Good afternoon, I'd like to begin by thanking the event organizers, including our staff at the Chicago Federal Reserve Bank, the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency, and the Conference of State Bank Supervisors for inviting me to share my thoughts with you at the 18th Annual Community Bankers Symposium.1 I always enjoy the opportunity to speak to bankers across the country and share perspectives on the issues facing the banking and financial system, especially when it's related to community banks.
Banks are a critical component of the U.S. economy.2 Their work often extends well beyond the provision of credit— providing services and volunteer and financial support within their community. Among many things, banks offer financial education, sponsorships and funding for community programs and events. Without question, community banks are important and integral to the local economy.
But community banks also face challenges that require proactive risk management, effective and efficient prioritization of compliance resources, and the need to innovate. Today, I would like to briefly highlight some of the issues banks are facing and discuss ways that community banks and regulators can more effectively work together in the future.
The Challenges Facing Community Banks
As this audience knows well, community banks face a number of challenges. They often rely on third-party service providers to offer products and services to their customers. It may be more difficult for them to hire and retain qualified staff or plan for future leadership with management succession planning. Given limited staffing, they may be overwhelmed by the recent onslaught of new regulations and guidance. And in light of all of this, it may be challenging to prioritize resources in order to appropriately focus on the most important risks facing their businesses. While the headwinds may seem overwhelming, community banks are always resilient in the face of change.
Often, one of the greatest challenges facing a community bank is not about managing any particular risk but rather how to address all of the risks they face—and how to prioritize the approach to address each of those risks. Regulators have, at times, exacerbated these challenges through policy choices. The risk of mis-prioritization is not limited to community banks. In my mind, this was most recently evident in the events and supervision leading to the failure of Silicon Valley Bank. Management failed to address growing interest rate risk and funding risks, and supervisors failed to prioritize and escalate these issues. Our goal should be to identify, understand, and learn from these past mistakes, and to avoid repeating them.
Both regulators and banks should be working toward a common goal—a banking system that supports economic activity throughout the country, in which banks operate in a safe and sound manner and in compliance with consumer laws and regulations. In considering the challenges facing community banks, both regulators and banks have an important role to play.
Competition
Community banks face competitive pressures from many sources. These pressures may result from local or regional economic conditions, the needs of retail and business customers, and the products and services available in the market. Competitors can take the form of traditional banks, internet banks, and non-banks like fin-techs and mortgage companies. While fin-tech partnerships can be beneficial to both the customer and the bank, if the relationship is not managed according to safe and sound banking principles, serious problems can result. When deposits are accepted through fin-tech relationships but not handled appropriately, deposit insurance can be jeopardized and the ability to access deposited funds may be impacted.3
Competition can also come from other local competitors like credit unions, large banks with a broader operational footprint, payday lenders, or other nonbank credit sources. As bank customers grow increasingly comfortable and familiar with new mechanisms for doing business, the use of online banking has continued to expand. This has tended to increase the footprint of non-local banks or lenders, enabling them to effectively compete for business outside of their geographic area. Even against this backdrop, research shows that community banks have maintained an important role in many banking markets, including in small- and medium-sized business lending.4
The regulatory framework establishes expectations for how community banks can compete, and often creates an unlevel playing field with many of these competitors. This includes whether they are subject to the same regulation as banks that engage in the same activities and how competition is evaluated.
A core concept in financial regulation is to impose the same regulation—and I suggest we expand this to include the same regulation, guidance, and supervisory expectations—on entities that are engaged in the same activities. Banks compete against many non-bank providers, including financial technology firms, credit unions, and other non-bank lenders. In some of these head-to-head competitions, community banks face distinct disadvantages that can pose challenges when competing for the same banking opportunities. For example, banks are subject to taxes and additional regulatory requirements (including the Community Reinvestment Act). They are also subject to a broader range of restrictions imposed by regulatory requirements or the "soft" power of supervision. In all of these cases, the disparity in the legal framework can have a distortive effect on competition. In short, where the financial regulatory framework can provide for parity of treatment, it should do so. The regulatory framework should not knowingly distort competition, or effectively impose a regulatory allocation of credit.
