institutions
use models to estimate the value of complex instruments such as
collateralized debt obligations (CDOs).[Footnote 13]
Regulators identified several weaknesses related to financial
institutions' oversight and use of risk models:
* One regulator found several weaknesses involving the use of models
that had not been properly tested to measure credit risks, an important
input into institutions' determinations of capital needed, but did not
aggressively take steps to ensure that the firm corrected these
weaknesses. In a 2006 letter addressed to the head of the institution's
risk management division, the examiners reported deficiencies in models
used to estimate credit risk, including lack of testing, a lack of
review of the assumptions used in the models, and concerns about the
independence of staff testing the models. The regulator issued a letter
requiring management to address these weaknesses, but continued to
allow the institution to use the models and did not change its overall
assessment. Although the institution's processes improved over time, in
late 2007 examiners found that some of the weaknesses persisted. In
late 2008, examiners closed the matter in a
letter to management but continued to note concerns about internal
controls associated with risk management.
* A horizontal review of credit risk models by the Federal Reserve and
OCC in 2008 found a similar lack of controls surrounding model
validation practices for assessing credit risks, leading to questions
about the ability of large, complex institutions to understand and
manage these risks and provide adequate capital to cushion against
potential losses. For example, the review found that some institutions
lacked requirements for model testing, clearly defined roles and
responsibilities for testing, adequate detail for the scope or
frequency of validation, and a specific process for correcting problems
identified during validation.
* Before the crisis, another regulator found that an institution's
model control group did not keep a complete inventory of its models and
did not have an audit trail for models prior to 2000. The examiners
said that they did not find these issues to be significant concerns.
However, they were subsequently criticized for not aggressively
requiring another institution to take action on weaknesses they had
identified that were related to risk models, including lack of timely
review, understaffing, lack of independence of risk managers, and an
inability or unwillingness to update models to reflect the changing
environment.
* Other regulators noted concerns about pricing models for illiquid
instruments, but made these findings only as the crisis was unfolding.
For example, in a 2007 horizontal review of 10 broker-dealers' exposure
to subprime mortgage-related products, SEC and FINRA examiners found
weaknesses in pricing assumptions in valuation models for complex
financial products. They found that several of these firms relied on
outdated pricing information or traders' valuations for complex
financial transactions, such as CDOs. In some cases, firms could not
demonstrate that they had assessed the reasonableness of prices for
CDOs. Another regulator noted in a 2007 targeted examination that
although management had stated that the risk of loss exposure from
highly rated CDOs was remote, the downturn in the subprime mortgage
market could mean that they would not perform as well as similarly
rated instruments performed historically.
The Regulators Found That None of the Institutions We Reviewed Had
Tested for the Effects of a Severe Economic Downturn Scenario:
Because of the inherent limitations of modeling, such as the accuracy
of model assumptions, financial institutions also use stress tests to
determine how much capital and liquidity might be needed to absorb
losses in the event of a large shock to the system or a significant
underestimation of the probability of large losses. According to the
Basel Committee on Banking Supervision, institutions should test not
only for events that could lower their profitability, but also for rare
but extreme scenarios that could threaten their solvency. In its
January 2009 report, the Basel Committee emphasized the importance of
stress testing, noting that it could (1) alert senior management to
adverse unexpected losses, (2) provide forward-looking assessments of
risk, (3) support enterprisewide communication about the firm's risk
tolerance, (4) support capital and liquidity planning procedures, and
(5) facilitate the development of risk mitigation or contingency plans
across a range of stressed conditions.[Footnote 14] Moreover, the
report noted that stress testing was particularly important after long
periods of relative economic and financial calm when companies might
become complacent and begin underpricing risk.
We found that regulators had identified numerous weaknesses in stress
testing at large institutions before the financial crisis. However, our
limited review did not identify any instances in which an institution's
lack of worst-case scenario testing prompted regulators to push
forcefully for institutional actions to better understand and manage
risks. A 2006 Federal Reserve horizontal review of stress testing
practices at several large, complex banking institutions revealed that
none of the institutions had an integrated stress testing program that
incorporated all major financial risks enterprisewide, nor did they
test for scenarios that would render them insolvent. The review found
that institutions were stress testing the impact of adverse events on
individual products and business lines rather than on the institution
as a whole. By testing the response of only part of the institution's
portfolio to a stress such as declining home prices, the institution
could not see the effect of such a risk on other parts of its portfolio
that could also be affected. The review was particularly critical of
institutions' inability to quantify the extent to which credit exposure
to counterparties might increase in the event of a stressed market risk
movement. It stated that institutions relied on "intuition" to
determine their vulnerability to this type of risk. It also found that
institutions' senior managers were confident in their current practices
and questioned the need for additional stress testing, particularly for
worst-case scenarios that they thought were implausible.
