FINANCIAL SERVICES
Community Banking's New Regulatory Burden: The SarbOx Syndrome
July 2004
By Christopher C. Gallagher*
Introduction
On June 14, 2004, former Federal Reserve
Chairman Paul Volcker and former Securities and Exchange
Commission Chairman Arthur Levitt, Jr. jointly authored
an op-ed in the Wall Street Journal entitled “In
Defense of Sarbanes-Oxley” addressing “those
in corporate America who worry that Sarbanes-Oxley has
gone too far.” Recognizing that “financial
and managerial effort as well as money is required,”
these twin towers of finance argued that the “costs
are justified in light of the benefits—the price
necessary to pay for more reliability in accounting,
clear accountability to shareholders, and more robust
and trusted markets.” Certainly, after the Enron-WorldCom
debacles, Sarbanes-Oxley[1] (SarbOx)
was the appropriate legislative and political tonic
to rejuvenate public confidence in Wall Street’s
financial marketplace. Significantly, however, because
of its high profile and overwhelming Congressional support,
SarbOx’s costly influence has spilled over into
areas where it may not be needed. This overreach
can be termed, “SarbOx Syndrome,” and its
potential danger to smaller business entities situated
on Main Street cannot be overstated.
One example is community banks. According to Donald
G. Ogilvie, President and CEO of the American Bankers
Association, in a June 22, 2004, letter to the editor
of the Wall Street Journal, “thousands of America’s
smaller community banks—with understandably
limited human and financial resources—feel an
added burden in dealing with the flood of paperwork
coming out of Washington today. Now that we’ve
begun to restore confidence in the nation’s boardrooms,
perhaps it’s time to seek a better balance between
carrot and stick for the nation’s smaller companies.”
(emphasis added)
In a June 11 letter to Chairman Oxley, American Bankers
Association Executive Vice President Edward Yingling
makes the point even more directly. Acknowledging the
importance of Sarbanes-Oxley in combating fraud and
abuse in our largest public companies, “the need
to apply its provisions . . . to community banks is
less clear.” Notwithstanding Mr. Yingling’s
letter, today’s political realities are such that
Congressional relief from SarbOx Syndrome seems a long
way off. Meanwhile, SarbOx Syndrome elevates regulatory
compliance oversight to new levels of expectation for
failsafe systems. Banking regulators are well-aware
of this compliance creep.
Their
June 22, 2004, testimony on a regulatory relief bill
sponsored by Sen. Mike Crapo (R-Iowa), indicates their
worry.[2] In an election
year, however, such concern is unlikely to lead to relief. And
regulators will enforce the laws as they are, not as
they ought to be. More important, regulators try
to keep Congress happy, and what regulators are hearing
on Capitol Hill is that they should add homeland security
and investor protection to their traditional goals of
safety and soundness and consumer protection, making
certain that noncompliance is not even possible. However
difficult, therefore, community banks must adjust to
SarbOx Syndrome.
Community Banks
The FDIC is
presently studying “The Future of Banking.” Most
recently, it released, “Community Banks: Their
Recent Past, Current Performance, and Future Prospects.” The
study concludes that:
. . . community banks’ ability to provide personal
service to depositors continues to be one of their
strengths. Although community banks’ asset
share also dropped (as the asset shares of both larger
banks and credit unions have increased), an examination
of community bank lending demonstrates that they continue
to hold their own in real estate lending to businesses,
and continue to provide a disproportionately large
amount of credit to small businesses and the agricultural
sector. Community banks’ ability to assess
the creditworthiness of borrowers without long credit
histories maintains an advantage in this kind of lending,
one that large banks may find difficult to emulate.[3]
Its Executive
Summary ends with the following paragraph:
Community banks do face challenges. The number
of community banks is likely to decline in the years
ahead. Many community bankers state that it is
difficult to both find and retain qualified employees.
Competition with nonbank competitors, including credit
unions, will continue. The fixed costs of regulatory
requirements fall more heavily on community banks
than on larger ones. Regulatory burdens could, therefore,
have a significant negative effect on community banks’
future prospects. Nevertheless, the evidence from
the recent past about community banks’ market
presence, industry share, and earnings performance,
coupled with the continued creation of new community
banks, points strongly to community banks being a
viable business in the future.[4] (emphasis
added)
The obvious
question raised by these informed observations is whether
or not the “significant negative effect”
of regulatory burden on the future prospects of community
banks has become even more exaggerated in this new post-SarbOx
era? This article’s answer is Yes. Will
Congress come to the rescue? Perhaps, but not soon
enough. How must community banks respond? Community
banks must take these new compliance challenges into
their own hands, meeting them head-on with thoughtful
risk-based prioritization and analysis. Community
bankers have to reconsider their own role and that of
their directors. And regulators themselves must
become more flexible, supporting these efforts first,
by being aware of the SarbOx Syndrome, then by infusing
constructive scalability where possible into their examination
standards. In both cases, the effort will require
a qualitative change in their respective attitudes about
systems to ensure safety and soundness and regulatory
compliance.
