BANK SUPERVISION
Federal Reserve and FDIC Should Address Weaknesses in Their Process for Escalating Supervisory Concerns
Report to the Committee on Banking, Housing, and Urban Affairs, U.S. Senate
November 2024
GAO-25-106771
United States Government Accountability Office
View GAO-25-106771. For more information, contact Michael E. Clements, (202) 512-8678, clementsm@gao.gov
Highlights of GAO-25-106771, a report to the Committee on Banking, Housing, and Community Affairs, U.S. Senate
November 2024
BANK SUPERVISION
Federal Reserve and FDIC Should Address Weaknesses in Their Process for Escalating Supervisory Concerns
Why GAO Did This Study
Signature Bank and Silicon Valley Bank were closed in March 2023, and FDIC was named as receiver. The failures raised questions about bank supervision, including whether the banking regulators are adequately escalating supervisory concerns to ensure that banks take prompt action.
As part of a series of reports related to these bank failures, GAO was asked to examine the regulators’ supervisory practices. Among other objectives, this report examines the processes and policies for escalating supervisory concerns at the Federal Reserve, FDIC, and OCC.
GAO analyzed data on the regulators’ supervisory concerns opened from 2018 through 2022 and examination documents for a nongeneralizable sample of 60 institutions representing different asset levels and regions. GAO compared regulators’ communications of supervisory concerns against their policies and procedures. GAO also reviewed regulators’ guidance and interviewed 109 federal bank examiners and seven subject-matter experts.
What GAO Recommends
GAO is making two recommendations to the Federal Reserve and three to FDIC to strengthen their processes for escalating supervisory concerns. Federal Reserve neither agreed nor disagreed with the recommendations. FDIC generally agreed with two of the recommendations but disagreed with a recommendation that it require rotations for large bank case managers. GAO maintains that the recommendation is valid, as discussed in this report.
What GAO Found
GAO identified weaknesses at the Board of Governors of the Federal Reserve System related to escalation of supervisory concerns.
Corporate governance and risk management. The Federal Reserve’s lack of a regulation or enforceable guidelines under section 39 of the Federal Deposit Insurance Act on corporate governance and risk management issues may have contributed to delays in taking more forceful action against Silicon Valley Bank, which failed in March 2023. Such authority may assist the Federal Reserve in taking early regulatory actions against unsafe banking practices before they compromise a bank’s capital.
Early remediation. The Federal Reserve has not finalized a rule required by the Dodd-Frank Wall Street Reform and Consumer Protection Act (with an effective date of January 2012). The rule was intended to promote earlier remediation of issues at financial institutions. Federal Reserve officials stated that other rules accomplish much of what the act intended but acknowledged that substantive items from the act remain unimplemented. By implementing the act’s requirements, the Federal Reserve could align its supervisory tools with congressional intent that it take early action before an institution’s financial condition deteriorates.
GAO also found weaknesses in the Federal Deposit Insurance Corporation’s (FDIC) escalation procedures.
Centralized tracking. The absence of a centralized system for tracking supervisory recommendations—that is, communications informing an institution of changes needed in operations or financial condition—limits FDIC’s ability to identify emerging risks across the banks it supervises.
“Vetting” meetings. Unlike other regulators, FDIC does not have a formalized process to ensure that large bank examination teams and relevant stakeholders are consulted before making changes or decisions, such as escalation decisions. Examiners from two selected banks cited concerns about managers altering conclusions without consulting the examiners or being unreceptive to divergent views. Procedures, such as vetting meetings, requiring managers to consult with large bank examiners and other stakeholders could ensure decisions are grounded in the evidence gathered during examinations.
Rotation requirements. Unlike the other regulators, FDIC does not require large bank case managers to rotate after a few years at one institution. Case managers play a key role in the examination process. GAO has previously reported that agencies can mitigate threats to independence by implementing policies that rotate staff in key decision-making roles, thereby reducing the impact of any one employee. Implementing rotation requirements could limit close relationships between FDIC large bank case managers and bank management, helping ensure large bank case managers maintain their supervisory independence.
The Office of the Comptroller of the Currency (OCC) has procedures for escalating supervisory concerns to enforcement actions, and GAO found that it generally adheres to these procedures. These procedures include collaborative decision-making processes and documentation of divergent views between examiners and supervisors.
Abbreviations
|
CAMELS |
capital adequacy, asset
quality, management, |
|
FDIC |
Federal Deposit Insurance Corporation |
|
Federal Reserve |
Board of Governors of the Federal Reserve System |
|
OCC |
Office of the Comptroller of the Currency |
This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.
November 19, 2024
Congressional Requesters
The 2023 failures of Silicon Valley Bank and Signature Bank created an estimated net loss of $3.2 billion to the Deposit Insurance Fund.[1] We previously reported that risky business strategies and weak liquidity and risk management practices contributed to these bank failures.[2] Officials from the Federal Deposit Insurance Corporation (FDIC) and the Board of Governors of the Federal Reserve System (Federal Reserve) have stated publicly that despite identifying vulnerabilities and supervisory concerns before the failures, they did not take sufficient actions to ensure the institutions promptly addressed these issues. The failures have prompted questions from some Members of Congress and the public about bank supervision.
In March 2024, we found that the Federal Reserve and FDIC had identified numerous supervisory concerns at Silicon Valley Bank and Signature Bank as early as 2018 but did not issue any enforcement actions, which would have required the institutions to address the problems.[3] We recommended that the Federal Reserve revise its escalation procedures to be clearer and more specific and to include measurable criteria.[4] The Federal Reserve agreed with the recommendation but has not yet implemented it. We also recommended that Congress consider requiring the adoption of noncapital triggers that require early and forceful regulatory actions tied to unsafe banking practices before they impair capital.[5] For example, Congress could amend the Federal Deposit Insurance Act to require corrective actions based on indicators other than capital adequacy (such as interest rate risk, asset concentration, and poor management).
This report follows up on our March 2024 report and examines the supervisory practices of all three federal banking regulators. Specifically, this report examines communication of supervisory concerns and processes and policies for escalating supervisory concerns for the three federal banking regulators: (1) the Office of the Comptroller of the Currency (OCC), (2) the Federal Reserve, and (3) FDIC.
To assess the communications of supervisory concerns, we developed a data collection instrument to systematically collect information on the supervisory concerns issued by the three regulators from January 2018 through December 2022, the most current data at the time of our review. We collected and analyzed supervisory documentation from each regulator.[6] We selected a nongeneralizable sample of 20 depository institutions supervised by each regulator for a total of 60.[7] We selected the sample of institutions to ensure it included (1) a range of asset sizes; (2) CAMELS (capital adequacy, asset quality, management, earnings, liquidity, and sensitivity to market risk) ratings of 2 or 3, as of 2022; (3) geographic diversity in the regional offices overseeing the financial institutions; and (4) institutions with the highest total number of supervisory concerns issued by the regulators from January 2018 through May 2023.[8]
We focused our analysis on the regulators’ communications and on institutions’ remediation of supervisory concerns related to safety and soundness risks, such as credit, corporate governance, and management and liquidity. We reviewed the regulators’ internal examination policies and procedures to identify their requirements for communicating and escalating supervisory concerns in both annual and target examinations and for escalating concerns to informal and formal enforcement actions. We reviewed the regulators’ escalation guidance against applicable federal standards for internal control.
To assess the regulators’ supervisory concerns issued from January 2018 to May 2023, we collected administrative data from OCC, the Federal Reserve, and FDIC to produce descriptive statistics on the regulators’ supervisory concerns. We assessed the completeness and reliability of the data by performing electronic data testing to identify missing values, logical inconsistencies, outliers, or duplicates and found the data were sufficiently reliable for the purposes of this report.
We also interviewed a nongeneralizable sample of examiners in charge and examination team members who conducted examinations from January 2018 through May 2023. We interviewed 109 examiners across the three regulators. To select these examiners in charge and examiners, we selected three depository institutions for each regulator from our sample of 60, for a total of nine institutions. We selected these institutions to include (1) one institution from each of three asset groups (large, regional, and community); (2) at least one failed or liquidated institution; (3) institutions with supervisory concerns that had been open for a longer period relative to similar institutions; and (4) institutions from different geographic regions. We also interviewed seven experts in the fields of banking, finance, and economics. In selecting the experts, we sought a range of perspectives from academia, industry associations, and think tanks. See appendix I for more detail on our scope and methodology.
We conducted this performance audit from April 2023 to November 2024 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.
Background
Federal Banking Regulators
The purpose of federal banking supervision is to help ensure that depository institutions throughout the financial system operate in a safe and sound manner and comply with federal laws and regulations for the provision of banking services. In addition, federal banking supervision looks beyond the safety and soundness of individual institutions to promote the stability of the financial system as a whole. Each depository institution in the United States is primarily supervised by one of the following three federal banking regulators:[9]
· OCC supervises federally chartered national banks and savings associations and federally chartered branches and agencies of foreign banks.
· The Federal Reserve supervises state-chartered banks that are members of the Federal Reserve System, bank holding companies and any non-depository-institution subsidiaries of a bank holding company, and savings and loan holding companies and any subsidiaries (other than depository institutions) of a savings and loan holding company, Edge Act and agreement corporations, and the U.S. operations of foreign banks.[10]
· FDIC supervises insured state-chartered banks that are not members of the Federal Reserve System, state-chartered savings associations, and insured state-chartered branches of foreign banks.[11]
Bank Supervision Process
The federal banking regulators have broad authority to examine depository institutions subject to their jurisdiction. Under the Federal Deposit Insurance Act, as amended, FDIC, the Federal Reserve, and OCC are required to conduct a full-scope, on-site examination of each insured depository institution they supervise at least once during each 12-month period. The regulators may extend the examination interval to 18 months, generally for institutions that have less than $3 billion in total assets and meet certain conditions, based on ratings, capitalization, and status of formal enforcement actions, among other factors.
Regulators assess the strength of depository institutions using the Uniform Financial Institutions Rating System, also known as CAMELS. The federal banking regulators rate an institution on each CAMELS component (capital adequacy, asset quality, management, earnings, liquidity, and sensitivity to market risk). Evaluations of CAMELS components consider an institution’s size and sophistication, the nature and complexity of its activities, and its risk profile. The regulators then give a composite rating (which closely relates to the component ratings but is not an average of them). Both the composite and component ratings are based on a scale of 1 (best) to 5 (worst). As an institution’s ratings worsen, corresponding supervisory actions generally increase in severity.
For large depository institutions, federal banking regulators generally do not conduct an annual point-in-time examination of the institution. Rather, they generally conduct ongoing on-site supervisory activities that are intended to evaluate the institution’s operating condition, management practices and policies, and compliance with applicable laws and regulations. Throughout the examination cycle, target examinations culminate in supervisory letters that are transmitted to the institution (where applicable).[12] At the end of the supervisory cycle, a report of examination is issued to the institution. The supervisory letters and report of examination may include supervisory concerns. For smaller depository institutions with less than $10 billion in assets, the regulators typically conduct single point-in-time, full-scope examinations.