The 2006 review included some recommendations for examiners to address
with individual institutions, and Federal Reserve officials told us
that they met with institutions' chief risk officers to discuss the
seriousness of the findings just before the crisis began. However,
officials told us that the purpose of the review was primarily to
facilitate the regulator's understanding of the full range of stress
testing practices, as there was neither a well-developed set of best
practices nor supervisory guidance in this area at the time. The
regulatory officials also told us that these findings were used to
inform guidance issued by the President's Working Group on assessing
exposure from private pools of capital, including hedge funds.[Footnote
15] However, this guidance focuses on testing the exposure to
counterparty risks, such as from hedge funds, and not on testing the
impact of solvency-threatening, worst-case scenarios. In hindsight,
officials told us that the current crisis had gone beyond what they had
contemplated for a worst-case scenario, and they said that they would
probably have faced significant resistance had they tried to require
the institutions to do stress tests for scenarios such as downgrades in
counterparties' credit ratings because such scenarios appeared
unlikely.
Other regulators raised concerns about stress testing at individual
institutions, but we did not find evidence that they had effectively
changed the firms' stress testing practices. In the materials we
reviewed, one regulator recommended that the institution include worst-
case scenarios in its testing. In a 2005 examination report, examiners
noted a concern about the level of senior management oversight of risk
tolerances. This concern primarily stemmed from lack of documentation,
stress testing, and communication of firm risk tolerances and the
extent to which these were reflected in stress tests. While the firm
later took steps to document formal risk tolerances and communicate
this throughout the firm, the recommendation related to stress testing
remained open through 2008.
Another regulator required institutions to show that they conducted
stress tests of the institution's ability to have enough funding and
liquidity in response to certain events, including a credit downgrade
or the inability to obtain unsecured, short-term financing. In
addition, institutions were required to document that they had
contingency plans to respond to these events. The regulator said that
it specifically required institutions to conduct stress tests such as
those based on historical events including the collapse of Long-Term
Capital Management or the stock market decline of 1987. However,
regulatory staff told us that the liquidity crisis of 2008 was greater
than they had expected.
Regulators' Oversight of Institutions' Risk Management Systems
Illustrates Some Limitations of the Current Regulatory System:
In this and other work, we identified two specific shortcomings of the
current regulatory system that impact the oversight of risk management
at large, complex financial institutions. First, no regulator has a
clear responsibility to look across institutions to identify risks to
overall financial stability. As a result, both banking and securities
regulators continue to assess risk management primarily at an
individual institutional level. Even when regulators perform horizontal
examinations across institutions, they generally do not use the results
to identify potential systemic risks. Although for some period, the
Federal Reserve analyzed financial stability issues for systemically
important institutions it supervises, it did not assess the risks on an
integrated basis or identify many of the issues that just a few months
later led to the near failure of some of these institutions and to
severe instability in the overall financial system. Second, although
financial institutions manage risks on an enterprisewide basis or by
business lines that cut across legal entities, primary bank and
functional regulators may oversee risk management at the level of a
legal entity within a holding company. As a result, their view of risk
management is limited or their activities overlap or duplicate those of
other regulators including the holding company regulator.
Regulators Were Not Looking Across Groups of Institutions to
Effectively Identify Risks to Overall Financial Stability:
In previous work, we have noted that no single regulator or group of
regulators systematically assesses risks to the financial stability of
the United States by assessing activities across institutions and
industry sectors.[Footnote 16] In our current analysis of risk
management oversight of large, complex institutions, we found that, for
the period of the review (2006-2008), the regulators had not effectively
used a systematic process to assess the threats that large financial
institutions posed to the financial system or that market events posed
to those institutions.
While the regulators periodically conducted horizontal examinations in
areas such as stress testing, credit risk practices, and risk
management for securitized mortgage products, these efforts did not
focus on the stability of the financial system, nor were they used as a
way to assess future threats to that system. The reports summarizing
the results of these horizontal examinations show that the purpose of
these reviews was primarily to understand the range of industry
practices or to compare institutions, rather than to determine whether
several institutions were engaged in similar practices that might
destabilize certain markets, leave the institutions vulnerable to those
and other market changes, and ultimately affect the stability of the
financial system.
