Introduction

In most industries in the United States, a company is generally not visited by federal examiners checking to see that, among other things, the company is safely profitable, not overly exposed to risks, well-managed, and serving the needs of the community. For a bank, this is a regular occurrence.¹

Federal bank supervision refers to the authority of certain agencies—the Federal Reserve (Fed), the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Cooperation (FDIC), and the Consumer Financial Protection Bureau (CFPB)—to monitor and examine banks, impose reporting requirements, and recommend that banks take certain actions.² The purpose of this authority is to ensure that banks are operating in a safe and sound manner, to identify and mitigate risks, and to check that banks are in compliance with applicable laws and regulations.³ As part of an examination, an examiner may recommend that a bank's management and board of directors take certain actions to comply with regulations and advise of possible consequences if such action is not taken and noncompliance or a deterioration of the bank's condition subsequently occurs.⁴ The regulators often issue guidance documents recommending policies and procedures to ensure compliance.⁵

Bank supervision creates certain benefits (e.g., safer banks and a more stable banking system, more compliance with consumer protection laws and community reinvestment, and prevention of certain crimes) but imposes certain costs (e.g., direct supervision costs, compliance costs, and potential diversion of credit from certain market segments). As a result, Congress often considers an array of issues related to whether aspects of bank supervision are effective and efficient.

This report provides background information on bank supervision and analyzes certain selected policy issues. It begins with descriptions of the federal agencies that perform supervision, the requirements and processes it entails, and the benefits and costs of bank supervision. The report also examines the supervisory authority the agencies have over companies that provide certain services for banks. It then discusses the following policy issues:

• whether supervision requirements are appropriately tailored across banks of different sizes and levels of complexity;
• challenges raised by the Coronavirus Disease 2019 (COVID-19) pandemic and what expectations could be placed on banks as the effects of the pandemic continue to unfold;
• whether the supervisory authority over companies that provide services to banks is appropriately calibrated for bank relationships with technology service providers;
• whether the recent changes the OCC made to its Community Reinvestment Act (CRA; P.L. 95-128) regulations fulfill congressional intent and whether the OCC's lone implementation without the other federal regulators will create challenges;
• whether certain guidance documents and examiners' interpretation of them can lead to banks having to adhere to what are in effect regulations that have not gone through the mandated rulemaking processes;
• whether Home Mortgage Disclosure Act (HMDA; P.L. 94-200) requirements are appropriately calibrated and how the small business loan reporting mandated by the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act; P.L. 111-203) could be implemented; and
• whether reviews of examination appeals should be more independent from regulatory agencies.

Overview of Bank Supervision

Bank Regulators

Which agency is the primary federal supervisor and for what type of supervision—either prudential supervision, also called "safety and soundness" supervision, or consumer compliance—depends on a number of factors (as shown in Figure 1).⁶ These factors are (1) whether the bank has a national or state charter;⁷ (2) if a state bank, whether it is a member of the Federal Reserve System (FRS);⁸ and (3) whether the bank has more or less than $10 billion in total assets.

The OCC is the primary prudential regulator for all national banks, which are required to be members of the FRS (1,060 banks as of October 29, 2020).⁹ The Fed is the primary prudential regulator of state banks that are members of the FRS (736 banks). The FDIC is the primary prudential regulator of state banks that are not members of the FRS (3,242 banks). For banks with assets of $10 billion or less, their primary prudential supervisors are also generally their consumer compliance supervisors. The CFPB is generally the primary consumer compliance supervisor for banks with more than $10 billion in assets.

Figure 1. Which Agency Is a Bank's Primary Supervisor?

Source: CRS.

State agencies also supervise state banks with the Fed and the FDIC. In addition, the Fed supervises all parent companies that own banks, called bank-holding companies, regardless of which agency supervises the bank subsidiary.

This system featuring numerous regulators at the state and federal level can present certain challenges. The agencies could implement inconsistent or overlapping supervision. Banks may seek to be regulated by the agency they perceive to be most lax, and the agencies may have incentives to be more lax in order to attract banks—from whom they collect fees, called assessments—to their regimes. To avoid such outcomes Congress created the Federal Financial Institutions Examination Council (FFIEC) in the Financial Institutions Regulatory and Interest Rate Control Act of 1978 (P.L. 95-630). The FFIEC "prescribes uniform principles and standards for the federal examination of financial institutions" by the federal bank regulators and other regulators and makes "recommendations to promote uniformity in the supervision of these financial institutions … [and] to promote consistency in such examination and to insure progressive and vigilant supervision."¹⁰

Benefits of Supervision

Supervision produces a number of potential benefits, including increased safety and stability in the banking industry and the financial system, better consumer compliance and community reinvestment, reduced money laundering, and fewer cybersecurity breaches.

Safety, Soundness, and Systemic Stability

The central business of commercial banks is to convert deposits in saving and checking accounts into loans and other credit. This credit intermediation generates tremendous economic benefits and growth, because funds that would otherwise be sitting idle can instead be spent and invested. However, it is inherently risky, because while banks are obligated to return deposits on short notice, the credit banks extend to borrowers is paid back slowly over time. This mismatch can lead to bank failures and, absent government guarantees, to depositors losing their savings. In addition, some banks, especially large banks, are also highly involved in numerous other financial markets and activities that expose them to additional risks and make them important actors in the financial system.

Because of the important role banks play in finance and the economy, the failure of a sufficiently large number of banks or of a small number (perhaps just one) of large banks can threaten the stability of the whole financial system and real economy. In response, the government has constructed "safety nets"—for example, making the Fed "a lender of last resort" for banks with cash flow problems and the FDIC the federal insurer of deposits—to reduce the occurrence of failures and protect against depositor losses. However, these safety nets expose the government (and so, ultimately, the taxpayer) to losses and distort market incentives in a way that could incentivize banks to take greater risks. To mitigate exposure and risk-taking, the government has implemented safety and soundness regulations, called prudential regulations, aimed at bringing stability to individual banks and the banking system as a whole.