SarbOx Syndrome
The summer
of 2002 featured the Congressional enactment of the
Sarbanes-Oxley Act (SarbOx), a politically-charged response
to the Enron-WorldCom disasters. Passed with overwhelming,
bipartisan support, this rare unanimity moved its impact
far beyond its specific applicability. For bank regulators
(even in a post-FDICIA world of closer supervision[5]),
SarbOx is widely interpreted as a signal to make bank
compliance “failsafe” in certain areas of
high sensitivity so that similar scandals cannot occur
in the world of financial services. “SarbOx Syndrome”
has added stress if not new meaning to “risk-based”
regulation, threatening to turn it into “risk-free”
regulation, tied to fixed systems that are easy to measure
but unduly constrictive for a given institution. Responsibility
for the new controls appropriately resides even more
with the bank’s officers and directors, but with
new examination emphasis focused on internal control
systems and buttressed by external accounting and audit,
the failsafe mentality applied to regulatory compliance
has been carried over into assessment of asset quality. But
all risk-based compliance requires an assessment and
prioritization process suited to each institution. No
two community banks are alike. Morphing the examination
process into the systemic reliability of “rule-based”
regulation, therefore, can be counterproductive. One
size does not fit all. Risk-based regulation cannot
be risk-free. Yet that is where it is being driven.
Section 404
Section 404
of Sarbanes-Oxley requires that annual reports include
a management-certified statement that their internal
controls contain no “material weakness.”
A material weakness exists if it is reasonably possible
that a material misstatement of financial results would
not be prevented or detected by the institution’s
internal controls. Yes, Sarbanes-Oxley is enforced by
the understaffed SEC and applies only to institutions
with more than 500 shareholders, but as the ABA’s
Edward Yingling stated in his letter, the Securities
Exchange Act of 1934 reporting requirements now apply
to many small community banks that have “over
the years seen their shareholder base grow as successive
generations distribute their stock holdings to their
descendants.” More significant, the new regulatory
burdens to which Mr. Yingling’s letter refers,
are now being imposed on all community banks, whether
or not they are directly targeted by SarbOx. Responding
to Congress’s signal, bank regulators have unleashed
a blizzard of banking bulletins, alerts, letters and
guidelines establishing requirements for management
responsibility and internal controls. Sarbanes-Oxley
was aimed at the reliability of company reports for
Wall Street. Its failsafe directives now are being applied
to regulated entities on Main Street.
Such regulatory ratcheting is significant. Applied
to community banking, the SarbOx Syndrome raises compliance
costs to levels where these important institutions,
whose contribution to their community is their business
model, are handicapped in their robust competition with
regional and money center brethren. That foreboding
phrase in the definition of material weakness, “reasonably
possible” is intended, no doubt, to intimidate,
but for banks, whose job is to assume risk, it can be
too constricting. Foolproof systems for compliance lead
to costs that can rob community banks of their very
reason for being. They can deter product offerings by
imposing unnecessary opportunity costs. Moreover, many
community banks operate at the edge of profitability. Roughly
10% are now losing money. These banks make loans to
business that otherwise will not be made. If unwarranted
regulatory burden causes community banks to further
curtail or cease operation, Main Street consumers, small
business and our nation’s economy all will feel
their pain.
Community Banking Today
Nationwide,
the community banking population (now approximately
8,000) has dropped to about one half of where it was
10 years ago. The disparity of assets between the super-size
banking operations and the remaining community banks
continues to widen. Larger banks and specialty finance
companies (like ditech.com) continue to steal community
bank market share as they adversely select against them,
using new technology to serve so-called “higher-information”
credits while, through pricing, they attract more efficiency-oriented
customers. Increasingly, community banks that have clung
to their independence are left to wrestle each other
over a shrinking customer base. As any such “death
spiral” dictates, eventually the pool served by
their lending will progressively contain even less informational
transparency. Remaining customers will want even more
service. Today’s competitive environment features
margins compressed on one hand by less-regulated credit
unions paying lower taxes (which, according to the FDIC,
makes for an uneven playing field).[6]
The differences at this level of competition are broadening.[7]
On the other hand, community banks must compete with
larger financial institutions, able to spread expanding
compliance costs over a wider operating base. As interest
rates rise, larger banks and financial providers will
have even more room to maneuver, making matters even
worse.[8]
Beyond SarbOx,
other recently enacted laws also reflect the new syndrome,
adding further emphasis to the new failsafe mindset.
