5/1/18 - Midsize Banks May Receive Only Modest Regulatory Relief

The U.S. Congress will likely soon offer banks legislative relief from some compliance demands. Industry observers have speculated that midsize banks will receive significantly more regulatory relief than their larger peers. But midsize firms will take on unacceptable compliance risks if they operate on the assumption they will enjoy a rollback in regulations. In fact, supervisors will continue to demand that lenders of all sizes remain vigilant about material risk issues,[1] as well as maintain a robust second-line-of-defense operating model around key programs such as enterprise risk management, risk-control self-assessments, and Bank Secrecy Act/anti-money-laundering compliance. In addition, midsize banks may even have to contend with heightened regulatory expectations in areas such as conduct risk.

Banks can bring on unwelcome regulatory scrutiny if they halt their efforts to enhance key frameworks in support of robust ERM.

Maintaining the Compliance Momentum

Since the last financial crisis, chief risk officers have understood the importance of maintaining strong risk management frameworks, and most CROs recognize that these efforts must continue to satisfy regulatory expectations for comprehensive controls. Further enhancing these controls is key for any growing and evolving institution.

Several areas of weakness are common at midsize banks and can be addressed now:

  • Lack of documented road maps and execution plans for enhancing risk management 
  • Significant data gaps that hamper capital planning, liquidity management, and risk management
  • Risk-identification processes that fail to translate into meaningful scenarios that help a bank assess its capital and liquidity adequacy
  • Insufficient capital and liquidity contingency planning, including robust escalation processes
  • Compliance systems that lag, or are unable to scale to, the organization’s growing complexity
  • Weak ERM processes and inadequate risk-assessment capabilities
  • Poorly documented policies and procedures for model risk management, as well as gaps in model validation

Additional Steps

Looking ahead, CROs at midsize firms will want to focus their efforts and resources to meet current and emerging regulatory expectations in the following areas:

Data Collection and Governance
  • Comprehensive, accurate data subject to clear ownership and controls
  • Enhanced automation of data flows
  • Increased use of data to inform decision-making
Capital Planning and Stress Testing
  • Integration of stress testing with capital-planning activities
  • Idiosyncratic scenarios used to stress material risks of the bank
  • Incorporation of liquidity stresses to test full impact on bank’s viability
Firmwide Compliance
  • Robust governance, including policies and procedures created and approved pursuant to firmwide standards
  • Inventory of regulatory obligations and controls, with processes to respond to regulatory changes
  • Monitoring and testing program focused on areas of highest inherent compliance risk
BSA/AML Controls
  • Comprehensive BSA/AML program
  • Technology-enabled solutions, where appropriate
Conduct Risk
  • Processes to identify potential conduct issues through analysis of internal data
  • Implementation of appropriate incentive compensation schemes

Effective risk management programs typically structure formalized elements into an integrated and cohesive system for managing across risks and business units, with oversight by the board of directors and senior management.

[Graphic: Effective Risk Management Programs]

Data Collection and Governance

Supervisory expectations for data collection and data governance are less prescriptive for smaller banks, but still demanding. Supervisors expect these banks to put in place technology, processes, and controls that ensure enterprise data is comprehensive, accurate, and timely. Effective data management and governance are key components of a bank’s stress testing, capital management, and broader risk management.

Good data-governance frameworks will:

  • Address challenges related to the collection, management, and processing of data
  • Establish appropriate management information systems and related data processes
  • Be well-documented and actionable
  • Establish clear ownership and strong change controls
  • Contain transparent procedures and policies for independent accuracy verification
  • Include a system of metrics to monitor quality over time
  • Demonstrate the use of data in decision-making processes

Capital Planning and Stress Testing

While the asset threshold for banks subject to Dodd-Frank Act stress tests may be raised as part of the likely forthcoming legislative relief, regulators have expressed the expectation that banks continue to incorporate stress tests in their capital-planning activities. Banks will also benefit from building their material risks into idiosyncratic stress tests that support their capital-planning efforts. Forward-looking banks can develop a robust risk-identification process and stress-testing scenarios that demonstrate resiliency and the ability to conduct contingency planning in the event of capital deficiencies.

Banks that also build the specific features of their liquidity profile into their stress testing gain an end-to-end view of the potential impact of idiosyncratic stresses, rather than a capital-only view.