Supervision enables regulators to evaluate institutions for how safe they are and whether they are complying with prudential regulations. In addition, it allows them to monitor and evaluate the industry as a whole and possibly to identify troubling industry-wide trends and rein in concerning activity before it culminates in major losses and crises. Preventing bank failures and mitigating financial crises and resulting economic contractions could lead to greater economic growth over the long term. In addition, a regulatory regime in which banks are closely monitored and risk-taking is constrained may create greater public trust in the banking system, leading more people to deposit funds and take out bank loans, which could foster economic growth further.

Consumer Compliance and Community Reinvestment

Regulators also evaluate bank compliance with consumer protection and fair lending laws (called consumer compliance supervision). In addition, the CRA requires regulators to assess how well banks are meeting the needs of the communities in which they operate.

Broadly speaking, these laws are aimed at ensuring that banking industry activities result in fair outcomes. Consumer protection refers to laws and regulations prohibiting banks and other lenders from engaging in unfair, deceptive, or abusive acts and practices.¹¹ For example, under the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank; P.L. 111-203), they generally cannot take advantage of a consumer by not adequately informing him of the costs and other terms and conditions of a loan.¹² Fair lending laws prohibit lenders from discrimination against borrowers of certain protected classes. For example, under the Equal Credit Opportunity Act (15 U.S.C. §§1691-1691f), a bank cannot deny a loan application or provide a loan under more expensive terms if the applicant is a minority, a woman, or above a certain age.¹³

The CRA requires that regulators evaluate banks for how well they meet the credit needs of the entire community, including low- and moderate-income neighborhoods, in which they operate.¹⁴ The law was enacted with the aim of preventing "redlining," a practice wherein a bank would refuse to make home loans in certain low-income or minority neighborhoods (which the bank would outline in red on its maps, hence the name).¹⁵ Banks are not subject to enforcement actions (e.g., fines, legally compelled changes in behavior) for poor performance under the CRA, but regulators do consider their performance when they apply to expand operations, such as by merging with another bank.¹⁶ Thus, banks that hope to expand into new areas have an incentive to perform well on their CRA evaluations.

By evaluating banks for compliance and performance pursuant to these laws, supervision can reduce unfairness, deception, abuse, and discrimination in bank lending and encourage bank lending in low- and moderate-income areas. These are beneficial outcomes in their own right but may also increase economic growth by improving public trust in and use of banks.

Money Laundering Prevention and Cybersecurity

Banks must comply with laws and regulations aimed at reducing certain crimes, including money laundering and cybercrime. Supervision in these areas involves examination of banks' internal controls, policies, procedures, and information technology systems.

Banks face a number of requirements under the Bank Secrecy Act (P.L. 91-508) and anti-money laundering regulations (collectively BSA/AML) designed to prevent criminals from using the banking system to hold, process, and make seem legitimate their criminal proceeds.¹⁷ BSA/AML compliance requires a bank, among other things, to verify their customers' identities and to record and report certain transactions with the Treasury Department's Financial Crime Enforcement Network. For example, a bank must file a suspicious activity report when it suspects that a transaction may be related to criminal activity and a currency transaction report when it processes a large currency transaction (generally over $10,000).¹⁸

Banks must generally establish BSA/AML policies and procedures and assign personnel to carry them out. Bank examinations include an evaluation of how well banks have established and are maintaining these systems,¹⁹ and bank regulators have issued guidance describing certain features bank BSA/AML compliance programs should generally have.²⁰

Cybersecurity for banks has both safety and soundness and consumer protection implications. A cyberattack can expose a bank to financial losses. For example, a denial-of-service attack—wherein the attacker directs so much internet traffic at a bank's website that it gets overloaded—prevents customers from doing business with the bank for a period of time and could undermine public trust in it. From the safety and soundness perspective, cybersecurity is like physical security: Banks must guard against the theft of assets and records regardless of whether it is attempted by burglars cracking safes or hackers breaching cybersecurity. The consumer protection element arises because cybercriminals often target bank customers' sensitive personal information.²¹

Accordingly, bank regulators require banks to protect themselves (such as under Section 39 of the Federal Deposit Insurance Act [P.L. 81-797]) and their customers' information (such as under Sections 501 and 505(b) of the Graham-Leach-Bliley Act [P.L. 106-102]) by establishing information security standards²² and evaluating banks' systems in examinations.²³ These not only reduce the occurrence of successful cyberattacks but may also foster trust in the banking system.

By settings standards; issuing guidance; and evaluating banks' policies, procedures, and systems for preventing money laundering and successful cyberattacks, bank supervision aims to reduce those bad outcomes and foster public trust in the banking system.

Costs of Supervision

Supervision has a number of potential costs that could reduce credit availability in general or in specific market segments. These costs include the fees the regulators charge banks to fund their supervision activities, the costs banks incur to ensure they are in compliance with all laws and regulations, and an under-allocation of credit and services to markets that banks think regulators disfavor.

Fees, or "Assessments"

Regulators must employ examiners and other staff, pay for travel and lodging during on-site exams, and purchase and maintain various equipment and software used in supervision activities. The bank regulators are self-funded, independent agencies. The Fed, OCC, and FDIC cover the direct costs of supervision, at least in part, by charging banks fees called assessments.²⁴ The amount banks pay in these fees reduces the funds banks have available to lend and thus reduces the amount of credit available to the economy. In addition, the Fed earns interest from the assets it owns in order to implement monetary policy and collects fees from banks that use its payment systems. The Fed remits any income above expenses to the Treasury Department's general budget.²⁵ Thus, any money it spends on supervision reduces that remittance.

The FDIC's 2020 budget allocates $1.06 billion to supervision activities.²⁶ The OCC's 2019 annual report indicates that the agency spent $965 million on supervision in FY2019.²⁷ The Fed spent a combined $1.84 billion on supervision according to its 2019 annual report.²⁸ The CFPB does not report expenditures on bank supervision specifically but only on a broader category of expenditures on supervision and enforcement, for which it budgeted $153 million for FY2020.²⁹

Compliance Costs

Banks also incur compliance costs, such as employee time dedicated to recordkeeping and reporting, the purchase and maintenance computer systems and software used in compliance activities, and paying outside contractors such as accountants to ensure compliance. These costs can also reduce funds available for lending and thus reduce credit availability.

