Reputation risk can be a big deal. A survey by Deloitte of business executives found reputational damage to be their top concern. The mess surrounding the Synapse bankruptcy is just the latest case where actions of a third party inflicted reputational damage on a partner bank. At the same time, a recent Supreme Court ruling potentially makes it more difficult for regulators to police reputational risk. Can banks and their regulators effectively control reputation risk while navigating through legal and political landmines?
The Comptroller’s Handbook defines reputation risk as “the risk to current or projected financial condition and resilience arising from negative public opinion.” As former Federal Reserve Governor Sarah Bloom Raskin observes, “banks … are particularly vulnerable to reputational consequences because of their public role.” A tarnished reputation can make it more difficult and costly to attract and retain customers. Moreover, banks benefit from federally insured deposits as well as implicit guarantees for the largest banks. The continued health of individual banks and of the industry overall depends on the public’s goodwill. Regulators consider reputational risk in their overall risk assessments.
NRA v. Vullo
National Rifle Association of America v. Vullo places constraints on a regulator’s ability to supervise reputation risk. The NRA had partnered with insurance companies to offer affinity insurance products, including one called Carry Guard. That product “insured New York residents for intentional, reckless, and criminally negligent acts with a firearm that injured or killed another person.” Not surprisingly, it’s illegal to insure criminal activity. The Commissioner of New York’s Department of Financial Services (DFS), Maria Vullo, urged executives of the partner insurance companies to curtail their business with the NRA. She also allegedly[1] offered to limit the scope of enforcement actions to NRA-affiliated products. DFS later issued guidance urging banks and insurance companies to “continue evaluating and managing their risks, including reputational risks, that may arise from their dealings with the NRA or similar gun promotion organizations.”
The Supreme Court ruled unanimously in favor of the NRA. The Court found that Vullo’s meetings with the insurance companies and the guidance letter were coercive in nature. The justices determined that the “First Amendment prohibits government officials from wielding their power selectively to punish or suppress speech, directly or through private intermediaries.”
How Banking Regulators Address Reputation Risk
Banking regulators don’t usually call out specific organizations and activities to the extent Vullo did. Banking regulators do, however, take reputation risk into account. The Wells Fargo cross-selling scandal, Goldman Sachs’ role in the multibillion-dollar theft from a Malaysian sovereign wealth fund, and DB’s and JPMC’s relationships with Jeffrey Epstein all damaged the reputations of the subject banks. They also had real financial consequences, leading to billions in fines, lawsuits, and restrictions on growth.
Regulators include reputation risk among a litany of risks, alongside legal risk, compliance risk, and operational risk. We rarely see reputation risk as the basis for an enforcement action and I’m unaware of any wholly attributable to reputation risk. Agencies periodically issue guidance warning of the reputation risk associated with various activities.
Do Regulators Go Too Far?
Despite these modest efforts, some believe that regulators have gone too far in supervising reputation risk. For example, Julie A. Hill argues in the Georgia Law Review that regulation of reputation risk is “harmful because it unnecessarily politicizes bank regulation.” Professor Hill focuses on supposedly politicized regulation of two areas: payday lending and oil and gas lending.
Let’s unpack these a bit. Take payday lending. It’s hard to get unanimous agreement on much of anything. But lending to vulnerable borrowers at APRs approaching 400% strikes most people as sketchy activity, especially for federally insured institutions. One thing we also learned from the subprime era is that predatory loans are usually bad loans as well.
The role of fossil fuels in climate change is a more politically divisive issue. Professor Hill sees as evidence of politicization the following guidance from the OCC: “Lending to [oil and gas] companies . . . perceived by the public to be negligent in preventing environmental damage, hazardous accidents, or weak fiduciary management can damage a bank’s reputation.” This quote is highly misleading. The guidance comes from Comptroller’s Handbook as part of an 89-page chapter on Oil and Gas Exploration and Production Lending. As with any activity, the guidance describes an array of potential risks, including credit, interest rate, liquidity, operational, compliance, strategic, as well as reputational risk. The reputational risk section never discusses climate change but focuses instead on accidents and resulting environmental damage.
