On June 23, 2020, the FDIC posted “The Interagency Examiner Guidance for Assessing Safety and Soundness Considering the Effect of the COVID-19 Pandemic on Institutions.” FIL-64-2020
This statement this is only one of several interagency statements issued since the start of the Covid-19 Pandemic outlining supervisory principles examiners will use to guide their safety and soundness examinations in the context of this event. Simply put, this statement makes it clear that regulators expect financial institutions to take prudent actions and make reasonable accommodations to address the impact of the event on their customers (and by extension, on themselves).
The focus on this post is on what may be less clear, because ambiguity opens the door to interpretation, and differences of opinion between management and regulators are where the most contentious examination findings occur. We’re going to look at a few passages that caught my eye, and discuss how to interpret them and what specific action to take. We’ll focus on the Management section starting on page 9. The first few sentences state that:
Interpretation and actions to be taken
This one is pretty straightforward. When the dust settles from this event, examiners will be asking you to see specific changes you’ve made to your strategic planning based on the lessons-learned. Not if you’ve made adjustments to strategy, but what you’ve done to respond. Even if no material changes are forthcoming, make sure the Board and senior management meeting minutes reflect your thinking.
The next area we’ll try to read between is right after the previous one:
Interpretation and actions to be taken
This relatively short sentence is much trickier to decode because it depends on the definition of “…external factors beyond management’s control.” Does “beyond control” mean beyond the capacity of management to anticipate? Virtually all natural disasters (and most man-made disasters and cyber events) are beyond management’s control, but that doesn’t mean the event should not be foreseen and assessed for probability and impact. In fact the most recent FFIEC BCM Booklet makes no reference to risks beyond management’s control, instead using the term “reasonably foreseeable events”, (including low probability, high impact events, like Pandemic) to describe the scope of events expected to be foreseen and risk-assessed by management. How should we reconcile the two concepts; “external factors beyond management’s control”, and “reasonably foreseeable/anticipated risks”? Again, most threats facing financial institutions today are both beyond management’s control, and reasonably foreseeable. Understanding how to approach this issue is more than an academic exercise, the Management component of your CAMELS rating may be affected by it.
Continuing in the same section:
Interpretation and actions to be taken
To me this was the most difficult to interpret. Hypothetically, let’s say you’ve encountered credit quality issues largely related to the effects of the Covid-19 Pandemic. No downgrade because it’s outside your control and not a sign of weak management practices. Just retroactively adjust your loan loss reserves and move on. Now, substitute “pandemic” with “major storm”. Let’s says you’ve experienced significant operational problems largely related to the storm. Also outside your control, but regulators will probably take the position that operational issues arising from a natural disaster should have been reasonably foreseen, and your failure to anticipate that is a sign of weak management practices. In this case your Management component will likely take a hit. Both Pandemic and severe weather are very likely addressed in your BCM plan, but the impact of one may be forgivable, while the other is attributed to weak management?
What we think the regulators are saying here is that it’s not the specific event, or problems arising from that event, or even whether or not management foresaw the problems in advance, that regulators really care about. It’s management’s response to the event, whether or not it was within their control, whether or not it was foreseen. That is the core of the issue; how management improvises, adapts, and overcomes.
This brings us back to the beginning and the first “actions to be taken”. This event has been an unprecedented event in both scale and scope, and we believe when the dust settles, examiners will be asking to see your specific adaptations to procedures and processes to ensure continued delivery of financial services. This will include your ability to assess and implement additional controls (including cyber) to “…manage heightened risks related to the adjusted operating environment.”
One last sentence to decipher, and this one may be the easiest to understand:
Interpretation and actions to be taken
Self-explanatory. Examiners will take a dim view of cost-cutting even if you can use the Pandemic to rationalize it. Don’t sacrifice your control environment on the altar of saving money. Additionally, this is not the time to cancel or delay projects, stay on track with your initiatives but make any necessary strategic adjustments resulting from the lessons-learned, including new technology and staffing considerations.
In summary, we believe that when all the direct and indirect impact from this event is calculated, it will prove to be no less significant than a major natural disaster or even a recession. The regulators are giving every indication that they think so too, and plan to treat it that way.