It is difficult for regulators and banks to disentangle specifically which expenses are the direct result of supervision.³⁰ For example, many employees are not solely dedicated to compliance and have many responsibilities related to running a bank's business operations. Similarly, computers and outside specialists also manage banks' business activities.

A recent study by the Federal Reserve Bank of St. Louis used surveys from a sample of banks with less than $10 billion in assets to estimate that those banks' compliance costs were on average 7.2% of noninterest expenses. In addition, the study found that the percentage of noninterest expense dedicated to compliance declined as banks got bigger but that this effect flattened out in the biggest bank groups (Figure 2). For example, banks under $100 million dedicated 9.8% noninterest expense to compliance, while banks between $1 billion and $10 billion dedicated 5.3%.³¹

Figure 2. Compliance Costs as a Percentage of Noninterest Expenses

Source: Drew Dahl et al., Compliance Costs, Economies of Scale and Compliance Performance, Federal Reserve Bank of St. Louis, Community Bank Research and Outreach, July 2018.

Small banks are subject to less regulation and supervision than are big banks, so this measurement suggests that compliance costs are subject to economies of scale—that is, as a bank gets bigger it becomes more efficient at compliance. The results of other studies have a wide range of estimates, although indicators of economies of scale in compliance (sometimes with a leveling off among the largest banks) are common.

The St. Louis Federal Reserve results are consistent with earlier findings on compliance costs, although the percentages are near the lower end of the range of estimates.³² Thus, applying the results from that study to data on noninterest expenses can produce an estimate of total compliance costs, albeit one at the low end of the range. Assuming compliance costs are 7% of total noninterest expenses at community banks (which were $15.4 billion in the second quarter of 2020) and 5% at noncommunity banks ($106.9 billion total noninterest expenses), the sum of compliance costs would be over $6.4 billion in the quarter.³³ This would annualize to almost $25.7 billion a year. However, considering the higher measured costs from other studies, the true cost may be twice as large as this estimate or more.

Effects on Credit Allocation Decisions

A more indirect cost to supervision is its potential to affect bank decisions about which market segments to lend to. This could reduce credit to certain segments, leading to a less efficient allocation of credit. Banks may factor in how they think examiners will assess certain loans instead of making credit decisions based entirely on economic and business considerations. For example, banks may be hesitant to make loans in a higher-risk market segment even if the expected returns on the loans justify the risk, because they worry those loans will draw regulatory scrutiny. As a result, the argument goes, banks would over-allocate available funds to markets perceived to be favored by regulators and under-allocate to those perceived to be disfavored. However, recall that government-backed bank safety nets may cause banks, absent prudential regulations and supervision, to be overly risky. The extent to which supervision corrects toward risk-appropriate market segments or overcorrects causing misallocations is subject to debate.

The recent history of deposit advances and other short-term, small-dollar loans suggest that this is not a purely hypothetical situation. Before 2013, many banks offered deposit advances—small, short-term loans made to existing bank customers that are repaid when the customers deposit their next paychecks—to meet unexpected expenses, such as car repairs or medical bills. However, in that year the Fed, FDIC, and OCC issued a guidance on how these relatively expensive products may present consumer compliance, reputational, and operational risks.³⁴ Subsequently, most banks stopped offering deposit advances. Banks and observers asserted that this was the result of banks interpreting the guidance as a warning against offering such products.³⁵ This series of events is also an example of how guidance can act, in effect, like a rule without the agencies having to put it through the mandated rulemaking processes, as discussed in the "Guidance Versus Rules" section below.

Bank Supervision Requirements and Tools

Regulators have complementary tools to achieve their supervisory goals. Examinations, monitoring, and reporting requirements are all part of an ongoing, iterative process that allows regulators to evaluate banks, the industry, and market trends. Regulators also periodically issue guidance documents to explain particular regulations and provide detail on how banks can comply. For cases in which banks disagree with examination results, regulators have established appeals processes.

Examinations

Regulators are generally required to conduct at least one full-scope, on-site examination of a bank every 12 months.³⁶ However, banks that (1) have less than $3 billion in assets, (2) meet capital requirements necessary to be considered well-capitalized, and (3) were most recently found to be well managed and in "outstanding" condition (banks under $200 million in assets can be in "good" condition), among other conditions, can be examined every 18 months.³⁷

Regulators make efforts to coordinate exams and evaluate as many aspects of bank operations as possible so that a single full-scope exam is the only on-site visit by regulators in the 12- or 18-month cycle, especially for small, simple banks in good condition.³⁸ However, if a bank is larger or more complex or has issues its regulator thinks need more attention, the regulator may perform additional examinations during the cycle. These may only be targeted examinations, which focus on a particular product, activity, or risk, or specialty area examinations, which relate to consumer compliance, CRA evaluation, BSA/AML requirements, and information technology security.³⁹

Examinations involve an evaluation of bank practices and performance. Examiners objectively confirm whether a bank meets regulatory requirements and subjectively judge whether a bank satisfies regulatory goals. Bank examiners assign banks confidential ratings based on the Uniform Financial Institutions Ratings System, wherein the banks receive ratings from 1 (best) to 5 (worst) across six "CAMELS" components—capital adequacy, asset quality, management, earnings, liquidity, and sensitivity to market risk—and a composite rating based on all those components.⁴⁰ A bank's CAMELS rating can affect a bank in a number of ways, including how much a bank must pay for FDIC insurance and how often it is examined in the future.⁴¹ Bad ratings can result in informal agreements that the bank make certain changes or formal enforcement actions.⁴²

Ongoing Monitoring

In between examinations, bank regulators continually monitor bank practices and performance. This can be done off site and often involves analysis of information that banks send to the regulators as part of existing reporting requirements, which are discussed in the following section. In addition, regulators may request that additional information be sent. Examiners may also confirm that banks are undertaking any actions that had been agreed to in previous exams.⁴³

