Top Banking Regulator Warns of Compliance Blind Spots, Drawing Lessons from Past Failures
Acting Comptroller of the Currency Michael J. Hsu warned financial institutions against falling into compliance tunnel vision, citing historical examples where regulatory focus on specific risks inadvertently created new vulnerabilities in the financial system.
In remarks delivered to the CFA Institute Systemic Risk Council on Friday, Hsu used the ancient tale of Xerxes crossing the Hellespont as a metaphor for the delicate balance regulators and financial institutions must strike between taking decisive action on identified risks and maintaining broader situational awareness.
"The prioritization of hedge funds and equity tranches effectively committed their armies of analysts, supervisors, and policymakers to the task of defeating those particular risks to the financial system," Hsu noted, referring to pre-2008 regulatory focus. "Like Xerxes, we succeeded in winning many of those battles, but as the Global Financial Crisis showed, we lost the financial stability war."
Hsu highlighted a concerning pattern where intense focus on specific compliance areas can push risks into less visible forms. He pointed to how pre-2008 regulatory scrutiny of equity tranches in securitizations may have contributed to financial engineering that moved risks into supposedly safer, higher-rated tranches, creating a false sense of security.
The Acting Comptroller outlined three categories of risks that compliance officers and risk managers need to monitor:
- Known Knowns: Including commercial real estate exposure, geopolitical risks, and regulatory arbitrage through synthetic risk transfers
- Known Unknowns: Encompassing cyber risks, operational resilience, and "crowded trades"
- Unknown Unknowns: Including emerging threats like quantum computing's impact on encryption and undersea cable vulnerabilities
Regulatory Response
The Office of the Comptroller of the Currency (OCC) is taking action to address these concerns, with Hsu revealing that the agency is developing an advance notice of proposed rulemaking on operational resilience standards for critical operations. The OCC has also recently finalized updated guidelines regarding recovery plan expectations.
For compliance officers and risk managers, Hsu's remarks suggest the need for a more balanced approach to risk management. While institutions must address known regulatory priorities, they should avoid the trap of becoming so focused on specific compliance areas that they miss emerging threats.
"Whether, when, and how to cross the Hellespont and declare war on a specific emerging systemic risk carries high opportunity costs and may have unintended consequences," Hsu cautioned. "At the same time, analyzing and discussing risks endlessly can result in costly inaction."
The speech comes at a critical time for the financial sector, as institutions grapple with traditional risks like commercial real estate exposure while facing new challenges from technological and operational threats. Hsu's remarks suggest that regulatory authorities are increasingly focused on ensuring financial institutions maintain comprehensive risk management approaches rather than concentrating solely on specific compliance priorities.