Banks cratering because of poor risk management

Economic shifts, crypto deposits, weak controls and incompetent administration have led many tech-heavy banks to bite the dust this year. But none of the institutions’ C-suiters should’ve been caught flat-footed. Since the Great Depression, risk management has been the mantra of the money world. And we know that complacency and hubris can lead to fraud. Here’s how the bank collapsed and reminders for organizations to get it right.

On March 9, the day before Silicon Valley Bank (SVB) collapsed, and the day after Silvergate Bank announced its failure, supposedly stable Signature Bank sent an update on the bank’s mid-quarter financial status in a letter to its investors and regulators to try to reassure them of the bank’s financial health. “As shown by our current metrics, we intentionally maintain a high level of capital, strong liquidity profile and solid earnings, which continues to differentiate us from competitors, especially during challenging times,” Eric Howell, Signature’s president and chief operating officer, said in the update. The letter backfired. Immediately upon SVB’s collapse, customers started withdrawing large deposits from Signature. That caused a run on the bank, which regulators stopped by seizing the bank Sunday, March 12. (See “FDIC Establishes Signature Bridge Bank, N.A., as Successor to Signature Bank, New York, NY,” FDIC, March 12, 2023.)

Now Signature investors are suing the bank for fraud, accusing them of overstating their ability to weather the gathering financial storm. “The March 9 Update overstated the company’s market position, given that just a few days later, it was shut down by the New York Department of Financial Services,” the lawsuit states. (See “Signature Bank sued for fraud following FDIC takeover,” by Nina Pullano, Courthouse News Service, March 14, 2023 and lawsuit.)

Undoubtedly, with the recent collapse of SVB, Signature, First Republic, the implosion of Credit Suisse and fears of more debacles to come, the thin curtain of banks’ respectability will open and reveal fraud and corruption. (See “Smaller Banks Are Scrambling as Share Prices Plunge,” by Rob Copeland, Joe Rennison and Matthew Goldstein, The New York Times, May 4, 2023.)

Consumers are also worried that we’re headed toward another banking system failure akin to the Great Recession. What’s going on? The problems at these financial institutions are different but stem from a common issue — inadequate control environments to manage risk, which, of course, is a breeding ground for fraud.

“For several years, the bank maintained a weak management and control framework for its fiduciary activities and had an insufficient audit program for, and inadequate internal controls over, those activities.”

This quote is from the 2020 Office of the Comptroller of the Currency (OCC) order to Citigroup, fining the bank $400 million for failing to rectify known control weaknesses around operations and financial reporting in October 2020. But it could’ve come from many different reports issued by regulatory agencies reprimanding and fining banks. JPMorgan Chase, Credit Suisse, HSBC, Danske Bank, Deutsche Bank, USAA, Barclays, BNP Paribas, Bank of America, Santander, Wells Fargo, UBS, U.S. Bancorp and many others over the past 10 years have found themselves in trouble with regulators.

Here we dissect a handful of financial institutions to discern why they collapsed and why weak controls allowed wrongdoing to occur.

Silicon Valley Bank — $42 billion run in one day

Silicon Valley Bank, founded in 1983, catered to venture capitalists and technology startups who had deposits larger than the Federal Deposit Insurance Corporation’s (FDIC) $250,000 insurance limit. [See sidebar: “What does the FDIC protect?” at the end of this article.] These customers, with millions at risk, rushed to withdraw $42 billion in a single day. On March 10, regulators closed the bank.

High uninsured deposit rate

SVB had over $150 billion in uninsured deposits as of the end of 2022. That’s an uninsured desposit rate of around 90%; anywhere between 30% to 50% would be considered normal. That left it vulnerable to a sudden surge of withdrawals among institutional depositors seeking to protect their money at the first signs of trouble. “Stickier” retail depositors, whose savings are insured, would be more inclined to stay put. (See “Eye On The Market,” by Michael Cembalest, J.P. Morgan, March 10, 2023 and “SVB, Signature racked up some high rates of uninsured deposits,” by David Hayes, S&P Global Market Intelligence, March 14, 2023.)