For the largest, most complex bank organizations, this ongoing monitoring can involve significant resources and attention. For example, staff from the regulatory agencies are permanently placed on site at certain large bank offices, and some regulators have work units and policies dedicated specifically to large bank supervision.⁴⁴

Reporting Requirements

On a regular basis, banks are required to submit certain information to regulators. Reporting this information requires a bank to dedicate resources to complete the task. For example, a bank employee or employees dedicate time to filling out forms, and in many cases banks purchase computer software to make meeting reporting requirements faster and easier. Reporting requirements are varied, but two prominent requirements are the Report of Condition and Income (referred to as the call report) and HMDA mortgage loan and mortgage application reporting.⁴⁵

All banks must submit a call report at the end of every financial quarter of the year. The call report is comprised of a number of schedules that give a detailed accounting of bank income, expenses, assets, liabilities, and capital, among other variables that describe a bank's condition. There are three variations of the call report of varying specificity and detail. Large, complex banks submit the most detailed and small simple banks the least.⁴⁶ As of June 30, 2020, the most detailed version was 91 pages long and contained 27 schedules, while the least detailed version was 65 pages long and contained 19 schedules.⁴⁷

HMDA was originally enacted in 1975⁴⁸ and requires most lenders, including most banks, to report data on their mortgage applications and loans. Regulators use the data to assist in (1) "determining whether financial institutions are serving the housing needs of their communities;" (2) "distributing public-sector investments so as to attract private investment to areas where it is needed;" and (3) "identifying possible discriminatory lending patterns."⁴⁹ Under HMDA, banks must generally record and report to regulators the number and amount of mortgage loans made and applications received, certain applicant characteristics—such as income level, race, age, and gender—and certain loan characteristics such as interest rate and fees charged.⁵⁰

Guidance

Bank regulators often issue nonbinding guidance providing explanations on how to adhere to particular regulations. To take a recent example, the bank regulators issued a joint statement on August 13, 2020 (which updates earlier guidance), describing examples of when they would issue a cease-and-desist order for failing to comply with BSA/AML requirements.⁵¹ In addition, regulators issue guidance advising banks about how they view changes to market conditions or practices. For example, regulators have issued a number of guidance documents in response to the COVID-19 pandemic advising banks how they should continue to service customers and treat loans that are nonperforming because of the pandemic.⁵²

Guidance in supervision can subtly influence regulatory burden by changing banks' understanding and expectations related to how rules should be complied with and how regulators will enforce those rules.

Appeals Process

When examiners determine that some aspect of a bank's condition or compliance is deficient and needs to be changed, they may make a material supervisory determination (MSD). These can include a CAMELS rating downgrade, which in turn may result in an increased FDIC insurance assessment.⁵³ Or an MSD may require a bank to increase its loss reserves or reclassify the status of certain loans. In addition, an MSD could portend a formal enforcement action.⁵⁴

Banks may disagree with an examiner's determination. Often, disputes are resolved informally through discussion between the bank and the examiner. However, the bank regulators are required to maintain certain formal, independent appeals processes for supervisory findings. For example, under the Riegle Community Development and Regulatory Improvement Act (P.L. 103-325), each agency must appoint an independent ombudsman and maintain regulatory safeguards to prevent retaliation against a bank that disputes the examination findings.⁵⁵ Each agency's ombudsman's exact role varies, but they generally facilitate the resolution of disagreements over examination results.

Supervision Authority and Bank Service Providers

Bank regulators also have authorities over certain companies that perform services for banks by contract. In recent years, these authorities have come under scrutiny as banks increasingly rely on technology service providers (TSPs). The Bank Service Company Act (P.L. 87-856) directs the bank regulators to treat all activities performed by contract as if they were performed by the bank and grants them the authority to examine and regulate these third-party vendors that provide services to banks,⁵⁶ including check and deposit sorting and posting, statement preparation, notices, bookkeeping, and accounting.⁵⁷ In addition, Section 501 of the Gramm-Leach-Bliley Act (P.L. 106-102) requires federal agencies to establish appropriate standards for financial institutions to protect customer information. Pursuant to that law, the bank regulators have issued interagency guidance indicating that banks have to ensure that third-party vendors maintain appropriate security measures.⁵⁸

Companies known as core software providers or bank core processors sell and maintain the digital technology that banks use to perform their "core" activities, such as processing payments and other transactions, recording digital information, complying with regulatory reporting requirements, and developing interfaces for customer accounts. The costs of these services may be less than the staffing and investment costs of developing and maintaining the information technology in-house.⁵⁹ Some of the companies have been active for decades.⁶⁰

Another industry segment is cloud service providers. Some have jokingly referred to cloud computing as "someone else's computer."⁶¹ While this is a facetious characterization, it does succinctly describe the core tenet of the technology. Users of cloud computing transfer their information from a resource (e.g., hard drives, servers, and networks) that they own to one that they lease. One of the benefits of cloud computing is that it relieves users from having to buy, develop, and maintain technical resources. Instead, users pay the cloud service providers, who specialize in building and managing such resource infrastructures.

Selected Policy Issues

Because supervision plays such a prominent role in the regulation of the banking industry, regulator supervisory authorities and practices are the subject of a variety of policy questions. The numerous supervision-related issues range from general and long-standing (e.g., whether or not the frequency and scope involved in examination and reporting are appropriately balanced) to relatively new and specific (e.g., how bank examiners will assess loans impaired in the aftermath of the COVID-19 pandemic). This section will discuss certain prominent supervision issues that may attract congressional attention.

Tailoring of Requirements

One area of debate related to supervision involve questions of calibration: How can requirements be applied so that supervision is not too lax and allowing excessive risks but not too stringent and imposing unnecessary costs? In many cases, the answers might depend on the characteristics of individual banks.

The benefits of supervising large, complex, interconnected banks may be greater compared to small, simple banks. A large bank can individually pose risks to the entire financial system if it were to fail, while a small bank does not. Further, large bank noncompliance with consumer protection and fair lending laws could harm millions of consumers, while far fewer would be affected by a small bank's noncompliance.

