Op risk data: JP fined $135m over depository receipts
By Risk staff | Opinion | 16 January 2019
Top five losses, plus review of Barclays whistleblower fine. Data by ORX News
In December’s largest loss, JP Morgan reached a $135.2 million settlement with the US Securities and Exchange Commission over allegations that the firm wrongly distributed pre-released American Depositary Receipts, or ADRs. These are equivalent shares of foreign companies that are traded in the US, with the original shares held by a custodian outside the US. Pre-released ADRs represent shares that have been issued but not yet delivered.
JP Morgan provided pre-released ADRs to brokers when neither the broker nor the customers had the corresponding foreign shares, in violation of deposit and pre-release agreements, according to the SEC. Consequently, JP Morgan facilitated short-selling and dividend arbitrage using ADRs that were not backed by corresponding shares.
The SEC has imposed eight fines for improper ADR pre-release practices since February 2017, so far costing firms a total of $364.5 million. Three of those fines have been large enough to feature in our monthly top loss roundups.
In the second loss, insolvency proceedings at Ukrainian lender Fortuna-Bank revealed fraudulent loans totalling $79.8 million. Two bank officials are reported to have issued insider loans through a bank shareholder, according to Ukraine’s banking resolution authority. Affected loans comprised around 98% of the bank’s overall lending portfolio. Additionally, over half of all loans issued by the bank were unsecured.
The resolution authority valued Fortuna-Bank’s assets at around $21.2 million, compared to $82.9 million reported by the bank when liquidation proceedings began in April 2017.
The third largest loss is from La Banque Postale, which was fined $56.9 million by France’s bank supervisor for failures in its anti-money laundering and counter-terrorist financing programme. The bank failed to detect and block transactions carried out by individuals subject to asset-freezing measures due to terrorist activities or violations of international law.
In fourth place, a second firm settled with the SEC over its alleged mishandling of pre-released ADRs. BNY Mellon agreed to pay $54.2 million for failing to ensure compliance with its pre-release agreements and consequently enabling abusive practice using ADRs that were not backed by corresponding shares.
Finally, Santander must pay $41.5 million in fines to the UK banking watchdog for failings in its probate and bereavement process. Santander opened probate and bereavement cases which would then, however, stall and remain incomplete. As a result, the firm failed to transfer around $231.1 million to beneficiaries.
Spotlight: Barclays fined over Staley whistleblower interference
UK bank Barclays is facing a $15 million fine following a regulatory investigation into attempts by its chief executive to identify the author of two whistleblowing letters.
New York’s Department of Financial Services found that, in June and July 2016, Barclays chief Jes Staley personally directed the head of the firm’s security department to identify the author of two letters that flagged concerns over the appointment of a senior member of staff in the bank’s New York office.
In its December ruling, the NYDFS acknowledged that Barclays had a suitable set of whistleblowing policies and procedures in place, trained its staff annually on the subject of whistleblowing, and ran a competent, well-trained and adequately staffed unit dedicated to handling and investigating whistleblowing complaints.
However, in this case, several senior executives and board members failed to follow or apply the whistleblowing policies and procedures, and failed to ensure the independence of the whistleblowing function and the importance of fostering anonymity. These actions risked undermining and jeopardising the independence of the bank’s whistleblowing function, the NYDFS said.
In addition to the $15 million fine, Barclays must also submit plans to ensure compliance with best practice for its whistleblowing programmes, as well as a plan to improve board and senior management oversight of these functions. Finally, Barclays must submit a report containing further details of whistleblowing complaints since January 1, 2017.
The ruling follows a separate UK-led investigation into Staley’s actions by the Financial Conduct Authority, which culminated in a fine of £640,000 ($820,000) levied against Staley personally last May.
In Focus: Info sec risks cloud the Horizon
The ORX Operational Risk Horizon 2019 study has revealed its members’ leading risk concerns for 2019 and beyond. IT-related risks top the charts, showing that the digital agenda will continue to dominate the operational risk conversation in 2019. Perennial issues such as conduct and fraud remain key worries, joined by the likes of transaction processing and regulatory compliance risks.
Forty-eight ORX members took part in the study, comprising 11 insurers and 38 banks, including some of the largest in their sector. In late 2018 they submitted ranked lists of their top risks for the coming year and, looking further ahead, their emerging risk concerns. ORX aggregated these risks using its operational risk taxonomy to create its top and emerging risk ranking for 2019.
This is the second year ORX has conducted its Horizon study. Over the two years, several key risks have remained static. For example, information security and conduct remain the top two current risks, far outstripping the next closest risk: fraud. Conduct’s high ranking is driven by retail mis-selling concerns from European participants, whereas information security is a global worry. Digital disruption remains the top emerging risk, and we are seeing the risks evolve as technologies and marketplaces mature.
