Speeches & Testimony
Remarks by FDIC Chairman Martin J. Gruenberg to the American Banker Regulatory Symposium Arlington, Virginia
September 22, 2014
Good morning and thank you for the opportunity to take part in this conference and to speak with you today.
The first point I would like to make this morning is that this is a time of transition for the U.S. economy and for the U.S. banking industry. In 2008 and 2009, we experienced the most severe financial crisis and economic downturn in the United States since the 1930s. Since that time we have experienced an economic expansion that is now well into its sixth year. During this expansion, the banking industry has posted eighteen consecutive quarters of positive net income, with industry earnings last year reaching a record level of almost 155 billion dollars.
While the pace of economic growth during much of this period has remained below its long-term trend, and the profitability of the banking industry also remains below pre-crisis levels, the industry has used this time to repair balance sheets, build capital, and enhance liquidity. The ratio of noncurrent loans and the number of problem banks have both fallen by around 60 percent since their peak levels during and after the crisis.
The recovery in bank balance sheets indicates ample capacity on the part of FDIC-insured institutions to support the economic recovery at a time when loan demand and lending volumes appear to be on the rise. Loan balances for the industry increased by 178 billion dollars during the second quarter of this year, the quarter for which we have the most recent data. This is the largest increase since 2007, excluding first quarter 2010 when there was an accounting change. It also represents a continuation of the upward trend in loan balances that we have noted in recent quarters.
Moreover, loan growth during the quarter was broad-based. Almost all loan categories registered an increase, and almost three-quarters of all institutions reported higher loan balances. Loan growth was even stronger at community banks. Loan balances have risen by 7.6 percent over the past year at community banks compared to 4.9 percent for the industry. All major loan categories saw an increase, including loans to small businesses.
Rising loan demand and a recent pickup in the pace of economic activity are creating new opportunities for FDIC-insured institutions. However, with these opportunities the industry will face new risk management challenges that will require the attention of their senior management and boards.
In my remarks today, I would like to discuss three areas of ongoing supervisory focus at the FDIC. The first is the interest rate risk associated with this prolonged period of exceptionally low interest rates. The second is the management of credit risks as loan portfolios begin to grow once again. And the third is cyber security, or the operational risks associated with the adoption of new technologies.
The context for such a discussion is our common understanding that banks are in the business of managing financial risk, both for themselves and for their customers. Accordingly, as supervisors we are seeking to strike an appropriate balance— encouraging financial institutions to meet the credit needs of their customers while assuring careful underwriting and prudent risk management.
Interest Rate Risk
The first area of supervisory focus I would like to address today is interest rate risk. Interest rate risk is by no means a new area of supervisory focus for the FDIC and the other federal banking agencies. We have always understood that financial institutions are inherently sensitive to changes in interest rates and other market prices. The Sensitivity to Market Risk – or "S" component – was added to the CAMELS rating system in 1996, during a previous period of heightened market risk. Since that time, the "S" rating has been a vehicle for proactive communication between banks and their supervisors as to whether such market risks are being appropriately managed.
Today, with the federal funds rate having been essentially zero for more than five and a half years, we stand at another turning point for market risk at financial institutions. An upward shift in the yield curve is inevitable; the only remaining questions are when, and by how much.
Already, the upward shift in the long end of the yield curve in 2013 has had a significant effect on mortgage origination activity, particularly curtailing the refinancing of existing mortgages. For the industry as a whole, mortgage-related noninterest income in the second quarter of this year was $3.7 billion lower than in the second quarter of 2013 – a decline of 43 percent.
For community banks, the effects of interest rate risk tend to be most visible in their net interest margins. For most of the past five years, community bank margins have remained well below pre-crisis levels that were frequently in excess of 4 percent. Still, the upward shift in long-term interest rates since mid-2013 helped to lift net interest margins at community banks to 3.61 percent in the second quarter, a level that is 46 basis points above the industry average.
Despite the recovery in industry earnings that has taken place since the crisis, slow loan growth and narrow interest margins have made it difficult for most institutions to restore their ratios of return on assets to pre-crisis levels. This naturally leads to concerns that institutions may take on more interest rate risk to bolster their profitability. In the recent period of relatively slow loan growth, some banks have responded to deposit inflows by investing in long term securities that offer attractive yields.
Indeed, Call Report data show a pronounced trend toward longer asset maturities. As of June 30, over two thirds of FDIC-insured institutions held at least 40 percent of their assets in longer-term maturities that do not re-price for at least three years. Almost 500 institutions held at least 70 percent of their assets in this long-term category. In contrast, at year-end 2006, before the crisis, less than a quarter of banks had concentrations in longer term assets at this level.
For many banks, this extension of asset maturities is creating maturity mismatches that have increased their exposure to interest rate risk. The normalization of interest rates that will accompany a stronger economy will, in most respects, be a welcome development for the industry. But this environment will create problems for institutions that fail to properly manage their exposures to this development.
