Unwritten Rules: The Importance of a Strong Risk Culture

Sound organizational risk management and risk culture are critical to ensuring the maintenance of the broader safety and soundness of the banking system. While recent regulations put the nation’s largest banks on a path to prudent risk management, internal controls are no stronger than the culture that surrounds them.

By Thomas J. Curry

Our nation’s largest banks, most of which operate with a federal charter, are global institutions, but they play a vital role in the communities they serve throughout the United States. In addition to supporting economic growth through the day-to-day business of lending to consumers and businesses, they fund projects aimed at community development in our nation’s poorest communities, and they funnel hundreds of millions of dollars to charitable organizations. These projects represent conscious corporate decisions by senior management, and they speak well of the men and women who lead our large banks.

But for all of the good work these large banks do, there have been problems that can’t be ignored. Among them are improprieties in telemarketing arrangements and debt collection, lapses in Bank Secrecy Act controls, lax oversight over trading activities, and the whole range of mortgage foreclosure and servicing abuses that were summarized by the media under the heading of “robo-signing.”

These lapses and improprieties have resulted in the assessment of billions of dollars in penalties against the nation’s largest banks and billions more in restitution to affected borrowers. They have been the subject of congressional hearings and newspaper headlines. More important than the financial penalties they drew, these practices have diminished the public trust and confidence that are vital to the proper functioning of the U.S. banking system. The banking system runs on confidence, but the trust an organization spends a generation building can evaporate almost overnight when it loses sight of the values on which its business was built. As a regulator, I worry as much about the loss of trust and confidence in the system as I do about liquidity, capital, and underwriting practices.

The problems that have come to light in the years since the financial crisis may not have been the result of conscious decisions on the part of senior management. I doubt, for example, that any large bank chief executive officer called together his senior executives and said, “Foreclosure paperwork is too time-consuming. Let’s start robo-signing the documents.” Yet it happened, and for reasons that in some ways are even more worrisome than if they were the deliberate decisions of senior management.

What troubles me is not that some individuals made bad decisions, but that the business practices that have caused problems were made possible by weaknesses in the organization’s risk management and risk culture. Senior management bears responsibility for the problems that occurred in the years leading up to and following the financial crisis, but the nature of that responsibility is not necessarily in specific business decisions that senior executives made. Rather, management’s responsibility lies in its failure to set an appropriate tone at the top and to build a strong organizational culture that promotes responsible business practices and guards against excessive or improper risk-taking.

Let me add that these problems are by no means limited to large institutions regulated by the OCC. Indeed, we have seen improper business practices and deficient risk management systems at community banks. But those smaller institutions don’t get the kind of public attention that hurts the industry’s reputation, nor do they have the same kind of outsized impact upon the economy as large banks. So while it’s important that we continue to keep our eyes on community institutions, strong supervision and strong risk management at large banks take on a special urgency.

The principles I have in mind here aren’t new. In fact, they harken back to the earliest days of the National Banking Act. The laws creating the National Banking System and the Office of the Comptroller of the Currency that President Lincoln promoted and signed into law – the statutes under which we still operate – were very prescriptive. And the principles woven into the law, while not explicitly a part of the statute, are as important as the words of the Acts themselves.

Advice to Bankers of 1863

In December 1863, Hugh McCulloch, the first Comptroller of the Currency, addressed a letter to all national banks. Those institutions had only lately been organized, and McCulloch wanted to make certain that their executives fully understood the responsibilities and expectations that came with their national charters. Below are some of his words that remain true today.

“Let no loans be made that are not secured beyond a reasonable contingency . . . Give facilities only to legitimate and prudent transactions.”

“Distribute your loans rather than concentrate them in a few hands. Large loans to a single individual or firm . . . [are] frequently unsafe.”

“Treat your customers liberally, bearing in mind the fact that a bank prospers as its customers prosper, but never permit them to dictate your policy.”

“The capital of a bank should be a reality, not a fiction; and it should be owned by those who have money to lend, and not by borrowers.”

“Pursue a straightforward, upright, legitimate banking business. Never be tempted by the prospect of large returns.”

Lincoln and his collaborators understood that a bank charter conferred great power, but also great responsibility. The bank charter demanded that banks manage their risks in ways that did not compromise their solvency. It demanded that they operate in strict compliance with the law. It demanded that they serve their customers and communities in good faith. Perhaps most important of all, it held them to the highest standards of trustworthiness and integrity.

Those principles were exemplified by the practical advice offered in an 1863 letter to bankers by the first Comptroller of the Currency, Hugh McCulloch. McCulloch reminded them to “pursue a straightforward, upright, legitimate banking business,” never being “tempted by the prospect of large returns to do anything but what may be properly done” under the law. This was good advice in 1863, and it is good advice today.