Meanwhile, the costs of supervising large institutions may be smaller relative to bank size. As mentioned in the "Compliance Costs" section, small banks have disproportionately higher compliance costs, whereas larger banks benefit from economies of scale. As a bank gets bigger its compliance costs increase by a smaller proportion. In addition, some observers assert that small banks are important sources of credit for small, local borrowers that large banks might not serve.⁶² If this is the case, then the reduction in credit resulting from supervision costs might occur in market segments with fewer alternatives.

Thus, there is a general consensus that supervision should be less stringent for small banks than for large banks, and many aspects of supervision are already more lenient for small banks. For example, certain small banks are eligible for less frequent examination, can fill out shorter call reports, and do not have the CFPB as a primary federal regulator. However, calibration and degree of tailoring are matters of debate: At what size or complexity should a bank become more closely supervised and in which aspects of their supervision?

For instance, Section 205 of EGRRCPA directed the bank regulators to shorten the call report that banks with assets under $5 billion file in the first and third quarter of the year. In June 2019, the regulatory agencies issued a final rule pursuant to the provision, raising the threshold for banks permitted to file the shortest form of the call report to $5 billion and removing certain line items from the first and third quarter requirements.⁶³ Bank industry groups asserted that the reduction was insufficient given the intent of the law, arguing that the rule would not meaningfully reduce the reporting burden on small banks, such as those that could already file the shortest form of the call report.⁶⁴ In response, the regulators have asserted that they need the information required in the proposed call report "to effectively monitor the safety and soundness of institutions and the financial system, as well as to monitor compliance with consumer financial protection laws and regulations."⁶⁵

Another example is CFPB supervision of banks. Before Dodd-Frank, the Fed, OCC, and FDIC supervised banks for both safety and soundness and consumer compliance. Congress created the CFPB in response to assertions that this dual mandate restricted the regulators' incentive or ability to effectively monitor and curtail questionable consumer lending practices leading up to the 2008 financial crisis. Critics of the CFPB assert that certain banks subject to its supervision (e.g., those over but near the $10 billion threshold) face unnecessarily onerous examinations, and they call for raising the $10 billion threshold or returning consumer compliance supervision to the primary regulator.⁶⁶ Proponents of the CFPB argue that these changes could lead to inappropriately lax consumer compliance supervision, similar to what was in place before the financial crisis.⁶⁷

Supervisory Responses to COVID-19

The 2019 novel coronavirus disease (COVID-19) pandemic led to the closure of millions of businesses and to tens of millions of workers losing their jobs, which significantly reduced borrowers' ability to make repayments on their bank loans. Missed payments puts stress on banks. In addition, absent any response from regulators, restrictions on travel and working indoors create challenges related to banks meeting their supervisory obligations. This section examines supervisory issues related to the COVID-19 pandemic. For a broad examination of COVID-19 effects on banks and related policymaker responses, see CRS Report R46422, COVID-19 and the Banking Industry: Risks and Policy Responses, coordinated by David W. Perkins.

Temporary Supervisory Changes

COVID-19 has presented logistical challenges both to banks in fulfilling their reporting obligations and to regulators in carrying out supervision operations. Bank employees may be restricted from regularly going to work on bank premises. This could hinder their ability to file required reports. Similarly, bank employees and contractors may have found it difficult to complete tasks remotely. Regulator staff also face challenges, particularly in traveling to and performing on-site examinations.

Regulators have responded to these challenges by temporarily changing supervision policies and priorities and delaying reporting deadlines and implementation dates. These actions included

• On March 24, 2020, the Fed temporarily shifted its focus from examination to monitoring in order to better understand "the challenges and risks that the current environment presents."⁶⁸ The Fed announced on June 15, 2020, that it would resume examination activities, though it anticipated it would conduct exams off site until conditions improve.⁶⁹
• On March 25, the bank regulators jointly announced a 30-day deadline extension for filing the first quarter call reports.⁷⁰ On March 26, the Fed announced a 30-day grace period for bank holding companies with less than $5 billion in assets for filing a similar form.⁷¹
• On March 26, the CFPB announced that it would not cite in an examination or take enforcement actions against certain financial institutions that did not submit certain required information or data until further notice. This included the quarterly HMDA data and information required under certain Truth in Lending Act (P.L. 90-321) regulations.⁷²
• On March 27, the bank regulators jointly announced that banks could delay the adoption of a new accounting standard for estimating future losses, called the current expected credit loss standard, for up to two years. This is in addition to the existing three-year implementation schedule.⁷³ This delay was longer than the one mandated by Section 4014 of the CARES Act enacted on the same day.

COVID-19 Guidance Documents

Once it was clear that COVID-19 was a global pandemic with far-reaching economic implications, regulators began providing guidance on how to address challenges and serve affected customers.⁷⁴ In early March 2020, banking regulators encouraged financial institutions to work with customers in COVID-19-affected areas. Throughout the month, the regulators clarified the ways they wanted financial institutions to address consumer concerns and began providing more incentives for doing so. For example, regulators announced that any "prudent efforts to modify terms of existing loans for affected customers would not be subject to supervisory criticism"—in other words, efforts to help customers would not face the type of safety and soundness concerns that might otherwise be raised in bank examinations in normal times.⁷⁵ Additionally, the federal regulators began encouraging financial institutions to offer small-dollar loans to consumers and businesses affected by COVID-19 to help meet customers' needs.⁷⁶

These initiatives reflect the regulators' view that efforts to help customers "serve the long-term interests of communities and the financial system when conducted with appropriate management oversight and are consistent with safe and sound banking practices and applicable laws, including consumer protection laws."⁷⁷

Another consequence of COVID-19 is its effect on low- and moderate-income (LMI) areas. Building off their guidance to ensure that financial institutions are able to continue working with customers, regulators began providing new incentives for institutions to help LMI customers. Banking institutions can often receive CRA credits for meeting customer cash and financial needs during major disasters in adversely affected communities, even in those where the bank does not primarily accept deposits.⁷⁸ In March, the Fed, FDIC, and OCC issued a joint statement declaring "that financial institutions will receive CRA consideration for community development activities."⁷⁹

Supervision as COVID-19 Effects Continue to Unfold

It is highly uncertain how the COVID-19 pandemic and the policy responses to it will affect the banking industry. Bankers and regulators generally can, due to their experience and through historical analysis, fairly accurately predict losses on loan portfolios that might occur during and after a typical recession. In this case, bankers and examiners may have a shared understanding of how banks should account for losses, how perilous a bank's condition may or may not be, and what are the best actions a bank can take given the situation. However, the speed, breadth, and depth of the pandemic's effects on the economy are unprecedented.

