I was speaking at a conference earlier this year and was serving on an expert panel regarding the changes the Current Expected Credit Loss (CECL) will bring to the world of banking. One of my co-presenters, responding to a question about the potential impact of CECL replied (as best as I can remember), “Well, banking is a quasi-utility anyway and the CEO’s will live with the additional requirements”. Two thoughts ran through my mind. The first was I was glad this wasn’t a CEO conference or things could have gotten pretty ugly. The second was, do bankers really see themselves as a quasi-utility with all of the issues that go along with that view? Utilities are thought of as having a consistent and relatively safe return on investment that results from a steady flow of revenue. Utilities also have relatively few (if any) competitors and as a result have heavy regulatory oversight.
Does this describe banking?
Community banks in the US have been cited as a key component of our economic engine. The model is interesting in that because it is so decentralized, with over 6,000 banks serving communities throughout the US, it can present higher risk. Higher risk comes about because of the lack of diversification in the loan portfolio and the significant impact the local economy can have on a bank’s performance. If you are a community bank in the oil patch, you live and die by the price of oil. A bank can diversify outside of its market but the tradeoff is the amount of knowledge about the other marketplace it enters. It’s something we call disproportionate risk. Because we are good in our market, we assume we will be as good in other markets, which is not usually the case.
If you do not believe in the quasi-utility view, then what is the role of the regulators in risk management?
The regulators are responsible for systemic risk; ensuring the various institutions do not negatively affect the economy or the insurance fund. As such, they are supposed to be looking for material weaknesses in a financial institution and addressing those issues that have a likelihood of leading to failure. Of course, they also act as the sheriff for legal (or compliance) risk and since most laws are put in place because of the worst offenders, this has become a very significant activity for regulators to cover.
The financial institution is responsible for business specific risk, managing it such that the stakeholders are properly educated about and rewarded for their investment in the bank (financial or otherwise). In theory (where everything works better, by the way), if the financial institution is doing its job in managing risk, then the regulatory role in the examination process should be minimal.
Since each group has a different view of risk, there is always going to be tension and a need for discussion. Right now we are in a position where the regulators are dictating much of the risk management process to the bankers. Many bankers have been caught with either not enough data or not enough support for the businesses they are in and the loans they are making. This will change as bankers learn to use and manage their data better (for example, think of historical loan information or non-maturity deposit behavior). As bankers build up this data foundation, the risk management pendulum should start to swing the other way.
I have used the term moral hazard quite a bit in the last several years to describe what can happen when the regulators dictate the components of risk management to a bank. I have heard comments like, “a bank needs 3 BSA analysts for every billion dollars in assets”, or “you (the Bank) shouldn’t reduce your reserves even though your model says you should”. When these comments are made, the financial institution starts to look to the regulators to tell them what to do as opposed to developing a program to effectively manage risk. This brings forth my other (not) favorite comment from bankers, “so we just paper the file”. The moral hazard occurs because the financial institution is solely looking to the regulator for direction and approval and misses the emerging risk that could have and should have been identified and managed.
The tension between the regulator and the financial institution will always be there. Right now risk management is being directed by the regulators (kind of like a quasi-utility). Bankers need to turn from “just doing it because they were told to do it” and figuring out how to effectively manage their risks and demonstrate they have an effective process in place. I recognize, by the way, this is much easier said than done. But I also firmly believe it is achievable and more importantly, cost effectively achievable.