Beginning in 2005 until the summer of 2007, the Federal Reserve made
efforts to implement a systematic review of financial stability issues
for certain large financial institutions it oversees and issued
internal reports called Large Financial Institutions' Perspectives on
Risk. With the advent of the financial crisis in the summer of 2007,
the report was suspended; however, at a later time the Federal Reserve
began to issue risk committee reports that addressed risks across more
institutions. While we commend the Federal Reserve for making an effort
to look systematically across a group of institutions to evaluate risks
to the broader financial system, the Perspectives on Risk report for
the second half of 2006, issued in April 2007, illustrates some of the
shortcomings in the process. The report reviewed risk areas including
credit, market, operational, and legal and compliance risk but did not
provide an integrated risk analysis that looked across these risk
areas--a shortcoming of risk management systems identified in reviews
of the current crisis. In addition, with hindsight, we can see that the
report did not effectively identify the severity and importance of a
number of factors. For example, it stated that:
* There are no substantial issues of supervisory concern for these
large financial institutions.
* Asset quality across the systemically important institutions remains
strong.
* In spite of predictions of a market crash, the housing market
correction has been relatively mild, and while price appreciation and
home sales have slowed and inventories remain high, most analysts
expect the housing market to bottom out in mid-2007. The overall impact
on a national level will likely be moderate; however, in certain areas
housing prices have dropped significantly.
* The volume of mortgages being held by institutions--warehouse
pipelines--has grown rapidly to support collateralized mortgage-backed
securities and CDOs.
* Surging investor demand for high-yield bonds and leveraged loans,
largely through structured products such as CDOs, provided continuing
strong liquidity that resulted in continued access to funding for lower-
rated firms at relatively modest borrowing costs.
* Counterparty exposures, particularly to hedge funds, continue to
expand rapidly.
With regard to the last point, a Federal Reserve examiner stated that
the Federal Reserve had taken action to limit bank holding company
exposures to hedge funds. The examiner noted that although in hindsight
it was possible to see some risks that the regulators had not
addressed, it was difficult to see the impact of issues they had worked
to resolve.
When asked for examples of how the Federal Reserve had used supervisory
information in conjunction with its role to maintain financial
stability, a Federal Reserve official provided two examples that he
believed illustrated how the Federal Reserve's supervisory role had
influenced financial stability before the current financial crisis.
First, the official said that the Federal Reserve had used supervisory
information to improve the resilience of the private sector clearing
and settlement infrastructure after the attacks on the World Trade
Center on September 11, 2001. Second, it had worked through the
supervisory system to strengthen the infrastructure for processing
certain over-the-counter derivative transactions. Federal Reserve
officials noted that financial stability is not the sole focus of
safety and soundness supervision and that several mechanisms exist
through which the supervision function works with other areas of the
Federal Reserve in assessing and monitoring financial stability.
Federal Reserve regulators indicated that other Federal Reserve
functions often consulted with them and that they provided information
to these functions and contributed to financial stability discussions,
working groups, and decisions both prior to and during the current
crisis.
In October 2008, the Federal Reserve issued new guidance for
consolidated supervision suggesting that in the future the agency would
be more mindful of the impact of market developments on the safety and
soundness of bank holding companies. The new guidance says, for
instance, that the enhanced approach to consolidated supervision
emphasizes several elements that should further the objectives of
fostering financial stability and deterring or managing financial
crises and help make the financial system more resilient. The guidance
says that two areas of primary focus would be:
* activities in which the financial institutions play a significant
role in critical or key financial markets that have the potential to
transmit a collective adverse impact across multiple firms and
financial markets, including the related risk management and internal
controls for these activities, and:
* areas of emerging interest that could have consequences for financial
markets, including, for example, the operational infrastructure that
underpins the credit derivatives market and counterparty credit risk
management practices.
Primary Bank and Functional Regulators May Limit Their Oversight of
Risk Management to Specific Legal Entities Such As Depository
Institutions or Broker-Dealers:
Some regulators have noted that the current practice of assessing risk
management at the level of a depository institution or broker-dealer
does not reflect the way most large, complex institutions manage their
risks. Regulators noted that financial institutions manage some risks
enterprisewide or by business lines that cross legal entity boundaries.
