# Revised Basel output floor could hit US banks after all

By Joanna Wright, Louie Woodall, Philip Alexander | News | 18 January 2018

Fall in operational risk weights could push up capital requirements for market and credit risk

US banks are being warned the floor on internal capital models already enforced by the US Collins Amendment to the Dodd-Frank Act will not necessarily prevent the new Basel floor from having an impact on their capital consumption.

US regulators had consistently shown far greater enthusiasm for the Basel output floor, finalised on December 7, under which banks must hold enough capital to meet 72.5% of all risks calculated using the standardised approaches.

European regulators suspected this was driven partly by competitive concerns among US firms who already face the Collins floor. The US rules, finalised by prudential regulators in 2013, require banks to hold enough capital for 100% of market and credit risk-weighted assets (RWAs), as calculated under the standardised approaches. But the Collins floor excludes operational risk and credit valuation adjustments (CVA).

Several banks contacted by Risk.net say they do not expect the Basel floor to affect them, because they already comply with the Collins floor. But a source at a US industry body warns against being too complacent over what he calls “conventional wisdom”.

###### We are trying to figure out the maths and understand the impact. But it may not be magically true that the 72.5% Basel output floor doesn’t matter to US banks because of the Collins floor

A source at a US industry body

“We are trying to figure out the maths and understand the impact. But it may not be magically true that the 72.5% Basel output floor doesn’t matter to US banks because of the Collins floor, because it’s 72.5% of a larger numerator. Now that the Basel floor has come out and it’s relative to the whole kitchen sink of standardised models, it’s quite possible it could be the case that it does matter,” says the source.

Crucial to the eventual impact for US banks is the change in the methodology for calculating operational RWAs, which was also included in the December 7 package. Since op risk is excluded entirely from the Collins floor, the amount of capital that banks hold against it naturally offsets the 100% floor.

Therefore, the larger the op risk RWAs as a share of the total, the lower the effective floor on credit and market RWAs (see table A).

Céline Choulet, a banking economist at BNP Paribas, says Collins has translated into an average effective standardised floor of 75% for US banks that are approved to use internal models – currently 10 banks, with another five under consideration by regulators.

“Neither the standardised requirement on operational risk nor CVA has been transcribed into US law. In other words, no capital charge is explicitly required to cover these two types of risk in the standardised US approach whereas, on average, operational risks alone account for nearly 30% of total RWAs under the advanced approaches,” says Choulet.

### Op risk surprise

Under the new Basel rules, op risk and CVA can only be calculated using the standardised approaches. This means an effective floor of 100% for those risk categories, which again reduces the effective floor imposed on market and credit risk.

According to calculations by Thomas Obitz, founder of consultancy RiskTransform, for the same level of op risk, the effective Basel floor for market and credit risk is lower than the effective Collins floor until the total amount of op risk rises above about 30% of total standardised RWAs (see table B).

For two US global systemically important banks (G-Sibs), current op risk exceeds 30% of total standardised RWAs (see figure 1).

However, the two floors are not yet directly comparable. Since banks using the advanced modelled approach (AMA) for op risk do not currently report the standardised output, it is impossible to calculate exactly where the Basel floor would fall.

The methodology for op risk will change completely with the removal of AMA by the Basel Committee. The Basel quantitative impact study, also released on December 7, showed the potential for a significant reduction in op risk RWAs – averaging 30% – for the world’s largest banks due to the introduction of the new standardised measurement approach (SMA).

This means a bank with AMA op risk at 25% of total RWAs (including standardised credit and market risk outputs) under the Collins floor would need to calculate the potential impact of the new Basel floor based on an assumption that op risk could fall to around 17.5% of total standardised RWAs. This would bring the biting point of the two floors much closer together.

By contrast, the impact of CVA is less of a concern. It is normally the smallest component of RWAs and some US banks already incorporate CVA into credit risk numbers. The new standardised approach for CVA is expected to lead to higher rather than lower outputs, which means it will not cause a rise in the effective floor for market and credit risk.

### Floored by lawmakers

Even if US regulators believe the Basel floor will not penalise US banks, the attitude of lawmakers to implementing further Basel reforms is highly uncertain at present.

Lee Reiners, director of the global financial markets centre at Duke University and a former bank supervisor at the Federal Reserve Bank of New York, says there is “basically zero chance that any of [the] revised Basel III capital standards get implemented in the US”.

Choulet is more sanguine, but agrees the US authorities may not implement the Basel floor itself word for word.

“[They] could argue their floor is more cautious, as it is higher, at 100% against 72.5%, even if, as we know, the 100% Collins floor does not include RWAs for operational risk and so the requirement is less stringent than it appears. They could also slightly modify the standardised approach for credit risk to offset the impact of a change in the full standardised approach,” says Choulet.

Credit risk is by far the largest component of RWAs, at 60% or more of the total for most of the US G-Sibs. As a result, any changes that turn out to make the standardised approach – and therefore the standardised floor – for credit risk more punitive would have a particularly significant effect on overall capital requirements.

# The impact of de-tiering in the United Kingdom’s large-value payment system

By Evangelos Benos, Gerardo Ferarra, Pedro Gurrola-Perez | Technical paper | 16 January 2018

# Top 10 op risk losses of 2017: crisis-era fines abate

By Risk staff | Opinion | 16 January 2018

Total losses fell by half last year with large fines slowing; frauds take top three slots

Industry-wide operational risk losses fell by more than half in 2017, plummeting from $49.8 billion in 2016 to$23.1 billion, thanks to a drop in the number of large fines and settlements meted out by regulators against banks from legacy crisis-era wrongdoing.

The 10 biggest operational risk loss events of 2017 accounted for 45% of all losses, with fraud and misconduct dominating the top 10. Within these two loss classes, a geographical theme emerged: conduct losses were concentrated in North America and Europe, whereas Asia-Pacific and Latin America experienced the most losses from fraud.

The three largest losses this year were frauds. The top spot was occupied by improper transactions at Brazilian bank BNDES totalling 8.1 billion real ($2.52 billion). Brazilian police discovered improper dealing between a BNDES subsidiary and a meat processing company. According to the investigators, the transactions were carried out with no due diligence and without following contractual requirements. Warrants have been issued for 37 people thought to have been involved in the scheme. Secondly, employees at Shoko Chukin Bank improperly granted ¥265 billion ($2.39 billion) of loans as part of a crisis response programme that offered low-rate financing to small businesses. Similar to other conduct issues that have arisen under pressure from high targets, employees at 97 of Shoko Chukin’s 100 branches were found to have improperly granted the loans by falsifying approval documents in an attempt to meet lending targets that did not align with demand.

In third place, after a long-running investigation the SEC brought charges against the Woodbridge Group of Companies and their owner Robert Shapiro, accusing them of running a $1.22 billion Ponzi scheme from 2012 until it collapsed in December 2017. According to the SEC, Woodbridge convinced 8,400 investors to take part in his scheme. The companies had already been the subject of legal action in eight states since 2015. At number four is €963 million ($1.18 billion) that Societe Generale agreed to pay to the Libyan Investment Authority, a sovereign wealth fund, in an out-of-court settlement relating to $2.1 billion of trades conducted between the two parties between 2007 and 2009 that resulted in losses for the LIA. The Libyan fund claimed that the French bank had secured the trades on the back of a “fraudulent and corrupt scheme” involving more than$50 million of bribes. Goldman Sachs successfully defended against a similar case by the LIA in 2016.

The ripples of Bernard Madoff’s Ponzi scheme are still being felt in loss number five. In July and September, Thema International Fund, an Irish fund which invested almost all of its assets in Madoff’s scheme, and a number of its affiliates agreed to pay a total of $1.06 billion to Irving H Picard, the scheme’s liquidation trustee. According to Picard, the funds, linked to Austrian banker Sonja Kohn and the Benbassat family of Swiss bankers, provided Madoff with access to funds in Europe as his scheme began to run out of new cashflows in the US. The sixth biggest lost is another fraud, also involving irregular transactions. Fifteen executives of Catalunya Caixa, a Spanish bank now part of BBVA, were accused in March of causing a loss of €720 million to the bank by conducting irregular real estate transactions between 2000 and 2013. Conflicts of interest were present in at least half of the transactions, including instances of insider trading when executives bought shares in the companies involved only days before the transactions were made. At number seven was the combined loss of 49.3 billion rupees ($770 million) from eight Indian banks resulting from commercial loans obtained by Vijay Mallya in an alleged fraud that is subject to ongoing criminal investigation in India and the UK. Mallya, the founder of now-defunct Kingfisher Airlines, is undergoing extradition proceedings from the UK to India. Read more about this loss in our September article.

