Why Government Shouldn’t Regulate Reputation Risk at Banks

What do payday lenders, firearms retailers, porn stars, churches, coal mines, and condom companies have in common? All have complained that regulators pressured financial institutions to close their accounts over reputation-risk concerns. Broad regulation of reputation risk does not reduce overall bank risk and unnecessarily politicizes bank regulators. Congress should prevent regulators from requiring banks to make changes when there is no other safety and soundness concern.

What Is Reputation Risk?

Financial regulators say reputation risk is the risk of negative public opinion or negative publicity. Wells Fargo, for example, hurt its reputation by opening millions of unauthorized customer accounts. Reputation is important to all businesses, but it is especially important to banks. Negative publicity can cause depositors to withdraw their money. In extreme cases, reputation risk might cause a bank run or panic. At the same time, banks have a hard time signaling that they are trustworthy. A bank’s promise to return customer money might be worthless if the bank faces financial difficulty.

Instead, banks rely partly on government regulation to bolster their reputations and attract stable deposits. The Federal Deposit Insurance Corporation (FDIC) and the National Credit Union Administration (NCUA) provide insurance, reassuring depositors that even if a bank fails, each will have deposits up to $250,000 (and possibly more) protected. Regulation also works by outlawing harmful practices and then supervising banks to make sure they comply with the law. The supervision of banks falls to both federal regulators (the Office of the Comptroller of the Currency [OCC], the Board of Governors of the Federal Reserve System, the FDIC, and the NCUA) and state regulators. In a sense, then, much of banking regulation is aimed at reputation risk. Capital rules, liquidity rules, antifraud rules, asset concentration rules, insider lending rules, and many more are partly designed to give people confidence in financial institutions.

Bank regulators began to focus more directly on reputation risk in the mid-1990s, however. For the first time, they defined reputation risk. Their definitions are now expansive. Negative publicity can be harmful “whether true or not.” Reputation risk “arises from virtually all bank products and services.” Regulators believe that activities posing reputation risk might warrant corrective action even when there is no threat of significant financial harm to the bank.

Regulatory Guidance about Reputation Risk

Once regulators defined reputation risk, it began turning up in all types of agency guidance. Regulators warn that mortgage lending, credit cards, derivatives, securitization, overdraft fees, bank-owned life insurance, and many other bank activities pose reputation risk. Rather than being in an isolated chapter, it is woven throughout the Federal Reserve’s bank examination manual, which uses the words “reputation” and “reputational” 190 times.

It is not just bank activities that concern regulators. As the FDIC explains, “any negative publicity involving [a] third party, whether or not the publicity is related to the institution’s use of the third party,” could damage the reputation of a bank. For example, the OCC warns that “[l]ending to [oil and gas] companies found or perceived by the public to be negligent in preventing environmental damage, hazardous accidents, or weak fiduciary management can damage a bank’s reputation.” New York’s financial regulator warns banks that “reputational risks . . . may arise from . . . dealing with the [National Rifle Association] or similar gun promotion organizations.”

Regulators have, at times, assured banks that this regulatory guidance is not binding. For example, when the OCC added the term reputation risk to its supervisory lexicon, it assured banks that its examiners would just monitor—not “actively supervise”—reputation risk. When payday lenders sued the FDIC complaining that reputation risk regulation caused them to lose banking relationships, the FDIC responded that its reputation risk guidance did “not impose rights or obligations” and had “no binding legal consequences.” More recently, the OCC has promised that it “does not prohibit national banks and federal savings associations from engaging in transactions and relationships that it identifies as involving greater reputation risk.”

But these assurances that regulators do not police reputation risk ring hollow. As regulators are aware, banks are repeat regulatory players. Upsetting a regulator may lead to increased regulatory scrutiny and enforcement. As a result, even if regulators assure banks that the guidance is not binding, many banks will treat the guidance as if it is the law. Moreover, regulators sometimes take enforcement action for reputation risk, thus reinforcing banks’ belief that guidance is binding.

Reputation Risk Enforcement

Of the regulatory enforcement actions addressing reputation risk, most focus on conduct that is already illegal or otherwise financially risky. For example, an enforcement action directed at a credit union’s violation of insider lending rules noted that violating the rules led to reputation risk. Similarly, a bank with inadequate underwriting and liquidity practices was told that these problems triggered reputation-risk concerns. Regulators also sometimes require that a penalized bank develop new risk management policies, including policies for managing reputation risk. In these enforcement actions, reputation risk does little work. The regulators could require the same remediation without any mention of reputation risk. Regulators do not need reputation risk to punish Wells Fargo for opening unauthorized customer accounts. That conduct was already illegal.

In some cases, however, regulators use reputation risk to target otherwise legal conduct that poses little financial risk to the bank. Investigations into Operation Choke Point show that FDIC officials, citing reputation risk, pressured banks to end relationships with payday lenders. Regulators did not think the banking relationships were illegal or financially harmful to the banks. Instead, FDIC officials were motivated by their personal beliefs that legal payday lending is “abusive,” “fundamentally wrong,” “unsavory,” and “ugly.”

