Overseeing banks' governance: can we do it better?
Speech by Mr Fernando Restoy, Chair, Financial Stability Institute, at the 2026 Corporate Governance Summit, Bangko Sentral ng Pilipinas (BSP), Manila, 25 May 2026.
Introduction
Let me first thank the organisers and, in particular, Governor Remolona for their kind invitation to participate in this conference on "Navigating the future: governance in action".
This is quite a catchy title for an important theme. The success of market economies in delivering growth and welfare for citizens depends very much on how corporations are governed and managed. This is particularly relevant in the banking sector, where strong governance is critical to maintaining the trust of depositors and investors. Trust is also the foundation for the sustainability of banks' businesses and, therefore, for preserving financial stability. Therefore, fostering sound governance in banks should always be a key focus for financial authorities.
Against this background, I will devote my remarks to banks' governance, or more concretely, to policy approaches to foster strong governance in banks.
Lessons from the past
Let's start by looking back at the (not too distant) past. Andrew Bailey, the current Governor of the Bank of England, once said that "there has not been a case of a major prudential or conduct failing in a firm which did not have among its root causes a failure of culture" (Bailey (2016)). If we examine the Great Financial Crisis (GFC) as well as more recent crisis episodes – such as the 2023 banking turmoil that caused the failure of several US regional banks and Credit Suisse in Europe – it is evident that bank failures were often caused by inadequate risk management and/or unsustainable business models. Such shortcomings can only be explained by a deficient culture and poor governance.
My own experience as a Deputy Governor of the central bank and head of the resolution authority in Spain during the Spanish financial crisis confirms this evidence. The failure of several savings banks in Spain was closely linked to deficient risk management, the lack of professional expertise at banks' top executives and their strong ties to local and regional political authorities (Baudino et al (2023)).
Interestingly, despite ample evidence on the importance of governance and other qualitative factors as key drivers of banks' vulnerabilities, international regulatory standards have historically focused on quantitative rules, such as minimum capital and, more recently, liquidity requirements. These requirements alone are not sufficient to ensure the safety and soundness of financial institutions. It is often forgotten that a small impact of poor risk management on asset quality can have a disproportionate impact on regulatory capital. Just consider that only a 5% decline in asset values would deplete the minimum common equity Tier 1 (CET1) capital requirement under Basel III. In other words, there is simply no feasible amount of capital that could compensate for the risks caused by deficient risk management or poor governance (Dahlgren et al (2023)).
Some useful developments
Following the GFC, several measures were introduced to strengthen banks' governance practices. In particular, in 2015 the Basel Committee on Banking Supervision updated its Corporate Governance Principles for Banks. Among other elements, these principles stress the overall responsibility of bank boards and introduce the concept of risk appetite frameworks as a foundation to support effective risk management and to strengthen firms' risk culture. This effort was complemented by guidelines issued by the Financial Stability Board on remuneration policies for board members and senior managers. These guidelines help to align the incentives of senior bank officials with responsible risk-taking.
The guidance issued by international standard-setting bodies has been complemented by jurisdiction-specific initiatives. For example, starting in 2015 with the United Kingdom, several authorities introduced individual accountability regimes (IARs). While details vary, IARs share two key features: (i) firms must formalise and document senior officials' responsibilities – through statements of responsibility – enabling supervisors to identify responsible individuals and address issues early; and (ii) senior executives are accountable for failings in their areas of responsibility unless they have taken "reasonable steps" to prevent breaches from occurring. These measures emphasise accountability at the highest levels, allowing supervisors to identify and, if necessary, hold executives accountable for their actions (or inaction) and those of their subordinates (Oliveira et al (2023)).
In the area of supervision, the Dutch central bank pioneered the adoption of a novel approach to oversee behaviour and culture in financial institutions, embedding behavioural psychologists with line supervisors in assessing firms' corporate governance practices. After the creation of the Single Supervisory Mechanism in 2014, the European Central Bank (ECB) has also adopted a rather intensive supervisory approach for assessing banks' governance. For example, in 2024 it issued its draft guide on governance and risk culture, linking the importance of risk culture in banks to good governance and raising supervisory expectations on governance practices in supervised entities (ECB (2024)).
