After the 2008 financial crisis, I spent a good deal of time serving as an expert on who was to blame when banking organizations failed.  As I said later, what struck me most was how well examiners spotted trouble and then how little they did to correct it.  One might have thought that the great financial crisis and its cost – $3.5 trillion worldwide just for taxpayers – would suffice to give examiners more gumption now.  However, the details of the enforcement actions filed Wednesday by the Fed and OCC make it clear that, in at least one very big case, problems seen were still problems that only got worse. The discretion the Fed and OCC still have to decide when and how to sanction big banks remains only after pitched battles in 2010 with Members of Congress who didn’t trust regulators they thought unduly captive.  Many of these Members are still sore losers.  If they gain power in 2021, they’ll stop scolding and start legislating.  

They’ll have a lot of ammunition.  The two Citi enforcement agreements are sobering reading.  The supervisory orders lay out a litany of infractions going back to a 2013 Fed order on anti-money laundering and proceed through a 2015 Fed order on foreign-exchange compliance to a 2017 high-profile AML enforcement action, a 2019 OCC penalty for Fair Housing Act and other violations, a 2020 order from the OCC on flood-insurance violations, and finally to what sounds like a drubbing at about the same time from the Federal Reserve Bank of New York.  And, while it’s true that supervisors tend to throw the book at malefactors when agencies are finally spurred into action, the range of fundamental lapses laid out in the OCC’s order are unusually scathing in both detail and the extent to which fundamental, structural risk-management, control, and governance failings are detailed.  None of these could have been new.

When all this came to light on Wednesday, comment zeroed in on Citi’s recidivist record and the tolerance supervisors seemed to give it.  Although virtually all of Washington’s bandwidth now is consumed by nonstop drama surrounding the President and the election, this perspective will not be lost on those in Congress and, indeed, in some of the supervisory agencies who want to see large banks held more quickly and sternly to account.

The 2008 great financial crisis wasn’t the only one followed by statutory changes aimed at forcing supervisors to intervene early and forcefully.  The 1989 response to the S&L crisis overhauled the U.S. supervisory framework in hopes of ending regulatory forbearance.  When forbearance was still de rigueur as the S&L crisis of the 1980s turned into the banking crisis of the 1990s, Congress tried again with the “prompt corrective action” framework in the FDIC Improvement Act of 1991.   By 2008, it was clear again that many banks and virtually all savings associations had again been backsliding without even a bump or two back uphill from their supervisors. The “early-remediation” provisions embodied in Section 166 of the Dodd-Frank Act are thus aimed at this PCA construct in hopes of making it truly prompt and meaningfully corrective, but rules to do so remain in only proposed form after the Fed took a crack at them.

What might Congress do now to ensure that crime is answered with punishment and how might large banks ensure that justice is tempered not just with mercy, but also knowledge?

There is a strong tendency for bankers to circle the wagons when talk turns to prompt corrective action – given the often contradictory and sometimes even illusory conclusions examiners sometimes reach, companies are understandably loath to allow their examiners to lower any booms.  However, forbearance for poor internal practice inevitably leads first to regulatory arbitrage and then to moral hazard followed by heightened risk and, so it seems, a financial crisis every ten years or so.  Lowest-common denominator supervision affords lowest-common denominator competitive advantage that ultimately leads to shared political risk and still more regulatory burden, often even then without accompanying supervisory acumen.

After wagon-circling doesn’t work, the conventional response to supervisory and political risk taken together is industry best practices.  These often have a calming effect but they are best suited to emerging concerns – cybersecurity, for example.  A more effective option is the self-regulatory organizations that have long dignified the securities industry. Despite occasional incidents in which critics cite capture, SROs have an excellent track record.  SROs for targeted risks – AML, fair lending, operational resilience, even climate risk — may be viable for the banking industry and even efforts to consider them might enhance credibility in key areas.  However, there’s no getting around it – prompt supervisory intervention is essential to prevent poor governance from metastasizing into fragile banks.  Self-regulation is an important safeguard, but it’s no substitute for meaningful enforcement. Without it, Congress will get really angry, supervisors will be granted no discretion, banks will be unduly chastised, and risk migration will accelerate.  Surely, there’s a better way.