OCC, the Federal Reserve, and FDIC have organized their supervision of financial institutions according to the asset size and complexity of the institutions they oversee (see table 1).
|
Regulator |
Program |
Structure |
Types and asset sizes of institutions in each program |
Number of depository institutions |
|
Office of the Comptroller of the Currency (OCC) |
Large Bank Supervision |
Core teams are assigned to specific institutions and are housed in OCC offices or embedded on-site with institutions. |
Large institutions generally with assets between $100 billion and $3 trillion |
28 |
|
Midsize and Trust Bank Supervision |
Core teams are assigned to specific institutions and are housed in OCC offices or embedded on-site with institutions. |
Midsize institutions, including federal savings associations with assets between $15 and $115 billiona |
63 |
|
|
Community Bank Supervision |
Supervision is conducted through six regions: East, Northeast, South, Southeast, Midwest, and West. |
Community institutions, including federal savings associations with assets of less than $15 billion |
850 |
|
|
Board of Governors of the Federal Reserve System |
Large Institution Supervision Coordinating Committee Program |
Supervision focuses on individual institutions’ safety and soundness and U.S. financial stability. Supervision includes the use of both institution-specific examinations and “horizontal” reviews.b |
Institutions that pose elevated risk to U.S. financial stability (for example, Bank of New York Mellon and State Street and Trust) |
4 |
|
Large and Foreign Banking Organization Program |
Each Reserve Bank supervises the large banking institutions located in its district, with support and oversight from staff at the Board of Governors. |
U.S. institutions with total assets of $100 billion or more and all foreign banking institutions operating in the U.S. regardless of asset size |
7 |
|
|
Regional Banking Organization Program |
Each Reserve Bank supervises the institutions located in its district with support from staff at the Board of Governors. |
U.S. institutions with total assets between $10 billion and $100 billion |
40 |
|
|
Community Banking Organization Program |
Each Reserve Bank supervises the institutions located in its district with support from staff at the Board of Governors. |
U.S. institutions with less than $10 billion in total assets |
654 |
|
|
Federal Deposit Insurance Corporation (FDIC) |
Continuous Examination Process |
Due to the size and complexity of these institutions, staff are dedicated to a specific bank and use a continuous examination process. |
Institutions that are larger, more complex, or present a higher risk profile |
55c |
|
Point-in-Time Examination Process |
Examination teams located at field offices conduct point-in-time examinations. |
Institutions that are generally smaller or less complex |
2,853 |
Source: OCC, Federal Reserve, and FDIC. | GAO‑24‑106771
aThe asset levels of Midsize and Trust Bank Supervision overlap with Large Bank Supervision.
bHorizontal reviews involve examining several institutions simultaneously, and they encompass institution-specific supervision and the development of cross-institution perspectives.
cFive of the institutions have less than $10 billion in assets but are part of the continuous examination process because of their complexity.
Supervisory concerns cover various topics related to safety and soundness and compliance with laws and regulations. For example, among the supervisory concerns OCC issued from January 2018 through May 2023, the most common were related to information technology, enterprise governance and operations, and commercial credit, which includes concerns related to commercial real estate risks.
Communicating and Escalating Supervisory Concerns
All three federal banking regulators have established requirements or guidance on the communication of supervisory concerns to the depository institutions. The regulators use various supervisory concerns and enforcement tools to communicate with institution management and to correct unsafe or unsound banking practices. See table 2 for the types of supervisory concerns issued by each regulator.
|
Level of severity |
Office of the Comptroller of the Currency |
Board of Governors of the Federal Reserve System |
Federal Deposit Insurance Corporation |
|
Minor concern resolved in normal course of business |
Matter requiring attention |
No categorya |
Supervisory recommendation |
|
Serious concern resolved in normal course of business |
Matter requiring attention or informal or formal enforcement action |
Matter requiring attention |
|
|
Serious concern that demands immediate board attention |
Matter requiring attention or informal or formal enforcement action |
Matter requiring immediate attention |
Matter requiring board attention |
|
Typically, CAMELS composite rating of 3, 4, or 5, or lack of adequate institution response to serious concern that demands immediate response or triggers certain legal actions |
Informal or formal enforcement action |
Informal or formal enforcement action |
Informal or formal enforcement action |
Source: Office of the Comptroller of the Currency, Federal Reserve, and Federal Deposit Insurance Corporation. | GAO‑24‑106771
aThe Federal Reserve may not issue written supervisory concerns for minor concerns resolved in the normal course of business.
FDIC, the Federal Reserve, and OCC employ progressive enforcement regimes to address supervisory concerns that arise during the examination cycle. If an institution does not respond in a timely manner or address the issue sufficiently, the regulators may take informal or formal enforcement actions, depending on the severity of the circumstances. An example of an informal enforcement action would be obtaining an institution’s commitment to implement corrective measures under a memorandum of understanding. Formal enforcement actions include, for example, issuance of a cease-and-desist order and assessment of a monetary penalty.
All three regulators have established procedures to escalate supervisory concerns to informal and formal actions.
· OCC. OCC policy states that when an institution receives a CAMELS composite rating of 3, the agency will likely issue a formal enforcement action following the supervisory letter or report of examination. The policy also states that OCC will likely issue a cease-and-desist order, consent order, or other actions for institutions with composite ratings of 4 or 5. Additional escalation factors OCC can consider include the institution’s risk profile; the nature, extent, and severity of the deficiencies; the extent of unsafe or unsound practices; and the board and management’s ability and willingness to correct deficiencies within an appropriate time frame.
· Federal Reserve. According to Federal Reserve guidance, informal enforcement actions generally are used for depository institutions with a composite CAMELS rating of 3. Formal enforcement actions generally are used for institutions with a composite rating of 4 or 5. The guidance also includes 10 factors that examiners are to consider in determining whether to escalate a concern. These include the institution’s supervisory rating and financial condition, the number of open supervisory concerns, the materiality of the open concerns to the institution’s safety and soundness, and the institution’s history of instituting timely corrective actions.
· FDIC. FDIC policy states that formal or informal enforcement actions are typically taken against institutions with a composite CAMELS rating of 3 or worse. The policy further states that FDIC may pursue enforcement actions regardless of the composite CAMELS rating if the “specific facts and circumstances make such an action appropriate.” The policy lists a number of escalation factors that are designed to assist examination staff in determining whether to seek informal or formal action. On August 29, 2023, FDIC issued a memorandum that advised examiners to (1) consider elevating a matter requiring board attention to an enforcement action if the matter was repeated or uncorrected at the end of an examination cycle and (2) elevate concerns to at least a matter requiring board attention if supervisory recommendations were repeated or remained uncorrected at the next examination cycle.
OCC Followed Guidance for Communicating and Escalating Supervisory Concerns for Selected Institutions
OCC Examiners Consistently Followed Guidance for Communicating Supervisory Concerns to Selected Institutions
We found that OCC examiners consistently followed agency guidance for communicating supervisory concerns to institutions in our review of a nongeneralizable sample of 101 supervisory concerns to 19 selected depository institutions from January 2018 through May 2023.[13] According to the OCC Comptroller’s Handbook, communications of supervisory concerns include five elements: description of the concern, cause of the deficiency, consequences of not remediating the deficiency, corrective actions required, and a request for commitment to remediation by a specific date.[14] All the communications we reviewed included each of these elements (see app. II).
OCC policy states that examiners are required to issue reports of examination within 90 or 120 days of the examination’s start, depending on the condition of the institution. Additionally, officials from OCC’s Large Bank Supervision office told us they expect supervisory communications to be delivered to institutions within 45 days from the date that examination fieldwork is complete. Our review of 42 selected communications to three OCC-supervised institutions (from January 2018 through May 2023) found that communications were generally issued in a timely manner.[15] Specifically, 39 of these communications (93 percent) met OCC’s requirements and expectations for timely communication. The three communications that did not meet timeliness standards had waivers for communication time frames with documented explanations.
OCC Generally Closed Supervisory Concerns within 12 to 18 Months, Though Some Remained Open Longer
OCC policy requires institutions to submit an initial response with an action plan for remediation within 30 days of receiving a supervisory concern. We found that institutions consistently responded within this time frame in the nongeneralizable sample of supervisory communications we reviewed. All the OCC-supervised institutions in our sample provided a committed remediation date in their response to the concerns. The committed remediation dates were generally longer for large institutions than for regional and smaller institutions.
OCC officials told us there is no specific time frame requirement for remediating supervisory concerns. Instead, the institution and supervisory office negotiate a commitment date for remediating each supervisory concern. These officials and OCC examiners told us the length of time it takes to remediate a concern depends on several factors. These include the actions required, the severity of the concern, resources required to implement the actions, and the timing of activities required to verify and validate the effectiveness and sustainability of the institution’s corrective actions.
OCC requires examiners to assess an institution’s progress in addressing supervisory concerns quarterly until they validate the sustainability of the institution’s corrective actions. OCC policy favors taking additional supervisory or enforcement actions when an institution has continuing, recurring, or increasing deficiencies for a prolonged period (generally defined as more than 3 years), particularly when the institution has made insufficient progress in correcting the deficiencies.
Our review of administrative data on all 6,775 supervisory concerns that OCC issued to supervised institutions from January 2018 through May 2023 found that concerns generally closed within 12 to 18 months. An estimated 72 percent of concerns closed within 2 years, while approximately 12 percent closed between 2 and 3 years. Approximately 4 percent closed between 3 and 4 years.[16] The remaining 12 percent of supervisory concerns were open for more than 4 years and were primarily associated with the examination issue areas of commercial credit, enterprise governance and operations, and information technology. OCC examiners noted that concerns involving enterprise-wide issues or technology can take longer to close due to their complexity and the resources required for remediation.
Approximately 9 percent of concerns issued in 2018 remained open and pending remediation as of May 2023, when our sample time frame ended. These concerns were associated with 26 institutions, and approximately half were linked to enforcement actions. See appendix III for more details.
OCC Has Established Escalation Procedures and Generally Escalated Concerns According to These Procedures
As previously noted, OCC has established escalation procedures, which include a number of factors that examiners are to consider in determining whether to escalate a concern. These factors include the institution’s supervisory rating and financial condition, number of open supervisory concerns, and history of instituting timely corrective actions.[17] Examiners that supervised one of the institutions in our sample told us these factors are clear but can sometimes be difficult to apply. For example, they said that for complex issues involving many supervisory concerns with a potentially similar root cause, they would want to avoid escalating too many different concerns into a single enforcement action. They said this kind of situation may require additional analysis to determine which concerns need to be escalated to the enforcement action.
OCC management and multiple examination teams described escalation procedures including collaborative decision-making through formal vetting of issues. These vetting sessions provide a forum for discussing key examination findings and deliberating potential supervisory concerns or enforcement actions. Participants in these discussions may include the deputy comptroller, assistant deputy comptrollers, examiners in charge, team leads, subject-matter experts, legal staff, and examiners participating in the examination. OCC procedures also describe supervision review committees that review or make enforcement decisions and promote consistent application of policies. Examiners told us they were not aware of an instance where their supervisory office disagreed with their findings or told them to change their recommendations. They added that any challenges happen early in the process and are resolved before reaching the draft recommendation stage.
OCC also has procedures for documenting divergent views that emerge during the decision-making process. Under the updated Large Bank Supervision template used to document examination conclusions, examiners must document why a proposed matter requiring attention or potential violation was not included in the final supervisory letter sent to the institution. This documentation must include an explanation for the omission, which may draw from internal deliberations or other documents. These documentation requirements aim to increase transparency and accountability for decision-makers.
OCC has established rotation requirements for examiners in charge of large institutions. OCC policy states that these requirements promote objectivity, cross training, and growth in expertise among examiners. Rotation requirements are one way to guard against regulatory capture. We have defined regulatory capture as a condition that exists when a regulator acts in service of private interests, such as the interests of the regulated industry, at the expense of the public interest.[18] Regulatory capture can hinder timely and appropriate escalation. Captured regulators may make decisions that inappropriately benefit the institutions they oversee, such as overlooking risky practices or failing to impose appropriate penalties.
