Banking Regulatory Outlook 2017

New trends in regulatory compliance

Explore the top banking regulatory trends that will impact the market—to help you navigate the year ahead.

A brief overview of the 2017 regulatory trends in banking

This publication is part of the Deloitte Center for Regulatory Strategy Americas' annual, cross-industry series on the year's top regulatory trends. The issues below provide a starting point for an important dialogue about future regulatory challenges and opportunities.

Download the full report for a deeper look at these trends.

Back to top

US elections

The regulatory implications of the 2016 presidential and congressional elections for banks are currently challenging to evaluate. Broadly, the president-elect campaigned on reducing regulations, and this emphasis continues. The prospect of regulatory reform for banks over the coming months or years has increased as policymakers reconsider past legislation or amend the scope of certain existing regulations.

Thus far, financial reform hasn’t been highlighted as one of the incoming administration’s 100-day priorities. However, the president-elect’s website has noted that the financial services policy team will work to “dismantle” Dodd-Frank and replace it with pro-growth policies.

Back to top

The new age of capital planning and stress testing

The seventh capital planning cycle since the financial downturn will start in 2017 and is now entering a new stage. For this next cycle, the Federal Reserve Board (FRB) has proposed eliminating the qualitative requirements for large, non-complex firms (LNFs)—exempting firms with less than $250 billion in assets, $10 billion in foreign exposure, and $75 billion in non-bank assets (the latter being a new criterion not seen in other rules).

The FRB continues to tailor its capital planning and stress-testing program based on size, complexity, and systemic footprint, creating a wider range of expectations for institutions to manage. Firms that continue to invest in their capital planning capabilities will be able to effectively navigate and benefit from these ongoing changes as they emerge in the years to come.

Back to top

New capital order

Banks must contend with new fundamental reform initiatives for some aspects of Basel III that are evolving into a so-called “Basel IV” capital regime. The changes are numerous and affect a wide range of capital calculations for systemic banks, injecting a mix of simplification and complexity, as well as an additional layer of conservative capital. The new standards and proposals seek to ensure that banks hold capital commensurate with their risks. But they also place even more pressure on bank business models and regulators, which in turn is creating some degree of uncertainty about the direction of Basel IV.

There are essentially two key initiatives under development or implementation:

  • One is a set of proposed changes that seek to reduce variability in the calculations of required capital that are driven not by underlying risk but by the significant differences in bank internal models upon which the calculations are based.
  • The other is a fundamental review of the trading book (FRTB), which is designed to fix gaps in the approach to assessing capital for trading risks.

FRTB was finalized by the Basel Committee on Banking Supervision, but it needs to be proposed, finalized, and implemented by each local jurisdiction, including the US, by 2019. When layered on top of several other finalized and proposed capital reform initiatives, these proposals further complicate bank efforts to pursue an appropriate business strategy under the new capital order.

Back to top

Data quality, analytics, and reporting

Regulators have increasingly made clear that they expect banking organizations—including both US bank holding companies (BHCs), as well as foreign banking organizations (FBOs) and their intermediate holding companies (IHCs)—to have the capabilities to access and provide high-quality data. Such capabilities include credible internal reporting and MIS that support regulatory reporting requirements and management information.

To meet regulatory expectations, firms should:

  • Conduct a maturity assessment of their data management capabilities
  • Document any gaps that exist in reporting requirements
  • Demonstrate a focus on continuous improvement for data via a data governance process that includes reporting functions (such as risk and finance) and also data production functions, including the front office

Back to top


The rapidly growing financial technology (fintech) market represents both a competitive threat and an opportunity for traditional banks. Fintech firms can compete directly with banks for loans, payment products, investment management, and other services. But there are also many ways for banks to adopt fintech strategies and tactics themselves, or to partner with fintech firms in order to serve their own customers better, improve risk management systems, and grow market share.

Although they still represent a relatively small share of the overall financial market, fintech firms are growing rapidly. Compared to traditional banks, fintech firms have generally demonstrated the ability to innovate in more creative ways. For example, fintech firms have developed loan origination platforms that pull information directly from customer tax records and other financial service providers, making the process faster, less burdensome, and less costly. Banks—hampered by legacy systems, processes, and culture—find rapid innovation harder to achieve.

Read our latest thinking on Fintech—The evolving Fintech regulatory environment: Preparing for the inevitable (January 9, 2017)

Back to top

Cyber threats and cyber risk

Cyber risk is not one specific risk but a group of risks that differ in many ways, including technology, attack vectors, and means. And for some criminals, it’s simply the means to a larger end.

Regulators are getting more involved and focusing on cyber risk as part of the operational risk. The New York State Department of Financial Services (DFS) issued a proposal that would require banks, insurance companies, and other DFS-regulated financial institutions to establish a cybersecurity program and comply with related requirements. These requirements would include the appointment of a chief information security officer and the submission of an annual certification to the DFS regarding compliance with the regulation. The proposal also includes prescriptive requirements, such as an annual risk assessment, annual penetration testing, and quarterly vulnerability testing.

Back to top

Resolution planning

Because the potential consequences are so severe, firms are continuing to emphasize embedding resolution planning into existing business-as-usual processes, procedures, and capabilities. As such, resolution planning isn’t just an annual compliance exercise that involves assembling and submitting a plan to regulators. Rather, it’s something organizations must constantly consider as they grow, enter new businesses, and become more complex and systemic.

