Following the failures of Silicon Valley Bank, Signature Bank and Silvergate Bank and the subsequent actions by the banking regulators to instill confidence in the US banking system (see Our Take: Special Edition), the market and policymakers have continued to react. Notable actions this week include:
Our Take
The actions this week from the government and the eleven banks are a show of force designed to instill market confidence and preserve stability in the US financial system. As the industry rallies and cooperates with the government to prevent a broader crisis, the policymakers are already turning to the diagnosis and treatment of what they determine to be the root causes of the crisis.
President Biden’s call to empower the FDIC appears to have support from Senator Brown, but it will take much broader agreement and significant deliberation to pass these policies through a divided Congress, particularly given the looming election cycle. In the short term, legislators are more likely to hold the regulators accountable for responsive changes to supervision. Senator Brown’s statement has kicked this off with a call to action for the regulators to exercise their existing authority to verify that all banks are operating in a safe and sound manner, including by adequately identifying, managing and controlling risks. Most immediately, we expect the intensity and invasiveness of supervision – through the examiners in the field – to increase. Areas of focus will likely involve more frequent and detailed liquidity reporting, enhanced assessments of risk management practices, and internal audit coverage, as well as senior management and board oversight.
In parallel, we expect the regulators to revisit the previous Administration’s regulatory tailoring that had reduced the frequency and magnitude of requirements including those around capital adequacy (e.g., leverage ratios), total loss absorbing capacity and resolution planning. The regulators had already been indicating that they would raise expectations for large regional banks that had grown in recent years but the concentration of the recent stress will likely prompt a reevaluation of the regulatory scrutiny applied to banks with less than $250 billion in assets. In addition, given the potential origins of the recent bank failures, the regulators’ assessment will likely include liquidity ratios, risk management and reporting; the impact of accounting for unrealized gains or losses in securities portfolios; and requirements for interest rate risk management.
In terms of bank reactions, the high volume of Fed and Federal Home Loan Bank borrowing that has taken place over this week indicates that banks are not hesitating to take necessary action to shore up liquidity, but could be reflective of depositors continuing to change their bank relationships. Despite Secretary Yellen’s assurance of the safety of bank deposits, her clarification on uninsured balances could drive customers to find alternative safe havens for deposits in excess of the insurance limit during this time of uncertainty. Given the high degree of political risk and moral hazard, policymakers are presumably treading lightly to reassure the public while avoiding signaling that all uninsured deposits will be protected by the government.
On March 15th, the SEC issued three proposals concerning customer data protection, cybersecurity risk management for broker-dealers, and amendments to Regulation Systems Compliance and Integrity (Reg SCI). It also reopened the comment period on a previous cybersecurity risk management proposal for investment advisers and funds.
Comments on all four proposals will be accepted for 60 days following publication in the Federal Register.
Our Take
With these proposals, Chair Gary Gensler has checked off nearly every target in his January 2022 speech outlining plans to shore up information security-related defenses across the capital markets. As he foreshadowed, these proposals would ensure that all major categories of financial institutions overseen by the SEC have comprehensive cybersecurity policies and procedures. Most firms already have cybersecurity policies and procedures at various stages of maturity, but even those with advanced programs will need to closely compare their capabilities with the elements described in these proposals and make plans to close any gaps. Notably, all four proposals include a provision around notifying either the SEC, customers, or both, of cybersecurity or data breach incidents, meaning that affected firms will need to develop or enhance reaction plans to develop, validate and issue the necessary communications. All of the proposals also echo Treasury’s recent cloud report in recognizing the prevalence of migrating data to cloud service providers and the resulting importance of effective third party risk management and oversight. As such, firms impacted by these proposals will need to develop a better understanding of where sensitive data is located, how access is restricted and authenticated, and what mechanisms are in place to detect and react to breaches - including through their third party service providers. As they are affected by all three of the new proposals, large broker-dealers will have the most work ahead and should begin to develop strategies and consider resource needs for potentially overlapping implementation schedules.
1 Reg SCI was adopted in 2014 to require certain market participants that are key to the functioning of the US securities market – including securities exchanges, registered clearing agencies and alternative trading systems – to have comprehensive policies and procedures for establishing, operating, maintaining, and securing critical technology systems.
These notable developments hit our radar this week: