The writer served in the US Treasury and SEC during the 2008 financial crisis, and as chief risk officer at big banks. He is author of The End of Theory
In 2008, regulators did not see the potential for contagion from a subprime crisis. Nor did they see the possibility of a resulting nationwide residential real estate meltdown. Lesson learned.
Thousands of pages of regulation followed, among them the requirement for many large financial institutions to perform costly, detailed tests of their financial viability in the face of market stresses.
But here we are, fifteen years later, this time facing the potential for contagion from small and regional banks after the failure of Silicon Valley Bank and then days later Signature Bank. Now First Republic has been closed and its deposits and most of its assets sold to JPMorgan. These troubles have raised fears of a knock-on impact on commercial real estate if banks turn more conservative on lending.
Risk management regulation in the US is a failure. It is reactive and overbearing, zealously prosecuting the problems of the day and the institutions facing those problems. It is codified to cover every inch of the current landscape, with years of hearings and comments in the process.
But the markets do not stand still. They have been remoulded by past regulations. And over the years since the 2008 crisis, the financial sector continues to innovate and create. Thus, our markets are dynamic and complex. Regulating risk is a game of whack-a-mole. All the more so because gaming new regulations is itself a prime mover for the innovations.
Regulators don’t understand the nature of risk. Sure, there are the pedestrian notions of risk-like market volatility and its many variants. These look at risk based on what the market has done in the past. But the risks that matter are the ones we don’t see coming, that emerge from the ever-changing nature of the markets and catch us unaware.
You won’t see those with a 20-page risk report or a model filled with esoteric statistics chomping on gigabytes of data. Indeed, if you model it, you’re wrong. The key is simply to be looking in the right direction for the right institutions. Do that, and it is hard to miss a risk that rises to the level of being systemic.
Every systemic risk I have encountered can be uncovered with a few questions, and can be explained in a few sentences. Once it is identified, that is. This time around that would be: What might happen to the small and regional banks if interest rates go up? What might happen in the face of social media if there is a crisis of confidence in a few banks? (Hint: run the meme stock scenario in reverse.) Where could a large-scale rollback of bank credit hit the markets?
So, it’s not that hard. The nature of risk requires us to rethink the way we go about risk management in the regulatory sphere. We don’t fail because of mismeasurement at the second decimal point or a poorly drafted subsection. We fail because our regulatory approach misses material risks wholesale.
This failure comes down to our foundational philosophy for regulation. At present it is rules-based. It takes years to draft regulations, with more regulations layered on top of those to buttress and protect against end-runs, to cover every contingency we can think of at the time.
But of course we can’t think of every contingency, because we don’t have a crystal ball into the markets of the future. We need a flexible and robust approach that respects the nature of risk. When it comes to risk we all agree on the desired outcomes. The principles are clear and constant. How to get there, that’s what changes. To meet these outcomes, regulators need to work cooperatively with industry to identify material risks and come to common solutions in the moment. This is called principles-based regulation.
In my years in risk management I have worked under both rules-based and principles-based regimes. The rules-based approach makes for comfortable — and somewhat boring — work, and does the job for day-to-day risks. That is, for risks that don’t matter. When it really matters, those risks will not be spelt out by the regulations codified last year in the government’s Federal Register.
Nor will they pop out from the risk reports and stress tests mandated by that regulation. Regulating material risks requires fresh thinking and some imagination. Regulators need to sit at the table with industry risk personnel. This is the direction our regulatory approach needs to go in so that the regulations we write this time around don’t lead to someone else writing, fifteen years from now, about how our regulations failed us yet again.