Back to top

Consumer protection

The coming year may become a period of significant change for the Consumer Financial Protection Bureau (CFPB), which looks ahead to its sixth year of operation. Notably, the Financial CHOICE Act of 2016 proposes to replace the CFPB’s sole director with a bipartisan five-member commission and subject the agency to congressional appropriations.

With respect to the CFPB’s overall supervisory expectations, regulated entities (including both banks and non-banks) are expected to embed strong compliance programs into their compliance management systems (CMS), thereby reducing the chances of problems occurring—and helping to identify, escalate, and remediate problems that do arise. To better manage its CMS, a firm should consider assessing and enhancing its entire compliance infrastructure in a way that’s sustainable and repeatable.

Back to top



The year 2016 was a milestone one for the implementation of extensive liquidity requirements for foreign and domestic financial institutions, largely as part of the FRB’s final rule on EPS. The liquidity requirements apply (in varying degrees) to US BHCs and FBOs with total consolidated assets of $50 billion or more. Several other key requirements, such as the US liquidity coverage ratio (US LCR) and complex institution monitoring reporting (FR 2052a), also made important strides towards implementation.

Governance and risk management

It has been over two years since the FRB finalized its enhanced prudential standards (EPS) rule and since the OCC issued its heightened standards (HS) enforceable guidelines. However, many firms haven’t yet developed risk governance and cultural frameworks sufficient to fully meet regulatory expectations.

Over the past couple of years, regulators have reviewed the governance frameworks of the banks they supervise and have provided feedback. Through that process, certain themes have emerged as areas of regulatory emphasis. In order to meet regulatory expectations and avoid negative examination comments, it’s important that bank managers assess their frameworks with these themes in mind:

  • Demonstration that the first line of defense is assessing and managing the risks in their business line
  • Demonstration that line-of-business risk limits, thresholds, and product selections are consistent with the firm’s strategy, business planning, and risk appetite
  • Clear documentation in the second line of defense that identifies all material aggregate risks and how those risks are being managed
  • Maintenance of strong compliance, conduct, and cultural frameworks
  • Maintenance by internal audit of a complete inventory of material risks at the bank

Back to top

Outlook for foreign banking organizations

Although the July 1, 2016, compliance deadline for large FBOs to establish IHCs has passed, the long road to operationalizing run-the-bank functions has just begun. Rather than viewing the July 1 date as the “finish line,” FBOs and their IHCs should see it as mile 13 of a marathon.

FBOs must demonstrate that they can govern and manage risk for their combined US operations on a self-sufficient and sustainable basis. Ultimately, it will come down to how an FBO’s US management and US IHC board of directors work through key issues and decisions, such as business strategy, budget approvals, capital planning, and crisis management—as well as how they navigate their shareholders; their parent organizations; and the dichotomy between global consolidated efficiency and a regional, legal-entity focus.

Back to top

Credit quality concerns

After several years of a relatively benign credit environment, underwriting standards continue to loosen and concentrations have increased at a number of firms. Regulators are increasingly reminding banks to maintain their lending discipline and to avoid responding to competition by making imprudent changes in lending practices.

Although most credit indicators remain favorable, regulators have communicated that credit risk is now building in the system. FRB and OCC underwriting surveys have shown that underwriting standards are deteriorating. Credit indicators have either leveled off or are moderately deteriorating at most firms. Also, certain asset classes continue to garner regulatory scrutiny. Regulators expect enhanced and rigorous portfolio management practices designed to limit exposure to losses when the credit cycle turns. This includes portfolio stress testing and implementation of mitigation programs in areas where credit risk exceeds established risk tolerances.

Back to top

Model risk management

Although most firms have taken their past examination feedback to heart and improved their model risk management (MRM) frameworks in terms of both practice and documentation, further improvement activities are ongoing and challenging. Also, the quality of MRM functions is likely to be a focus area for IHCs undergoing the dry run of comprehensive capital analysis and review (CCAR).

Moving forward, firms need to continue building out their MRM capabilities across all three lines of defense. Key activities include:

  • Promoting an organizational culture that values effective challenge and debate
  • Ensuring budget is aligned with the steep demands across the entire model inventory, which involves much more than just stress-testing models
  • For models that couldn’t be fully validated prior to CCAR, ensuring that any required compensating controls/actions are identified and implemented

Back to top

Auto gears

Financial crimes risk

Fifteen years after the passage of the USA Patriot Act, financial crimes compliance continues to pose a substantial risk to financial institutions. The government’s focus on compliance and enforcement—augmented by more robust tools and techniques—has prompted the industry to devote substantial resources to meeting or exceeding evolving expectations.

Moving forward, institutions need to stay abreast of evolving threats posed by financial crimes—as well as government initiatives to combat such crimes—by attending industry forums and roundtables that include key stakeholders. They should also work to ensure program performance through robust governance, strong integration within an overall risk management framework, monitoring of key financial crimes metrics, and maintaining a high level of expertise and experience. Last but not least, institutions should actively look for ways to enhance compliance program efficiency while maintaining effectiveness by leveraging innovative technologies and advanced analytics.

Back to top


Look again

In today’s rapidly evolving marketplace environment, key business issues are converging with impacts felt across multiple industry sectors. What are the key trends, challenges, and opportunities that may affect your business and influence your strategy? Look for more perspectives and insights from some of Deloitte’s forward thinkers.

Discover more Industry Outlooks.

Back to top

Did you find this useful?