Banking Regulation: Toward a New Paradigm

by H. Rodgin Cohen, Sullivan & Cromwell 

Introduction: A revision of the current regulatory paradigm is needed to encourage collaboration between the public and private sectors, rather than separation.

The financial crisis of 2008 demonstrated the need for a more robust regulatory regime to deal with the modern global banking system – on that point, there is widespread agreement. Because the causes of the crisis encompass both aspects of a bank regulatory system – formal regulation and prudential supervision – a new regulatory approach was necessary for each.

Agreement, however, tends to break down beyond this general principle, and specific proposed changes have sparked substantial debate. In terms of formal regulation, although the need for higher capital and liquidity requirements is largely undisputed, many of the specific requirements are subject to significant disagreement. The philosophy of capital, the appropriate level of capital, and, perhaps of most significance, the calibration of capital requirements are all debated. Similar disputes arise about liquidity; as an example, the original Basel net stable funding (NSF) proposal had to be so substantially revised that more than a year elapsed between the original and subsequent proposals. There is also substantial disagreement and uncertainty about the holistic implications of multiple new regulatory requirements, including the pending total loss absorbing capacity (TLAC) rules. 

Although less publicized, the argument over the new supervisory approach is even more fundamental. The principal source of this disagreement is not about increased supervisory expectations or a more intrusive supervisory approach. These changes are an inevitable outgrowth of the financial crisis.

Rather, the principal disagreement is about an even more basic change in supervisory approach. The new approach involves a separation, both physical and virtual, between the regulator and the regulated. A key rationale for this approach from the supervisors’ perspective appears to be the avoidance of both the appearance and reality of “regulatory capture,” a situation in which regulatory findings and actions are unduly influenced by the views of the regulated.

The physical separation has taken two main forms. First, on-site examiners are being pulled out of banks and relocated to regional offices and reserve banks. In addition, in an apparent effort to produce both enhanced and more uniform supervision, many decisions that were once largely delegated to the local supervisory staff are now made at the regulators’ central offices.

In terms of virtual separation, the new approach involves less discussion between the regulator and the regulated about supervisory findings before they are issued, including matters requiring attention (MRAs) and matters requiring immediate attention (MRIAs). This appears to encapsulate both the concerns about regulatory capture and a regulatory view that the supervisors’ expectations should not be revealed in advance, or banks will manage to those expectations rather than to what they deem appropriate.

This current supervisory approach of separation, whatever its benefits in terms of enhanced supervision of individual banks, also has a substantial downside. It threatens to prevent the most effective and efficient resolution of areas of key regulatory challenge where a collaborative effort between the regulated and regulator is essential. That collaborative effort would be designed to enhance the overall safety and soundness of the banking system, and even national security.

Accordingly, this article advocates for a revision of the current regulatory paradigm to encourage collaboration between the public and private sectors rather than separation. Four important examples are outlined below.

1. AML/Sanctions Utility
Money laundering is often the lifeblood of organized criminal activity of the most heinous sort – drug trafficking, illegal arms sales, and sexual exploitation. It also enables corruption to flourish, whether in the halls of legislatures, the backrooms of football (soccer) teams, or the boardrooms of corporations. Most perniciously, it enables terrorists to obtain financing. Likewise, the ability of sanctioned countries, organizations, and individuals to evade the impact of those sanctions depends on access to funding. There is a direct correlation between the success of this evasion and the threat to global security.

A prerequisite to an effective anti-money laundering and sanctions compliance program is access to information about people engaged in or likely to be engaged in money laundering. (For ease of reference, the term “money laundering” will be used to include payments made in violation of sanctions programs.) The best monitoring system in the world will not detect potential money laundering transactions unless that system knows what to look for. Although there are multiple sources of information about persons suspected of illegal activities, these sources cannot be comprehensive or consistently up to date. Moreover, no single institution has the capacity to obtain comprehensive information about not only thousands or even millions of its own customers, but also about millions of other people whose transactions are transmitted through that institution.

Whatever improvements individual institutions could make to their own sources of information would pale compared with a collective effort to pool the information they hold individually. The information would be even more comprehensive and more reliable if the government were to provide information from its own sources. Banks are required to perform a policing function in connection with anti-money laundering efforts and the Bank Secrecy Act (AML/BSA), but can anyone expect a policeman to work without a precinct, central headquarters, or even a radio?