Among changes across the two periods, transaction processing has jumped up the rankings from seventh last year, potentially driven by some high-profile fat finger errors leading to increased regulatory scrutiny. In emerging risks, geopolitical tensions, including those around Brexit, US politics and international trade, continue to affect financial markets. This is reflected in this risk category rising one place to third this year.
Overall, this year’s study shows that industry concerns are dominated by digital. But it must not be forgotten that digitalisation affects every risk in this study; no single risk exists in a vacuum.
Editing by Alex Krohn
All information included in this report and held in ORX News comes from public sources only. It does not include any information from other services run by ORX and we have not confirmed any of the information shown with any member of ORX.
While ORX endeavours to provide accurate, complete and up-to-date information, ORX makes no representation as to the accuracy, reliability or completeness of this information.
Fed economists float new way to project op risk losses
By Steve Marlin | News | 10 January 2019
Researchers suggest combining firm’s size with loss history to best predict losses under CCAR
Companies should look at their size and past loss experience in tandem to get the most accurate projection of operational risk losses under stress conditions, three US Federal Reserve economists have proposed.
In a paper submitted for publication in the Journal of Operational Risk, the researchers – Marco Migueis, Filippo Curti and Robert Stewart – constructed new benchmarks to forecast op risk losses under stress scenarios. The views in the paper are those of the authors and do not represent current Fed policy.
Qualitative methods for projecting op risk losses, such as scenario generation techniques, are often criticised for being inherently subjective compared with the quantitative models banks employ for gauging credit and market risk capital. The authors’ proposed benchmarks are intended to address this by creating a quantitative measure of projected losses “that can be used to understand the conservatism of operational loss projections”, they note in the paper.
The benchmarks were created using operational loss data and projections submitted by banks that participate in the Comprehensive Capital Analysis and Review (CCAR), as well as financial data such as total assets, risk-weighted assets and gross income compiled from publicly available FR Y-9C reports. The paper did not use the models the Fed uses to determine whether banks have the minimum capital needed to stand up to the most severe economic scenario.
The researchers found that stress-loss projections were closely correlated with both company size and loss history, with the highest correlation achieved when size and loss history were combined.
Several senior operational risk practitioners who discussed the paper with Risk.net praised it as a worthy attempt to solve a problem that is vexing for both banks and regulators: namely, the wide variation and consequent lack of comparability in loss projections between lenders.
At the same time, some pointed to the proposals’ limitations – in particular, the lack of an attempt to factor in macroeconomic factors that can influence losses, which the authors acknowledge introduces a high degree of uncertainty into the projections.
“These benchmarks give us a sense of what stressed losses look like, but they don’t tell us whether the intensity of losses is tied to an economic downturn,” says an operational risk expert at a large management consultant.
“Should we accept that stress-testing of operational risk is not a macroeconomic exercise, but is simply an idiosyncratic risk that isn’t connected to capital?” he adds.
In using the benchmarks to make comparisons, assumptions need to be made about whether operational risks are unique to each bank or whether they are equally likely to occur at all banks, such as for credit or market risk, others point out.
Should we accept that stress-testing of operational risk is not a macroeconomic exercise, but is simply an idiosyncratic risk that isn’t connected to capital?
Operational risk expert at a large management consultant
Donna Howe, chief executive of Windbeam Risk Analytics in New York, notes banks have their own particularities that may also skew comparability: “Given the difference in business-line composition and off-balance-sheet exposure, the objectivity is not necessarily consistent across the bank holding companies.”
The panoply of operational risks today makes studying a bank’s history a bit like fighting the last war, argues Jo Paisley, co-president of the Garp Risk Institute in London and former global head of stress testing at HSBC, while even stress tests do not envision the evolving threats faced by banks.
“As the nature of operational losses evolve – more cyber, third-party, data-related losses – firms need to continue to be vigilant about the potential for tail losses, irrespective of their history,” she says.
Paisley adds that, while industry benchmarks are useful, firms still need to analyse their own vulnerabilities: “As the paper points out, it’s not clear if the potential for large losses is truly concentrated in the institutions that experienced them in the past or whether these large losses could occur on other firms of similar size.”
Other research by Fed economists suggests that extreme losses for some types of op risk, such as fraud, are highest during periods of economic stress. For instance, a company might engage in riskier transactions when revenues are under pressure, or turbulent trade could even contribute to fat-finger errors.
The Fed has access to op risk losses and projections for CCAR banks – hence its benchmarks would be applicable primarily to US institutions. However, bank-led op risk consortium ORX collects loss data for global banks, so it could in theory perform a similar analysis.
“For anything that doesn’t need the CCAR projection, we would have a larger dataset to perform similar analysis,” says Luke Carrivick, head of analytics and research at ORX.
The management consultant expert comments that testing for operational risk weakness at US and foreign banks still remains a chequered affair: “The definition of stress-testing for operational risk is still not standardised.”