The framework also plays an important role in assessing competition among banks. The mergers and acquisitions (M&A) approval process can have a disproportionate impact on community banks because the "screens" that are used to evaluate the competitive effects of a proposed merger often result in a finding that M&A transactions in rural markets can have an adverse effect on competition and should therefore be disallowed.5 Even when these transactions are eventually approved, the mechanical approach to analyzing competitive effects—which is grounded in the effect of proposed transactions on the control of deposits within individual banking markets—often requires additional review or analysis, and can lead to delays in the regulatory approval process.
Cybersecurity
Community banks often note cybersecurity and third-party risk management as areas that raise significant concerns. Cyber-related events, including ransomware attacks and business email compromises, are costly and time-consuming experiences, and they pose unique challenges for community banks. For example, the maintenance of and the technology resources required to support a successful cybersecurity program are often difficult for smaller banks. Regulators can promote cybersecurity, and stronger cyber-incident "resilience" and response capabilities by identifying resources and opportunities for banks to develop "muscle memory" in cyber incident response.
Recent incidents, like the Crowdstrike-related outage, have highlighted the heavy dependence many banks have on technology, third-party providers, and the broader supply chain. In the current risk environment, it is important for banks of all sizes to implement sound operational resilience, cybersecurity, and third-party risk-management practices. One important resource for community banks is the Federal Financial Institutions Examination Council (FFIEC) website, which includes the FFIEC Cybersecurity Resource Guide and links to other external cybersecurity resources.
The Federal Reserve plays an important role in supervising banks and supporting risk management practices. For example, the Federal Reserve hosts the Midwest Cyber Workshop, with the Federal Reserve Banks of Chicago, Kansas City, and St. Louis.6 Over the past two years, this workshop has provided a forum to further cyber risk discussions among community bankers, regulators, law enforcement, and other industry stakeholders. Today's Symposium also includes an interactive cyber workshop, during which participants will participate in a cyber exercise, working through the various decisions that would be required in responding to a hypothetical cyberattack.7
We know well that cyber threats pose real risks to the banking system. We also recognize that community banks may have unique needs in preventing, remediating, and responding to cyber threats. Therefore, regulators should ensure that a range of resources are available to support community banks and seek further opportunities to help build community bank resilience against these threats.
Third-Party Risk Management
Third-party risk management can pose an additional challenge for community banks. Due to their size and scale, community banks often leverage centralized resources—technical experts who have greater expertise than the bank could fully maintain on staff—to advise and assist on a range of issues. Often these third-party service providers are significantly larger, and their bank clients—including smaller banks—may lack leverage in conducting due diligence and negotiating the terms of the relationship.
In 2023, the federal banking agencies published supervisory guidance addressing third-party risk management, which was expressly applicable to community banks. As I noted at the time it was issued, the guidance included shortcomings that were known and identified but not addressed in advance.8
What many of you may not know is that after nearly a year from the original publication, the regulators published a guide to assist community banks interpret and apply the guidance to their third-party risk management activities. The guide was intended to provide additional context for the guidance—including step-by-step examples of how to address third-party risk management—making the guidance more useful. While I am pleased that the community bank implementation guide was eventually published, the delays in its publication suggest a shortcoming in our regulatory approach. We must ensure new guidance provides clarity to regulated firms on its own, or that we provide additional resources at the time the guidance is published.
Consumer Compliance
Like third-party risk management, consumer compliance can be another area that may present challenges to community banks given their size and scale. An effective and well-run consumer compliance program balances consumer protection with the complexity and cost to establish a robust compliance management program. One challenge for community banks is the difficulty in retaining qualified consumer compliance experts. Notwithstanding these challenges, community banks devote significant time and resources to their consumer compliance risk management programs. Compliance with consumer protection laws and regulations, including fair lending laws, is essential to ensuring that the banking system provides fair and broad access to credit and financial services.