Operation Choke Point is not the only example of regulatory enforcement efforts purportedly justified by reputation risk. Consider the following examples:

• In 2009 (well before Operation Choke Point), the FDIC issued a cease-and-desist order requiring the Bank of Agriculture and Commerce in Stockton, California, to end its partnership with a third-party payment processor on the basis of reputation risk concerns. The bank and the payment processor allowed consumers to receive electronic deposits of Social Security and other government payments. The payment processor held an account at the bank that received the government payments. When deposits arrived, the bank provided the consumers with checks that could be picked up at a payday lender or check casher. The FDIC’s problem with this was that sometimes the payday lender or check casher (not the bank or the payment processor) also provided short-term loans. Sometimes a consumer would use nearly the entire benefits check to repay a loans. The FDIC faulted the bank for failing to monitor the payday lenders, saying that such a failure exposed the bank to “reputational and legal risk.” Although the FDIC mentioned legal risk, the only specific “law” the FDIC cited was its own document, “Third-Party Risk: Guidance for Managing Third-Party Risk.” The cease-and-desist order does not suggest that the bank lost any money in connection with the program. The FDIC’s actions seem primarily driven by the idea that the bank’s reputation could be tarnished by doing business with a payment processor that does business with payday lenders and check cashers. The FDIC ordered the bank to “unwind its benefit payment deposit account business with [the payment processor].”
   
• According to a report from the FDIC’s Office of Inspector General, between 2008 and 2012, the FDIC used reputation risk to pressure three banks to end tax refund anticipation loans. First the FDIC sent the banks letters warning of reputation risk. Then the FDIC followed the letters with “what it termed ‘strong moral suasion’ to persuade [the] banks to stop offering [refund anticipation loans]. What began as persuasion degenerated into meetings and telephone calls where banks were abusively threatened by an FDIC attorney.” After two of the three banks had already stopped offering the loans, the FDIC further pressured the last bank by “deploying an unprecedented 400 examiners to examine [the bank and] 250 tax preparers throughout the country.” The FDIC pursued this aggressive enforcement strategy even though refund anticipation loans “were, and remain, legal activities,” and, as the FDIC’s Office of Inspector General found, there was no “significant examination-based evidence of harm” to the bank caused by the loan program.
   
• In money laundering actions, the OCC and the FDIC have ordered banks to close all accounts that pose reputation risk (not just those that are used to launder money). For example, the OCC found deficiencies in anti-money-laundering policies and practices at Pacific National Bank, a subsidiary of Ecuador’s state-owned Banco del Pacifico S.A. An enforcement order required the bank to close any customer accounts that are “detrimental to the reputation . . . of the Bank.” Although there are anti-money-laundering statutes and regulations, none requires the closure of customer accounts that pose reputation risk. This type of enforcement requires banks to take action based entirely on reputation risk and not required by any other laws.
   
• The National Rifle Association (NRA) has sued the New York Department of Financial Services, alleging that it used regulatory guidance coupled with “backroom exhortations” to convince banks to cut off all services to gun rights groups. As previously mentioned, the New York regulator issued a guidance letter warning banks of dealing with the NRA or similar gun-promotion organizations. The NRA’s complaint highlights the strident rhetoric surrounding the regulator’s release of the letter. New York Governor Andrew Cuomo stressed that he had directed the guidance, calling “gun safety . . . a top priority for every individual, company, and organization that does business across the state.” Governor Cuomo later emphasized, “The NRA is an extremist organization. I urge companies in New York State to revisit any ties they have to the NRA and consider their reputations, and responsibility to the public.” The regulator’s press release accompanying the guidance praised “businesses [that] have ended relationships with the [NRA].” Beyond these statements, the NRA believes that discovery will further illuminate regulatory enforcement efforts. The New York Department of Financial Services denies that it engaged in any “backroom exhortations” aimed at chilling the NRA’s gun rights advocacy. It claims that the guidance letter is not binding and was “plainly intended to convince companies to work towards ‘positive social change’ without threat of regulatory action.” The case has not yet reached a resolution.

These enforcement efforts may be only the tip of the iceberg. Regulators conduct most of their enforcement work behind closed doors. They visit banks and prepare examination reports, sometimes requiring banks to take corrective action. Banks, however, are legally prohibited from revealing the reports or other confidential examination information. Indeed, it took congressional investigations to uncover much of the evidence showing that the FDIC used reputation risk to choke off banking services to payday lenders and curtail tax refund anticipation loans. Regulators might be quietly using reputation risk to stop other banking activities.

The Risk of Reputation Risk Regulation

This expansive use of reputation risk is troubling. Recall that regulation acts as a partial substitute for bank reputation. Depositors trust banks in part because they trust government regulators to effectively oversee banks. That public trust in regulators depends on regulators having strong reputations for technical competence and political neutrality. Yet the foregoing examples of expansive regulation of reputation risk—particularly in the absence of other violations of law or the threat of significant financial harm—could damage the reputation of regulators as competent and impartial experts.

