Summary

Financial regulators have an important role in assessing risk management systems at financial institutions. Analyses have identified inadequate risk management at large, complex financial institutions as one of the causes of the current financial crisis. The failure of the institutions to appropriately identify, measure, and manage their risks has raised questions not only about corporate governance but also about the adequacy of regulatory oversight of risk management systems. GAO's objectives were to review (1) how regulators oversee risk management at these institutions, (2) the extent to which regulators identified shortcomings in risk management at certain institutions prior to the summer of 2007, and (3) how some aspects of the regulatory system may have contributed to or hindered the oversight of risk management. GAO built upon its existing body of work, evaluated the examination guidance used by examiners at U.S. banking and securities regulators, and reviewed examination reports and work papers from 2006-2008 for a selected sample of large institutions, and horizontal exams that included additional institutions. In January 2009, GAO designated the need to modernize the financial regulatory system as a high risk area needing congressional attention. Regulatory oversight of risk management at large, financial institutions, particularly at the holding company level, should be considered part of that effort.

The banking and securities regulators use a variety of tools to identify areas of risk and assess how large, complex financial institutions manage their risks. The banking regulators--Federal Reserve, Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS)--and securities regulators--Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA)--use somewhat different approaches to oversee risk management practices. Banking examiners are assigned to continuously monitor a single institution, where they engage in targeted and horizontal examinations and assess risks and the quality of institutions' risk management systems. SEC and FINRA identify areas of high risk by aggregating information from examiners and officials on areas of concern across broker-dealers and by monitoring institutions. SEC and FINRA conduct discrete targeted and horizontal examinations. The banking regulators focused on safety and soundness, while SEC and FINRA tended to focus on compliance with securities rules and laws. All regulators have specific tools for effecting change when they identify weaknesses in risk management at institutions they oversee. In the examination materials GAO reviewed for a limited number of institutions, GAO found that regulators had identified numerous weaknesses in the institutions' risk management systems before the financial crisis began. For example, regulators identified inadequate oversight of institutions' risks by senior management. However, the regulators said that they did not take forceful actions to address these weaknesses, such as changing their assessments, until the crisis occurred because the institutions had strong financial positions and senior management had presented the regulators with plans for change. Regulators also identified weaknesses in models used to measure and manage risk but may not have taken action to resolve these weaknesses. Finally, regulators identified numerous stress testing weaknesses at several large institutions, but GAO's limited review did not identify any instances in which weaknesses prompted regulators to take aggressive steps to push institutions to better understand and manage risks. Some aspects of the regulatory system may have hindered regulators' oversight of risk management. First, no regulator systematically looks across institutions to identify factors that could affect the overall financial system. While regulators periodically conducted horizontal examinations on stress testing, credit risk practices, and risk management for securitized mortgage products, they did not consistently use the results to identify potential systemic risks. Second, primary bank and functional regulators' oversee risk management at the level of the legal entity within a holding company while large entities manage risk on an enterprisewide basis or by business lines that cut across legal entities. As a result, these regulators may have only a limited view of institutions' risk management or their responsibilities and activities may overlap with those of holding company regulators.