Bank runs in the age of interconnectivity: Lessons for internal auditors

Understanding historical bank runs and their evolution

Before we can fully appreciate the risks associated with a modern bank run, let us start with the fundamentals and history related to bank runs.

What is a bank run?

A bank run occurs when a large number of a bank's customers withdraw their deposits simultaneously over concerns about the bank's solvency or ability to repay its debts. This often happens because people fear the bank will run out of money, leading to a loss of trust.

Bank runs are fueled by the belief that the bank will collapse, resulting in a rush for individuals to withdraw their funds before others do. Ironically, this can contribute to the bank's ultimate failure. Banks typically operate on a fractional reserve system, meaning they keep only a small portion of their deposits in reserve and lend out the rest. Because of this, if too many people try to withdraw their funds at once, the bank may not have enough liquid cash to cover the increase in withdrawals, which leads to a crisis and the bank eventually closing.

A brief history of bank runs

The history of bank runs stretches back centuries and is closely tied to economic crises, financial instability, and shifts in public confidence. Here is a brief overview:

• Early history (17th-19th Century) - Bank runs have occurred as long as banking has existed. The concept emerged in early modern Europe with the rise of banks holding deposits. In the 19th century, bank runs became more prominent, especially in the U.S., due to the instability of the banking system, lack of central oversight, and the fractional reserve model. For example, waves of bank failures in the U.S. led to a crisis of confidence, resulting in widespread withdrawals and the collapses of many smaller banks.
• The Great Depression (1930s) - One of the most infamous periods of bank runs occurred during the Great Depression. Between 1930 and 1933, thousands of banks in the U.S. failed because of economic collapse and loss of public trust. Rumors about bank insolvency would quickly lead to queues of people demanding their deposits, which exacerbated bank failures. The U.S. government responded with several reforms, including the creation of the Federal Deposit Insurance Corporation (FDIC) in 1933 to protect depositors' funds and restore confidence in the banking system.

  On January 1, 1934, the first-ever national system of deposit insurance begins, protecting up to $2,500 per depositor at FDIC-insured banks. At its start, FDIC deposit insurance guarantees $11 billion in deposits. To further promote public confidence in the banking system and to protect depositors, Congress increases the FDIC’s basic deposit insurance coverage to $5,000 effective July 1.

• Post-World War II to pre-digital era - Following the Great Depression and reforms like deposit insurance, bank runs became less common. The Continental Illinois Bank, considered “Too Big to Fail,” experienced a large-scale run by depositors that began around May 7, 1984, amid rumors that the bank was in danger of failing. Over the next ten days, the bank lost about 30 percent of its funding. The run was generally electronic and spearheaded by depositors with large uninsured deposits and other bank creditors.
• The U.S. bank runs in 2008 occurred during the global financial crisis, largely triggered by the collapse of the housing bubble and risky subprime mortgage lending. Major financial institutions like Lehman Brothers failed, leading to panic among investors and depositors. This resulted in widespread loss of confidence in banks, causing people to withdraw funds en masse. Several banks faced liquidity crises, prompting government interventions, including the Troubled Asset Relief Program (TARP) to stabilize the banking sector and prevent a complete financial meltdown.
• Modern bank run - In 2022, three significant modern bank runs occurred, each with unique characteristics reflecting the evolving nature of financial instability. The collapse of  Silicon Valley Bank (SVB) was driven by concentrated exposure to tech startups and venture capital-backed firms, leading to a liquidity crisis when depositors rapidly withdrew funds amid rising interest rates.
  
  Signature Bank, heavily invested in cryptocurrency, experienced a swift depositor exodus following regulatory concerns and the broader downturn in crypto markets.
  
  

  Lastly, Silvergate Bank, a key player in crypto banking, faced a run after the collapse of FTX, triggering mass withdrawals and forcing the bank to wind down operations. All three cases highlight the amplified speed and scale of modern bank runs due to digital banking and the interconnectedness of niche financial sectors.

  Refer to this list for additional examples of global bank runs since the 17th century.

Why 2022 and 2023 bank runs were distinctly different: The role of social media and digital banking

The Federal Reserve Bank of St. Louis published the article, Understanding the Speed and Size of Bank Runs in Historical Comparison, and provided the following information: “In late 2022 and early 2023, a number of banks experienced deposit runs that were extraordinarily fast and large by historical standards. To explain these historically unprecedented developments, banking regulators have focused on three factors: (i) changes in technology that have enabled faster withdrawals, (ii) social media that facilitated information dissemination and coordination among depositors, and (iii) uninsured deposits that were concentrated among bank customers with connections to each other.”

To break down these three points in more detail, consider the following:

i. Banking technology - Electronic banking has dramatically increased the speed of bank runs by enabling rapid withdrawal of funds, often within minutes, without the need for customers to physically visit branches. Historically, physical bank runs were constrained by factors like branch hours, long lines, and the need for customers to physically access their money. With electronic banking, these barriers have been removed, making it possible for withdrawals to happen at a much larger scale in a very short time.

ii. Social media and depositor coordination - Social media amplifies fear by spreading news, speculation, or rumors in real time. This was evident during events like the 2023 Silicon Valley Bank (SVB) bank run, where tech companies and venture capitalists withdrew billions in a single day after social media rumors and rapid communication amongst a concentrated depositor base (i.e., tech founders and venture capital firms) spread about the bank’s solvency, ultimately leading to the bank's failure.

