News Release 1996-119 | October 22, 1996
Remarks by Eugene A. Ludwig Comptroller of the Currency Before the Bank Administration Institute's Asset/Liability and Treasury Management Conference
Banking today enjoys considerable momentum as it prepares for the twenty-first century. Institutions of all sizes and types have posted record profits as they have undertaken nontraditional activities and achieved substantial efficiencies in their operations. The record profitability that banks have posted over the past several years bears witness to the industry's success in eliminating unnecessary costs, serving new markets, and developing new revenue streams from activities such as mutual fund and insurance sales. At the same time, the industry has employed new tools and financial engineering — such as derivatives, securitization and sophisticated interest rate risk measurement models — to manage the risks of an increasingly more complex marketplace.
That is certainly good news. But as a regulator, my job is to focus on the clouds and not the silver linings. And that is what I would like to do today — talk about some clouds that, while they are still off on the horizon, demand our attention and action now, before they threaten the progress we've made in recent years.
The revenue growth and cost cutting you have achieved over the past few years, while a challenge, were relatively easy. Now, that relatively easy part is behind many of you. Large expense reductions are no longer obvious for many institutions because much of the excess fat has already been trimmed. As a result, when banks look for ways to continue to reduce costs, some may be tempted to make cuts in parts of their organizations that will have material safety and soundness implications. Let me be absolutely clear about this. I'm talking about cuts to those parts of your organization that are the bone and muscle of effective risk management.
I know it is tempting to trim — or not to grow — those parts of an organization that don't contribute directly and immediately to income. But many of those organizational units — specifically those critical to effective risk management — are essential to long-term stability and, indeed, to long-term profitability. That's true for banks in good times as well as in challenging times. No time is a good time for banks to sacrifice long-term strength to short-term profits. Cuts to risk management mechanisms are particularly problematic in an increasingly complex and rapidly changing environment when effective risk management is more important — and more difficult — than ever.
I am raising this issue now because banks are preparing their budgets for the coming year. As banks focus on where to cut and think about what adds value for their business, I urge bank management to recognize that strong risk management, including strong internal controls and comprehensive and coordinated management information systems, should not fall victim to the search for savings.
In the last few months, we have seen some institutions considering cuts that could strike close to the muscle and bone of sound business practice. In addition, we've seen that other institutions are reluctant to make additional investments in risk management in line with the growth of their activities. I know these ill-advised cuts are being considered at only a few institutions, and at the present time I certainly do not believe they currently post a systemic risk to the national banking system. However, I am concerned that what is happening at a few institutions could become a trend, and that a careless wielding of budget axes could threaten the ability of banks to guard against breaches of fundamental controls.
Internal controls are one of a bank's most important lines of defense in controlling risk. The importance of internal controls is so common-sensical that I know I'm not telling the industry much it doesn't know. Today, generally speaking, most American banks do indeed have superior internal controls. Our banking industry's commitment to internal controls has, in my view, been a defining quality and a clear competitive advantage — one that we cannot afford to squander. So I ask you, why risk losing the advantage that strong internal controls have given American banks simply to expand next quarter's revenues? In today's world, a competitive strength that has been years in the making — and a reputation or brand identity that has been hard-earned — can be lost in the blink of an eye.
Real world examples of the consequences of inadequate internal controls — or a lack of respect for their value — are all too evident. A poor segregation of duties — combined with poor oversight — allowed Daiwa Executive Vice President Toshihide Iguchi to generate over $1 billion of trading losses, because he was able to hide trading activities for 12 years through a web of falsified bank records. Kidder Peabody trader Joseph Jett ran up $350 million in losses in less than three years because of flawed controls. These lessons serve as reminders that banks should effectively segregate responsibility for making investment and credit decisions from responsibility for disbursing and receiving funds. And, of course, the domestic landscape has not always been unscathed either. We should not forget the go-go days of energy lending or real estate lending and what happened in their wake.
The lessons — wherever or however learned — are the same: the banking industry cannot afford to let its cash cows become sacred cows. And the best way to prevent that from happening is to have internal controls that cover all bank activities and employees. We've seen, historically, that banks have a tendency to focus less on internal controls during good times, and the failure to keep an eye on this fundamental part of the business has often led to serious problems. The difference this time is that we want to issue an early warning so banks can make the necessary adjustments to maintain appropriate internal controls now and avoid the mistakes of the past.