Our review of selected supervisory communications and discussions with examiners suggested that OCC followed its policy in instances where supervisory concerns were escalated to enforcement actions. OCC policy states that whenever possible, a proposed enforcement action should be presented to the institution within 180 days of the start of a supervisory activity that results in communication of significant deficiencies. We did not identify any instances in our sample where OCC’s escalation criteria appeared to be met but the concern was not escalated. OCC’s response to one community bank in our sample illustrates an example of timely and appropriate escalation:
· An annual report of examination described the bank’s increasing risk profile and included multiple supervisory concerns, noting the bank’s inadequate risk assessments and insufficient credit risk management processes.
· Approximately 3 months later, OCC began a target examination of the bank’s financial technology line of business, conducted due to the bank’s inadequate planning and management of increasing risks in its financial technology activities. The examination identified two violations of laws and regulations. It included new supervisory concerns and escalated prior supervisory concerns to an informal enforcement action. The bank was required to submit a safety and soundness plan, with a warning that failure to remediate these issues would result in further escalation.
· The subsequent annual report of examination noted that the bank’s board and management had not achieved compliance with their submitted plan and continued to aggressively grow the financial technology line of business. This report identified additional violations of laws and regulations and multiple new supervisory concerns, prompting OCC to escalate these items to a formal enforcement action.
Federal Reserve Generally Followed Its Communication Guidance for Selected Institutions, but Its Process for Escalating Concerns Has Weaknesses
We found that the Federal Reserve generally adhered to its guidance for communicating key details of supervisory concerns to selected institutions and has procedures for determining when to escalate a supervisory concern to an enforcement action. However, the Federal Reserve has not issued a regulation or enforceable guidelines on corporate governance and risk management, even though it has the statutory authority to do so, and has not finalized a rule related to early remediation standards, which may hinder escalation of concerns.
Federal Reserve Generally Adhered to Its Guidance for Communicating Selected Supervisory Concerns
Required Communication Components
Federal Reserve examiners generally followed agency guidance for communicating key details of concerns to selected institutions. Specifically, our review of a nongeneralizable sample of supervisory concern communications from January 2018 through May 2023 found that 98 of the 104 concerns we reviewed included most or all of the required components (see app. II for detailed analysis).[19]
In a 2019 report, we found that some Federal Reserve supervisory communications did not provide information on the cause or potential effect of a supervisory concern.[20] We recommended that the Federal Reserve require examiners to provide more complete information about the concerns, such as the likely cause and potential effect of the deficiency. In 2020, the Federal Reserve updated relevant manuals to require that communications of supervisory concerns include, if evident, both the root cause and potential effect of the finding on the institution. We determined that this modified guidance addressed our recommendation.[21]
Our review of selected communications from January 2021 through May 2023, following the Federal Reserve’s 2020 updates, found general alignment with its new guidance. Specifically, we found that 31 out of 33 communications (94 percent) identified a cause, and 29 out of 33 communications (89 percent) identified a potential effect. These communications also generally included most of the other elements described in the guidance, which emphasizes using clear and concise language, prioritizing findings by importance, focusing on significant matters that require attention, and using standardized language.
Timeliness of Communication
We found that Federal Reserve examiners generally issued communications in a timely manner, on the basis of our review of timeliness information for 177 communications to three institutions of different asset sizes from February 2018 through December 2023.[22]
The Federal Reserve expects examination reports or letters to be issued to institutions within certain time frames, depending on the category and size of the institution. Examination reports or letters are expected to be issued
· to community institutions within 60 days of the closing date of the examination and less than 90 days after the start of the examination;
· to regional institutions within 90 days of the examination start date for noncomplex holding companies and within 100 calendar days of the start date for state member institutions; and
· to large institutions within 60 days of the examination closing date.
For a majority of the selected supervisory communications we reviewed, the issuance time frames fell within the expectations for each of the three institutions. For the community and regional institutions, we found that 15 of the 18 communications (83 percent) in the sample met the expectations, and for the large institution, 89 of the 160 communications (56 percent) in the sample met the expected issuance time frame. However, for the regional institution in the sample, we found that one communication exceeded the expectation by 56 days. For the large institution in the sample, we found that communications that did not meet timely issuance expectations exceeded these expectations by a median value of 28 days.
Federal Reserve officials cited several reasons for delays in issuing examination reports. They said delays can occur when supervisory findings are being escalated to enforcement actions, requiring discussion with enforcement, legal, and analyst staff and state regulators to confirm that the letter supports escalation. Additionally, the emergence of new or material issues during the vetting or report processing phases can cause delays. Reports may also be delayed if they involve complex or borderline issues that require vetting, or if they require additional research or legal interpretation of complex or technical matters.
Institutions’ Response to and Remediation of Concerns
Federal Reserve policy requires institutions to respond in writing to communications of supervisory concerns regarding any completed or planned corrective actions.[23] This policy does not specify a required time frame to provide written responses, but all 104 communications in our nongeneralizable sample included time frames for institutions to respond, such as 45 days. These response requirements were met for 92 of the 104 communications (88 percent) in our nongeneralizable sample and generally included a committed remediation date.[24]
However, Federal Reserve officials said they have not designated standardized time frames for remediating all supervisory concerns, as the complexity and severity of issues vary. They said that supervisory concerns are not all the same and that the time required to remediate a concern depends on the specific issue, its context, and the institution involved. Therefore, they said, remediation time frames for individual supervisory concerns are created to ensure the institution correctly remediates the concern. Officials further noted that examiners may require institutions to implement compensating controls or other temporary measures until issues are fully remediated. Federal Reserve examiners told us that in some cases, it may take an institution’s management one or two annual examination cycles to fully understand the root cause of the issue.[25]
Federal Reserve policies require the supervising Reserve Bank to follow up on matters requiring attention and matters requiring immediate attention to assess progress and verify satisfactory completion. The Federal Reserve uses a central tracking system for follow-up on supervisory concerns over time. Reserve Bank staff monitor the status of concerns, and follow-up actions vary depending on the nature and severity of the matter. These actions may include subsequent examinations or other supervisory activities deemed suitable for evaluating the issue.
See appendix III for additional data on the Federal Reserve’s supervisory concerns issued and closed from January 2018 through May 2023.
The Federal Reserve Has Escalation Procedures and Is Considering Required Time Frames for Escalation
The Federal Reserve’s procedures, similar to OCC’s, include several factors examiners are to consider in determining whether to escalate a concern. These factors include the institution’s supervisory rating and financial condition, number of open supervisory concerns, and history of implementing timely corrective actions.[26] The Federal Reserve’s escalation process also involves collaborative decision-making through formal vetting of issues, according to Reserve Bank policy documents and interviews with Federal Reserve examiners. In addition, each Reserve Bank has a process for documenting and reviewing any divergent views that may arise during supervisory activities.
The Federal Reserve has a policy of preparing certain routine enforcement actions that involve safety and soundness concerns within 50 days. However, it does not have required time frames for issuing nonroutine, complex enforcement actions to institutions. In contrast, OCC’s policy is to present proposed enforcement actions to banks within 6 months of the start of the supervisory activity that identified the action. Unlike OCC, the Federal Reserve must coordinate with state banking agencies when considering escalation decisions, which can affect the timeline. The Federal Reserve said that while it may establish internal expectations for timeliness, it does not have authority to commit state banking agencies to these expectations.
In our review of a nongeneralizable sample of Federal Reserve examination documents, we found long time frames between the identification of concerns and the issuance of enforcement actions. In some instances, the Federal Reserve took more than 6 months from the start of a supervisory activity to issue a nonroutine, complex enforcement action. For example:
· In June 2022, the Federal Reserve downgraded a large institution. It issued an informal enforcement action about 10 months later, in April 2023.
· As we previously reported, Federal Reserve officials told us that although they initiated an informal enforcement action against Silicon Valley Bank in July 2022, examiners did not finalize the action before the bank failed in March 2023.[27]
In March 2024, we recommended that the Federal Reserve revise its escalation procedures to be clearer and more specific and to include measurable criteria.[28] The Federal Reserve agreed with the recommendation, and its staff told us they are updating their framework for escalating supervisory findings to enforcement actions. As part of this effort, they said they are considering whether required time frames for more complex enforcement actions are appropriate, including for those that raise legal or policy issues or that require more extensive coordination. Because more complex enforcement actions likely have a larger impact, establishing time frames for such actions would be prudent. We will continue to monitor the Federal Reserve’s progress in implementing our recommendation.
Federal Reserve Does Not Have Regulation or Enforceable Guidelines on Corporate Governance and Risk Management, Potentially Hindering Escalation
The Federal Reserve has established supervisory guidance on corporate governance and risk management standards, but it has no specific regulations or enforceable guidelines for escalating supervisory concerns on these issues.[29] The Federal Reserve’s Commercial Bank Examination Manual details supervisory expectations for board directors and management, including general duties and responsibilities and oversight of liquidity risks, and it provides guidance for assessing risk management practices.[30] In addition, under section 39 of the Federal Deposit Insurance Act, the Federal Reserve may prescribe operational and managerial standards by regulation or guidelines.[31] Effective May 2021, the Federal Reserve’s regulation on procedures was amended to include an appendix that states that the agency “will not issue an enforcement action on the basis of a ‘violation’ of or ‘noncompliance with’ supervisory guidance.”[32] The final rule’s preamble states that the Federal Reserve will continue to robustly use guidance to support safety and soundness and promote compliance.[33] However, the final rule clarified that, unlike a law or regulation, supervisory guidance does not have the force and effect of law. It also noted that the Federal Reserve does not take enforcement actions based on supervisory guidance.
Federal Reserve officials told us examiners have been able to sufficiently address corporate governance weaknesses using matters requiring attention. As a result, officials believe it unnecessary to convert the guidance to regulation. The officials said that, while the Federal Reserve does not have specific regulations or enforceable guidelines on corporate governance and risk management for large state-member banks, large bank holding companies are already subject to enhanced prudential standards that include corporate governance and risk management requirements.[34] The officials said that section 8(b) of the Federal Deposit Insurance Act allows them to take an enforcement action for any violation of law or unsafe or unsound practice.[35]
However, despite identifying numerous corporate governance and risk management concerns at Silicon Valley Bank, the Federal Reserve did not pursue an enforcement action until the bank was near collapse.[36] The lack of regulation on corporate governance and risk management may have contributed to delays in taking more forceful action against Silicon Valley Bank, exposing a potential gap in the Federal Reserve’s supervisory toolkit.[37]
In contrast to the Federal Reserve, OCC and FDIC have the same authority under section 8(b) of the Federal Deposit Insurance Act but chose to establish specific regulations with enforceable guidelines on corporate governance and risk management.
· Since fall 2014, OCC has had “heightened standards” in its regulations codified as enforceable guidelines under section 39 of the Federal Deposit Insurance Act for insured national banks with assets of $50 billion or more. These standards include minimum standards for the design and implementation of a bank’s risk governance framework and board oversight of the framework.[38] OCC examiners told us this rule has been helpful in addressing governance and risk management issues because escalation is based on regulation rather than agency guidance.
· In October 2023, FDIC issued proposed rules to similarly convert agency guidance on corporate governance and risk management into regulation proposed to be codified as enforceable guidelines issued under section 39 of the Federal Deposit Insurance Act.[39] FDIC officials told us they recognized that these issues contributed to Signature Bank’s failure. The supplementary information published with the proposed guidelines emphasizes the need for larger or more complex institutions to have more sophisticated and formal board and management structures and practices to ensure appropriate corporate governance. The supplementary information also states that regulators should have the authority to intervene when these structures and practices are inadequate or do not match the institution’s risk level.