Editing by Joan O’Neill and Tom Osborn
AIIB risk chief on steering China’s World Bank rival
By Aileen Chuang | Profile | 3 January 2019
Martin Kimmig on the Asian Infrastructure Investment Bank’s challenge of overcoming patchy credit data
A taxi driver in Beijing doesn’t need a map to take you to the headquarters of the Asian Infrastructure Investment Bank. The lender may only be two years old and boast some 200 employees, but – given the sheer volume of infrastructure projects being sponsored by the world’s second-largest economy – the number of trips ferrying bankers and investors from the airport to the development bank is enough to prompt an immediate “oh, of course I know where the AIIB is” from a cabbie.
Rapid growth in what are still young capital markets comes with its own risks, however. And, like any lender, the AIIB, which began operations in January 2016, needs a strong risk management framework. Spearheading the work is Martin Kimmig, who joined the bank as chief risk officer in September 2016, after more than two decades at the World Bank Group and the International Finance Corporation (IFC).
Beijing wants to build the AIIB into a global rival to the likes of the Manila-based Asian Development Bank (ADB), in which the US and Japan are the largest shareholders, and Kimmig’s alma mater, the World Bank Group, which is based in Washington, DC. The bank’s senior executives are notable for their political connections as much as their financial expertise: its president is Jin Liqun, China’s former vice-minister of finance, while Danny Alexander, former chief secretary to the UK Treasury, is a vice-president.
The bank’s ambitious goal – to help bridge Asia’s estimated $26 trillion infrastructure funding gap to 2030 – carries obvious risks. The bank funds projects in emerging markets such as Myanmar, Pakistan, Egypt and Turkey, which have experienced highly challenging credit cycles in the recent past.
“From the start, we set up a risk management framework which imposed comprehensive risk limits in all areas – investment, treasury, liquidity risk, market risk – the whole bank, at one shot,” says Kimmig. “Given the type of loans we provide are infrastructure-heavy, you want to have a capital concept that is very sensitive to concentration, credit quality and to tenor. That, essentially, allows you to more meticulously manage your assets.”
The bank’s loan book reached $6.4 billion in September 2018, and is set expand to $45 billion in loans and $2.5 billion in equity investments by 2027, according to its latest investor report – representing potential funding needs that have already made the bank an attractive client for large multinational dealers.
Its funding requirements are expected to grow from a few billion dollars per year in the first few years of operations to in excess of $10 billion per year in the mid-2020s. At the time the AIIB was founded, its longer-established peer, the ADB, had annual funding needs of $12 billion to $15 billion.
Joining the bank nine months after its 2016 inauguration, Kimmig’s principal task was to draw up the bank’s economic capital framework. Hitherto, the bank had been using a more static concept of capital-to-loan ratios to gauge credit risk – although it had a tiny book of just half a dozen loans.
The fundamental weakness of static capital ratios is their failure to size capital requirements against a loan by the credit risk they pose, as well as ignoring an instrument’s tenor or concentration. Under the new framework, if an investment is concentrated on a certain asset type or geographical area – road bridge building in Lesotho, say – capital charges ratchet up.
The bank had a march on most of its peers when it came to implementing new expected credit loss accounting rules – reporting standard IFRS 9, for all International Accounting Standards Board jurisdictions – that require lenders to set aside reserves against loans when they suffer a material change in impairment – a step change from the previous incurred loss approach, which only required banks to make allowances for loans where a counterparty had already breached its obligations.
Like any lender, Kimmig acknowledges the new rules will make capital planning a bigger headache: “At the moment, our loan book is small. But as it matures, loans might transition through IFRS 9 stages. There is significant volatility around provisioning when you move from stage one to stage two. Not only do you have to downgrade the loan, on top of that, you’re suddenly moving from 12-month provision to loan-life provision – which, for an infrastructure bank, might be 25 years.”
Published in November 2016, the bank’s risk management framework determines how much capital the AIIB is required to hold after a worst-case fair-value loss. The worst-case scenario refers to a tail probability of loss of 0.03%, reflecting a desired confidence level for economic solvency of 99.97% over a three-year horizon.
There is significant volatility around provisioning when you move from [IFRS 9] stage one to stage two … You’re suddenly moving from 12-month provision to loan-life provision – which, for an infrastructure bank, might be 25 years
The first phase of the framework was developed with Oliver Wyman in 2016, with the second phase subsequently developed with the support of Moody’s Analytics, as the bank powered up to full functionality.
Each investment proposal is also assessed by an investment committee against a series of qualitative and quantitative criteria, taking into account the riskiness, complexity and size of a deal. Given that long-term infrastructure projects often span borders, proposals also need to pass sovereign and counterparty credit risk assessments. The investment committee evaluates whether the borrowing country has the capacity and willingness to service external debt obligations, and whether the nation’s existing debt burden is sustainable.
