Why Regulatory Compliance Works
He expounded upon how laws such as Gramm-Leach-Bliley and Sarbanes-Oxley did very little to address the problems they were intended to fix. That they generated extra work and produced little if any meaningful results. And on and on he went until I eventually had to end the conversation and return to work (meaningful or not, I had reports to issue).
Later in the day I returned to thinking about the conversation and why it bothered me. Fundamentally I disagreed with him. I knew it at the time, but hadn't really thought it through. I've been working in and around compliance for quite a long time and have intersected at some point with every regulation swirling about. I can pull out my soapbox and deliver dissertations on all of them without hesitation (and often do). However, I've grown fond of saying that with regards to GLBA and the related laws governing banks and credit unions, I've found a domain I can call home. Unlike most of the others I've worked on, these make sense, and I genuinely believe that they make a difference.
If government intervention is required to solve the problem, it should also be allowed to help ensure it doesn't happen again.
Our clients come in all shapes and sizes. Some are in the magic quadrant of regulatory compliance (they do the right things and have it sufficiently documented); some are in the scary quadrant (they have little or no documentation and fail to do much of what's necessary); and the majority are somewhere in the middle. However, what they do and how they do it directly impact the degree of risk to which they expose their account holders. For the magic quadrant institution, it would take a criminal genius to figure out how to gain unauthorized access to sensitive data. The network perimeter is secure, system access is closely monitored, the network is well-maintained, hardcopy data is never left exposed, and they're vigilant. The scary quadrant institution unlocks the door to the branch each business day and pretty much cedes control of their infrastructure to almost anyone who enters at that point. No kidding, I had one client where I accessed their network through a wireless router and gained access to spreadsheets on a shared drive that contained customer names and addresses. The IT manager had disabled the security feature a week earlier to diagnose a problem, and never turned it back on. But in either quadrant there's a real and direct impact on risk: Compliance equates to secure; non-compliance equates to exposure.
That's why I retain my confidence in the regulatory system. Banks were allowed to either issue or purchase loans that simply didn't make sense and likely shouldn't have been allowed (black hole quadrant?). At some level there should have been rules by which examiners could've assessed the situation, identified there was a problem and required remedial steps be taken. And I'm not talking about things like liquidity or due diligence -- those are already regulated. I'm talking about having in place rules by which examiners can assess the institution's ability to make sound decisions based upon the required activities.
I know there are people out there who think that whatever regulatory actions result will inhibit free market concepts, and see it as a bad thing. Some, such as my colleague, may even feel that it's ineffective. But if government intervention is required to solve the problem, it should also be allowed to help ensure it doesn't happen again. And if the FDIC and its counterparts maintain the same approach they've used thus far, I (continue to) have faith that it will have a real and direct impact on risk. Compliance equates to stability; non-compliance equates to instability.