Undoubtedly, with the recent collapse of SVB, Signature, First Republic, the implosion of Credit Suisse and fears of more debacles to come, the thin curtain of banks’ respectability will open and reveal fraud and corruption.

Investments in Treasury bonds and increasing interest rates

By standard metrics to measure a bank’s health, such as capital position and liquidity ratios, SVB looked fine, said John Sedunov, professor of finance at Villanova University, in a CNN article. But since the start of the pandemic, SVB had been buying U.S. Treasuries and government-backed mortgage bonds. The bank soon held 55% of its customers’ deposits in Treasuries alone. While those securities are normally considered safe, they can rapidly lose value in a rising interest rate environment. That’s particularly true of longer-term Treasuries, in which SVB invested billions. When the Federal Reserve quickly tightened monetary policy last year, those assets were no longer worth what SVB paid for them, and the bank was left carrying massive potential losses. (See “Why almost everyone failed to predict Silicon Valley Bank’s collapse,” by Allison Morrow, CNN, March 26, 2023 and “Bank fail: How rising interest rates paved the way for Silicon Valley Bank’s collapse,” by Stacey Vanek Smith, NPR, March 19, 2023.)

Insufficient risk management program and no hedges in bond portfolio

According to the CNN article, SVB lacked basic risk management fundamentals, including a chief risk officer, a standard position in most banks. Also, a bank typically hedges its interest rate risk using financial instruments called swaps — effectively exchanging a fixed interest rate for a floating rate for a period to minimize its exposure to rising rates. This requires a bank to look forward months or years to effectively manage risk. Managing interest-rate exposure is a fundamental part of a risk management strategy in a bank. However, SVB appears to have had zero hedges in place on its bond portfolio, according to the CNN article.

Years before, in January 2019, the U.S. Federal Reserve (Fed) had warned SVB about insufficient risk management systems in a “Matter Requiring Attention” citation. It’s unclear if SVB made improvements. (See “Fed Raised Concerns About SVB’s Risk Management in 2019,” by Andrew Ackerman and Dave Michaels, The Wall Street Journal, March 19, 2023.)

Social-media-savvy bank customers

SVB’s small, specific group of customers, venture capitalists — many of whom knew each other — regularly engaged on social media. When a few members of this tightknit community began to worry about the bank’s viability on social media, word got out fast that the bank was in trouble. The viral panic caused a run on the bank. SVB customers who had more than $250,000 in their accounts knew the FDIC couldn’t cover their losses, and so they lost faith in SVB.

Signature Bank’s 25% stock price drop

The Signature Bank situation resembled a soap opera storyline. On March 12, federal regulators seized control of the bank after customers withdrew more than $10 billion in deposits, and the stock price plummeted 25%.

Signature, a full-service financial institution founded in 2001, was based in New York City with 40 branches in New York state, Connecticut, California, Nevada and North Carolina. Signature catered to real estate and law firms and was one of only a few banks that allowed customers to deposit cryptocurrency — an uninsurable, unstable asset.

Barney Frank was on Signature’s board. Yes, that Barney Frank, the former senator and architect of the U.S. Dodd-Frank Act. The Dodd-Frank Act was designed to reign in banks’ risky financial activities. The irony runs deep.

SVB’s collapse on March 10 caused Signature’s customers to withdraw large deposits, which of course caused the proverbial run on the bank. Here are additional issues that led to the bank’s doom:

Cryptocurrency and bad risk management

Signature made a bet on cryptocurrency when they started accepting crypto deposits in 2018. Crypto’s volatility and its susceptibility to hacks and fraud, plus the failure of crypto exchange FTX, caused the bank to announce in December 2022 that it intended to shed $8 billion to $10 billion of its crypto assets.

