In just the last few days, we’ve sent you in-depth analyses of sweeping proposals to rewrite the risk-based capital rules, redo the enhanced supplementary leverage ratio, and change the way loan-loss reserves may or may not fit into these capital rules.  Combined with the mountain of other post-crisis capital, liquidity, and resolution standards, these initiatives have convinced U.S. regulators that the biggest banks are basically bullet proof and, due to this, the same can be said of the financial system.  All of these rules may well be armor-plating against a 2008 repeat, but the next financial crisis won’t be a 2008 repeat.  It will be different and, as the U.K. TSB debacle shows, may well come from operational-risk failures within core client-service infrastructure.  Here, the post-crisis rules are about the same as the pre-crisis rules.  Good enough?  Not exactly – the pre-crisis rules create perverse incentives to operational-risk taking that are now at least as powerful.  I said this to Congress before the crisis but it bears urgent repeating now:  if the lights go out, all the capital in all the world won’t turn them back on.  Dark banks are very dangerous banks since the rest of the global financial system relies on them for critical infrastructure.  

To keep the lights burning even in a storm, banks needs robust operational infrastructure.  This in turn has to have accuracy checks, fraud protections, redundancy, and excess capacity along with the staff to make it so.  This costs a lot of money and money is what even the biggest banks don’t have much of due to the weak recovery and all of the costly post-crisis rules.  What, you say – look at the numbers and they show that the nation’s largest banks are reaping the “record” profits often cited on Capitol Hill.  Look more closely, though, and record profits are to be found only in nominal terms.  Judged the way markets do – return on equity – profits are down in comparison with the crisis.  Even with last quarter’s great results with the tax-reform tailwind, most banks are still barely cracking the ten percent ROEs that are de facto break-even.  Most banks also lifted ROE to these less-than-stellar levels by cost cutting, not productive, revenue-raising activities.  Cost-cutting means skimping on operational infrastructure, which brings me back to systemic risk.

A series of recent, excellent posts on the Naked Capitalism blog show how just one bank can botch what should be a relatively simple system to the point at which it crashes, balances go missing, account access is haywire, and customers are literally unable to undertake the basic transactions that support household sustenance and small-business operation.  TSB is significant in the U.K. but teeny-weeny from a systemic point of view.  What if it weren’t?  Then, a nation’s payment system would go dark, billions would go missing, a very big bank would fail, and all its capital- and liquidity-risk buffers would do little more than help pay for someone else to pick up as many of the shattered pieces as possible.  Helpful, but irrelevant as the crisis rages and perhaps spreads to other financial institutions and their counterparties and customers.

We have never lived in a time of greater operational-risk fragility.  This comes in large part from the manifold threats to cyber-security evident from criminal and state actors poking every day at financial-operation cracks and all too often breaking them wide open.  Financial technology has also never evolved as fast atop mobile systems and other infrastructure of uncertain resilience under potential stress ranging from cyber-attack on the grid to vulnerabilities in brand-new products that only become obvious as scale is gained and new risks emerge.  Due in part to profit pressure, banks are slower to enter the fintech ecosystem than non-banks that are also unburdened by costly prudential regulation.  “Partnerships” between banks and these fintech companies create their own raft of risks, risks against which lots of capital and liquidity are of little use under acute stress.  Inter-operability between bank data bases and screen-scrapers or other outsiders not subject to bank or regulatory scrutiny or privacy scruples are also a harbinger of problems to come.

In the face of all these risks, what are regulators doing other than worrying a whole lot?  They’ve reached for the capital cure-all, citing current operational risk-based capital rules and, as of last December in Basel, rewriting them to make this framework still worse.  The capital rewrite here doesn’t actually impose capital based on any meaningful measure of operational risk – the agencies haven’t ever figured out how to do this – so they go to an even more problematic risk measure:  a capital charge based on income.  The more income, the higher the capital requirement even though the more income, the more likely the bank is to build in the operational-risk controls and buy the insurance and otherwise protect itself from operational risk. 

Even more bewildering, the new approach adds extra charges for past operational-risk incidents, punishing those already paying dearly for their operational lapses and imposing no capital cost on institutions taking new risks.  Even if one believed that more capital means less operational risk, it’s astonishing that a rule posited on the value of capital for operational resilience makes the banks most likely to take the biggest risks the least capitalized against it.

A far better approach to real operational-risk resilience would be to build positive regulatory incentives for meaningful improvements to resilience.  Banks now receive credit-risk discounts for third-party credit enhancement and netting or other effective hedges.  Why not do the same for operational risk?  The rulebook is full of standards for effective operational risk management and recovery – indeed, the OCC just yesterday put out its latest manual on this critical question.  Put all this supervisory expertise and the practical experience banks bring to bear on this critical systemic risk, and we’ll get a far more resilient financial system than mountains of more capital could ever construct.