Global banking watchdogs are in the midst of a major paradigm shift.
In the five years since the financial crisis, regulators focused on tough, but necessary new rules for things like capital ratios. Now they're turning their attention to the softer stuff.
Despite steadfast capital requirements and major bills like the Dodd-Frank Act, regulators acknowledge that these tough restrictions can only do so much. "Rules are not enough," as one Canadian regulator recently put it.
Even with stringent standards, a lot can still go wrong inside financial institutions. The watchdogs, as well as certain bank executives, acknowledge that they simply can't regulate everything to death. At some point the burden becomes too heavy, and even those in favour of regulation resort to checking boxes to comply with the growing list of standards.
Already there's been chatter about the importance of changing risk culture. Before he retired last month, former Bank of Nova Scotia chief executive officer Rick Waugh argued the importance of involving the chief risk officer in all key decisions, and stressed that he was trying to push risk management as a priority for bank employees at all levels.
Regulators are singing a similar tune. In a speech Monday, the Office of the Superintendent of Financial Institutions' deputy superintendent Andrew Kriegler stressed the importance of enforcing internal codes that have "more emphasis on how the institutions are managing themselves, [and] on their behaviours and attitudes."
OSFI argues that it has long held these beliefs. Even before the crisis, the regulator regularly met with institutions under its watch to sound out their strategies and risk practices, and would then work with these firms without necessarily slapping down formal rules.
But the watchdog now feels the need to publicly reiterate these values, because its global peers are listening.
One of the big items on OSFI's agenda is the adequacy of internal audit teams within big financial institutions. While the regulator sets some key rules for everyone to follow, internal audit teams keep organizations on track in between their regular checkups with OSFI.
Although many firms have beefed up internal audits since 2008, no one has really studied the effectiveness. That's now OSFI's main priority, because it strongly believes that this internal governance can send messages within firms.
One of the questions OSFI will study: "Does the entire institution have sufficient respect for not only the role internal audit plays but for the capabilities of all of its people? ... Not just executive management and the Board, who already tend to take these issues quite seriously, but also line management and professional staff — right down to the level of the trading desk being audited."