Some don’t even see reputation risk as a legitimate consideration for the banks themselves. On January 14, 2021, OCC issued a Final Rule called Fair Access to Financial Services. The regulation would require banks to “make each financial service it offers available to all persons in the geographic market served by the covered bank on proportionally equal terms.” The rule would also prevent banks from denying a financial service the bank offers “unless the denial is justified by such person’s quantified and documented failure to meet quantitative, impartial risk-based standards established in advance the bank.”
The Proposed Rule received 35,700 comments, with more than 88% of commenters opposed. For reference, the controversial Basel Endgame proposal received about 400 comments. Somehow, the OCC was able to review and address these comments in eight business days. OCC “paused” the Final Rule two weeks later.
The Bank Policy Institute’s comment letter correctly noted that the regulation would “appear to prohibit banks from using subjective judgment and qualitative considerations, including reputational risk, in deciding whether to provide a financial service, which is entirely inconsistent with how the OCC has historically expected banks to make risk management decisions.”
Attempts to limit reputation risk considerations by either bankers or regulators make for a sort of enforced shortsightedness. Reputational risk can cause real, monetary damage, but that damage is hard to quantify before the fact. You should weigh not just benefits and risks that are easily quantifiable but to also consider those that aren’t.
Reputation risk usually occurs in concert with other risks and may also involve legal or regulatory violations. But not always. I recall a case where the bank sought a deficiency judgment against the estate of a recently deceased young woman. The woman had good credit and her outstanding car loan only became past due after her death. The car securing the loan had been damaged so the bank decided to go after the deceased family in what appeared to be an especially insensitive way. The bank was within its legal rights to try to collect, but did it make sense? Banks typically make only pennies on the dollar on these collections. Meanwhile, a “60 Minutes” story featuring the grieving parents and the heartless bank could practically write itself.
Regulators Can Also be Exposed to Reputation Risk
Regulators must deal with their own reputational risk. Stories of misconduct and a toxic work environment at the FDIC have damaged that agency’s reputation and probably make it more difficult to attract new staff. Reputation risk can also relate more directly to bank supervision activities. Granting new and novel bank charters or expanding bank powers can provide regulators with a source of revenue and make the charter more attractive. It can also irreparably damage their reputations if things go wrong. What looked like a good idea at the time can age poorly in retrospect.
Some actions even look bad at the time. In 2017, the CFPB issued a rule banning contracts that restrict class action lawsuits against credit card companies and banks. The CFPB conducted some dubious statistical analysis to support its position. The Acting Comptroller of the Currency issued a rebuttal based on similarly dubious analysis. While neither agency comes out well here, the OCC didn’t really have a dog in the fight. The OCC is supposed to be the banking industry’s regulator, not its water carrier. That the Acting CoC counted credit card companies among his many past clients didn’t help matters.
Regulatory Guidance and Actions
Much of the regulatory guidance around reputation risk is overly vague. A notable and welcome exception is the OCC’s Risk Assessment System (RAS). Along with credit risk, liquidity risk, and interest rate risk, OCC includes reputation risk as part of its overall risk assessment of a bank. The RAS rates each risk component based on the quantity of risk and quality of risk management. The Large Bank Supervision Handbook provides good detail on what high, medium, and low reputation risk looks like. It does the same for strong, satisfactory, insufficient, and weak reputation risk management, while steering clear of the hot buttons.
Partnerships between banks and fintech companies would seem to present a compelling case of reputation risk, especially when federally insured deposits go missing. However, the enforcement actions against Evolve Bank and Blue Ridge Bank fail to mention reputation risk while touching on seven (Evolve) or eight (Blue Ridge) other risk categories. Reputation risk figures prominently in a 2007 FDIC publication on Third Party Risk Arrangements but disappears entirely from 2023 Interagency Guidance on the same topic. The same goes for OCC’s 2024 Guide for Community Banks.
Formal enforcement actions and industry guidance are public documents while the RAS is kept strictly confidential and serves primarily an internal audience. Regulators may continue to recognize reputation risk and understand its importance. But they may also be wary when it comes to specifics, especially when those specifics are made public. Fairly or not, reputation risk assessments stir enough political and legal controversy that regulators try to steer clear of them … if they can.
If you find this article useful, feel free to share it with your friends and colleagues.
[1] The Supreme Court decided on a motion to dismiss and for those purposes assumed the allegations were true. The accuracy of the allegations as well as other potential defenses will be decided at trial.