Kimmig also instituted the idea of risk-adjusted return on capital, or Raroc, while setting the economic capital structure. The 93-member bank has set separate soft Raroc hurdles for non-sovereign businesses, or the private-sector businesses, as well as for its sovereign lending.
Like any lender, a strong second-line risk management function – charged with scrutinising and challenging the bank’s client-facing business function – is critical to its health, Kimmig tells Risk.net: “The second line of defence is independent, and really has the whole institution to look after. Every investment proposal gets a credit score card rating at the beginning and throughout the life of the deal. With that credit score, we calculate the capital consumption and Raroc. So, risk is an inseparable element of the activity that everybody does.”
Given the nature of its activities, the vast bulk of the bank’s capital base is allocated to credit risk – currently at 80% – with the remainder split between treasury and operational risk. Kimmig expects this proportion to rise to 90% as the bank’s loan book matures.
As a multilateral institution without a central bank as a de facto lender of last resort, the AIIB needs to hold enough capital and liquidity to sustain its operations during times of crisis. The bank’s risk limits policy states that its risk appetite is set at no greater than the bank’s available capital. Its liquidity portfolio should cover at least 40% of net cash requirements for the upcoming 36 months and 100% of net cash requirements for any upcoming 12-month period, and is expected to be well in excess of policy requirements for first five years of operations, the bank said in an investor presentation in November 2018.
Kimmig’s initial efforts appear to have borne fruit: the bank received AAA credit ratings from the three major rating agencies last July in its inaugural ratings review, with particular mentions for its robust capital adequacy, strong governance framework and solid shareholder support. It continues to earn praise for its risk management mechanism.
He joined the bank after a brief stint at the RockCreek Group hedge fund, where he covered emerging market equities. Before that, he spent 24 years at the World Bank Group, mostly in the IFC – which he joined in 1998, at the advent of the Asian financial crisis – going on to leadership positions in both investment operations and risk management in Washington, DC, Turkey and South Africa.
Kimmig’s encounters in developing economies spurred his interest in the AIIB job. “I enjoy the type of people you meet and infinite opportunity to access institutions and also pursue other objectives than just financial interests,” he says. “That’s why I [took] the opportunity that was offered here.”
But he hada hesitation, he says. When he joined, the bank’s lending and investment businesses were already up and running, but its risk framework was still a work in progress: “The challenge was: ‘How quickly can you catch up while the bank is already operating and put a proper risk function in place?’ That, to me, that was the key challenge.”
I enjoy the type of people you meet and infinite opportunity to access institutions and also pursue other objectives than just financial interests. That’s why I [took] the opportunity that was offered here
He arrived after his predecessor, Kyttak Hong, took a leave of absence in June 2016. Hong, former chairman and chief executive of the Korea Development Bank, took a leave of absence from the bank amid criticism of his supervision of KDB-controlled Daewoo Shipbuilding and Marine Engineering, which is under investigation for alleged accounting fraud. The AIIB made no comment on the investigations, merely confirming Hong’s departure.
From just one staff member when Kimmig joined, there are now around 12 people in the bank’s risk function – about 6% of the overall staff of 200, roughly in line with other peer banks. The bank intends to add more credit risk officers as its loan volumes increase. When hiring credit officers, Kimmig says he looks for people with 15–20 years of experience – on par with a project’s investment director – in order to add a sufficient extra layer of oversight.
The bank also employs a small quant team to manage its scenario library, headed by Oliver Burnage, who joined last year from Santander International, where he was head of the quantitative risk group.
In June 2018, the bank named Lynne Regenass its head of operational risk. She had initially joined as senior risk officer, and previously worked as the head of governance, risk and controls at Barclays Africa.
The size and remit may be different, but, as do other bank CROs, Kimmig recognises that a lender’s biggest losses can come from unexpected sources – many of them non-financial in nature. Operational risks and compliance issues for a fast-growing lender need to be taken on as seriously as credit risk, he says.
“I’m much more worried about franchise stakeholder risks – that would be more around compliance and operational risks. I do believe they will be more detrimental to the bank than a particular financial loss,” Kimmig says.
“Investing involves taking risks, making informed decisions and applying judgement. Hence, it’s inevitable to make a judgement error, but it’s not OK to not follow due process. To cut corners is never OK. We will be able to digest a judgement error here and there as long as we have consistent processes in place. That’s our risk culture.”
Biography – Martin Kimmig
2016–present: Chief risk officer, Asian Infrastructure Investment Bank
2014–16: Managing director and senior adviser, RockCreek Group
1998–2014: Chief investment officer, chief credit officer and chief risk officer, Africa, International Finance Corporation
1991–1998: Portfolio manager and head of international fixed income, World Bank Group
Editing by Tom Osborn and Narayanan Somasundaram
Brexit may spur higher op risk losses – EBA
By Louie Woodall | Data | 14 December 2018
The top five operational risk losses incurred by European Union banks in 2018 cost €35.4 billion ($40 billion) in total, equivalent to 2.1% of their Common Equity Tier 1 (CET1) capital on average – and higher costs are expected next year, driven in part by Brexit uncertainty.