Banks are still confused on how to label crypto. Is it a security? Commodity? Currency? The Securities and Exchange Commission (SEC) hasn’t answered the question yet, but it has released a March 23 warning to investors, “Exercise Caution with Crypto Asset Securities: Investor Alert.” Signature, when it failed, reportedly held 20-25% of its assets in cryptocurrency.

(Despite Signature’s heavy crypto deposits, Silvergate Bank was labeled “the crypto bank” because that’s where most crypto firms did their banking. It was unable to withstand the extreme volatility of the crypto market and announced its failure on March 8. Fatefully, many of Silvergate’s investors and customers deposited their crypto at Signature.)

Barney Frank, who drew significant press attention because of his involvement with Signature, contends that the bank was the victim of a political attack and wasn’t at high risk. He said, “regulators wanted to send a very strong anti-crypto message.” (See “Why regulators seized Signature Bank in third-biggest bank failure in U.S. history,” by Hugh Son, CNBC, March 13, 2023.)

It’s hard to imagine how Frank believes Signature’s heavy involvement in crypto isn’t a risky activity. Crypto deposits could be the epitome of risk that the Dodd-Frank Act was designed to limit.

Concentrated customer base and large deposits

Like SVB, Signature catered to specific niche industries and groups, most of which had deposits that also exceeded the $250,000 covered by the FDIC. These customers, who had large sums of money at risk, began withdrawing their funds and moving them to larger banks such as JPMorgan Chase and Bank of America, according to the CNBC article. Approximately 90% of Signature’s deposits — $79 billion — were reportedly uninsured. (See “Risky Bet on Crypto and a Run on Deposits Tank Signature Bank,” by Matthew Goldstein and Emily Flitter, The New York Times, March 12, 2023.)

Credit Suisse: The collapse and sale to UBS

On March 14, Switzerland’s Credit Suisse bank collapsed. The Saudi National Bank, which had supplied funding to Credit Suisse for years, refused to provide any additional funding, citing regulatory issues in increasing its ownership stake above 10%. Credit Suisse was then forced to borrow $54 billion from the Swiss National Bank. With no clear plan for recovery, Swiss rival UBS purchased it for approximately $3.3 billion in a deal brokered and approved by Swiss regulators without shareholder approval. (See “Federal Reserve green lights UBS-Credit Suisse deal in US,” by Hannah Lang, Chris Prentice and Ann Saphir, Reuters, April 14, 2023.) Founded in 1856, Credit Suisse was one of the largest banks in the world before its sale to UBS. (See “Credit Suisse to Borrow as Much as $54 Billion From Swiss Central Bank,” by Andrés R. Martínez, The New York Times, March 15, 2023.)

Credit Suisse’s long history of scandals

Credit Suisse had been frequently in the news for scandals going back to the ’80s when the bank helped Philippines dictator Ferdinand Marcos and his wife Imelda Marcos hide some of the billions the couple had stolen from the country. But the final straw was poor timing.

Here are the lowlights of controversies, scandals and regulatory problems from just the last 10 years. (See “Crooks, kleptocrats and crises: a timeline of Credit Suisse scandals,” by Kalyeena Makortoff and David Pegg, The Guardian, Feb. 21, 2022 and “Factbox: Credit Suisse’s scandals - spies, lies and money laundering,” Reuters, Oct. 3, 2022.

