I began my banking career in 1978 at an eight-branch affiliate of a $3 billion bank holding company. One of my roles was security officer. The prevailing law addressing bank security is the Bank Protection Act of 1968. In 1978 the operative regulation implementing the Act was Regulation P (for Protection; Reg P now stands for Privacy). Reg P wasn’t long, just a few pages. But it included Appendix A, which was much longer. Among other things, Appendix A prescribed the construction of bank vaults, including the thickness of vault walls and doors, the number of tumblers in the combination, and the type of ventilation. The Appendix also addressed the steps bankers had to take when entering their branch before opening, and the amounts and denomination of marked currency designated to be given to robbers. It described the required types and locations of surveillance cameras as well as the frequency of film exchange. It was, I think, an exemplar of the mindset behind prescriptive bank regulation. In that period, regulation was binary: you were either in compliance with the relevant regulation or you weren’t. Everyone knew the rules. But the rules didn’t always make sense. And every activity required its own rule. When Appendix A of Regulation P was first promulgated, 35mm film cameras were the state of the art. Of course, one of the few eternal verities is that technology always overtakes law; and so, too, over the years video overtook film both in terms of quality and cost.
This is just an overwrought example of why, beginning in the mid-1980s, the regulatory agencies began migrating toward risk-based examination. It became accepted wisdom that each bank presented a unique risk profile, based on its products, services, and market areas. Teams of examiners were assigned full-time to large banks because it was believed that resident examiners who were more familiar with their bank would be better able than examiners descending on the bank for its periodic safety and soundness examination to assess the bank’s management of its unique risk profile. At the same time, the tone of regulations changed. The agencies issued “guidance”, using words like “should” and “consider”, instead of “shall” and “will”. One admittedly cynical description of risk-based examination is “We won’t tell you what to do, but we’ll sanction you when you don’t do it”.
Bank regulation is like a pendulum. And pendulums tend to swing in one direction or the other seeking equilibrium. And the farther they swing to one side, the longer they take to achieve equilibrium. Just as in the 1970s they had swung too far in the prescriptive direction, by the turn of the century they had swung pretty far in the risk-based direction. Since the banking crisis in 2008, however, the arc seems to have changed direction back toward prescriptive. The agencies still issue guidance, but the tenor is changing. It will be interesting to track just how far the pendulum will arc.
Santa Fe Group Strategic Advisor, Bob Jones, has led financial institution fraud risk management programs for more than 40 years. A well-known thought leader in the financial services industry and a sought-after expert in risk management strategy, Bob has devoted his career to innovative financial services fraud reduction and risk management. Today, Bob is a consultant, educator and expert witness, and serves as the principal of RW Jones Associates LLC.