Data published by the European Banking Authority (EBA) shows that the cost of op risks has increased year to year. In 2017, the five largest losses accounted for just 1.2% of EU banks’ CET1 on average.
Brexit fallout could ramp up op risk losses further in 2019, the watchdog said, as banks are not yet able to handle the legal issues arising from the divorce. More than 50% of respondents to the EBA's most recent Risk Assessment Questionnaire say they expect operational risks to increase.
In addition, almost nine out of 10 banks said cyber and data security threats would increase operational risks, up from just over half of respondents to the previous questionnaire. One in five said money laundering, terrorist financing and sanction noncompliance would act as key drivers pushing op risk higher.
Operational risk-weighted assets made up 10.5% of EU banks’ total RWAs at end-June. Romanian banks had the highest share of total RWAs taken up by operational risk, at 16.2%, and Polish banks the lowest, at 4.8%.
The French banking sector has loaded up on op RWAs the most across the EU, increasing them by €10.4 billion to €247 billion in the six months to end-June. Dutch banks have cut op RWAs the most, by €2.7 billion to €88 billion, over the same period.
Who said what
“The uncertainty around Brexit might also further increase operational risk, as banks cannot yet be fully prepared to tackle legal challenges, such as the status of existing contracts, and regulatory regimes as well as IT systems” – EBA Risk Assessment of the European Banking System, December 2018.
What is it?
The EBA publishes an annual report on risks and vulnerabilities in the EU banking sector. This accompanies the results of the EU-wide transparency exercise, which provides details on capital, leverage and profitability for 130 banks across all member states.
The watchdog also publishes a periodic Risk Assessment Questionnaire, with one set of questions addressed to banks and another to analysts. The results published in the most recent report come from 53 banks and 15 analysts questioned in October 2018.
Why it matters
Brexit presents a plethora of legal, conduct and regulatory challenges to EU banks. Every facet of UK-EU trading will be affected by the break-up, with a no-deal exit likely to trigger the greatest disruption. The uncertainty of what rules will apply to EU firms that deal with UK entities post-Brexit means that many could breach requirements unwittingly, or simply will not be able to re-paper contracts and establish new trading relationships in time for the March 29 exit date.
Regulators have attempted to provide some relief with the introduction of temporary permissions regimes that will allow firms to continue trading as they do at present for a short window post-Brexit, but the coverage they profess is patchy.
This means op risk losses are likely to rack up in 2019 and beyond as firms struggle to keep up with shifting standards. It's possible, however, that watchdogs will indulge those firms that breach requirements but have made good faith efforts to be in compliance. Only time will tell.
Op risk data: SocGen hit with $95m money laundering fine
By Risk staff | Opinion | 7 December 2018
Citi, JP Morgan settle Sibor rigging claims; Europe matches US on AML fines. Data by ORX News
The largest publicly reported op risk loss in November was $95 million paid by Societe Generale to the New York State Department of Financial Services for anti-money laundering (AML) and compliance deficiencies.
The regulator first identified failings in SocGen’s compliance and AML programmes in 2009, and ordered the bank to make improvements. These were successful between 2009 and 2013, but in 2014 onwards the bank’s compliance efforts declined “precipitously”, according to the DFS. SocGen received an unacceptable rating for its compliance function in four consecutive examination cycles.
Failures included weak oversight, governance and internal audit, and deficiencies in procedures around suspicious activity reporting, transaction monitoring and customer due diligence. The flaws culminated in November’s consent order with the regulator, as part of which the bank will pay $95 million.
SocGen also suffered a $1.34 billion op risk loss in November in the form of a settlement with US authorities, including the DFS, over sanctions breaches. This penalty is a continuation of previously reported sanctions provisions, so it is classed as a legacy loss and is not included in November’s overall tally.
In the second loss, Citi agreed to pay $38.8 million to the Securities and Exchange Commission to settle allegations it mishandled transactions involving American Depositary Receipts. ADRs are securities traded in the US that represent shares of a foreign company. For all issued ADRs there must be a corresponding number of foreign shares held by a custodian outside the US. In some cases, it is possible to undertake pre-release transactions, which occur when the foreign securities have been issued but not yet delivered.
According to the regulator, Citi provided ADRs for thousands of pre-release transactions when neither brokers nor customers held the corresponding shares to support the new ADRs, in violation of the pre-release agreements. Citi also kept some of its pre-release transactions open for more than five days, even though its policies said they should be delivered promptly.
The third-largest loss is from US mortgage lender Home Loan Center, which was ordered by a US court to pay $28.7 million in damages over the sale of bad mortgage loans between 2002 and 2007 to Residential Funding Co. Following Residential Funding Co’s bankruptcy, in 2013 its successor ResCap Liquidating Trust filed a lawsuit against Home Loan Center for selling Residential hundreds of loans which were below the standards agreed by the two companies. Home Loan Center was sold by parent LendingTree in 2012.