This pooling of information could be most efficiently and effectively accomplished through a utility-like database that stored information gathered from many public and private sources. The objective of this utility would not be to reduce costs or liability for banking institutions, although such reductions would be worthwhile by-products. Rather, the objective would be a more effective AML/BSA system. 

Of course, structural and operational issues would need to be resolved in establishing such an information utility, including the form of the utility, ownership, allocation of costs, access, and criteria for providing information. Contrary to the adage that the devil is in the details, however, in this case, the devil is in the concept. If there is a private and public sector agreement on the desirability of an AML/BSA information utility, and a true commitment to its achievement, these operational details can be worked out. 

Concerns regarding such an information utility also need to be addressed. Although some of these concerns are valid, problems should not outweigh the benefits if appropriate precautions are taken. 

The first concern is the potential invasion of privacy. The initial response is that there can be no legitimate expectation of a right of privacy in terms of banks sharing information about potential money laundering activities, particularly since the passage of Section 314(b) of the Patriot Act. Nonetheless, any information-sharing utility would need to establish thoughtful protocols, policies, and procedures to protect privacy. 

A second concern is that the utility would allow participating institutions to reduce their efforts to identify and collect relevant information, and instead piggyback on the efforts of others. The answer to this concern is that any such dereliction of responsibility should become apparent, and subject to sanction, during the examination process. 

A third objection is that the government would be unable to share information about ongoing criminal investigations and other sensitive matters with the private sector. The response to this concern is that the inability to share some truly sensitive information should not preclude the sharing of the remaining information. In addition, it may be possible to develop special clearance protocols for access to some of this sensitive information at individual banks.

Beyond the storage of raw data and information, the utility could conduct data validation and analysis. Although this expanded approach would add to the complexity and cost, it would also be considerably more effective in combating money laundering. Indeed, to create the most effective AML/BSA system, an industry utility could be expanded beyond being an information source to perform monitoring for customers, transacting parties, and even the transactions themselves. However, because of substantially increased levels of complexity, a monitoring function may be a potentially desirable second step, but its realization is not necessary to begin an information-sharing utility.

2. Central Registry for Departing Employees
A second key area where a joint regulatory approach could benefit the banking system is dealing with the problem of circulation of what might be called “bad actors” among multiple banks. In a number of cases, an employee has been asked to leave a bank because of improprieties, or leaves the bank one step ahead of dismissal, and that employee re-emerges at another bank and engages in a similar type of improper conduct. The improprieties in question involve not only violations of laws and regulations, but also conduct that violates bank policies or acceptable norms of behavior. The recirculation of bad actors has contributed to serious issues in a number of areas – LIBOR and foreign-exchange rate fixing, mortgage securitization, mortgage servicing, and trading. This situation exists in large part because liability concerns make banks highly reluctant to disclose any information about a departing employee other than the dates of employment. 

In these circumstances, the most effective approach for addressing the issue would be a combined public-private effort to create a registry and database for relevant bank employees. This could be achieved by legislation or regulation.

One approach would be a registry established by the Federal Reserve for collecting, and providing appropriate access to, information regarding conduct of employees that is potentially injurious to financial institutions. Under this registry approach, there would be two basic requirements. First, all covered financial institutions would be required to make reports to the registry about departing employees if they had engaged in certain conduct proscribed by the registry that was potentially injurious to the reputation and well-being of financial institutions. Second, all covered financial institutions would be required to use the registry before making hiring decisions.

The registry’s costs would be borne by the covered financial institutions; to ease the regulatory burden on smaller institutions, these costs could be allocated among financial institutions above a designated asset-size threshold.

The reports would be made in two categories. The first category includes a violation of law, regulation, or enforcement action, or conviction of a crime. The second, somewhat less serious, category would include conduct that violates the financial institution’s code of conduct or similar policy or an employee who has been subject to a disciplinary action such as suspension, termination, or loss of meaningful compensation.

Four key safeguards would be necessary. First, to protect employees against mistaken or malicious reports, the registry system would need to allow employees to dispute the accuracy of any report and would establish an administrative process to delete or correct any inaccurate information. In addition, an employee could seek judicial relief in lieu of the administrative process.

Second, to preserve the privacy of individuals, there would be comprehensive rules protecting the confidentiality of the information provided to and obtained from the registry.