The scope of regulators' supervisory authorities does not clearly
reflect this reality, however. As set forth in the Gramm-Leach-Bliley
Act (GLBA), various regulators can have separate responsibilities for
individual components of a large, complex financial institution. In
addition, GLBA generally restricts the focus of holding company
examinations to the holding company and any subsidiary that could have
a materially adverse effect on the safety and soundness of an
affiliated bank. OCC examiners told us that it was difficult for them
to assess a bank's market risk management because OCC focused on the
national bank's activities, while the financial institution was
managing risk across the bank and the broker-dealer. The examiners said
that in some cases the same traders booked wholesale trades in the bank
and in the broker-dealer and that the same risk governance process
applied to both. Thus, both the primary bank regulator and the
functional regulator were duplicating each other's supervisory
activities. In addition, if initial transactions were booked in one
entity, and transactions designed to mitigate the risks in that
transaction were booked in another legal entity, neither regulator
could fully understand the risks involved. While effective
communication among the functional and primary bank regulators could
address this limitation, securities regulators told us that they shared
information with the Federal Reserve but generally did not share
information with OCC.
OCC examination materials show that examiners sometimes assessed risks
and risk management by looking at the entire enterprise. In addition,
OCC examiners often met with holding company executives. In previous
work, we noted the likelihood that OCC's responsibilities and
activities as the national bank regulator overlap with the
responsibilities and activities of the Federal Reserve in its role as
the holding company regulator. We found in this review that this
overlap continued to exist; however, we also continued to observe that
OCC and the Federal Reserve share information and coordinate activities
to minimize the burden to the institution.
Securities regulators face similar challenges in assessing risk
management at broker-dealers. In a number of past reports, we have
highlighted the challenges associated with SEC's lack of authority over
certain broker-dealer affiliates and holding companies.[Footnote 17]
FINRA officials also cited two examples of limitations on their efforts
to oversee risk management within broker-dealers. First, they noted
that FINRA's regulatory authority extended only to U.S. broker-dealers
and that related transactions generally are booked in other legal
entities. FINRA noted that the riskiest transactions were usually
booked in legal entities located offshore. FINRA also noted that
inventory positions booked in the U.S. broker-dealer often might hedge
risk booked in another affiliated legal entity. From time to time, FINRA has
requested that the U.S. broker-dealer move the hedge into the broker-
dealer to reduce the amount of the losses and protect the capital base
of the broker-dealer. An SEC official noted that to take advantage of
certain capital treatment the transaction and the hedge would both need
to be booked in the broker-dealer. Second, FINRA officials noted that
their view was limited because market risk policy is set at the holding
company level.
In closing, I would like to reiterate a number of central themes that
have appeared often in our recent work. First, while an institution's
management, directors, and auditors all have key roles to play in
effective corporate governance, regulators--as outside assessors of the
overall adequacy of the system of risk management--also have an
important role in assessing risk management. The current financial
crisis has revealed that many institutions had not adequately
identified, measured, and managed all core components of sound risk
management. We also found that for the limited number of large, complex
institutions we reviewed, the regulators failed to identify the
magnitude of these weaknesses and that when weaknesses were identified,
they generally did not take forceful action to prompt these
institutions to address them. As we have witnessed, the failure of a
risk management system at a single large financial institution can have
implications for the entire financial system.
Second, while our recent work is based on a limited number of
institutions, examples from the oversight of these institutions
highlight the significant challenges regulators face in assessing risk
management systems at large, complex institutions. While the painful
lessons learned during the past year should bolster market discipline
and regulatory authority in the short term, history has shown that as
the memories of this crisis begin to fade, the hard lessons we have
learned are destined to be repeated unless regulators are vigilant in
good times as well as bad. Responsible regulation requires that
regulators critically assess their regulatory approaches, especially
during good times, to ensure that they are aware of potential
regulatory blind spots. This means constantly reevaluating regulatory
and supervisory approaches and understanding inherent biases and
regulatory assumptions. For example, the regulators have begun to issue
new and revised guidance that reflects the lessons learned from the
current crisis. However, the guidance we have seen tends to focus on
the issues specific to this crisis rather than on broader lessons
learned about the need for more forward-looking assessments and on the
reasons that regulation failed.