Fourth, Aetna Life Insurance Company was ordered to pay $25.6 million after a court found it acted in bad faith by refusing to cover proton beam therapy for a cancer patient in 2014. A jury found that Aetna’s doctors had spent insufficient time reviewing the case before denying the patient’s claims.
Finally, Canada’s TD Bank agreed to pay $18 million to settle a derivatives class action lawsuit brought by investors on behalf of TD Ameritrade, TD Bank’s subsidiary. The lawsuit alleged that TD Bank had disadvantaged TD Ameritrade when the two firms jointly acquired Scottrade Financial in 2017 because it reduced the price it paid to purchase Scottrade’s banking division, leaving TD Ameritrade to pay more for the remainder of Scottrade.
Spotlight: JP Morgan and Citi pay $21m over Sibor
JP Morgan and Citi agreed to pay $11 million and $10 million respectively to settle allegations in a US class action that they conspired to manipulate the Singapore interbank offered rate (Sibor), the Singapore dollar equivalent of Libor.
The banks were accused of colluding to submit artificially high or low rates to benefit the positions of their traders. As part of the settlement, JP Morgan and Citi have agreed to co-operate with the complainants in their case against the other defendants in the case, which are the 17 other Sibor panel members including Bank of America, Deutsche Bank and UBS.
In focus: AML in Europe
The latter half of 2018 has revealed a sequence of money laundering cases affecting banks in Europe. In September 2018, ING Bank agreed to pay a record European fine of €775 million ($880 million) for AML violations, and further details came to light of Danske Bank’s own €200 billion scandal. Most recently, Deutsche Bank was raided over money laundering allegations in relation to the Panama Papers disclosures.
These events appear to herald a shift from previous years, where the US saw the majority of AML losses. European regulators appear to be clamping down on AML in 2018. ORX News data shows that between 2014 and 2017, AML fines in western Europe and the UK totalled almost $214 million, compared to $1.96 billion in the US. However, in the first three quarters of 2018, fines in western Europe and the UK have already reached $918 million – almost matching US fines totalling $1.04 billion for the same period.
Although this is a sizeable increase, 84% of the total for 2018 is attributable to the single penalty imposed against ING. Nevertheless, European regulators have steadily increased the number of fines in recent years, from three in 2014 to nine in 2017 and 2018. This will potentially continue as banks including Danske, Deutsche and Nordea face investigations in the region.
The lack of a common regulatory framework may explain why European authorities have imposed fewer penalties than those in the US. The European Banking Authority delegates responsibility for AML compliance and enforcement to national regulators, whereas in the US, the Bank Secrecy Act is implemented across all 50 states.
Another factor may be the dispersion of euro cash clearing activity across Europe. Business is split between the UK, France and Germany – meaning that no one regulator has comprehensive oversight of all banks’ activities. In the US, most clearing happens in New York under the purview of the New York State Department of Financial Services, which has consequently levied a third of all US AML fines between 2014 and 2018.
Things look set to change, however. The Danske Bank scandal has triggered calls for an EU-wide AML body to enforce rules and provide resources to countries and regulators. In September, it was reported that the European Central Bank, the European Banking Authority and the European Commission had circulated a confidential AML discussion paper to national governments and the European Parliament, addressing a lack of collaboration by EU countries and their regulators, and inadequate oversight by the EU.
Andrea Enria, EBA chief and soon-to-be head of the ECB’s supervision arm, said in October that recent violations in AML and counter terrorism financing required an EU-level response. He added that the EBA would review supervision in all Union member states with the aim of introducing a consistent approach across Europe. Enria also called for more resources and greater clarity on the EBA’s powers.
The record fine imposed on ING may therefore set a precedent, rather than a high water mark, demonstrating that EU regulators are becoming tougher on AML violations, resulting in larger monetary penalties for firms that flout the rules.
Editing by Alex Krohn
All information included in this report and held in ORX News comes from public sources only. It does not include any information from other services run by ORX and we have not confirmed any of the information shown with any member of ORX.
While ORX endeavours to provide accurate, complete and up-to-date information, ORX makes no representation as to the accuracy, reliability or completeness of this information.
Integrating cybersecurity and operational risk to meet regulatory compliance
By Alex Hurrell | Advertisement | 5 December 2018
Christophe Delaure, Senior product manager, IBM
Mark Devereux, Senior principal, Promontory Financial Group
Caroline Philippe, Head of operational risk, EMEA, Societe Generale
Sean Titley, Director for business development, Institute of Operational Risk
Moderator: John Anderson, Contributing editor, Risk.net
Financial institutions understand the need to keep up with developments in operational and IT risk and cybersecurity.