• 2014: Fined $2.6 billion for helping Americans evade taxes.
• 2016: Fined €109.5 million by Italian authorities for helping clients hide funds to evade taxes.
• 2016: U.S. regulators fine it $16.5 million for significant deficiencies in the bank’s anti-money laundering program.
• 2017: Singaporean authorities fine it $700,000 for its involvement in money-laundering transactions related to 1MDB.
• 2017: Authorities raided homes and offices in the Netherlands and France to launch investigations into suspected tax evasion involving 55,000 accounts. The case is ongoing.
• 2018: Swiss regulators ordered the bank to improve its anti-money laundering program because of its dealings with the football (soccer) association FIFA, as well as Latin American state-controlled oil companies Petrobras (Brazil) and PDVSA (Venezuela).
• 2018: Former Credit Suisse banker Patrice Lescaudron was sentenced to five years after being found guilty of forging client signatures to divert money, making stock bets without a client’s knowledge, resulting in more than $150 million in losses.
• 2018: U.S. authorities fined it $47 million for a corruption scandal involving the bribery of Chinese officials to win business.
• 2019: In a corporate espionage scandal, it was found to have hired private investigators to conduct surveillance on seven executives.
• 2020: Swiss authorities fined it $22 million for helping a Bulgarian crime ring launder money from cocaine sales.
• 2021: Recorded a $5.5 billion loss because of its risky exposure with Archegos Capital Management, a U.S. hedge fund that collapsed in early 2021.
• 2021: Suspended $10 billion of investor funds in relation to the Greensill Capital scandal, which involved risky loans extended to Sanjeev Gupta’s companies.
• 2021: U.S. and U.K. authorities fined it $547 million for deceiving and defrauding investors through the financing of a Mozambique fishing project.
• 2022: Found guilty in Switzerland’s Federal Criminal Court of laundering money for a Bulgarian cocaine trafficking gang.
• 2023: On March 9, announced delayed annual reporting after material weaknesses were found in the bank’s financial reporting for 2021 and 2022.

Control environment and risk management

According to the Guardian article, “Crooks, kleptocrats and crises: a timeline of Credit Suisse scandals,” after each of these incidents, Credit Suisse leadership responded with promises of improvement and expressions of regret, such as:

• “We deeply regret the past misconduct that led to this settlement.” (2014 U.S. tax scandal)
• The bank is “taking appropriate internal remedial efforts.” (2016 U.S. anti-money laundering)
• The bank is “firmly committed to upholding the high standards of the Singapore financial centre.” (2017 1MDB)
• The bank “applies a strict zero-tolerance policy” on tax evasion. (2017 EU tax evasion)
• “The bank said it took its compliance responsibilities seriously.” (2018 anti-money laundering)
• “A spokesperson for the bank said it had improved its compliance processes.” (2018 bribery)
• Credit Suisse said it would “defend itself vigorously” and “unreservedly rejects as meritless all allegations in this legacy matter raised against it.” (2020 Bulgarian drug trafficking for which the bank was criminally convicted of in 2022)
• The bank said “it took action against 23 staff and fired nine,” and vowed to place risk management “‘at the heart’ of its decision-making.” (2021 Archegos scandal)
• “The bank said it condemns any unjustified observations and has already taken decisive steps to strengthen its relevant governance and processes.” (2021 Mozambique fishing scandal)

Credit Suisse repeatedly promised to improve its control environments and risk management, yet it never did and continued to get into trouble.

Material weaknesses and timing

Credit Suisse was forced to announce material weaknesses in its internal controls over financial reporting the day before SVB’s collapse. When Credit Suisse released its financials the following week on Tuesday, March 14, the bank reported a net loss of 7.3 billion Swiss francs (about  $7.9 billion). By then, both SVB and Signature had already collapsed, and Credit Suisse had endured a year of investors losing faith, resulting in large deposit withdrawals. By the end of 2022, customers had withdrawn 138 billion Swiss francs (over $100 billion) in assets. On Wednesday, March 15, the bank’s stock price went into free fall. (See “The Swiss claim the U.S. banking crisis ultimately toppled Credit Suisse. But are they right?” by Elliot Smith, CNBC, March 24, 2023 and SEC filing, 20-F.)

After PricewaterhouseCoopers issued an adverse opinion on the effectiveness of the bank’s internal controls last March, Credit Suisse stated in its annual report that it had found “the group’s internal control over financial reporting was not effective” because it failed to adequately identify potential risks to the financial statements. The auditors noted that Credit Suisse didn’t maintain an effective risk assessment process designed to identify and analyze the risk of material misstatements in its financial statements. (See “Credit Suisse Warns ‘Material Weaknesses’ in Financial Reporting,” by Vandana Singh, yahoo!life,  March 14, 2023.)