The Bank Secrecy Act, Gramm-Leach-Bliley, and the USA
PATRIOT Act all require the installation
of management controls designed to render non-compliance
impossible. Out-of-pocket expense for creating and integrating
required foolproof systems is considerable. But worse
than their expense, such failsafe measures can straitjacket
community banks whose “can-do” creativity
and responsiveness have always differentiated them from
their more commodified large bank brethren. Larger banks,
with their expanding menus of commoditized products
and services are growing as rapidly as technological
progress will allow. Their broader platforms are better
able to spread and absorb the new costs, while their
size and business models enable them to more efficiently
utilize information technology.
As ratios of community bank compliance costs to other
non-interest costs continue to worsen, many will be
forced to avoid offering products and services rendered
inefficient by the cost of creating systems to ensure
compliance. Some will have to sell out to larger banks.
In either case, community banks’ supportive role
in our economy could lessen, withdrawing much-needed
stimulus and support. No one has yet made the case
that community banks wishing to stay independent should
not do so. Nevertheless, if SarbOx Syndrome is not soon
brought into balance, more losses will result. As
one banker put it, “the community bank, which
has been the cornerstone of economic growth in this
country, is in great danger of being regulated right
out of business.”[9]
So while community
banks are forced to operate with lower net interest
margins, and compliance now comprises some 12-14% of
non-interest costs,[10]
SarbOx syndrome will demand even more quantification
of risk, more recordkeeping, and more “systems.”
The shifting “paradigm” of FDIC examination
is clearly explained in the first issue of Supervisory
Insights (Summer 2004) by its Senior Policy Analyst
John M. Jackwood. Beginning in 1996, with more changes
put in place in 2003, the FDIC has been reorienting
the examination process “toward a top-down, risk-focused
approach . . . changing examination workflow . . . by
establishing a compliance risk profile” and focusing
on changes in bank operations before proceeding with
more traditional transactional analysis.[11]
But coupled with the new risk sensitivity imposed by
SarbOx Syndrome, particularly when applied to asset
management, these new procedures can have the effect
of reducing the very exercise of discretion and judgment
based upon local experience that defines community banking.
As Fed Governor Susan Schmidt Bies puts it, “when
we find significant control deficiencies, significant
asset-quality or financial-reporting problems are generally
present.”[12]
Accordingly, those community banks who want to remain
independent must find new ways now to both adjust to
the new regulatory paradigm and to contain compliance
costs, reducing the operational risk of losses resulting
from internal processes deemed inadequate in the harsh
light of the new sensitivities.
Black Box Solutions?
Obviously, regulatory compliance cannot be outsourced;
indeed, SarbOx Syndrome requires even greater integration
of compliance into the bank’s operations. Vendors
offer a kind of “insourcing” in the form
of database information technology, promising the operational
integration of compliance and risk management, and predicting
an agile and competitive business. Though purely technological
responses can help, they cannot resolve the problem.
Virtually all of the assets and liabilities of financial
service providers are maintained in digital form. Internal
information systems can be supported by electronic systems,
while continuing audits, running in real time, can expedite
the external audit function required by the new regulatory
focus. Information technology and data-based compliance
can help, but IT alone cannot do the job.[13]
The best of
internal systems cannot “control” the conduct
of bank employees or the conduct of service providers
to whom more and more operations are outsourced to hold
down costs. Black boxes do not deliver the increased
level of managerial awareness, attention and understanding
now sought by bank examiners. Indeed, these “failsafe”
controls require endless analysis, assessment, testing
and discussion by bank personnel, followed by management
reports to directors and audit committees, who with
the rest of management are expected to “know
what’s going on under the hood.” Examiners
are moving compliance responsibility toward management,
not away and out of sight.
Fancy, sophisticated
compliance technology may not seem as “reliable”
to bank examiners as it is to those who sell it. They
too need to be able to see and to understand the compliance
mechanisms. Cutting back on compliance certainly is
not an acceptable response to the new competition, and
dueling with larger banks with commoditized products
and services is bound to fail. Thus, community banks
have no choice but to compete in the new world of commoditized
financial services and to elevate their internal systems
controls to acceptable compliance levels properly integrated
into their business operations. All directors and employees
must project a culture of commitment to compliance.
