Abstract: Executive Summary: In this paper, we evaluate the regulatory structure for risk management at U.S. banking institutions as compared to technology companies. We also evaluate the appropriate regulatory structure for cloud service providers to U.S. banking institutions, as banking institutions are increasing their reliance on cloud service providers for their data needs and effective risk management regulation can safely facilitate that transition.

Part I of our paper provides a comprehensive review of the regulation of corporate governance and risk management at U.S. banking institutions with a focus on how the regulatory structure is tailored to address the business activities of U.S. banks. We find that the regulation of risk management processes by U.S. banking institutions is highly prescriptive and that U.S. banking regulators have centralized key risk management responsibilities with the board of directors and senior management.

Part II of our paper reviews the regulation of corporate governance and risk management at U.S. technology companies. We find that the regulation of risk management at technology companies is principles-based and does not shift prescriptive responsibilities to technology companies’ boards of directors.

Part III of our paper considers whether the banking approach to the regulation of risk management or the technology approach to the regulation of risk management is better suited for cloud service providers to U.S. banks. In doing so, we consider key differences between the risks faced by U.S. banking institutions as compared to cloud service providers. We conclude that a principles-based and decentralized approach to the regulation and supervision of cloud service providers and other technology services providers to U.S. banking institutions would better address the risks inherent in such services and facilitate continued adoption of cloud services by U.S. banking institutions.