Firmwide Compliance

Banks of all sizes and levels of complexity are increasingly expected to demonstrate formalized and sophisticated processes for the monitoring and management of compliance risk.

This trend is most commonly seen in the merging of compliance into ERM frameworks. This integration of compliance and ERM includes setting standards for compliance risk materiality and establishing the key foundational elements (such as risk metrics, a compliance risk taxonomy, and regulatory-obligation inventory) needed to conduct an independent and rigorous assessment of compliance risks. This trend is increasingly reflected in committee structures — and also sometimes in reporting relationships, with compliance reporting up and through the risk function, rather than to the general counsel or a board committee.

Effective compliance functions include clear governance processes, such as effective committee structures and reporting practices that ensure accountability, ownership, and oversight. By developing data and technology systems that use both quantitative metrics and (where appropriate) qualitative elements to objectively measure compliance risk, banks will improve their decision-making in the sometimes vague and subjective realm of compliance risk. And aligning the overall compliance program with other key enterprise activities — such as risk identification, risk-control self-assessments, and internal audit — enables banks to achieve consistency and a holistic approach to testing and monitoring.

BSA/AML Controls

Breakdowns in BSA/AML compliance programs can occur at any level and be costly for banks. Regulators will continue to expect bank boards to have a thorough and current grounding in AML-related requirements, trends, and leading industry practices and to review and challenge management when controls are deemed to be insufficient.[2] The bank’s board-approved risk appetite statement should include a section on compliance risk that highlights AML and sanctions requirements and guides senior management on ways to ensure that new strategies or initiatives appropriately consider financial-crime risks. All client-facing staff — line-of-business management, in particular — remain responsible for understanding their roles in meeting firmwide AML requirements.

Conduct Risk

In whatever form the upcoming legislation passes, banks can expect increased regulatory scrutiny on conduct risk. Recent sales-abuse scandals have dominated headlines and left both banks and regulators scrambling to determine how practices evolved to allow the misconduct to happen. The largest banks have responded by performing forensic reviews and establishing new departments and/or risk disciplines to manage conduct risk.

Regulators will likely not hold midsize banks to the same conduct-risk standard as the largest banks, but CROs at midsize financial institutions should be prepared to demonstrate how their firms identify and mitigate potential conduct-related issues. At a minimum, these banks can establish a process to monitor for potential misconduct by using their existing data — on account opening, complaints, human resources, and internal ethics reporting — to identify potential breaches and determine root causes and potentially systemic issues. All banks will also benefit from broadly reviewing incentive compensation schemes and assessing annual sales incentives throughout the bank, including at the branch level.

Notwithstanding regulatory expectations, appropriate management of conduct risk is critical to a bank’s reputation.

How Promontory Can Help

Promontory is uniquely qualified to help midsize firms meet evolving regulatory expectations for risk management and governance. We have extensive experience using model-derived data to support banks’ stress testing and capital planning. Our assessments help organizations determine their current state of readiness to meet supervisory expectations and industry best practices. Promontory delivers multiyear enhancement plans that allow systems, capabilities, and frameworks to evolve over time and keep pace with requirements.

We also help clients implement comprehensive compliance frameworks that maintain and leverage the best aspects of current capabilities, while avoiding duplication of work already performed by internal teams or other third parties. Promontory professionals guide financial institutions through a process of collaborative discussion, helping them develop right-sized, well-balanced, and achievable plans.

Please contact Promontory to discuss how we can help your financial institution meet its current and future regulatory requirements.

Contact Us

David Samuels
Managing Director
+1 212 542 6776

1. We anticipate that regulatory guidance on risk management and stress testing will remain key compliance areas for midsize banks — guidance including “SR 16-11: Supervisory Guidance for Assessing Risk Management at Supervised Institutions with Total Consolidated Assets Less than $50 Billion,” Federal Reserve Board (June 8, 2016), and “SR 12-7: Supervisory Guidance on Stress Testing for Banking Organizations with More Than $10 Billion in Total Consolidated Assets,” Federal Reserve (May 4, 2012).

2. “Bank Secrecy Act/Anti-Money Laundering Examination Manual,” Federal Financial Institutions Examination Council (Dec. 2, 2014).