Risk & Compliance

Forum: Out of Control?

Regulators are worried that banks are letting their internal controls slide. Who's minding yours?
Steven M. RobertsAugust 1, 1998

Most banks understand the importance of having appropriate internal controls in place to protect against risk. However, regulators are concerned that there appears to be some slippage in their attention. And if a highly regulated industry like banking deserves scrutiny, it stands to reason that CFOs of other companies should be reviewing their controls as well. A logical excuse for failing to do so is that they’ve managed to avoid problems so far. But that may be thanks only to the fair winds of a strong economy.

Perhaps the clearest expression of regulatory concern in the banking industry came last June, when Julie L. Williams, Acting Comptroller of the Currency (OCC), a unit of the Treasury that oversees large national banks, addressed a meeting of the Bank Administration Institute’s National Auditing and Regulatory Compliance Conference in Chicago. “I am concerned,” she told the gathering, “that the vigor and thoroughness of banks’ internal controls [are] slipping. This is a trend that must be reversed.” She cited evidence in a study prepared by the OCC’s Central District Office in Chicago that found that the growth in audit capabilities in the banks’ ability to manage risk they looked at was not keeping up with the growth of the banks. For example, one bank violated the rule against having a single person both authorizing loans and controlling their disbursement, and subsequently suffered a big loss.

Williams couldn’t explain this state of affairs in light of the industry’s ongoing upheaval–consolidation, globalization, and technological changes. “In the face of such [massive] industry change, it would stand to reason that banks would be strengthening their internal controls instead of cutting them back,” she noted. “It stands to reason that banks would be adding experts in this area–in- house or contract–to their staffs. It stands to reason that banks would be upgrading their monitoring systems to make them more effective and more resistant to tampering and intrusion.”

So much for reason. Williams went on to announce that the OCC would soon release a new Comptroller’s Handbook for Internal Control, to call attention to the importance of internal controls and the supervisory emphasis that will be put on examination of their effectiveness. Other financial regulators are likely to follow suit.

It’s not as if the banks haven’t had ample warning. Under the Federal Deposit Insurance Corporation Improvement Act (FDICIA) of 1991, institutions operating in the United States are required to file an annual report with regulators in which management attests to the effectiveness of their controls, and independent public accountants must attest to, and separately report on, management’s assertions.

Heeding congressional concern, the accounting industry established a commission to encourage tighter controls and greater attention to them.

Regulators, meanwhile, began to focus their attention on risk management, and made changes to their examination approaches in hopes of getting banks to develop and implement reliable systems. While internal controls were not yet singled out for special consideration, that changed in July 1997, when the Group of Thirty, an informal gathering of central bankers, regulators, and other financial heavyweights from across the globe, published a report entitled “Global Institutions, National Supervision and Systemic Risk.”

Finally, the Basle Committee on Banking Supervision of the Bank for International Settlement, a central bank based in Switzerland that oversees other nations’ central banks, issued a paper last January that was intended for use by bank supervisors in evaluating the performance of banking institutions, particularly in regard to their internal control systems.

But despite report after report from regulators, it appears that some banks still have more to do. And if regulators can’t get sloppy banks to improve their systems, what is to keep inadequate controls from wreaking havoc at more lightly overseen companies when the economy slows?