A report on the spring 2023 bank failures by the Bank for International Settlements highlighted this issue. It stated that supervisors had warned the distressed banks about governance issues that posed risks to their safety and soundness, but these warnings did not drive sufficient change to prevent stress.[40] It noted that without regulatory authority, supervisors may have to rely on less robust tools to incentivize banks to address risks, which may prove less effective. The report recommended that regulators review their supervisory tools to ensure they are sufficient to encourage corrective action by banks and consider any regulatory constraints on their application.
By promulgating a regulation or enforceable guidelines on corporate governance and risk management under section 39 of the Federal Deposit Insurance Act, as the other regulators have done, the Federal Reserve could give examiners a specific tool to escalate corporate governance and risk management concerns and could more easily take early, forceful regulatory actions tied to unsafe banking practices before they impair capital.
Federal Reserve Has Not Finalized a Rule Related to Early Remediation Standards
The Dodd-Frank Wall Street Reform and Consumer Protection Act directed the Federal Reserve to establish early remediation standards for nonbank financial companies and certain bank holding companies.[41] The standards are to require the Federal Reserve to intervene quickly, rather than waiting until a financial institution is about to fail. Specifically, section 166 of the act requires the Federal Reserve to establish an early intervention framework based on forward-looking financial metrics in addition to an institution’s capital levels. Examples of such metrics could include noncapital triggers based on liquidity metrics, risk management weaknesses, and other market indicators.[42] The statutory deadline for implementing section 166 was January 2012.[43]
The Federal Reserve proposed a rule in 2012 to implement early remediation standards for large bank holding companies, but it was never finalized.[44] Officials acknowledged that section 166 has not been fully implemented. They said the agency received substantial comments requiring further consideration to avoid implementing rules that duplicate existing regulations. The officials also noted that many risks intended to be addressed by the proposed rule under section 166 were being addressed in other rules.
Federal Reserve officials noted that the agency’s existing regulatory framework addresses numerous aspects of section 166. For example, they stated that existing rules on capital, capital planning, and total loss-absorbing capacity establish heightened requirements that restrict capital distributions or require capital raising when firms’ capital levels decline.[45] They also stated that existing rules on the liquidity coverage and net stable funding ratios require firms to notify regulators of liquidity shortfalls and submit remediation plans.[46] In addition, officials noted they already can take measures like restricting acquisitions and asset growth and requiring asset sales.[47] Given these existing regulations and powers, officials told us that reintroducing rulemaking for section 166 has not been a priority.
In addition, Federal Reserve officials expressed concern that the proposed rule could have unintended consequences. For example, punishing firms for not complying with the minimum requirements for the liquidity coverage ratio and net stable funding ratio could discourage the firms from using liquidity buffers to maintain regulatory ratios. A purpose of these requirements—especially the liquidity coverage ratio—is to ensure that firms hold sufficient liquid assets relative to their risk profile to meet their liquidity needs during stress. Therefore, it is appropriate and desirable for a firm to use its liquid assets to meet its liquidity needs under certain circumstances rather than hoard those assets to maintain regulatory ratios. However, a firm may choose not to use its liquid assets when needed if it will be punished for not complying with the minimum requirements. Further, they said the proposed rule included market indicators, which present policy and procedural challenges when tied to automatic and escalating triggers. Specifically, counterparties could be incentivized to act in a way that impacts market indicators if they know it will trigger a specific consequence.
However, Congress entrusted the Federal Reserve to develop a framework that balances these concerns with the ability to take early actions to prevent bank failures. Some commentators contend that the Federal Reserve’s partial measures do not satisfy Congress’s intent.[48] Subject-matter experts we interviewed noted, and Federal Reserve officials acknowledged, that key aspects of the 2012 proposed rule designed to implement section 166 remain unimplemented. These include the proposed rule’s restrictions on capital distributions, market-based triggers, and changes to the liquidity coverage ratio, which are not currently part of the Federal Reserve’s existing regulatory framework.[49]
In our March 2024 report, we recommended that Congress consider requiring the adoption of noncapital triggers that require early and forceful regulatory actions tied to unsafe banking practices before they impair capital.[50] As noted, section 166 already includes such triggers. In addition, since 2023, an interagency working group on liquidity involving FDIC, the Federal Reserve, and OCC has been meeting weekly. According to officials, the group is working to address the types of liquidity deficiencies that contributed to losses at a number of banks, including Silicon Valley Bank, Signature Bank, and First Republic Bank.[51] Officials did not provide a time frame for when any proposal by the group would be finalized.
In the meantime, by issuing a regulation to fully implement section 166, the Federal Reserve would help achieve the statutory goal of minimizing the risk of insolvency among nonbank financial companies and certain bank holding companies, thereby promoting financial stability.
FDIC Generally Followed Guidance for Selected Concerns, but Weaknesses in Escalation Processes Risk Inconsistent Action
FDIC generally followed guidance for communicating key details of supervisory concerns to selected institutions. However, certain limitations in FDIC data and policies—such as a lack of vetting procedures for large bank examination findings and rotation requirements for case managers—may hinder its escalation of concerns.
FDIC Generally Adhered to Guidance for Communicating Selected Supervisory Concerns
Required Communication Components
FDIC generally followed guidance for communicating key details of concerns to institutions in our review of a nongeneralizable sample of communications of supervisory concerns. Across all communications of supervisory concerns we reviewed, 323 of 341 (95 percent) included most or all of the components instructed in FDIC’s guidance.[52] See appendix II for details on FDIC’s adherence to communication requirements.
In 2019, we found that some FDIC supervisory communications from a sample of three institutions did not provide information on the cause of supervisory concerns.[53] We recommended that FDIC update its policies and procedures on communications of supervisory recommendations to institutions to provide more complete information, such as the likely cause of the problem or deficient condition, when practicable. In 2019, FDIC reported that it had formalized its policies and procedures on root cause analysis, which addressed our recommendation. We found that 130 of the 163 communications in our sample (80 percent) from January 2020 through May 2023 (after the guidance was in place) identified a cause.
FDIC’s guidance on communicating supervisory concerns also includes additional instructions, such as for describing the deficiency (including an introductory statement, a description of the concern, and the corrective action needed); reminding institutions’ management of the importance of addressing issues; listing supervisory concerns in order of importance; and communicating clearly. FDIC examiners generally followed these instructions in the nongeneralizable sample of communications we reviewed.
Timeliness of Communication
FDIC has established internal goals for timely sharing of information with institutions.[54] One goal is the timely transmission of safety and soundness reports to financial institutions, such that reports issued within a 12-month period have an overall median time frame of 75 days from the on-site examination start date to report transmission. Another goal is completion of report processing—from finishing field work to sending the report to the institution—within a median time frame of 45 days over a 12-month period. A 2018 memorandum clarifies that these median timeliness goals are not requirements for individual examinations and that the goals exclude institutions subject to the continuous examination process.
In 2024, FDIC reported on examination turnaround times and noted that the agency met its internal goals for timely communications.[55] Specifically, FDIC’s analysis showed that over a 12-month period, the time frames for issuing reports of examination had a median turnaround time of 60 days from the start of the examination and a median processing time of 25 days after field work was complete.
FDIC’s internal goals for sharing timely examination information with institutions are broad and allow for variation. Examiners we spoke with explained that delays can occur due to certain circumstances, such as changes to a bank’s CAMELS ratings, supervisory issues related to trust and information technology, or the need for significant edits to initial findings made by the regional office or state regulator during joint examinations.
Institutions’ Response to and Remediation of Concerns
FDIC policy requires examiners to discuss tentative findings and supervisory recommendations with the financial institution’s management prior to the conclusion of an examination and to provide management an opportunity to respond. Agency policy also states that in some cases, supervisory communications can request that the bank provide a written response to the examination, although it does not specify a required time frame for these responses. In the nongeneralizable sample of 341 supervisory communications we reviewed, 288 (84 percent) specified a required response date. Institutions generally met this requirement and provided a committed remediation date.[56] The expected remediation time frames were generally longer for large and regional institutions than for small institutions.[57]
FDIC requires interim contacts with institutions to monitor progress on matters requiring board attention and supervisory recommendations. Case managers are to review institution management’s response to examination reports and follow up on the disposition and resolution of these concerns between examinations. However, in August 2023, FDIC revised its escalation guidance to require examiners to consider elevating a supervisory recommendation to a matter requiring board attention, and a matter requiring board attention to an enforcement action, if the concern is repeated or uncorrected at the next examination cycle. If examiners choose not to escalate, they must provide written justification to regional office management.
FDIC officials told us that they expect institutions to remediate supervisory recommendations (other than matters requiring board attention) during the normal course of business, meaning institutions should generally address supervisory recommendations within months of receiving the report of examination. FDIC expects institution boards of directors to remediate matters requiring board attention within an examination cycle. However, not all concerns close within this time frame.[58] FDIC examiners from one institution told us remediation can take longer for larger institutions, especially if the issue involves information technology or enterprise-wide response across multiple units. In the case of Signature Bank, supervisory concerns related to liquidity issues were identified in the 5 years before the bank failed.[59] See appendix III for details on FDIC’s closure of supervisory concerns.
Certain Limitations in FDIC Data and Policies May Hinder Its Effective Escalation of Concerns
FDIC Does Not Have a Central Tracking System for Supervisory Recommendations
FDIC’s existing tracking methods do not provide headquarters managers and staff with readily available information on supervisory recommendations.[60] Supervisory recommendations refer to FDIC communications with an institution that are intended to inform the institution of FDIC’s views about changes needed in its practices, operations, or financial condition. When we requested data on these recommendations, FDIC staff had to manually compile and process spreadsheets created by examiners to provide the necessary information. For community banks, officials told us that the request would require extracting supervisory recommendation data from examination documentation, as it was not otherwise readily available. In contrast, OCC and the Federal Reserve centrally track all their supervisory concerns and provided readily available data.
Federal internal control standards state that management should use quality information to achieve objectives.[61] Quality information is appropriate, current, complete, accurate, accessible, and provided on a timely basis. Management uses quality information to make informed decisions and evaluate the entity’s performance in achieving key objectives and addressing risks.
The absence of centralized tracking of supervisory recommendations prevents FDIC from leveraging these data to identify emerging risks and target its reviews more effectively. According to an analyst in the Large Bank Supervision Branch, the absence of centralized tracking has hindered efforts to aggregate related issues across institutions, limiting opportunities for horizontal examinations (i.e., examining the same issue across multiple institutions).[62] Because supervisory recommendations are common and may detect key issues early, implementing centralized tracking could help FDIC managers and examiners identify common emerging risks across all supervised institutions.
In addition, the absence of centralized tracking hinders FDIC’s ability to ensure proper implementation of its new policy of escalating concerns after one examination cycle. Currently, individual examination teams may be aware of when supervisory recommendations are opened and escalation is triggered, but recommendations are not tracked in the aggregate. Without centralized tracking of supervisory recommendations, FDIC management does not have the comprehensive visibility needed to ensure consistent application of the new policy across examination teams.
FDIC Lacks Processes to Ensure Managers Formally Consult Large Bank Examiners on Escalation
FDIC uses composite CAMELS ratings to determine whether to escalate a supervisory concern to an enforcement action. FDIC’s Formal and Informal Enforcement Actions Manual states that formal or informal enforcement actions are typically taken against an institution with a composite CAMELS rating of 3 or worse. In addition, FDIC requires examiners to consider elevating a matter requiring board attention to an enforcement action if the matter is repeated or uncorrected at the end of an examination cycle. If an examiner believes such a case does not warrant escalation, the examiner must provide written justification to regional office management, which makes a final determination.[63] In addition, the manual includes 11 factors to consider in determining whether to take informal or formal enforcement actions, regardless of the CAMELS rating.
