Compliance
August 08, 2025

Five root causes behind regulatory actions - and how to spot them early

I. Inadequate risk management

Time and again, one of the most persistent drivers of regulatory failure is the inability to manage risk holistically. It’s not that institutions are blind to risk — it’s that they often work with fragmented instruments. Each business line sees a portion of the exposure, but no one has a full picture. Vulnerability begins with a lack of a cohesive view of their aggregate risk exposure.

Red flags/early signals
  • Misaligned risk reporting across departments
  • Outdated or static risk models
What a SIREN might look like: Unresolved or repeated internal audit findings

Self-check questions
  • Are our risk models updated with real-time data and stress-tested for today’s environment, not last year’s?
  • Do we have a consolidated, enterprise-wide view of risk? Or are we still operating in silos?

Boardroom considerations
  • Are we receiving a clear, integrated risk dashboard that connects exposures across business lines?
  • Are we actively challenging management’s assumptions, or simply accepting them at face value?

DOJ lens
  • Can the board demonstrate that it asked for, understood, and acted on information about enterprise-wide risks?
Because when risk is fragmented, governance becomes diluted, and that’s when regulators no longer see this as a control issue, but a leadership breakdown.

Cases to look at/References: Bear Stearns, Lehman Brothers, and Silicon Valley Bank

Institutions that fail to manage risk in a connected, enterprise-wide manner often find themselves blindsided when those risks converge. Strong governance demands that leadership has both visibility and ownership of risk across the business — anything less invites oversight failure.

II. Excessive leverage

Excessive leverage occurs when institutions take on more risk than they can absorb, often by funding long-term illiquid assets with short-term liabilities. While it may seem like a balance sheet issue at first glance, the real concern lies deeper — it's a structural vulnerability that can unravel quickly under stress. In these cases, it’s not just about how much an institution borrows; it's about how fragile the funding becomes when the market shifts.

Red flags/early signals
  • Sharp growth in loan-to-asset ratios
  • Funding mismatches and shrinking liquidity buffers
What a SIREN might look like: Inadequate capital held against new, riskier business lines

Self-check questions
  • Are we maintaining liquidity and leverage ratios well above regulatory minimums, or are we just skating by?
  • Are our funding sources diversified and stress-tested under worst-case scenarios, not just base cases?

Boardroom considerations
  • What are our most significant asset-liability mismatches, and how are they being monitored?
  • Are we tracking leverage growth across high-risk portfolios, and are we asking the right questions when it accelerates?

DOJ lens
  • Did the board probe how aggressive growth was being funded and whether the balance sheet was truly sustainable?

Cases to look at/References: Lehman Brothers, American International Group, Celsius Network, Genesis Global Capital

Unchecked leverage may appear as momentum during expansion, but beneath that surface, fragility can build quietly and quickly. Without board-level scrutiny and a forward-looking view of funding structures, institutions risk becoming overexposed — often without realizing it until it’s too late.

III. Fraud

Fraud rarely starts with a single bad actor. More often, it’s the result of sustained pressure, weak oversight, and a culture that discourages transparency. When employees feel they can’t speak up — or worse, when no one listens when they do — unethical behavior can take hold and go unchecked. We’ve seen this play out across high-profile failures where silence and unchallenged ambition created conditions that allowed unethical behavior to grow without intervention.

Early signs of fraud are often visible and easy to rationalize. A business unit that consistently bypasses controls to meet aggressive revenue targets may appear successful but actually operates outside acceptable risk boundaries. A spike in whistleblower complaints, particularly when left uninvestigated, suggests deeper, systemic issues. The most alarming sign is a lack of documented approval trails. When decisions can’t be traced back to accountable owners, the institution becomes vulnerable to manipulation.

Red flags/early signals
  • High frequency of policy exceptions or override approvals
  • Growing anonymous hotline complaints or whistleblower reports*
What a SIREN might look like: A lack of documented approval trails or inconsistent reconciliations
*These may be vague or unverified, but a pattern of similar concerns, especially if they’re not investigated, should raise alarms.

Self-check questions
  • Are we proactively analyzing compliance trends and behavior patterns (not just waiting for a whistleblower to raise the flag)?
  • Do employees feel safe and supported when escalating concerns, or is silence a safer option?*
*The DOJ has released guidance to its prosecutors on what to look for in a whistleblower program when fraud or misconduct is uncovered.

Boardroom considerations
  • What is our fraud response framework?
  • When was it last tested under real-world conditions?
  • Have we seen activity through whistleblower channels in the past 12 months?
  • If we haven't, is that a sign of health, or is that a red flag itself?