In addition, certain policy responses to the pandemic—such the CARES Act Section 4013 requirement to allow lenders to account for troubled debt restructurings differently and the Section 4022 requirement to grant forbearances to certain mortgages for up to one year—mean that bank losses and recovery of value on nonperforming loans will unfold differently than under normal circumstances.⁸⁰ Given these uncertainties and deviations from norms, bankers and regulators may disagree over bank conditions and what the appropriate response to changing conditions should be.

On June 23, 2020, the bank regulators issued interagency guidance to their examiners in an effort to address those challenges and establish supervision standards related to COVID-19 considerations. The statement accompanying the guidance noted

The four federal [bank regulatory] agencies in conjunction with the state bank and credit union regulators today issued examiner guidance to promote consistency and flexibility in the supervision and examination of financial institutions affected by the COVID-19 pandemic…. The interagency guidance instructs examiners to consider the unique, evolving, and potentially long-term nature of the issues confronting institutions due to the COVID-19 pandemic and to exercise appropriate flexibility in their supervisory response.⁸¹

Regulations Implementing the CRA

As discussed in the "Consumer Compliance and Community Reinvestment" section above, the CRA encourages banks to meet the credit needs of LMI neighborhoods⁸² by requiring regulators to evaluate how well a bank is meeting credit needs in the community and consider those evaluations when a bank applies to expand operations.⁸³

The CRA does not specify how banks can "meet the credit needs" of a community or what areas should be considered a bank's "community." Instead, it leaves it to the Fed, OCC, and FDIC to implement regulations to carry out the purposes of the act.⁸⁴ One critique of the CRA regulation is that the standards on which banks are judged are not transparent and objective. Community advocates also criticize the current system of evaluation. They note that a very high proportion of banks—almost 99 percent in 2019⁸⁵—get a Satisfactory or Outstanding rating, despite the continued under-allocation, in their view, of credit to LMI and minority neighborhoods.⁸⁶

Another issue is the decreasing importance of physical bank office locations. When the CRA was enacted in 1977 and for years afterward, banking was carried out almost entirely at physical offices. People brought checks and cash for deposit and applied for loans in person. Thus, a bank's community was clearly a geographic area determined by where those offices were located. In recent years, however, banking is increasingly done over the internet. Some banks offer only online products and have no physical branches. This has led some to contend that basing CRA evaluations on geographic factors may produce inaccurate evaluations for certain banks.⁸⁷

While there is general agreement that CRA regulations need to be updated, there is lack of consensus over how. This apparently extends to the bank regulators themselves, as they have not moved forward in unison using joint rulemaking. The three implementing bank regulators have all at least begun the process of changing CRA regulations, but the OCC is the only one to have issued a final new rule.

On August 28, 2018, the OCC announced that it would publish an advanced notice of proposed rulemaking in the Federal Register.⁸⁸ The notice requested comments about CRA evaluation and was issued by the OCC alone.⁸⁹ After receiving over 1,500 comments, the OCC issued a notice of proposed rulemaking on January 9, 2020, this time jointly with the FDIC.⁹⁰ The rule proposed to clarify and expand the set of activities that would qualify for CRA credit, expand the geographic area where activities would count toward CRA evaluation, and increase reliance on quantitative measures in evaluation. The two agencies jointly extended the comment period on the proposal on February 26.⁹¹ On June 5, the OCC finalized its new rule on its own without the FDIC.⁹² To date, the FDIC has not issued any additional rulemakings.⁹³ On September 21, 2020, the Fed announced it would issue its own advanced notice of proposed rulemaking for a new CRA approach.⁹⁴

The agencies' recent CRA rulemaking efforts have elicited mixed reactions. A number of consumer and community advocacy and civil rights groups argue that expanding CRA qualifying activities and other changes will make it easier for banks to achieve good CRA ratings while directing less credit to LMI neighborhoods, making them inconsistent with congressional intent.⁹⁵

State bank regulators, community advocacy groups, and bank industry associations argue that three agencies implementing changes in separate processes risks having the CRA applied differently across bank types. This could create practical and legal problems for banks and regulators and contravenes the widely accepted principle that regulation generally should be consistent for all banks.⁹⁶

Bank industry associations generally favor actions to increase the objectivity, transparency, and simplicity of the evaluation methodology. However, they took issue with aspects of the OCC's new rule, including its recordkeeping requirements and the costs of changing their compliance to a new system.⁹⁷

Bank Technology Service Providers Supervision

As discussed in the "Supervision Authority and Bank Service Providers" section, bank regulators treat certain activities performed by contract as if they were performed by the bank itself and have supervisory authority over certain bank service providers. While the regulator authorities help ensure that banks are safe and sound and complying with applicable law, banks and technology company proponents argue that aspects of these regulations hinder banks and TSPs from entering into beneficial arrangements. Broadly speaking, policy debates in this area involve questions of whether the regulations that apply to banks and their TSPs are appropriately balanced to foster the benefits of technology while mitigating the risks. Policymakers have also examined issues specific to the types of TSPs and possible changes to existing regulation.