Is Survival Possible?
Is the “viable
business in the future” described in the FDIC
study real, or is it just a tag-line in the study’s
conclusion? (Critchfield et al., p. 4.) With fewer
products and more time spent tailoring services to
individual customer needs, and providing “a disproportionately
large amount of credit to small business,”[14]
community banks are now being subjected to the FDIC’s
new examination focus intensified by SarbOx Syndrome.
Clearly, although the regulators want to make the examination
process more constructive (see Jackwood), the post-SarbOx
application of this new “focus” to the “risk
profile” of community banks can result in a painful
examination process, in which management’s unquantifiable
experience and local know-how is deemed unacceptable
from a “systems” point of view, especially
when such “systems” are expected to produce
“risk-free” compliance. Ironically, “low
information” and “more opaque” business
lending are recognized as a leading role of community
banks by the FDIC in its Study released this June,[15]
in the same month Jackwood’s article described
the new “systems” focus. In any case, as
regulator emphasis on senior administrative involvement
in risk management intensifies, community bank CEOs,
whose job is to make the close calls on these low information
loans, will be required to demonstrate systemic capabilities
that in fact are more art than science, that hitherto
have resisted quantification, systemization or the application
of hard and fast rules. The coming period of adjustment
will be difficult.
To stay independent while continuing to be community
banks, community bankers themselves have to change.
As the FDIC’s Mr. Jackwood says, “Effective
compliance program management at a bank starts at the
top—with the board of directors and senior management,
who are responsible for the bank’s management
and control. The top-down, risk-focused approach to
compliance examinations complements the importance of
directorate and senior management accountability for
a bank’s compliance risk management system.”[16]
For community banks, the “better balance”
sought by Mr. Ogilvie has to occur “within the
walls.” CEOs must extend their sales sensitivities
and creative consciousness to the area of compliance.
They must join with their compliance professionals in
a new effort to “sell” their business model
to the regulators and their new emphasis on compliance
to their employees and directors. They need to
mold their business model into this new regulatory environment.
There is no other way. The alternative is to match
the regionals and money centers at their game, and scale
considerations suggest this is no longer practical.
New Regulators?
The regulators
themselves also have an interest in maintaining a banking
system that can accommodate the varied risk profiles
of community banks. As long as there remains a
continuing need for hands-on examinations, their own
personal presence will be needed. They should have no
wish to be replaced by some black box approach providing
“failsafe” compliance in “real time.”
Flexibility (not “forbearance”) is needed
to apply the new regulatory focus to the unique operations
of our community banks. And since regulators need
community banks to survive as much as community bankers
do, they should learn to work together. The new
compliance may be burdensome, but its successful implementation
will require bank management to apply the same sound
judgment and discretion now employed to meet customer
needs, to regulatory needs. Regulators, acting as a
resource, have a significant contribution to make.[17]
One can agree
with Levitt and Volcker on the economic importance
of Sarbanes-Oxley, with its heightened responsibility
and accountability, and still recognize that its approach
may not require the imposition of rigid, rule-based
systems enforcement as though one size fits all. Clearly,
post-September 11 concerns about money laundering and
other means of terrorist financing are justified, but
over-zealous, risk-proof response to recent heightened
Congressional concerns carries its own dangers to our
economy. In this evolving dynamic, if the present system
of community banking and regulatory examination is to
maintain its critical support of Main Street business,
seeking the better “balance” sought by Mr.
Ogilvie is not only sound, it is necessary. Eventually,
Congress will catch up with SarbOx Syndrome and the
intensified regulatory burden it brings with it. But
for now, that balance must be attained within the banks
themselves. Preserving our community banks will
require both newly-sensitized bank management and regulators
working together to bring about a reasonable, risk-based
regulation that will work for everyone.
The [New] Ten Commandments
1. The rising
fixed cost of compliance and its effect on efficiency
ratios means that CEOs, directors and other top managers
must elevate their attention to raising its priority
and profile, and get involved directly.
2. The risks of noncompliance are heightened, not only
because of new “SarbOx Syndrome,” but because
enforcement priorities may require public examples,
making mistakes more costly. Don’t be the
next Riggs.
3. Anticipation of regulator needs, priorities
and emphasis is now even more critical. Waiting
to learn where they are “coming from” through
examinations is itself no longer reasonable. Work
more closely with your compliance professionals and
your regulators.
