GAO: Regulators' Oversight of Large Financial Institutions is Lacking

New Report Faults Agencies for Failing to Assess Risk Management Systems

Federal financial regulators are lacking in their ability to assess large, complex institutions' risk management systems. This is the key finding of a new report by the Government Accountability Office (GAO).

GAO's analysis points to inadequate risk management at institutions as one of the causes of the global financial crisis that began in the U.S., including Bear Stearns' collapse and sale to JP Morgan Chase, the Lehman Brothers failure, Merrill Lynch's acquisition by Bank of America, as well as Goldman Sachs and Morgan Stanley becoming bank holding companies.

The failure of large institutions to properly identify and manage risks raises questions about corporate governance, as well as the regulators' oversight of those institutions' risk management systems, the report states.

What the GAO Investigated
GAO set out to review three things:

How regulators oversee risk management at these institutions;
The extent to which regulators identified shortcomings in risk management at certain institutions prior to the summer of 2007;
How some aspects of the regulatory system may have contributed to or hindered the oversight of risk management.

Banking and securities regulators use a variety of tools to identify areas of risk and assess how large, complex financial institutions manage their risks, the GAO says. The regulators, including the Federal Reserve, the Office of the Comptroller of the Currency (OCC), the Office of Thrift Supervision (OTS), and the securities regulators, the Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA), have different approaches to overseeing risk management practices. The Federal Deposit Insurance Corporation (FDIC) was not included in this report because it does not examine large, complex institutions.

In the report, the GAO states banking examiners are assigned to continuously monitor a single institution, where they engage in targeted and horizontal examinations and assess risks and the quality of institutions' risk management systems.

What GAO Found
The SEC and FINRA identify areas of high risk by aggregating information from examiners and officials on areas of concern across broker-dealers and by monitoring institutions. SEC and FINRA conduct discrete targeted and horizontal examinations. The GAO found banking regulators focused on safety and soundness, while SEC and FINRA tended to focus on compliance with securities rules and laws. All regulators have specific tools for effecting change when they identify weaknesses in risk management at institutions they oversee.

In reviewing the examination materials, GAO found:

Risk Management Weaknesses -- Regulators identified numerous weaknesses in the institutions' risk management systems before the financial crisis began. In one example, the GAO found regulators identified inadequate oversight of institutions' risks by senior management. But those regulators said that they didn't take forceful actions to address these weaknesses, such as changing their assessments, until the crisis occurred because the institutions had strong financial positions, and senior management had presented the regulators with plans for change.
Not Enough Action Taken -- Regulators also identified weaknesses in models used to measure and manage risk, but may not have taken action to resolve these weaknesses.
Institutions Not Pushed to do Better -- Finally, regulators identified numerous stress testing weaknesses at several large institutions, but GAO's limited review did not identify any instances in which weaknesses prompted regulators to take aggressive steps to push institutions to better understand and manage risks.

The GAO sees that some aspects of the regulatory system may have hindered regulators' oversight of risk management.

First, it says no regulator systematically looks across institutions to identify factors that could affect the overall financial system. While regulators periodically conducted horizontal examinations on stress testing, credit risk practices, and risk management for securitized mortgage products, they did not consistently use the results to identify potential systemic risks.

Second, primary bank and functional regulators oversee risk management at the level of the legal entity within a holding company, while large entities manage risk on an enterprise-wide basis or by business lines that cut across legal entities. In turn, the GAO sees that the regulators may have only a limited view of institutions' risk management or their responsibilities, and activities may overlap with those of holding company regulators.


About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.