In the eighth biggest loss, Western Union agreed to pay a total of $586 million to the US Department of Justice, Federal Trade Commission, three state attorneys and 49 US states for anti-money laundering breaches and aiding wire fraud. According to the investigations, Western Union failed to prevent its agents from sending hundreds of millions of dollars of money derived from illicit activities to China between 2004 and 2012, in tranches of less than$10,000 to avoid US reporting requirements. This issue continued into 2018, as Western Union was fined $60 million by the New York Department of Financial Services for the same conduct in January 2018. The penultimate loss is a hangover from the financial crisis. Deutsche Bank agreed to pay €450 million to settle claims it advised Icelandic bank Kaupthing to loan funds to clients to invest in credit-linked notes with a view to lowering the troubled Icelandic bank’s credit default swap spread. Finally, in June three employees of Beijing Pangu Investment pleaded guilty to using fake documents to illegally obtain 3.2 billion yuan ($497 million) from Agricultural Bank of China. The company belongs to exiled Chinese billionaire Guo Wengui, who is a critic of supposed corruption within the Chinese government.

### Legacy losses

Legacy losses were dominated by conduct risk. In January 2017, RBS announced it would provision a further £3.11 billion ($4.3 billion) to cover the ongoing costs of US investigations into residential mortgage-backed securitisations, and both Lloyds and Barclays provisioned an additional £700 million each for compensation relating to mis-sold payment protection insurance. At least there is an end in sight for this issue, with the UK Financial Conduct Authority announcing the final date for PPI claims as August 2019. Although the top 10 features a number of fraud events, overall, conduct-related events rose to become the most significant source of loss this year, accounting for$10.75 billion of the total. The significance of conduct risk is set to continue in 2018, as European regulators ramp up the introduction of new legislation, including Mifid II. It remains to be seen if losses will fall in North America as a consequence of US president Donald Trump’s push for deregulation.

# Banks begin to model climate risk in loan portfolios

By Steve Marlin | Features | 16 January 2018

Environmental stress tests and scenario analysis reveal hidden risks

Used by large banks since the early 1990s, stress testing has grown to encompass all manner of risks. One of the latest additions to the practice is the risk posed by climate change and environmental regulation.

The use of stress testing, as well as scenario analysis, to forecast the impact of climate change on loan portfolios is only a few years old, and in these early days banks are taking different approaches. But some are already adjusting lending strategies based on their assessments of the risk.

Two recent initiatives are likely to accelerate efforts to gauge climate risk. In June, the Financial Stability Board’s Task Force on Climate-related Financial Disclosures, chaired by former mayor of New York City Michael Bloomberg, issued recommendations on climate risk management and disclosure for financial institutions.

“When the TCFD recommendations were issued, we immediately said we want to follow those recommendations,” says Antoni Ballabriga, global head of the corporate responsibility unit at BBVA. “A lot of investors are asking us more and more about climate change and climate-related assets.”

The TCFD framework, which is voluntary, recommends the use of scenario analysis to assess climate risk exposures and calls on banks to disclose the results in annual filings, along with the metrics and processes used to conduct the analysis.

And in November, the European Parliament’s economic and monetary affairs committee issued a proposal that would amend the European Union’s Capital Requirements Regulation to make climate risk management and disclosures mandatory.

Banks are less enthused about the mandatory aspect of this proposal, pointing out that they have only just begun looking at ways to assess climate risk.

“There are still many unknowns and challenges associated with modelling and stress-testing climate change risk,” says Rahel Wendelspiess, director of environmental and social risk at UBS. “We caution against premature regulations before these are addressed. Once it’s required that we do it, it’s implied we already know how, but we’re still on a steep learning curve.”

### Taking action

The learning process includes a good deal of experimentation.

Responsibility for climate risk management typically rests with banks’ environmental and social risk management functions, rather than the credit or market risk groups.

“Any of the natural disasters fall within our remit,” says Courtney Lowrance, global head of environmental and social risk management at Citi. “Environmental risks fall into a general bucket of risks. We look at it as an operational risk for the company we’re financing. Environmental issues can also carry legal risks. There could [also] be regulatory risks if regulations crack down on the use of natural resources.”

A handful of banks – including JP Morgan, PNC and UBS – have begun conducting environmental stress tests of their loan portfolios. PNC, for example, looks at how certain environmental risks, such as carbon emission regulations and a lower demand for oil, would affect a specific customer portfolio, including the probability of default and loss.

However, this field of quantitative climate risk analysis is still in its infancy.

UBS attempted to measure its exposure to climate risks using its standard stress-testing infrastructure, based on macroeconomic scenarios, in 2014. It soon became apparent this approach was suboptimal, and the firm quickly switched to a bottom-up model focused on specific industries, such as oil and gas.

“We realised the existing infrastructure is not capable of capturing such risk because it is a macro-based model,” says Wendelspiess.

###### We’re limiting our risk appetite in certain carbon-related industries, such as the coal sector

Rahel Wendelspiess, UBS

UBS also joined forces with eight other banks and Risk Management Solutions (RMS), a catastrophe risk-modelling firm, to develop a drought stress-testing tool for loan portfolios.

“The drought project was another step in developing a bottom-up analysis,” says Wendelspiess. “This had not been done before.”

Environmental risk managers at Citi are following a similar path.

“Historically, [environmental] risk management focused on project- or asset-level analysis. That approach has evolved to a corporate [borrower] level,” says Lowrance. “A power company may have 10 power plants in different countries. We will look at the company’s ability to manage environmental issues, recognising conditions vary from place to place.”

Citi is able to take a specific customer’s portfolio of assets and map it to climate risks, such as drought and flooding, says Lowrance: “We can model the potential impact on a company’s financials depending on how much of their asset base is located in sensitive areas.”

Some banks are confident enough in their climate risk assessments to adjust their lending strategies accordingly. For instance, JP Morgan stopped financing coal-fired power plants in certain countries in March 2016 after analysing the impact of climate change regulations on its global power portfolio.

That same month, Industrial and Commercial Bank of China published a report on environmental factors and credit risk, which estimated that 68% of thermal power companies with a credit rating of AA or higher could be downgraded in a low-stress scenario of increased environmental regulations. That figure increases to 81% in a high-stress scenario.

The research team conducting the stress test made a number of recommendations, including advice that access to funding for companies that violate environmental protection laws and regulations should be strictly controlled.

At UBS, the environmental and social risk team has established controls and processes to identify and mitigate climate risks at both the individual client and portfolio levels. “We define standards in environmental and social risk,” says Wendelspiess. “That means we’re limiting our risk appetite in certain carbon-related industries, such as the coal sector. By limiting our engagement, that’s one way of protecting our assets.”

Still, risk managers say more robust tools are needed to effectively assess and disclose climate risks. To this end, a group of 16 banks has been working with the UN Environment Programme Finance Initiative (UNEP-FI) to “develop scenarios which can be used as inputs into a model into which banks can then plug in their own credit information”, says Wendelspiess of UBS, which is part of the project. “The result would be the impact on banks’ credit exposures.”

The UNEP-FI group intends to publish its methodology shortly after the project ends in March. “The working group has committed to disclose at least some of the information and report on the process,” says Wendelspiess.

### Drought stress-testing tool

RMS’s drought stress-testing tool includes five scenarios of varying duration, intensity and geographical extent for each of the four modelled countries: Brazil, China, Mexico and the United States. The tool maps the drought hazard in each scenario to an implied change in revenues for companies directly affected by water shortages or indirectly impacted due to, for example, interruptions in hydroelectric power generation or reduced supply of raw materials that require water. The results can be used to adjust a bank’s internal debt ratings upward or downward.

“The tool allows us to run a debt-rating model against a single company or on thousands of companies,” says Lowrance at Citi, which has already integrated the models into its system so the stress tests can be accessed by a user anywhere within the bank.

###### We can model the potential impact on a company’s financials depending on how much of their asset base is located in sensitive areas

Courtney Lowrance, Citi

However, Lowrance says the stress tests are not yet robust enough to inform the bank’s credit decisions. “Unfortunately, the data that goes into determining the vulnerability factors and how certain industries and companies react to drought is still quite limited,” she says. “That causes the confidence interval to be too low to be used for credit decisions.”

