Internal Audit’s Role in the Too-big-to-fail Debate

The July 1 deadline for some of the United States’ largest banking institutions to submit “living wills” for review is looming, and there will be a lot of ink and internet space invested in predicting whether those banks will pass regulatory muster and what the fallout will be for those that do not.

The “living wills,” mandated by the U.S. Dodd-Frank Wall Street Reform and Consumer Protection Act, require the periodic submission of resolution plans to the Federal Reserve and the Federal Deposit Insurance Corporation. Each plan must describe the company’s strategy for rapid and orderly resolution in the event of material financial distress or failure of the company, and include both public and confidential sections.

Last year, the nation’s 11 largest banks had their “living wills” rejected as inadequate, so there is indeed tremendous regulatory pressure for them to provide what regulators are looking for by the July 1 deadline. Essentially federal regulators are demanding “credible” plans that demonstrate how these banks can fail in an orderly manner without disrupting the U.S. financial system or relying on government support.

These challenges should place any affected organization’s internal audit function squarely in the midst of the matter. The Fed and the FDIC have commented on the inadequacy on the previously proposed plans, and these financial institutions would be remiss not to task internal audit with assessing what will be reported.

With limited guidance from the regulators themselves, this not only creates challenges for the financial institution but also for internal audit (and compliance) to have a credible basis to review and evaluate the sufficiency of a planned submission.

Some have questioned the value of this exercise for banks that already have been identified by the international Financial Stability Board as “systemically important financial institutions,” or SIFIs. After the spectacular banking failures of the 2000s, the international community moved to protect the global financial system by committing to prevent the failure of SIFIs in the future, or limiting the adverse effects should one fail.

From a critical viewpoint, there is circular logic and legislative contradiction to then require “living wills” from financial institutions, essentially already designated “too big to fail.”  Dodd-Frank was supposed to end “too big to fail,” yet the legislation also created an organization – the Financial Stability Oversight Council – empowered to designate an organization as a SIFI.  To then require these institutions to demonstrate how they would go through a rapid and orderly resolution seems contradictory.

Far be it from me to question how far the Fed and FDIC will go to force compliance with the living will requirement. For example, the FDIC has the authority to order divestment of assets or operations of banks that fail to submit credible living wills after two years. Only time and circumstances will tell us whether they have the political will to take such drastic steps.

But the debate brings up an important lesson for internal audit. Just as I have urged CAEs to get to know and understand their organizations’ business plans and objectives (regardless of their industry), so should they understand that legislative intent, politics and regulatory mandates are complex. Lots of valuable internal audit resources can be wasted if we don’t understand how the system works, and what is truly risky for the organization rather than what sounds risky because it is the topic du jour.

Internal audit can provide better insight on allocation of resources to meet regulatory demands if it is attuned to the legislative intent and political will behind the creation of regulation. At a minimum, CAEs should keep boards and audit committees abreast of the hours spent on compliance assessments in relation to all the other important work they do across the entire risk universe, as well as having an informed view on the potential impact of new regulations that may be on the horizon.

Having a resource to help internal auditors working in financial services stay on top of such regulatory questions would be helpful, and The IIA is stepping up on that front. Today, we launch the Financial Services Audit Center, which will provide members with direction, thought leadership, and advocacy for internal auditors who are so vital to the financial services industry.

I urge you to look at the ​Center’s website, which is offering a one-time, open-access period through September to what will be an exclusive members’ website, and give us your feedback.