The role of boards
Much of authorities' attention has been on the functioning of banks' board of directors. National jurisdictions have introduced specific requirements for assessing the eligibility of board members through fit-and-proper assessments. In addition, many authorities have adopted criteria – often inspired by national codes of good governance practices – relating to the size and composition of boards to enhance effectiveness.
The academic literature assigns boards two distinct functions: (i) as a monitoring or oversight body of banks' executives; and (ii) as a technical advisory body for management (Fama and Jensen (1983)). Over time, authorities have tended to attach more relevance to the oversight function. This explains the attention paid to the number of independent board directors and their roles in the organisation. In some jurisdictions, it has become mandatory to separate the roles of Chair of the Board and CEO, assigning them to different individuals and to require key board committees to be chaired by an independent director. Moreover, many authorities have introduced measures to strengthen independence by limiting remuneration, restricting the years of service and even reducing access to firms' services and staff. In addition, the greater emphasis attached to the monitoring/oversight function as compared with the advisory role has informed board member selection criteria. Across most jurisdictions, greater importance is now placed on achieving gender, age and cognitive diversity - sometimes even more than on directors' technical knowledge about the firms' core business.
While these initiatives have merit, they are not bullet-proof and may give only the illusion of being thorough. For instance, even within the monitoring/oversight function of the board, rigid constraints for independent directors might not always be fit for purpose. In particular, for large and complex institutions, effective board oversight often requires not only access to comprehensive information but also sufficient time and means to process it. That could be challenging for independent directors if their dedication to the firm is excessively constrained, they need to devote substantial time to other remunerated activities and, as is generally the case, they have no direct support staff at the firm. These constraints can create a conflict between the responsibilities placed on independent directors and their capacity to fulfil them effectively. This tension between independence, performance and responsibility is even more pronounced for independent directors who lack sufficient expertise in banking and finance. While independence is essential for objective oversight of senior management, the actual monitoring function may be shallow if it is not accompanied by access to sufficient information, dedication and technical knowledge. Moreover, adequate board dynamics, including well defined meeting agendas that are truly focused on key strategic issues and regular interaction of directors with investors, banks' second line of defence and supervisors, seem in practice to matter more than formal adherence to rules or high-level codes of conduct.
Indeed, empirical evidence does not demonstrate a clear positive relationship between board size, independence or diversity and banks' performance, nor does it show that these board attributes reduce the probability of bank failure. It does, however, support the hypothesis that directors' banking and finance expertise help banks to perform better (Fernandes et al (2018)).
The way out: supervision
These issues all point to a well-known secret. Good corporate governance cannot be guaranteed by rules alone, even if they look conceptually solid. Deficient corporate culture can emerge from different sources and manifest itself in different ways. This is what makes rigid regulation not only challenging but potentially counterproductive. Overly prescriptive rules risk reducing the public oversight of banks' governance to a simplistic tick-the-box exercise, diverting attention from identifying and addressing core behavioural vulnerabilities, such as deficient risk management, poor board oversight or misalignment between the firm's declared risk appetite with actual decisions.
At the Financial Stability Institute (FSI), we have emphasised for quite some time that, after the considerable tightening of prudential regulation following the GFC, the focus should now shift towards strengthening supervision. In fact, the qualitative vulnerabilities identified since the GFC are more efficiently and effectively addressed by supervision than by new regulatory requirements (Restoy (2025)). Supervision can serve as a powerful tool, capable of identifying and addressing a range of governance issues in banks at an early stage that simply cannot be addressed through regulation. It is always more effective and efficient to identify and address possible flaws on credit underwriting standards early through supervision than to wait for loan defaults to impact regulatory capital.