DOJ lens
  • Has the board ensured that a confidential reporting mechanism exists?
  • When red flags appear, have they been followed up, or have people looked away?

Cases to look at/References: Enron, FTX

Fraud isn’t just an ethical lapse. It's a failure of oversight and governance. When regulators investigate, they won't only examine the misconduct itself; they'll scrutinize the systems and leadership that allowed it to happen and enabled it to persist unchallenged.

IV. Lack of transparency

Lack of transparency is a root cause that often precedes both regulatory action and reputational harm. It goes beyond disclosure. It's about whether leadership, regulators, and internal teams understand the institution’s risk profile. As seen during the subprime mortgage crisis and the collapse of Archegos Capital, institutions can hold complex financial exposures that even senior executives struggle to explain.

The warning signs here are often structural. When business units launch complex products or strategies that only a few people understand — and risk and compliance teams are brought in too late — the institution loses its ability to govern those risks effectively.

Red flags/early signals
  • Use of complex financial products with limited oversight
  • Late or vague disclosures to regulators or investors
What a SIREN might look like: A lack of internal understanding of business line risk

Self-check questions
  • Are our complex models and business structures clearly explained across all three lines of defense?
  • Are our disclosures timely, accurate, and benchmarked against our peers, not just compliant with the minimum?

Boardroom considerations
  • How do we validate transparency in areas like our pricing models, liquidity assumptions, or counterparty exposure?
  • Have we ever asked for an external review of how risk is communicated internally and disclosed externally?

DOJ lens
  • Did the board demand full transparency from executives? And when gaps appeared, did it investigate, or accept ambiguity?

Cases to look at/References: 2008 Subprime Mortgage Crisis, Archegos Capital

Aside from being a reporting obligation, transparency is also a governance imperative. When leadership cannot clearly explain the risks they’re managing, it signals that the institution may not fully understand its risk, prompting regulators and markets alike to ask difficult questions.

V. Risky lending practices

Risky lending is a root cause that often builds quietly, only revealing itself when it’s too late. It results from systemic exposures that accumulate over time, such as weakened underwriting, concentrated portfolios, and the erosion of prudence in pursuit of growth. These behaviors gradually undermine credit discipline and increase institutional vulnerability.

These signs are often found in the data. Risk silently creeps in when lenders raise loan-to-value ratios or relax covenant requirements to stay competitive. A surge in lending to high-risk sectors like commercial real estate or cryptocurrency without corresponding adjustments in capital buffers signals misalignment. Minor exceptions become structural threats if delinquencies spike or credit policies are frequently overridden.

Red flags/early signals
  • Declining underwriting standards
  • Rapid growth in high-risk sectors
What a SIREN might look like: An increase in delinquencies or frequent overrides of credit policy

Self-check questions
  • Are we tracking loan growth against our stated risk tolerance and concentration limits?
  • How often are we retesting our credit criteria to reflect changing market conditions and borrower behavior?

Boardroom considerations
  • Are we seeing shifts in lending policy, and are those changes being scrutinized appropriately?
  • What's our credit concentration in high-risk sectors, and is that exposure trending upward without a clear mitigation strategy?

DOJ lens
  • Was the board asking for evidence that credit standards were consistent with stated policies and risk appetite?

Aggressive lending without strong oversight can lead to more than just credit risk — it can signal a slow-motion governance failure. What may seem like temporary exceptions are often early indicators of deeper, systemic issues that ultimately draw regulatory scrutiny.

Conclusion

Periods of deregulation can offer powerful opportunities. But they also test the strength of an institution’s internal controls. Those that weather these cycles best are not the ones that avoid risk entirely, but those that recognize early warning signs, foster a culture of transparency, and ensure their boards are equipped to ask — and act on — the right questions.

By learning from the five root causes of past regulatory actions, institutions can safeguard against repeating them. Now is the time to reexamine your governance structures, compliance programs, and cultural assumptions. The cost of inaction may be far higher than the cost of preparation.

If you want to dive deeper into the implications of deregulation, real-world lessons from past deregulatory cycles, and actionable strategies to strengthen compliance frameworks while mitigating risks, we encourage you to watch our on-demand webinar: Driving resilience in a deregulated era: Proactive compliance and risk management in financial institutions.

Elaine Duffus
Senior Specialized Consultant
Elaine F. Duffus is a Senior Specialized Consultant with the Financial Services Compliance Program Management solutions team at Wolters Kluwer. 