Regulators Call Out Banks for Lack of Governance
Bank governance remains an issue at some institutions, more than a decade after the 2007–2008 financial crisis.
The root of the downturn, as explained in painstaking detail by the Financial Crisis Inquiry Commission's final report, was excessive borrowing, risky investments, and a lack of transparency that ultimately impacted millions of lives. Yet, it's clear that failures in governance and risk management at critical financial institutions also set the stage for overzealous borrowing and investment.
While the Sarbanes-Oxley (SOX) Act and other regulations cracked down on governance and risk management at corporations across the board, some financial institutions are still running into trouble, according to a recent report.
The report: Regulatory clampdown isn't letting up
The report from Navigant Consulting referenced in the Oct. 1, 2019, edition of The Wall Street Journal's Morning Risk Report newsletter revealed both good and bad news for banks.
Let's start with the good news: enforcement actions continue to trend downward. During the first half of the year, regulators issued 63 enforcement orders—which puts it roughly on par with the first two months of 2018 but down 43% overall from the same period four years earlier.
Now the disturbing trend—weak governance was the reason behind 41% of the enforcement actions issued during the first half of 2019, according to the report. That percentage is higher than in each of the previous four calendar years, when governance was cited in an average of 19% of enforcement actions.
While it's ultimately a good thing for consumers and corporations alike that regulators are cracking down, risk and compliance professionals—especially those in the financial sector—must have their guard up.
After all, a changing regulatory environment, pressures from the Public Company Accounting Oversight Board (PCAOB), and emerging technologies aren't going away.
Three trends influencing bank governance
In conversations with Workiva customers and at industry events, my colleagues and I have been hearing chatter around a few challenges facing banks:
- Pressure from the Public Company Accounting Oversight Board (PCAOB). The PCAOB shook things up with changes to the auditor's report and provisions on critical audit matters (CAMs). There's no telling what's in store for the years to come.
- An ever-changing regulatory landscape. The Current Expected Credit Losses (CECL) impairment model, new corporate whistleblower protections, and other regulatory changes all muddy the waters for risk, compliance, and financial reporting pros.
- Technology is bringing new possibilities—and responsibilities. Fintech is disrupting how banks serve customers. Meanwhile, cryptocurrencies such as bitcoin don't seem to be going anywhere—even Facebook is planning its own. How will regulators get involved, what will they demand, and what should risk professionals do in the interim?
Three ways to stay a step ahead
Organizations with top governance, risk, and compliance (GRC) programs tend to do these three things.
1. Instill a culture that thrives on oversight
Integrating controls and risk management into activities across the organization creates an expectation that everyone will play a part in ensuring strong governance.
At the upper levels, appointing executives and even board directors devoted to governance, risk, and compliance can bring focus to building programs to measure, manage, and mitigate risk.
Due to the cross-functional nature of enterprise risk management (ERM) and integrated risk management, consider systems that enable transparent collaboration among employees who can identify, monitor, track, and respond to risks or governance breakdowns.
No matter what, transparency is key. Giving employees insight into how their governance questions are tracked and resolved can provide them with greater confidence that their concerns have been heard.
2. Keep a record of what went wrong
Stay up to date on enforcement actions, problems that tripped up other institutions, and how peers are responding to emerging threats. Follow industry conferences and publications, including this blog, for the first word on best practices and to network with fellow GRC professionals.
The Institute of Internal Auditors' Financial Services Exchange is one popular IIA event that tends to sell out and also draw big names.
In addition to The Wall Street Journal and Financial Times, it's worth signing up for updates from the Office of the Comptroller of the Currency. Just enter your email address at the bottom of the OCC home page. And one more publication to read for compliance, audit, and risk news in general: Radical Compliance, a blog by former Compliance Week writer, editor, and publisher Matt Kelly.
3. Look for technology that connects data directly to reports
Governance, by necessity, is ever-evolving. Policies and systems that were effective in days past might not cover the modern era of mobile banking, encrypted messaging platforms, and tweet-happy executives.
Connecting the data used across traditionally siloed teams that tackle fraud, anti-money laundering, and cybersecurity, for example, makes it easier for banks to identify threats and concerns earlier. Connecting data across international teams is also critical, and it is now a lot easier with cloud platforms that are replacing on-premises systems.
Look for a cloud platform that makes it possible for your teams to:
- Deliver transparency into the entire process with a full audit trail into activities, including who updated a control and when
- Bring risk evaluation/mitigation tools into the same system and monitor risks in real time with dashboards
- House the most up-to-date policies and procedures, and keep a complete record of all signoffs and certifications
With the right tools, governance becomes much more manageable. And no one wants to face an embarrassing enforcement action, especially for something that could easily be avoided. Building in processes and bringing in technology to better govern critical data is not only good practice for preventing mistakes or mishandling of material information; it also helps ensure good standing with regulators.