Community banks take these responsibilities seriously, and the overwhelming majority of banks that we supervise invest in strong compliance management systems to prevent violations and detect problems before they occur. When consumer compliance concerns arise, banks address them by making their customers whole and adopting the necessary changes to ensure that issues do not persist or reoccur. In a very small subset of cases, banks fall short of their obligations, and we hold those institutions accountable through enforcement actions or other supervisory actions.
The Federal Reserve's consumer compliance supervision program is risk-focused and tailored to a bank's compliance risk, focused on the activities that present the greatest risk. One example related to third-party risk management is our recent system supervisory focus on consumer compliance risks associated with fin-tech relationships. As a result of this work, our supervisors seek to identify the parties to relationships that pose the greatest risk of consumer harm. This effort promotes our understanding of higher risk fin-tech partners across the Federal Reserve System, and helps supervisors proactively identify relationships that pose greater risk of consumer harm.
Other Core Risks
There are a number of "core" risks that are essential for bank management to address. These "core" risks—including funding, liquidity and credit risk—should already be integrated into management priorities, since they pose the greatest threats to a bank's operations.
Focusing on core risks is second nature for community banks. In contrast, supervision can be susceptible to diversion from core to non-core risks leading supervisors to neglect the build-up of traditional risk. Diverting resources to non-core risks can often leave a bank vulnerable, especially when regulators direct banks to allocate resources in other ways, whether by regulation, guidance, or through supervisory expectations.
Mitigating Risks to Community Banks
The design of regulation, guidance, and supervisory approach regulators rely upon for community banks—and the intentional policy choices that underpin this framework—are important for ensuring their effectiveness in supporting the safety and soundness of the banking system. These design choices can enable community banks to operate successfully while mitigating risks, leveraging tailoring, transparency, and consistency across institutions.9 I have spoken at length about these themes in the past, but I would like to reiterate just a few of the critical elements of a regulatory agenda that will allow community banks to thrive in the future:
- First, we need to revisit size thresholds over time as inflation and economic growth slowly erode our regulatory categories. The bank regulatory framework is built largely upon asset-based size thresholds, and these thresholds should reflect a deliberate policy choice. But, over time, these fixed thresholds effectively result in more firms being "scoped in" to higher compliance tiers over time, even when there has been no change in a bank's underlying risk profile.10
- We need to have a regulatory system in which M&A transactions and de novo bank formations are possible for banks, not one in which regulatory approval requirements are used to impose additional (and extra-regulatory) requirements on firms.11 Viable formation and merger options for banks of all sizes are necessary to avoid creating a "barbell" of the very largest and very smallest banks in the banking system, with the number of community banks continuing to erode over time. Left unchecked, an applications process that imposes additional costs and delays on healthy and appropriate banking transactions will result in a reduction in available credit and services, an increase in the number of unbanked or underbanked communities, and economic harm.
- We should prioritize direct experience in our regulatory efforts, giving greater voice and opportunities for input from policymakers with banking or state supervisory experience currently at the Federal banking agencies, and by soliciting and accepting feedback from our state banking counterparts. Greater coordination and participation by a wider set of policymakers in regulatory reform efforts would bring several benefits. For example, discussion of competing ideas and compromise in the drafting of regulatory proposals often results in a more moderate approach, reducing dramatic swings of the regulatory pendulum. And in many instances, we can better anticipate the unintended consequences of reform proposals if policymakers engage in good faith discussions and coordination of these efforts.
- While regulatory reform brings many benefits, we should also shift our mindset to focus on the tradeoffs of regulation, guidance, and supervision. Changes to the regulatory framework often yield benefits in terms of greater visibility into the workings of the banking system, additional capital that can absorb losses and promote financial resiliency, and more conservative risk-management standards for interest rate risk and funding risk. But we need to evaluate not only the benefits of proposals but also the costs and unintended consequences. How will banks adjust their activities in response? Will they raise prices on lending activities or for other banking products or services? Will they exit certain low-margin businesses, resulting in greater concentration and increased financial stability risk? By considering the cumulative burden, we can better address and acknowledge these concerns.