Third, to encourage banks to be as forthcoming as possible, there would be liability immunization of banks for the reports they make. Without this protection, the registry’s value would be significantly diminished.

Fourth, the Federal Reserve would also need immunity from liability.

3. Cybersecurity
The need for public-private sector collaboration on cybersecurity should be self-evident, as cyber is the existential threat to individual banks and the industry. What would happen if hundreds of thousands of customers at a major bank could not access their accounts, not for just a few hours, but for days or even weeks? Even beyond the customers of that bank, what would this do to the confidence of customers in other banks? The problem would, of course, be compounded if there were multiple banks with major and prolonged service outages.

And to continue with the parade of horrible possibilities, there have been published reports that a multinational gang of cybercriminals infiltrated more than 100 banks across 30 countries and made off with up to a billion dollars over a period of roughly two years. What would happen if that amount were 10, 20, or 50 times greater?

Cybersecurity is too complex and too systemic to rely on individual efforts, irrespective of how dedicated they might be. Once again, a key to addressing this risk is information sharing about a variety of cyber-related matters. Although substantial efforts have been made in this regard, there needs to be a more formalized and comprehensive process. Most important, there should be a central database for the various aspects of cyberrisk, and protocols for access to that database. The database would receive information from both the private and public sectors and could be administered by the private sector, the public sector, or, ideally, both. There also should be clearer protocols for whom to contact when a cyberattack occurs or is even threatened. One other area of collaboration could be regular “table top” planning exercises.

Consideration could also be given to utilization of the cybersecurity expertise of other government agencies, such as the National Security Agency and Department of Homeland Security, in the examination process. This expertise would enhance the bank regulators’ supervisory efforts to assist banks in understanding their risks and identifying processes for addressing them.

Finally, in the absence of new federal legislation addressing cyberrisk, which remains the preferred approach for dealing with a number of cyber-related problems, there should be increased collaboration between the regulators and the regulated. That collaboration could provide guidance on such matters as breach notification requirements to consumers and other affected parties.

4. Hedge Fund Activism and Control Determinations 
Hedge fund activism has become a pervasive feature of corporate America, including the banking industry. Hedge fund activism refers to hedge funds that take a minority position in a company and advocate for a major change in strategy (e.g., a sale or split-up) or operations (e.g., much higher cash payouts or major expense reductions). This type of activism is different from that of shareholder activists whose agendas are focused on changes in corporate governance or social/political issues. 

Although the hedge fund activists generally have limited their challenges to smaller banks, they have recently targeted such large institutions as BNY Mellon and State Street, both of which are global systemically important banks (GSIBs), and American Express. Indeed, one of the earliest hedge fund challenges involved what was then one of the country’s largest banks, Chase Manhattan (now part of JPMorgan Chase). The hedge funds’ willingness to take on the very largest industrial and commercial companies demonstrates that absolute size creates no immunity.

It is not the objective of this article to enter into the hotly debated topic of whether hedge fund activism is a positive or a negative. It should be beyond doubt, however, that hedge fund activists often force major changes in the companies in which they invest, and that, in the case of banks, those changes will not inevitably advance the safety and soundness of individual banks or their ability to serve their communities. 

Accordingly, it is appropriate for bank regulators to engage with the banking industry to determine whether a controlling influence is being exercised without the legally required prior regulatory approval. A principal focus of this inquiry would be the so-called “wolfpack” approach, whereby a number of hedge funds, often collectively controlling more than 10% of a bank’s stock, invest at about the same time. Bank regulators have imposed a number of restrictive conditions when multiple investors seek to recapitalize a bank with the concurrence of bank management. The question is whether similar strictures should apply to hedge funds that acquire their shares in the secondary market, particularly in view of the potential prudential considerations.

Indeed, the interests of clarity and uniformity would be advanced for both banks and hedge fund activists if bank regulators would issue a policy statement that dealt with key questions in this area. One crucial question would be the level and type of communications that could occur among hedge fund investors before they were deemed to be “acting in concert.” The joint interest of the regulators and the regulated should be predictability and stability.

In conclusion, the separation – both physical and virtual – between U.S. bank regulators and the banks they regulate threatens to stand as a regrettable obstacle to a number of collaborative public-private initiatives that could significantly strengthen the banking system and our national security. Only an enhanced regulatory paradigm can produce the collaboration necessary for these projects to be implemented successfully.