It is not clear that regulators are technically competent to manage reputation risk. Regulators are not likely to be good at predicting when negative publicity will lead to a loss. Each bank has a unique collection of stakeholders. What matters to the depositors, employees, or shareholders of one bank might not matter to the depositors, employees, or shareholders of another bank. Regulators spend little time gathering input from individual bank stakeholders, so they are not well positioned to evaluate or balance their preferences. Suppose, for example, that a bank wants to introduce a new account fee. It would be difficult for the bank’s regulator to determine whether the negative reputational impact from customers who don’t like the fee would be offset by reputational gains from shareholders who appreciate an increase in earnings. If regulators claim to regulate reputation risk but do a poor job of it, their reputations may suffer.

Regulators can, of course, identify industries that have frequently received public criticism. Payday lenders, gun rights groups, oil companies, and tax refund anticipation loans all have critics. But it is not clear that criticism of these industries regularly leads to material bank losses. In some cases, stakeholders may not attribute the action of the third party to the bank. In other cases, the negative impact to the bank may be offset by interest, fees, or even positive publicity from those who disagree with the critics.

Moreover, “subject to public criticism” is not a workable metric for reputation risk regulation. Any industry or third-party bank partner could at some point be perceived negatively. A restaurant might serve tainted food. An airline might have a fatal crash. A once-thought-safe product might be found to cause cancer. Banks need customers. Consequently, regulators must decide that many businesses and people with their own reputation risks do not pose significant risk to banks as customers or partners.

But when regulators’ actions reduce banking services to some controversial industries and not others—especially when there is no violation of the law or evidence of serious financial risk to the bank—regulators’ choices seem political. Regulators, for example, seem to be choosing to punish controversial gun rights groups, but not controversial abortion providers.

To be clear, though, reputation risk regulation can hurt groups of all political stripes. In the wake of Operation Choke Point, porn stars, churches, coal mines, and condom companies all thought they were being targeted by bank regulators for reasons unrelated to their financial risk. Moreover, elections might change which controversial practices or groups attract regulatory scorn. Those that escape the negative impact of reputation risk regulation today may not tomorrow.

In the end, bank reputation risk regulation may be counterproductive. If the public comes to believe that bank regulators are taking sides in political controversies and punishing political foes, even when those controversies have little financial impact on banks, the public will not trust bank regulators. This loss of trust could be far more financially devastating to banks than the reputational harm regulators warn about.

Limiting Reputation Risk Regulation

So how does society prevent regulators from expansively policing bank reputation risk?

The public examples of reputation risk enforcement demonstrate that regulators cannot be left to their own devices. Courts are also not well-positioned to constrain bank regulators. Banks have strong incentives to keep their regulators happy. Banks are likely unwilling to fight regulators over customer reputation risk when the customers impacted are small industries with whom the bank does little business. Because the bank examination process is confidential, customers (and other bank partners) who are hurt by reputation risk enforcement may never learn the reason for their banking troubles. If they do, they may not have the inclination or resources to sue.

This leaves legislation as the best avenue to restrain reputation risk regulation. In 2017, the US House of Representatives passed a bill providing that bank regulators “may not formally or informally request or order a depository institution to terminate a specific customer account or group of customer accounts . . . unless the agency has a valid reason for such request or order and such reason is not based solely on reputation risk.” The bill also included measures designed to strengthen oversight of regulatory action involving third parties. It required regulators to provide banks with the legal justification for account closures and required that banks relay that information to the affected customers. Thus, customers would have notice of the regulatory action affecting them. Finally, the bill required regulators to annually report to Congress the number of customer accounts the regulator requested be closed and the legal authority for the requests. Although the bill had broad bipartisan support in the House, it never received a vote in the Senate. Some lawmakers may have lost interest in the measure after regulators repeatedly assured them that Operation Choke Point had ended and would not be resumed.

Reform for reputation risk regulation should not depend on the status of Operation Choke Point. Operation Choke Point is not the only time regulators have required action based on reputation risk alone. Indeed, regulators have taken enforcement action on the basis of reputation risk even while stating that they do not do so. Operation Choke Point was not the anomalous result of overzealous regulators with a particular disdain for payday lending. It was a natural outgrowth of a regulatory structure that sees reputation risk everywhere. It is the outgrowth of a definition of reputation risk that regulates in response to any negative publicity, whether it has any basis or not. And it is an outgrowth of a system where regulators insist that they have power to regulate even when there is little evidence of a risk of serious financial harm. At best, the current reputation risk framework encourages regulators to regulate banks on the basis of regulators’ uncertain forecasts of negative publicity. At worst, it provides regulators cover for implementing their own political agenda unrelated to the safety or soundness of banks. Congress should restrict regulators’ ability to enforce regulations based on reputation risk.