The RMS model uses proxy information when complete financial or location data is not available. “If we have a bank that knows it’s underwriting a loan for a petrochemical company in the US, but it doesn’t have detailed location information, we use what we know about the US petrochemical industry to help inform where they are likely to reside,” says Stephen Moss, the firm’s director of capital markets.

The RMS model shows climate risk analysis can be performed using a standardised framework linking environmental hazards to credit ratings, and ultimately default rates, says Laurence Carter, senior consulting analyst for capital and adjacent markets at RMS. “The tool demonstrates a new framework financial institutions could adapt and apply within their own internal systems,” he says. “The methodology is highly versatile and could be equally applied to many other types of environmental risk.”

### Climate disclosures: a hit and a miss

Initiatives on common approaches to climate risk have produced mixed results to date. In France, for instance, disclosure requirements known as Article 173, adopted in 2015, have thrust banks to the forefront of climate risk management and reporting.

A report published by ShareAction in December 2017 ranked BNP Paribas first among the largest 15 European banks for climate-related disclosure, while two other French banks – Crédit Agricole and Societe Generale – ranked fourth and fifth respectively.

“The requirement in France for assessment and disclosure of climate-related risks has accelerated action with the French banks,” says Lauren Compere, managing director at Boston Common Asset Management, which specialises in sustainable investing. “I would not have considered them as leaders, starting out.”

Other efforts have fallen flat. The Portfolio Carbon Initiative, a group of banks and asset managers working under the auspices of UNEP-FI, has been developing guidance for financial institutions on how to manage carbon-related asset risks since 2014. But it has only recently written a draft proposal, which it plans to release in February.

Compere, who was on one of the PCI technical working groups, says the project was dogged by disagreements among the participants. “There were many people at the table looking at the methodology,” she says. “There was a breakdown because they didn’t agree on the methodology; lack of co-ordination and communication is one of the main reasons why broad adoption of this concept has not happened.”

# Risk culture: banks fall short in eyes of staff

By Steve Marlin | Features | 11 January 2018

Many risk managers believe their banks have work to do on understanding, measurement and management of risk culture

A new survey has revealed widespread failings in the way banks approach risk culture, despite general agreement that a firm’s culture is a crucial part of risk management.

In the survey of more than 130 risk managers by Risk.net and advisory firm Catalyst, 87% of respondents say risk culture is key to the understanding of risk. Yet only 57% say it is well defined at their employer, and even smaller percentages say it is well understood (45%), well measured (27%) and well recognised and rewarded (38%).

The survey hints at the reason for this disconnect. Almost three-quarters of respondents say accountability for risk culture at their firm lies with the risk function (72%) while only 28% say it is the job of the business lines and other corporate functions. Practitioners that spoke for this article find it startling that a second-line team is being expected to take responsibility for risk culture when most risks arise within the first line.

“I would have answered differently,” says Alan Smith, global head of risk strategy and senior executive officer for global risk at HSBC. “The first line should be primarily responsible for the implementation of risk culture. It should be unequivocally the first line.”

Culture has become a focus for banks and regulators in the years since the crisis – a catch-all term for the disparate failings in attitude and conduct that allowed huge concentrations of securitised mortgage risk to build up in the years prior to 2007, and which also lie at the heart of a slew of post-crisis scandals, from the rigging of the Libor interest rate benchmark and foreign exchange markets, to misselling and violations of sanctions and money laundering rules.

Identifying the source of the problem is the easy bit, however. The Risk/Catalyst survey suggests the industry is still grappling with definitional and organisational questions – and many of the 13 practitioners who spoke for this article agree.

The Financial Stability Board, in 2014 guidance for supervisors for assessing risk culture, noted no single definition of risk culture exists, but pointed to a 2009 report from the International Institute of Finance (IIF) that defines risk culture as “the norms and traditions of behaviour of individuals and of groups within an organisation that determine the way in which they identify, understand, discuss, and act on the risks the organisation confronts and the risks it takes”.

###### Banks recognise that risk culture is not stagnant, nor is it something you write on paper. It’s something you live

Senior US supervisor

This is what makes it such a slippery concept, senior risk managers say. Other aspects of risk management affect the way individuals and groups behave – such as risk appetite, risk limits, governance, and controls – but do not try to express, track and police behaviour itself.

“Risk has a well-defined set of expectations that are typically quantitative,” says Colin Church, chief risk officer for Europe, the Middle East and Africa at Citi. “The further you shift into qualitative, the more challenging it becomes. A lot of this goes in the category of you know it when you see it, but how do you quantify it?”

Faced with these challenges, many banks have traditionally put more emphasis on the elements of risk management that can be measured, reported and controlled via standardised, quantitative metrics. Risk culture has historically been seen as a squishier part of the discipline, and one that can be left to look after itself as long as harder controls are doing their job.

That is starting to change as a result of the heavy fines and penalties banks have incurred since the financial crisis, and the emphasis on individual firms’ risk culture that underpins new rules and regulation such as the Senior Managers and Certification Regime (SMCR) introduced by the UK’s Financial Conduct Authority in 2016.

And the regulatory drumbeat grew louder in November last year when the Bank of England governor, Mark Carney, said the SMCR regime was helping the FCA and BoE assess whether a firm “has the appropriate culture and is encouraging the necessary changes”. Those with “widespread or consistent shortcomings” may be instructed to hold more operational risk capital, Carney warned.

One senior US supervisor says banks are listening: “Risk culture is slowly becoming embedded into overall corporate culture. Banks recognise it’s not stagnant, nor is it something you write on paper. It’s something you live.”

“There’s real clarity that risk culture is important,” says Roger Noon, an independent risk culture consultant who has worked with a number of banks. “There’s a good understanding now of why it’s important and how it helps improve risk management.”

So, how much progress has been made? And where is further work needed? The survey provides some insight.

### Divergent approaches

The idea for the survey came from a roundtable held by Catalyst in June with a group of banks on risk culture, where striking differences between the quantitative and qualitative approaches to the topic became apparent. “They were quite divorced,” says Paul Butler, managing consultant in organisational development at Catalyst. “You had this vague, high-level cultural angle, but then you had the prescriptive, numbers focus of the trading risk management mentality.”

The first step in bridging this gulf is a definition of risk culture – something that explains how the ‘fluff’ of attitudes, behaviour and conduct, fits with the harder edges of traditional risk management.

One of the challenges banks face here is finding a way to separate risk culture from broader, existing programmes focusing on culture and values. Both attempt to set expectations around staff attitudes and behaviour, but risk culture is more specific; in this case, the attitudes and behaviour relate specifically to risk management. Banks have sought to make that clear in their definitions.

Kariann Dale, vice-president of risk conduct at Royal Bank of Canada, highlights the issue. “People know risk culture is important, but in practice, while many institutions including RBC already have approaches to assess, measure and strengthen risk culture, they are all continuing to enhance these approaches. There can be confusion, because the attributes of risk culture are a subset of organisational culture,” she says (see box, Risk culture at RBC).

HSBC defines risk culture as the norms, attitudes and behaviours related to risk awareness, risk taking and risk management (see box, Risk culture at HSBC). Again, the bank has sought to make it clear that this is a more focused issue than the broader debate around culture.

“One thing we don’t do well as an industry is make a distinction between risk culture and culture generally,” says Smith. “In our case, we were very clear about getting a concise definition of what risk culture is. You can’t manage what you can’t define.”

The definitions used at HSBC and RBC are similar to the IIF’s 2009 take: broadly, all three establish risk culture as the behavioural norms that relate specifically to the identification and management of risk. And the survey suggests the industry as a whole is making relatively solid progress: 39% agree their firm has defined risk culture well, and 18% strongly agree, with only 20% and 3% disagreeing and strongly disagreeing, respectively. A fifth sit on the fence.

A definition may be a necessary condition for a bank to address risk culture, but on its own it clearly isn’t sufficient. The next question is whether the definition has taken root: is there a common understanding across the bank? The survey responses were less positive on this front, with lower proportions saying risk culture is well understood and higher proportions saying it is not. More respondents also hedge their bets, neither agreeing nor disagreeing (26%).

Given these shaky foundations, it’s no surprise the survey’s questions about the measurement and management of risk culture generate even lower scores – and evidence of divergent practice. Practitioners are not surprised, citing the wide variety of methods that can be used to monitor attitudes and behaviour.

“There’s the notion of not only do you understand risk culture, but is it strong and how do you evidence that?” says Jeffery Weaver, head of qualitative risk assessment at Key Bank, the Cleveland-headquartered US regional lender. “Do you do it with key risk indicators, value statements, or a clearly stated risk appetite, qualitatively and quantitatively articulated? That’s when it begins to diffuse.”