4. Where feasible, information technology can be helpful,
but it cannot do the job by itself and certainly must
not be allowed to lower consciousness about compliance.
5. Automated electronic compliance works well where
formulaic solutions (such as computing Truth in Lending
disclosures) solve the problem. Today’s risk-based
compliance, like any other risk process, however, requires
the proactive and informed exercise of executive judgment.
6. Regulators should be viewed as “customers.”
Identifying their needs, priorities and regional points
of emphasis is more important now than ever. Community
banks thus need CRM and “RRM” to which management
is committed.
7. There are no off-the-shelf, one-size-fits-all
formulas or programs. Risk-based compliance is
bank-specific. It must be scaled and integrated
into the bank’s total risk management planning
and operation.
8. Traversing the “mine field” of regulatory
burden without more conscious attention to compliance
is now another form of “betting the bank.” The
adverse consequences of such madness are truly dire.
Sanctions, reputation damage, class actions, loss of
operating or merging options are only the more obvious
financial consequences.
9. Financial, regulatory and reputational risks
must be recalibrated to produce the right balance for
each independent bank.
10. Documenting
ongoing compliance planning and implementation is now
even more critical. With the new systems-based
regulatory oversight, its absence becomes a material
weakness. Mere absence of specific violations is no
longer enough; proving that noncompliance did not occur
anywhere now requires the demonstration that it could
not have occurred.
Notes
1. The complete text of the Sarbanes-Oxley Act of 2002
is available online.
2. “My
concern is that the volume and complexity of existing
banking regulations, coupled with new laws and regulations,
may ultimately threaten the survival of our community
banks.” (“Statement of John M. Reich,
Vice Chairman, FDIC, on Consideration of Regulatory
Reform Proposals before the Committee on Banking, Housing
and Urban Affairs, United States Senate,” June
22, 2004, p. 4. Available from http://banking.senate.gov/_files/reich.pdf. Similarly,
see p. 2 of the Testimony of June L. Williams,
first Senior Deputy Comptroller and Chief Counsel, Office
of the Comptroller of the Currency, before the same
committee hearing. Available from http://banking.senate.gov/_files/ACF413.pdf.)
3. Tim Critchfield et al., “Community Banks: Their
Recent
Past, Current Performance, and Future Prospects”, FDIC
Paper FOB-2004-3.1, Executive Summary, p. 1. Available
here.
4. Ibid., p. 2.
5. Financial institutions with total assets of $500
million or more have been subject to Section 112 of
FDICIA for more than ten years.
6. Reich Statement, p. 8.
7. “At the same time credit unions, with an unfair
tax-exempt advantage and favorable legislation loosening
membership restrictions, have made inroads into small
banks’ market segments. Credit union assets
have more than tripled since 1984, from $194 billion
to $611 billion, whereas small bank (less than $1 billion)
assets have decreased in value.” (“Testimony
of Dale Leighty on behalf of the Independent Community
Bankers of America on Consideration of Regulatory Reform
Proposals before the U.S. Senate Committee on Banking,
Housing and Urban Affairs,” June 22, 2004, p.
2. Available from http://banking.senate.gov/_files/leighty.pdf.)
8. And regulators of community banks even more vigilant!
9. “Testimony of Bradley E. Rock on behalf
of the American Bankers Association before the U.S.
Senate Committee on Banking, Housing and Urban Affairs,”
June 22, 2004, p. 1. Available from http://banking.senate.gov/_files/rock.pdf.
10. See: “The Cost of Bank Regulation: A
Review of the Evidence,” by Gregory Elliehausen. 1998. Staff
Study No. 171. Board of Governors of the Federal
Reserve System. Available here.
11. John M. Jackwood, “Compliance Examinations: A
Change in Focus,” Supervisory Insights 1, No. 1
(Summer 2004), Federal Deposit Insurance Corporation,
p. 16. Available here.
12. Remarks by Governor Susan Schmidt Bies at the Financial
Managers Society Finance and Accounting Forum for Financial
Institutions, Washington, D.C., June 22, 2004, p. 4. Available
here.
13. Even digitally-directed control systems must comply
with the still unsettled requirements of the E-Sign
Act of 2001.
14. Critchfield et al., p. 1.
15. Critchfield et al., p. 7.
16. Jackwood, p. 17.
17. See “Resource Regulation: The Road to
Relevance,” by Christopher C. Gallagher, September
30, 2003. Available here.
* Christopher C. Gallagher is admitted in New Hampshire.