Finally, I would like to briefly discuss how our current regulatory
framework has potentially contributed to some of the regulatory
failures associated with risk management oversight. The current
institution-centric approach has resulted in regulators all too often
focusing on the risks of individual institutions. This has led
regulators to look at how institutions were managing individual
risks while missing the implications of a collective strategy that was
premised on each institution's having little liquidity risk and adequate
capital. Whether or not the failures of some institutions ultimately
came about because of a failure to manage a particular risk, such as
liquidity or credit risk, these institutions often lacked some of the
basic components of good risk management--for example, having the board
of directors and senior management set the tone for proper risk
management practices across the enterprise. The regulators were not
able to connect the dots, in some cases because of the fragmented
regulatory structure. While regulators promoted the benefits of
enterprisewide risk management, we found that they failed to ensure
that all of the large, complex financial institutions in our review had
risk management systems commensurate with their size and complexity so
that these institutions and their regulators could better understand
and address related risk exposures.
This concludes my prepared statement. I would be pleased to answer any
questions that you may have at the appropriate time.
Staff Contributions and Acknowledgments:
For further information about this testimony, please contact Orice M.
Williams on (202) 512-8678 or at williamso@gao.gov. Contact points for
our Offices of Congressional Relations and Public Affairs may be found
on the last page of this statement. Individuals making key
contributions to this testimony include Barbara Keller, Assistant
Director; Nancy Barry, Emily Chalmers, Clayton Clark, Nancy Eibeck,
Kate Bittinger Eikel, Paul Thompson, and John Treanor.
[End of section]
Footnotes:
[1] Senior Supervisors Group, Observation on Risk Management Practices
during the Recent Market Turbulence, March 6, 2008; The President's
Working Group on Financial Markets, Policy Statement on Financial
Market Developments, March 13, 2008; Financial Stability Forum Report
of the Financial Stability Forum on Enhancing Market and Institutional
Resilience, April 7, 2008; and Basel Committee on Banking Supervision:
The Joint Forum, Cross-sectoral review of group-wide identification and
management of risk concentrations, April 2008. Institute of
International Finance, Final Report of the IIF Committee on Market Best
Practices: Principles of Conduct and Best Practice Recommendations--
Industry Response to the Market Turmoil of 2007-2008, July 2008.
[2] GAO, Financial Market Regulation: Agencies Engaged in Consolidated
Supervision Can Strengthen Performance Measurement and Collaboration,
[hyperlink, http://www.gao.gov/products/GAO-07-154] (Washington, D.C.:
Mar. 15, 2007); Risk-focused Bank Examinations: Regulators of Large
Banking Organizations Face Challenges, [hyperlink,
http://www.gao.gov/products/GAO/GGD-00-48] (Washington, D.C.: Jan. 24,
2000); Risk-Based Capital: Regulatory and Industry Approaches to
Capital and Risk, [hyperlink,
http://www.gao.gov/products/GAO/GGD-98-153] (Washington, D.C.: July 20,
1998); Financial Derivatives: Actions Taken or Proposed Since May 1994,
[hyperlink, http://www.gao.gov/products/GAO/GGD/AIMD-97-8] (Washington,
D.C.: Nov. 1, 1996); and Financial
Derivatives: Actions Needed to Protect the Financial System,
[hyperlink, http://www.gao.gov/products/GAO/GGD-94-133], (Washington,
D.C.: May 18, 1994).
[3] Informal enforcement actions include commitment letters, memoranda
of understanding, and, for bank regulators, safety and soundness plans.
Formal actions are authorized by statute, are generally more severe,
and are disclosed to the public. Formal actions include consent orders,
cease and desist orders and formal written agreements, among others.
[4] Credit risk is the potential for financial losses resulting from
the failure of a borrower or counterparty to perform on an obligation.
Market risk is the potential for financial losses due to the increase
or decrease in the value or price of an asset or liability resulting
from broad movements in prices, such as interest rates, commodity
prices, stock prices, or the relative value of currencies (foreign
exchange). Liquidity risk is the potential for financial losses due to
an institution's failing to meet its obligations because of an
inability to liquidate assets or obtain adequate funding. Operational
risk is the potential for unexpected financial losses due to inadequate
information systems, operational problems, and breaches in internal
controls, or fraud. Legal risk is the potential for financial losses
due to breaches of law or regulation that may result in heavy penalties
or other costs.
[5] 17 C.F.R. § 240.15c3-1.
[6] Bear Stearns was acquired by JPMorgan Chase, Lehman Brothers
failed, Merrill Lynch was acquired by Bank of America, and Goldman
Sachs and Morgan Stanley have become bank holding companies.
[7] Depository institutions receive what is known as a CAMELS rating.