Banks should have a strong risk management process commensurate with their business activities — including a strong function to test transactions and compliance, such as audit, loan review, and compliance management. The testing function should be independent of the balance sheet management and investment functions. Employees performing these testing activities should have the technical expertise and knowledge to detect potential problems and breaches of bank policy and prudential standards. Further, the functions charged with testing transactions should have the stature within the bank to bring problems directly to executive management's attention. They should be able to challenge any business transaction — even one involving the so-called superstar performers — before it leads to financial loss or irreparable damage to the institution's reputation.
Of course, a bank's internal controls are immeasurably aided by strong information systems. Strong and integrated information systems give banks timely access to the information they need to operate safely and soundly. Fragmented or weak systems inhibit a bank's ability to aggregate exposures on a timely basis. As the banking environment becomes more challenging and banks continue to expand through growth or by merging with other financial institutions, their internal information systems must keep pace. Otherwise, there is the very real risk that large and geographically-dispersed institutions will find themselves with numerous systems that are incompatible. This can result in essentially manual measurement of a bank's risk exposure — the hunting and gathering of data via emails and faxes, which can make it difficult and expensive, if not impossible, to aggregate data and prepare vulnerability analyses. Not only are incompatible systems cumbersome and inefficient, but because it can take so much time and cost to collect and aggregate data from different systems, there is also a temptation to do without some information that is difficult to obtain — despite its value to comprehensive risk measurement and management.
So banks should work to standardize their operating and technology platforms across lines of business and throughout their markets. Integrated information systems will allow management to better manage their various lines of business and the risk in those business — based on sound information, rather than only gut instinct and intuition.
We have seen a few banks that have been reluctant to invest in the technology necessary to capture and analyze on a timely basis information about the business and risks in the institution. We recognize that developing common systems at banks that operate in numerous or far-flung locales is time-consuming and expensive. For many institutions, systems integration must be a long-term, rather than an immediate goal. But achieving this goal must be a top priority, and banks should have a strategic plan for fixing fragmented systems. Because trying to manage a business in this day and age without the appropriate information is like flying a jet without instruments — you may be lucky for a while, but you are flirting with disaster.
I want to close by talking briefly about the importance of strong management oversight. Bank regulators have stressed the importance of management oversight so often that it is probably elementary to stress it once again. But in an era of intense competitive pressures and heightened stakes for risk management, I believe regulators should do more than merely preach responsibility to bank management and bank boards — we need to provide the tools and the incentives to manage risk appropriately.
At the OCC, we recognize that bank management has a hard task identifying, measuring, monitoring and controlling risk. That's why we implemented our supervision by risk examination approach. Supervision by risk forces banks to focus on critical risk management techniques and allows regulators to focus on how individual institutions and the industry as a whole are responding to existing and emerging challenges.
At the OCC, we have also recognized that supervision by risk can be augmented by appropriate guidance, guidance that does not layer on needless burden but rather shares with banks our views and experience in targeted risk areas. In this regard, I should mention that we will issue updated guidance on bank derivative activities by year-end, giving our examiners specific procedures for looking at internal controls in this area. We are also putting the finishing touches on new handbook sections on interest rate risk and securitization. With supervision by risk we have lowered burden and focused attention on risk at many banks. And with improved guidance and diligence, we can continue to lower burden in those institutions that have strong self-policing mechanisms in place.
We plan to work with the industry to help it move forward in these important risk management endeavors. When we encounter trends like those I have just discussed, our examiners will meet with bank management to ensure that appropriate actions are taken. In addition, we expect examiners to closely monitor plans for managing expenses — particularly as they relate to auditing functions and information systems. Their analyses of bank growth plans will take into account efforts in these important areas.
Even in the face of relentless market and technological change, banks must be disciplined — they must adhere to strong internal controls, ensure that they have integrated information systems, and maintain strong lines of communication to and between senior management, the board, and the regulatory community.
No one is advocating that banks not evolve — least of all me — and particularly in terms of their risk management systems. It is essential that as banks grow and take on new activities — whether in capital markets or other areas — they make certain they are meeting their increased responsibilities to manage the risks that are inevitable in today's financial services marketplace.
My intention has not been to paint a dark picture of the state of banking today. On the contrary, the state of the industry is quite positive. My intention is to recognize trends and communicate their implications so that we do not have material problems in the banking system in the future. We have seen these trends before and they can result in needless loss and instability. This time, we must learn from history and make the necessary adjustments before problems arise.
So, yes, as a regulator, I have concerns today, but I'm also sanguine. I'm confident because I believe that you understand the challenges, know the consequences of ignoring controls, and have the discipline to make the correct strategic decisions that make the most sense for your banks and will ensure your banks' continued strength in the future.