Lessons from the pandemic for financial regulation and supervision
Your Excellencies, distinguished guests, regulatory and supervisory colleagues,
Thank you for the invitation to join you for this important event, jointly sponsored by the Arab Monetary Fund, Financial Stability Institute, Bank for International Settlements and the Basel Committee on Banking Supervision. It is an honour to have been asked to make a keynote address this afternoon.
I have been asked to speak on the lessons from the pandemic for regulating and supervising a post-COVID banking system. When I was reflecting on what to say today, it occurred to me that it was in some ways a brave topic to take on, because it implies a sense that the pandemic is behind us. With the emergence of the omicron variant in the past month, I am certain that’s not the case. When it comes to the pandemic, perhaps the best we can hope for at this stage is that we have seen the worst of it.
Thinking about a post-COVID world, though, is essential. The pandemic will produce enduring change to many aspects of the way society operates – and the financial system will not be spared that change. I think we have seen enough to know that post-COVID will not be the same as pre-COVID. But just how things evolve from here – much like the virus itself – is still a bit of a mystery.
So, with the recognition that there may be more to learn before we draw up the definitive list of lessons, let me at least offer a few thoughts on some important lessons so far.
Lesson 1: A strong foundation is essential
The first lesson is a statement of the obvious, but one that always bears repeating: preserving a strong and resilient financial system in good times is valuable insurance for when a crisis hits.
The global economy took a severe hit as COVID-19 spread rapidly around the world in the early months of 2020, shutting businesses, confining residents to their homes, and leaving millions globally with reduced hours of employment or no job at all. The simultaneous contraction of supply and demand, and the speed with which it has occurred, was rightly described as unprecedented in our working lives.
A bad situation would have become dramatically worse were a major financial institution to find itself under severe stress or possibly facing failure. Thankfully, that did not eventuate, and the post-2008 Basel reforms no doubt made a major contribution to that outcome1. Banking systems, with the aid of central bank and government support packages, were not only well placed to ride out the financial market volatility when the virus first struck, but could also play their role in channelling that public sector support to the broader economy by continuing to provide credit to new borrowers, as well as offer loan concessions to existing borrowers who needed help.
It was a useful reminder, if one was needed, that building strength and resilience – both financial and operational – in good times is always a very wise investment. Whatever the post-COVID world looks like, it is unlikely to be one in which a stable and resilient financial system is not an essential prerequisite to ongoing economic prosperity.
Lesson 2: Be prepared for the unexpected
The second lesson is another fairly obvious one: be prepared for the unexpected. The arrival of COVID-19 at the beginning of 2020 was certainly unexpected – of all the potential vulnerabilities that risk managers and financial supervisors were thinking about in the second half of 2019, a pandemic would not have been high on the list. But with SARS in 2003, H1N1 (swine flu) in 2009, and MERS in 2013, the sudden emergence of a dangerous and disruptive virus was certainly well within the realms of possibility.
So, there was no excuse for not having some form of contingency planning in place for such an eventuality. In Australia, we have had prudential guidance on pandemic planning for more than a decade2, and it has certainly proved its worth. Building on the lessons from those earlier viruses, the guidance helped ensure financial institutions had business continuity plans that were tailored to a pandemic-style event. It also provided a ready framework for our supervisors to engage with regulated firms, to understand and assess their capabilities and readiness to handle disruption, and to quickly identify risks and exposures that may not be being well handled. The lessons we learnt in handling this disruption should strengthen contingency planning into the future, regardless of the direction from which the next unexpected stress event comes.
Lesson 3: Third-party suppliers are increasingly critical to operational resilience
My third lesson relates to the need to better understand operational resilience, and particularly the potential vulnerabilities that emerge from third-party relationships.
COVID-19 has been a real-world stress test of operational risk management. The good news is the financial sector has come through it fairly well so far: financial services have, on the whole, been provided pretty seamlessly despite the disruption COVID-19 caused. That said, that outcome required, at times, a scramble behind the scenes to find urgent responses to unexpected issues. Sometimes, short cuts and control over-rides were necessary, creating new risks. It is essential those gaps are registered and rectified as quickly as possible.
Often, the biggest vulnerabilities in financial firms’ systems and processes were found in third party partners and suppliers (and sometimes triggered by vulnerabilities in the suppliers to the suppliers). That adds another layer of complexity to the task of financial supervisors, given the limits of our regulatory reach. When these suppliers are essential for the provision of critical functions, as is increasingly the case, financial supervisors need to think harder about how to gain assurance as to their robustness. That is especially the case where the third party is a critical supplier to multiple firms – that is, it can itself be a source of concentration risk within the system. Indeed, we can increasingly see the emergence of a new class of systemically important institution: that of the systemically important provider (or SIP). And of course, a number of providers may not just be a source of concentration risk domestically, but internationally as well (or, if you like, a G-SIP).
With all of this in mind, a key project for APRA over 2022 will be to review our current (but pre-pandemic) prudential requirements for operational risk management, service provision and business continuity. There have been a lot of lessons over the past couple of years, and having built a financially resilient financial system, we need to make sure there is operational resilience to match. Internationally, standard-setters like the Basel Committee could assist by devoting serious thought to how to best coordinate the supervisory assessment of the global SIPs, since a decentralised national approach is unlikely to be efficient or effective.
Lesson 4: The value of data and transparency
My fourth lesson is on the value of good quality data and transparency.
COVID-19 disrupted many models of supervision, especially those that were highly dependent on traditional forms of regular and intensive on-site supervision. Lockdowns meant such activity, and many other traditional forms of in-person supervisory interaction, could not occur. New models of assessment were needed.
