2018 Regulatory Overview: Current Issues Facing Financial Institutions

By Dennis M. Hild, CBE
2018 Regulatory Overview: Current Issues Facing Financial Institutions
As 2018 draws to a close, financial institutions are watching the economic and regulatory environments carefully. Among the larger issues drawing their attention are the ongoing consolidation of the industry, legislative moves enacting modest regulatory reform, and leadership changes at major regulatory agencies.
Notwithstanding regulatory efforts to implement provisions of the Economic Growth, Regulatory Relief, and Consumer Protection Act (EGRRCPA), financial services industry executives should focus on expected areas of continued regulatory concern in the near term, with issues such as asset quality, credit administration, and cybersecurity drawing close examiner attention. Financial services organizations can benefit by remaining alert to emerging industry and regulatory issues and by assessing their risk in these areas within the context of long-term industry trends.

The current industry and economic landscape

The ongoing, long-term consolidation trend within the banking industry continues with few signs of slowing down in the near term. The final statistics for calendar year 2017, as published in the Federal Deposit Insurance Corporation (FDIC) Quarterly Banking Profile, show that the number of FDIC-insured banks continued to decline during the year, dropping to 5,670 FDIC-insured institutions as of Dec. 31, 2017. That is a 4.1 percent decline from 2016. (See Exhibit 1.)


Exhibit 1: Consolidation of assets and deposits

Source: FDIC Quarterly Banking Profile, Fourth Quarter 2017

Source: FDIC Quarterly Banking Profile, Fourth Quarter 20162 

The 4.1 percent decline in the number of institutions contrasts with the continuing growth in bank assets, which increased by 3.8 percent during the same time period.  

In the longer term, the total number of banks has now shrunk by more than one-third since there were 8,680 insured institutions at year-end 2006. The consequence of these opposite trends is inevitable: a greater concentration of assets in a shrinking number of institutions, especially in larger banks. Today, roughly 2 percent of banks hold more than 80 percent of total banking assets and deposits.

Comparable trends are occurring in the credit union industry. According to the Credit Union National Association’s (CUNA) 2017 year-end profile, 5,684 credit unions were operating in the United States as of Dec. 31, 2017. That number is a 3.8 percent decline from 2016. Meanwhile, total credit union assets grew by 6.6 percent during the same time period.3

The changing regulatory landscape

Both the U.S. House of Representatives and the Senate began 2018 with a renewed focus on regulatory reform, including proposed rollbacks of some provisions of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank). Their efforts culminated in the passage of EGRRCPA, which President Donald Trump signed into law on May 24, clearing the way for regulatory agencies to begin working on the implementing regulations. 

Among the most closely watched of these regulations was the elimination of Dodd-Frank stress-testing requirements for many banks and bank holding companies (BHCs). Banks that are not BHCs and that have total consolidated assets of less than $250 billion no longer will be subject to the company-run stress-testing requirements in Dodd-Frank. Additionally, BHCs with less than $100 billion in assets will not be subject to the requirements.

EGRRCPA also raised the threshold for qualifying banks to be eligible for an 18-month exam cycle from the previous level of $1 billion in assets. Under the new rules, qualifying banks with up to $3 billion in assets will be eligible for the extended exam cycle if they have “outstanding” or “good” composite exam ratings. 

The Federal Reserve (Fed) has also issued an interim final rule expanding the applicability of its small-BHC policy statement, as required by EGRRCPA. The small BHC statement’s total consolidated assets threshold increases from $1 billion to $3 billion. The policy statement also applies to savings and loan holding companies with total consolidated assets of less than $3 billion.

Federal banking agencies have also published proposed changes to regulations commonly known as the Volcker Rule, which restrict the ability of banking entities to engage in proprietary trading or have certain other interests or relationships with hedge funds or private equity funds. EGRRCPA generally exempts banks with less than $10 billion in assets from Volcker Rule requirements. The new rules proposed by the regulators are intended to improve supervision and implementation by focusing on banks with “significant” and “moderate” trading activities. 

Another significant factor affecting the regulatory environment is recent leadership changes at a number of regulatory agencies including the Fed, Office of the Comptroller of the Currency (OCC), FDIC, National Credit Union Administration, and Consumer Financial Protection Bureau (CFPB). Several of the new agency heads have been vocal supporters of more “common sense” approaches to financial regulation. 

Current regulatory priorities

Moving beyond the impact of leadership changes and regulatory reform, some issues are currently drawing added scrutiny from regulatory agencies. Various credit-related issues continue to account for the largest share of matters requiring attention (MRAs) and matters requiring board attention (MRBAs).

According to the OCC, the commercial credit area accounted for 29 percent of all MRAs issued to midsize and community banks in 2017. Information technology – with particular emphasis on cybersecurity risk – is another major area of concern for regulators.

Cybersecurity: Banks’ and regulators’ concerns

Cybersecurity is viewed as a critical risk by many financial institution executives, reflecting growing regulatory expectations in this area. In a recent webinar for bank executives sponsored by Crowe, participants were asked to identify the areas of risk that cause them the greatest concern. Cybersecurity risk was by far their number one issue, with 35 percent of survey respondents ranking it as their area of greatest concern. (See Exhibit 2.)


