How and Why Are Regulators Protecting the Reputations of Banks?

How and Why Are Regulators Protecting the Reputations of Banks?

Every once in a while, one comes upon a piece of research that is truly eye opening, and such is the case with an article by Professor Julie Anderson Hill, Regulating Bank Reputation Risk.[1]

For some time, I have expressed concerns about how the concept of reputational risk has allowed the examination process to proscribe bank activities that are both legal and raise no material safety and soundness risk – in effect, shifting the role of examination from protecting depositors (and ultimately the Deposit Insurance Fund and taxpayers) to protecting shareholders – examination as management consulting.[2]  Or political consulting – as the use of reputational risk also has the potential to politicize examination.  Once the two guardrails of legality and materiality are removed, there is little to constrain the scope of examination mandates that can occur.  (By the way, I also always wonder, if regulators are really concerned about a bank’s reputation, why they don’t vigorously review a bank’s marketing department and outside advertising agencies.)

Still, my laments were based on anecdotal evidence, and I never took the step of doing actual research on the topic (in part because I didn’t imagine that such research was really possible).  In steps someone who actually did the work, and whose findings are revealing.  While I commend the whole article, below are some of key findings from the article by Professor Hill:

  • Reputational risk did not play a major role in examination until the 1990s, when the banking regulators moved toward risk-focused regulation.
  • Beginning in the late 1990s, reputational risk began to grow like kudzu in bank examination guidance and handbooks. Per the article, “Once federal regulators included reputation risk in the lists of official risks, it became ubiquitous.  Regulators warn reputation risk is everywhere….In 1996, the OCC re-wrote portions of its examination manuals covering credit card lending, mortgage banking and allowances for loan and lease losses to include detailed discussions of reputational risk…The other federal regulators also began integrating reputation risk into their supervisory frameworks.”[3]  Most significantly, they amended the CAMELS rating system to include reputational risk when evaluating Asset Quality and Management.
  • Reputational risk examination also began to move outside the bank: “Regulators also warn about third-party reputation risk….  For example, lending to [oil and gas] companies found or perceived by the public to be negligent in preventing environmental damage, hazardous accidents or weak fiduciary management can damage a bank’s reputation.”[4]
  • Per Professor Hill, “Today, the Federal Reserve’s bank examination manual uses ‘reputation’ or ‘reputational’ 190 times. The FDIC’s risk management manual uses ‘reputation’ 50 times.  The OCC’s large bank examination manual uses “reputation” 45 times….  Even specialized examination manuals, like those for information technology and anti-money laundering are replete with references to reputation.  Impressive, considering that reputation risk was hardly mentioned 25 years ago.”[5]
  • The largest change over the past ten years has been how the banking agencies force a bank to cease activities that regulators deem risks to the bank’s reputation. “When federal regulators first adopted risk-based assessments, they assured banks no major changes were required.  Instead the OCC and CUA emphasized that the risk assessment would help them tailor each institution’s examination to its unique risk profile…. The OCC even clarified its examiners would just monitor – not ‘actively supervise’ – reputation risk.”[6]  Now, formal enforcement actions sometimes include reputational risk, but most of the action occurs through the informal examination process, where reputational risk can prompt a Matter Requiring Attention or other sanction, outside of public view; MRAs now act as quasi-enforcement actions because they can affect a bank’s Management rating (per the change noted above), and they are effectively unappealable.  Professor Hill examines documents produced in the course of two lawsuits against the agencies, as they “provide a rare look into the private world of informal reputation risk regulation.  When viewed in combination with the glut of reputation risk guidance, there is reason to believe that informal enforcement is used to police reputation risk in the absence of significant financial harm or violation of law.”[7]
  • Regulators define reputational risk quite broadly, including, remarkably, listing themselves among the stakeholders whose perception of bank reputation is relevant. In a “L’etat c’est moi” bootstrapping kind of way, this makes any finding of reputational risk necessarily correct.[8]

Based on her look at the history of reputational risk examination, Professor Hill concludes, among other things:

  • “The nature of reputation risk makes it difficult to regulate in a way that adds meaningful value to the regulatory system. Reputation risk is often a derivative risk.  Because bank regulators have broad powers over other more direct risks, reputation risk often does little work.  When Wells Fargo employees illegally opened unauthorized accounts, they violated the law and created reputation risk.  When banks violated anti-money laundering laws it creates reputation risk.  When banks have credit quality problems it creates reputation risk.  Enforcement actions in those situations do not need to be grounded in reputation risk.”[9]
  • “[I]t is not clear that regulators are able to effectively forecast reputational losses. Reputation is based on ever changing stakeholder values and social expectations.  Values can ‘evolve’ slowly or expectations may adjust abruptly under the spotlight of media attention.”[10]
  • Perhaps most importantly, Bank regulators…are not well suited to determine when a third-party’s reputational damage will be transferred to a bank. In areas where regulators have indicated broad reputational concerns arising from third parties like fossil fuels, guns, and payday loans, there is little evidence that reputation risk alone has ever caused a bank material loss – let alone a run or panic.  If third-party reputation risk was causing material bank losses, we would likely see some evidence of it in the press, some evidence of it in regulatory enforcement, and perhaps some evidence of it in studies of bank failures.  We do not.  Instead, press reports tend to show some unhappy stakeholders but no material impact on bank health.”[11]
  • And more subtly, “Finally regulators are not well-positioned to determine whether the reputational harm might be offset by benefits, or whether the reputational harm of one course of action is less than the reputational harm of alternative actions….For example, shareholders might like a fee that generates income while customers prefer not to pay the fee.”[12] Professor Hill walks through several real-world examples where perceived reputational harm went the other way from expected.
  • Lastly, “Regulation of bank reputation risk is not just ineffective; it is dangerous…. Regulating bank reputation can hurt regulators’ reputations by politicizing them….This is especially true when regulators take action based on [reputational] risk alone (without a violation of the law or the likelihood of serious financial impact).”[13]

I hope this summary does not function as the equivalent of the trailer that convinces you that you’ve already seen the whole movie.  The article is worth a full read.


Disclaimer: The views expressed in this post are those of the author(s) and do not necessarily reflect the position of the Bank Policy Institute or its membership, and are not intended to be, and should not be construed as, legal advice of any kind.

[1]   Hill, Julie Andersen, Regulating Bank Reputation Risk (August 16, 2019). Georgia Law Review, Forthcoming; U of Alabama Legal Studies Research Paper No. 3353847. Available at SSRN:

[2]   See Baer, Greg, Rethinking Safety and Soundness Supervision,; see also Weinstock, Peter, Bank Think: Examiners Growing Misuse of “Reputation Risk,” American Banker, July 2, 2013,

[3] Hill, Julie Andersen, Regulating Bank Reputation Risk, at 25-26.

[4] Id. at 28 (quoting FDIC Financial Institution Letter 44-2008, Third-Party Risk (June 6, 2008)).

[5] Id. at 29.

[6] Id. at 38 (quoting OCC testimony from 1995).

[7] Id. at 46.

[8] Id. at 57.

[9] Id. at 59.

[10] Id. at 61.

[11] Id. at 62.

[12] Id. at 64.

[13] Id. at 66-67.