Besides being a shock to the market, the 2023 bank failures caused many to ask whether the federal banking agencies had done enough to prevent them. Precisely what the agencies should have done, or should do moving forward, is the subject of an intense policy debate. In the wake of the recent bank failures, not only must the regulators now take effective action, they must be seen to be doing so.

To that end, they have finalized important industry guidance, like the long-awaited, harmonized, and updated interagency guidance on third-party risk management (see our previous coverage). They have also proposed a slew of far-reaching proposed regulations, from heightened capital to long-term debt requirements. These means are all very public, and banks and the market are already feeling their impact.

Not all of the agencies' tools, however, are so public—at least not usually. But a recent leak of confidential supervisory information (CSI) that named specific financial institutions and their supervisory issues raised eyebrows. CSI is confidential and the property of the federal banking agencies. It is a crime for anyone besides those agencies to disclose it. While we can't be sure it was an authorized leak from within one or more of the agencies, the public disclosure of otherwise secret information sent a clear message: heightened supervisory scrutiny is here.

With regulation, guidance, and supervision covered, enforcement could only be next. And while so much focus has been on large banks—like regional banks—with more than $100 billion in total assets, it would be a mistake to think the agencies' heightened scrutiny will be limited to banks at or above that threshold.

Consider a Kansas bank with $100 million in total assets—0.1% the size of a "large bank"—that was recently hit with an enforcement action from the Federal Reserve. The bank specializes in serving small businesses, solopreneurs, and freelancers, offering checking, high-yield savings accounts, and business debit cards. It doesn't have any subsidiaries or affiliates, other than its parent bank holding company (BHC).

The enforcement action serves as a clarion call to banks following the 2023 failures. It rattles off a laundry list of safety and soundness and good governance considerations applicable to all banks, instead of merely focusing on BSA/AML (though those issues are included too) and consumer-facing compliance issues. The order identifies the following issues:

• Staffing
• Internal controls
• Credit risk management
• Lending and credit administration
• Capital
• Information technology and information security
• Books and records
• Regulatory reporting
• Liquidity and funds management
• Earnings
• Interest rate risk management
• Third-party risk management
• Other operations deficiencies

We note a few key points:

• The order is longer and more detailed than many recent enforcement actions. It is 19 pages long and, as noted above, runs the gamut of safety and soundness and good governance issues.
• Third-party risk management is specifically called out. After a long incubation period, the federal banking agencies harmonized and finalized their expectations in this area. Banks should be particularly and sufficiently on notice that these relationships are a priority for the agencies and enforcement actions are possible, as this order demonstrates. Among other considerations, banks are expected to monitor that their vendors are complying with state and federal laws and regulations that are applicable to the bank and have processes to onboard, oversee, and terminate third-party service providers.
• Many of the compounding problems that we saw with the 2023 bank failures, such as interest rate risk management and liquidity and funds management, are also expressly mentioned. These continue to be market issues and pressing supervisory concerns. Among other elements, the Federal Reserve called for: (1) diversification of sources of funding, (2) enhanced liquidity stress test scenarios, and (3) periodic independent reviews/evaluations of the entirety of the liquidity risk management process.
• The attention to capital and liquidity is a further reminder that even though larger banks are subject to the current anti-tailoring push and more heightened requirements and scrutiny, the standards and requirements that apply to smaller banks are also critical and can be enforced, if necessary.

Many of the other issues identified are rather basic. Sufficient staffing and training, risk limits and appropriate metrics, as well as board governance, and that BHCs serve as a source of strength for banks are not particularly new issues or expectations. The fact that so many of them were mentioned all at once likely means there were sustained and/or acute deficiencies in these areas. It also serves as a rather blunt reminder of many of the key risks regulators expect bank boards and management to understand and address effectively. While the agencies can certainly address these issues in the (secretive) supervisory process, a public enforcement action further underscores their importance, for both the subject bank and the financial services industry more broadly.