Long-term assets will generally decrease in value in a higher interest rate environment. As an example, during the second quarter of 2013 we saw the reversal of more than $50 billion in unrealized securities gains due to what was a fairly moderate rise in long-term interest rates. Even though unrealized losses on these assets do not always need to be recognized in capital, they can adversely affect liquidity by making it costly to sell the securities should the need arise. And because rising rates have the potential to prompt large outflows of deposits, there is the risk that they could force banks to liquidate a depreciated securities portfolio, which would lead to a capital loss.
Banks could also see margins compress as deposits re-price faster than their assets. Finally, rising interest rates would also make it more difficult for some variable rate borrowers to service their debt, and this could indirectly result in higher levels of loan losses.
Managing interest rate risk always presents banks with difficult choices. Reducing the duration of the asset portfolio is likely to reduce profitability today, even as it lessens the impact of higher rates in the future. We have heard from a number of bankers that they understand the importance of being patient with their earnings when making such choices. I would like to emphasize that we do not intend to lower the earnings ratings of banks that are making prudent choices to limit interest rate risk.
I would also like to point out that there are many good resources available to banks to help them strengthen their process for managing interest rate risk. In particular, I would mention the in-depth interest rate risk video the FDIC has posted on its website, which is just one of a growing library of technical assistance videos we are providing to assist banks in strengthening their internal governance and risk management.
Managing Credit Risks as Loan Demand Grows
As economic growth and loan demand appear to be gaining traction, FDIC supervisors have also placed a high priority on managing the credit risks that may result from an expansion in lending activity.
Almost 75 percent of banks grew their loan portfolios during the second quarter. And all major loan categories saw an increase, including small loans to businesses. We welcome this recovery in the overall pace of lending as a sign that our banking system is once again in a position to carry out its critical role in making sound loans to creditworthy borrowers. Nonetheless, the return to more active lending requires bankers and supervisors to renew their focus on sound principles of loan underwriting and the management of loan concentrations.
Our examiners complete an underwriting survey at the conclusion of every bank exam. In the big picture, their responses do not reveal widespread or significant concerns about loan underwriting at this time. But competitive pressures are real, and may be growing. So this is the time that adherence to sound underwriting policies is the most important.
Looking at loan concentrations, there are two dimensions to consider. The first is the important role of community bank lending in local communities and to small- and medium-sized businesses.
Recent FDIC research has shown that community banks hold a majority of deposits in rural and micropolitan counties with population centers of up to 50,000. Community banks also hold 45 percent of the industry's small loans to U.S. farms and businesses, or more than three times their share of total industry assets. Unless community banks are effectively carrying out their role as portfolio lenders, these local economies and small businesses cannot thrive.
But the flip side of this local dependence on the community banking sector is the need to actively manage loan concentrations so as to limit the credit risk associated with this type of lending. The history of the recent crisis, and indeed the FDIC's history over the past 30 years, shows that the imprudent management of loan concentrations – particularly in commercial real estate and construction loans – has frequently been associated with bank failures during periods of economic distress.
Conversely, as documented in a recent study by the FDIC Office of Inspector General, many banks with significant concentrations of CRE and construction loans managed to survive the recent crisis with the benefit of:
- conservative growth strategies
- limited dependence on non-core funding
- prudent risk management practices
- effective capital maintenance, and
- responsiveness to supervisory recommendations, actions, and guidance.
But while the quality of risk management is of crucial importance to a bank's ability to withstand adversity, it is not possible to draw a bright numerical line that separates prudent from imprudent levels of concentration.
Parts 364 and 365 of the FDIC regulations and the 2006 interagency guidance on CRE lending all deal with risk management in the area of real estate lending procedures and concentrations. These documents describe our regulatory and supervisory expectations, and are also a rich source of information on the management of risk in banking.
However, nowhere in our regulations and guidance will you find a portfolio concentration limit. There simply is no bright line that separates prudent concentration levels from imprudent concentrations.
What matters most is how well the risks are managed. That's why the sole purpose of the concentration thresholds in the 2006 CRE guidance is to trigger heightened expectations relative to risk management practices. Examiners appropriately review these practices in relation to a bank's level of CRE loan concentrations during a bank's regularly scheduled examination.
If the crisis has taught us anything, it is that it is much easier and much less costly to address concentration risks early – during the good times – than it is once a downturn has begun. That's why we believe that this supervisory approach is the one most consistent with the long run success of the community banking sector.
The need to effectively manage credit risks applies equally to larger banks that make loans to the corporate sector. Here, we have observed large increases in recent quarters in leveraged lending, or loans to companies with a degree of financial or operating leverage that often far exceeds industry norms. Leveraged loan issuance reached record levels in 2013, and remains strong in 2014. The large majority of leveraged lending since 2013 has supported leveraged buyouts, dividend payouts to business owners, and refinancing of existing debts – often at higher leverage multiples.
