We consider a regulator providing deposit insurance to a bank with private information about its investment portfolio. As is typical in practice, we assume that the regulator does not commit to auditing after any risk report from the bank. We first show that the optimal contract can be implemented through a direct revelation mechanism. We also show that, at the optimal contract, a high-risk bank has incentives to misreport. We thus establish that extraction of truthful risk information, as done in current regulatory practice, is not compatible with the maximization of social welfare.