Banks’ outdated technology

Just weeks before the Fed ordered Citigroup to pay $400 million in fines for failing to rectify a weak control environment, the financial institution made a $900 million “mistake.” In August 2020, the bank, acting as administrative agent for a loan taken out by Revlon, accidentally paid off the entire principal amount rather than the approximately $8 million it was meant to send to creditors. Certain asset managers felt they had a right to keep the money owed to them by the struggling cosmetics company and went to court over it. The blame for the mistake fell on the complicated payment process involving outdated software that was susceptible to human error. (See “Citi’s $900 Million Misfire Happened During Software Switch,” by Jenny Surane, Bloomberg, Data Center Knowledge, Aug. 28, 2020.)

Citi isn’t alone in the banking industry when it comes to relying on legacy systems that need to be updated or replaced to support today’s required regulatory and operating environments adequately.

Until executives make good on their promises to make long-term risk management and effective control environments top priorities, bank failures likely will continue to occur.

“The lack of investment in new technology, coupled with maturing infrastructures, creates barriers to digital transformation,” according to Greg Watson, CEO of software development company Napier. “Instead, banks end up stuck with old, manual processes, which negatively impacts operational efficiency, client experience and, perhaps most urgently, a bank’s regulatory compliance positioning.” (See “Outdated Technology Preventing Banks from Investing in Disruptive Technologies,” by Greg Watson, Corporate Compliance Insights, June 13, 2019.)

Risk management and control environments are dependent on technology, but if the technology is outdated how can we expect control environments and risk management to be effective?

Of course, robust control environments and risk management programs are costly. And though we can quantify what our organizations need, it’s almost impossible to determine explicitly what we should spend. It’s easy to point to a bank’s problem, failure or scandal and determine in hindsight that it should’ve had better controls or spent more on resources. It’s much more difficult to determine how much an organization should dedicate to risk management when problems aren’t apparent. When the cost to improve controls, upgrade technology and increase risk management compete with profitability, what should be obvious isn’t always obvious.

By the time a major issue becomes public knowledge, an organization probably already has multiple major issues brewing. To a casual observer, Credit Suisse’s multiple regulatory issues might appear to be unrelated, but more likely they’re linked to management’s shoddy inattention, inertia and desire to keep a lid on costs (not to mention outright corruption).

Is it over?

Some analysts hope that J.P. Morgan’s purchase of troubled First Republic in May will finally put a line under the current banking crisis given there aren’t any other banks of a similar size that are so vulnerable. (See “In an Unsteady Banking Industry, First Republic’s Problems Stood Out,” by Stacy Cowley, The New York Times, updated May 3, 2023.)

Republic’s downfall is also a lesson in poor risk management and controls, and it arguably highlights the need for greater scrutiny across the banking system. Like Signature Bank and Silicon Valley Bank, the San Francisco-based financial institution had large amounts of uninsured deposits. Billions of dollars in support from regulators and other banks failed to prevent nervous depositors from fleeing for the exits.

Before the banking crisis, First Republic drew the admiration of many in the banking industry. But its business model had flaws. To lure clients, it had offered low interest-only mortgages to the super wealthy. The value of those loans quickly plummeted as the Fed raised interest rates to tackle inflationary pressures. Warren Buffett has called those jumbo low-rate mortgages a “crazy proposition,” condemning bank executives for taking these kinds of risks and warning of more possible problems ahead. (See “Warren Buffett says American banks could face more turbulence ahead, but deposits are safe,” by Hugh Son, CNBC, May 6, 2023 and “Lending mortgages to rich Silicon Valley home buyers was part of First Republic Bank’s DNA—and helped contribute to its collapse,” by Hannah Levitt, Jenny Surane, Sonali Basak and Bloomberg, Fortune, May 1, 2023.)