The FDIC and other banking agencies continue to be concerned about aggressive leveraged lending activities, as many of the more recent transactions have been characterized by high debt service loads, weak protective covenants, and a lack of amortization. The banking agencies issued guidance in March 2013 that outlined new supervisory expectations and high-level principles for banks to engage in leveraged lending in a safe and sound manner.
We will continue to focus on leveraged lending activities to ensure that insured depository institutions do not take outsized risks and are fully conforming to the interagency leveraged lending guidance.
As important as it is to effectively manage market risk and credit risk, I would be remiss if I did not touch on the growing importance of cybersecurity in the management of operational risks on the part of large and small banks alike.
We all know that the continual adoption of new technologies has long been a vital part of maintaining the competitiveness of financial institutions in a rapidly changing marketplace. Whether a community bank, a regional, or a mega-bank, they are continually making strategic investments in new information technologies that can help serve their customers, manage risks, and improve efficiencies.
But one of the lessons of the last 40 years is that new technologies often bring with them new vulnerabilities. And it is precisely during this critical period of rapid innovation that the need to manage the operational risks associated with new technologies is the most urgent.
While many of today's technologies are new, the supervisory processes for conducting IT examinations are well established. In partnership with the Federal Financial Institutions Examination Council (FFIEC), the FDIC has developed a framework for conducting IT examinations that covers a broad spectrum of technology, operational, and information security risks.
Our framework consists of published standards, examination procedures, routine on-site inspections, and enforcement capability. The FFIEC publishes a series of Information Technology Examination Handbooks to communicate regulatory expectations for IT and information security.
In an increasingly interconnected banking environment, internet cyber threats have rapidly become the most urgent category of technological challenges facing our banks. The large number and sophistication of cyber attacks directed at financial institutions in recent years requires a shift in thinking. Cybersecurity is no longer just an issue for the IT department. Instead, it needs to be engaged at the very highest levels of corporate management.
As many of you are aware, cybersecurity has become an issue of the highest importance not only at the FDIC, but for the FFIEC and its member agencies as well as the federal government as a whole. In response to this threat, the banking agencies are in the process of implementing a number of work streams.
In June 2013, the FFIEC formed a new Cybersecurity and Critical Infrastructure Working Group. This Working Group serves as a liaison with the intelligence community, law enforcement, and the Department of Homeland Security on issues related to cybersecurity and the protection of critical infrastructure. The primary purpose of the Working Group is to help the banking agencies collaborate in developing examination policy, in training and information sharing, and in coordinating their responses to cybersecurity incidents.
Earlier this year, the Working Group produced a webinar for community bank executives highlighting our efforts to assess cyber threats and evaluate how institutions are managing these risks. The Working Group is also undertaking an assessment of the banking sector's overall readiness to address a significant cyber threat. This report will include a self-assessment of regulatory practices to ensure that our own guidance and response capabilities are up to date.
In addition, the FDIC has initiated a number of programs this year to assist community banks in their awareness of cyber threats and to provide practical tools to help mitigate these risks.
The FDIC "Cyber Challenge" exercise is a new online resource, including videos and a simulation exercise, designed to help community banks assess their own preparedness to address a cybersecurity incident. Also beginning this year, we have begun requiring third-party technology service providers, or TSPs, to update their client financial institutions on any operational concerns the FDIC identifies at the TSP during an examination.
We're clarifying our expectations with regard to actions community banks should take when problems are identified at their TSP, and guiding these banks to zero-cost resources that can assist them in assessing their vulnerability to cyber threats.
Clearly, this work will be ongoing. But even as we gear up to meet new emerging threats, we should remember that many of the operational risks they pose are really not all that new. Instead, new technologies are forcing us to think differently about familiar categories of operational risk.
For years, banks have been developing their capabilities in business continuity, typically as it relates to natural disasters and other physical threats. Today, business continuity increasingly means preserving the ability to maintain access to customer data and to consistently ensure the integrity and security of that data. For this reason, we encourage banks to practice responding to cyber threats as part of their regular disaster planning and business continuity exercises.
In conclusion, the quarterly financial data show that the trials of the recent crisis continue to give way to recovery for the U.S. banking industry. New opportunities lie ahead, for small banks and large banks alike, and it is important to the economy for the institutions to take advantage of these opportunities.
But in realizing those opportunities, it is also important for bankers and supervisors to heed the lessons of the recent crisis and previous crises. Of these, the most important is that success or failure is not determined in the current quarter or the current year. The banks that have best served their shareholders and their communities over time are those that have taken the long view, and have made risk management an essential part of their culture.
Attention to prudent risk management is what helped most FDIC-insured institutions to get through the recent crisis, and to recover quickly even in a challenging post-crisis environment. We believe an ongoing commitment to these practices will serve the long run interest of the banking industry and the U.S. economy.