Of course, much has changed since the days of Lincoln. Our examiners no longer count cash in the vaults, and consumers no longer schedule trips to their bank to make sure they have cash to meet their daily financial needs. Technology makes it possible to move money in seconds where it used to take days or weeks and allows bank customers to substitute a single card for a clip full of cash.

Yet McCulloch’s advice of 1863 reminds me how much about banking has not changed and should never change. It is still a business founded on confidence and character. When those qualities have gone missing, it has caused no end of trouble. And throughout our nation’s economic history, we have seen that when banks become unsound, the consequences ripple beyond those institutions themselves.

That happened in 2008, when we found ourselves in the midst of a new crisis. While some of the worst practices leading up to the crisis involved nonbank lenders, too many large banks had engaged in practices that would adversely affect their customers, their own institutions, and the national economy. Catastrophe was averted in large part because the federal government acted decisively to prop up the system, but also because several large banks – banks with national charters – had the financial strength to absorb large institutions that posed great risk to the financial system. Still, the cost to the world economy and countless consumers was enormous, and five years later, the effects of the crisis are still being felt.

Even so, the financial system as a whole and the banking industry in particular are on firmer financial footing today. Banks have significantly increased their capital, reserves, and liquidity. New laws and regulations have gone into effect, holding them to higher risk management, capital and liquidity standards. Large banks are now required to have plans in place to arrange for their orderly dissolution under the U.S. Bankruptcy Code should their condition warrant it. And the OCC has just finalized a rule addressing “heightened standards” for risk management and controls. This rule applies to institutions with more than $50 billion in assets.

Just as important, the large banks we supervise have taken steps on their own to address public concerns. For example, one of our large banks stopped writing interest-only HELOCs for most borrowers, sacrificing short-term profits and market share to protect its customers. Other large institutions have clawed back compensation in cases involving misconduct, sending a strong signal about organizational values. And several of our large banks announced recently that they would provide mortgages at discounted interest rates to help low-income borrowers. These are all steps that can help rebuild public confidence.

I was heartened to see the results in early September of a Gallup Poll that found the public has a positive view of the banking sector for the first time since the financial crisis. But I’m reluctant to place too much stock in a single poll. I suspect that those results, even if they are replicated in other surveys, are fragile. The trust that is slowly being rebuilt can be eroded again, one newspaper headline at a time, and even a single misstep that appears to involve a disregard for customers or communities could have disastrous consequences for the reputation of the institution involved.

Clearly, banks have a strong incentive to keep their customers satisfied. You don’t build market share by engaging in abusive practices. So, it seems reasonable to ask why some large banks allowed themselves to stray from the principles of sound business practices that have differentiated successful banks from unsuccessful ones over many years. Was it the conscious decision of management to flout laws, regulations, and basic precepts of business ethics? Or was it something more subtle, less visibly apparent, and more difficult to measure, that caused them to lose their way?

Some industry critics, including many in the public policy arena, cast the debate in terms of moral and ethical conduct. In the aftermath of a financial crisis that cost many Americans their jobs, their homes, and the financial security they had spent a lifetime building, it’s not surprising that feelings are still running high and that banks have been accused of losing their moral compass and putting their interests ahead of the public good. In cases where criminal acts occurred or where regulatory standards were breached, individuals need to be held accountable for their misdeeds.

But what some think of as an ethical or moral compass, I think really boils down to the quality of a bank’s risk management and the health of its risk culture. Sound risk management, supported by a healthy organizational culture, aims at protecting the bank’s reputation and shelters it from credit losses, litigation risk, and the kind of breakdowns in operational risk that, as we have seen, can have very significant consequences.

Our new heightened standards guidance for large banks addresses this concern squarely. It sets minimum standards for the design and implementation of a large institution’s risk governance framework and provides minimum standards for the board’s oversight of the framework.  The standards make clear that the framework should address all risks to a bank’s earnings, capital, and liquidity that arise from the bank’s activities. 

The standards also set out roles and responsibilities for the organizational units that are fundamental to the design and implementation of the risk governance framework.  These units, often referred to as a bank’s three lines of defense, are front line business units, independent risk management, and internal audit.  The standards state that, together, these units should establish an appropriate system to control risk taking.  The standards also provide that banks should develop a risk appetite statement that articulates the aggregate level and types of risk a bank is willing to assume to achieve its strategic objectives, consistent with applicable capital, liquidity, and other regulatory requirements.

In addition, the final guidelines contain standards for boards of directors regarding oversight of the design and implementation of a bank’s risk governance framework.  They note that it is vital for directors to be engaged in order to understand the risks their institutions are taking and to ensure that those risks are well-managed.  Directors should be in a position to present a credible challenge to bank management, and it is their responsibility to ensure the sanctity of the federal charter – to prevent the insured bank from becoming a booking agency for the holding company.