The SEC is now reportedly investigating the bank’s executive team in charge before the J.P. Morgan takeover, looking into whether some engaged in insider trading. U.S. Senator Elizabeth Warren (D-Mass.) has also accused the bank’s former CEO Michael J. Roffler of “complacency, incompetency, and mismanagement,” noting that they failed to identify and address the risks that came with the Fed’s rate hikes. (See “SEC probing First Republic Bank executives for insider trading, Bloomberg reports,” Reuters, May 5, 2023 and “Senator Warren Seeks Answers from Former First Republic CEO Following Bank’s Collapse,” Elizabeth Warren, May 4, 2023.)

Until executives make good on their promises to make long-term risk management and effective control environments top priorities, bank failures likely will continue to occur.

Customers’ lost faith in Signature, SVB, Credit Suisse and First Republic led to bank runs, which directly led to their collapses.

The indirect cause of runs at Signature and SVB was the large percentage of uninsured deposits the banks held. But the volatility of portfolio management and economy shifts aren’t new emerging risks. Competent bank managers shouldn’t have to scramble when the status quo shakes.

While pandemic and supply-chain issues have caused unprecedented risks, bank runs and failures because of economic shifts have been happening almost since the U.S. was founded. (See “A Brief History of U.S. Bank Failures,” The American Deposit Management Co., updated May 3, 2023.) Financial institutions, among all organizations, should appropriately conduct business with well-designed risk management programs supported by effective control environments. If they don’t, they’ll also soon see costly fraud cases.

Mary Breslin, CFE, CIA, is president and founder of Verracy, a training and consulting company specializing in risk management, data analytics, fraud and corruption, investigations and forensics, and internal audit. Contact her at mbreslin@verracy.com.

What does the FDIC protect?

The Federal Deposit Insurance Corporation (FDIC) is a U.S. government agency that provides protection for bank customers’ deposits. If a bank insured by the FDIC fails or goes out of business, the FDIC reimburses customers for their deposits up to $250,000 per depositor, per ownership category in a bank. (See “The Importance of Deposit Insurance and Understanding Your Coverage,” FDIC, updated Sept. 7, 2022 and “Your Insured Deposits,” FDIC, April 3, 2023.)

Ownership categories of a bank impact the coverage provided by the FDIC. Deposits held in different ownership categories are separately insured, up to $250,000, even if held at the same bank. The FDIC provides insurance coverage for deposits held in FDIC-insured banks, which include most U.S. financial institutions. However, the amount of coverage provided by the FDIC can vary depending on the ownership and category of the account.

The five main ownership categories are: individual accounts, joint accounts, revocable trust accounts, irrevocable trust accounts and retirement accounts (such as IRA accounts). Here’s how each ownership category impacts coverage:

• Individual accounts: The FDIC provides up to $250,000 in coverage per depositor, per insured bank. This means an individual is covered for up to $250,000 regardless of how many accounts they have at that bank. The person is covered, not individual accounts.
• Joint accounts: These accounts (held by two or more people) are insured separately from individual accounts; the FDIC provides up to $250,000 in coverage per co-owner, per insured bank. If two people hold a joint account at a bank, they’re each covered for up to $250,000 in deposits for a total of $500,000 in coverage for the joint account.
• Revocable trust accounts: The FDIC provides up to $250,000 in coverage per beneficiary, per insured bank. This means that if you have a revocable trust account at a bank, you’re covered for up to $250,000 in deposits for each beneficiary named in the trust.
• Irrevocable trust accounts: The FDIC provides up to $250,000 in coverage per owner, per insured bank. This means that if you’re the owner of an irrevocable trust account at a bank, you’re covered for up to $250,000 in deposits, regardless of the number of beneficiaries named in the trust.
• Retirement accounts: Certain retirement accounts, such as IRA accounts, are insured separately from other types of accounts. The FDIC provides up to $250,000 in coverage per depositor, per insured bank.