The CAMELS rating is defined as Capital Adequacy-C, Asset Quality-A,
Management-M, Earnings-E, Liquidity-L, and Sensitivity to Market
Risk-S. The Federal Reserve issues what is known as an RFI/C(D) rating. It
is defined as Risk Management-R, Financial Condition-F, Potential
impact of the parent company and nondepository subsidiaries on the
subsidiary depository institutions-I, Composite Rating-C and Depository
Institution-D. The D rating subcomponent is the primary banking rating.
In late 2007, OTS changed its guidance related to the CORE
competencies--Capital, Organization, Relationship, and Earnings. In a
rule finalized on January 1, 2008, OTS changed the "R" to Risk
Management.
[8] According to Federal Reserve documentation, Board of Directors and
Senior Management Oversight evaluates the adequacy and effectiveness of
the board's and senior management's understanding and management of the
risk inherent in the BHC's activities, as well as the general
capabilities of management. It also
includes considerations of management's ability to identify,
understand, and control the risk undertaken by the institution, to hire
competent staff, and to respond to change in the institution's risk
profile or innovations in the banking sector. Policies, Procedures, and
Limits evaluates the adequacy of policies, procedures, and limits given
the risk inherent in the activities of the consolidated organization
and the organization's stated goals and objectives. The analysis may
include a consideration of the adequacy of the institution's accounting
and risk-disclosure policies and procedures. Risk monitoring and
management information system reviews the assumptions, data, and
procedures used to measure risk and the consistency of these tools with
the level of complexity of the organization's activities. Internal
controls and audits are evaluated relating to the accuracy of financial
reporting and disclosure and the strength and influence, within the
organization, of the internal audit team. The analysis will include a
review of the independence of control areas from management and the
consistency of the scope coverage of the internal audit team with the
complexity of the organization.
[9] The Risk Assessment System is the assessment framework of the nine
categories of risk and the risk management systems.
[10] OCC Memorandum, Matters Requiring Attention, August 8, 2005.
[11] OTS does not have specific risk-based or leverage capital
requirements for thrift holding companies but does require them to hold
adequate capital pursuant to capital maintenance agreements.
[12] Economic capital models measure risks by estimating the
probability of potential losses over a specified period and up to a
defined confidence level using historical loss data. See [hyperlink,
http://www.gao.gov/products/GAO-07-253] Risk-Based Capital: Bank
Regulators Need to Improve Transparency and Overcome Impediments to
Finalizing the Proposed Basel II Framework (Washington, D.C.: February
15, 2007).
[13] In a basic CDO, a group of loans or debt securities are pooled and
securities are then issued in different tranches that vary in risk and
return depending on how the underlying cash flows produced by the
pooled assets are allocated. If some of the underlying assets
defaulted, the more junior tranches--and thus riskier ones--would
absorb these losses first before the more senior, less-risky tranches.
Many CDOs in recent years largely consisted of mortgage-backed
securities, including subprime mortgage-backed securities.
[14] Basel Committee on Banking Supervision, Consultative Document:
Principles for Sound Stress Testing Practices and Supervision. (Basel,
Switzerland: January 2009).
[15] See President's Working Group, Agreement Among PWG and U.S. Agency
Principals on Principles and Guidelines Regarding Private Pools of
Capital, February 22, 2007. The information from this horizontal review
was later used in 2008 to analyze risk management practices after the
crisis began in the Senior Supervisors Group Observations on Risk
Management Practices During the Recent Market Turbulence.
[16] GAO, Financial Regulation: A Framework for Crafting and Assessing
Proposals to Modernize the Outdated U.S. Financial Regulatory System,
[hyperlink, http://www.gao.gov/products/GAO-09-216] (Washington, D.C.:
Jan. 8, 2009); Financial Regulation: Industry Changes Prompt Need to
Reconsider U.S. Regulatory Strategy, [hyperlink,
http://www.gao.gov/products/GAO-05-61] (Washington, D.C.: Oct. 6, 2004)
and Long-Term Capital Management, Regulators Need to Focus More
Attention on Systemic Risk, [hyperlink,
http://www.gao.gov/products/GAO/GGD-00-3] (Washington, D.C.: Oct. 29,
1999).
[17] [hyperlink, http://www.gao.gov/products/GAO-09-216] and
[hyperlink, http://www.gao.gov/products/GAO/GGD-00-3].
[End of section]
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Phone:
The price of each GAO publication reflects GAO's actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO's Web site,
[hyperlink, http://www.gao.gov/ordering.htm].
Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional
information.
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548: