Testimony Concerning Lessons Learned in Risk Management Oversight at Federal Financial Regulators
by Erik Sirri
Director, Division of Trading and Markets
U.S. Securities and Exchange Commission
Before the Subcommittee on Securities, Insurance and Investment
Committee on Banking, Housing and Urban Affairs, United States Senate
March 18, 2009
Chairman Reed, Ranking Member Bunning, and Members of the Subcommittee:
I am pleased to have the opportunity today to testify concerning the insights gained from the SEC's long history of regulating the financial responsibility of broker-dealers and protecting customer funds and securities.
The turmoil in the global financial system is unprecedented and has tested not only the resiliency of financial institutions, but also the assumptions underpinning many financial regulatory programs. I have testified previously that the deterioration in mortgages spread to the capital markets through securitization, and to related derivative and insurance products. The knock-on effects broadened and deepened beyond those entities that deal in mortgages and mortgage-related financial products, including investment and commercial banks, insurance companies, and government sponsored enterprises, and finally to operating companies.
Market participants relied on the thriving securitization process to disperse risk and provide more private capital raising and investing opportunities for investors, but as we have learned that process did not eliminate or, in many cases, even reduce risk. Ultimately, the growing size and dispersion of risk, combined with deteriorating markets, has made clear to regulators the need for greater transparency and stronger risk management controls for financial institutions of all kinds. I believe, however, that hearings such as this one, where supervisors reflect on and share their experiences from this past year, will enhance our collective efforts to continue to improve the risk management oversight of complex financial institutions.
The CSE Program and BD Financial Responsibility
Some changes in the capital markets and the broader economy have presented new challenges that are rightly the subject of Congressional review, notwithstanding the current regulatory system's long record of accomplishment. The point is, we don't need to start from scratch. Instead, we should build on and strengthen what has worked, while taking lessons from what hasn't worked in order to adjust the current system to update our regulatory system to fit modern market practices, products, and conditions.
Beginning in 2004, the SEC supervised five entities with large U.S. securities firms as subsidiaries on a consolidated basis, specifically, Goldman Sachs, Merrill Lynch, Morgan Stanley, Lehman Brothers and Bear Stearns. For such firms, known as consolidated supervised entities or "CSEs," the Commission oversaw not only the U.S. registered broker-dealer, but also the holding company and all affiliates on a consolidated basis. The registered broker-dealers that were the core regulated entities within the CSE groups were supervised by staff both at the SEC and at the primary self-regulatory organization (SRO), FINRA — a system akin to bank supervision at the depository institution level as well as the holding company level. It should be noted that the U.S. broker-dealer subsidiaries of the CSE firms at all times during this credit crisis remained solvent and adequately capitalized.
The CSE program was designed to be broadly consistent with Federal Reserve oversight of bank holding companies. Of note, the use of the Basel Standard to regulate holding companies of the broker dealer did not result in a diminution of capital at the broker-dealer. First, broker-dealers had to maintain a minimum of $5 billion tentative net capital to qualify for the calculation. Although phrased as an early warning level, the "5 billion" was and remained a hard limit. No firm fell below this requirement. The CSE regime was also tailored to reflect two fundamental differences between investment bank and commercial bank holding companies. First, the CSE regime reflected the reliance of securities firms on fair value, and where possible, mark-to-market accounting as a critical risk and governance control.1 Second, the CSE program requirements as to liquidity are explained below. Whereas commercial banks may use insured deposits to fund their businesses and have access to the Federal Reserve as a backstop liquidity provider, the CSE firms were prohibited, under SEC rules, from financing their investment bank activities with customer funds or fully-paid securities held in a broker-dealer. Moreover, the SEC had no ability to provide a liquidity backstop to CSEs.
The CSE program had five principal components: First, CSE holding companies were required to maintain and document a system of internal controls that had to be approved by the Commission at the time of initial application. Second, before approval and on an ongoing basis, the Commission staff examined the implementation of these controls. Third, CSEs were monitored for financial and operational weakness that might place regulated entities within the group or the broader financial system at risk. Fourth, CSEs were required to compute a capital adequacy measure at the holding company level that is consistent with standards set forth by the Basel Committee on Banking Supervision (Basel Committee). Finally, CSEs were required to perform stress tests on the liquidity computation and maintain significant liquidity pools at the holding company, for use in any regulated or unregulated entity within the group without regulatory restriction.
To monitor the implementation of firms' internal controls, the CSE program leveraged the firms' internal audit functions, among other things. Our staff met regularly with internal auditors to review and explore issues identified by their risk assessment and audit program. The Commission's rules for CSEs required internal auditors to review the functioning of major governance committees and all internal risk control functions and represent in writing to the SEC annually that this work has been done, with the results presented to the external auditor and the audit committee of the Board of Directors. Also, as circumstances required, or as risk management issues arose, senior officers of the SEC met with CEOs, CFOs, and other members of the firm's senior management to raise issues for focus and resolution.
The CSE program also included examination of and monitoring for key risk control areas, in particular market, credit, liquidity, and operational risk. The holding company was required to provide the Commission on a periodic basis with extensive information regarding its capital and risk exposures, including market, credit, and liquidity risk. SEC staff met monthly with CSE firm risk managers and other personnel to review and discuss this information.
Two fundamental components of the CSE program deserve special attention: capital and liquidity. In electing to operate under the CSE program, the holding company was required, among other things, to compute on a monthly basis its group-wide capital in accordance with the Basel standards. CSEs were expected to maintain an overall Basel capital ratio at the consolidated level of not less than the Federal Reserve Bank's 10% "well-capitalized" standard for bank holding companies. CSEs were also required to file an "early warning" notice with the SEC in the event that certain minimum thresholds, including the 10% capital ratio, were breached or were likely to be breached. Commission rules for CSEs permitted the parent holding company to calculate its capital adequacy using an approach consistent with either of the two Basel standards, adopted by the Basel Committee.
Investment banks relied on the ongoing secured and unsecured credit markets for funding, rather than customer deposits; therefore liquidity and liquidity risk management were of critical importance. In particular, the Commission's rules required CSEs to maintain funding procedures designed to ensure that the holding company had sufficient stand-alone liquidity to withstand the complete loss of all sources of unsecured funding for at least one year. In addition, with respect to secured funding, these procedures incorporated a stress test that estimated what a prudent lender would lend on an asset under stressed market conditions (e.g. a haircut). Another premise of this liquidity planning was that any assets held in a regulated entity were unavailable for use outside of the entity to deal with weaknesses elsewhere in the holding company structure, based on the assumption that during the stress event, including a tightening of market liquidity, regulators in the U.S. and relevant foreign jurisdictions would not permit a withdrawal of capital. Thus, the liquidity pool at the holding company was comprised of unencumbered liquid assets.
Beginning immediately in the wake of the Bear Stearns sale to JPMorgan Chase, the SEC broadly strengthened liquidity requirements for CSE firms. The Division of Trading and Markets, working with the Federal Reserve, implemented substantially more rigorous approaches to supervision of liquidity levels and liquidity risk management. We developed scenarios that were much more severe, including denial of access to short-term unsecured funding. Those more stringent scenarios assumed limited access to the Fed's discount window or other liquidity facilities, although in fact such facilities became available to the major investment banks. As a matter of prudence, the investment banks were urged to maintain capital and liquidity at levels far above what would be required under the standards themselves.
The SEC scrutinized the secured funding activities of each CSE firm, and advised the establishment of additional term funding arrangements and a reduction of dependency on "open" and "overnight" transactions. We also focused on the so-called matched book, a significant focus of secured funding activities within investment banks. We monitored closely potential mismatches between the "asset side," where positions are financed for customers, and the "liability side" of the matched book, where positions are financed by other financial institutions and investors. Also, we discussed with CSE senior management their longer-term funding plans, including plans for raising new capital by accessing the equity and long-term debt markets.
Observations and Lessons
The Bear Stearns and Lehman Brothers' experience as well as the continuing financial distress and government support of commercial banks and insurance companies has challenged a number of assumptions held by the SEC. We are working with other regulators to ensure that the proper lessons are derived from these experiences, and changes will continue to be made to the relevant regulatory processes to reflect those lessons. Long before the CSE program existed, the SEC's supervision of investment banks recognized that capital is not synonymous with liquidity — that a firm could be highly capitalized — that is, it can have far more assets than liabilities — while also having liquidity problems. While the ability of a securities firm to withstand market, credit, and other types of stress events is linked to the amount of its capital, the firm also needs sufficient liquid assets — cash, and high-quality instruments such as U.S. Treasury securities that can be used as collateral — to meet its financial obligations as they arise.
The CSE program built on this concept and required stress testing and substantial liquidity pools at the holding company to allow firms to continue to operate normally in stressed market environments. But what neither the CSE regulatory approach nor most existing regulatory models have taken into account was the possibility that secured funding, even that backed by high-quality collateral such as U.S. Treasury and agency securities, could become unavailable. The existing models for both commercial and investment banks are premised on the expectation that secured funding, would be available in any market environment, albeit perhaps on less favorable terms than normal.
Thus, one lesson from the SEC's oversight of CSEs — Bear Stearns in particular — is that no parent company liquidity pool can withstand a "run on the bank." Supervisors simply did not anticipate that a run-on-the-bank was indeed a real possibility for a well-capitalized securities firm with high quality assets to fund. Given that the liquidity pool was sized for the loss of unsecured funding for a year, such a liquidity pool would not suffice in an extended financial crisis of the magnitude we are now experiencing, where firms are taking significant writedowns on what have become illiquid assets over several quarters while the economy contracts. These liquidity constraints are exacerbated when clearing agencies seize sizable amounts of collateral or clearing deposits to protect themselves against intraday exposures to the firm. Thus, for financial institutions that rely on secured and unsecured funding for their business model, some modification, such as government backstop emergency liquidity support, may well be necessary to plug a liquidity gap on an interim basis, to guarantee assets over the longer term, or to provide a capital infusion. Indeed, as we have seen, such facilities can be necessary even for deposit-taking institutions. The role of the government in providing any such backstop liquidity should be carefully circumscribed, and the effects on incentives considered.
Another lesson relates to the need for supervisory focus on the concentration of illiquid assets held by financial firms, particularly in entities other than a U.S. registered broker-dealer. Such monitoring is relatively straightforward with U.S. registered broker-dealers, which must disclose illiquid assets on a monthly basis in financial reports filed with their regulators. Also, registered U.S. broker-dealers must take capital charges on illiquid assets when computing net capital. As a result, illiquid assets often are held outside the registered U.S. broker-dealer in other legal entities within the consolidated entity. So, for the consolidated entity, supervisors must be well acquainted with the quality of assets on a group wide basis, monitor the amount of illiquid assets, and drill down on the relative quality of such illiquid assets.
We currently inquire, through FINRA, about the amount of Level 3 assets at broker-dealers, but such information must be known with specificity about affiliates in the group as well. A thorough understanding of illiquid assets would be a more useful measure of financial health than a leverage metric that is broadly applied across a complex financial institution. The SEC has noted on numerous occasions that leverage tests are not accurate measures of financial strength, especially in firms with a sizable matched book or derivatives business. Leverage ratios do not account for the risk or liquidity of the underlying assets or associated hedging positions. Therefore, leverage ratios can overstate or understate actual risk due to leverage. For example: a 10-1 leverage ratio involving Treasury bills involves little risk of loss; however, the same 10-1 leverage ratio applied to uncollateralized loans would be extremely risky, and would not be prudent in a broker-dealer. The same could be said of repo transactions involving treasuries versus mortgages. Rather than rely on such overly simplistic measures of risk, regulators of financial firms have gone to great lengths to develop capital rules that are risk sensitive and act as limiters on the amount of risk that can be taken on by a firm.
While the SEC knew the importance of supervisory focus on illiquid assets, I do not believe any regulator truly understood that market perception of the integrity of the financial statements, which involves both the amount of illiquid assets and the valuation of such assets, could erode so precipitously and ignite a run on a securities firm. This brings me to a related point — and lesson.
A knowledge of illiquid assets also requires supervisors to review valuation thoroughly, and understand how mark-to-market (MTM) is executed within the firm — with a particular focus on the strength of control processes, the independence of the price verification function, and the disclosures made by the firm on its valuation processes. The challenges of valuing illiquid or complex structured products should not cast doubt on the process of marking-to-market, however. In fact, marking-to-market is part of the solution. This is another lesson from the events of 2008.
MTM informs investment bank senior managers of trading performance and asset price and risk factor volatilities, supports profit and loss (p/l) processes and hedge performance analyses, facilitates the generation and validation of risk metrics, and enables a controlled environment for risk-taking In short, the MTM process helps ensure consistency between p/l reporting, hedging, and risk measurement. Without this, discipline across these activities would be more difficult to maintain and risk management would be significantly weaker. The act of marking-to-market provides necessary information and can impose discipline on risk-taking and risk management.
At securities firms and elsewhere, to protect the accuracy and integrity of the financial institution's books and records and to support the CFO's attestation concerning the fair value of the firm's inventory as of a certain date, an independent group of financial controllers verifies monthly that traders' marks are accurate and unbiased. Once the price verification is completed, summary mark review reports are provided to senior managers at investment banks which provides insight into the composition of the portfolio, as different methods signal different degrees of liquidity, complexity or model risk. Internally, one of the primary aims of the control function performed by price verification is to reduce the risk of a position or portfolio being mis-marked. Obviously, this risk rises with the degree of subjectivity that may be applied to a given mark or position (and gets multiplied by the exposure). Given its critical contribution to the integrity of valuation and books and records, supervisors must engage fully in understanding the price verification controls at financial institutions, ensure that it is well-resourced, has independent authority to push back on the business line valuations, and is in ready communication with and has the active support and involvement of firm senior management.
Recent events have proven the limitations of certain risk metrics such as Value-at-Risk (VaR) and the necessity of rigorous stress testing of financial models. VaR, among other things, assumes certain historical correlations, which may be inapplicable during times of extreme stress. In addition, VaR does not measure liquidity or concentration risk. Therefore, a lesson learned is while VaR and other risk metrics may be useful during normal market conditions, risk managers and supervisors must recognize their imbedded limitations and assumptions and plan accordingly. That is, supervisors and risk managers must supplement their usage with stress testing that incorporates not only likely economic scenarios, but also low probability, extreme events. In addition, the market-wide failure to appreciate and measure the market risk of mortgage-related assets, including structured credit products, has shown that the Basel market risk standards as then in force were not adequate. Each is in need of serious improvement.
Another important lesson is that critical financial and risk management controls cannot just exist on paper. They must be staffed appropriately and well-resourced. Whether a supervisory program maintains staff on-site at regulated entities, or engages in frequent in- person meetings, the quality of the program must combine an ability to focus and follow up on risk management issues as they develop with an ability to gain the attention of senior management of the firm. Within the firm, senior management must engage with firm risk managers and support them as an independent function. Firm boards of directors must participate actively in setting the risk appetite of the firm, hold senior management accountable for following the board's direction on risk taking, and force management to take action, as appropriate. For instance, risk managers should have some degree of authority over trading decisions, and any decision by senior management to deviate from their recommendations should be documented and reviewed by the board.
One final observation relates to the challenges any single regulator has in overseeing an entity — in the SEC's case, sizable broker-dealers — that reside within a complex institution with multiple material affiliates, regulated or not, in numerous countries. Any regulator must have an ability to get information about the holding company and other affiliates, particularly about issues and transactions that could impact capital and liquidity. For instance, whether directed by a holding company supervisor here or abroad, a poorly capitalized and not very liquid affiliate could require infusions from the parent and become the source of financial weakness for the entire organization. This could occur while the registered U.S. broker-dealer is well-capitalized and liquid. As was true in the case of Lehman Brothers, the bankruptcy filing of a material affiliate has a cascading effect that can bring down the other entities in the group. Also, in some instances, affiliates try to involve the well-capitalized broker-dealer in their business in a manner that is not prudent. For these reasons, and to protect the broker-dealer and its customer assets, the SEC would want, not only to be consulted before any such liquidity drain occurs at the parent, but to have a say, likely in coordination with other interested regulators, in the capital and liquidity standards the holding company must maintain. Our experience last year with the failure of Lehman's UK broker-dealer, and the fact that the U.S. registered broker-dealers were well-capitalized and liquid throughout the turmoil, has redoubled our belief that we must rely on and protect going forward the soundness of the regulatory regime of the principal subsidiaries. Nothing in any future regulatory regime, or systemic regulator, should operate to weaken the regulatory standards of these subsidiaries.
