Secrecy and Supervision

New banking regulations go through an extensive notice and comment period. Regulators provide sometimes excruciating detail on the proposed regulation’s rationale, benefits, and costs. On the other hand, supervision of individual banks operates largely outside of the public view. Is this level of secrecy warranted?  What’s the proper balance between the need to maintain confidentiality vs. transparency, accountability, and the public’s right to know?

Background

The Federal Reserve’s post-mortem of the SVB collapse offers a rare glimpse into the supervisory process. Along with a 118-page narrative, the report provided more than two dozen supervisory documents, including Reports of Examination and Supervisory Letters. The SVB review is the exception. Regulators shield from the public most supervisory information for most banks.

Congress enacted the Freedom of Information Act (FOIA) to make government records more readily available to the public. However, the FOIA also exempts from disclosure certain activities. These include activities “contained in or related to examination, operating, or condition reports prepared by, on behalf of, or for the use of an agency responsible for the regulation or supervision of financial institutions.” That’s a broad exemption and banking regulators are more than happy to use it.

The Case for Secrecy

There are some good reasons to keep bank supervisory information confidential. The viability of the banking industry relies on confidence. Even a well-capitalized bank leverages ten or even twenty-to-one. Demand deposits and short-term liabilities are typically well in excess of cash on hand. Regulators try not to spook depositors or roil the market. An adverse exam rating or other supervisory action could do just that.

Public disclosure of exam ratings may also make examiners more reluctant to hand out a bad rating. You want examiners to call things as they see them, but that’s harder to do when the world is watching. No one wants to cause a run.

And we can’t always expect responsible coverage. For example, the FDIC recently announced that the number of “problem banks” rated 4 or 5 increased from 52 to 63. Headlines and hot takes translated this concerning trend to something more alarming: 63 banks were on the “brink of insolvency.” In fact, the figure represents only 1.4% of all banks. Moreover, while banks rated “4” certainly rank as problems, most don’t fail. To be fair, the most overheated coverage came from crypto fans, who are more apt to promote the coming collapse of traditional banks.

Some calls for transparency come off as a bit disingenuous. For example, the Bank Policy Institute argued that the FRB’s lengthy post-mortem was helpful but insufficient. BPI called for the release of “internal Federal Reserve correspondence, interview transcripts or notes and/or other internal materials on which the assertions or conclusions in the Federal Reserve report are based.” This request strikes me more as an attempted gotcha rather than a serious effort to learn what went wrong. Embarrassing examiner emails can take attention away from the banking industry’s own efforts to undermine banking supervision over the past ten years. Documentation of internal discussions can also be misleading, since they can reflect either serious differences of opinion or exam room bravado.

We get similar calls for full transparency around the Fed’s stress test supervisory model, such as here. The Fed already releases details on the supervisory scenarios, as well as key variables and output ranges for the supervisory models, but that’s not enough of some. Going further makes the stress tests too easy to game. Enough reverse engineering already occurs for banks to optimize stress test results if not actual risk.

The Case Against (So Much) Secrecy

Bank regulators keep examination reports, ratings, and other supervisory information secret – basically forever. Authors James Freeman and Vern McKinley point out that “the government’s standard practice is to warehouse examination reports … for thirty years while refusing to release them…After thirty years the feds then destroy the reports.” There are some notable exceptions. Material Loss Reviews for failed banks disclose supervisory information, including prior exam ratings. The Permanent Subcommittee on Investigations and the Financial Crisis Inquiry Commission have also shared this sort of supervisory information with the public. But those are the exceptions. It’s hard to see how disclosure of exam ratings from thirty, ten, or even five years ago will undermine financial stability.

The penchant for secrecy extends not only to supervisory assessments, but also to a bank’s internal risk measures. The OCC publishes a semiannual Interest Rate Risk Statistics Report that provides data on earnings-at-risk and EVE under a wide range of rate shocks. The report includes medians, 25^th and 75^th percentiles, and largest losses, broken down by asset size and charter. Great. However, the report excludes large banks (>$100Bn) because it is “difficult to anonymously aggregate exposure information.” There are about twenty large national banks and regulators worry that someone might be able to figure out IRR information on an individual bank, especially if that bank’s risk exposure makes it an outlier. However, banks are already supposed to make quantitative and qualitative disclosures about market risk in their SEC filings. Not that they’re very useful.

