On Friday, the Washington Post reported that Key Bridge passed all its stress tests before it fell into the harbor.  These were well-established protocols looking at structural resilience – acceptable, if not awesome – and, after 9/11, also at terrorist attack.  That a giant container ship might plow into the bridge was not contemplated even though this has happened before in the U.S. and not that long ago.  Which brings me to bank stress-testing and how unlikely it is to matter under actual, acute stress because the current U.S. methodology correlates risk across big banks in ways that can make bad a lot worse.  Even more troubling, tests still don’t look over the banking parapet.

To be sure, the Fed’s semi-annual financial-stability reports (see Client Report SYSTEMIC97) muse about risks that lurk outside the largest banks, and FSOC dutifully catalogs nonbank risk each and every year in a copious annual report (see Client Report FSOC29).  Last year, FSOC also said a lot about what might someday be done to address it via systemic designation (see FSM Report SIFI36).  But what’s being done, not just said, about nonbank risk even as inter-connections become ever more entwined?  Not much in the U.S. even though other national regulators are taking meaningful steps first to know where it lies and then to curtail it.

For example, the Bank of England and Australia’s Prudential Regulatory Authority are quickly moving past bank-centric stress testing, with Australia importantly looking not just within the financial system for landmines, but also at inter-connections with telecommunications and other infrastructure providers.

The Bank of England’s recent system-wide stress test is models-based, but then that’s the bane of all stress-testing.  At least the model looks beyond the BoE’s nose.  This systemic model takes on recent events such as the gilt crisis and then posits shocks that are faster, broader, and longer-lasting.  This was done last year, with the U.K. now considering results and planning for a new, more dynamic round by the end of this year.

Australia is just beginning to design its tests, but at least it’s starting, looking for example at how CRE risk bounces around among banks, insurers, and pension funds to figure out what lands on whom not just from its own exposures, but also second and third-order effects.  Australia is also and rightly thinking through operational resilience to spot points of payment-system or similar failure with structural consequence.

Australia’s approach rightly recognizes that systems matter as much as individual entities, pointing to another major gap in U.S. systemic prevention.  FSOC hasn’t named a financial market utility (FMU) subject to systemic regulation since 2012.  Things have of course changed more than a little since then – see, for example, our paper last year on what it means systemically now that ICE controls much residential-mortgage software along with CDS clearing, big chunks of the commodities market, and the NYSE.  Think also of tech-platform companies and payment-system evolution – is PayPal systemic? What about Amazon’s payment links to so much around the world?  Could it go dark for a while without payment-system collapse?

Further, a new Federal Reserve Bank of Kansas City study lays out growing concentration in the critical arena of core-service providers, providers about which there is no doubt when it comes to their critical-infrastructure role.  Who regulates them?  No one I know except to the extent that one or another banking agencies gives them a poke via its authority over third-party vendors.

We know that asymmetric regulation leads to high-risk regulatory arbitrage even though banking-agency regulatory impact statements stoutly refuse to look over the perimeter.  Soon, we may also know that stress testing only big banks is like counting on airplanes with just one engine because that works most of the time.  Engineers have learned a lot, often the hard way, about redundancy.  I fear bank regulators will soon get the same costly wake-up call.