Bank regulators are quick to chastise their charges for bad behavior, but when the bad behavior goes unanswered for years, who’s the culprit? A comment this week from an SEC official points to one of the most egregious practices identified since the financial crisis that has to this day gone largely unaddressed. Despite all the talk about simplifying complex rules so that banks can be held accountable, one major, straight-out transgression spotted years ago – fake credit-risk transfers that nonetheless win sizeable capital reductions – has gone unanswered. If the glorious, complex architecture of global finance rests on weak foundations, the entire post-crisis exercise will prove not just costly to banks, but also academic from a financial-stability perspective.

Although the issue may seem technical, the credit-risk mitigation question strikes at the heart of the Basel capital rules. A major and correct goal of the risk-based framework is to raise or lower capital according to credit risk. Thus, if a bank goes to the trouble of obtaining credit risk mitigation (CRM), its risk-based capital should go down. Absent this, there’s a strong incentive in fact for banks to take risk. Worse still, failure to reward CRM ensures that credit risk is concentrated in banking institutions, creating pockets of systemic weakness we know all too well.

When banks buy valid, enforceable CRM, they can and should get a lower risk weight. However, recognizing CRM does add complexity and complexity creates opportunities for arbitrage. One spotted in 2010 is CRM provided by affiliates – i.e., where there is no consolidated risk reduction – or by thinly-capitalized counterparties who charge a hefty fee essentially so that the bank can rent their name and claim a risk-weight reduction.

In 2011, Basel spotted this problem and issued a consultation to curb it. The FRB sent out some warning shots and, in 2013, went them one better with a supervisory letter warning banks not to count on high-risk CRM. Still, four years after the problem first was spotted, Basel’s consultation is incomplete and the FRB’s 2013 advisory – less stringent than the Basel consultation – has had at best an uncertain impact.

Enter the SEC, which this week let one of its top enforcement cops state that it would be penalizing banks – he targeted foreign ones – for shady CRM on which capital reductions are premised. As we noted in our alert on this statement, it’s unclear to us how the SEC could sanction CRM approved by a U.S. or foreign regulator – fraudulent accounting, perhaps, or violations attributed to broker-dealers if the shaky CRM is used to cut trading-book capital, but the real responsibility here doesn’t rest with the SEC. It’s up to the bank regulators to make risk-based capital a real, binding constraint.

Some might counter that the banking agencies are indeed correcting for risk-based capital’s flaws with the leverage rule, a standard that discounts CRM as with all other risk indicators to mandate a flat – and now quite high – minimum capital requirement. However, larding a leverage rule into an ill-enforced risk-based framework will only widen the opportunities for still more CRM and regulatory arbitrage. Bank regulators clearly knew these high-risk CRM deals were bad more than four years ago, just as they have known since 2011 that zero weightings for sovereign risk are an illusion. The sovereign weightings at least have friends in high places. Why are high-risk capital games like this CRM one unchallenged for so long?