New financial service regulatory requirements related to operational, IT, cyber risk and resilience are evolving, and with the EU allegedly facing 4,000 ransomware attacks per day, it is no surprise firms feel under pressure to prepare.
Managing IT risks and cyber threats is of vital importance in today’s data-driven world, however, it is no easy task.
Key topics discussed include:
Approaches to identification and management of the latest threats and vulnerabilities
Integrating IT risk as part of a comprehensive governance, risk and compliance strategy
Understanding IT risks in the context of a business.
Op risk jumps $7 billion at Aussie banks
By Alessandro Aimone | Data | 4 December 2018
Operational risk-weighted assets across the ‘Big Four’ Australian banks rose A$9.6 billion ($7.1 billion) in the fourth quarter of the year.
Westpac posted the largest increase – at 26.8% – with op RWAs jumping to A$39 billion from A$31 billion in the third quarter. Commonwealth Bank of Australia (CBA) saw its op risk edge up 2.4%, from A$56 billion to A$58 billion.
National Australia Bank’s (NAB) and ANZ Bank’s op RWAs were relatively stable on the quarter, at A$37.5 billion and A$37.6 billion, respectively.
Year to year, op RWAs have swelled A$32 billion (23%) at the Big Four. CBA’s increased the most, by A$24 billion (71%), followed by Westpac’s, which grew A$7.9 billion (25%). ANZ experienced a slight increase of A$313 million (0.8%) and NAB a decrease of A$75 million (0.8%).
What is it?
RWAs are used to determine the minimum amount of regulatory capital that must be held by banks. This minimum is based on a risk assessment for each type of bank asset. The riskier the asset, the higher the RWA, and the greater the amount of regulatory capital required.
All four Australian banks use the advanced measurement approach (AMA) for calculating op RWAs. This is based on a loss distribution methodology, which observes the frequency and severity of past op risk losses, and measures how much capital banks should set aside in case of reoccurrence.
Why it matters
Earlier this year, the Australian Prudential Regulation Authority (Apra) applied a A$1 billion op risk add-on to CBA’s minimum capital requirement after having identified “a number of shortcomings in CBA's governance, culture and accountability frameworks, particularly in dealing with non-financial risks”. This resulted in a $12.5 billion increase in the bank’s op RWAs.
The add-on remains today, and will only be removed with Apra’s permission. The bank created an independent reviewer to report to Apra on its progress resolving the deficiencies it identified, and issued its first report in October. A follow-up is expected by the end of the year.
As for Westpac, the bank said the increase in its op RWAs was due to the introduction of a model overlay “to approximate the standardised approach”. This sounds like the bank is clearing a path for the eventual switchover to the revised Basel standardised approach for op risk, which will replace the AMA in January 2022. Barclays and BNP Paribas did something similar this year, too.
Basel turns its attention to operational resilience
By Steve Marlin | News | 4 December 2018
New working group will focus on business continuity in the age of cyber threats
The Basel Committee on Banking Supervisionhas assembled a working group committed to keeping the business of banking humming even in the event of cyber intrusions or just technical snafus.
With typical stealth, the committee set up an operational resilience working group to study “issues related to cyber risk and broader operational resilience”, says the Basel website.
Information has been scant. But last week, at a Basel conference of banking supervisors held in Abu Dhabi, Lyndon Nelson, deputy chief of the Prudential Regulation Authority (PRA) at the Bank of England (BoE), detailed the working group’s brief, whose first task is to “identify the range of existing practice in cyber resilience, and assess gaps and possible policy measures to enhance banks’ broader operational resilience going forward”.
He said it was founded at the beginning of 2018 and aims to provide “a more concrete and specific understanding of the main trends, progress and gaps in the pursuit of cyber resilience in the banking sector”.
A spokesperson for the Basel Committee did not offer further comment on the group’s efforts when contacted.
Its formation, though, may signal a shift in Basel’s thinking on operational risk. Its operational risk working group was disbanded in 2016 after banking regulators opted to abandon the advanced measurement approach – a complex method ultimately seen as too free-wheeling – in favour of the more straightforward standardised approach for measuring operational risk.
Since then, it appears operational risk is shedding its skin of quantifying and capitalising losses to reveal a new layer, ‘operational resilience’ – the ability to rebound from cyber attacks or other disruptions. And the concern with the lurking, present threat of technology gone rogue or haywire is palpable across risk management.
“The development at Basel doesn’t surprise me,” says Jimi Hinchliffe, chief executive of NJ Risk and Regulatory Consulting in London. “Operational resilience has been the main game in town for the PRA for some time, so banks in particular have been focused on this as a key priority. The Financial Conduct Authority has also joined the party more recently.”
The institutions also jointly issued a paper in July focusing on improving resilience in the wake of incidents such as the Royal Bank of Scotland’s 2012 outage in its Irish operations, which ended up costing it £56 million ($88 million); and the blocked services this year at TSB, which will cost it £20 million. In its paper, the BoE aims to establish minimum service levels following incidents like these.
