Contributions to the Supervisors on Supervision Stocktake
What does culture mean in the supervisory context?
“Quite honestly, if you don't have a risk culture, you have culture risks. That's it. If there isn't a healthy respect for risk in everything that you do, you have culture risk.”
Should culture, and the conduct proclivities it may promote or discourage among employees, factor into supervisory engagements?
“Even though everything was under my roof, I have to tell you about a situation that arose because of the Global Financial Crisis. In Singapore, the biggest issue we had for the domestic consumers was originally thought of as a conduct issue, not a prudential issue. Our banks were rock solid. It was a conduct issue because of something called Lehman Brothers Minibonds. These were CDOs that were packaged and sold like they were bonds.
Mea culpa: we really should not have let them be called ‘mini bonds.’ People were buying them thinking they were bonds, but they were actually CDOs. As the assets in the reference basket started collapsing, so did the value of these instruments.
Is this a conduct issue or a prudential issue? On the surface, it's a conduct issue. But many of these instruments were sold by banks and insurance companies. Because of the blowback, it cost them many millions in fines and restitutions. There were also reputational risk issues. Then it became a prudential issue, didn't it?”
“The most important thing we need to tell the private sector is that you need to know where your inner true north is so that you follow your own principles, regardless of what others say. You have to decide. Do you really have to keep dancing while the music's still playing, or do you have to dance every dance? That's on you.”
How does the lack of a common supervisory approach to culture and conduct risk across jurisdictions pose a concern?
“Sometimes I get the impression there is too much red tape. It's not just one regulator; it's several. It's throwing out a lot of red herrings and sand in the wheels that may not be necessary.
There's also an unevenness in regulatory oversight across jurisdictions. I think the regulatory community needs to bring some regulators up to best practice as well. Some jurisdictions tend to take their eye off the right ball and try to make you do things that may not be in the best interest of the bank. More can be done in the international regulatory community to raise the baseline level.
It boils down to supervisory practice. This is hard to put science around, though you can to an extent. You must have structures and the right incentives in place. Over and above that, regulators can do more to share best practices amongst the industry.”
What role does culture play in governance failures that ultimately require supervisory attention?
“Some financial institutions are inherently very compliant. In those cases, you start from a much higher and easier base, but you can have another type of risk because they can be too compliant, in the sense that they abdicate their thinking. They only do what the regulators tell them, and that's not an ideal situation. Those types of institutions, frankly, don't do so well in the long term, because they don't really innovate and they don't think for themselves.”
One of the pillars of how risk-based supervision will work is if you are more forward-looking and more anticipatory, rather than reactionary.
I think [the reason for the SVB collapse was] because supervisors were too backward looking. Because you came out of the Global Financial Crisis where credit risk was all consuming, everybody was doing every kind of stress test on credit risk — left, right, center, up, down, across, diagonally — and people forgot about interest rate risk. Interest rate risk was benign for a good 10 years, so supervision was too backward-looking.
Silicon Valley Bank was also another example related to risk-based supervision. We all drank the Kool-Aid that you should focus on G-SIBs and large banks. Silicon Valley was a small bank, so the thinking was you don't need to be so tough on them because systemically they don't cause much of a problem. But the supervisory community forgot that while it's one small bank, as a class of small banks, and they can cause systemic risk.”
“In the past, a lot of the emphasis was on regulation; we set the ground rules, and everybody played by them. Everybody was very compliant. But of course, as the markets and the industry evolved, and as firms started hiring rocket scientists, we looked to give them more autonomy in things like modeling and self-assessments.
We found that supervision actually became much more important than just the regulations. It's the same old adage: you can have the traffic code, but you still need policemen to police that code. That's where we started getting more interested in the culture of an organization.
The problem is that, whenever something happens, we just layer on prescriptions and rules. That sometimes has the unintended consequence of making people switch off their brain.”
How do supervisors approach culture as a factor in governance failures in the absence of clear frameworks?
“What we wanted to do [at the regulator] was to get institutions to take responsibility. They're the frontline, and they take responsibility. We would say, "This is the base, and then you go and decide what you need for yourself. But this is the base, and it's a base, not the maximum."
That's how we started looking at how management and the board looked at this, and that is how I would define culture. How do they self-reflect and think about the risks and profiles of their company? How do they mitigate and navigate those risks? How do they look forward? How do they take advantage of some of these challenges and then move ahead? All of that is culture.”
How is supervision made more challenging by a reliance on judgment?
“If I may say, we're always hitting them with black marks. You should get some brownie points if you've gone above and beyond the regulatory minimum and have shown self-awareness in your company. Even if it's just a pat on the back or you tell the board, ‘Your management voluntarily did this.’ We don't do enough of that. We go out there with a stick all the time.”
Why have supervisors found it challenging to identify and assess culture-related risks prior to a risk event?
“If you ask for too much information that you don't use, guess what? That information is sitting in your system. If something happens and people say, ‘Well, you had all this data and you didn't analyze it and you didn't see this coming,’ it is also a risk for the regulators.”
Why have some jurisdictions invested in and leaned into culture supervision while others have not?
“We lived through the Asian financial crisis. The Asian tigers were the ones that were badly hit. We were so lucky in Singapore; we were actually a safe haven and, in a way, beneficiaries of the Crisis, because there was a flight to quality.
But having said that, one of our very small local banks had an inordinate exposure to Indonesia. They didn't go bust, but they were bought over, and there's a reason people get bought over sometimes. We did have that as a lesson. Luckily, it was not a fatal blow, but it was still a lesson to us as to what can go wrong. Even with tight regulation, and even though it was our smallest bank, it still got into trouble. That taught us that we needed to change our thinking.
We were moving away from very tight regulation to more risk-based supervision, we had to then rely on the players and their in-house ability. We weren't clever enough to give it the label ‘risk culture,’ but that was what we were looking at.
When the Global Financial Crisis came, it was an even better result for Singapore. A lot of foreign banks were going down, but the local banks didn't even have a loss. We credit that to having gone through the earlier crisis.
The Asian financial crisis made our institutions very risk-aware. It made us think about following fads and about too much concentration risk. So, when all these CDOs came along and became a very sexy thing, we used to just say to the banks, ‘You have to understand it first before you get into it. Why are you getting into it?’”
What are the structural challenges to integrating culture supervision into standard oversight practices?
“In Singapore, conduct regulators and financial stability [shared common leadership], so it was all under one roof. But in many other jurisdictions, it's more balkanized. That is also a problem. Conduct and enforcement people tend to set really strict rules, and if they're broken, you want public hangings. But prudential regulators want to be more anticipatory. Especially if you're in charge of a bank, you do not want to precipitate a bank run. Public hangings are really not the way to go. It's a different philosophy, so it's a different culture.
The conduct regulator will have to look at culture from a particular perspective. The prudential regulators will look at it from a particular perspective. But there must be somebody joining it all up at the top for large institutions that have both prudential and conduct risk.”
How can supervisory bodies move to embed culture risk into supervision and governance frameworks?
“I’ve also seen this in staff rotations. You don't just rotate to give someone an all-rounder experience. The ones who go in, find practices that need changing, and actually change them — that's good risk culture. You're not just stepping into the old shoes for three years to get a tick and the next promotion. You go in with a fresh pair of eyes, and that's what these rotations are meant for.”