Banks explore new data techniques to tackle money laundering

By Risk staff | Features | 23 May 2018

Artificial intelligence in tandem with human analysis seen as effective for know-your-customer

It pays to know your customers. Just ask US Bank, smarting from a $613 million fine for anti-money laundering violations in February. Or Deutsche Bank, fined $630 million for similar failings last year.

Authorities around the world are keen for lenders to develop strong know-your-customer (KYC) procedures, and are prepared to levy big penalties on banks that fall short.

As a result, firms are looking to new data-based technologies to sharpen up their compliance and help avoid regulatory punishments. Machine learning and artificial intelligence figure prominently in this push.

But any visions of a future where compliance departments are staffed solely by robots are premature. Human intervention still plays a big role in transaction monitoring, and banks should be wary of depending too heavily on smart algos.

“AIs can pull out anomalies in our customer dataset, which analysts can then use to apply common sense and assess the level of risk,” says Frederick Reynolds, global head of financial crime legal at Barclays. “AIs are not good at applying common sense so analysts provide an extra level of input for AI models.”

As an example, a financial crime head at a UK bank cites a fraud algorithm programmed to flag all transactions in excess of £10,000 for additional checks. It was only when an analyst reviewed the data and discovered a series of transactions at £9,999, each just under the trigger, that the bank was able to tackle this flaw in its control processes: a fixed threshold that is known or easily guessed invites a customer to split a large sum into amounts that stay beneath it, and a rule that looks at one transaction at a time will never see the pattern.
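The failure described above can be reproduced in a few lines. The Python below is an added illustration, not code from the page or from the bank in question: it runs the original single-transaction rule alongside two rules that look at a customer's activity over time, against a constructed set of transactions. The 5% band, seven-day window and three-hit minimum are assumptions that a real programme would tune.

```python
"""Threshold rule versus structuring-aware rules over constructed transactions.

Added illustration, not code from the page or from any bank named in it.
The transactions below are made up; the band, window and hit count are
assumptions a real programme would tune.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

THRESHOLD = 10_000            # the hard limit the original rule keyed on (GBP)
BAND = 0.05                   # how far below the limit "just under" reaches
WINDOW = timedelta(days=7)    # look-back for grouping a customer's activity
MIN_HITS = 3                  # repeated just-under transactions needed to flag


@dataclass(frozen=True)
class Txn:
    customer: str
    day: date
    amount: float


# Constructed sample: A trips the hard limit once; B splits a large sum into
# 9,999 pieces; C's individual payments are small but add up; D makes two
# just-under payments too far apart to look coordinated.
SAMPLE = [
    Txn("A", date(2018, 5, 1), 12_000),
    Txn("B", date(2018, 5, 1), 9_999),
    Txn("B", date(2018, 5, 2), 9_999),
    Txn("B", date(2018, 5, 4), 9_999),
    Txn("B", date(2018, 5, 5), 9_999),
    Txn("C", date(2018, 5, 3), 9_800),
    Txn("C", date(2018, 5, 6), 2_000),
    Txn("D", date(2018, 5, 1), 9_950),
    Txn("D", date(2018, 5, 11), 9_990),
]


def naive_rule(txns, threshold=THRESHOLD):
    """The original control: a single transaction strictly above the limit."""
    return {t.customer for t in txns if t.amount > threshold}


def _by_customer(txns):
    groups = defaultdict(list)
    for t in txns:
        groups[t.customer].append(t)
    for items in groups.values():
        items.sort(key=lambda t: t.day)
    return groups


def structuring_rule(txns, threshold=THRESHOLD, band=BAND,
                     window=WINDOW, min_hits=MIN_HITS):
    """Flag customers with repeated transactions just under the limit.

    Returns {customer: (first_day, last_day)} for the window that triggered.
    """
    lower = threshold * (1 - band)
    flagged = {}
    for cust, items in _by_customer(txns).items():
        days = [t.day for t in items if lower <= t.amount <= threshold]
        start = 0
        for end in range(len(days)):
            while days[end] - days[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= min_hits:
                flagged[cust] = (days[start], days[end])
                break
    return flagged


def aggregate_rule(txns, threshold=THRESHOLD, window=WINDOW):
    """Flag customers whose transactions within any window sum above the
    limit, regardless of the size of each individual transaction."""
    flagged = set()
    for cust, items in _by_customer(txns).items():
        start, running = 0, 0.0
        for end, t in enumerate(items):
            running += t.amount
            while t.day - items[start].day > window:   # drop payments that aged out
                running -= items[start].amount
                start += 1
            if running > threshold:
                flagged.add(cust)
                break
    return flagged


if __name__ == "__main__":
    print("single-transaction rule:", sorted(naive_rule(SAMPLE)))
    print("just-under pattern     :", structuring_rule(SAMPLE))
    print("rolling total          :", sorted(aggregate_rule(SAMPLE)))
```

The just-under rule catches the £9,999 series without waiting for an analyst; the rolling-total rule also catches customer C, whose individual payments never come close to the limit, at the cost of more alerts to review. Neither replaces the analyst: the band, window and count are tuning choices, and a customer who learns them can stay outside them just as the original one stayed under £10,000.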

“Although technology is good at automated search and data analytics, there is always room for human interpretation and intuition,” says Tony Wicks, head of screening and fraud detection at Swift, a financial messaging service. “The ultimate decision point will always sit with a human. Technology is there to help and support human decisions, not to replace them.”

Regulators agree. Under Europe’s new data protection regulation, known as GDPR, firms that use personal data to make decisions about, say, lending cannot in general rely on fully automated processing alone.

Article 22 of GDPR states: “The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.” Where such automated decisions are nonetheless permitted, for instance because they are necessary for a contract or the data subject has consented, the firm must provide safeguards that include the right to obtain human intervention and to contest the decision. The regulation leaves the form and extent of that intervention to the discretion of businesses.

Regulations elsewhere aim to tighten procedures regarding AML, or anti-money laundering. In the US, the Treasury department’s Financial Crimes Enforcement Network has issued customer due diligence rules that address AML processes within banks and close loopholes in the disclosure of beneficial ownership.

In Europe, beneficial ownership is a large part of the Fifth Anti-Money Laundering Directive, ratified by lawmakers in April. The regime will force banks to establish the identity of company owners and account holders. The rule changes are, in part, a response to the “Panama Papers” leaks, which exposed the global use of offshore companies to conceal who really owns assets.

The directive also instructs national authorities to set up centralised registers of bank accounts. These utilities will be interconnected across the bloc, enabling investigators to probe suspicious accounts more easily. Member states have 18 months to transpose the rules into local law.

Centralised information may aid other aspects of the KYC effort, too. A report from the European Supervisory Authorities in January highlights the use of “central identity document repositories” as one solution for customer due diligence. The report states these repositories “aim to streamline the collection and exchange of [customer due diligence] data and documentation between participating firms and their customers, thereby avoiding the same information being requested repeatedly from the same customer”.


As well as the threat of regulatory fines for AML failures (see box: Paying the penalty), banks face other losses from financial crime: primarily, the direct monetary cost of the crimes themselves. For example, Bangladesh Bank suffered an $81 million loss in 2016 when its computer network was hacked and criminals placed fraudulent transfer requests via the Swift network.

Some banks use insurance to mitigate losses, but exclusions can leave gaps in coverage. Risk managers are sceptical that insurance against cyber attacks is effective for the size and scale of losses involved.

Reputational damage and loss of business can also hit a bank financially. Banks susceptible to financial fraud, or whose remedial action is inadequate, risk losing business. UK bank TSB has been forced into costly measures to dissuade customers from closing their accounts following persistent IT problems which have left the bank an easy target for fraudsters. Banking association UK Finance received nearly 2 million reported cases of unauthorised financial fraud in 2017, up 6% year on year.

In-house or out

Banks are adopting different strategies to mitigate the risk of financial crime. Larger organisations with complex operations are developing in-house procedures, while smaller firms may find an external, off-the-shelf solution to be more cost-effective.

HSBC announced in April that it will use AI technology developed by UK data analytics firm Quantexa to support its anti-money laundering processes, following a successful pilot carried out in 2017. Royal Bank of Scotland and Vocalink, a payments business, have partnered to create a system to scan transactions by small and large business customers to identify false invoices and potential instances of fraud.

Regulators have a part to play in the development of fintech solutions. The UK’s Financial Conduct Authority created a regulatory “sandbox” in 2016, inviting banks and vendors to test tech applications. Of the first cohort of firms, 90% are now moving towards a wider market launch, with at least 40% of these having received investment during or after their sandbox testing phase.

Gemma Rogers, co-founder and director of Fintrail, a financial crime risk management firm, sees scope for new technology at most stages of the client lifecycle. “This can range from onboarding clients through easily integrated systems, such as using e-identification verification checks and incorporating new tools to carry out background checks for KYC. Other tools can provide ongoing reviews and background checks on existing clients,” she says.

Better use of data will improve efficiencies, helping to reduce false positives, vendors hope. A 2017 report by a UK think-tank estimated that 80–90% of suspicious activity reports (SARs) are of no immediate value to active law enforcement investigations, despite the time and effort spent in raising them. The same report estimated that the global private sector spent $8.2 billion on AML controls in 2017.

This indicates a need for more targeted AML systems, in terms of both time and cost. Wicks from Swift estimates that compliance processes can account for 10–15% of a bank’s costs, while analysts can spend 80% of their time looking for the right data and only 20% actively analysing it.


“By improving the quality of AML and fraud detection systems, they can be more effective, reducing the noise, ensuring more of the right kinds of financial crime risks are identified, resulting in an increased number of SARs that provide real value and can be acted upon,” Wicks says.

The challenge is identifying what to measure. Static classifications of risk, also known as typologies, can quickly become out of date. Reynolds at Barclays says: “Innovative technologies should not replicate human-based systems but should seek to find new solutions that change how we do business, not just make it faster. We should not be looking at typologies, which can be based on cases and networks identified several years ago, but at anomalies.”

Rogers of Fintrail agrees that risk identification must be flexible: “Fintech tools may use AI or machine learning to create models or typologies of financial crime risk which can evolve over time and are applied holistically, allowing users to more proactively assess transactions and potential financial crime risks.”

This flexibility extends to how different countries interpret compliance regulations. European Union member states have transposed the EU’s money-laundering directive into national law according to their localised needs. Their technological requirements will vary accordingly.

Endija Springe and Carolin Gardner, AML policy experts at the European Banking Authority, explain that Germany’s KYC process relies heavily on face-to-face verification. This method may be inconvenient for some customers, or difficult to reconcile with some business models. One proposed solution is to use video conferencing to meet that face-to-face requirement.

Other countries may require a different emphasis on customer due diligence. For example, in regions where identification and verification processes are already efficient, firms might focus on developing new technology for transaction monitoring.

Right tool, right job

New technologies are not without risk, though. The European Supervisory Authorities’ report states: “Innovation in this field, if ill understood or badly applied, may weaken firms’ money laundering and terrorist financing safeguards and subsequently, undermine the integrity of the markets in which they operate.”

Firms must constantly monitor and update new systems to make sure they accurately reflect financial crime threats, especially in cases where compliance systems have been outsourced to external providers. Moreover, staff must be fully trained on how to use these tools and the significance of the tools’ findings, otherwise firms risk missing financial crime flags.

Rogers says: “It is not possible to outsource risk, so even small firms that have bought in compliance tools have to make sure they understand them and have put the proper controls in place. This is something that regulators and auditors will be assessing.”

Reynolds believes that extensive testing and consultation can mitigate potential risks involved in the transition to new technological solutions. “Some trials of new systems may fail in internal testing but this is healthy, it allows firms to build on that failing and find new ways that target risk more effectively and produce a better system in the end,” he says.

It is not just supervisors that need to be convinced about the suitability of compliance systems; internal boards must sign off on new compliance tools and will be careful to ensure that any risk is managed.

An effective, up-to-date compliance process must also inspire confidence among fellow banks. Wicks says: “It is all about transparency now. Banks interacting with other banks want to know that they have good anti-money laundering processes in place and that they can trust you.”


Mutual trust could foster further benefits, such as greater co-operation between firms in developing new solutions to financial crime risk management. “AI is limited to the data pool on which it can draw, such as the Barclays customer base,” Reynolds says. “Allowing an AI to work across the datasets of multiple banks, without actually sharing data due to data sharing and privacy restrictions, would allow the AI to learn faster. This would result in much better identification of anomalous activity for all banks than they could achieve alone.”

Firms are already using data-pooling initiatives to comply with new market risk requirements known as FRTB. Here, banks must separately capitalise risk factors that lack suitable pricing data, incurring additional costs. Vendors are touting data utilities to lessen these capital add-ons; banks are even considering teaming up to form their own pools.

But data-sharing initiatives between major banks require close co-ordination with regulators, especially in cross-jurisdictional cases, which can be problematic even within individual banks. The Financial Conduct Authority is considering launching a second, global sandbox that would allow firms to test new technological solutions across different jurisdictions before going to market. The FCA invited comments or suggestions on the topic by March 2018 and is currently evaluating the responses. No details on the global sandbox are available as yet, but uses proposed by the FCA include addressing AML/KYC compliance and onboarding, supporting specific firms aiming to launch in multiple jurisdictions, and tackling global policy and regulatory challenges, potentially in co-ordination with regulatory bodies from other jurisdictions.

“Financial crime is global, not jurisdictional,” says Reynolds. “Criminals are jurisdiction-neutral and maintaining jurisdictional boundaries gives them an advantage. Our industry is not always competitive. We want to share innovation in financial crime technology as it helps to make us all safer.”

This trend towards “consolidation and connectivity”, as Reynolds terms it, has already encouraged vendors to wrap more products into their offerings, such as incorporating negative news web trawls into machine learning.

The growth of new technological opportunities will allow experimentation across small and large firms. Wicks says: “Smaller firms can be more agile in adopting new approaches and using technology to protect and enable their business.”

On the other hand, larger businesses and banks have more financial resources to invest in refining existing systems and developing new solutions. Such firms have a strong incentive to keep up the momentum in technological advances in order to improve financial crime safeguards and mitigate the potential for major failures that could lead to large fines.

Paying the penalty

Since 2017, banks have paid a series of hefty sums to regulators for anti-money laundering deficiencies, according to data from ORX News. In top place is the $651 million that money transfer firm Western Union paid to US authorities for failing to prevent AML breaches, including sending funds to human traffickers in China. Deutsche Bank handed over $630 million to US and UK authorities over allegations it facilitated mirror trades that enabled over $10 billion to be moved out of Russia. Close behind is the $613 million that US Bank coughed up for various mis-steps, including failure to report suspicious activities of a customer who ran a billion-dollar fraudulent payday lending scheme.

Editing by Alex Krohn


New method proposed for modelling large op risk losses

By Luke Clancy | News | 18 May 2018

Outsize loss events modellable through extension of approach to measuring moderate losses, says research

Banks should not ignore large operational risk losses suffered by firms in their peer group just because such events are difficult to include in the probability distribution of a standard op risk capital model, according to new research.

In his recent paper, Modelling very large losses, Henryk Gzyl, professor in the centre of finance at the IESA Business School in Caracas, Venezuela, presents a simple probabilistic model for aggregating very large losses to a data series. His research claims to offer a straightforward means of determining the tail behaviour of the loss distribution for the advanced measurement approach (AMA), which most large banks use to calculate operational risk-weighted assets.

Banks have long complained that modelling large, statistically infrequent losses plays havoc with AMA models – particularly as they are reliant on the use of external loss data from their peers to estimate the likelihood of such losses reoccurring. But it is precisely because such losses are infrequent that banks struggle to incorporate them into their model’s probability distribution.

“[A bank’s] recorded loss data may not include events that are known to have afflicted other institutions, and to have produced very large losses. Such events, not being part of the data set, do not contribute to the probability distribution that is inferred,” Gzyl says. “If risk managers want to include them in their analysis, they will have to augment their model to somehow include such losses.”

Banks have been blindsided by such losses from a wide variety of risk events in the past decade: from the $5 billion loss amassed at Societe Generale by rogue trader Jerome Kerviel in 2008, to JP Morgan’s $13 billion settlement with US regulators over mortgage mis-selling in 2013. From a modelling perspective the size of such losses was unprecedented at the time, and they would have been big enough to blow through a sizable chunk of the op risk capital held by many banks.

A large body of literature exists explaining how to model common losses – but not for modelling unprecedented losses. Gzyl posits that standard losses come in various possible sizes: small, moderate and large. Small or moderate op risk losses occur with observable frequency within a standard unit of time, such as a year. A very large loss is perhaps several orders of magnitude larger than the value-at-risk of the common-loss distribution at a high confidence level, and such a loss may occur with a probability of less than 0.1%.

Both the original and extended distributions will have the same VAR – at slightly different levels of confidence – but quite different values of expected shortfall, defined as the average of all losses that are greater than or equal to VAR.

This is significant, says Gzyl, because expected shortfall is a better risk measure of quantifying losses expected beyond the VAR: “One may have risks with the same VAR but with considerably different losses beyond the VAR.”


Gzyl’s model includes a finite number of very large losses to obtain a simpler description of a total loss distribution, defined as the sum of standard losses collected over many time periods in addition to large, very rare losses.

The paper examines two possible scenarios: that standard and very large losses are independent of each other; or, alternatively, that very large losses may not be independent of ordinary losses.

Gzyl proposes using a simple model to capture large possible losses. “We begin by considering the total loss, L, to be written as L = L1+ L2, where L1 describes the losses included in the data set – which we call common losses – and L2 is used to model the losses known to exist, but absent from our data set, and which are much larger than the common losses.”

The simplest assumption to make is that very large and rare losses and common losses are independent. The problem then is to analyse the statistical nature of their sum.

Gzyl does that by expressing the distribution of the total loss in terms of the distribution of the common losses. The expected shortfall of the total loss then turns out to be the shortfall of the common losses plus a corrected contribution due to the very large losses.

According to Gzyl, given a confidence level α, the total shortfall is equivalent to the shortfall that considers only common losses, but at a higher confidence level, which is calculated by adjusting for the probability of large and rare losses not occurring.

For example, if α is 99% and the probability of large losses not occurring is 99.9%, then the adjusted confidence level is 99%/99.9% ≈ 99.1%, which is higher than α. The adjustment follows from independence: for any loss level well below the size of the very large loss, the total stays under that level only if the large loss is absent and the common losses are under it, so the probability is 99.9% multiplied by the common-loss probability. Setting that product equal to 99% means the common losses alone must be taken at 99%/99.9%.
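The confidence-level adjustment and its effect on expected shortfall can be checked numerically. The Python below is an added worked example rather than the paper’s own code: it takes lognormal common losses (an assumption chosen because VAR and expected shortfall have closed forms), adds a single very large loss M that occurs with probability 0.1%, finds the VAR of the total by bisection on the mixture distribution without using the shortcut, and then computes the total expected shortfall as the common-loss shortfall at the adjusted level plus the large-loss contribution. All parameter values are constructed.

```python
"""Very large, rare losses added to a common-loss distribution.

Added worked example, not the paper's code. L = L1 + L2 with L1 and L2
independent: L1 is lognormal (an assumption, chosen for its closed forms)
and L2 is 0 with probability p, otherwise a single loss M that dwarfs any
plausible L1. All parameter values below are constructed.
"""
import math
from statistics import NormalDist

PHI = NormalDist()                  # standard normal
MU, SIGMA = math.log(1e6), 1.0      # common loss L1 ~ LogNormal(mu, sigma)
P_NO_LARGE = 0.999                  # probability the very large loss is absent
BIG_LOSS = 5e9                      # size of the very large loss when present


def common_cdf(x):
    return 0.0 if x <= 0 else PHI.cdf((math.log(x) - MU) / SIGMA)


def common_var(alpha):
    """VAR of L1 alone at confidence alpha (lognormal quantile)."""
    return math.exp(MU + SIGMA * PHI.inv_cdf(alpha))


def common_es(alpha):
    """Expected shortfall of L1 alone, E[L1 | L1 >= VAR_alpha], closed form."""
    mean = math.exp(MU + SIGMA ** 2 / 2)
    return mean * PHI.cdf(SIGMA - PHI.inv_cdf(alpha)) / (1 - alpha)


def total_cdf(x, p=P_NO_LARGE, big=BIG_LOSS):
    """P(L <= x) = p * F1(x) + (1 - p) * F1(x - M) under independence."""
    return p * common_cdf(x) + (1 - p) * common_cdf(x - big)


def total_var(alpha, p=P_NO_LARGE, big=BIG_LOSS):
    """VAR of the total loss by bisection on the mixture cdf, deliberately
    without the confidence-level shortcut, so the two can be compared."""
    lo, hi = 0.0, 2 * big
    for _ in range(200):
        mid = (lo + hi) / 2
        if total_cdf(mid, p, big) < alpha:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def adjusted_confidence(alpha, p=P_NO_LARGE):
    """Below M the mixture cdf is p * F1(x), so the alpha-quantile of L is
    the (alpha / p)-quantile of L1: e.g. 0.99 / 0.999 ~ 0.991."""
    return alpha / p


def total_es(alpha, p=P_NO_LARGE, big=BIG_LOSS):
    """ES of the total loss: the common-loss shortfall at the adjusted level
    plus the contribution of the very large loss, which sits entirely above
    VAR. Obtained by splitting E[L ; L >= VAR] on whether M occurred."""
    mean_common = math.exp(MU + SIGMA ** 2 / 2)
    a2 = adjusted_confidence(alpha, p)
    tail_common = (p - alpha) * common_es(a2)       # = p * (1 - a2) * ES1(a2)
    tail_large = (1 - p) * (mean_common + big)      # every such outcome is in the tail
    return (tail_common + tail_large) / (1 - alpha)


if __name__ == "__main__":
    a = 0.99
    print(f"adjusted confidence    : {adjusted_confidence(a):.6f}")
    print(f"VAR common at adjusted : {common_var(adjusted_confidence(a)):,.0f}")
    print(f"VAR total by bisection : {total_var(a):,.0f}")
    print(f"ES common at {a}       : {common_es(a):,.0f}")
    print(f"ES total  at {a}       : {total_es(a):,.0f}")
```

Run as a script it prints the adjusted level (0.990991), shows the bisection VAR agreeing with the common-loss VAR at that level, and shows the expected shortfall of the total more than 30 times that of the common losses even though the two 99% VARs differ by only about 4%. The split in total_es relies on M lying far above VAR, so that every outcome in which it occurs lands in the tail; it covers only the independent case.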

In a second case, the paper considers that sometimes it may be reasonable to suppose that very large losses are not statistically independent of standard losses and in fact may have a common causal agent; an earthquake, for example, may cause losses of very different severities – a few of them qualifying as very large. In that case, the author contends that the formula may be adapted to this scenario.

Gzyl says: “The steps taken to pull the argument through in the simple, independent case can also be taken to replicate the same computations in the dependent case.”

Editing by Tom Osborn and Mauro Cesa


CFTC puts new spin on spoofing cases

By Alexander Campbell | News | 15 May 2018

Charges may be brought under regulation 166.3 in cases where intent is hard to prove

The US Commodity Futures Trading Commission can charge firms that fail to adequately supervise traders who engage in market manipulation or spoofing even if prosecutors are unable to prove intent.

Rostin Behnam, one of three commissioners at the CFTC, cited a January 2017 case involving Citigroup traders spoofing the US Treasury futures markets, where the bank settled charges of spoofing and failing to adequately supervise its employees – a violation of regulation 166.3. Regulators define spoofing as placing orders with the intent to cancel them before execution.

Punishing a violation of 166.3 does not require proof that an underlying offence of spoofing actually took place, Behnam said – sidestepping the requirement to prove intent.

“While [Citi’s] system identified individual instances of suspicious activity, it did not follow up on the majority of those red flags. That stands out to me as a really important issue in these cases, the role of technology in enforcement and compliance. To identify infractions by means of technology but not to follow up on them with human interaction, that raises a lot of concerns,” he said. “We as regulators need to trust that the regulated entity will impose a compliance programme that is strong and robust and will identify infractions, but also follow up on them. This is particularly important as we move forward with the role of artificial intelligence and machine learning in compliance.”

Citigroup was also reprimanded for failing to provide adequate training for employees – also part of its obligations under regulation 166.3.

Behnam, who was speaking at the Energy Risk USA conference in Houston on May 15, also highlighted the technology being employed by the CFTC to crack down on spoofing cases. “Enforcement is utilising Commission data, analytics and forensics, and leveraging the tools utilised by self-regulatory organisations like CME Group to monitor for and detect conduct and patterns typical of spoofing and other manipulative behaviour,” he said.

However, criminal charges remain difficult to prosecute. The CFTC and US Department of Justice have been successful with “low-hanging fruit in terms of the more standard, archetypal violative trading patterns”, Behnam said. “But a pattern alone cannot always be trusted…a violation of spoofing requires intent.”

And intent is not always easy to prove: bids and offers can be cancelled before execution for legitimate reasons, particularly in the case of high-frequency trading which may produce a high level of cancelled bids and offers, without violating the law.

The commission has used various approaches to prove intent in criminal and civil spoofing cases. On May 14 the US Supreme Court declined to hear the appeal of Michael Coscia, the first trader to be convicted on spoofing charges, leaving his conviction in place. Behnam linked that conviction to the testimony of a computer programmer who had been asked by Coscia “to create a program that would act like a decoy to pump the market”.

Behnam also warned against the new risks posed by a large-scale shift to electronic trading. New participants may be unsure of the rules, or may assume that the electronic environment allows continuous automatic monitoring and removes the need for human intervention, he said, adding that regulators needed to be cautious as well: “As we are regulating eight years out [from the passage of Dodd-Frank], we also need to be cognisant of what risks we are creating and what unintended consequences we are putting back into the market that maybe don’t exist today.”

Editing by Kris Devasabai

Eiopa targets cyber risk in stress tests

By Louie Woodall | Data | 14 May 2018

Europe-wide stress tests unveiled today will quiz insurers on their exposures to cyber risk for the first time.

The European Insurance and Occupational Pensions Authority (Eiopa) launched its latest round of stress tests on May 14. Included in the technical specifications is a questionnaire on cyber risk, which among other things asks firms whether the risk is included as part of their operational risk management framework, whether they conduct regular cyber risk loss data collection exercises, and total annual losses attributable to cyber risk.

Forty-two insurance groups, representing 78% of total European market coverage, are participating in the stress tests. Each insurer will report the impact on its Solvency Capital Requirement coverage ratio – the ratio of its eligible own funds to the capital the regime requires it to hold – as of end-2017 under two combined market and insurance risk shock scenarios and one natural catastrophe scenario, as well as completing the cyber questionnaire.

Firms must complete the stress test by August 16. Eiopa will report on the results in January 2019.

Who said what

“The scenarios reflect severe but plausible external shocks including insurance-specific shocks. Furthermore, for the first time the exposure to cyber risk and best practices in dealing with these risks is assessed. This stress test will therefore provide further valuable insight to the resilience of the European insurance sector” – Gabriel Bernardino, chairman of Eiopa.

What is it?

Eiopa previously ran insurance stress tests in 2011, 2014, and 2016. The watchdog has three objectives with the exercises: to assess the vulnerabilities of the European insurance sector, to raise awareness of threats the sector poses to financial stability, and to increase transparency by requesting disclosure of individual results by participating groups.

Why it matters

Cyber risk is a growing threat to financial institutions – heading Risk.net’s annual list of operational risks. By requesting information on European insurers’ vulnerabilities to IT disruption, Eiopa may be in the early stages of formulating guidelines for the prudent management of this risk, or even incorporating the risk in future stress tests. Whatever the end objective, the inclusion of the cyber questionnaire shows the watchdog is taking the cyber threat seriously.

Get in touch

In what ways could Eiopa ensure cyber risk is captured appropriately in insurers’ risk management practices? Share your thoughts by emailing louie.woodall@infopro-digital.com or tweeting @LouieWoodall or @RiskQuantum.


Asia-Pacific banks grapple with conduct risk rules

By Afiq Isa | Features | 13 May 2018

Australia, Hong Kong regimes lead in developing conduct risk guidelines; Singapore lags behind

Bankers in Asia have looked from afar as US and European institutions suffered punitive fines for conduct failings and, consequently, big increases in their operational risk capital. Any sense of complacency in Hong Kong, Singapore or Sydney is fast diminishing, though, as local regulators issue greater penalties for malpractice and enforce new codes of conduct.

Influenced by the UK’s Senior Managers Regime, Australia is due to impose an accountability code known as BEAR, which clarifies the roles and responsibilities of bank leaders. Hong Kong has brought in a similar regime called Manager-in-Charge.

Both sets of rules mark an attempt by authorities to codify expectations of behaviour by senior executives, in the hope that a trickle-down effect will see an improvement in culture throughout firms. But the task is tough in a region whose financial services industry has traditionally exhibited wildly differing attitudes towards conduct.

“We do not yet have a unified framework or inputs to make sense of conduct, especially if you’re talking from a risk capital perspective. In Asia, it is still considered a ‘soft’ type of risk,” says a Singapore-based senior risk manager for an asset management firm.

Traditionally, banks in Asia have faced lower fines for misconduct than their US and European counterparts. When NAB and ANZ settled with Australia’s regulator over benchmark rate rigging claims, the fines totalled A$50 million ($38 million) apiece. By comparison, UBS was forced to pay $1.5 billion to US and European authorities for its part in the Libor rigging scandal, Dutch lender Rabobank coughed up $1 billion, and UK’s Barclays $0.5 billion.

Comparatively smaller fines for Asian firms have put downward pressure on their levels of operational risk capital. Indeed, Basel’s forthcoming switch in op risk capital calculation method, from the advanced approach for the largest banks to a one-size-fits-all standardised approach, is expected to have little effect on the region’s banks due to their lower overall op risk capital.

But the status quo may not last indefinitely. China’s authorities have tightened their oversight of bank conduct, unfurling a series of hefty penalties for miscreants. In December 2017, the nation’s banking regulator fined China Guangfa Bank 722 million yuan ($114 million) for issuing fake letters of guarantee on corporate bonds in order to conceal financial losses. A second bank, Postal Savings Bank of China, was also fined 520.5 million yuan for its role in the fraud. A month later, PSBC booked a 90.5 million yuan fine for an illegal bank bill trading scheme.


In Australia, a Royal Commission probe into banking misconduct is set to rumble throughout 2018, causing a drip of reputational damage to many leading financial institutions as more findings come to light. The Australian Prudential Regulation Authority (Apra) has already hit Commonwealth Bank with a A$1 billion hike in its op risk capital requirements, in a verdict announced on May 1. The move echoes a threat from Bank of England governor Mark Carney last year that conduct failings could be punishable with Pillar 2 capital add-ons, in extreme cases.

With greater scrutiny from regulators has come greater awareness of conduct risk among bankers across Asia. Matt Maddocks, Singapore-based chief risk officer at regtech advisory firm RISKflo, says: “The attitudes in banks have changed over the past year. Historically [conduct risk] was something that involved a PowerPoint presentation and some questionnaires.”

But, he adds, “even with more training on conduct now, the main challenge is this: how do banks monitor conduct and demonstrate that to the regulator?”

By the book

The answer may depend on the introduction of new codes of conduct across the region. Apra can lay claim to being the most advanced Asia-Pacific jurisdiction when it comes to developing conduct standards, a process that began in 2013 with a review of Australia’s risk management processes. Next, Apra drew up a comprehensive plan to assess conduct and risk culture at banks. Inspired by the Netherlands central bank, the regulator announced its intention to conduct one-on-one interviews with bank staff and attend board and executive committee meetings at the firms.

On July 1, the Australian government will begin implementing the Banking Executive Accountability Regime, affecting banks and other regulated entities. The regime will give Apra new powers to deregister and disqualify senior executives and directors who fail to meet accountability expectations. Institutions found guilty of misconduct are also liable to significant civil penalties, while errant executives face deferred remuneration (see box: Taming the BEAR).

Hong Kong, meanwhile, implemented the Manager-In-Charge regime in October last year, which designates a representative at banks as responsible for reviewing management practices and key business line functions. About 10,000 individuals were appointed by licensed corporations as MICs following a six-month transition period. Under the regime, appointed MICs will be in charge of eight core functions in a firm (see box: MIC check).

Singapore is lagging regional rivals but it has taken its first steps on addressing conduct. On April 26, the Monetary Authority of Singapore proposed new guidelines to strengthen individual accountability and conduct in financial institutions. It is seeking feedback from industry players until May 25.

“Banks generally have processes in place to monitor conduct risks, such as the use of metrics and dashboards,” the MAS says in an emailed statement. “Most major banks have established conduct risk management frameworks, with dedicated committees overseeing conduct risks. Internal audit functions in banks have generally included areas of conduct risks such as product design and sales practices as part of their regular audits. The MAS continues to monitor and engage banks on developments in this area.”

Further afield, regulators in Vietnam and Thailand have begun plans to incorporate conduct risk standards into existing regulatory frameworks, sources tell Risk.net.

Jennifer Patwell, financial services risk partner at PwC Singapore, notes the difference between the MIC and BEAR, which is considered more analogous to the Senior Managers Regime. “MIC’s focus to date has been on promoting awareness of regulatory obligations and potential liabilities of senior management and establishing expectations, whereas for both SMR and BEAR, more prescribed approaches have been set with the respective regulatory authorities possibly imposing stronger consequences.”

The SMR has proved a useful template for Asian jurisdictions. Introduced by the UK’s Financial Conduct Authority in 2016, the regime imposes accountability and conduct standards on senior individuals in the industry.

The prescribed responsibilities under the SMR are very specific. Designated senior managers must directly oversee the adoption of a firm’s risk culture and ensure that countermeasures are in place to prevent the firm from being used to further financial crime. All members of a firm’s governing body must undergo suitable training and professional development, which is monitored. 

Regional variations

While the general desire in Asia is to mirror the SMR, banks may struggle to impose consistent standards of oversight across a region of scattered jurisdictions and time zones. For all the effort that organisations may make to emphasise conduct as a major risk element, the attitudes of staff will ultimately determine its success.

Claudia Marcusson, head of risk management at NN Investment Partners in Singapore, says auditors do not yet consider conduct risk as a major part of their checks.

“Based on external audits that we have experienced, in Singapore the reliance is more on financials and not really on conduct risk as it is not explicitly part of the audit. Even in Europe it has never really been part of the scope, but we hope that will change as more emphasis on the SMR comes up,” she says.

This essentially means that auditing culture will be at the discretion of the firms themselves. To implement quantitative measures, Marcusson suggests firms institute key performance indicators (KPIs) on conduct, which can be reviewed to guide the decisions of senior managers.

“Things like anti-money laundering, anti-fraud assessments are more quantifiable, but these are the minimum standards for conduct. Conduct policy should be embedded from the top down, but the real challenge is on embedding it across the different departments. Should the KPI apply for all individuals? Would you adjust the KPIs in more risk-sensitive departments? This is what managers have to deal with,” she says.

Quantifying conduct risk is an elusive business, given how much of the risk is qualitative in nature: predicting rogue traders is as much about human psychology and behaviour as about statistics and modelling. But that should not prevent firms from gathering data where relevant.

RISKflo’s Maddocks says: “Conduct risk quantification will happen as firms collect more data; it is essential if you have to present tangible and measurable evidence of poor conduct.”

PwC’s Patwell says capital requirements for conduct risk are a work in progress under Basel’s broader operational risk measures. “Op risk capital requirements are evolving as part of Basel IV. The main point to consider with regards to conduct risk events is the access to internal loss data and the impact of isolated loss incidents on current capital levels.”

Australia’s banks may have to prepare for more loss incidents – and their effect on capital levels – as Commonwealth Bank digests the A$1 billion hike in its op risk capital. Australia’s largest bank by assets is already preparing for the departure of chief executive Ian Narev amid allegations that CBA broke disclosure laws by not telling investors about potential money-laundering activities by criminals and terrorists.

On May 1, Apra released its final report on its enquiry into CBA. The regulator found a number of conduct infractions, fostered by a “widespread sense of complacency” and “an overly collegial working environment” which meant opportunities were missed to thwart misconduct. The bank has given Apra an enforceable undertaking to establish a framework showing that it is addressing the regulator’s recommendations fully.

This enquiry, together with the Royal Commission probe into banking, is independent of the BEAR rules spearheaded by Apra. At the same time, serious cases involving money laundering and bribery are overseen by the Australian Transaction Reports and Analysis Centre (Austrac). RISKflo’s Maddocks says these combined efforts illustrate the heightened scrutiny among the country’s regulators and lawmakers in rooting out misconduct in the banking system.

Taming the BEAR: the Banking Executive Accountability Regime (Australia)

Apra: new conduct regime

The BEAR regime applies to all authorised deposit-taking institutions (ADIs) in Australia. This includes Australian branches of foreign banks as well as overseas branches of Australian-based ADIs. Large ADIs must comply with the regime from July 1, while medium-sized and smaller ADIs will have to meet the new guidelines from July 1, 2019.

Banks are required to register their representatives, known as “accountable persons”, with Apra on an ongoing basis. Firms must also provide Apra with full details of the representative’s areas of responsibility and core functions.

A major part of the regime concerns new rules on the remuneration of accountable persons. Under BEAR, firms must defer a percentage of staff members’ variable remuneration (including bonuses) for a minimum period of four years with the intention of ensuring that the accountable person does not engage in behaviour that breaches their obligations. A minimum of 40% of an executive’s variable remuneration can be deferred, while for CEOs the figure can increase to 60%.

Aside from the disclosure of registered accountable persons to the regulator, Apra can also exercise its powers to remove and disqualify senior managers and directors that were found to have failed to meet updated regulatory expectations. Civil penalties also apply to ADIs that fail to meet the expectations, with fines ranging from A$10.5 million for smaller ADIs to A$210 million for larger ADIs.

MIC check: the Manager-In-Charge regime (Hong Kong)

The MIC regime states that the senior management of a firm should bear primary responsibility for ensuring the maintenance of appropriate standards of conduct and adherence to proper procedures. According to the Hong Kong Securities and Futures Commission, the scope of each senior manager’s duties must be clear, with each manager being fully aware of his or her obligations under Hong Kong’s regulatory regime.

Since its implementation date on October 16, 2017, banks have begun updating their management structure to conform with MIC guidelines. The firms are required to report the latest management structure information and organisational charts by April 16, 2018 according to a Hong Kong Monetary Authority circular.

The MIC is slightly different from the SMR as it prescribes eight core functions of the business: overall management oversight, key business line, operational control and review, risk management, finance and accounting, information technology, compliance, and anti-money laundering and counter-terrorist financing.

The SFC states that for each core function of a licensed corporation, there should be at least one individual appointed to manage that function. Corporations are allowed to have one individual overseeing several core functions where appropriate based on their scale of operations and control measures.

The SFC may exercise disciplinary powers to sanction individuals found guilty of misconduct or those considered not fit and proper. However, the SFC’s actions are civil rather than criminal in nature; they may include licence revocation or suspension, fines and reprimands.

Gold standard: the Senior Managers Regime (UK)

The SMR is currently applicable to banks, including credit unions, building societies and UK branches of foreign banks. Insurers will have to comply with the regime from late 2018 while asset managers will be expected to comply by mid-2019, according to the Financial Conduct Authority.

On December 10, 2018, the rule will also apply to all firms authorised under the Financial Services and Markets Act. According to the FCA, the regime aims to raise standards of governance, increase individual accountability and help restore confidence in the financial services sector.

The SMR introduces a wide array of senior management functions and prescribed responsibilities that must be allocated amongst senior managers. As a refinement of the previous Approved Persons Regime, the SMR introduced the “statutory duty of responsibility”, where managers are now obligated to take reasonable steps to prevent regulatory breaches or misconduct from occurring in their departments.

In another major shift, the FCA and Prudential Regulation Authority have established a list of certain functions which require regulatory pre-approval. In general, pre-approved functions are limited to the top tier roles in the bank, namely the executive management and the board of directors. The list replaces the previous “controlled functions” under the Approved Persons Regime.

The shift to individual accountability means that in the case of a regulatory breach, the authorities will possess the information to quickly pinpoint the problematic areas of a bank’s business and the senior manager responsible.

The SMR, which first came into force on March 7, 2016, was implemented at the same time as a new law that holds managers and firms criminally accountable if they were found to have committed misconduct leading to the failure of the bank or financial institution. Offenders could face a maximum jail term of seven years or an unlimited fine if convicted.

Editing by Alex Krohn

Share of op risk RWAs at US banks falls

By Louie Woodall | Data | 10 May 2018

Operational risk-weighted assets shrank as a percentage of total RWAs across the eight US global systemically important banks (G-Sibs) in the first quarter of the year, after a number of firms posted multi-billion dollar reductions in their op risk requirements.

Aggregate operational RWAs, as calculated under the Basel advanced approaches, made up 28.6% of total RWAs across the banks at the end of March, down from 29% three months earlier, and 28.7% at the end of 2016.

The latest quarterly decrease was due in part to big cuts in op RWAs at three of the G-Sibs. Goldman Sachs posted a $3.3 billion quarter-on-quarter decrease, Citigroup $2.5 billion, and Morgan Stanley $178 million. Operational RWAs dropped as a percentage of total RWAs at each firm by 0.52%, 1.25% and 2.45% respectively.

Goldman Sachs’ chief financial officer said on the firm’s April 17 earnings call that the bank had seen a “continuing roll-off” in op RWAs, but did not specify in its most recent disclosure what had driven the decrease. Citigroup stated its cut was primarily driven by “changes in operational loss severity and frequency”, while Morgan Stanley’s decrease was due to “a reduction in the internal loss frequency related to litigation utilised in the operational risk capital model.”

Of the other G-Sibs, JP Morgan and Bank of America saw no change in their op RWAs quarter-on-quarter. At State Street and BNY Mellon they increased $217 million and $200 million respectively.

Wells Fargo posted the largest gain in op RWAs, with an increase of $9 billion. This is likely related to a number of regulatory sanctions the bank was subject to following a series of malpractice cases brought against it last year.

The shrinkage in the percentage share of op RWAs across the G-Sibs was also helped along by significant increases in market and credit RWAs over the quarter. 

What is it?

US G-Sibs use the advanced measurement approach (AMA) to calculate their operational RWAs. Each bank calculates its risk based on scenarios incorporating a number of different types of operational failures, as well as internal and external actual loss experience. Updates to the loss experience inputs can cause the total op RWA amount to vary dramatically. For example, if a large regulatory fine is incurred one quarter, it may result in higher reported op RWAs at the end of that reporting period.

Why it matters

Ten years on from the financial crisis it is likely that a number of hefty op risk losses used to calculate RWAs will start to “roll off” the AMA formula used by each bank. This means op RWAs as a percentage of the total are predicted to continue to trend down. But as the chart above shows, this effect is by no means universal. Wells Fargo, having incurred a $1 billion fine in the first quarter, is likely to report an even bigger leap in op RWAs in its next disclosure.

Get in touch

Have US op RWAs peaked? Let us know your thoughts by emailing louie.woodall@infopro-digital.com or tweeting @LouieWoodall or @RiskQuantum.

Finma’s op risk ruling could set precedent, banks hope

By Steve Marlin | News | 10 May 2018

Credit Suisse granted capital relief for divested business; others hope for clemency ahead of SMA

The Swiss Financial Market Supervisory Authority’s decision to grant Credit Suisse operational risk capital relief for a sold business could prompt other supervisors to follow suit, bankers say.  

Credit Suisse was given the green light by Finma to write off Sfr2.5 billion ($2.6 billion) of operational risk-weighted assets (RWAs), most of which were held against its US private bank, which was sold to Wells Fargo in 2015. The bank had petitioned the regulator for relief last year.

An operational risk expert at a North American bank expects to see a flurry of requests for similar relief from non-US banks slapped with hefty fines by US authorities after the financial crisis.

“The banks will certainly use this opportunity to ask for similar relief from their regulators,” he says. “I can see the regulators outside the US would be much more sympathetic to the request, especially if they have already exited the US business line. There is a general view internationally that US regulators are very tough with penalties and fines.”

The head of op risk at a second bank agrees. “I’d expect banks using loss distribution models [under the advanced measurement approach to calculating operational RWAs] to make similar claims,” he says, adding: “I think regulators will accept these claims to avoid disadvantaging their firms relative to other jurisdictions.”

Credit Suisse’s success in getting Finma to grant relief was due primarily to two factors, according to a risk capital executive at a large European bank: the fact the US private bank was a self-contained entity, distinct from the parent firm; and that the operational risk losses weren’t related to conduct issues. It remains to be seen whether the same sort of relief could be obtained for losses tied to other businesses, he argues, such as residential mortgage-backed securities.

“Many banks have tried to get rid of their RMBS losses, but not a single bank has succeeded,” says the executive. “The smaller items are a bit easier to argue. If you could get rid of anything RMBS-related, it would be a whole different ball game.”

Finma and Credit Suisse declined to comment.

Under the Basel Committee on Banking Supervision’s recently finalised standardised measurement approach (SMA) for calculating operational RWAs, national regulators will have discretion to ignore banks’ historical op risk losses when calculating capital requirements. This can be achieved by setting the internal loss multiplier – the component of the SMA that scales a bank’s op risk capital by its past losses – to one.

James Oates, head of operational risk at Credit Suisse’s Swiss peer UBS, said recently his firm was in discussions with its regulators about whether it would be allowed to benefit from this clause.

The SMA relies on a simple accounting measurement of bank total income – dubbed the business indicator – to set a bank’s op risk capital, with firms divided into three size buckets. A separate business indicator multiplier is then applied to each bucket to produce the business indicator component.

However, the SMA does not take effect until 2022 – prompting banks to petition their regulators for relief in the interim. “We will see more institutions around the world try to approach their regulators with similar requests. I expect the regulatory responses to be varied but generally more favourable,” says Evan Sekeris, a partner in the financial services practice of Oliver Wyman.  

The final Basel III rules approved last December state the exclusion of internal loss events should be “rare and supported by strong justification”.

Some national regulators have already signalled they will apply the rules more liberally. In a discussion paper released on February 14, the Australian Prudential Regulation Authority said it would “exercise its national discretion to not implement the loss component, and instead set the operational risk requirement equal to the business indicator component for all authorised deposit-taking institutions.”

Risk.net understands banking regulators in the European Union are working with the European Central Bank’s single supervisory mechanism (SSM) on the application of the SMA, and are actively discussing the conditions under which banks under their jurisdiction will be allowed to exclude past losses from operational RWAs.

The ECB did not respond to a request for comment by press time.

Under the current advanced measurement approach, US regulators are said to take a tougher line on granting capital relief for op risk losses associated with sold or divested business lines. “With the US regulators, it’s pretty much a no-go. Most banks don’t even bring this up. The European regulators are a bit more pragmatic,” says the risk capital executive. 

Current guidance from the Federal Reserve requires banks to combine the operational loss histories of merged or acquired companies and treat the resultant loss history as if it had occurred at a single entity. The implication is that – barring some regulatory relief – the seller would have to retain certain losses in its model to reflect its residual exposures and cultural issues as well as any indemnities provided to the acquiring firm.

Risk.net understands at least two large US banks have asked the Federal Reserve for relief for op risk RWAs for businesses that have been divested. One bank sold off an auto lending business, but was told by the regulator that even though it sold the business, it could still be subject to legal fines. Both cases are still pending.

The Fed declined to comment.

Entitlement

While the sale of a business doesn’t automatically indemnify a bank against any residual risks, banks are making the case that they are entitled to some relief, provided the op risk losses are transferred to the acquiring bank. That is, when Bank A acquires a subsidiary of Bank B, it should use the subsidiary’s op risk loss history in its capital calculations. Similarly, Bank B should be able to remove the loss data for its capital calculation.

“Otherwise, both banks would hold capital for the same losses,” says an operational risk executive at a European bank. “As the underlying assumption of regulators is that capital should only be held once, the request for removing losses makes sense.”

The case for granting relief will hinge on persuading regulators the issues that led to the operational risk losses were confined to the business that’s being sold or wound down, and not related to the company as a whole. This could be especially problematic if the losses were caused by some conduct-related issue. In that case, the bank would need to prove the conduct was not related to some deeper cultural issues at the bank, which left unaddressed could result in additional losses being incurred in the future.

To the extent that op risk losses reflect a firm’s risk culture, some point out, the fact that a firm has exited a business that was subject to large fines over Libor, foreign exchange rates or mortgage-backed securities does not stop its loss history from being indicative of future losses.

“Regulators will always pay high scrutiny to such events, given that when my bank closes an entity or withdraws from a market, legacy losses and legal cases usually remain with the disinvesting bank,” says the executive at the European bank.

Commonwealth Bank hit by A$1bn op risk add-on

By Alessandro Aimone | Data | 9 May 2018

The Commonwealth Bank of Australia has been slapped with a A$1 billion ($744 million) add-on to its operational risk capital requirement, following the conclusion of an inquiry into its governance, culture and accountability by the Australian Prudential Regulation Authority on May 1.

The adjustment to the CBA’s op risk regulatory buffer, equivalent to a A$12.5 billion increase in its risk-weighted assets, is effective from April 30 – the date on which the bank entered into an “enforceable undertaking” with Apra. The CBA will be allowed to apply for the removal of the adjustment only on meeting certain conditions.

As a result of the action, the CBA’s common equity Tier 1 (CET1) capital ratio dropped 27 basis points to 9.8% at the end of March.

Excluding the add-on, operational risk-weighted assets were largely unchanged in the first three months of the year, compared with the previous quarter, at A$41 billion.

Who said what

“CBA has given to Apra an enforceable undertaking, which establishes a framework by which CBA will demonstrate it is addressing the full set of recommendations made by the panel in a timely manner. Until such times as these recommendations are addressed to Apra’s satisfaction, an add-on to CBA’s operational risk capital requirement will continue to apply” – Prudential Inquiry into the Commonwealth Bank of Australia (CBA) Final Report, Apra, April 30. 

What is it?

Apra launched an inquiry into the CBA in August 2017, following several incidents that damaged the reputation and public standing of the bank. The damning report published last week found a “complex interplay of organisational and cultural factors at work”, and “CBA’s continued financial success dulled the institution’s senses to signals that might have otherwise alerted the board and senior executives to a deterioration in CBA’s risk profile”.

The report concluded “this dulling was particularly apparent in CBA’s management of non-financial risks; i.e. its operational, compliance and conduct risks” – hence the add-on to its regulatory capital.

Why it matters

The levy imposed by Apra is adding pressure to the CBA’s capital ratios, which have been on a downward trend since September 2017, and its CET1 measure is now far below the 10.5% “unquestionably strong” threshold set by the regulator in June 2017.

Even before accounting for the regulatory add-ons, the bank’s CET1 capital ratio had already declined 30bp quarter-on-quarter, pushed down by higher RWAs. The additional capital requirements could weigh down the Australian lender for months to come too, as Apra did not specify an end date to the penalty. To reach the 10.5% level by Apra’s deadline of January 2020, it is looking ever more likely the CBA will have to take drastic action.

Get in touch

Can the CBA make a quick comeback from this reversal and get itself back into Apra’s good books? Let us know your thoughts. You can contact me at aimone.alessandro@gmail.com or @aimoneale and @RiskQuantum.

OCC’s Morrison on combating the cyber threat to clearing

By Dan DeFrancesco | Profile | 7 May 2018

Cyber security chief eyes analytics and machine learning to help anticipate – and defend against – breaches

Mark Morrison’s resumé speaks for itself, and that’s fortunate considering most of his previous employers can’t do it for him.

The chief information security officer at the Options Clearing Corporation has an ideal CV for cyber security, with stints at the US Department of Defense, Office of the Director of National Intelligence, Defense Intelligence Agency, and National Security Agency.

However, Morrison’s success in his previous roles – or even what he did – was difficult for the OCC to ascertain. A background check the clearing house performed prior to hiring him in May 2017 offered little information. One OCC executive jokingly speculates it was due to all the alternative identities Morrison held.  

The reality, Morrison says, isn’t nearly as thrilling.

“The agencies’ rules will only tell you the years I worked and what I made,” Morrison says. “That sets the OCC background investigation on its ear a little bit. So they had to make adjustments because they couldn’t get detailed knowledge that they usually get on employees.”

The OCC isn’t the only financial firm to have faced such a predicament when hiring a cyber security expert. The path from government intelligence agency to financial services chief information security officer (CISO) is well worn. For nearly a decade – as the financial sector has looked to build out cyber defences beyond a subdivision of technology departments – government defence organisations have been fertile ground for recruiting CISOs.

Morrison initially made the jump in 2013 when he left the Department of Defense to join State Street as its CISO. However, Morrison’s career progression may no longer be the industry template it once was. Credible candidates for deputy CISO and CISO jobs are emerging from other sectors – including finance – as cyber security programmes in those businesses mature.

“There is a general increase in the amount and the quality of senior security management across different sectors,” Morrison says. “You are still going to see a steady pipeline of DoD, intelligence community folks going into the financial and private sector because it has worked, but it is not going to be as heavily reliant as it was in the past.”

Keeping the lights on

For Morrison, moving from the public to private sector has led to a shift in how he approaches the three main pillars of information security: confidentiality, integrity and availability. In previous roles within the government, Morrison’s main concern was the first pillar: safeguarding the organisation’s secrets.

His focus has shifted to pillars two and three: ensuring integrity of clearing at the OCC, and maintaining continuity of service. These objectives are particularly important given the OCC’s status as one of the US’s “systemically important” infrastructure firms.

Banks and other market participants have repeatedly voiced concerns about the potential impact a disabling cyber attack on a critical piece of infrastructure such as a central counterparty could have on the functioning of markets. The OCC alone clears around 20 million derivatives trades a day, on average.

“Availability is critically important to us. We do a lot of exercise scenarios, both internally and with other financial utilities, to determine what would be the most applicable type of threat and attack patterns by the adversaries and ensuring that we can identify those as quickly as possible,” Morrison says. “We are trying to put more emphasis on being able to reduce the recovery time and the response time if we had a significant attack.”

When discussing how to stay ahead of the curve in cyber, Morrison harks back to an old DoD saying, citing the importance of having “information dominance”. Most firms are able to collect data, he says, but the challenge is to understand how to make proper use of the data. He highlights analytics and machine learning as technologies that are integral to the future of cyber security programmes.

Morrison says these technologies will evolve rapidly over the next year, as firms look to move their cyber programmes from being reactive to proactive. 

“You don’t want the battlefield dictated to you by the adversary. You want to control the battlefield,” he says. “You want to be able to know and predict what actions the adversary is going to take because you studied them, and you want to be able to make near real-time adjustments. As the adversary makes adjustments in their attack patterns, you want access to corresponding defensive countermeasures.”

Put your money where your mouth is

To help fund that effort, the OCC has invested heavily in cyber security. In April, John Davidson, president and chief operating officer of the OCC, said the central counterparty’s biggest area of increased spending last year was in cyber.

In keeping with the goal of being proactive, a significant portion of that funding went towards the central counterparty’s incident response capabilities, Morrison says. The aim was to automate the way the firm processes cyber threat intelligence.

Time and money were spent on automating policies, procedures and technical capabilities to better allow the OCC to monitor, detect and respond to incidents quickly, Morrison says.

“We don’t want to wait for a light to go from green to red on our screen that we potentially have an alert,” Morrison says. “We want to be more proactive in being able to hunt for those types of alerts. We do that by automatically ingesting cyber intelligence and then using other tools to automate and investigate the workflow.”

Morrison says his group does model some cyber risk to find weaknesses. But in a nod to his DoD roots, he says he favours real-world testing, suggesting: “You fight as you train; you train as you fight.”

Part of the increased cyber funding went towards building out both external and internal red and blue teams – a form of war-gaming that sees one party attempt to breach security while another defends. As the OCC moves to more of a cloud- and data-centric architecture, testing new points of weakness is crucial, Morrison says.

“We wanted to make sure that we had the right security controls being implemented in the different layers of the perimeter: at the servers, at the desktop and within the networking devices,” he says. “We come up with different scenarios, and we exercise this regularly to look for vulnerabilities or disruptions that an adversary could exploit in the OCC business processes. This work ensures that our defence identifies and responds to those scenarios as we believe it should.”

Biography – Mark Morrison

2017–present: Chief information security officer, OCC

2013–2017: Chief information security officer, State Street

2012–2013: Principal director to the deputy chief information officer, US Department of Defense

2009–2011: Chief information security officer, Office of the Director of National Intelligence

1981–2009: Various roles at Defense Intelligence Agency, National Security Agency and Mitre Corporation

Editing by Alex Krohn