We issued the final standards as a new appendix to Part 30 of our regulations.  Part 30 codifies an enforcement process set out in the Federal Deposit Insurance Act that authorizes the OCC to prescribe operational and managerial standards.  If a bank fails to satisfy a standard, the OCC may require it to submit a compliance plan detailing how it will correct the deficiencies and how long it will take.  The OCC can issue an enforceable order if the bank fails to submit an acceptable compliance plan or fails in any material way to implement an OCC-approved plan.

These are strong standards, but for our largest institutions, we should expect no less. Our large bank teams will be monitoring compliance closely, and I believe they will play an important role in the development of strong risk management systems at large institutions. But while the articulated principles of an organization’s risk management are important, what is just as important – and perhaps even more critical – is the health of the risk culture that supports that structure.

Every organization has a unique risk culture that consists of the core values that drive business practices and shape executive decision making and employee actions. A strong risk culture consists of more than written policies. It’s the tone set by top management, the expectation that everyone, from senior executives on down, will conduct themselves in a way that will protect the bank from credit losses as well as injury to the organization’s reputation.

A strong risk culture is really the beacon that guides employees to behave responsibly, knowing that they will have the support and approval of their superiors and the organization as a whole. When that beacon goes dark, an organization can lose direction, entering markets or introducing new products without proper due diligence, or aggressively pursuing earnings and growth at any cost.

The strength of an organization’s risk culture is not easy for regulators to measure. It’s not like credit quality or earnings strength. But it’s important because it has an incredibly powerful influence on the risk decisions and behaviors at all levels of an organization. We at the OCC are looking to boards of directors and the senior management of our large banks to set the tone at the top that leads to a healthy organizational culture that abhors improper practices and excessive risk taking.

Let me add that we are also taking a hard look at ourselves. While it is true that many institutions, both regulated and unregulated, fell short in the years leading up to and following the crisis, so did the supervisory agencies, including the OCC. The fact is, we didn’t always recognize problems as quickly as we should have, and we didn’t always take action promptly after we did identify a concern.

But while we didn’t always live up to our own expectations, we are taking a hard look at every aspect of how we do business in an effort to improve our future performance. One of the steps we took was to invite an international group of senior regulators in to evaluate our supervisory process. I can tell you that this was not easy for anyone at the OCC. Inviting the critical analysis of one’s peers is uncomfortable at best, but we felt it was a necessary part of reinvigorating our supervisory culture.

The results touched upon every aspect of our approach to supervision, including issues involving risk management, enterprise governance, organizational structure and even our strategic goals and vision statement. As uncomfortable as the process was at times, it was extremely helpful, and I’m proud that our staff, from senior executives on down, gave their full support. We are still in the process of implementing the report’s recommendations, but we are making steady progress. What is most important to me is that we try to hold ourselves to the same high standards we set for the large institutions we supervise.

I’d like to close by citing our first Comptroller of the Currency one last time. In 1863, Comptroller McCulloch urged bankers to “pay your officers salaries as will enable them to live comfortably and respectably without stealing.” I might have put it a little more delicately, but that still seems about right. In some respects, it foreshadowed the controversy over incentive compensation, which led lending officers and others not to steal, but to jeopardize the soundness of their bank in order to bolster their compensation.

As I write this article, we are continuing work on a regulation that will ensure that large organizations structure their incentive compensation programs so that they balance risk and financial rewards; are compatible with effective controls and risk management; and are supported by strong corporate governance. The rule would prohibit arrangements that either provide excessive compensation or that could expose an institution to inappropriate risks that could lead to material financial loss.

This rule, which is being developed on an interagency basis, is a priority for the OCC. Had it been in place a decade ago, it might have prevented some of the more “creative” practices that ultimately brought us to the brink of financial disaster. It might, for example, have kept the “originate-to-distribute” model, which started off as a means of managing risk, from becoming a means of ignoring risk.

At the end of the day, however, regulations only go so far, and systems of internal control are no stronger than the culture that surrounds them. We can’t write rules to cover every conceivable situation that might come up, and risk officers are only as effective as the support they receive from top management, which is another way of saying that they can only be as effective as their bank’s culture will permit.

Maintaining a healthy organizational culture, one that reflects McCulloch’s principles, should be the objective of every bank in the country, especially the large institutions that have the capacity to affect the lives and livelihood of so many people around the globe. Meeting this challenge won’t be easy, but we’ve seen progress already at the large banks we supervise, and I have every confidence that the men and women who lead our banking system are more than up to the task.