Exhibit 2: Bank executives’ areas of concern

Source: Crowe Online Survey, Feb. 28, 2018. Note: Numbers do not equal 100 percent due to rounding.
The importance of cybersecurity also is reflected in several recent regulatory actions and guidance. The Federal Financial Institutions Examination Council (FFIEC) established its Cybersecurity and Critical Infrastructure Working Group in June 2013, and since then has taken a number of steps, including issuing its Cybersecurity Assessment Tool, which it updated in May 2017. Although use of the tool by banks is voluntary, federal and state banking regulators typically consider a bank’s use of the FFIEC tool (or some other recognized assessment or framework) as part of their assessment of an organization’s cybersecurity risk management, controls, and cyberresilience.4

Credit Issues: Emerging regulatory trends

As mentioned above, credit-related issues continue to lead outstanding MRAs. However, many of the MRAs are focused on credit administration and loan portfolio management deficiencies. Loan performance indicators show that asset quality is generally sound industrywide, but tighter spreads and slowing loan growth are beginning to cause some deterioration in underwriting standards, and growing credit concentrations continue to attract significant regulatory attention.

For example, in its fall 2017 Semiannual Risk Perspective, the OCC specifically noted that increased credit risk associated with loan growth, weaker underwriting terms, or increased concentrations “needs to be thoroughly assessed and qualitatively incorporated into capital or allowance for loan and lease losses analyses.”5

Other regulators have published similar comments in recent months. For instance, the summer 2018 edition of the FDIC’s Supervisory Insights focused on several issues closely related to credit risk management. One article specifically addressed the importance of strong credit grading systems, encouraging banks to strengthen these systems by incorporating clearly identifiable processes and establishing a sound governance framework.

Other compliance and risk management issues

In addition to cybersecurity- and credit-related issues, other areas of risk are also attracting regulatory attention. For example, the industry has seen an increasing number of formal enforcement actions – along with severe sanctions in some instances – related to the Bank Secrecy Act and anti-money laundering (BSA/AML) compliance. Regulators have been particularly critical of instances where they perceived banks have pared back resources in this area.

The FDIC’s summer 2017 Supervisory Insights offers valuable information and provides examples of the examination process along with information on recent trends in BSA examination findings. It includes examples of failures in BSA/AML compliance programs, which can be helpful for all institutions regardless of whether the FDIC is their primary regulator.6

Another area, third-party and vendor risk management, has been continuing to garner more scrutiny from regulators in recent exams. Regardless of an institution’s charter and the specific agency to which it must answer, useful guidance for all types of organizations can be found in the OCC’s updated examination procedures, which were released in OCC Bulletin 2017-7.7

The FDIC Office of Inspector General examined third-party risk in the technology sphere in 2017. Its report, “Technology Service Provider Contracts With FDIC-Supervised Institutions,” includes recommendations that can serve as useful guidance for many financial services providers.8

The Fed also published a 2017 article titled “The Importance of Third-Party Vendor Risk Management Programs.” Although it focused in particular on community banks, the article’s general overview of third-party risk issues can be useful for other financial services providers as well.9

A cautious look ahead

Despite the final passage of regulatory relief legislation, the financial services industry must guard against complacence about risk management, regulatory compliance, and maintaining a solid corporate governance framework. The details of regulatory relief will continue to evolve over the coming months, so continued monitoring and awareness of legislative and regulatory issues are essential. Meanwhile, institutions must maintain sound risk management policies and practices that can adapt to reflect today’s environment of continuing change and growing competitive pressures.


1 FDIC Quarterly Banking Profile, Fourth Quarter 2017, Table III-A (page 7), https://www.fdic.gov/bank/analytical/qbp/2017dec/qbp.pdf
2 FDIC Quarterly Banking Profile, Fourth Quarter 2016, Table III-A (page 9), https://www.fdic.gov/bank/analytical/qbp/2016dec/qbp.pdf
3 U.S. Credit Union Profile, Year-End 2017, Credit Union National Association, page 2, https://www.cuna.org/uploadedFiles/Global/About_Credit_Unions/NationalProfile-D17-Bank(1).pdf
4 “FFIEC Release Update to Cybersecurity Assessment Tool,” Federal Financial Institutions Examination Council news release, May 31, 2017, https://www.ffiec.gov/press/pr053117.htm
5 “Semiannual Risk Perspective,” Office of the Comptroller of the Currency, Fall 2017, https://www.occ.gov/publications/publications-by-type/other-publications-reports/semiannual-risk-perspective/semiannual-risk-perspective-fall-2017.pdf
6 “Supervisory Insights,” Federal Deposit Insurance Corporation, Vol. 14, Issue 1, Summer 2017, https://www.fdic.gov/regulations/examinations/supervisory/insights/sisum17/si-summer-2017.pdf
7 OCC Bulletin 2017-7, "Supplemental Examination Procedures,” Office of the Comptroller of the Currency, Jan. 24, 2017, https://www.occ.gov/news-issuances/bulletins/2017/bulletin-2017-7.html
8 “Technology Service Provider Contracts With FDIC-Supervised Institutions,” Office of Audits and Evaluations Report No. EVAL-17-004, FDIC Office of the Inspector General, February 2017, https://www.fdicig.gov/sites/default/files/publications/17-004EV_0.pdf
9 Tony DaSilva, “The Importance of Third-Party Vendor Risk Management Programs,” Community Banking Connections, 2017 – First Issue, U.S. Federal Reserve System, https://www.communitybankingconnections.org/articles/2017/i1/third-party