- And finally, we must incorporate "tailoring"—calibrating the regulatory framework based on the size and complexity of banks' activities—as a required input for regulatory consideration. Tailoring helps us to better allocate finite resources both in banks and among regulators and helps us avoid threatening the long-term viability of community banks by simply adding to the mass of existing regulations, guidance, and other supervisory material. We simply cannot ignore the "cumulative" or "compounding" effect of increasing the complexity of the regulatory framework and we must make room in our reform agenda for the unglamorous work of "maintenance" in promoting an efficient framework.
By no means is this proposal for regulatory reform exhaustive, but these critical components must be integrated into our future approach to ensure a diverse banking system for the future.
Closing Thoughts
Thank you for the opportunity to speak to you today, and for your commitment to community banking. You serve a critical role within the banking system, and in support of the U.S. economy. Your work to leverage the power of the community banking model enables you to serve your customers, promote financial inclusion and expand access to banking services. But policymakers have an important responsibility to make sure that the community banking model remains viable into the future. To function effectively, the banking system requires the presence of banks of all sizes—larger, regional, and community banks. This diversity of our financial institutions is the greatest strength of our banking system, and it can easily be imperiled by insufficiently targeted regulation, supervision, and guidance.
1. These remarks represent my own views and are not necessarily those of my colleagues on the Federal Reserve Board or the Federal Open Market Committee.
2. See Michelle W. Bowman, "Building a Community Banking Framework for the Future (PDF)" (speech at the Federal Reserve Bank of St. Louis Community Banking Research Conference, St. Louis, MO, October 2, 2024).
3. See, e.g., Board of Governors of the Federal Reserve System, Arkansas State Bank Department, "In the Matter of Evolve Bancorp, Inc. and Evolve Bank & Trust, Cease and Desist Order (PDF)," news release, June 11, 2024.
4. Allen N. Berger, Nathan H. Miller, Mitchell A. Petersen, Raghuram G. Rajan, and Jeremy C. Stein, "Does Function Follow Organizational Form? Evidence from the Lending Practices of Large and Small Banks (PDF)," National Bureau of Economic Research, Working Paper 8752 (Cambridge, MA: National Bureau of Economic Research, February 2002).
5. Michelle W. Bowman, "The Role of Research, Data, and Analysis in Banking Reforms (PDF)" (speech at the 2023 Community Banking Research Conference, St. Louis, MO, October 4, 2023); Michelle W. Bowman, "The New Landscape for Banking Competition (PDF)," (speech at the 2022 Community Banking Research Conference, St. Louis, MO, September 28, 2022).
6. See Federal Reserve Bank of Chicago, Federal Reserve Bank of St. Louis, and Federal Reserve Bank of Kansas City, Midwest Cyber Workshop 2024 (June 25‑26, 2024).
7. Federal Reserve Bank of Chicago, Community Bankers Symposium (October 11, 2024).
8. Michelle W. Bowman, "Defining a Bank (PDF)" (Speech to the American Bankers Association 2024 Conference for Community Bankers, San Antonio, TX, February 12, 2024); Statement by Governor Michelle W. Bowman, "Third-Party Risk-Management Guidance," news release, June 6, 2023 ("...Federal Reserve regional bank supervisors have indicated that we should provide additional resources for community banks upon implementation to provide appropriate expectations and ensure that small banks understand and can effectively use the guidance to inform their third-party risk management processes…I am disappointed that the agencies failed to make the upfront investment to reduce unnecessary confusion and burden on community banks").
9. See Michelle W. Bowman, "Building a Community Banking Framework for the Future (PDF)" (speech at the Federal Reserve Bank of St. Louis Community Banking Research Conference, St. Louis, Missouri, October 2, 2024).
10. See, e.g., Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, and Office of the Comptroller of the Currency, "Regulatory Capital Rule: Large Banking Organizations and Banking Organizations with Significant Trading Activity," 88 Fed. Reg. 64,028, 64,095 (September 18, 2023) ("[t]o reflect inflation since 1996 and growth in the capital markets, the agencies are proposing to increase the trading activity dollar threshold [applicable to the market risk rule] from $1 billion to $5 billion.").
11. FDIC, "Final Statement of Policy on Bank Merger Transactions (PDF)," (September 17, 2024).