A Starling Insights Deeper Dive Report

Supervisors on Supervision

Public Exposure Draft

Michael Hsu

past-Acting Comptroller of the Currency (US)

Picture of Michael Hsu
View Full Report

Contributions to the Supervisors on Supervision Stocktake

Should culture, and the conduct proclivities it may promote or discourage among employees, factor into supervisory engagements?

1.2.1d Some supervisors have suggested that organizational culture has the potential to generate systemic risks, rather than merely idiosyncratic risks isolated to a given firm.

“We have seen what happens when large banks become unmanageable and need government support to avoid disorderly failure. The negative impacts of [too-big-to-manage] and too-big to-fail on households and communities, on the banking system and economy, and on trust are immeasurable and can take years to mend.”

If culture is important to supervision, then what factors make it challenging to assess?

1.2.2c Other participants describe how organizational complexity can make it difficult to assess culture risk and to evaluate success in connection with culture change initiatives.

“There are only so many hours in the day and so many meetings in a week that executives and board members can attend. This dynamic places heavy reliance on materiality determinations, which drive the issues senior leaders consider and make decisions about. 

When a significant problem surfaces at a bank, there are two likely reactions: Either the bank assumes similar problems might be lurking elsewhere in the organization and embarks on a mission to seek them out and address the root cause, or the bank assumes that the problem is isolated and reflective of a bad apple and maintains business as usual. 

When a negative surprise occurs, large banks should presume that similar risks lie hidden beneath the surface elsewhere and that unseen root causes need to be uncovered and addressed. A “look across” to other units should be standard operating procedure, and the burden should be on those units to demonstrate they are not similarly vulnerable. The larger the banking organization, the more important it is to shift the default presumption before concluding that an issue is contained and being addressed. 

A sign that a bank may be becoming [too-big-to manage] is when supervisors consistently uncover more risks and problems than the bank’s internal risk and control functions do. Tracking the ratio of supervisor-identified issues to self-identified and self corrected issues is one way to gauge this risk and track it over time.”

How do supervisors approach supervision in the absence of clear frameworks and guidelines related to culture?

1.4.1a Many participants point to the importance of supervisory judgment in assessing potential problems related to culture.

“It’s easy to get lost in details and the numbers, so when I took over at OCC, I anchored priorities on safeguarding trust in banking. That prompted my interest in doing a survey on trust in the OCC itself. 

While sitting on the FDIC board, I had been struck by the FDIC’s survey on the unbanked or underbanked. It’s very rigorous — done through the Census, with economists — and has shaped the policy conversation for years. It provided the FDIC with credible, visible leadership on access and inclusion. 

I wanted something similarly rigorous for the OCC — something focused on trust in its multiple dimensions — so banks and supervisors could get useful feedback. I thought that would also signal that OCC cares about trust for banks and for itself. 

Trust is multi-directional: trust in banks, trust between banks and regulators, and trust between regulators and the public. In healthy systems, accountability and discipline apply across those relationships.”

What role does culture play in governance failures that ultimately require supervisory attention?

2.1.1d Participants observe that culture can undermine incentive programs, employee engagement efforts, and other common management measures aimed at shaping behavior in desired directions, making it even more so a challenge for large, complex organizations.

“There are limits to a large organization’s manageability. I have seen enterprises become so big and complex that control failures, risk management breakdowns, and negative surprises occur too frequently — not because of weak management, but because of the sheer size and complexity of the organization. Some identify this as the too-big-to-manage (TBTM) problem. 

Misidentifying or misdiagnosing problems at a large bank can lead to ineffective actions and solutions, which in turn can prolong the risk of harm to consumers, counterparties, and the financial system. It can also hurt the credibility of financial supervisors, as large banks can take inordinate amounts of time trying to remedy deficiencies, which can and should be addressed quickly.”

How do supervisors approach culture as a factor in governance failures in the absence of clear frameworks?

2.2.1a Participants discuss how the relationship between governance and culture risk presents unique challenges for supervision.

“Think of supervision as a feedback mechanism. Banks, left to market forces alone, will sometimes drift into unsafe/unsound practices. Supervisors provide corrective feedback.”

How should supervisory bodies approach enforcement in the context of culture risk governance and supervision?

2.3.1a Participants note that a lack of established culture risk governance frameworks and metrics makes enforcement and accountability more challenging.