In a paper by Cookson, Fox, Gil-Bazo, Imbet, and Schiller, Social Media as a Bank Run Catalyst - “Social media fueled a bank run on Silicon Valley Bank (SVB), and the effects were felt broadly in the U.S. banking industry. We employ comprehensive Twitter data to show that preexisting exposure to social media predicts bank stock market losses in the run period even after controlling for bank characteristics related to run risk (i.e., mark-to-market losses and uninsured deposits). Moreover, we show that social media amplifies these bank run risk factors. During the run period, we find the intensity of Twitter conversation about a bank predicts stock market losses at the hourly frequency. This effect is stronger for banks with bank run risk factors. At even higher frequency, tweets in the run period with negative sentiment translate into immediate stock market losses. These high frequency effects are stronger when tweets are authored by members of the Twitter startup community (who are likely depositors) and contain keywords related to contagion. These results are consistent with depositors using Twitter to communicate in real time during the bank run.”

iii. Uninsured depositors - Having uninsured depositors poses several risks to banks and the broader financial system, particularly in times of financial stress. Uninsured depositors are more likely to withdraw their funds quickly during periods of uncertainty, as they have no protection beyond the bank’s solvency. This can cause a sudden liquidity crunch, as large withdrawals drain the bank’s cash reserves, potentially leading to a bank run. The three banks mentioned had historically low deposit insurance coverage which could amplify the negative impacts.

Guidance for internal audit leaders to address risks associated with a modern-day bank run

Internal audit leaders play a critical role in identifying, assessing, and mitigating risks associated with bank runs, especially given the speed and interconnectedness of today's financial environment. In addition to general best practices around banking safety and soundness, here are several key considerations for internal audit leaders when addressing the risks posed by a modern bank run, including specific examples from the Review of the Federal Reserve’s Supervision and Regulation of Silicon Valley Bank.

• Communication and social media strategy - Social media can amplify reputational risk, as negative sentiment can spread quickly and tarnish a bank’s brand, leading to loss of customer confidence and trust. Internal auditors should focus on:
  • Communication strategy - Assess whether the bank’s communication, crisis management, and social media strategy is effective in managing reputational risk and mitigating the impact of social media-driven crises.
  • Sentiment monitoring - Test for the existence of robust monitoring tools that track real-time social media sentiment, assess the bank’s ability to respond quickly to negative posts or rumors, and evaluate whether there is a clear crisis communication plan in place.
  • Coordination and escalation - Additionally, auditors should verify that the strategy includes coordination with senior management and the Board, proactive engagement with stakeholders, crisis communication and PR teams, and seamless integration with the bank’s broader risk management framework to address potential contagion risks.
• Liquidity risk management - One of the primary risks in a bank run is liquidity, where a bank might not have enough liquid assets to meet the demands of mass withdrawals. Internal audit leaders should develop:
  • Liquidity risk management program - Review the bank’s liquidity risk management program to ensure they meet regulatory requirements and are sufficient to withstand stress scenarios.
  • Stress testing - Ensure stress testing models simulate sudden, large-scale withdrawals and assess whether contingency plans are robust enough to maintain liquidity.
  • Contingency funding plans - Evaluate the bank’s contingency funding plans to confirm they address sources of emergency liquidity (e.g., central bank support or alternative lines of credit).
• Appropriate board governance and senior leadership - The Federal Bank Reserve report referenced earlier in this article noted that “Silicon Valley Bank was a highly vulnerable firm in ways that both its board of directors and senior management did not fully appreciate. The full board of directors did not receive adequate information from management about risks at Silicon Valley Bank and did not hold management accountable for effectively managing the firm’s risks.”
  
  To address these critical risks, internal auditors should:
  • Evaluate risk reporting - Internal auditors should evaluate whether the board is receiving timely, accurate, and comprehensive information about key risks from senior management.
  • Test Board oversight and accountability mechanisms - Internal auditors should assess the effectiveness of the Board’s oversight role in holding senior management accountable for managing risks.
  • Board risk awareness - Internal auditors should assess whether the Board members have the necessary expertise, training, reporting, and understanding to appropriately oversee the firm’s risk management practices.
• Appropriate risk management vs. baseline regulatory requirement - Based on the Federal Bank Reserve’s post-mortem, “When supervisors (Bank Regulators) did identify vulnerabilities, they did not take sufficient steps to ensure that Silicon Valley Bank fixed those problems quickly enough.” Additionally, the bank continued to receive satisfactory regulatory ratings even though there were serious underlying issues at the bank. While an internal auditor cannot change or materially influence a banking regulator’s work product, they can support and test for a culture of compliance that manages risks appropriately and proactively identifies issues.
  • Assess risk management framework and culture - Internal auditors should evaluate the robustness of the bank's risk management framework, ensuring it manages risk areas appropriately and has a process to self identify issues.
  • Internal controls and issue remediation process - Internal auditors should ensure that the bank has effective internal controls to identify and resolve risks and vulnerabilities quickly, even when those risks have not yet attracted regulatory attention.
  • Evaluation of governance and board oversight - Internal auditors should assess the quality of governance and board oversight in relation to risk management, ensuring that the board is not overly reliant on satisfactory regulatory assessments and is independently reviewing and challenging management’s risk practices.
  • Uninsured deposits - Ensure the bank has clear policies and procedures that define how uninsured deposits are identified, tracked, and reported.

Conclusion

Bank runs present a catastrophic risk for financial institutions. Internal auditors are essential in ensuring that banks are well-prepared to withstand these threats by assessing overall safety and soundness, liquidity management, stress testing, and communication protocols. As the dynamics of modern banking continue to shift, internal audit teams must stay ahead by adapting their approaches, ensuring that both the bank and its customers are protected from the cascading effects of a sudden loss of confidence.