A key challenge – and frequent criticism – of supervision is its reliance on supervisory judgment, which can lead to either excessive intervention or delayed action, often after a firm's financial health deteriorates. This is a fair criticism – but the solution is not to curtail supervision; instead, we should introduce structure to guide judgment.
One promising means to do so would be to adapt risk appetite frameworks (RAFs) – that we ask banks to develop – for the supervisory context (Balan and Zamil (2026)). Supervisory RAFs can facilitate prioritisation and risk-based decision-making – including a focus on risks that matter the most – while fostering greater consistency in supervisory judgment (Hernández de Cos (2026)).
Supervisory RAFs entail three steps: (i) establishing the authority's tolerance for supervisory risk – that is, the risk that its actions or inaction fail to achieve its prudential objectives; (ii) using qualitative and quantitative risk indicators to operationalise its stated supervisory risk tolerance; and (iii) establishing effective governance arrangements, including an independent second line function (independent of line supervisors) to ensure a consistent application, including appropriate supervisory decision-making.
There is no "magic bullet" for strengthening corporate governance practices in banks. Regulatory requirements are necessary but not sufficient. Supervision remains our most effective tool for identifying and addressing weaknesses in governance following procedures that are proportionate to a firm's size, complexity and risk profile. And supervisory RAFs can provide structure to supervisory decision-making, reduce unwarranted variability in supervisory actions and support more timely, consistent and credible supervisory interventions.
Conclusion
The age-old debate on the balance between regulation and supervision can naturally be compared with the discussion on rules versus discretion in monetary policy. Under this framework, the choice hinges on relative preferences: flexibility, which favours an emphasis on supervision, versus consistency and predictability, which suggest more reliance on regulation.
When it comes to governance and culture, there should be little doubt that supervision is the most effective policy tool, and that supervisory effectiveness requires a fair amount of judgment. Yet how judgment is applied merits attention at the highest level within supervisory authorities to avoid arbitrariness and to ensure sufficient transparency regarding the rationale behind supervisory assessments of banks' corporate governance practices. To achieve this, supervisory judgment should be anchored within a well-established framework of supervisory objectives, priorities, tools and measures that need to be consistently applied to all supervised institutions.
References
Bailey, A (2016): "Culture in financial services – a regulator's perspective", speech at the City Week 2016 Conference, London, 9 May.
Balan, M and R Zamil (2026): "Acting under uncertainty - the case for supervisory risk appetite frameworks", FSI Insights on policy implementation, no 74, April.
Baudino, P, M Herrera and F Restoy (2023): "The 2008-2014 banking crisis in Spain", FSI Crisis Management Series, no 4, July.
Dahlgren, S, R Himino, F Restoy and C Rogers (2023): Assessment of the European Central Bank's Supervisory Review and Evaluation Process Report by the Expert Group to the Chair of the Supervisory Board of the ECB, April.
European Central Bank (ECB) (2024): Draft guide on governance and risk culture, July.
Fama, E and M Jensen (1983): "Separation of ownership and control", The Journal of Law and Economics, vol 26, no 2.
Fernandes, C, J Farinha, F Vitorino and C Mateus (2018): "Bank governance and performance: a survey of the literature", Journal of Banking Regulation, vol 19, no 12, July.
Hernandez de Cos, P (2026): "The quest for supervisory effectiveness", speech at the BCBS-FSI high level meeting of European supervisors, Basel, 22 May.
Oliveira, R, R Walters and R Zamil (2023): "When the music stops – holding bank executives accountable for misconduct", FSI Insights on policy implementation, no 48, February.
Restoy, F (2025): "Towards a more efficient EU prudential framework: the role of supervision", speech at the CEPS-ECMI task force on EU regulatory and supervisory structures, Brussels, 16 September.
I am grateful to Jaime Caruana, Rodrigo Coelho, Juan Carlos Crisanto and Raihan Zamil for helpful comments. The views expressed here are my own and not necessarily those of the BIS or its member institutions.