The OCC further notes that “as federal financial regulatory agencies implement Principle 8 of the Basel Committee on Banking Supervision’s ‘Interest Rate Risk in the Banking Book,’ large banks will publicly report information on their IRR exposures and modeling practices.” The latest Basel standards came out in 2016. I’ve seen zero evidence that U.S. adoption of Standard 8 is on the horizon. Plus, if enhanced public disclosures are imminent, why the need to anonymize?

While public disclosure of exam ratings may make examiners less willing to hand out adverse ratings, this probably already happens to some extent under the current framework. Consider the FDIC’s Problem Bank List. The FDIC provides quarterly information on both the number and aggregate assets of these banks. Aggregate assets are only $82.1 billion and even during the Global Financial Crisis never reached $500 billion.  Adding a very large bank to the list would make that bank easily identifiable. Also, since some very big banks got into some very deep trouble during the GFC, regulators were probably already pulling their punches when it came to exam ratings.

Internal Policing of Confidential Information

Examiners have access to what is known as Controlled Unclassified Information (CUI). The information is sensitive but unclassified. With 1.2 million Americans having Top Secret clearance, bank examiners don’t stack up too high on the security hierarchy. Examiners still go through initial and follow-up background checks. Those reviews aren’t always timely and effective. Last year, OCC hired a Chief Financial Technology Officer based largely on a phony resume. OCC may have discovered the problem as part of a post-hiring background check. (Details are sparse.) But if a 43-year-old man claims to have 30 years of industry experience, figuring something was amiss shouldn’t require a detailed background check. Bank examiners also go through annual security awareness training. That doesn’t ensure good behavior but makes it harder for violators to claim they didn’t know the rules.

Examiners have access to confidential bank information on a need-to-know basis. Who needs to know what is subject to some debate. At OCC, for example, examiners can see exam reports, supervisory letters, and workpapers associated with their assigned bank. Information on other banks is more restricted, even in cases where you also examine those other banks. Outside examiners can provide insight into practices at other banks, lend specialized expertise that the resident team lacks, or get exposure to a risk area they don’t see at their assigned bank. However, these outside jobs can be a sort of Snapchat supervision since you lose access to this information as soon as the assignment ends. Some workarounds are available, but the focus on security can make the assignments less valuable.

Along with the preventive measures outlined above, regulators also take steps to punish the violators. In 2018, a former FDIC employee was convicted of “embezzling confidential documents.” She faced up to 20 years in prison.[1] The employee copied sections of Resolution Plans for several large banks onto a thumb drive, shortly before interviewing with those banks. The press release from the U.S. Attorney and FDIC Office of Inspector General emphasized the sensitive nature of the information.

Two points are worth noting. The employee copied the banks’ resolution plans, which her prospective employer would already have in its possession. The FDIC’s analysis of those plans would be the more sensitive item. The OIG’s report also indicates the employee only copied the Executive Summary and the narrative description of the SIFI’s resolution strategy. The FDIC started publishing this information on its public website in 2021, apparently deciding it wasn’t super sensitive after all. While the employee should be kept far away from a position of public trust, she wasn’t exactly selling the nuclear codes on the dark web.

Striking a Balance

Regulators can take steps to improve transparency without scaring off depositors or disrupting the markets. One is to release examination ratings on a delayed basis. The delay should be at least five years and perhaps ten, to be conservative. An adverse rating from 2014 isn’t going to spark a deposit run. Regulators can release historical safety and soundness ratings on their websites, as is already the case with both current and historical CRA ratings. Making this information readily available would allow analysts to better understand the relationship between financial ratios and exam ratings and support or counter existing narratives about the quality of supervision.

Reports of examination are a bit trickier. Reviewing, redacting, and processing thousands of exam reports would require armies of FOIA specialists. Regulators can limit release to the transmittal letter and the CAMELS sections, which typically include little personally identifiable information. They can also limit requests to, say, five examination reports, to prevent these requests from becoming expensive fishing expeditions.

Free market advocates can overstate the effectiveness of market discipline. The market, by itself, won’t police excessively risky and imprudent behavior. But it can play a useful role. Regulators should try to overcome their penchant for secrecy by encouraging (if not requiring) better public disclosures of credit, liquidity, and interest rate risk. As Justice Louis Brandeis wrotein 1913, “Sunlight is said to be the best of disinfectants; electric light the most efficient policeman.”

---

[1] The case was later overturned on appeal.