Core Service Providers

Bank proponents and new financial technology (or fintech) firms have voiced concerns that certain market characteristics and current regulations are stifling innovation and leaving banks without access to the latest, most effective technology. In recent years, they have asserted that existing core processors have not been responsive to banks' needs as technology's role in delivering banking services to customers has rapidly increased.⁹⁸ One possible reason is the high cost of switching core processors, particularly in cases where bank legacy systems were initially put in place years or decades ago and then updated and added onto in a patchwork way.⁹⁹ Another reason may be a high degree of market concentration. According to one industry analysis, the three largest core providers—Fiserv, Jack Henry, and FIS—have an estimated 66% market share of core processing services.¹⁰⁰ In addition, some banks assert that the bank regulators view new technology warily, which makes banks hesitant to switch to new fintech firms, who might have little experience with regulatory compliance.¹⁰¹ Bank proponents argue that if the market structure were more competitive, the large firms in this industry would have a greater incentive to develop more innovative banking products.¹⁰²

Cloud Service Providers

Exercising supervisory authority over cloud service providers can present challenges to bank regulators. At least initially, the regulators may be unfamiliar with the cloud service industry, and cloud service providers may not be familiar with what is expected during bank-like examinations. The former could lead to bank regulators not knowing what should be involved in the examination of a service provider, potentially resulting in ineffective or overly burdensome supervision. Cloud service providers, for their part, may be hesitant to take on bank clients due to the added compliance requirements, potentially making a beneficial service less available or more costly for banks.

The Fed's April 2019 examination of Amazon Web Service (AWS), Amazon's unit that provides cloud services, anecdotally illustrates the challenges in this area. As reported, AWS was wary of the examination process, and when Fed examiners asked for additional information, "the company balked, demanding to first see details about how its data would be stored and used, and who would have access and for how long."¹⁰³ As cloud service providers continue to take on bank clients, their obligations to and relationship with bank regulators will likely continue to be debated.

Another issue is that the cloud service industry, like the core service industry, is highly concentrated. According to one widely cited industry study, AWS controlled almost 48% of the global market for one type of cloud service in 2018, and Microsoft had over a 15% market share.¹⁰⁴ Certain characteristics of the industry, such as strong economies of scale and the necessity of large initial investment, suggest that it could naturally remain highly concentrated.¹⁰⁵

In addition to usual concerns related to anticompetitive pricing and practices that market concentration can generate in any industry, concentration in the bank cloud service industry could also pose a systemic risk to financial stability. Since there are only a small number of large providers, many banks may use the same provider, so an incident at one of the main providers could affect numerous firms simultaneously and so potentially disrupt large portions of the entire financial system. Large, systemically important banks are reportedly moving significant portions of their operations onto cloud services, which could exacerbate the effects of disruption at a cloud service provider.¹⁰⁶ One particular breach of AWS illustrates this point. Allegedly, a hacker who had previously worked at AWS targeted Capital One's data stored on AWS's cloud. The attack successfully breached AWS's safeguards, compromising the personal data of over 100 million consumers.¹⁰⁷

Proposed Voluntary Certification Program for TSPs

Some observers have suggested reducing the burdens related to banks entering into contracts with TSPs that have a good track record in regulatory compliance.¹⁰⁸ One idea is a regulator-provided list of vendors that meet certain technical specifications.¹⁰⁹ This list could be an informative guidance document that does not change bank third-party due diligence requirements, or it could include a "safe harbor" protection, wherein banks that use approved TSPs are presumed to be in compliance. The criteria that could qualify a TSP could take on any number and combination of metrics, from the number and duration of banks successfully served to past examination results or the qualifications of TSP executives and managers.

On July 20, 2020, the FDIC announced it was considering such a program and requesting input from the public about the possibility of setting standards and establishing a voluntary certification program for TSPs and other third-party service providers. The announcement stated that it wanted to assess the potential to reduce regulatory and operation uncertainty facing banks when deploying new technology and entering into arrangements with fintechs.¹¹⁰

Such a program could encourage innovative and beneficial technology in the banking industry. However, this could result in banks becoming lax in their due diligence and entering into arrangements that expose them to operational risk.

Guidance Versus Rules

As described in the "Guidance" section, regulators issue guidance documents explaining to banks how they view a particular rule. These documents do not establish enforceable regulations. Congress has granted many federal agencies the authority to issue regulations that carry the force of law, but to issue a regulation agencies must follow a set of procedures and requirements developed by Congress and various Presidents over the last 60-70 years.¹¹¹ For example, a regulation can be issued only if the agency follows the Administrative Procedure Act's (P.L. 79-404) requirements, including the notice-and-comment process and other relevant requirements.¹¹² After a regulation has been issued, Congress can overturn it under the Congressional Review Act (P.L. 104-121, Title II, Subtitle E) by passing a joint resolution of disapproval in both chambers using the act's expedited procedures. If the joint resolution is signed by the President, or if Congress overrides the President's veto, the rule is taken out of effect, and the agency is prohibited from issuing a rule in "substantially the same form."¹¹³

However, in recent years, banks have asserted that certain guidance documents have established rules without going through the mandated rulemaking processes, as bank management might feel compelled to adhere to the guidance recommendations, even though it is not violating a rule, because it fears an adverse exam finding. For example, after a 2013 guidance about deposit advances was issued, many banks subsequently stopped offering the product, as discussed in the "Guidance" section. Arguably, banks may have done this because they interpreted the guidance as a warning against the product.