“How do we know when a bank is [Too-Big-to-Manage (TBTM)], as opposed to just poorly managed? And how do we make sure we use due process and fairness in making that determination? Given the stakes involved, getting both right is vitally important. The answer to both questions lies in having a clear enforcement framework. 

A well-calibrated enforcement framework gives banks sufficient opportunities to address deficiencies. A bank’s repeated failures to do so then become, by themselves, presumptive evidence that it is at the limits of its manageability. Under such a framework, the need for simplification and divestitures at a bank is clear from management’s actions and outcomes, or lack thereof. 

Stepping back, following this enforcement framework has a number of benefits. First, it strikes a balance and is proportional. Second, it helps to ensure that regulators avoid doing too little (simply imposing a [civil money penalty]) or doing too much (jumping to breaking up a bank). And third, it adheres to due process, giving banks time and opportunities to fix their problems, while providing clear steps for escalation should a bank be unable or unwilling to implement the needed fixes in a timely manner.”

What emerging techniques and tools offer promise to improve culture measurement and risk assessments?

3.2.2d Participants describe other innovative applications of AI to challenges of culture risk governance and supervision.

“We need to start by recognizing the expanding task of supervision: coverage needs are much broader, institutions are much more complex, and things move faster than ever. The top three U.S. banks are at multi-trillion-dollar scale; twenty years ago that was unimaginable. 

We can’t solve this by hiring ‘10x’ more people. We need different ways of processing and acting on information — greater agility and cross-functional teaming. Specialization changes from being an asset to becoming a liability in dynamic, complex, fast-changing environments. 

This is where AI helps — not as a savior, but as a forcing function to ask: Can AI do what I do? What is the core of my job, actually? What do I really need to do? And how can AI help me accomplish that? 

That third question — re-clarifying the purpose of supervision — can guide supervision through this time of great change. Then we can design how AI augments that purpose.”

What are the informal challenges with integrating culture supervision into regulatory bodies?

3.3.3a Still others describe cultural barriers to trialing new approaches and encouraging the internal risk taking that innovation demands, making it difficult to drive change in practice.

“Two types of errors loom: 

Type I (false positive): calling out problems that aren’t really problems. These are costly ‘inconveniences’ that accumulate and erode trust between banks and supervisors. 

Type II (false negative): missing real problems — like SVB in 2023, or the Financial Crisis in 2008. These are catastrophic errors. 

Historically, the pendulum has swung between a ‘tougher’ and ‘looser’ regulatory environment, mapping crudely onto those error types. We should aim to minimize both. That requires openness by supervisors to reduce false positives without blunting detection of true risks. 

After 2008, the intent of being ‘tough’ wasn’t to create useless headaches for firms; it was to address big risks. Likewise, the industry pushing back wasn’t about inviting future blow-ups. 

It’s not just about ‘gas’ or ‘brake.’ Some industry arguments are ‘full brake,’ others are ‘full gas.’ Neither is sustainable. But policy has defaulted to these kinds of binary moves and emotions are running high on both sides. 

What doesn’t help is each side retreating to its echo chamber to get hyped by friends. Leadership has to call a time-out, identify credible mechanisms or projects, and create space for objective work. We need a third way — something to permit for better ‘steering’.”

How do supervisors need to adapt in order to accelerate progress in culture supervision?

3.4.2a Participants highlight the importance of effectively embedding challenge in their engagements with firms related to culture.

“This is perhaps a controversial view, but I think the asset cap at Wells Fargo was pivotal. Ultimately, culture changes when leadership changes — and supervisors struggle to compel leadership changes at well-resourced firms. The asset cap functioned as a mechanism that gave the board permission to make changes effectively. 

By contrast, Credit Suisse cycled leadership in less healthy ways and lacked a strong mechanism to force change. More pleading wouldn’t have helped there. Supervisory feedback had been given but wasn’t acted upon. 

So the question in such cases is: what if nothing changes? My ‘Too Big to Manage’ escalation logic is: feedback → enforcement → civil money penalty → binding constraint (e.g., asset cap). Different firms have different mixes of ability and willingness to change. Supervisors should give notice and a chance — but if change doesn’t happen, they need mechanisms that enable boards to act.“

3.4.2b Participants note that supervisors should build trust into their approaches.

