Recently, several U.S. senators asked the banking agencies to state whether supervisory guidance has the force of law or not. In other words, are banks required to follow supervisory guidance in the same way they are required to follow laws and regulations?
In an “Interagency Statement Clarifying the Role of Supervisory Guidance” issued in September, regulators confirmed that banks are not legally bound to follow supervisory guidance. They also clarified that examiners will not criticize a bank for a “violation of law” if it does not follow guidance. But this isn’t really a “free pass” to ignore all regulatory guidance. Banks would be wise to continue considering regulatory guidance carefully, as explained below.
The same Interagency Statement cautions bankers that avoiding a technical “violation of law” is not the only issue to be concerned about. Citing a bank for a “violation of law” is only one of the approaches that examiners have available in their arsenal to call out serious deficiencies and to compel corrective action. The Interagency Statement reminds banks that “unsafe or unsound practices” and “deficiencies in risk management” are two additional important grounds for criticism. Both are based on the unsatisfactory conditions that result and do not require that any specific legally binding law or regulation has been violated. In other words, banks that ignore the suggestions regulators provide in guidance (and do not develop similarly effective alternatives of their own) can still be subject to serious regulatory criticism.
The Interagency Statement explains that when a bank is cited for any type of enforceable condition, regulators often refer to supervisory guidance “to provide examples of safe and sound conduct, appropriate consumer protection and risk management practices, and ... compliance with laws and regulations.” Ironically, the steps that regulators may require a bank to follow to make regulatory criticisms go away may look just like the “non-binding” supervisory guidance that a bank didn’t pay attention to previously. In the long run, it’s just safer, better, and more effective for a bank to work to comply with supervisory guidance.
Using information security as one example, banks should work to develop and continue to update “best practices,” including following principles and examples outlined in regulatory guidance. Any bank simply puts itself in a better position for compliance success if it carefully follows what is recommended in regulatory guidance — particularly in higher-risk and complex areas. Regulatory guidance is like a “safe harbor,” and a bank carefully following what the regulators suggest will probably avoid any serious regulatory criticisms for those matters.