FDIC officials described their process for making key examination decisions, including decisions about escalation, as iterative, with ongoing communications during supervisory activities. According to FDIC procedures, case managers should discuss any significant changes to examination findings with examiners in charge prior to finalizing the report. In addition, FDIC procedures require case managers to complete a feedback form for examiners in charge, which provides reasons for substantive report changes. These procedures apply to both Point-in-Time Examination and Continuous Examination process case managers.
However, unlike OCC and the Federal Reserve, FDIC does not require “vetting” meetings for managers (including case managers, assistant regional directors, deputy regional directors, and regional directors) to formally consult with examination teams and other stakeholders before making substantive decisions about examination findings, including those related to escalation. Although managers generally are required to consult with examiners in charge before making substantial changes to examination findings, FDIC does not require managers to also consult with other stakeholders, including the dedicated or designated examination team reporting to the examiner in charge and specialists in the Large Bank Supervision division. In contrast, OCC and Federal Reserve large bank vetting meetings include managers, examiners, subject-matter experts, and other stakeholders. Several OCC and Federal Reserve examiners we spoke with described the benefits of collaborative work, including the vetting meetings used to reach agreement on examination findings and escalation decisions.
In our interviews, examiners cited examples of changes made to examination reports without the examiners’ knowledge that may indicate threats to the objectivity and independence of the decision-making process. FDIC examiners and examiners in charge at two of the four institutions we selected for examiner interviews described cases where substantial changes or deletions were made to substantive examination findings without their input. Also, one examiner in charge described an instance when certain findings were removed from the examination report without consultation. This examiner in charge did not learn about the changes until seeing the final examination report as it was shared with the institution.
Examiners for another institution noted that managers sometimes but not always consult with them on changes to findings. For example, the examination team cited an instance where management added a violation to the examination report without explanation or supporting evidence in the workpapers.
A process for managers to consult with examination teams and other stakeholders is particularly important for institutions supervised under the Continuous Examination process. These institutions are larger and more complex, and, as FDIC staff explained, examination findings are more specialized. In contrast, institutions supervised through the Point-in-Time Examination process are smaller, less complex, and, according to FDIC staff, examiners-in-charge are typically more involved in all aspects of the examination.
Federal internal control standards state that management should identify, analyze, and respond to risks related to achieving the defined objectives.[64] Management should also design control activities to achieve objectives and respond to risks. In addition, in previous work, we identified policies that agencies can use to mitigate threats to independence.[65] One policy includes incorporating layers of review that involve individuals with differing perspectives, incentives, and relationships with industry. Agencies can also promote transparency by documenting the full decision-making process to include divergent views and the rationale or evidence used to resolve them.[66]
OCC and the Federal Reserve have processes for managers to consult with large bank examination teams and other stakeholders before making substantive changes to examination findings. Without a similar documented process, FDIC faces increased risk that decisions related to Continuous Examination process institutions may not be fully independent or grounded in evidence gathered during examinations.
Lack of Rotation Requirements for FDIC Large Bank Case Managers Can Threaten Independence
FDIC officials told us that case managers for Continuous Examination process institutions are not required to rotate assignments after a certain number of years. In contrast, the Federal Reserve and OCC require individuals in similar roles to rotate every 5 years.[67] Officials told us that FDIC does have a 5-year rotation requirement for individuals whose job responsibilities meet certain criteria. In prior work, we reported that FDIC requires examiners in charge to rotate.[68] But, FDIC officials said these criteria do not apply to case managers, who are not subject to this policy.
However, we found that FDIC’s criteria for rotations align with the tasks and interactions of case managers for Continuous Examination process institutions. Specifically, FDIC policy requires rotations for individuals when (1) the primary portion of their tasks involves continuing, broad, and lead responsibility for examining an institution and (2) they are required to interact routinely with financial institution officers and staff and to have on-site presence. According to FDIC procedures, case managers serve as primary points of contact for Continuous Examination process institutions and are responsible for
· ensuring supervisory strategies are appropriate and revised as needed;
· reviewing and analyze reports of examination, applications, investigations, and other correspondence involving the institution;
· developing informal and formal programs to correct deficiencies in the operations and condition of the institution; and
· coordinating all communications with the institution.
While case managers may not meet all of FDIC’s criteria for rotation requirements—specifically, they do not always have an on-site presence—they play a key role in the supervisory process and have important decision-making authority. When case managers are assigned to the same institution for long periods, they risk developing close relationships with institution management, which can threaten their independence and interfere with supervision outcomes.
Additionally, examiners and examiners in charge from two selected institutions described instances of case managers exhibiting biased behavior, including informal meetings between case managers and institutions that may not have been appropriate. As previously discussed, several examiners also described instances where managers overrode examiner assessments of an institution’s condition without consulting with examinations teams or providing adequate support.
In 2019, FDIC identified regulatory capture as a risk through its risk identification process.[69] Federal internal control standards state that management should identify, analyze, and respond to risks related to achieving the defined objectives.[70] Management should also design control activities to achieve objectives and respond to risks. In addition, in previous work, we identified policies that agencies can use to mitigate threats to independence.[71] In particular, we found that agencies can mitigate threats to independence by implementing policies that require staff in key decision-making roles to rotate, so as to mitigate the impact of any one employee.
As noted earlier, FDIC has rotation policies in place for examiners in charge. Rotation requirements for Continuous Examination process case managers could also help ensure they maintain their supervisory independence.
Conclusions
The March 2023 bank failures raised questions about the regulators’ ability to escalate safety and soundness concerns, such as weak corporate governance and risk management practices, before they materially affect a bank’s financial condition. We identified several issues that could affect the Federal Reserve’s and FDIC’s ability to escalate concerns effectively:
· The Federal Reserve’s lack of specific regulation or enforceable guidelines to escalate supervisory concerns about corporate governance and risk management may hinder its ability to take early, forceful regulatory action against unsafe banking practices before they compromise an institution’s capital.
· Congress recognized the importance of early intervention in financial institution supervision when it enacted the Dodd-Frank Act’s section 166, which requires the Federal Reserve to develop early remediation standards for large bank holding companies. However, more than 14 years later, the Federal Reserve has yet to issue a regulation fully implementing section 166. By doing so, it would help lessen the risk of insolvency among certain financial institutions, thereby protecting financial stability.
· FDIC does not centrally track supervisory recommendations, which are common and can help the agency detect key issues early, as it does matters requiring board attention. Central tracking of supervisory recommendations could help management identify emerging risks earlier across all supervised institutions.
· By implementing procedures for managers—including case managers, assistant regional directors, and regional directors—to consult with the entire Continuous Examination process examination team and relevant stakeholders before making substantive changes to examination findings, FDIC could better ensure its escalation decisions are independent and grounded in the evidence gathered during examinations.
· Rotation requirements for Continuous Examination process case managers after a certain number of years could help FDIC prevent regulatory capture and ensure that case managers for Continuous Examination process institutions maintain their supervisory independence.
Recommendations for Executive Action
We are making the following five recommendations, including two to the Federal Reserve and three to FDIC:
· The Chair of the Federal Reserve should determine whether to promulgate a regulation or enforceable guidelines on corporate governance and risk management under section 39 of the Federal Deposit Insurance Act, consistent with those issued by the other regulators, and document steps taken to make this determination. (Recommendation 1)
· The Chair of the Federal Reserve should issue a regulation to implement remaining open portions of section 166 of the Dodd-Frank Act, taking into account prior proposals and public comments. (Recommendation 2)
· The Chair of FDIC should develop a central database for recording and reporting supervisory recommendations, similar to that used for matters requiring board attention. (Recommendation 3)
· The Chair of FDIC should establish procedures, such as vetting meetings, for the Continuous Examination process program to ensure that managers formally consult with the examination team and relevant stakeholders before making substantive changes to examination findings. Such vetting meetings should be documented and include any divergent views that arise. (Recommendation 4)
· The Chair of FDIC should consider a requirement that case managers for Continuous Examination process institutions periodically rotate assignments. (Recommendation 5)
Agency Comments and Our Evaluation
We provided a draft of this report to OCC, the Federal Reserve, and FDIC for review and comment. The Federal Reserve and FDIC provided written comments, which are provided in appendix IV and V, respectively. OCC, the Federal Reserve, and FDIC provided technical comments, which we incorporated as appropriate.
In its comments, the Federal Reserve neither agreed nor disagreed with our recommendations. The Federal Reserve said it recognizes the importance of using available supervisory tools to require firms to timely and fully remediate issues identified through the supervisory process that may pose a threat to an institution’s safety and soundness. The Federal Reserve also said it has been modifying supervisory processes so that once material issues are identified, they are addressed more quickly by both bankers and supervisors.
Regarding the first recommendation, the Federal Reserve stated that it will evaluate its existing applicable standards and expectations to determine the appropriateness of promulgating a new regulation or enforceable guidelines on corporate governance and risk management at state member banks and holding companies.
Regarding the second recommendation, the Federal Reserve stated that it will continue to consider how to address any residual elements of section 166 of the Dodd-Frank Act in a manner consistent with the statutory language and without creating unintended consequences.
In its comments, FDIC expressed concern that some findings in the draft report appeared to be based solely on interviews with individual examiners and did not appear to consider the views of others or supporting documentation for context. We conducted the interviews to obtain examiner perspectives on escalation of supervisory concerns. In light of concerns raised in a report commissioned by FDIC’s Board of Directors on allegations of sexual harassment and interpersonal misconduct at FDIC, as well as concerns about retaliation expressed by examiners-in-charge and examiners we interviewed, we agreed to provide anonymity to encourage open and honest discussion on escalation practices.[72] Therefore, we did not disclose to FDIC management the specific details shared during these interviews. However, after the interviews, we met with FDIC management to ask questions related to what we heard and later sent follow-up written questions seeking further clarification.
FDIC agreed with our first recommendation to centrally track supervisory recommendations and will explore interim technology solutions for doing so.
FDIC generally agreed with our second recommendation to formally consult with the entire examination team and relevant stakeholders before making substantive changes to examination findings. On the basis of FDIC’s comments, we revised our recommendation to include only the Continuous Examination process. We made this revision in recognition of the large volume and small size of institutions in the Point-in-Time Examination process, and we note that institutions under the Continuous Examination process are more comparable to those institutions supervised by OCC and the Federal Reserve, which also employ such vetting meetings.
FDIC disagreed with our third recommendation for rotation requirements for case managers. FDIC stated that the report does not recognize that the case manager position is a separate and important part of FDIC lines of defense both against regulatory capture and for ensuring consistency with examination policies. FDIC stated the report also does not consider other controls for mitigating the potential risk of regulatory capture of case managers, including controls that were acknowledged in our 2020 report on regulatory capture.[73] FDIC stated that because the Federal Reserve and OCC do not utilize a similar case manager position, it was not clear what positions at those agencies we used for comparison. FDIC also stated that case managers are not required “to have on-site presence,” as they work in regional offices and would only have an on-site presence at banks in their portfolio for occasional meetings.
We maintain that rotation requirements for case managers should be considered. Our 2020 report on regulatory capture at FDIC focused on risk of regulatory capture of examination staff, for which case managers serve as a control for regulatory capture. In this report, our evidence led us to consider the potential risk of capture to FDIC management, including case managers, assistant regional directors, and regional directors. We found that the risk of capture exists, particularly regarding FDIC supervision of Continuous Examination process institutions. We continue to believe that rotation requirements for case managers at these institutions would be an important protection against capture.
However, we revised the recommendation to apply only to case managers involved in supervision of Continuous Examination process institutions, which are the largest and most complex FDIC-supervised banks. We acknowledge that a blanket rotation requirement for all FDIC case managers could be onerous and may not properly consider the large volume, small size, and less complex nature of the majority of FDIC-supervised institutions. In addition, we edited the report to acknowledge that case managers are not required to have on-site presence.