In part, this is a natural result of the discipline’s immaturity, says Jason Forrester, managing director for enterprise and operational risk management at Credit Suisse: “There’s a difference in the level of embeddedness of risk culture, where that same rigour of identification, appetite, and monitoring has been in place for a shorter period of time for non-financial risks than for market and credit risk.”

### Methods of measurement

Survey respondents were asked to specify the metrics used for risk culture at their firm (see table). The 85 answers were almost all different – ranging from financial ratios and levels of fines, to incident tracking, key risk indicators, risk appetite frameworks and internal audit or compliance sweeps. A handful of firms said they track a variety of metrics via a dashboard, while others said they were not aware of the metrics used, or that no specific metrics were in place. One joked: “I’d like to know, too”.

The resulting list can be grouped into two broad categories: “big” risk culture measures, and “small” ones, says Forrester. Big risk culture metrics such as financial ratios and risk appetite provide a view of the organisation as a whole, while small risk culture metrics such as incidents and limit breaches provide insight into how well risk culture is ingrained at the individual employee level.

What metrics do you use in assessing risk culture?

Selected responses:
• Control breaches, operational loss trending, audit performance
• Don’t know – dashboard is not shared below board level
• Incident/breach reporting (policies, limits, regulations; op losses; intentional vs unintentional; new vs recurring)
• Interviews based on a checklist of points that are linked to elements of a risk culture framework
• Key control indicators, control sample tests, key risk indicators
• Loss event reporting
• Multiple metrics on a dashboard
• No metrics: qualitative risk culture survey
• Not consistently measured
• Qualitative and expert views
• Risk appetite and limits
• Risk control self-assessment
• Survey of behaviours and knowledge of risk framework and policies

“When people are talking about small risk culture, ie, the individual view the traders have of risk – these are all things I would expect a firm to be monitoring,” says Forrester. “When people are talking financial ratios, liquidity ratios and credit quality, they’re talking bigger risk culture, where you’re looking at the entire limit framework and cascading the risk appetite downwards.”

State Street uses a dashboard to track what it calls “risk excellence culture” across its business units, but Kim Newell Chebator, the bank’s chief administrative officer for Europe, the Middle East and Africa, concedes it is tough to find measures that work.

“Measuring risk culture is notoriously hard. It is difficult to identify a meaningful metric to measure a specific behaviour. At best, metrics can identify risks and trends in behaviours,” she says.

Even if a bank is measuring the right things, little will change unless the right bits of the organisation are held accountable, practitioners say. For many, this was the most worrying aspect of the survey. Almost three-quarters of respondents said the risk function was accountable for risk culture at their firm, followed by the board, which was named by 52% of respondents, the executive committee (33%), compliance (30%) and the business lines (28%). The percentages add up to more than 100 because respondents could choose more than one option.

Although the risk function was identified in the survey as being the most accountable for risk culture, risk managers argue the responsibility should reside primarily with the business lines. Risk culture is more likely to be effective when the first and second lines work in partnership, they argue – with the first line setting risk appetite and conduct standards, and the second line providing oversight through monitoring, surveillance and key risk indicators.

Some banks do operate in this way, says Sarah Dahlgren, a partner in the risk practice at McKinsey and former head of supervision at the Federal Reserve Bank of New York: “There are organisations that recognise risk culture is embedded in the businesses, with the second line providing an oversight function.”

The low number assigned to the business lines and the high number assigned to the risk function should be reversed, according to several people. “Risk culture, according to this data, is imposed by specialists,” says Adrian Docherty, head of financial institutions advisory at BNP Paribas. “The 28% figure I thought was quite low.”

Regulators and supervisors also have a part to play, but while 60% of survey respondents acknowledged the role of watchdogs, there is no clear consensus on what that role is.

“Risk culture is not something you regulate,” says the senior US supervisor. “But for the regulations that do exist, ensuring you follow those and comply with the spirit and intent will be part of a sound risk culture and a sound corporate culture.”

Risk culture plays a part, explicitly or implicitly, in many of the regulations enacted in the post-crisis years. There is a perception that European regulators, particularly in the UK, have been more actively promoting risk culture – perhaps because they have traditionally been more comfortable with a principles-based approach to regulating, versus the more legalistic approach associated with the US.

But while these rules may signal a regulator’s priorities, they deliberately do not give banks a blueprint for how to respond.

Prior to joining Catalyst, Butler was a managing director at Royal Bank of Scotland, where he was involved in implementing the SMCR. One of the sticking points was the regime’s use of the term ‘fit and proper’, which firms were initially left to define for themselves.

“The FCA said, ‘You need to assure executives are fit and proper to do the job. We’re not going to tell you what fit and proper means aside from the fact that they have no criminal record. We’ll audit you, and if we don’t like it we’ll tell you’,” Butler says.

He adds: “The FCA has been quite visionary because it has realised you can just keep piling on rules, and smart people will figure out a way around them. A lot of banks in the UK are now focusing heavily on values, and they’re incorporating them in annual performance reviews. It’s not just what you’ve done, but how you’ve done it.”

### Carrot and stick

To close the gap between risk culture’s perceived importance and its patchy implementation, banks should tie it to things that people care about – such as compensation or their chances for promotion, say some practitioners.

Credit Suisse, for example, conducts an annual survey of managers to gauge adherence to risk culture. Those who score well are rewarded, and those who don’t are offered remedial help, and if that fails, are subject to more punitive measures.

What one thing could the industry do more of to promote and enhance risk culture?

Selected responses:
• Acknowledge that risk culture has to be embedded consistently across the organisation
• Awareness and training interventions
• Better sharing of information on “bad apples”
• Consistent definition and common reporting metrics
• Continue to promote tone at the top awareness
• Developing professional standards
• Education, education, education
• Fundamentally change bonus structures
• Have consensus on metrics and common standards
• Incentivise and reward it
• Integrate risk thinking in business execution
• Make Basel set standards
• More regulatory oversight
• More transparency
• Provide explicit examples where risk culture not followed
• Reduce the number of risk managers – make everyone a risk manager!
• Stop calling it ‘risk culture’ and integrate it with ‘company culture’

“It’s important for people to see there’s a carrot as well as a stick, which helps to amplify the benefits of getting it right,” says Forrester.

Something similar is true at State Street and at HSBC. For the latter, employees are rated on their adherence to the bank’s values during the year. Bonuses are blocked for employees with an unacceptable rating, while those who “exhibit exceptional conduct” get paid more. And Citi revealed in October that it had overhauled its bonus system so profitability and conduct scores could no longer be averaged – which in theory could have allowed a high-earning trader to behave poorly and still receive a bonus.

“Not this year,” Citi’s chief compliance officer, Mark Carawan, told a Risk.net conference. “If there are behaviours that have been inappropriate, such as not reducing [a position], or taking a position that wasn’t authorised, that’s a zero bonus.”

These are efforts to close the loop, making front-line risk-takers accept responsibility for risk culture. And it’s where the foundations laid by the industry matter: if individual employees are going to be impacted by their contribution to cultural success or failure, then they, their managers, the senior executives and the board, all need to agree that risk culture matters, share a common definition and understanding, and select appropriate metrics.

“To me, culture is a scientific set of processes, and those processes include strategic objectives, performance management, and compensation,” says Docherty at BNP Paribas. “You can define and measure those. But other people’s understanding of risk culture may be a bit more vague. Therefore, they might have a less clear definition of what risk culture means.”

The survey suggests many banks still have a lot of work to do on the basics.

### Risk culture at RBC

This is an edited version of a statement provided by the bank.

Royal Bank of Canada saw the need to supplement its enterprise risk appetite framework with an expression of principles and approach to conduct risk and risk culture.  This led to development of an enterprise-level risk conduct and culture framework, which has been in place since 2013. Risk appetite encompasses what risks RBC is able and willing to take, while risk conduct and culture articulates how it expects to take those risks.

“We consider risk culture and conduct a topic, not a type of risk,” says Kariann Dale at RBC. “The term is defined as a shared set of behavioural norms that sustains our core values and enables us to proactively identify, understand and act upon our risks, thereby protecting our clients, safeguarding our shareholders’ value, and supporting the integrity, soundness and resilience of financial markets.”

