Op risk capital: looking back in anger

By Tom Osborn | Opinion | 15 March 2019

Top 10 op risks survey shows industry has sights set on the horizon, even when regulators are looking backwards

How relevant are non-financial losses incurred a decade ago to the threats a bank faces today? It’s a question banks have been asking since the Basel Committee on Banking Supervision’s new standardised approach to calculating operational risk capital first hove into view.

Op risk managers have argued vociferously that the backward-looking nature of the new framework may end up eroding the quality of op risk management among banks. By simply setting capital primarily according to a bank’s size, and crudely scaling it to reflect past losses, risk-weighted assets will inherently not reflect a firm’s current risk profile. This will leave op risk managers staring at the rear-view mirror, the argument goes, rather than scanning the horizon for emerging threats.

With lenders still facing penalties for misdemeanours from a decade ago – UBS this week was fined by Hong Kong’s regulator for due diligence failings on a share prospectus dating from 2009 – by the time losses booked today roll off a bank’s 10-year loss history under the new framework, they may relate to events two decades old or more.

This year’s Top 10 Op Risks survey suggests the backward-looking nature of the standardised approach does not reflect the forward-looking nature of most institutions’ top op risk fears. The new category of data management in Risk.net’s annual survey reveals the rising level of bank concern about the risks of misusing customer data, for example.

The spectre of mega-fines under Europe’s draconian new data protection rules may have focused minds in this direction. And yet no bank has so far incurred a significant fine for a breach of the rules, therefore this particular op risk will not have featured prominently in banks’ historical op risk concerns. If risk managers were worried solely about preventing a repeat of past losses, the top 10 op risks would look very different.

Under a previous approach for calculating op risk capital, the AMA, firms were incentivised to make more forward-looking provision for op risk losses by taking into account changes in their business environment and internal control functions. Even if banks wanted to rekindle this technique, they might not be able to: many of the quants responsible for scenario analysis have been moved on, with banks disillusioned by their prospects in op risk modelling.

The fate of the body tasked with drawing up the framework for the standardised approach – Basel’s operational risk working group – remains unclear. Multiple sources suggest the group has not met regularly since the acrimonious final deal on the new standardised approach was reached. Its current remit – it is listed as a subcommittee of Basel’s new working group on operational resilience, confusingly – is unclear.

As with other elements of the revised Basel III framework, the op risk deal saw the representatives from European regulators on the committee ranged against US delegates – the latter camp inherently distrustful of op risk modelling, and aggrieved that Europeans had never held AMA banks to the same tough standards as the Federal Reserve. Sources suggest it was the support of UK regulators which ultimately allowed the US to gain the upper hand, and kill off op risk modelling altogether.

Arguably, though, the deal was reached at the expense of Basel’s aim: a standardised, comparable approach that would end wide disparities in capital standards. When the framework is finally phased in during the mid-2020s, national regulators will have the right to let banks under their jurisdiction effectively ignore past losses, removing any element of risk sensitivity from capital requirements.

Given the form of certain national regulators in this regard, it doesn’t take much to see a race to the bottom developing between jurisdictions eager to give their capital-constrained lenders a helping hand.

The schism runs beyond mere politics: it has scuppered initiatives which might have helped improve the quality of banks’ op risk management. After the passage of the standardised approach, the op risk working group is said to have shelved other projects it was working on, such as an update to 2014’s Principles for the sound management of operational risk.

As it is, banks are saddled with out-of-date guidance they have been forced to adapt and revise themselves: the three lines of defence framework, for instance, which has required near-constant revisions at larger firms to make it functional, or Basel’s two-decade-old op risk taxonomy, which features such risks as cheque kiting fraud.

Under the circumstances, it is understandable that op risk managers might find themselves following the title of John Osborne’s most famous play.

A BIS spokesperson did not offer comment when reached.

Top 10 op risks 2019: theft and fraud

By Risk staff | Features | 14 March 2019

Rogue employees are costly, but the thought of cyber mayhem dominates managers’ concerns

Despite slipping a place on Risk.net’s 2019 list, theft and fraud is still many operational risk managers’ worst nightmare. The idea of a massive heist by enterprising hackers, mercenary employees or plain old bank robbers, possibly followed by fines and penalties, keeps the category near the top of the op risk survey year after year.

Inside jobs made up the top three of 2018’s biggest publicly reported op risk losses: Beijing-based Anbang Insurance lost a shattering $12 billion to embezzlement; in Ukraine, $5.5 billion vanished from PrivatBank in a ‘loan-recycling’ scheme; and in New Delhi, the Punjab National Bank lost $2.2 billion to wayward employees working with a fugitive diamond dealer.

These top losses were the result of old-fashioned crimes in the emerging world. At US and European banks though, it’s the cyber component of theft and fraud that looms large – despite the absence of even a single incident on the top 10 list.

“You can commit theft and fraud anonymously. You can go multicurrency, bitcoin,” comments a senior operational risk executive who says theft and fraud make up the biggest loss at the North American bank where he works. “You can be on the other side of the world, funds in hand, before anyone realises the money is missing.”

According to ORX News, the total of publicly reported losses attributable to cyber-related data breaches and instances of fraud and business disruption was $935 million worldwide in financial services last year. Over half those incidents involved fraud.

Theft losses come in a broad variety. The granddaddy of bank theft – the hold-up – has waned, but still goes on. In 2003, there were almost 7,500 stick-ups at US banks, according to the Federal Bureau of Investigation; by 2017, they had dwindled to around 3,900.

Instead of ski-masked gunmen, hackers are the new fear. Anecdotally, cyber hits are described as a hail of mostly tiny, but relentless attempts on data defences, leaving managers on perpetual alert. Whatever cash is stolen is a loss, but so are fines, the cost of patches and new bulwarks, the possibility of suits from other parties (Target paid millions to banks that had to re-issue credit cards after its 2013 breach) and the brand becomes a late-night punchline.

Cyber fraud comes generally in one of two sorts: one sows chaos, then grabs data en masse in the ensuing turmoil; the other zeros in on individuals to drain their accounts.

A large-scale attack could consist of millions of small transactions, like a $1 charge on a credit card, each likely unnoticed by the cardholder. In a targeted attack, thieves try to pry loose enough data from a customer’s social media persona to get access to their bank account. Other, more sophisticated schemes look for the weak points in authentication systems like biometrics. Some apps, for instance, can replicate a person’s voice patterns and fool voice ID systems.

“Equifax taught us that you need to move away from knowledge-based authentication to more activity-based identification,” says an op risk head at a second North American bank; for instance, asking people what their last two transactions were. In 2017, hackers stole data such as names, birthdates and Social Security numbers on nearly 148 million people from Equifax’s online systems.

Cyber fraud losses tend to come in waves, reflecting the arms race between hackers and banks as each tries to outgun the other, says Michael Grimwade, head of operational risk at ICBC Standard Bank, in forthcoming research.

Perpetrators continue to exploit known vulnerabilities in the financial system – fraudsters have used the Swift network, for instance – but Grimwade says their success rate may be diminishing; the industry has responded vigorously to high-profile break-ins.

Others disagree.

“Banks will not give much information on the details of a cyber attack if they don’t have to – that includes their losses and costs,” says one op risk expert. “One reason is because they do not want to provide useful information to future potential fraudsters.”

But managers are hardly forgetting the here-and-now world of in-house bad behaviour. Avoiding it has required banks to try to establish a culture of ethics, not just at the top, but setting a ‘tone-in-the-middle’. Employees should know the line between what is acceptable in their roles, and what isn’t.

“Employees should know what fraud looks like, what their responsibilities are to mitigate it and how to report,” says a fraud management expert at a North American bank.

A whistleblower hotline should be available for employees fearful of retaliation by managers, says the fraud management expert.

Internal fraud can also be soft. Just last month, the Federal Reserve permanently barred a former managing director of JP Morgan from the banking industry for bribing Chinese government officials by providing jobs for their children, known as the ‘princelings’. JP Morgan agreed to pay $264 million to settle the matter.

But for all the dereliction on the inside, everyone is quietly watching for ambushes on the cyber front.

“Interconnectivity and the tools the fraudsters are using allows them to commit it on a much broader scale – we are seeing fraud be more successful,” a bank regulatory official says.

Top 10 op risks 2019: outsourcing and third-party risk

By Risk staff | Features | 14 March 2019

Perfecting internal controls is meaningless when lax oversight of outsourcing offers back-door vulnerability

If you could pay someone to worry about something for you, would you? Outsourcing key infrastructure or services to third parties is a tantalising prospect for many of the world’s largest firms. The incentive is to harness the expertise of specialist providers, or to save costs. Or, ideally, a combination of the two.

The trade-off for many risk managers is a lingering concern about losing oversight of vital business functions. The prevalence of breaches via third parties and growing regulator scrutiny of this area, not to mention the build-up of risk in certain systemically important platforms, are the focus of anxiety.

In a poll of Risk.net readers in last year’s top 10 operational risks for 2018, 28% of the 750 respondents selected outsourcing as their top concern, the largest percentage. Outsourcing was presented alongside four other major operational risks, including IT disruption and regulatory risk.  

Interviews with respondents to this year’s operational risk survey highlight fears over the outsourcing of critical IT functions and the increasing reliance on cloud technology. Customer spending on third-party cloud providers was up 46% in the fourth quarter of 2018 compared to the previous year, reaching $23 billion, according to tech market analysis firm Canalys. Amazon Web Services remained dominant with 32.3% of the customer spending in the market, according to the report. Microsoft Azure and Google Cloud are second and third with 16.5% and 9.5% of customer spend respectively.

“If cloud platforms are correctly configured they can enhance security, as well as creating efficiencies and reducing costs for customers,” says a UK cyber insurance executive. “However, if there was an incident that took down a cloud provider such as AWS or Azure, or a component part of the cloud infrastructure, this could cause an outage for thousands of individual companies.”

Cloud computing firms generally use specialist software to separate the data and computing of companies employing their services. The executive says that if this software fails, data hosted in the cloud environment could be vulnerable to attack.

More broadly, a lack of control over how data and processes are managed by third parties is a worry for risk managers. And with good reason: a November survey by the Ponemon Institute, a data protection think-tank, indicated that 59% of companies polled had suffered data compromise by third parties.

A contributing factor for the prevalence of breaches is the scope of third-party involvement across payroll, health insurance, cloud computing, credit analysis and many other services. An operational risk executive notes that hacks involving larger specialist vendors could result in many clients reporting a data breach.

Some risk managers also point out that fourth parties can introduce additional, unforeseen risk factors, and may not have the same rigorous risk management standards as the initial outsourced service provider.

Regulators are zeroing in on outsourcing, too. The European Banking Authority finalised outsourcing guidelines in February, with a view to providing a single framework for financial firms’ contracts with third and fourth parties.

Apart from the direct costs of third-party failure and the exposure to regulatory penalties, firms are aware of the reputational damage.

“Say a company gets fined for using child labour in Bangladesh,” says a senior operational risk manager at a North American bank. “They didn’t even know that because they outsourced their operations, and that third party outsourced again. It’s your reputation that’s on the line but it’s difficult to establish a line of sight.”

Financial institutions are also concerned about their reliance on crucial financial market infrastructure like trading venues and clearing houses. Unlike IT or payroll systems, these are services that are difficult if not impossible to replicate in-house – as banks have tried to do with some troublesome vendor relationships. Furthermore, successful trading venues and clearing houses typically achieve a critical mass of liquidity that makes it very difficult for viable competitors to thrive. Without a credible threat to walk away, banks lack the leverage to persuade service providers to supply information on data or cyber security practices that might allow risk managers to properly assess threats.

A similar scenario can exist when a small firm engages the services of a large contractor. The firm may struggle to convince a large vendor to hand over information on risk management practices, for example.

None of these issues look likely to abate in the next few years, and firms are set to continue relying on a complex web of external service providers. One global head of operational risk at a European bank is resigned to the risks posed by significant outsourcing practices.

“We can’t do everything ourselves. It’s something you have to manage.”

Top 10 op risks 2019: organisational change

By Risk staff | Features | 14 March 2019

Missteps during strategic change open up a grab-bag of different risks

Organisational change – sometimes called ‘strategic execution risk’ – refers to the variety of potential hitches that can occur in the midst of any transition: switching to a new system from an old one, new strategic objectives, adjustments to new management edifices, errors or just bad decisions. And so on.

The catalyst can come from any number of directions – mergers or acquisitions, divisional reorganisations, a strategic change in business mix. Unfortunately for financial firms, none of these are mutually exclusive; most are largely unavoidable.

Banks and buy-side firms are subject to the currents of consumer taste and the need to keep pace with rivals. Often, firms might be prompted into action by a shift in the nature of threats they face: witness cyber risk’s long journey from the domain of IT to the risk team. New regulation may also force change, requiring a company to divert resources, redeploy personnel or create new departments entirely – as in the case of the Fundamental Review of the Trading Book, for instance.

Problems arising during technology upgrades or changes are perhaps the most often mentioned risk in this threat category. For the head of operational risk at one UK challenger bank, it’s a dominant concern. The firm, which offers phone-based services only and has no physical presence, is part of a group of young financial companies for which one strategic execution misstep can be grave – if the bank’s app goes down, the bank effectively ceases to exist until the problem is fixed.

The advent of ‘open banking’ in the UK is the next big source of organisational change, argues the practitioner. The law allows regulated third-party firms access to customer data held by the UK’s nine largest banks, and is designed to increase the number and variety of personal banking applications and services available to consumers.

“As a consumer it’s nice, but you can see the underlying complexity from an architectural perspective of working to comply with these rules,” the executive says.

The directives create the potential for execution errors through the large-scale changes in IT, data and outsourcing that are coming, he says.

“There’s a danger of generating more risk, or new types of risks that haven’t been seen before, in this cross-bank data transfer and aggregation,” he adds.

The same is true of bigger-scope regulation, like the FRTB. Its adoption will prompt a realignment between banks’ trading desks and their risk functions by forcing the risk models banks use to more closely match the estimates generated by the risk team.

Internal-modeller banks will be required to have ready access to vast quantities of trade data – something they may not have at their fingertips, forcing them to share among themselves. There are numerous hurdles in doing so, however; firms that decide it’s not worth doing may have to face the hard reality of closing certain business lines in light of FRTB’s proposed capital requirements. The years-long slog on the FRTB has been an ongoing source of organisational risk angst.  

The growing complexity of the tech relied upon by financial firms goes hand-in-hand with the possibility of misfires. Where systems are complex and interconnected, the potential for damage in a messy software merger or in culture clashes at newly-created offices is proportionately larger.

“In the past, you had an IBM 360 mainframe and terminals. The architecture was very simple,” says the head of op risk at one European bank’s securities services arm. “Now you have servers all over the place, multiple cloud providers – the complexity of IT architecture is increasing.” 

Geopolitical rumblings can add to the difficulties in changes to a hierarchy or embarking on a new business strategy, says one risk professional. One senior op risk consultant says the atmosphere it produces can lead to dangerous operational missteps.

Brexit likely will offer loads of examples of this soon. With a disorderly exit by the UK from the European Union this month almost a certainty, banks and brokers are setting up new entities on mainland Europe at a breakneck speed that almost guarantees problems, some as simple as staffing up and resource management.

“With political and economic risk increased, especially by Brexit, the time available to handle change is squeezed,” she says. “That leads to potential errors in execution.”

Organisational change risk also rears its head when firms make hasty swerves to gain an edge over rivals, or to just keep up. Competition among big banks is nothing new, but established lenders, largely accustomed to trading blows with fellow giants, are now seeing increasing “pressure from below” – the world of bantamweight upstarts.  

Where in the past major firms all moved at a similar tempo, the market today is exploding with fintechs brazen in their aspirations to upend banking technologies and business models, and skewing their marketing to millennials. Among the so-called challengers are Metro Bank and the digital-only Monzo, both of which have shot forward.

An atmosphere that embraces change can help it go easier, though turmoil still can lead to strategy missteps.

“I don’t think employees aren’t accepting of change,” says an assistant vice president in op risk management at a US asset manager. “But the challenge is that there are so many change initiatives going on, and so many employees involved with multiple change initiatives as well as regular job activities. It’s managing these activities interspersed with day-to-day activities.”

So what does such widespread instability, such perpetual movement mean for a bank’s employees?

Exhaustion.  

“Change is good,” says the head of risk management at a US asset manager, “but the fact is, because it’s been going on for a series of years, it’s causing a sense of fatigue in the employees. That can have perverse impacts on organisation.”

Top 10 op risks 2019: regulatory risk

By Risk staff | Features | 14 March 2019

Money laundering and threats to personal data have regulators spooked

For the specialists who nail down regulatory requirements at banks, the first thing they need to know is what they’re supposed to do. This year, that will be a little more complicated.

Take the sizzling topic of money laundering. Amid a spate of incidents, the European Union in February produced its latest blacklist of 23 places at high risk of money laundering and terror financing, naming Saudi Arabia and US territories like Puerto Rico. About two weeks later, the EU’s member states – voting nearly as one – struck it down in the wake of a diplomatic furore. The EU’s next move is anyone’s guess, but regulators are starting to push hard.

“On AML [anti-money laundering], there are huge regulatory expectations there,” says one operational risk executive at an international bank.

Another question mark hangs over Europe’s General Data Protection Regulation (GDPR), which took effect last May and governs personal data relating to anyone in the EU. In the event of a breach, a business has 72 hours to report it to the local regulator; failures are subject to anything from warnings to fines peaking at €20 million ($22.5 million), or 4% of worldwide revenue, whichever is larger. Banks with so much as a toehold in Europe may be subject to it.

The budding field of regulation technology, or regtech, will continue to make inroads, with all the growing pains of new systems. The arrival of blockchain, and how it may be used in regulation, will continue apace.

This year, the usual complement of regulation plus roiling new issues placed regulatory risk in sixth position on Risk.net’s survey of top 10 risks.

Anti-money laundering compliance has taken centre stage since the Danske Bank Estonian episode came to light in 2017. As much as €200 billion in ‘non-resident’ money coursed through Danske’s modest Tallinn branch from 2007 to 2015.

Danske’s chief and chairman were ousted. The Danish financial regulator has imposed higher capital requirements, and the US Department of Justice has begun a criminal investigation. The European Banking Authority is looking into whether regulators in Denmark and Estonia were remiss. Estonia has ordered Danske to shut the branch.

More recently, the Troika Dialog ‘laundromat’ is alleged to have filtered $8.8 billion for Russian oligarchs and politicians into banks from Oslo to Istanbul. How far the network seeped into European banks is emerging day by day; how the EU will vouchsafe the integrity of banks over its large porous territory is unclear.

In the meantime, local regulators are scrambling to toughen standards and penalties. Without regional co-ordination, though, banks may wrestle with compliance.

The operational risk executive at the international bank says regulators worldwide are amping up on a number of fronts, like cyber and risk reporting. But money laundering is a priority.

“We have a huge programme in the group to try and comply with their requirements,” he says.

Fines for money laundering are way up. According to ORX News, between 2014 and 2017, fines in Europe and the UK totalled $214 million, and $1.96 billion in the US. By 2018, fines in Europe and the UK had jumped to $979 million and $1.3 billion in the US.

As with money laundering, data protection presents its own cross-thatch of requirements for banks spanning continents, beginning with the EU’s GDPR and its implications for privacy law.

Under GDPR, no consumer should be subject to a solely automated decision that “produces legal effects concerning him or her, or similarly significantly affects him or her”. One interpretation holds that it prohibits banks from making automated decisions that would affect a customer without their explicit permission; another is that those decisions can proceed without the person’s consent if they were part of a contract or if it is required by local law.

“There are so many privacy regulations that raise issues from a regulatory risk standpoint. It’s a patchwork of regulations at the state and federal levels,” says an operational risk executive at a second North American bank.

GDPR’s fines may be bringing more breaches to light. At the Financial Conduct Authority in the UK, reported breaches were up nearly fivefold last year, according to research by the UK law firm RPC.

Another evolving area is regtech. Besides automating reporting and compliance, it might be used to identify changes to rules and regulations across multiple jurisdictions – it might even proactively check for compliance before a transaction is executed.

Even regulators are looking at its uses. The FCA and the Bank of England launched a pilot programme in 2018 with several large UK banks to evaluate machine-readable and -executable regulatory reporting. The goal is to improve accuracy in reporting, get regulatory changes moving faster and cut compliance costs.

The US Commodity Futures Trading Commission is on board. Chairman Christopher Giancarlo waxed digital in a speech last November, veering into a related topic: blockchain, or distributed ledger.

“We envision the day where rulebooks are digitised, compliance is increasingly automated or built into business operations through smart contracts, and regulatory reporting is satisfied through real-time DLT [distributed ledger technology] networks.” He added: “The machines here at the CFTC would have the ability to communicate regulatory requirements and consume and analyse the data that comes in through such systems.”

Regulators have also warned however that blockchain raises a host of legal and regulatory issues. The CFTC has a tech advisory committee studying distributed ledger and cryptocurrencies.

But regulatory risk continues to involve the usual complement of acronyms and shorthand: FRTB (Fundamental Review of the Trading Book), Mifid II (revised Markets in Financial Instruments Directive), CECL (Current Expected Credit Loss) and the big tent of Basel III.

CECL, and how it will be included in stress tests, may be the most debated new regulation. The rule, which goes into effect from the beginning of 2020, will require expected losses over the lifetime of loans be recognised at the time loans are booked. At present, losses are recognised only after a loan has begun to deteriorate. The US Federal Reserve has said it will not require CECL in stress tests until 2022.

Top 10 op risks 2019: data compromise

By Risk staff | Features | 14 March 2019

Big data provides big target for hackers, as banks wrestle with risk of monetary and reputation loss

The threat of data loss through cyber attack, combined with an awareness among managers that defences are vulnerable, has made data compromise a perennial concern for op risk managers. But the advent of strict new regulation has intensified those fears, helping propel the category to the top of our annual survey for the first time.

Risk managers are discovering that big data – or the aggregation and cross-referencing of multiple sources of information – can play an important part in fraud detection and anti-money laundering efforts. But big data’s principal advantage may also be its greatest vulnerability. Collecting many datasets and storing them in one place presents a single, tempting target for hackers.

Companies have responded by breaking up the data and storing it across several locations in an effort to reduce the potential loss from a single breach. A risk practitioner comments: “You have to assume hackers will get through and what do you do then? It can be just making sure you are storing data in several places, splitting your data so [hackers] getting into one file won’t get what they need. And obviously encrypt the data; unencrypted data stored in one place is easy pickings.”

Mandates to centralise large amounts of data at trading venues and regulators threaten to exacerbate the problem. For example, hackers obtained releases containing price-sensitive information from the US Securities and Exchange Commission’s Edgar system in 2016, and used them to make millions through insider trading, according to an official report.

The EU’s Mifid II markets regime requires trading platforms and investment firms to collect personal information on the counterparties to every trade – not just a potential privacy issue, but a new and worrying point of entry to would-be hackers. As the data is passed from firm to platform and from platform to regulator, it becomes exposed to attack.

Using workarounds such as anonymous identifiers is not a perfect solution either. Risk managers point out that if regulators hold the plaintext names and information as well as the identifiers, it could break data protection laws, while if they do not they will be forced to contact firms to request details of customers corresponding to suspicious identifiers, potentially alerting them to an investigation. Furthermore, there is still no common standard for the format of anonymous customer identifiers.

Nor should banks assume that government agencies are immune to data compromise: in a notable third-party data leak of 2019, a Dutch security researcher discovered that a subcontractor to the Chinese government had accidentally exposed details of the country’s use of facial recognition.

Some banks are taking advantage of the new market in cyber crime to adopt a more proactive defensive strategy. Cyber criminals use the unindexed “dark” web to offer stolen data for sale. By monitoring this black market, institutions may gain advance warning of attacks, or even discover stolen data whose theft had gone unnoticed.

An active defence should also include penetration testing, both online and physical. Often the critical weakness in a cyber security plan exists, as IT managers put it, between chair and keyboard. In a landmark case in October 2018, US authorities fined fund manager Voya Financial $1 million after a security breach allowed hackers to steal the personal details of thousands of customers. The hackers gained access by making repeated phone requests for password changes, pretending to be Voya subcontractors. Resetting the passwords was explicitly banned by Voya’s policies, but its employees did it nonetheless.

The case was the first enforcement action under the SEC’s Identity Theft Red Flags Rule (Regulation S-ID), adopted in 2013, which requires firms to maintain written programmes for identifying and responding to warning signs – “red flags” – of identity theft. Voya’s op risk head Gus Ortega says: “Classifying, categorising and maintaining customer data is one of our concerns.” And assistant vice-president of op risk management, Beth Bramlett, adds: “There is more interest in data protection plus the fact that when [breaches] happen it’s quickly disseminated in social media.”

In Europe, the General Data Protection Regulation, in force since May 2018, aims to tighten consumer safeguards around data disclosure. No enforcement action has yet used the full scope of the penalties – the regulation allows fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher – but companies are wary of a sizeable additional loss associated with, for example, a major data breach caused by negligence.

In one early enforcement action, France’s data protection authority, CNIL, fined Google €50 million ($56.5 million) in January 2019, not for a breach but for failing to give users clear information about, and obtain valid consent for, the processing of their data for personalised advertising.

Other areas of GDPR have attracted less attention but still pose significant operational risk. Companies must give individuals access to their own data, including the right to have it corrected or, in some cases, erased; and they must notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to the individuals concerned.

Fear of reputational damage is one likely reason companies fail to report cyber events. The resulting lack of data makes modelling difficult, not just for internal risk management but also for insurance pricing, and the total cover provided by cyber insurers still falls far short of the estimated size of the threat.

There are grounds for optimism that the largest banks are tightening their processes for protecting sensitive data held in-house, respondents to Risk.net’s survey said. One risk practitioner comments: “In small retail firms, I would imagine client credit card data is more vulnerable. I want to think that big banks have this under control more or less [but] we see chinks in their armour sometimes.”

But organising in-house defences is only part of the battle. Third parties and contractors can present a sizeable risk to banks. For example, US credit union ASI Federal outsourced cash management to a third party, which itself employed a contractor for transportation. When $1.4 million went missing during transit, ASI attempted to recover the funds under the contractor’s insurance policy, but a 2018 court ruling blocked the move.

As financial institutions grapple with the various aspects of cyber-driven data compromise risk – the potential losses to fraud from impersonation or account takeover, and the reputational damage associated with a large and public failure of data security – op risk managers must sharpen their response to the risk of data compromise.

Top 10 op risks 2019: mis-selling

By Risk staff | Features | 14 March 2019

Concern over sales practices remains amid economic and political uncertainties

Mis-selling drops a few places in this year’s top 10 op risks, reflecting a belief (or perhaps a shared hope) among risk managers that the era of mega-fines for crisis-era misdeeds at US and European banks might finally be over. They would do well to check their optimism, however: as the recent public inquiry into Australia’s financial sector, which has excoriated the reputation of the nation’s banks, shows, another mis-selling scandal is never far away.

Firms have shelled out a scarcely credible $607 billion in fines for conduct-related misdemeanours since 2010, the bulk of them fines and redress over mis-selling claims. The heaviest losses came in 2011 and 2012, when most of the penalties for mis-selling of products ranging from residential mortgages to payment protection insurance (PPI) were concentrated.

Costly settlements on related lawsuits can linger for years after the event. In December 2018, Wells Fargo reached a $575 million deal with the US attorney general to resolve claims in all 50 states over misconduct – partly to cover its 2016 ghost account scandal, in which unauthorised accounts were opened for thousands of customers, making it in part an internal fraud loss, but also for charging consumers for unnecessary auto insurance and mortgage fees.

Wells’s peers feel its pain – and are taking the bank’s struggles as a salutary lesson.

“Since the Wells Fargo issue, we’ve been spending a lot more time on sales practices. This could happen anywhere. If I tweak compensation plans, or make targets too aggressive, all those things drive humans to behave in different ways, not always desirable,” says a senior op risk manager at a North American bank.

The tone set by those at the top of an organisation is frequently cited as one of the primary forces behind a strong risk culture, as is the importance of sufficient risk management experience in order for bank boards to hold managers to account. Yet two benchmark analyses conducted by Risk.net in the last 12 months reveal a paucity of hard-earned risk management expertise on board risk committees among US and European banks and Asia-Pacific banks.

The cumulative impact of fines and settlements has taken a huge toll on bank capital. As a recent Risk Quantum analysis shows, op risk now accounts for one-third of risk-weighted assets (RWAs) among the largest US banks, while UK lenders still face hefty Pillar 2 capital top-ups from the Bank of England, largely as a result of legacy conduct issues.

Under the advanced measurement approach to measuring op risk capital that most US banks use, sizeable op risk losses can heavily skew a model’s outputs. But from a capital point of view, there are hopeful signs that with the severity and frequency of losses decreasing, RWAs are starting to see a gradual roll-down for most banks – although the US Federal Reserve has privately made clear it will not sign off any more changes to bank op risk models, leaving their methodologies frozen in time.

Banks will be hopeful that, by the time the new standardised approach is fully implemented in the mid-2020s, some legacy losses will have begun to roll off the model’s 10-year lookback period – a possible driver for some European banks, such as Barclays and BNP Paribas, adopting the model early.

In the UK, banks will certainly breathe a sigh of relief after the final deadline by which consumers can claim redress for PPI mis-selling passes in August 2019. The Financial Conduct Authority has estimated the total paid out in compensation to customers who complained about the way they were sold PPI reached £4.2 billion ($5.6 billion) in 2018, taking the amount paid since January 2011 to £33.8 billion.

As of last August, ORX News had recorded payments or provisions of over £47 billion by UK banks in relation to mis-sold PPI, with several upping provisions last year. Lloyds, for example, has provisioned a further £2.2 billion for payouts, despite having given guidance that the £1 billion it set aside in 2016 was its “last big PPI provision”.

2018 was also the year the UK’s largest banks reached settlements with US regulators over the crisis-era sale of mortgage-backed securities. RBS finally reached an eye-watering $4.9 billion settlement with the US Department of Justice in May. Barclays had faced a similar-sized settlement – but its decision to fight the claim and willingness to see the DoJ in court perhaps helped it secure a lighter $2 billion penalty in March. Latterly, HSBC agreed to a $765 million settlement in October.

Plenty of other scandals linger, though. Another episode of mis-selling that came to light in recent years saw savers in the UK wrongly advised by financial firms to give up their company pension by transferring their defined benefit pension plan into a cash lump sum or a riskier personal pension. Data from the UK’s Financial Services Compensation Scheme showed that payouts to clients who were misled rose to £40 million in 2018 from £20 million in 2016.

The UK’s Financial Conduct Authority warned in a December note on pension transfer that it “will not hesitate to take action against any firm that continues to present harm to consumers”.

While Australian banks emerged relatively unscathed from the 2008 global financial crisis, they too are now feeling the sting of public ire following a series of mis-selling and conduct-related scandals. A subsequent inquiry into the conduct in the country’s financial sector has shown Australia’s lenders to be no better than their fee-chasing global peers when it comes to adequately managing and checking the risk of misaligned incentives around sales practices.

Commonwealth Bank of Australia, for example, sold credit card insurance to 64,000 customers who were ineligible to claim because they did not meet the policy’s employment criteria, including students and pensioners. Last March, the nation’s largest lender set aside about A$16 million (US$11.3 million) to compensate an estimated 140,000 customers of its credit card and personal loan protection insurance.

The scandal claimed the scalp of chief executive Ian Narev in 2018, and dealt a severe blow to the bank’s reputation. However, the Royal Commission inquiry it helped spark had far wider ramifications beyond the bank. Once the final report landed last month, few of Australia’s large financial institutions escaped censure, guilty of a grim parade of misdemeanours that included paying cash bribes to branch staff as an incentive to hit quarterly targets, as well as selling life insurance policies to long-dead customers.

The fallout from the report is still being felt, with National Australia Bank announcing on February 7, 2019, that its chief executive Andrew Thorburn and chairman Ken Henry would both step down.

Banks are not out of the woods yet. The Australian Securities and Investments Commission has launched a review on banks’ mis-selling of credit cards, with assurances from lenders that they will take “proactive steps” to help redress consumers.

As the episode highlights, a bumper crop of mis-selling claims is never far away for banks. A global economic slowdown would raise the stakes: when products fall in value or expire worthless, investors are more readily persuaded that they were mis-sold.

In this regard, Brexit could add a new dimension to mis-selling fears, argues one senior London-based op risk manager for a global bank, with the possibility of markets plummeting – leading to structured products underperforming. In the event of a stagflation crisis, the Bank of England could be forced to intervene and raise interest rates to prop up the pound, forcing up rates on mortgage products, and helping fuel claims that such products were sold to borrowers without sufficient checks that they understood how they worked.

In the event of a disorderly Brexit, there is also the added complexity of banks potentially facing claims of having sold products to investors without the correct documentation or in a jurisdiction where they are no longer permitted to do business, following the loss of automatic regulatory passporting with other European Union nations.

Top 10 op risks 2019: IT failure

By Risk staff | Features | 14 March 2019

Worries amplified by conspicuous mishaps and regulators’ new focus on operational resilience

Though usually overshadowed by its attention-grabbing cousin – the threat of a cyber attack – the risk of an internal IT failure is never far off risk managers’ minds. When such failures happen, their financial, reputational and regulatory consequences can easily rival the damage from high-profile data theft.

It is probably no coincidence that the danger of a self-imposed IT debacle is the third-largest operational risk in the Risk.net 2019 survey: it follows a year in which a botched system migration cost UK bank TSB more than £300 million ($396 million) in related charges and an unknowable sum in lost customers.

And it’s a risk that is only likely to grow in importance.

“The more we interconnect, the more we have online banking and direct [digital] interaction between our clients and ourselves – the more IT structures can be disrupted,” says a senior op risk executive at a major European bank, summing up a view expressed by several risk managers.

Both firms and regulators are erecting defences.

For some firms, IT risk – whether from internal or external sources – calls for its own risk specialists.

“We’ve overlaid a dedicated risk management team over IT,” says an operational risk manager at a large US provider of financial services. “We’re focusing on app development risk, cyber risk and hardware failures, and we’re prioritising remediation activities.”

The Basel Committee on Banking Supervision, meanwhile, is coordinating various national and international efforts to improve cyber risk management. Last year it set up the Operational Resilience Working Group – its first goal has been “to identify the range of existing practice in cyber resilience, and assess gaps and possible policy measures to enhance banks’ broader operational resilience”, the committee said in a November 2018 document.

On a national level, operational resilience – including against IT failures – is an area of focus for the Bank of England. The central bank defines it as “the ability of firms and the financial system as a whole to absorb and adapt to shocks”. In July it published a joint discussion paper on operational resilience with the UK’s Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA).

In a key statement, the paper said UK firms and financial market infrastructures may need to set out how quickly they will resume operations after a disruptive event, specifically for services such as transferring funds between accounts, the processing of mortgages and collateral management.

Speaking at the OpRisk Europe conference in June, the PRA’s deputy chief executive was more explicit. “It is likely that the FPC will set a minimum level of service provision it expects for the delivery of key economic functions in the event of a severe but plausible operational disruption,” said Lyndon Nelson, referring to the central bank's Financial Policy Committee.

Nelson also highlighted his personal expectations for what firms should do to withstand and recover from disruptions. They included “viable, tested” contingency plans for the resumption of critical functions and effective communication, both internally and externally, during inevitable incidents.

The plans and expectations outlined by Nelson are already having a far-reaching impact. For example, the European head of op risk at a North American bank says that after hearing him speak at the conference he immediately flew back to the bank’s head office to convene a meeting of its senior management, in order to assess the firm’s operational resilience according to the criteria set out by Nelson.

Such an assessment may have also limited the damage from TSB’s gigantic IT failure last year.

In April 2018 TSB attempted to move the records of around 5.5 million customers from Lloyds, its previous parent, to the system of Sabadell, which bought TSB in 2015. But the migration tripped over software faults, resulting in problems with online and mobile banking that lasted weeks. Customers reported being unable to access their accounts, seeing incorrect balances and in some cases being shown the details of the wrong customer altogether.

Fighting to keep customers from jumping ship, the bank waived fees and overdraft charges for March and April 2018 and raised the interest rate on current accounts. Eventually, in its full-year results published in February this year, TSB disclosed a £330 million charge in costs related to the incident, covering customer redress, advisory expenses and other operational losses.
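A reconciliation check of the kind that would catch the failure modes TSB’s customers reported (accounts missing, balances wrong, one customer’s details shown under another’s identifier) before a migration is declared complete. This is an added example, not TSB’s, Sabadell’s or Lloyds’ tooling; it assumes both source and target platforms can export customer records as (customer_id, name, balance_pence) rows, and the records are constructed for illustration.

```python
"""Post-migration reconciliation (added example, not TSB's, Sabadell's or
Lloyds' tooling).

Assumes the source and target platforms can each export customer records as
(customer_id, name, balance_pence) rows. Records below are constructed.
"""
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Set


@dataclass(frozen=True)
class Record:
    customer_id: str
    name: str
    balance_pence: int


def fingerprint(r: Record) -> str:
    """Hash of the non-key fields. In production include more fields
    (address, date of birth, account numbers) so unrelated customers with
    the same name and balance do not collide."""
    return hashlib.sha256(f"{r.name}|{r.balance_pence}".encode("utf-8")).hexdigest()


def reconcile(source: Iterable[Record], target: Iterable[Record]) -> Dict[str, list]:
    src = {r.customer_id: r for r in source}
    tgt = {r.customer_id: r for r in target}
    # Which source customers own a given content fingerprint.
    owners: Dict[str, Set[str]] = defaultdict(set)
    for r in src.values():
        owners[fingerprint(r)].add(r.customer_id)

    findings: Dict[str, list] = {
        "missing": [], "extra": [], "cross_linked": [],
        "balance_mismatch": [], "other_mismatch": [],
    }
    for cid, s in src.items():
        t = tgt.get(cid)
        if t is None:
            findings["missing"].append(cid)
            continue
        fp = fingerprint(t)
        if fp == fingerprint(s):
            continue
        # Content under this id belongs to a different source customer: the
        # "shown the wrong customer's details" failure.
        if owners.get(fp) and cid not in owners[fp]:
            findings["cross_linked"].append((cid, sorted(owners[fp])))
        elif t.balance_pence != s.balance_pence:
            findings["balance_mismatch"].append((cid, s.balance_pence, t.balance_pence))
        else:
            findings["other_mismatch"].append(cid)
    findings["extra"] = [cid for cid in tgt if cid not in src]
    return findings


def migration_ok(findings: Dict[str, list]) -> bool:
    """Go/no-go gate: cut over only when every finding list is empty."""
    return not any(findings.values())


# Constructed exports. C002's id carries C003's content; C003's balance moved;
# C004 never arrived; C005 appeared from nowhere.
SOURCE = [Record("C001", "Alice", 12500), Record("C002", "Bob", -4000),
          Record("C003", "Carol", 98000), Record("C004", "Dan", 100)]
TARGET = [Record("C001", "Alice", 12500), Record("C002", "Carol", 98000),
          Record("C003", "Carol", 99000), Record("C005", "Eve", 0)]
```

The point of the content fingerprint is that a row-count match and a per-customer balance check would both pass the cross-linked case: the record exists and carries a plausible balance, just somebody else’s. Running the gate against the real exports, and refusing to cut over until it is clean, is the kind of planning the paragraph above suggests was missing.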

Equally, better planning may have helped US bank BB&T. An IT outage in February 2018 cost it about $20 million in lost revenue and non-interest expenses, partly resulting from waived fees.

The reputational fallout from such mishaps is less easily quantifiable. What is certain is that social media now magnify it.

“Reputational damage spreads quicker as a result of social media,” says an op risk veteran. “And it increases the risk of customers switching away from a bank.”

The reputational risk is probably what is keeping firms from reporting all technical failures. According to the FCA, more incidents than ever are being reported but some remain under the radar.

If the trend continues and firms become more transparent, the risk of IT failures will loom even larger in the minds of risk managers across the industry.

Top 10 op risks 2019: Brexit

By Risk staff | Features | 14 March 2019

UK departure from European Union could result in “every operational risk you’ve ever seen”

Brexit covers such a wide range of possible risk events that some participants in this year’s survey disputed whether it should be included as a standalone chapter at all; but a significant number argued strongly that it should, with its collective drivers likely engendering a common set of specific risks for banks and financial firms for years to come.

At the time of writing, the UK is a fortnight away from leaving the European Union, although speculation about a delay ranging from two months to two years is growing. Nor is there any clarity on the state of the UK-EU relationship after the March 29 deadline. Anything from a long delay or a cancellation to an abrupt “no-deal” crash exit remains possible; this may have changed by lunchtime on the day this article is published.

Many financial firms whose business is affected by Brexit have given up waiting for lawmakers to finalise negotiations over the terms of the split and are pushing ahead with contingency plans. Banks and brokers are setting up new entities in mainland Europe, a process that is fraught with operational risk, particularly given the accelerated timescale for its completion.  

Third-party risk from new supplier relationships; legal risk from repapering numerous financial contracts; people risk from hiring and training new personnel; these and other effects of the relocation will put additional strain on the operational resilience of companies.

Particularly in the case of a Brexit with no deal, industry practitioners fear a general increase in stress on almost every aspect of operations. One survey respondent points out: “If you have a hard Brexit, how resilient are your operation processes in terms of new requirements? If you think about it, overnight you go into new tariff regimes. So you have a portfolio with every operational risk you’ve ever seen.”

For firms active in the derivatives markets, switching swaps portfolios from London to subsidiaries elsewhere in the EU – such as Dublin or Frankfurt – has proved troublesome, as UBS and Barclays have discovered. Other banks are waiting to migrate portfolios, but the novation process is shrouded with uncertainty.

In November, the EU granted temporary equivalence to UK clearing houses in the event of a no-deal exit. As London’s LCH clears more than 95% of euro-denominated interest rate swaps, the deal is vital to safeguard activity in over-the-counter derivatives markets. But the arrangement only lasts for 12 months, and does not include EU derivatives traded on UK exchanges, raising doubts over this key activity.

Disruption to banks’ ongoing use of derivatives could threaten financial stability, a consequence that regulators are at pains to avoid. To this end, UK and US authorities have put an agreement in place to maintain transatlantic derivatives trading under any form of Brexit.

Cross-border data sharing between the UK and EU would also continue after Brexit, even after a crash exit, under memoranda of understanding signed between the UK Financial Conduct Authority and European Securities and Markets Authority. But market infrastructure firms such as Six have warned of serious operational problems, in particular with regard to trade data repositories.

Another respondent to Risk.net’s survey has concerns over data sharing, among others: “Brexit has the potential to cause serious disruption across the industry, both from a financial and non-financial risk perspective. Specifically, the impact on data sharing and outsourcing across the EEA could result in disruption.”

More specifically, cross-border movement of personal client information between counterparties, and between dealers and their clients, could face problems. Andrew Bailey, FCA chief executive, warned in late February that time had already run out for UK financial companies to prepare for a no-deal Brexit, and singled out data protection as an area of particular concern. Clients were reluctant to repaper existing contracts with FCA-recommended clauses that would allow personal data to move across the EU’s border.

“Firms are finding on a number of issues that many of their clients, when it comes to contract repapering, tend to want to sit tight and see what the politics delivers. So there is a tension here frankly,” Bailey said. “Firms are saying it is hard to get clients to engage, even though they know what to do and we have explained to them it is not that painful.”

There are other risks as well. A crash exit would mean that EU nationals would lose the automatic right to live and work freely in the UK, and vice versa. Even the rights of current residents have not yet been secured by law. Key person risk – existing staff may have to leave or relocate – is combined with a reduced recruiting pool for both UK and EU institutions, and problems transferring existing employees between the UK and the EU after Brexit.

Worst of all, op risk managers say privately, employing more people in Europe and fewer in London means greater exposure to Europe’s less flexible labour markets, which, bluntly they say, make it harder to sack underperforming employees. One of the UK’s attractions for international banks is the ability to make mass redundancies relatively easily.

UK government impact assessments predict that any form of Brexit will lead to economic damage compared to the UK remaining in the EU, and this, too, will present operational risks. Just as risk management, compliance, legal and personnel departments are caught up in dealing with the regulatory and operational changes, upheavals in international trade and an economic downturn will increase the opportunities and motives for fraud and other financial crime.

Risk necessarily involves a degree of uncertainty, but the scale and range of Brexit-related unknowns is causing anxiety for op risk managers. “If you think about regulations, you will get a discussion paper, you will have reviews, you will know what changes you need to have and the deadline. Typically you know the date you have got to be ready for,” one says. “With Brexit what makes it different is not being certain.”

Top 10 op risks 2019: data management

By Risk staff | Features | 14 March 2019

GDPR fuels fears of mega-fines for data-handling missteps

A conversation with any op risk manager will land, sooner or later, on the issue of data management. It could be concerns about data quality, particularly of historical data stored on legacy systems – which carries with it problems such as format and reliability. Or it could be the risk of missteps when handling customer data – inappropriate checks on storage, use or permissioning – that now come with the added threat of eye-watering fines from regulators.

Taken together, it’s no surprise that data management has made it into the top 10 op risks as a discrete risk category for the first time this year. It is considered separately from the threat of data compromise, where data breaches share the common driver of a malicious external threat.

Much of the impetus behind firms’ drive to beef up standards around the storage and transfer of personal data stems from the tightening of regulatory supervision on data privacy and security around the world – most obviously, the European Union’s General Data Protection Regulation (GDPR), which came into force in May last year. Firms operating within the EU or holding data on people in the EU – which puts just about every firm around the world in scope, to some degree – may be heavily fined for falling foul of the regime, for instance, by retaining and using personal data without a valid legal basis, such as the individual’s explicit consent.

National regulators are empowered to weed out non-compliance. The UK’s Information Commissioner’s Office, for example, has already issued a number of six-figure fines for data protection breaches, although the best known of them, the £500,000 levied on Facebook over Cambridge Analytica’s misuse of its users’ data, was imposed under the previous Data Protection Act 1998 because the conduct predated GDPR; the far higher maximum penalties of the new regime remain untested in the UK.

Those are the headline risks of infringement, though. The subtleties run far deeper, as financial firms are only just starting to learn. For instance, Article 22 of GDPR gives individuals the right not to be subject to a decision based solely on automated processing that has legal or similarly significant effects on them – a credit decision, for example – and, where such processing is permitted, the right to obtain human intervention and contest the outcome. That potentially scuppers the work of many banks looking to cut costs and improve the customer experience by fully automating processes such as credit card approvals with machine learning techniques.

As data management and compliance headaches multiply, the financial sector is pushing to use machine learning to augment the modelling of everything from loan approvals to suspicious transactions. In one sense the methods reduce the scope for human error. But dealers acknowledge that a model’s predictive power leaves it open to unethical bias: it may inadvertently discriminate against certain customer groups because the bank’s historical data shows a higher rate of non-payment among other customers who share some attribute, such as a postcode, that acts as a proxy for a protected characteristic the model was never explicitly given.
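The two problems above, a proxy feature that lets a model discriminate without ever seeing the protected attribute, and the Article 22 requirement for a route to human intervention, as an added example. This is not any bank’s production code: it assumes a decision log of (customer_id, group, postcode, approved) rows in which the group is recorded for monitoring only and is never a model input, and the rows are constructed so that postcode tracks group exactly.

```python
"""Fairness check and human-review gate for an automated credit model
(added example, not any bank's production code).

Assumptions: a decision log of (customer_id, group, postcode, approved),
where `group` is a protected attribute the bank records for monitoring
only and never feeds to the model. Rows are constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

Decision = Tuple[str, str, str, bool]

# Constructed sample: postcode perfectly tracks the group, so it is a proxy.
DECISIONS: List[Decision] = [
    ("c01", "A", "N1", True), ("c02", "A", "N1", True), ("c03", "A", "N2", True),
    ("c04", "A", "N2", True), ("c05", "A", "N3", False),
    ("c06", "B", "E1", True), ("c07", "B", "E1", False), ("c08", "B", "E2", False),
    ("c09", "B", "E2", False), ("c10", "B", "E3", True),
]


def approval_rates(decisions: List[Decision]) -> Dict[str, float]:
    """Share of applicants approved, per monitored group."""
    approved: Dict[str, int] = defaultdict(int)
    total: Dict[str, int] = defaultdict(int)
    for _, group, _, ok in decisions:
        total[group] += 1
        approved[group] += int(ok)
    return {g: approved[g] / total[g] for g in total}


def disparate_impact(decisions: List[Decision], threshold: float = 0.8
                     ) -> Tuple[Dict[str, float], List[str]]:
    """Four-fifths rule: each group's approval rate divided by the best-treated
    group's rate; any group below the threshold is flagged for investigation."""
    rates = approval_rates(decisions)
    best = max(rates.values())
    ratios = {g: r / best for g, r in rates.items()}
    return ratios, sorted(g for g, ratio in ratios.items() if ratio < threshold)


def proxy_strength(decisions: List[Decision]) -> float:
    """How well postcode alone predicts the group. A value near 1.0 means the
    model can discriminate on the group without ever being shown it."""
    by_pc: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for _, group, pc, _ in decisions:
        by_pc[pc][group] += 1
    majority = {pc: max(groups, key=groups.__getitem__) for pc, groups in by_pc.items()}
    hits = sum(1 for _, group, pc, _ in decisions if majority[pc] == group)
    return hits / len(decisions)


def route(decision: Decision, solely_automated: bool = True) -> str:
    """Article 22 safeguard: an adverse decision made solely by the model is
    sent to a human reviewer before the customer is told."""
    _, _, _, approved = decision
    if not approved and solely_automated:
        return "human_review"
    return "auto"
```

Note that the model in this log never sees the group attribute, yet group B is approved at half the rate of group A and the postcode predicts group with certainty: dropping the protected attribute from the inputs does not make the model fair, which is why the monitoring data has to be kept, under appropriate controls, rather than deleted.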

The threat of a disorderly exit by the UK from the EU could add a further element of complexity. Some UK financial institutions, including Ice Clear Europe, a London-based clearing house, have voiced concern over the potential for inadvertent missteps should the firm become a third country under GDPR when the UK leaves the union – meaning the transfer of personal data from EU organisations to organisations in the UK would be subject to strict data-transfer rules.

In the event of a no-deal Brexit, “if an EU27-based clearing member has not already put in place safeguards called for by the GDPR with respect to transfer of personal data from that member to Ice Clear Europe, that clearing member could violate the GDPR if it continued to transfer personal data to Ice Clear Europe”, the central counterparty said in a recent regulatory filing.

In Asia, where data privacy laws are much more localised, some jurisdictions are more restrictive still: the definition of personal data under many existing legal frameworks is broad enough to include all information generated by the banking sector, including transaction data from trades, which makes transferring such data between institutions, let alone between jurisdictions, a compliance minefield.

Op risk and compliance managers’ role in ensuring data is collected responsibly, made secure and put to good use has become increasingly important. Often, however, these efforts are duplicative and frustrating. Estimates on the quality of data governance within banks paint a bleak picture: only about 30% of banks have a coherent data strategy in place, a recent McKinsey survey revealed.

“We realised recently that internally we have a lot of people working on getting, storing, cleaning, using and reporting on our data. We don’t have a holistic approach to our data, and [we] want to start thinking about what our data governance should be and how to prioritise efforts to change the status quo,” says the head of enterprise risk at a large US insurer.

Some banks are using a patchwork of legacy systems, often outdated and requiring proper maintenance – a senior UK regulator last year described the job of senior technologists as more akin to that of “archaeologists” at some firms – to produce data that must be aggregated for the purpose of calculation and valuation of exposures, as well as for producing regulatory reports and internal documents.

The risk of data becoming trapped and useless in different operational silos is exacerbated by the vast volumes of structured and unstructured data that banks hold. Firms are increasingly realising the use of legacy systems presents a variety of challenges and risks, ranging from operational inefficiencies to security and compliance risk.

Although dealers were given until January 2019 to achieve compliance with the data management principles set down by the Basel Committee on Banking Supervision under BCBS 239, there’s still widespread uncertainty about what full compliance looks like, and how regulators will enforce it.

But poor data management has consequences for everyday compliance exercises, such as filling in mandatory quarterly risk control self-assessment forms to the satisfaction of regulators. Banks “are missing robust data management processes to ensure that data is reliable, complete and up to date, and that reports can be generated [in a timely manner]”, the head of op risk at one Asian bank tells Risk.net.