Many supervisors have been investing to become more data-driven organisations. The pandemic only reinforced the importance of that investment, driving us all towards greater use of data analytics as a basis for risk-based supervision. For financial risks, supervisors have sought additional, more granular data. Stress testing programs have become considerably more sophisticated, both in terms of the scenarios being applied and the depth of analysis undertaken. But probably the biggest advances, and greatest scope for new insights, have been the increasing use of data, and techniques such as machine learning, to assess non financial risks: that is, new analytical approaches that provide insights into operational risk, cyber security, and even risk culture.
As we shift into the post-COVID world, I very much doubt we will find that the traditional on-site inspection has become redundant. Nor will data replace the need for experienced supervisory judgement. Both will continue to play fundamental roles in the art of prudential supervision. But ideally we will have better data to inform risk-based decision making, helping alert us to emerging risks and enabling us to establish sharper supervisory programs that deploy scarce supervisory skills and experience in a more targeted manner.
Alongside data for supervisors, COVID-19 also reminded us the importance of good data for financial markets. Markets depend on information, especially in times of crisis. We do not need analysts, investors or rating agencies to over-estimate the size of the problem by assuming the worst in the absence of information – they will tend to run first and ask questions later.
In Australia, we were conscious of this risk when banks began granting widespread repayment deferrals to their customers. We made the decision – without knowing what the final picture would look like – that it was best that the size of these concessions were known. So, we began publishing the data for each bank monthly. This step was important in assuring markets that there were no ‘hidden surprises’ lurking in banks’ books. Our underlying confidence in the strength of the banking system (see Lesson 1) meant that we could in turn be confident such transparency would help, rather than harm, the industry.
Lesson 5: Have the courage to act counter-cyclically
Lesson five relates to the willingness and ability to act counter-cyclically in bad times.
Exercising caution by building and preserving financial reserves in good times comes naturally to prudential supervisors. The more difficult task is to let those reserves be used in times of stress. Yet capital buffers are not buffers if they can’t be used to absorb losses. Liquidity is not liquid if it can’t be used in the face of funding strains. Allowing regulatory ratios to decline in times of stress can help prevent regulatory requirements from inhibiting the flow of finance and thereby amplifying the shock being experienced.
The Basel framework has been designed to work this way. Indeed, one of the most important messages from the Basel Committee in the early stages of the crisis was for national authorities to take advantage of the inbuilt flexibility in the framework.3
Nonetheless, watching capital and liquidity ratios decline can be unnerving for a supervisor who has been trained to think that the higher the ratios, the better. Especially when no one really knows where the bottom will be, it takes a degree of courage to not just watch, but also explicitly encourage, capital and liquidity to be consumed.
We therefore need to find ways to replace courage with confidence. Having good stress testing capability is one such way, as it helps supervisors understand the potential impact of shocks, and the magnitude of the erosion of capital that could occur under various scenarios. So is having flexibility – especially in the form of macroprudential-type tools – built into the prudential framework. These can be very effective in helping financial firms and markets understand the supportive impact of regulatory adjustments – and sometimes, the signalling effect can be more impactful than the size or specifics of the regulatory change itself.
Lesson 6: Don’t lose sight of bigger trends
My last lesson is perhaps more of a note of caution: that while crises such as COVID-19 demand our attention, they do not necessarily stop other disruptive changes from sweeping through the financial system. Technology, digitisation and new forms of finance have evolved considerably while we have had ‘all hands to the pump’ responding to the pandemic. Indeed, in many ways COVID-19 turbo-charged the digital shift already underway (retail payments being a particular case in point).
It goes without saying that innovation in financial services is occurring rapidly. Innovative new products and services are being constantly developed – sometimes with a robust business case and sound economics; sometimes not. Acronyms such as DLT, DeFi and DAO are now part of our lexicon.4 At least in my part of the world, consumers seem willing to embrace new ways of doing things. Whether they all understand and accept they are doing some of those things without the usual safety nets remains to be seen.
Hopefully, we will at some stage be able to put COVID-19 behind us. The digitisation of finance, though, will persist. That is not to say every innovation we see today will succeed, or that developments that are sometimes seen to be existential threats to today’s financial institutions will prove to be just that. But there seems little doubt that the regulatory perimeter will need to be revisited; that policy will need to be revised; and that new supervisory tools and techniques will need to be developed to deal with new players and products that challenge the conventional ways financial business has been conducted.5
Regulation rarely keeps pace with the leading edge of innovation (and nor should it be expected to): more typically, the regulatory frameworks and supervisory methods we use today are a product of the financial institutions of yesterday. That may not be too concerning if the pace of change is relatively sedate. But the pace of change today seems extremely rapid. So, I’ll conclude by emphasising that, as important as it is that we continue to support our financial systems, economies and communities through the cost and disruption that COVID-19 has created, we can’t allow it to cause us to fall any further behind the rapid change in the structure of the financial system that is occurring at the same time.
1 In Australia, the Basel reforms were supplemented by a domestic strategy to ensure bank capital ratios were unquestionably strong. As a result, the CET1 capital ratio of the banking system was above 11 per cent during 2019 (roughly 16 per cent on an internationally comparable basis). Going into the Global Financial Crisis, the equivalent ratio would have been roughly half that.
2 See APRA Prudential Practice Guide CPG 233 – Pandemic Planning.
3 Some jurisdictions were better placed to do this than others: for example, those who had explicitly set a counter-cyclical capital buffer (CCyB) above zero were much more effective, when they publicly reduced that requirement, in signalling their approval for buffers to be used.
4 Distributed ledger technology (DLT), decentralised finance (DeFi) and distributed autonomous organisation (DAO).