RBC has adopted the Financial Stability Board’s four fundamental practices as foundational to effective risk conduct and culture in order to enable and reward the desired risk behaviours and outcomes, namely:

• Tone from above;
• Accountability;
• Effective communication and challenge; and
• Incentives that reinforce desired risk management behaviours.

Desired outcomes from effective risk conduct and culture practices align with RBC’s values and support its risk appetite statements, namely:

• Products and services are suitable for clients to protect their interests;
• Standard of market practice safeguards the effectiveness and fairness of the market;
• Reputation aligns with values; and
• Avoid misconduct.

Regular monitoring is fulfilled through qualitative and quantitative indicators of effective practices and outcomes, which are aggregated into dashboards. Accountability for the first line of defence to sustain and strengthen risk conduct and culture is made clear through individual mandates and performance objectives.

Areas where RBC is now focused include enhancing communication and awareness, and recognising employees who strengthen risk conduct.

### Risk culture at HSBC

This is an edited version of a statement provided by the bank.

In recent years, HSBC has focused on how risk culture is defined, promoted, and measured – in line with a broader shift across the industry since the global financial crisis.

HSBC defines risk culture as the norms, attitudes and behaviours related to risk awareness, risk taking and risk management. To support this, it has identified five drivers of a strong risk culture:

• Tone from the top: The board and senior management are the starting point for setting core values and expectations for the firm’s risk culture – reflected in HSBC’s risk appetite framework.

• Accountability: Ensuring relevant employees understand the firm’s core values and approach to risk; perform their prescribed roles in the HSBC three lines of defence framework; and are held accountable for their actions in relation to risk ownership and stewardship.

• Effective communication and challenge: Considering a range of views in decision-making processes; challenging current practices; and fostering an environment of open and constructive engagement.

• Incentives: Using performance and talent management to reinforce desired risk management behaviour so individual performance is judged both on what is achieved and how.

• Competency: Both in terms of the status, resources and empowerment of the risk function, and the embedding of risk attitudes and behaviours across the firm – supported by values-based assessments for new joiners and training for staff.

Risk culture is measured in several ways through operational risk and internal audit reviews, and employee surveys, which provide insight on important areas of accountability, good judgement and speaking up.

“Embedding risk culture across a large organisation is a journey of continuous improvement,” says Alan Smith at HSBC. “The importance of a strong risk culture is widely understood; the challenge is to ensure this understanding is refreshed and reinforced. The bank focuses on embedding through communications, training and performance management to underpin effective risk management across the firm.”

Source: HSBC

The survey was conducted between October 17 and November 3 last year. Participants were sourced via an email campaign targeting risk managers at big and small banks around the world. They answered the survey questions online.

A total of 134 individuals participated – more than 100 completing all 14 questions – with 17% self-identifying as C-suite or board level, 39% as heads of department, and 24% as senior managers. A third of the respondents came from Tier 1 banks. By geography, just over half of the respondents were based in Europe, the Middle East and Africa, with 25% in Asia-Pacific and 22% in the US.

# Transneft quits OTC market after settling $1bn swaps case By Chris Davis, Olesya Dmitracova | News | 11 January 2018 Russian market participants edgy after settlement leaves disclosure duties unclear Russian oil transportation monopoly Transneft will not enter into new derivatives transactions for the foreseeable future, just weeks after agreeing a settlement with state-owned Sberbank on a billion-dollar claim arising from disputed foreign exchange options transactions. The move is a response to what the company claims is a lack of clarity on derivatives sales and disclosure practices. “We’re abandoning all work with derivatives,” a spokesperson for Transneft tells Risk.net. The spokesperson adds that the decision may be reviewed once the company deems there to be sufficient regulatory clarity on the use of the instruments. For almost a year, Transneft had been fighting a legal battle with Sberbank over two expired forex options contracts that resulted in losses of 75.3 billion rubles ($1.3 billion) for the non-financial company. The USD/RUB-linked options fell heavily out of the money for Transneft when the imposition of economic sanctions on Russia caused the ruble to plunge to an all-time low against the greenback.

Transneft successfully claimed in a Moscow arbitration court that it was inexperienced in trading derivatives and should have been given more information about the risks of the transactions – a verdict Russia’s central bank denounced as a threat to the local derivatives market. The first judgement was overturned on appeal in August 2017, leading Transneft to take its case to a cassation court, before a settlement was finally agreed in late December.

However, Transneft argues clear rules are now needed on what information banks should disclose to clients, and says it will refrain from any new hedging until such rules are in place.

It is unclear how the company will manage its various financial exposures in the meantime. According to a 2017 report from Standard & Poor’s, approximately 70% of the company’s debt stock is denominated in foreign currencies.

### Calls for clarity

Lawyers say Transneft’s plan to quit the market is indicative of the legal uncertainty now troubling both buy- and sell-side participants in the wake of the dispute.

Although precedent is not a source of law in Russia, a judgement at the cassation court would have provided some guidance on what banks should disclose to clients prior to trading. But because the case was settled outside of court the issue remains unclear.

“Already we see some banks taking a more cautious approach,” says Igor Gorchakov, a derivatives lawyer at Allen & Overy’s Moscow practice. “They are not investing in developing their derivatives portfolios – to say the least. People are now more alert about these types of transactions; everybody is a lot less relaxed than they used to be.”

Corporate treasurers say some banks have reacted by trading exclusively via London-based entities; they are also reluctant to provide details that could be used against them by a client.

###### There are no problems with forwards and options in Russia. Problems start when people use complex derivatives with knock-outs and various resettable features

Timur Kudoyarov, Rostelecom

“Some banks are now very careful about offering corporates derivatives deals and are doing them only through their London branches,” says Timur Kudoyarov, head of liquidity management at Rostelecom, Russia’s largest telecommunications provider. “Before, we could easily talk to banks about their valuation of our risks, but now some banks don’t want to discuss this because they’re afraid we will then sue them over what they told us.”

To restore confidence in the market, Allen & Overy’s Gorchakov says the Bank of Russia needs to push through new regulation providing clarity on what information should be disclosed to clients prior to trading.

### Proof of understanding

However, Russia’s Association of Corporate Treasurers says any new regulation should also clarify the level of derivatives expertise a non-financial company can reasonably be expected to possess. Even though Sberbank reportedly discussed the forex risks of its disputed trades with Transneft, the corporate argued in court it didn’t have sufficient expertise and skills to independently evaluate such risks.

“Clarifying the risks is not a problem,” says Vladimir Kozinets, president of the association. “You can write 10 disclaimers – but how can a bank prove in court that what it explained was understood [by the corporate]? That’s the problem. In this respect, it may make sense to introduce some kind of certification to distinguish between corporates that have the right to enter into ‘toxic’ deals and those that don’t and admit it.”

A form of certification on a counterparty’s qualification is especially important for more structured types of trades, says Rostelecom’s Kudoyarov. These are the products that have been hit hardest by regulatory uncertainty, he adds, predicting wider spreads in the local market and a shift towards the use of International Swaps and Derivatives Association documentation.

“There are no problems with forwards and options in Russia,” he says. “Problems start when people use complex derivatives with knock-outs and various resettable features.”

“Corporates don’t usually have the specialists who can properly understand the mathematics of the risk. Such people work in banks but they have a different job there: their job is to sell these instruments, and therefore they look at the best-case rather than worst-case scenario and evaluate the risks differently,” he adds.

A source close to the Bank of Russia (pictured) confirms to Risk.net that it is developing rules on derivatives use. The new regulatory framework will be published by the central bank in the first quarter, according to the Association of Russian Banks. The central bank declined to comment.

The Association of Russian Banks has developed a separate set of industry standards for risk disclosures on derivatives trades, which is also due to be introduced in the first quarter. Allen & Overy’s Gorchakov says such standards would be treated as business customs under Russian law. This means banks should receive some legal protection from following them in the absence of any specific regulation on disclosures. Having now been agreed, the standards are awaiting approval from stakeholders including Russia’s central bank.

“The dispute between Transneft and Sberbank very much unnerved the market,” says Yuri Kormosh, a deputy for the president of the Association of Russian Banks. “Therefore, there was an urgent need to develop standards for information disclosure, and this was supported by all participants, including corporations that need to hedge their risks.”

