American Banker has an article up that is astonishing in that it tells us that the main regulator of national banks, the OCC, has confirmed one of our ongoing complaints: that the controls at the biggest banks are inexcusably weak. The OCC is the last place you’d expect to hear this from; historically it’s been a major enabler of banks playing fast and loose with the rules. And the implication is that bank execs should be wearing orange jumpsuits rather than getting multi-million pay packages.
Recall that this blog has inveighed repeatedly that the officialdom had a clear and easy path to prosecuting bank executives by using Sarbanes Oxley. From a 2011 post:
Contrary to prevailing propaganda, there is a fairly straightforward case that could be launched against the CEOs and CFOs of pretty much every US bank with major trading operations. I’ll call them “dealer banks” or “Wall Street firms” to distinguish them from very big but largely traditional commercial banks like US Bank.
Since Sarbanes Oxley became law in 2002, Sections 302, 404, and 906 of that act have required these executives to establish and maintain adequate systems of internal control within their companies. In addition, they must regularly test such controls to see that they are adequate and report their findings to shareholders (through SEC reports on Form 10-Q and 10-K) and their independent accountants. “Knowingly” making false section 906 certifications is subject to fines of up to $1 million and imprisonment of up to ten years; “willful” violators face fines of up to $5 million and jail time of up to 20 years.
The responsible officers must certify that, among other things, they:
(A) are responsible for establishing and maintaining internal controls;
(B) have designed such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared;
(C) have evaluated the effectiveness of the issuer’s internal controls as of a date within 90 days prior to the report; and
(D) have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date;
These officers must also have disclosed to the issuer’s auditors and the audit committee of the board of directors (or persons fulfilling the equivalent function):
(A) all significant deficiencies in the design or operation of internal controls which could adversely affect the issuer’s ability to record, process, summarize, and report financial
data and have identified for the issuer’s auditors any material weaknesses in internal controls; and
(B) any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer’s internal controls
The premise of this requirement was to give assurance to investors as to (i) the integrity of the company’s financial reports and (ii) there were no big risks that the company was taking that it had not disclosed to investors.
This section puts those signing the certifications, which is at a minimum the CEO and the CFO, on the hook for both the adequacy of internal controls around financial reporting (to be precise) and the accuracy of reporting to public investors about them. Internal controls for a bank with major trading operations would include financial reporting and risk management.
It’s almost certain that you can’t have an adequate system of internal controls if you all of a sudden drop multi-billion dollar loss bombs on investors out of nowhere. Banks are not supposed to gamble with depositors’ and investors’ money like an out-of-luck punter at a racetrack. It’s pretty clear many of the banks who went to the wall or had to be bailed out because they were too big to fail, and I’ll toss AIG in here as well, had no idea they were betting the farm every day with the risks they were taking.
With that in mind, get a load of the opening paragraphs of the American Banker story:
Think corporate governance at the largest banks is weak? You’re right, but you probably have no idea just how right you are.
The Office of the Comptroller of the Currency recently graded the 19 largest national banks on five factors designed to gauge how well they are being run.
The results are startling.
Not a single bank met the OCC’s requirements for internal auditing, risk management or succession planning. Only two of the 19 banks met the regulator’s requirements for defining the company’s appetite for risk-taking and communicating it across the company. Only two banks were judged to have boards of directors willing to stand up to their CEOs.
You might not fathom how damning that is. If the top brass ins’t doing an adequate job of making sure the books are kept properly and overseeing risk, what the hell are they doing? There’s absolutely no justification for super duper pay packages in light of this finding. It confirms what critics have long charged: that banking has become an exercise in looting, as defined by George Akerlof and Paul Romer: lever up on the basis of government support (which allows you to persist in reckless behavior far longer than normal businesses could) in order to pay the insiders more than they deserve. They keep the leverage and extraction game going until the odds catch up with the enterprise and it collapses.
These internal audit and risk management failures indicate probable Sarbanes Oxley violations. We’ve already flagged that issue with JP Morgan’s London Whale trade, but media, not surprisingly, has refused to buck the Cult of Jamie Dimon. And it’s pathetic that the OCC takes note of this issue now, a full four+ years after the crisis. Remember, in the wake of the crisis, banks have had the opportunity to remedy deficiencies, both for their own sake and as a result of more regulatory oversight. Yet after a period when it would be reasonable to expect that some improvements had been made, they still fall short. But why should they if they can get away with it? Their boards are complicit and I’m sure they remain confident that they’ll be bailed out, regulatory fulminating to the contrary (and remember, big financial firm CEOs believe they’ll be salvaged even in the face of official statements otherwise. Recall how Dick Fuld still can’t fathom why Lehman wasn’t rescued).
Admittedly, the OCC contends that this change is the result of completely redoing their large bank supervision model:
After the 2008 crisis, [agency veteran Mike} Brosnan and his colleagues at the OCC did some serious soul searching and concluded that the same mistakes that have bedeviled banks for decades did them in again: lousy loan underwriting, overleveraging, rapid growth and asset concentrations. Brosnan also faults the regulators, including himself, for missing the obvious.
“We don’t have anything to hide behind. This is all fundamental stuff,” he says. “Let’s not kid ourselves. We got beat the old-fashioned way.”
Determined not to get beat again, Brosnan’s mission is nothing if not bold. He wants to restore the industry’s — and the OCC’s — reputation.
“I want the banking system to be valued again and to be recognized that it is a key component to growth,” he says. “Also, the supervision of the large banks has to be trusted again.”
To do that he’s turned the large-bank supervision model inside out. Rather than putting the primary focus on credit, liquidity, interest rate and price risk, Brosnan has the OCC’s large-bank examiners targeting operational, compliance, strategic and reputation risks.
What I find interesting is that this tougher posture was implemented after the OCC got a new director, Thomas Curry, that has been perceived to be more tough minded that the bank shill that served as the OCC’s head, former acting director John Walsh. One of Curry’s first acts was to get rid of the OCC’s horrorshow of a general counsel, Julie Williams. The odds are high that the fact that the new bank supervision model got implemented without being seriously watered down is due to Curry’s leadership. It would be a remarkable and welcome change if the OCC starts taking its regulatory duties seriously.