We are sending copies of this report to the appropriate congressional committees, OCC, the Federal Reserve, FDIC, and other interested parties. In addition, the report will be available at no charge on the GAO website at http://www.gao.gov.
If you or your staff have any questions about this report, please contact me at (202) 512-8678 or clementsm@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this report are listed in appendix VI.
Michael E. ClementsDirector, Financial Markets and Community Investment
List of Addressees
The Honorable Sherrod Brown
Chairman
Committee on Banking, Housing, and Urban Affairs
United States Senate
The Honorable Catherine Cortez
Masto
United States Senate
The Honorable John Fetterman
United States Senate
The Honorable Jack Reed
United States Senate
The Honorable Kyrsten Sinema
United States Senate
The Honorable Tina Smith
United States Senate
The Honorable Jon Tester
United States Senate
The Honorable Chris Van Hollen
United States Senate
The Honorable Mark R. Warner
United States Senate
The Honorable Raphael Warnock
United States Senate
The Honorable Elizabeth Warren
United States Senate
This report examines communication of supervisory concerns and the processes and policies for escalating supervisory concerns for the three federal banking regulators: (1) the Office of the Comptroller of the Currency (OCC), (2) the Board of Governors of the Federal Reserve System (Federal Reserve), and (3) the Federal Deposit Insurance Corporation (FDIC).
Review of Supervisory Communications
Selection of Institutions
We reviewed OCC, Federal Reserve, and FDIC supervisory documentation from the 2018 through 2022 supervisory cycles, the most recent annual supervisory cycles at the time of our review, to assess their communications of supervisory concerns to depository institutions. We selected 20 depository institutions from each regulator for a nongeneralizable sample of 60 institutions.[74] We selected institutions with (1) a range of asset sizes; (2) CAMELS (capital adequacy, asset quality, management, earnings, liquidity, and sensitivity to market risk) ratings of 2 or 3, as of 2022; (3) geographic diversity in the federal regulators’ regional offices overseeing the institutions; and (4) the institutions with the highest total number of supervisory concerns issued by the regulators from January 2018 through May 2023, the most current data available at the time of our review.[75]
To select institutions with a range of asset sizes, we defined three asset-size categories: (1) large institutions had $100 billion or more in assets, (2) regional institutions had $10 billion–$100 billion, and (3) community institutions had less than $10 billion.[76] The nongeneralizable sample for each regulator consisted of five large depository institutions, 10 regional depository institutions, and five community depository institutions. We selected a larger number of regional institutions because (1) they have greater complexity in terms of their business lines and products than community depository institutions, and (2) Silicon Valley Bank and Signature Bank (each of which failed in 2023) were considered regional depository institutions based on their asset size in 2018 but rapidly grew to over $100 billion in assets.
We selected depository institutions assigned a CAMELS composite rating of either 2 or 3 as of 2022 because these ratings can indicate supervisory issues that the regulators should communicate to an institution early. We selected depository institutions from the different locations of FDIC regional offices, Federal Reserve Bank districts, and OCC regional offices to ensure some geographical diversity in the sample.
We selected depository institutions that had the highest numbers of supervisory concerns among depository institutions supervised by FDIC, the Federal Reserve, and OCC from 2018 through 2022.
Selection of Supervisory Concerns
Because our review focused on safety and soundness concerns, we selected supervisory concerns related to these issues. Specifically, for depository institutions supervised by OCC and the Federal Reserve, we focused our review on safety and soundness concerns (excluding concerns related to consumer compliance, anti–money laundering, information technology, and trust/wealth management).[77] We further narrowed the review to the three risk categories with the highest numbers of supervisory concerns from 2018 through 2022. For OCC, these categories were (1) Management, (2) Capital Markets, and (3) Commercial Credit Risk.[78] For the Federal Reserve, they were (1) Governance and Controls/Management, Risk Management, Internal Controls, (2) Credit Risk, and (3) Market Risk. Other than matters requiring board attention, FDIC does not centrally track supervisory recommendations, so we could not determine which categories had the highest numbers of supervisory concerns. Therefore, we reviewed concerns related to the same categories we selected for the Federal Reserve.
Data Collection Instrument
For each of the 60 sampled institutions, we collected the following supervisory documentation dated from January 2018 through May 2023: (1) annual reports of examination, (2) supervisory letters resulting from target examinations, (3) the institutions’ written responses regarding remediation of supervisory concerns, and (4) the regulators’ documentation on the remediation and closing of the concerns.
We created data collection instruments to aid our review of these documents and our assessment of whether the regulators adhered to their communication criteria. For each regulator, the data collection instrument listed the regulator’s communication criteria, and as we reviewed the documentation for the selected supervisory concerns, we marked whether the documentation contained each required element.
We identified each regulator’s requirements for communicating supervisory concerns in its policies and procedures, the FDIC Division of Risk Management Supervision’s Manual of Examination Policies and Continuous Examination Process Procedures, the Federal Reserve’s Commercial Bank Examination Manual, and OCC’s Bank Supervision Process Handbook.
In completing the data collection instruments, one analyst reviewed a supervisory document, such as an annual examination report or a supervisory letter where supervisory concerns are described. The analyst determined whether the communication aligned with the regulator’s guidance and recorded “yes” or “no,” accompanied by explanatory notes. A second analyst reviewed the initial assessment to determine agreement or disagreement. In cases of disagreement, the two analysts discussed and reconciled their differences.
We also collected from the supervisory documents (1) the time frame set by the regulators for each institution to respond to the supervisory concerns, (2) the actual time frame within which each institution submitted a written response to the regulators, and (3) the expected time frame for each institution to implement corrective actions in response to supervisory concerns, among other items.
In total, we completed data collection instruments for 546 concerns across the 60 sampled institutions: 101 from OCC, 104 from the Federal Reserve, and 341 from FDIC.
Review of Administrative Data
To assess the regulators’ supervisory concern data, we collected administrative data from OCC, the Federal Reserve, and FDIC to produce descriptive statistics on supervisory concerns issued from January 2018 through May 2023. These descriptive statistics included the number of supervisory concerns, the dates when the concerns were opened and closed, and the number of concerns for specific supervisory categories, among other items. We assessed the completeness and reliability of the data by performing electronic data testing to identify missing values, logical inconsistencies, outliers, or duplicates. We determined the data were sufficiently reliable for assessing timeliness of the closing of supervisory concerns.
Many supervisory concerns were still open when we received the administrative data from the regulators, preventing us from calculating the full duration of all concerns. For this reason, we used the life table method of survival analysis to estimate a concern’s probability of remaining open or closing as a function of time, up to the end of the observation period (May 31, 2023). In our survival analysis, the dependent variable was composed of two parts: (1) the time in days from when a concern was issued until it was closed and (2) whether closure was observed.[79]
Review of Escalation Policies and Practices
To examine the regulators’ policies for escalating supervisory concerns to enforcement actions, we reviewed their escalation guidance in OCC’s Policies and Procedures Manual, the Federal Reserve’s Commercial Bank Examination Manual, and FDIC’s Risk Management Manual of Examination Policies. We compared these policies against applicable federal standards for internal control, such as the principles that management should define objectives clearly to enable risk identification and definition of risk tolerances.[80]
We also analyzed laws and regulations, including the Federal Deposit Insurance Corporation Act, as amended; section 166 of the Dodd-Frank Wall Street and Reform and Consumer Protection Act, passed in 2010; and the Economic Growth, Regulatory Relief, and Consumer Protection Act, passed in 2018, to assess their potential effect on regulators’ ability to escalated concerns. We analyzed OCC’s “heightened standards” on corporate governance regulation and FDIC’s proposed guidelines on corporate governance and risk management. In addition, we reviewed material loss reports on Silicon Valley Bank, First Republic Bank, and Signature Bank from the Office of the Inspector General of the Federal Reserve Board and FDIC’s Office of Inspector General.
To understand escalation practices, we interviewed examiners in charge and other examination team members from three institutions per regulator (selected from the original sample of 60 institutions). We discussed their application of escalation guidance and any impediments to escalating supervisory concerns to enforcement actions. We interviewed team members from a fourth FDIC institution later in the review. The 16 examination teams we interviewed were responsible for examining the depository institutions from January 2018 to March 2023. We interviewed 109 examiners across the three regulators. We selected these teams to include, for each regulator, (1) one institution from each of the asset groups (large, regional, and community); (2) at least one failed or liquidated institution; (3) institutions with supervisory concerns that had been open for longer periods relative to similar institutions; and (4) institutions from different geographic regions.
We also interviewed seven experts in the fields of banking, finance, and economics. In selecting the experts, we sought a range of perspectives from academia, industry associations, and think tanks. We identified the experts through online research. To select these experts, we considered factors including the individuals’ credentials, experience and standing, previous published work, and whether they had recent publications related to the March 2023 bank failures and other topics related to our objectives.
We conducted this performance audit from April 2023 to November 2024 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.
Appendix II: Analysis of Federal Banking Regulators’ Compliance with Their Guidance on Communication of Supervisory Concerns
The federal banking regulators—the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation—each have their own guidance for examiners regarding written communications of supervisory concerns. However, we identified five common elements that are consistently included:
1. Condition or issue
2. Cause of the condition or issue
3. Potential effect or consequence of the condition or issue
4. Corrective action required to remediate the condition or issue
5. Date by which institution commits to remediate the condition or issue
For our nongeneralizable sample of 60 institutions, we analyzed the extent to which the regulators followed their guidance in reports of examination and target examination supervisory letters from January 2018 through May 2023. While all the regulators included the first and fourth elements cited above in their communications, the extent to which they included the other elements varied (see figs. 1–3).
See appendix I for more information on the methodology we used to collect and analyze the data.
Figure 1: Federal Banking Regulators’ Communication of the Cause of Supervisory Concerns, January 2018–May 2023
Note: This figure reflects the extent to which the cause of supervisory concerns was included in reports of examination and target examination supervisory letters for our nongeneralizable sample of 60 institutions from January 2018 through May 2023.
Figure 2: Federal Banking Regulators’ Communication of the Potential Effect of Supervisory Concerns, January 2018–May 2023
Note: This figure reflects the extent to which the potential effect of supervisory concerns was included in reports of examination and target examination supervisory letters for our nongeneralizable sample of 60 institutions from January 2018 through May 2023.
Figure 3: Financial Institutions’ Commitment to Remediate Supervisory Concerns, January 2018–May 2023
Note: This figure reflects the extent to which financial institutions committed to remediate supervisory concerns by a certain date in their responses to reports of examination and target examination supervisory letters for our nongeneralizable sample of 60 institutions from January 2018 through May 2023. “Unknown” values represent instances when we could not definitely determine whether a specific date was provided by which the institution committed to remediate the supervisory concern.
Appendix III: Analysis of Federal Banking Regulators’ Supervisory Concerns Issued from January 2018 through May 2023
The following figures present analysis of administrative data from the federal banking regulators on supervisory concerns from January 2018 through May 2023. The regulators are the Office of the Comptroller of the Currency, Board of Governors of the Federal Reserve System, and Federal Deposit Insurance Corporation.
Number of Supervisory Concerns and Enforcement Actions by Type
Figure 4: Office of the Comptroller of the Currency, Number of Supervisory Concerns and Enforcement Actions, by Type, January 2018–May 2023
Note: “Total closed” refers to closed concerns among those that were opened from January 2018 through May 2023. For informal and formal enforcement actions, we did not calculate the total number closed.