# Monthly op risk losses: China bond fraud implicates leading banks

By Risk staff | Opinion | 10 January 2018

Breakdown of top five loss events. Data by ORX News

The largest loss this month relates to a Ponzi scheme. On December 20, 2017, the US Securities and Exchange Commission charged the Woodbridge Group of Companies and its founder Robert Shapiro with running a $1.22 billion Ponzi scheme affecting 8,400 investors nationwide. According to the regulator, Shapiro and Woodbridge told investors they could make returns of between 5% and 10% through his business model in which he made short-term loans to third-party companies for 11% to 15% interest. In reality, almost all of these third-party companies were shell vehicles owned by Shapiro, whose sole function was to perpetuate the fraud, the complaint reads. Woodbridge relied on new investments to pay returns promised to existing investors, and the company filed for Chapter 11 bankruptcy on December 4. The fraudulent scheme is said to have run from July 2012 to December 2017. The second largest loss reported in December occurred in China. On December 8, 2017, the country’s banking regulator hit China Guangfa Bank with a 722 million yuan ($111 million) penalty for issuing forged letters of guarantee for defaulted corporate bonds.

According to the China Banking Regulatory Commission, six employees at the Huizhou branch of Guangfa Bank forged the letters of guarantee using counterfeit corporate seals. The activity was designed to help conceal Guangfa’s non-performing loan ratio and operating losses, the CBRC said.

The penalty was made up of 176 million yuan in confiscated profits, with the remainder in fines.

In the third largest loss, QBE Insurance settled a shareholder class action for A$132.5 million ($103 million). The class action alleged that QBE did not disclose to the Australian Securities Exchange information relating to its expected earnings and financial position that was likely to have a material impact on the value of QBE’s shares.

The fourth most severe loss reported in December 2017 was a legal order received by BBVA Compass. On December 13, 2017, a Dallas court ordered BBVA Compass to pay more than $98 million in punitive damages and in restitution to a luxury home developer after the bank and one of its executives misled the developer on loan renewals. Finally, the fifth loss also relates to the China Guangfa Bank event. On December 29, 2017, Postal Savings Bank of China was ordered to pay 520.5 million yuan ($79.6 million) in a fine and disgorgement by the China Banking Regulatory Commission over its alleged role in helping China Guangfa Bank to conceal its non-performing assets and operational losses.

All information included in this report and held in ORX News comes from public sources only. It does not include any information from other services run by ORX and we have not confirmed any of the information shown with any member of ORX.

While ORX endeavours to provide accurate, complete and up-to-date information, ORX makes no representation as to the accuracy, reliability or completeness of this information.

# Swift’s CRO on Bangladesh Bank heist, cyber risk and DLT

By Alexander Campbell | Profile | 28 December 2017

Quraishi lays out Swift’s approach to members’ security, and technological risks and opportunities

Dina Quraishi could fly before she could drive. She says learning to safely pilot a light aircraft was her first step in a risk management career that has taken her, via Zurich Insurance and engineering group Sandvik, to processor of interbank payments Swift, where she has worked as chief risk officer since November 2015.

Shortly after her arrival, in February 2016, the central bank of Bangladesh suffered one of the most ambitious thefts in history: stolen Swift authorisation codes apparently allowed the thieves to transfer $101 million from the bank’s account at the Federal Reserve Bank of New York to various accounts in Sri Lanka and the Philippines. Only some of the money was later recovered. Swift’s own security wasn’t at fault, the firm’s chief executive Gottfried Liebbrandt said later in the year, but Swift nevertheless took the Bangladesh Bank theft as a cue to pay a lot more attention to security among its members. This resulted in the launch of the Customer Security Programme, which introduced new mandatory security measures and daily reports of customers’ Swift activity, enabling them to look for anomalies. Swift will also shortly roll out a feature allowing customers to tailor their own analytics in order to reduce false-positive rates and improve the chance of picking up activity that lies outside the norm. The programme was expanded in May 2017 with the launch of an information sharing and analysis centre – an online portal hosting all of Swift’s information on cyber security in a searchable format. The portal includes details of malware and intelligence gleaned from Swift’s investigations into attempted cyber attacks on its customers. “People are bombarded with information every day – how do you make sense of it all? That’s the case for thought leadership – we can provide one compact and digestible view of the threat landscape,” says Quraishi. Cyber risk, which was at the heart of the Bangladesh Bank theft, is what Quraishi classes as a “franchise risk” – a risk that threatens Swift’s ability to continue in business. It can sometimes sit uneasily with the need for technological progress, she says. “Technology is both a threat and an enabler,” says Quraishi. If advances in quantum computing allow cheap and practical quantum cryptanalysis, and endanger the security and integrity of Swift messages, this would qualify as a franchise risk: “We have a team of experts who, amongst other things, are in close contact with universities to keep up with this [quantum computing] issue – their role is to keep up with the discussion, investigate these innovations and regularly report back on them. We also have a process through which we engage on this progress with the community.” She says Swift itself is involved in innovation, building use cases for new technology for the company and its customers, exploring how to innovate in a “risk-free way” and making sure that “we remain relevant”. ###### People are bombarded with information every day – how do you make sense of it all? That’s the case for thought leadership – we can provide one compact and digestible view of the threat landscape … Technology is both a threat and an enabler Dina Quraishi, Swift Technological advances are also high on Swift’s list of emerging risks. These risks, which could pose an existential threat to the company, are discussed by the risk committee over the course of a full day in advance of each board meeting. On the subject of one prominent new technology – distributed ledger technology (DLT), which underpins bitcoin – Swift has been cautious. In early 2017, the company launched a proof-of-concept project using DLT to reconcile balances in nostro accounts – accounts that a bank holds in a foreign currency at another bank. The interim report notes “significant progress in the underlying technology” since 2016, but warns that the value of a DLT-based approach – likely to be a hybrid, with some, but not all, information held on a blockchain – will vary from bank to bank, and that the technology is still far from mature. Swift is not alone in its wary approach to DLT. For example, while CLS, a foreign exchange settlement provider, set up its new bilateral payment netting service to be powered by DLT, it avoided the technology when it updated its core settlement engine this year, saying DLT was not mature enough for a systemically important function such as settlement. Likewise, several central banks, including the Bank of Canada and the Monetary Authority of Singapore, have run pilot projects in 2017 looking at the feasibility of handling interbank payments using DLT – with mixed results. Quraishi herself is not ready to make any predictions about DLT’s future with Swift: “Who knows? I’m not a prophet. Let’s see it working in practice and all the issues round it resolved – regulation, privacy and so on. We are actively engaging in DLT developments and running proof of concepts and will keep up with innovations in this area, to better understand how we can usefully deploy it.” But technology and the risks it entails aren’t Quraishi’s only concern. Physical risks, such as an office fire or a break in a transatlantic cable, pose an equal threat to Swift – and with the company priding itself on near-100% uptime this year, customers are unlikely to overlook any downtime, however brief. To this end, Swift runs regular disaster-recovery exercises, involving its own staff and customers, as well as central banks. Many of the exercises happen with no advance warning of their exact time and date, says Quraishi. “It’s important to go beyond prevention and also think about response, recovery – all through the chain,” she explains. ### Biography – Dina Quraishi November 2015–present: Chief risk officer, Swift 2014–15: Global enterprise risk manager, Sandvik 2011–14: Head of operational risk, Zurich Insurance 2009–10: Chief risk officer, Asia-Pacific & Middle East, Zurich Insurance 2007–10: Head of integrated assurance, Zurich Financial Services 2001–June 2007: Various roles at Swiss Re, finally deputy head of Sarbanes-Oxley compliance 1993–2001: Various roles, finally global project manager, PwC # 1MDB looms large in Asian banks’ war on money laundering By Mark Nicholls | Features | 26 December 2017 Banks in Asia-Pacific spurred by tougher enforcement and stricter AML rules It would be difficult to write about money laundering controls in Asia without mentioning 1MDB, a Malaysian sovereign wealth fund embroiled in an ongoing international money laundering scandal. Yet, when Risk.net contacted six of the banks penalised for the wrongdoing to talk about lessons learned, our enquiries were greeted with either radio silence or a flat ‘no’. One reason for this reticence could be a reluctance to show their hand to money launderers. But another is likely to be a fear of publicising anti-money laundering (AML) breaches – a sometimes bigger worry than the risk of regulatory fines. Banks in Asia-Pacific are having to work harder to avoid such fallout, as the region’s regulators adopt increasingly rigorous standards and conduct more aggressive investigations. “We’re seeing more of an enforcement approach coming to the major financial centres in Asia,” says David Howes, Singapore-based deputy head of financial crime compliance at Standard Chartered, one of the banks unwilling to talk about their 1MDB experience. According to a Thomson Reuters survey released in October, financial companies put their average customer due diligence costs in Australia, Hong Kong and Singapore at$50 million a year – a touch above the global average spend on this central part of AML controls. The average cost for the three countries has changed little since last year’s survey, whereas the global figure fell to $48 million from$60 million.