Another example is the bank regulators' jointly issued 2013 update to guidance about leveraged lending—that is, lending to highly indebted companies—which described their "expectations for the sound risk management of leveraged lending activities."¹¹⁴ Subsequently, banks asserted that following the guidance constrained them from making sound loans and that examiners enforced the guidance as if it were a binding regulation.¹¹⁵

In 2017, the Government Accountability Office (GAO) concluded that the guidance was a rule subject to CRA review.¹¹⁶ Following GAO's determination, the bank regulators reportedly indicated that they would seek further feedback on the guidance.¹¹⁷ Federal Reserve Chairman Jerome Powell stated at a February 27, 2018, hearing that the Fed had emphasized to its bank supervisors that the guidance was nonbinding.¹¹⁸ Then-Comptroller of the Currency Joseph Otting reportedly stated in 2018 that the guidance provides flexibility for leveraged loans that do not meet its criteria—provided that banks operate in a safe and sound manner.¹¹⁹ Because the bank regulators appeared to believe that the document did not meet the CRA's definition of rule, they did not submit it to Congress.¹²⁰ To date, no changes have been made to the guidance, and no joint resolution of disapproval under the CRA was introduced. CRS has been unable to locate a submission of the guidance to Congress following the GAO finding that it was required under the CRA.¹²¹

Subsequent to these and other debates about how guidance was being used and interpreted, the regulators issued a policy statement in September 2018 to clarify the difference between guidance and rules. It noted that "law or regulation has the force and effect of law. Unlike a law or regulation, supervisory guidance does not have the force and effect of law, and the agencies do not take enforcement actions based on supervisory guidance."¹²² In October 2020, the bank regulators proposed codifying the policy statement in regulation.¹²³

Fair Lending Data Reporting Requirements

As discussed in the "Reporting Requirements" section, the HMDA requires most lenders—including most banks—to report data on their mortgage business, including applicant income level, race, age, and gender.¹²⁴ Section 1094 of the Dodd-Frank Act, as enacted, required lenders to collect additional data pursuant to HMDA, including points and fees payable at origination, certain information about the interest rate, and the value of property pledged as collateral.¹²⁵

In addition, Section 1071 of the Dodd-Frank Act amended the Equal Credit Opportunity Act (15 U.S.C. §§1691-1691f) to require lenders to report data to the CFPB on their small business loans and loan applications, including the race, sex, and ethnicity of the principal owners, "to facilitate enforcement of fair lending laws and enable communities, governmental entities, and creditors to identify business and community development needs and opportunities of women-owned, minority-owned, and small businesses."¹²⁶ The CFPB is in the process of implementing regulations pursuant to this law.

In recent years, matters on which banks needed to report HMDA data and what that data includes have been the subject of legislation, rulemaking, and debate. Under the 2015 CFPB rule, depository lenders generally had to comply with HMDA reporting requirements if they had more assets than an inflation-adjusted threshold (adjusted to $47 million in 2020),¹²⁷ originated at least 25 close-end mortgage loans or at least 100 open-end mortgage loans in each of the previous two years, and satisfied other criteria.¹²⁸ Since then the regulation has been modified a number of times by enacted legislation and rulemaking.

In 2018, Section 104 of EGRRCPA (P.L. 115-174) exempted many depository lenders from most of the HMDA requirements that were added by Dodd-Frank.¹²⁹ Depositories that have originated fewer than 500 closed-end mortgage loans in each of the preceding two years qualify for reduced reporting on those loans, and lenders originating fewer than 500 open-end lines of credit in each of the preceding two years qualify for reduced reporting on those loans, provided they achieve certain CRA compliance scores.¹³⁰ In the most recent rulemaking in May 2020, the CFPB raised the home purchase loan exemption threshold for all HMDA reporting requirements for depositories from 25 to 100.¹³¹ The debate underlying all these issues involves balancing the reduction in costs when more banks are exempted or report less data against the reduction in the regulators' ability to fulfill the purpose of HMDA. Particularly in rural communities with smaller and fewer operating banks, this trade-off can sometimes be more stark, as exemptions can limit regulators' ability to determine whether the banking system is meeting the needs of the community.

Though Dodd-Frank was enacted in July 2010, the CFPB has to date not issued finalized regulations implementing the Section 1071 small business loan reporting requirements. The CFPB had taken certain actions in recent years that were part of the rulemaking process, including holding a public hearing and releasing a white paper in May 2017 and holding a symposium in November 2019.¹³² However, some advocacy groups alleged that the agency was improperly delaying implementing a regulation in violation of the Administrative Procedure Act. In May 2019, some of those groups filed a lawsuit against the CFPB seeking an order requiring the agency to implement regulation promptly.¹³³ In February 2020, the CFPB agreed to a settlement with the plaintiffs requiring the CFPB to meet certain deadlines in carrying out the rulemaking and submit status updates.¹³⁴ Pursuant to that agreement, the CFPB issued an outline of proposals under consideration for public comment in September 2020.¹³⁵

Ombudsmen and the Appeals Process

Some observers have characterized the regulators' appeals process as one in which the regulatory agencies play the role of both reviewer and adjudicator and are unlikely to admit that a mistake had been made in the original exam. Thus, they assert that reviewers with more independence from the agencies would be better positioned to appropriately adjudicate disputes.¹³⁶ Opponents view additional ombudsmen or reviewers as redundant, as they would not have specialized knowledge of the supervisory process undertaken at each bank (which inherently involves examiner discretion on a bank-by-bank basis). Furthermore, they argue that shifting the appeals process away from the bank regulators could undermine supervisors' ability to promote banks' safety and soundness.¹³⁷

On August 21, 2020, the FDIC announced that it was requesting comments on a proposed change to its review process that aims to increase the independence of its appeals reviewers. Currently, a bank can first appeal an MSD to the appropriate FDIC division director and then to the FDIC's Supervision Appeal Review Committee (SARC). The SARC currently has three members: an inside FDIC board member and a deputy or assistant from two other inside board members.¹³⁸ The FDIC proposes to replace the SARC with an independent Office of Supervision Appeals, which would be staffed by people with experience in bank examination and supervision but not from within the FDIC.¹³⁹

Outlook for Bank Supervision Issues

Policy issues related to bank supervision are likely to remain highly visible. Because supervision produces important benefits but at a cost, there will likely always be questions about whether existing supervision is effective and efficient. In addition, many laws and regulations related to supervision are decades old, raising questions about whether, particularly in the face of technological changes in finance, these rules need updates. Against this backdrop, the COVID-19 pandemic suddenly injected a tremendous amount of uncertainty into the banking industry, and supervision will play a central role in how banks deal with the pandemic's effects. Given this, it is unsurprising that several recent and current rulemakings are aimed at amending bank supervision. It is likely, then, that Congress will continue to consider bank supervision issues.