Figure 5: Board of Governors of the Federal Reserve System, Number of Supervisory Concerns and Enforcement Actions, by Type, January 2018–May 2023
Note: Totals for matters requiring attention and matters requiring immediate attention include state member banks, domestic bank holding companies, domestic financial holding companies, domestic intermediate holding companies, savings and loan institutions, and savings and loan holding companies. “Total closed” refers to closed concerns among those that were opened from January 2018 through May 2023.
Figure 6: Federal Deposit Insurance Corporation, Number of Supervisory Concerns and Enforcement Actions, by Type, January 2018–May 2023
Note: For institutions in the Point-in-Time Examination program, supervisory recommendations and informal enforcement actions are omitted because FDIC did not have readily available data. For institutions in the Point-in-Time Examination program from January 2018 through June 2020, FDIC tracked matters requiring board attention in “groups,” which may represent multiple matters. Starting in July 2020, FDIC tracked these matters individually. Therefore, the total number of matters requiring board attention for institutions in the Point-in-Time Examination program is reported in both “ungrouped” and “grouped” categories, which may lead to a significant undercount of the actual totals. “Total closed” refers to closed concerns among those that were opened from January 2018 through May 2023.
Number of Supervisory Concerns by Issue Area
Figure 7: Office of the Comptroller of the Currency, Number of Supervisory Concerns, Total Opened by Concern Examination Area, January 2018–May 2023
Note: The “BSA/AML” category includes matters related to the Bank Secrecy Act or anti–money laundering, and the “commercial credit” category includes matters related to commercial real estate risks.
Figure 8: Board of Governors of the Federal Reserve System, Number of Matters Requiring Attention and Matters Requiring Immediate Attention, Total Opened by Selected Issue Category, January 2018–May 2023
Note: Totals include state member banks, domestic bank holding companies, domestic financial holding companies, domestic intermediate holding companies, savings and loan institutions, and savings and loan holding companies. The issue categories include only those with the highest totals of matters requiring attention and matters requiring immediate attention, so the totals in this figure do not represent the complete numbers of matters issued during the period. “Capital planning and positions” and “credit risk” include matters related to commercial real estate risks. The “BSA/AML issues” category includes matters related to the Bank Secrecy Act or anti–money laundering.
Figure 9: Federal Deposit Insurance Corporation, Number of Matters Requiring Board Attention, Total Opened by Supervisory Category, Continuous Examination Program Institutions, January 2018–May 2023
Note: The supervisory categories listed include only categories with matters requiring board attention that match the categories for institutions in the Point-in-Time Examination program. As a result, the totals in this figure do not reflect the total number of matters requiring board attention issued during the period. The “IRR/STMR” category includes matters related to interest rate risk or sensitivity to market risk, and the “lending” category includes matters related to commercial real estate risks.
Figure 10: Federal Deposit Insurance Corporation, Number of Matters Requiring Board Attention, Total Opened by Supervisory Category, Point-in-Time Examination Program Institutions, July 2020–May 2023
Note: For institutions in the Point-in-Time Examination program from January 2018 through June 2020, FDIC tracked matters requiring board attention in “groups,” which may represent multiple matters. Starting July 2020, FDIC tracked these matters individually. This figure includes the total number of “ungrouped” matters requiring board attention for institutions in the Point-in-Time Examination program because “grouped” matters requiring board attention were not tracked by supervision category. The “IRR/STMR” category includes matters related to interest rate risk or sensitivity to market risk, and the “lending” category includes matters related to commercial real estate risks.
GAO Contact
Michael E. Clements, clementsm@gao.gov, 202-512-8678
Staff Acknowledgments
In addition to the contact named above, Winnie Tsen (Assistant Director), Philip Curtin (Analyst in Charge), Danielle Curet, Dahlia Darwiche, Nancy Eibeck, Jason Rodriguez, Jessica Sandler, Eric Schwab, Jennifer Schwartz, and Jena Sinkfield made key contributions to this report.
GAO’s Mission
The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony
The fastest and easiest way to obtain copies of GAO documents at no cost is through our website. Each weekday afternoon, GAO posts on its website newly released reports, testimony, and correspondence. You can also subscribe to GAO’s email updates to receive notification of newly posted products.
Order by Phone
The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s website, https://www.gao.gov/ordering.htm.
Place orders by calling (202) 512-6000, toll free (866) 801-7077,
or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information.
Connect with GAO
Connect with GAO on Facebook, Flickr, X, and YouTube.
Subscribe to our RSS Feeds or Email Updates. Listen to our Podcasts.
Visit GAO on the web at https://www.gao.gov.
To Report Fraud, Waste, and Abuse in Federal Programs
Contact FraudNet:
Website: https://www.gao.gov/about/what-gao-does/fraudnet
Automated answering system: (800) 424-5454 or (202) 512-7700
Congressional Relations
A. Nicole Clowers, Managing Director, ClowersA@gao.gov, (202) 512-4400, U.S. Government Accountability Office, 441 G Street NW, Room 7125, Washington, DC 20548
Public Affairs
Sarah Kaczmarek, Managing Director, KaczmarekS@gao.gov, (202) 512-4800, U.S.
Government Accountability Office, 441 G Street NW, Room 7149
Washington, DC 20548
Strategic Planning and External Liaison
Stephen J. Sanford, Managing
Director, spel@gao.gov, (202) 512-4707
U.S. Government Accountability Office, 441 G Street NW, Room 7814, Washington,
DC 20548
[1]Federal Deposit Insurance Corporation, Annual Report 2023 (Washington, D.C.: February 2024). In addition, the estimated cost of the 2023 failure of First Republic Bank to the Deposit Insurance Fund was $16.7 billion. The Deposit Insurance Fund is primarily funded by assessments levied on insured banks and savings associations and is used to cover all deposit accounts (such as checking and savings) at insured institutions, up to the insurance limit.
[2]GAO, Bank Regulation: Preliminary Review of Agency Actions Related to March 2023 Bank Failures, GAO‑23‑106736 (Washington, D.C.: Apr. 28, 2023).
[3]GAO, Bank Supervision: More Timely Escalation of Supervisory Action Is Needed, GAO‑24‑106974 (Washington, D.C.: Mar. 6, 2024).
[4]The Federal Reserve System consists of the Board of Governors, 12 Reserve Banks, and the Federal Open Market Committee. The Board of Governors is an independent federal agency whose responsibilities include promoting the stability of financial markets and supervising financial institutions. The Board of Governors has delegated the authority to examine financial institutions to the Reserve Banks.
[5]GAO‑24‑106974. As of August 2024, Congress had not passed legislation that would implement this recommendation.
[6]The supervisory documentation included (1) annual reports of examination, (2) supervisory letters resulting from target examinations, (3) responses from the institutions addressing the supervisory concerns, and (4) bank regulators’ documentation on remediation and closure of the concerns.
[7]Our sample did not include foreign bank institutions, such as branches and agencies; Edge Act corporations; bank holding companies; financial holding companies; credit card banks; or trust banks. However, the sample may have included savings banks, savings and loan associations, and industrial loan companies since these depository institutions accept insured deposits.
[8]In an examination, a depository institution is rated on each CAMELS component and then given a composite rating, which generally bears a close relationship to the component ratings. However, the composite is not an average of the component ratings. The component and composite ratings are scored on a scale of 1 (best) to 5 (worst). Regulatory actions typically correspond to the composite rating, with regulatory actions generally increasing in severity as ratings become worse. We selected depository institutions assigned a CAMELS composite rating of either 2 or 3 because these ratings can indicate supervisory issues that the regulators should communicate to an institution early.
[9]For this report, we use “depository institutions” to refer to institutions chartered as commercial banks or savings associations (or thrifts), but not institutions chartered as credit unions.
[10]Edge Act corporations are chartered by the Federal Reserve Board to conduct an international banking business. Agreement corporations are chartered by a state to engage in international banking.
[11]At institutions where FDIC is not the primary federal regulator, FDIC staff work with other regulatory authorities as a back-up regulator to identify emerging risks and assess the overall risk profile of large and complex institutions.
[12]Target examinations focus on one or two activities rather than assessing all the safety and soundness components of the CAMELS rating system.
[13]The selected concerns related to safety and soundness and reflected the three risk categories with the highest numbers of concerns: (1) Management, (2) Capital Markets, and (3) Commercial Credit Risk. One selected OCC institution did not have safety and soundness concerns within our scope.
[14]See Office of the Comptroller of the Currency, Comptroller’s Handbook, Bank Supervision Process, version 1.1 (Washington, D.C.: September 2019). We previously found that OCC’s guidance on communication of supervisory concerns is adequate. See GAO, Bank Supervision: Regulators Improved Supervision of Management Activities but Additional Steps Needed, GAO‑19‑352 (Washington, D.C.: May 14, 2019).
[15]For the three institutions we selected for interviewing examination teams, we reviewed data on selected supervisory concerns that were issued from January 2018 through May 2023. The selected concerns were the same three risk categories noted above.
[16]The estimated time frames for closing supervisory concerns were developed using the life table method of survival analysis (see app. I for more detail on our analysis).
[17]Office of the Comptroller of the Currency, Policies and Procedures Manual, PPM 5310-3 (Washington, D.C: May 25, 2023).
[18]GAO, Large Bank Supervision: OCC Could Better Address Risk of Regulatory Capture, GAO‑19‑69 (Washington, D.C.: Jan. 24, 2019).
[19]For the 20 institutions we selected for reviewing communication of supervisory concerns, we reviewed documentation for selected supervisory concerns that were issued from January 2018 through May 2023. The selected concerns related to safety and soundness and reflected the three risk categories with the highest numbers of concerns: (1) Management, (2) Capital Markets, and (3) Commercial Credit Risk. Two selected Federal Reserve institutions did not have safety and soundness concerns within our scope.
[21]For the Federal Reserve’s guidance for examiners on communication of supervisory concerns, see Board of Governors of the Federal Reserve System, Commercial Bank Examination Manual (Washington, D.C: May 2021).
[22]As we did for OCC, for the three institutions we selected for interviewing examination teams, we reviewed data on selected supervisory concerns that were issued between 2018 and 2023. The selected concerns related to safety and soundness and reflected the three risk categories with the highest numbers of concerns: (1) Governance and Controls/Management, Risk Management, Internal Controls; (2) Credit Risk; and (3) Market Risk.
[23]According to Federal Reserve policy, an institution’s response to a matter requiring immediate attention must include a committed remediation time frame as part of its action plan. An institution’s response to a matter requiring attention must include an action plan but does not require a committed remediation time frame.
[24]Institutions provided a committed remediation date in 70 of the 100 Federal Reserve supervisory concerns we reviewed for which a specific remediation date was applicable. For the remaining 30 supervisory concerns, the institutions did not include a specific date.
[25]Our review of administrative data on all 6,866 supervisory concerns that the Federal Reserve issued to supervised institutions from January 2018 through May 2023 found that an estimated 72 percent of concerns closed within 2 years, while approximately 15 percent closed between 2 and 3 years. Approximately 8 percent closed between 3 and 4 years. The estimated time frames for closing supervisory concerns were developed using the life table method of survival analysis.
[26]For the Federal Reserve’s guidance for examiners on factors to consider for escalation determinations, see the Commercial Bank Examination Manual (October 2023).
[27]GAO‑24‑106974. Federal Reserve officials told us that although they downgraded the bank's ratings in August 2022, the downgrades did not precipitate further supervisory action before Silicon Valley Bank’s failure.
[29]Both regulations and enforceable guidelines are authorized by Congress and go through the notice and comment process, and both are enforced as law.
[30]Board of Governors of the Federal Reserve System, Commercial Bank Examination Manual (Washington, D.C.: October 2023). See sections 3200.1, 4000.1, 4010.1, 4011.1, and 4012.1.