Local regulators’ actions are partly driven by the Financial Action Task Force, an intergovernmental body whose 37 members represent most major financial centres around the world. In 2012, FATF set out landmark standards for national measures against money laundering and the financing of terrorism and weapons of mass destruction, billing them as a “stepping up” of the fight against those crimes. Since then, it has updated the recommendations every year apart from 2014. FATF also regularly visits its member states to gauge their implementation of the international standards and lays out the findings in detailed public reports.

FATF inspections in Malaysia in late 2014 and Singapore in late 2015 prompted “significant amendments” to AML regulation in the two countries, says Stephanie Magnus, head of the financial services and regulatory practice in Singapore at law firm Baker McKenzie.

Singapore, for example, issued revised AML regulations for financial institutions in April 2015. Key changes included requiring company-wide assessments of money laundering risks, in addition to evaluations of individual customers; introducing a new customer category for people entrusted with prominent public functions in an international organisation and corresponding stricter rules for business relationships with such people; and additional requirements for cross-border wire transfers exceeding S$1,500 ($1,112).

Since the FATF inspections, regulators in both countries have also been more proactive in enforcing the rules, adds Magnus.

###### 1MDB is one of many cases in the region highlighting the increased regulatory focus on senior management responsibility for AML and financial crime

Phil Rodd, EY

In Asia’s highest-profile recent case, allegations in 2015 of massive illegal flows from 1MDB to the accounts of Malaysian prime minister Najib Razak have prompted money-laundering investigations in at least six countries, including Singapore, the US and Switzerland.

Citing mainly AML breaches in 1MDB-related transactions, last year the Monetary Authority of Singapore shut down the local branch of Switzerland’s BSI Bank – the first time it has closed a merchant bank since 1984. Less than six months later, it shut down another merchant bank, Switzerland’s Falcon Bank, due to 1MDB-related failures and improper conduct by senior management in Switzerland and Singapore.

The closures were “a shock to the system” and made “everyone quite scared”, according to the head of risk management for the region at an asset management firm.

Singapore also took aim at individuals implicated in the scandal. In March, the city-state barred Tim Leissner, former chairman of Goldman Sachs for South-east Asia, from its financial industry for 10 years. Seven other people, including BSI Bank and Falcon Bank executives, have either been served similar prohibition orders, jailed or fined, or punished with a combination of those measures.

“1MDB is one of many cases in the region highlighting the increased regulatory focus on senior management responsibility for AML and financial crime,” says Phil Rodd, chief adviser on financial crime risks for Asia-Pacific at EY.

Lastly, Singapore’s central bank fined both Swiss firms, as well as Coutts, Credit Suisse, DBS, Standard Chartered, UBS and UOB, as a result of its investigation of 1MDB. Risk.net contacted the latter six banks.

Those fines were relatively small – the biggest set BSI Bank back the equivalent of $9.9 million – but financial penalties do come in much larger sizes, especially if a bank has a branch in the US. Over the past five years, foreign regulators, mostly in the US, have imposed$1.75 billion in fines on banks headquartered in Asia-Pacific for AML and sanctions violations, according to Corlytics, provider of regulatory enforcement data. In contrast, regulators in Hong Kong, Singapore and Australia – the most active enforcers in the region – extracted just $40 million in fines over the same period. ###### If you’ve successfully onboarded a customer in Hong Kong, asking them for extra documents or more information when they then onboard in Singapore, or vice versa, tends to result in a negative customer experience Chee Kin Lam, DBS A$225 million penalty against Pakistan’s largest bank is a case in point. In September, the New York Department of Financial Services fined Habib Bank and closed down its New York branch. The regulator said that, among other things, the bank used its New York branch to facilitate “without adequate anti-money laundering and counter-terrorist financing controls” billions of dollars of transactions by a Saudi private bank with reported links to Al-Qaeda.

It is such “mega-fines” that inflict real financial pain on firms, says Dominic Mac, global head of know-your-customer (KYC) services at Thomson Reuters. But even without them, simply being singled out for failing to prevent money laundering can be damaging, he adds. “AML failures have a massive downstream reputational impact. It’s the bad banks that get fined because they’ve got bad processes.”

Another, less-publicised but often no less onerous consequence of control slip-ups – be they intentional or not – is pressure on the bank by supervisors to put its house in order.

“Once you have a fine, you have to be able to demonstrate to the regulator the route to solving that inefficiency in your processes, which leads to banks engaging costly consultants, usually hiring more people, coming up with a band-aid solution. The incremental costs are much more impactful than the [average] fine,” says Mac.

At the same time, staying above board can be a tricky balancing act for firms.

Banks active in more than one jurisdiction in Asia-Pacific must contend with differences between national regulations. For instance, the Hong Kong Monetary Authority currently requires banks to identify any ultimate beneficiary of a company or trust – the so-called ‘beneficial owner’ – that holds at least 10% of the entity, while in other jurisdictions the threshold is 25%.

Not only do such differences make it difficult to standardise operations across the region, but they also create problems when banks try to cater to customers with accounts in more than one country.

###### It’s an old quote in the industry that identifying and preventing money laundering is like looking for a needle in a hay stack. It still rings true

David Howes, Standard Chartered

“If you’ve successfully onboarded a customer in Hong Kong, asking them for extra documents or more information when they then onboard in Singapore, or vice versa, tends to result in a negative customer experience,” says Chee Kin Lam, the head of legal and regulatory risk management at Singaporean bank DBS.

The consequences can be as severe as losing customers. According to the Thomson Reuters poll on the impact of KYC regulations on financial companies and their corporate clients, the two main complaints of bank customers – both globally and in Asia-Pacific – were a lack of common KYC requirements across banks and having to deal with many different people at the bank during onboarding.

“Many are voting with their feet: 12% [globally] report that they have changed banks as a result of KYC issues,” the survey said.

There are signs regulators are aware of the need for common standards: the authorities in Hong Kong have proposed relaxing the beneficial owner identification threshold to “more than 25%”, citing “the prevailing FATF standard and international practice”, and requiring banks to record basic information about the recipients of wire transfers, again to fall in line with FATF recommendations. Subject to legislative approval, the amendments will come into force in March.

One commonality between national AML regimes is a risk-based approach, recommended by FATF, which allows financial institutions a certain amount of discretion in applying the rules.

Speaking at a financial crime seminar in July, Chua Kim Leng, then assistant managing director at Singapore’s central bank, described the regulator’s approach to financial crime prevention this way: “Our inspections go beyond rules-based compliance and focus on an institution’s risk understanding and risk management.” Among other things, the Monetary Authority of Singapore evaluates whether senior managers are “setting the right tone from the top” and whether there is “sound risk culture” at the firm, he added.

###### Throwing more bodies at the problem is not a sustainable solution

Chua Kim Leng, former assistant managing director at Singapore’s central bank

A lack of explicit rules can complicate compliance. A local financial crime consultant gives an example of onboarding a very complex client, with a number of beneficial owners and trust structures involved: “Where do you stop? How deep do you drill down? How many directors do you verify? Where do you draw the line? Regulations don’t stipulate how far you should go.”

So, given the difficulties, what’s a bank to do? Part of the solution lies in using smarter technology and shared databases.

Current customer due diligence processes, based on applying pre-set rules, thresholds and scenarios to financial activity, tend to generate high numbers of ‘false positives’, which usually require human intervention to assess, at high cost.

“Throwing more bodies at the problem is not a sustainable solution,” Singapore’s Chua said at the seminar. He noted the potential of machine-learning techniques, saying they can help identify unusual patterns of transactions across a network of entities and across time. “These systems show promise and could succeed in picking out suspicious activities that are impossible for the human eye today.”

Howes at Standard Chartered is equally optimistic about the role new technology can play in fighting money laundering. He cites as examples better use of data analytics to identify true and false positives, greater automation of certain processes using robotics and – something Standard Chartered is experimenting with – machine learning.

But more low-tech solutions, such as databases, can also help. Howes singles out India’s requirement that bank accounts be linked to the customer’s Aadhaar national ID number, based in part on biometric information, as a major measure against money laundering.

Earlier this year Singapore’s government gave locally registered businesses access to its MyInfo database of residents’ personal data, after a successful pilot with four banks that allowed individuals to auto-populate application forms for new bank accounts or credit cards.

