As the Regulatory Winds Shift Again, Some Considerations for Bank Leaders

Federal bank regulation has existed in the United States since the Office of the Comptroller of the Currency (OCC) was created during the Civil War. Since that time, regulatory rigor has waxed and waned between the desire for financial market stability, safety, and soundness, and the drive for economic growth and corporate freedom of action.  

In the late 20th century, the need for larger and more globally competitive banks led to 1999’s Gramm-Leach-Bliley Act (GLBA), which functionally eliminated the Depression-era Glass-Steagall Act. Over the next two decades, the GLBA enabled mergers and acquisitions between commercial banks, investment banks, securities firms, and insurance companies. The rapid growth ended with a sharp economic downturn, the 2007 Great Recession, and the creation of the Dodd-Frank Wall Street Reform and Consumer Protection Act, passed in 2010. The Dodd-Frank Act covered 16 areas of reform, strengthened the Volcker Rule, and established additional oversight and accountability designed to prevent another government bailout through stricter regulation. This period of elevated regulation ended with President Donald Trump’s Executive Order 13771, Reducing Regulation and Controlling Regulatory Costs, in 2017. During the Biden administration, banking regulation focused on maintaining banking system resilience post-pandemic and the surprise failure of a handful of banks. 

The banking sector generally welcomes a more relaxed regulatory environment. While the size and complexity of the risk management framework employed by U.S. financial institutions should respond to financial and nonfinancial/operational risk, regulatory expectations also play a significant role. Practically speaking, modifying risk management practices to accommodate a changing regulatory environment is inevitable and necessary. 

Within the last decade, most financial institutions used a three lines of defense (LOD) model. The LOD concept was first introduced by the UK’s Financial Services Authority (FSA) in January 2011. The Institute of Internal Auditors (IIA) published a position paper to further promote the model in 2013. The first line, also referred to as the business line, is embedded in individual business areas. The second line is typically independent risk management. Internal audit is the third line. Each line has unique responsibilities in fulfilling the organization’s risk management strategy. For instance, aside from its product and service delivery and essential operational functions, the first line identifies risk embedded in business activities and suggests and implements controls to mitigate exposure to unwanted risk or to a greater degree of risk than intended. The second line is responsible for risk oversight of the first line. Internal audit oversees both the first and second lines to ensure overall risk management effectiveness. 

As part of Wall Street reform, the OCC defined the roles and responsibilities of the lines of defense model in 2014 guidance. This clarification helped strengthen governance and risk management practices in large financial institutions. Over the next few years, larger banks made significant investments in establishing independent risk management functions. During the initial deployment of the second line of defense, the majority of independent risk management leaders and staffers came from the business line. Their substantial amount of hands-on practice and in-depth knowledge of products and processes enabled independent risk management to properly identify and effectively communicate issues. As a result, the banking sector witnessed positive changes with more robust enterprise-wide risk governance.  

Meanwhile, the rigor and depth of regulatory activity prompted an industry-wide outcry on increased expenses and duplicative requirements. As the U.S. economy recovered from the Great Recession, most large banks established an independent risk management function in line with the LOD model. As fewer findings were brought up by regulators, a change occurred in second-line talent acquisition to reduce cost. Recent college graduates without significant business exposure filled vacancies in risk management positions. Risk evaluations from inexperienced staff were more prone to be isolated, one-sided, and procedural-focused. Issues and findings they brought up often did not fully justify the required change actions, nor the business and cultural impact. Business line risk was created to address these issues. It is sometimes called risk management within the first line, and is referred to as the “1-b” or “1.5” line. The business line risk function helped reduce the impact of the knowledge gap between the first and second lines; avoid potentially embarrassing second-line findings; and facilitate effective communication between business operations, the second and third lines of defense, and regulators. 

Shortly after the inauguration in January 2025, the Trump administration initiated a hiring freeze at federal agencies, followed by mass layoffs carried out by the Department of Government Efficiency (DOGE). Events that could have a profound impact on the banking industry included the deep cutbacks at the Consumer Financial Protection Bureau (CFPB), reversal of artificial intelligence (AI) regulation from the Biden era, and withdrawal of the U.S. central bank and the OCC from international climate organizations in January and early February, respectively. The actions taken in Trump’s second administration signaled a significant change for banking regulation. 

As DOGE continues trimming the federal workforce, it seems possible that the bulk of bank supervision could be consolidated inside the OCC. If that happens, the change would shake the regulatory foundation U.S. banks have been familiar with over the last six decades. Even if the regulatory framework does not change to that degree, financial organizations are at a crossroads on the future of risk management. Do they maintain a robust second line of defense to protect growth, foster transparency, and maintain compliance? Do they focus on cryptocurrency-related opportunities and prioritize technology, while curtailing investment in independent risk management, legal, and compliance efforts? Bank management teams should consider the following actions as they maneuver through the significant regulatory environment changes. 

First, management should conduct a risk assessment to quantify risk items that are no longer supervisory focuses. This should be done via the separation of financial risk and nonfinancial risk. Financial risk includes credit risk, market risk, and funding and liquidity risk, which result from risk-taking, or core banking activities. Financial risk can be relatively easily quantified, as it is necessarily transferable into dollars. Further, such traditional risk needs to be managed at all times regardless of the regulatory environment. 

Nonfinancial risk, in contrast, arises from the bank’s operations (processes and systems) that are heavily impacted by cultural, legal, and regulatory expectations. Operational risk, compliance risk, conduct risk, reputational risk, model risk, and solvency risk are examples of nonfinancial risk. The current deregulation drive creates an opportunity for investments in some nonfinancial risk, such as environmental, social, and governance (ESG) risk, to be curbed or eliminated, in particular for non-global systemically important banks (GSIBs). 

Second, bank management may reinforce business line risk by consolidating duplicative responsibilities between business line risk and the second line. For example, credit review is a critical function to evaluate borrowers’ ability to pay back loans or take on more risk. Under the LOD model, a credit risk team in the second line performs very similar tasks after the business line, along with business line risk, completes its risk assessment. In a relaxed regulatory setting, business line risk can assume the majority of credit risk duties. Business line risk’s closeness to decisions and operations helps it provide meaningful and faster responses. Its ability to issue self-identified findings guarantees that effective challenge, risk control, and mitigation take place. Meanwhile, the stature and independence of the second line are preserved by the presence of management committees and executive leadership, including board members. This consolidation will create cost savings while maintaining or even enhancing effective risk governance. 

Third, bank management should revise its policies and culture regarding AI. Over the last decade, banks have benefited from advanced machine learning algorithms, deep learning, and large language models (LLMs). The speed of AI innovation adoption prompted a variety of compliance-related matters brought up by independent risk management, internal audit, and regulators. In the deregulatory environment, bank leaders can create a centralized AI risk management team and redefine risk disciplines that need to be addressed. For example, most open-source AI models are black box in nature. Rather than validating the mechanism, banks should focus on validating the processes, which requires joint expertise in IT risk, vendor management, cyber risk, data privacy, model risk, and legal risk. An AI risk management team that incorporates a manifold assessment should address most of the AI-related compliance risk without stifling innovation. 

The operational and financial advantages banks can gain from reduced regulation are obvious, including in the realm of risk management. Risk managers’ ability to understand changes and modify existing practices in a timely manner will minimize operational disruption and help their firms gain competitive advantages. In this time of great opportunity, bank leaders should act boldly—but also sensibly. After all, robust risk management remains an important feature of successful financial institutions in any regulatory environment, one that benefits the industry, consumers, management, and, ultimately, shareholders. 

Liming Brotcke is a director, advisory at KPMG. She can be reached at lbrotcke@kpmg.com