“As policymakers, we must seek additional signals — from the public and elsewhere — about what actually builds trust. People’s perceptions are real; if they don’t trust government, they don’t trust it. Better to face that head-on and try to unpack it. I’ve long argued that the North Star for banking and bank supervision is trust. Money and banking run on trust: when trust is high, the system works remarkably well for the economy, communities, and people. When trust is low, things fall apart.”

What steps should regulators consider to enable more effective culture risk supervision?

4.1.1c Participants noted that greater transparency and accountability in supervisory processes would improve outcomes and preserve independence.

“Supervisors lack vehicles to tell their story credibly, and others control the narrative. Take crypto ‘de-banking.’ Crypto firms accused banks; banks pointed at regulators. It’s an uncomfortable conversation to tell a client, ‘We don’t understand your business; KYC/AML costs are too high; we’re out.’ So it’s easier to say, ‘the regulators made us.’ 

Meanwhile, do we think FTX should have been banked? No — banking a fraudulent enterprise enables harm. In 2022 there was widespread crypto fraud, (Celsius, Three Arrows, etc.). Banks had reasons to be cautious. 

This isn’t a pogrom by supervisors; it’s messy reality meeting safety and soundness. But supervisors can’t explain that publicly because of confidentiality.”

What steps should supervisory bodies consider to help drive their own culture change?

4.2.1a Participants noted the importance of supervisory cultures supportive of innovation and a readiness to adapt to change.

“Supervision is asymmetric. When times are good, you’re blamed for holding things back. When times are bad, you’re blamed for not doing enough. And supervision’s successes are invisible. Because supervisors are typically only noticed only when things go wrong, they become defensive. 

After SVB, members of Congress were talking about ‘matters requiring attention (MRAs)’ — an internal tool — out of context, as part of a blame game. Put yourself in a line examiner’s shoes: your instinct becomes ‘check every box,’ so no one can blame you.

That’s the supervisory version of a defensive mechanism — and it doesn’t yield good outcomes. Good supervision requires judgment, expertise, and knowing when to call for help — behaviors that don’t fit well in blame-centric environments.

There are hundreds of dashboard issues in any given week; supervisors nudge banks constantly — ‘measure this differently,’ ‘tighten this control’ — and most of it is unseen even inside firms. Publicly, you only see one failure every decade.

Post-Crisis, agencies get defensive and default to checklists because that’s what quality assurance reviews and oversight bodies test: “Did you follow procedure?” Box-checking is safe — but it’s not good supervision. That’s a serious challenge. 

A helpful model is the National Transportation Safety Board. After an accident, the NTSB culture is to avoid finger-pointing and analyze system failures dispassionately. Complex events rarely have a single culprit. Politically, money invites blame; but an NTSB-like approach — ‘figure it out first, then assign responsibility sensibly’ — would produce better outcomes. It’s hard because simple blame gets headlines; nuanced explanations don’t.”

4.2.1c Participants also recognized the need to develop new capabilities and frameworks

“Going forward, I see two scenarios. 

 

In one, supervisors don’t change much; frustration with Type I/II errors rises [e.g., false positives and false negatives], and a translator or 3rd party solutions layer grows between banks and supervisors to fill the gap. 

In the other, supervisors focus, recognize the moment, and re-architect to meet the moment — i.e., the ‘denominator’ (scale/complexity/speed of the banking system). In that scenario, the gap is filled by the agencies themselves. 

Agencies need a clear sense of direction: ‘We’re here; we need to get there.’ Without direction change will be incremental, and the gap will grow — the translator layer will harden. The risk is creating a permanent translator layer — which often ends badly for firms that over-rely on it. But a capacity-building, time-boxed model that gets agencies moving in the right direction in bold ways could add real value.
In equilibrium, the ‘numerator’ — agency resources and capabilities — must catch up to the denominator — scale/complexity/speed of banking. Some agencies can do that in-house; others will need help. External forces that accelerate that path can be positive, provided we avoid creating a permanent dependency. 

Either way, the core currency is credibility. I’ve delivered very bad news to banks that they hated but accepted because it was credible. I’ve also seen weak findings trigger steam-from-the-ears frustration because they lacked credibility. The former yields grudging respect; the latter erodes the supervisor’s standing. Leaders must discern: is current criticism a sign we’ve lost credibility, or just garden-variety pushback?”