[31]Under section 39, the federal bank regulators were authorized to issue safety and soundness standards as regulations or enforceable guidelines. Based on this authority, the Federal Reserve has developed enforceable guidelines in multiple areas that can affect safety and soundness, including operations and management; compensation; and asset quality, earnings, and stock valuation. 12 U.S.C. § 1831p-1; 12 C.F.R. Appendix D-1 to Part 208. These standards do not apply to bank holding companies supervised by the Federal Reserve. If the Federal Reserve determines a bank failed to meet certain standards described in section 39, it may require the institution to file a safety and soundness plan specifying how it will correct the deficiency. If the institution fails to submit an acceptable plan or fails to materially implement or adhere to an approved plan, the regulator must order the institution to correct identified deficiencies. It also may take other enforcement actions pending correction of the deficiency.
[32]12 C.F.R. part 262 and Appendix A to Part 262.
[33]Role of Supervisory Guidance, 86 Fed. Reg. 18173, 18177 (April 8, 2021). OCC and FDIC issued similar rules. 86 Fed. Reg. 9253 (February 12, 2021) (OCC) and 86 Fed. Reg. 12,079 (March 2, 2021) (FDIC).
[34]12 U.S.C. § 5365 and 12 C.F.R. pt. 252.
[35]12 U.S.C. § 1818(b).
[36]See Board of Governors of the Federal Reserve System, Office of the Inspector General, Material Loss Review of Silicon Valley Bank, 2023-SR-B-013 (Washington, D.C.: Sept. 25, 2023).
[37]The Federal Reserve has corporate governance and risk management regulations for bank holding companies with total assets of $50 billion or more and less than $100 billion, but not state-member banks it supervises. 12 C.F.R. § 252.21-.22.
[38]12 C.F.R. part 30, Appendix D to Part 30.
[39]Guidelines Establishing Standards for Corporate Governance and Risk Management for Covered Institutions with Total Consolidated Assets of $10 Billion or More, 88 Fed. Reg. 70391 (Oct. 11, 2023). In the Spring 2024 Unified Agenda of Regulatory and Deregulatory Actions, FDIC lists December 2024 as the target date for a final rule. See https://www.reginfo.gov/public/do/eAgendaMain.
[40]Bank for International Settlements, Basel Committee on Bank Supervision, Report on the 2023 Banking Turmoil (October 2023). The report states that “it can be very difficult for some authorities to impose actions on banks that meet regulatory requirements (e.g., where a bank is not in breach of regulatory ratios or other prudential requirements), even though the authority may have identified risks that could threaten the bank’s safety and soundness. This is because supervision may be deemed to lack a legal basis for intervention, and therefore be subject to legal challenge and damage to the supervisor’s reputation. In these cases, the authorities may have to rely on less robust tools to incentivize banks to address risks, which may prove less effective.”
[41]Dodd-Frank Wall Street Reform and Consumer Protection Act, § 166, 124 Stat. 1376, 1432 (2010) (codified at 12 U.S.C. § 5366).
[42]We previously identified noncapital triggers, or tripwires, as including (1) problems involving internal or management controls over banking operations which have not yet resulted in high levels of nonperforming assets or operating losses; (2) problems in assets, earnings, management, or liquidity that have not yet impacted bank capital; (3) problems in bank operations that have impacted capital and deterioration have caused the bank to fall below minimum capital standards; and (4) problems that have depleted bank capital. We proposed that the enforcement process could be altered to (1) develop a series of measures to standardize definitions of unsafe and unsound practices within a CAMELS component and (2) tie specific enforcement actions to such measures. See GAO, Bank Supervision: Prompt and Forceful Regulatory Actions Needed, GAO/GGD‑91‑69 (Washington, D.C.: Apr. 15, 1991).
[43]12 U.S.C. § 5368 (establishing the deadline for early remediation rules).
[44]Enhanced Prudential Standards and Early Remediation Requirements for Covered Companies, 77 Fed. Reg. 594 (January 5, 2012).
[45]12 C.F.R. § 217.11(a)(4) and (c)(1); 12 C.F.R. § 225.8(f); and 12 C.F.R. § 252.63(c)(4).
[46]12 C.F.R. § 249.40(a)-(c) and 12 C.F.R. § 249.110(a)-(c).
[47]12 U.S.C. § 1843(m)(3)-(4); 12 U.S.C. § 5363(a)-(b); and 12 U.S.C. § 1818(b)(6)(B)-(F).
[48]See Jeremy C. Kress and Matthew C. Turk, “Rethinking Countercyclical Financial Regulation,” Georgia Law Review, vol. 56, no. 2 (2022): 495. See also David Portilla, “The March 2023 Banking Sector Turmoil: Policy Considerations for the Regulation of Large Banking Organizations,” American Bar Association (August 2023), https://www.americanbar.org/groups/business_law/resources/business-law-today/2023-august/march-2023-banking-sector-turmoil/.
[49]In the proposed rule to implement section 166, market-based triggers included equity-based indicators (expected default frequency, marginal expected shortfall, market equity ratio, and option-implied volatility) and debt-based indicators (credit default swaps and subordinated debt spreads). 77 Fed. Reg. 594, 640. The liquidity coverage ratio rule was adopted by the federal banking regulators in 2014 and requires a firm subject to the rule to maintain an amount of high-quality liquid assets that is equal to or greater than its total net cash outflows over a prospective 30-calendar-day stress period. Liquidity Coverage Ratio: Liquidity Risk Measurement Standard, 79 Fed. Reg. 61440 (October 10, 2014). The rule is designed to promote the short-term resilience of the liquidity risk profile of large and internationally active banking organizations, thereby improving the banking sector’s ability to absorb shocks arising from financial and economic stress, and to further improve the measurement and management of liquidity risk.
[50]GAO‑24‑106974. Section 38 of the Federal Deposit Insurance Act requires regulators to classify banks into one of five capital categories and take increasingly severe actions, known as prompt corrective action, as a bank’s capital deteriorates. Section 39 of the act directs regulatory attention to a bank’s operations and activities in multiple areas aside from capital that also can affect safety and soundness.
[51]See, for example, Federal Deposit Insurance Corporation, Office of the Inspector General, Material Loss Review of First Republic Bank, EVAL-24-03 (Nov. 28, 2023).
[52]For FDIC’s guidance for examiners on communication of supervisory concerns, see Federal Deposit Insurance Corporation, RMS Manual of Examination Policies, Section 16.1, Report of Examination Instructions (January 2022), and Section 20.1, Risk-Focused, Forward-Looking Safety and Soundness Supervision (April 2021).
[54]Federal Deposit Insurance Corporation, Risk Management Manual of Examination Policies (July 8, 2024). See section 20.1.
[55]“Transparency & Accountability—Bank Examinations,” Federal Deposit Insurance Corporation, accessed April 25, 2024, https://www.fdic.gov/transparency/examination.html#.
[56]Institutions provided a committed remediation date in 251 of the 286 FDIC supervisory concerns we reviewed for which a specific remediation date was applicable. For the remaining 35 supervisory concerns, the institutions did not include a specific date.
[57]According to our review of a nongeneralizable sample of 341 supervisory concerns issued and closed between 2018 and May 2023, the median number of days from the initial date of the concern to the committed remediation date was 202 and 169 days for large and regional banks, respectively, and 105 days for small banks.
[58]Our review of administrative data on all 3,793 supervisory recommendations and matters requiring board attention that FDIC issued to institutions subject to continuous examination from January 2018 through May 2023 found that an estimated 80 percent of concerns closed within 2 years, while approximately 14 percent closed between 2 and 3 years. Approximately 2 percent closed between 3 and 4 years. Our review of administrative data on all 1,553 matters requiring board attention that FDIC issued to institutions subject to point-in-time examination from July 2, 2020, through May 2023 found that an estimated 89 percent closed within 2 years, while approximately 6 percent closed between 2 and 3 years. The estimated time frames for closing supervisory concerns were developed using the life table method of survival analysis.
[59]Signature Bank failed before FDIC revised its guidance in August 2023 to require examiners to consider escalation of supervisory concerns that remain uncorrected after one examination cycle.
[60]As described earlier, FDIC uses four supervisory concern types that depend on the severity of an issue, including enforcement actions. Supervisory recommendations, used for minor and serious concerns that should be corrected in the normal course of business, are not centrally tracked. However, matters requiring board attention, used for more serious concerns that require immediate board attention, are centrally tracked.
[61]GAO, Standards for Internal Control in the Federal Government, GAO‑14‑704G (Washington, D.C.: Sept. 10, 2014).
[62]FDIC’s Large Bank Supervision Branch participates in reviews of supervisory plans at institutions reviewed as part of the continuous examination process, including performing horizontal reviews of a single issue at several institutions, and it assists examination teams as needed.
[63]Federal Deposit Insurance Corporation, “Supervisory Recommendations.” The memorandum also advises examiners to elevate concerns to at least a matter requiring board attention if supervisory recommendations are repeated or remain uncorrected at the next examination cycle.
[66]GAO, Bank Supervision: FDIC Could Better Address Regulatory Capture Risks, GAO‑20‑519 (Washington, D.C.: Sept. 4, 2020).
[67]The Federal Reserve generally requires central points of contact in the Large and Foreign Banking Organization program to rotate every 5 years. In prior GAO work, we reported that OCC requires examiners in charge in the Large Bank Supervision program to rotate every 5 years.
[68]Specifically, we reported that FDIC prohibits examiners in charge of large institutions’ safety and soundness examinations from serving in the role for more than a 5-year term for the same institution. The agency also prohibits examiners in charge of small institutions from staying in the role for more than two consecutive examinations for the same bank. See GAO‑20‑519.
[69]We define regulatory capture as a condition that exists when a regulator acts in service of private interests, such as the interests of the regulated industry, at the expense of the public interest, due to actions taken by the interested parties.
[72]Cleary Gottlieb Steen & Hamilton LLP, Report for the Special Review Committee of the Board of Directors of the Federal Deposit Insurance Corporation (April 2024).
[73]GAO-20-519.
[74]Our sample did not include foreign bank institutions, such as branches and agencies; Edge Act corporations; bank holding companies; financial holding companies; credit card banks; or trust banks. However, the sample may have included savings banks, savings and loan associations, and industrial loan companies since these depository institutions accept insured deposits.
[75]In an examination, a depository institution is rated on each CAMELS component and then given a composite rating, which generally bears a close relationship to the component ratings. However, the composite is not an average of the component ratings. The component and composite ratings are scored on a scale of 1 (best) to 5 (worst). Regulatory actions typically correspond to the composite rating, with regulatory actions generally increasing in severity as ratings become worse.
[76]OCC, the Federal Reserve, and FDIC organize supervised depository institutions into specific supervision programs depending on size and complexity. The asset-size breakdown differs across the three regulators. For both the Federal Reserve and OCC, institutions are considered large at the $100 billion threshold, whereas FDIC’s large bank threshold is $10 billion. However, all three regulators have designated community or small banks as institutions with assets of $10 billion or less.
[77]We excluded these areas because, with exception of anti–money laundering, they generally are separate examinations from the safety and soundness examinations.
[78]The Capital Markets category includes concerns related to investment, liquidity, and trading activities, among others.
[79]We used survival analysis to avoid making inaccurate conclusions about actual durations from this type of data, when the analyst can only measure duration up to a certain time before the event (in our case, closure of a concern). Survival analysis accounts for analysis units with complete or incomplete duration data. Without accounting for incomplete duration data, ordinary statistical methods, such as the calculation of medians, would be based on a potentially biased sample of closed concerns.
[80]GAO, Standards for Internal Control in the Federal Government, GAO‑14‑704G (Washington, D.C.: Sept. 10, 2014).