Having learned all of these lessons, we at the SEC are focusing on how best to deploy our broker-dealer expertise in a new regulatory paradigm. As Congress considers the financial services regulatory structure, we believe that regulatory expertise should be recognized and deployed efficiently. For a certain set of large broker-dealer holding companies that are not affiliated with banks, the SEC supports a program that would permit us to also set capital standards at the holding company level (perhaps, in consultation with a holding company supervisor, if any), and to obtain financial information about, and examine, the holding company and material affiliates. Such broker-dealer holding companies may also have an emergency liquidity provider (not the SEC). The SEC would determine the universe of broker-dealer holding companies that would be subject to parent company capital standards. The remaining broker-dealer holding companies not affiliated with banks would be subject to material affiliate reporting requirements, similar to the reporting regime under Section 17(h) of the Exchange Act.
Given the recent dialogue about systemic regulation, I must note that our experience with the bankruptcy filing of a foreign affiliate of Lehman Brothers has demonstrated the innate difficulties of any multijurisdictional approach to regulation. While cross border coordination and dialogue is important, jurisdictions nonetheless have unique bankruptcy and financial regulatory regimes-and creditors wherever they are located shall always act in their own interest during a crisis. Thus, a U.S. liquidity provider might be faced with the difficult choice of guaranteeing the assets of the holding company globally, or else risk creditors exercising their rights against foreign affiliates or foreign supervisors acting to protect the regulated subsidiaries in their jurisdictions, either of which could trigger bankruptcy of the holding company. These are thorny issues that Congress should consider carefully.
GAO Review of Regulators' Oversight of Risk Management Systems
I want, finally, to mention that, recently, we were provided a copy of the GAO's draft Review of Regulators' Oversight of Risk Management Systems. Based on our review of that draft, I can make a few personal observations. First, I appreciate the work that GAO did to review the supervision of financial institutions' risk management programs across the various regulators and find GAO's observations about those programs helpful. I can also make a few comments about the draft of GAO's review of regulators' oversight of risk management systems at various financial institutions. Staff of the Division of Trading and Markets has discussed these and other comments on the draft directly with GAO staff.
The GAO draft states that banking regulators (the Federal Reserve, OCC, and OTS) use a combination of supervisory activities, including informal tools and examination-related activities to assess the quality of institutional risk management systems. It then describes the securities regulators' approach as revolving around regularly scheduled target examinations. This is not, however, an apt description of the SEC's CSE risk management supervisory program. We believe it is important to stress that SEC's supervision included continuous monitoring throughout the year of the CSEs for which we were the consolidated supervisor. While SEC staff conducted formal meetings with firms on a regular schedule (e.g., monthly risk meetings), SEC staff had continuous contact with the firm. These formal meetings were supplemented by additional follow-up meetings to discuss issues further. This often led to further monitoring by staff and, if warranted, included cross-firm reviews conducted by SEC monitoring staff and later SEC inspection staff for CSEs. We also received regular risk, financial, and liquidity reporting from the CSE firms, including some information on a daily basis. Particularly with respect to the liquidity reporting, we had frequent discussions, often daily or weekly, with the firms' treasurers during much of 2007 and 2008. In addition, during times of extreme market stress we had on-site coverage as well. While not continuously on-site, the SEC's approach was one of continuous supervision, a point not evident in the draft GAO report.
SEC staff's continuous supervision was directly aimed at addressing risk management weaknesses. While we fully understand that SEC's process for ensuring that firms take corrective action was not as formal as some of the banking regulators, the substance was the same. There have been many instances in which, based on our supervisory approach, firms made changes to their risk management to address weaknesses that the SEC highlighted.
We concur in the GAO's observation that although financial institutions manage risks on an enterprise basis or by business lines that cut across legal entities, functional regulators may oversee risk management at the legal entity level, resulting in a view of risk management that is limited or in overlap in efforts by regulators. Under the CSE program, the SEC continued its focus on the functionally regulated entity — the broker-dealer — but also assessed risk management wherever implemented within the holding company structure. This is necessary in order to gain an accurate assessment of the effectiveness of these risk management controls.
Thank you again for this opportunity to discuss these important issues. I am happy to take your questions.