###### To the extent that banks are onboarding the same customers, if that can be done in a KYC utility, using digital data, it can be done in a much more efficient manner

Phil Rodd, EY

And last year, the Indonesian government allowed financial institutions to access the country’s ID card database for KYC purposes.Private companies, including Swift, Thomson Reuters and IHS Markit, are developing similar shared KYC databases. “To the extent that banks are onboarding the same customers, if that can be done in a KYC utility, using digital data, it can be done in a much more efficient manner,” says Rodd at EY.

Another vital weapon against money launderers is greater information sharing between banks and law enforcement agencies, say financial crime experts in the region.

On that front, there are signs of progress. In May, Hong Kong’s police, central bank, the Hong Kong Association of Banks and 10 retail banks, including Citibank, DBS, HSBC and Standard Chartered, started a 12-month pilot project aimed at sharing information and resources to fight fraud and money laundering.

Similarly, in April, the Monetary Authority of Singapore and the city-state’s police force launched the Anti-Money Laundering and Countering the Financing of Terrorism Industry Partnership. Eight local and foreign banks as well as the Association of Banks in Singapore are involved in the initiative.

“These [two] taskforces represent the two parties coming together to focus on a common goal: catching the bad guys,” says Lam at DBS. “We are very, very supportive.”

Such innovative practices are welcome, but much more is needed to combat a truly formidable and constantly evolving threat. The total amount of money laundered globally may be around $1.5 trillion a year, according to estimates by the United Nations and the International Monetary Fund. “It’s an old quote in the industry that identifying and preventing money laundering is like looking for a needle in a hay stack. It still rings true,” says Howes at Standard Chartered. # Apac banks expect muted op risk capital hit from softened SMA By Afiq Isa | News | 21 December 2017 Chinese lenders have largest capital requirements in region; banks expect muted increase on average Asia-Pacific banks are set to benefit from the Basel Committee on Banking Supervision’s decision to soften its new approach to calculating operational risk capital requirements, with most banks in the region expecting a muted impact on capital under the new framework – while some could be in line for sizable cuts. The standardised measurement approach (SMA) – the final iteration of which was agreed upon by global policymakers as part of a package of reforms to the Basel III framework earlier this month – gauges a bank’s op risk capital requirements according to their gross income, with lenders grouped by size into three buckets and a multiplier applied to each to produce the business indicator component (BIC). This is then multiplied by a bank’s loss history to produce its final requirement. With a smaller revenue base and lower op risk losses compared with their larger US and European peers, many Apac lenders are hopeful of a relatively muted impact when adapting to the new approach – something they must do by 2022. “In our case, I do not expect a significant impact,” says Stuart Williams, head of operational risk for Asia markets at ANZ. “From the Australian banks’ perspective, they are somewhere in the middle bucket for the business indicator component.” One reason banks expect final op risk capital charges to be lower than previously estimated is the recalibration of buckets and coefficients when calculating the BIC. Whereas the previous iteration of the SMA set a punitive 29% coefficient for banks in the largest bucket, its revised iteration has rowed back from this: the new coefficients are set at 12% for banks with a BI range below €1 billion ($1.2 billion); 15% for those with a BI of between €1 billion and €30 billion, and 18% for those whose BI exceeds €30 billion.

The switch was achieved by merging the second, third and fourth buckets from the March 2016 proposal into one. The decision to merge the buckets – and rein in the 15%, 19% and 23% coefficients that came with them – means few Apac banks will find themselves hit with the 18% multiplier applied to banks with a BI of greater than €30 billion.

“We already have approval to use the AMA. But with the switch to SMA we do not see a major impact, and we might even see some savings,” says Bharan Guntupalli, who heads op risk management for a large, publicly traded Indian bank. “Our bank is not classified in the highest bucket, so we get a lower coefficient and ultimately our capital charges will not shift much. Our op risk proportion should remain at around 10% of RWAs,” he says.

Like most Australian banks, ANZ – which had annual revenues of A$20.3 billion (US$15.6 billion) for the year to September 30 – currently uses the advanced measurement approach (AMA) to modelling operational risk. Several other banks in the region do the same, including some of the Chinese megabanks, as well as some larger national lenders – though most others use the old standardised approach (TSA).

A quantitative impact study (QIS) that accompanied the revised Basel III framework indicates global systematically important banks (G-Sibs), most of which currently use the AMA, could see their weighted average op risk capital fall by 30% under the SMA, based on 2015 data. Smaller non-internationally active banks, which are grouped in a separate cohort in the QIS, are expected to see a 6.9% rise in their op risk capital. From the banks in that sample, five are migrating from the AMA, while 62 are migrating from other measurement approaches.

###### With the switch to SMA we do not see a major impact, and we might even see some savings

Bharan Guntupalli, head of op risk management for a large, publicly traded Indian bank

The SMA takes account of banks’ historical op risk losses through an internal loss multiplier (ILM), scaled according to the institution’s size via the BIC. If average annual losses incurred over the previous decade multiplied by 15 are equal to a bank’s BIC, its ILM is set to 1. Where its loss number is greater, its ILM is greater than one; and if lower, less than one.

One of the biggest concessions in the final framework, however, is the freedom afforded national regulators to effectively ignore a bank’s past losses when setting their capital requirements by setting the ILM to 1 regardless. Even where a regulator decides to include historical losses, banks are given the freedom to lobby to have certain losses excluded. Dealers say this could lead to wildly divergent implementations across jurisdictions and reduces firms’ incentives to monitor and model operational losses.

Most Asia-Pacific banks have avoided the mega-fines for crisis-era misdeeds such the mortgage mis-selling or rate rigging scandals that have befallen their global peers. As such, the impact of their loss histories on op risk capital calculations under the SMA are likely to be relatively muted.

### China megabanks

One constituency that could see a sizable impact is China’s four megabanks, which currently hold the highest minimum required capital (MRC) for op risk of any grouping that participated in Basel’s QIS save the largest US G-sibs, according to an analysis by Risk.net.

Calculating the MRC – which was floored at 8% of Tier 1 and Tier 2 capital in 2015 – versus each bank’s total op risk RWAs suggests the four Chinese banks currently hold op risk capital of between $9 billion and$14 billion: Bank of China holds $9.6 billion; Agricultural Bank of China$11.3 billion; China Construction Bank $12.2 billion; and Industrial and Commercial Bank of China, which uses the AMA,$14.2 billion.

Basel’s projection of a 30% average reduction in total op risk capital under the SMA means the Chinese banks could see as much as a $4 billion reduction in op risk MRC. Only Citi ($26 billion), JP Morgan ($32 billion) and Bank of America ($40 billion) had higher op risk MRC in 2015, all of whom have been hit with multi-billion dollar fines and settlements for various breaches post-crisis – though the size of their MRC can be partly explained by the Chinese banks’ vast asset bases.

US G-sibs that currently use the AMA are predicted to see a bigger drop in capital requirements under the SMA on average versus their global peers, however, partly owing to the US’s stricter implementation of the own-models approach. European banks are more likely to see an increase in total op risk capital from the SMA, as they will no longer be permitted to use scenario generation to calculate their requirements as they did under the AMA.

The Basel figures also mask wide divergences between firms: one G-Sib would see its minimum op risk capital requirement spike by 222% under the SMA, while another would see it drop by 66.1%.

A large proportion of Apac banks are not represented in the study, either. Excluding banks in Australia, China, India, Japan and South Korea, as well as two Singaporean banks, no bank in other Apac countries contributed sufficient data for the op risk component of the study. For example, while the big three Singaporean banks have the largest asset base in South-east Asia, the next 10 biggest banks hold more than $80 billion in total assets on average, yet none of them participated in the op risk study. ###### We make AMA calculations, but for regulatory capital adequacy ratio computation purposes, the BIA is used Head of op risk at an Indian bank Most Apac lenders still use the TSA or basic indicator approach (BIA), both of which the SMA also supersedes. Typically, banks need regulatory approval to switch from BIA to the more sophisticated TSA and cannot revert to a simpler approach once it has made a switch. The head of op risk at an Indian bank with total assets exceeding$100 billion says his firm is currently operating on a parallel-run basis, despite having regulatory approval to use AMA.

“We make AMA calculations, but for regulatory capital adequacy ratio computation purposes, the BIA is used. The intention is that once the regulator is satisfied our AMA models fairly reflect the capital charges, we can finally ditch the BIA. We believe the regulator will let us run the SMA on a parallel basis once it comes into force,” he says.