Some believe the UK financial authorities may have encouraged Basel to take this direction. In either case, the emergence of the Basel operational resilience working group is viewed by some as recognition that after the shift to the standardised op risk framework, the purpose of the op risk working group had largely vanished.
“Most firms have had operational risk frameworks in place for over a decade now past Basel II, so the frameworks should be reasonably robust now,” says Hinchliffe, who was a regulator at the UK Financial Services Authority and led the Basel II implementation project within wholesale firms from 2006–08. “Given the decision to drop the advanced measurement approach last year, there probably isn’t much need for an op risk working group focused on the framework and minutiae.”
There seems to be an underlying message with the move to the standardised approach and demise of the operational risk working group that operational risk is less important. Is this really the message the Basel Committee wants to send?
Risk executive at a large European bank
Others, however, see the de-emphasis on operational risk modelling as a mistake. Companies have invested heavily in building out their op risk modelling capabilities following the 2008 financial crisis, they note, adding that the new focus undercuts those efforts. The standardised approach – a traditional, backward-looking method – makes no provision for the possibility of catastrophic cyber risk.
“There seems to be an underlying message with the move to the standardised approach and demise of the operational risk working group that operational risk is less important. Is this really the message the Basel Committee wants to send?” says an operational risk executive at a large European bank. “This does little to reassure me that the Basel Committee really understands the importance of operational risk.”
Other op risk executives have been fostering a perception of resilience around tech in their companies. Cyber attacks are displacing conduct as the main operational threats, they say.
Conduct-driven risks, such as the mortgage-backed securities scandal years ago and the more recent mis-selling practices, are becoming less frequent because of the heavy penalties that follow.
“Ten years ago, if you started such a scam, nothing happened,” says an operational risk executive at a second large European bank. “Now, people are getting sacked and going to jail for such offences. Banks have way more governance in place.”
Industry data backs that up. The average size of operational risk losses plummeted to €206,000 in 2017 from €665,000 in 2012, revealed a report by ORX based on reports from its members.
In 2012, the 10 largest op risk loss events accounted for 35% of total loss. By 2017, they had fallen to 15%. This reduction followed the drop in fines and settlements over misdeeds during the crisis.
“Operational resilience reflects a shift towards regulation which is focused on the impact that a bank has on its customers or the wider market, rather than its own financial stability, ie, capital,” says Luke Carrivick, director of analytics and research at ORX.
The shift was apparent when looking at “impact types” during ORX’s work with banks to develop a new op risk taxonomy, adds Carrivick.
Banks are focusing on reducing more frequent but lower-impact incidents, such as cyber breaches, instead of trying to contain outsized legal settlements and calibrate op risk capital.
“You simply take operational risk capital as a God-given number you can’t influence much,” the second op risk executive says of life under the standardised approach. “It simply comes from a Basel formula, and it’s up to the business owner to get rid of the risks.”
But others warn against complacency on conduct risk. Banks have developed a maze of rules and policies to avert rogue behaviour that may actually make it harder to stop.
“Conduct became the cause célèbre for regulators post-crisis in the UK, and many firms responded by constructing whole new conduct risk edifices, with convoluted new conduct frameworks headed by people with grandiose new titles,” says Hinchliffe. “The result in many cases was duplication, inefficiency and confusion, and the misconduct continued.”
UK bank misconduct charges dwindle
By Louie Woodall | Data | 3 December 2018
UK banks’ rosy performance in the Bank of England’s stress tests was helped along by lower stressed misconduct charges, which were nearly half in the 2018 round what they were the year prior. Actual misconduct charges reported by six of the seven participating firms at end-2017 were also half their prior year level and have continued to trend lower in 2018.
The BoE wrote that stressed misconduct costs – legal and regulatory expenses incurred over and above loss provisions – totalled £25 billion ($32 billion) under the 2018 severe stress scenario at the seven participating firms: Barclays, HSBC, Lloyds, Nationwide, RBS, Santander UK and Standard Chartered. This was down from £40 billion the year prior.
Actual misconduct charges, the cash banks put aside to absorb expected legal and regulatory expenses, were £6 billion at end-2017, which reduced the pre-tax profits of the firms by a fifth.
Each of the participants save Standard Chartered disclose misconduct charges in quarterly and annual disclosures. Together, the six firms set aside £5.3 billion for these charges in 2017, down from £10.4 billion in 2016 and £14.8 billion in 2015. The reduction reflects the banks' expectations that they will incur lower misconduct costs in future years.
RBS reduced misconduct charges the most of the set, to £1.3 billion for full year 2017 compared with £5.9 billion in 2016. As of September 30 this year, misconduct charges totalled £1.2 billion.
HSBC reported a negative charge for 2017, meaning it released cash held in reserve to cover legal and regulatory matters back into net income, of £268 million. Its 2016 charge was £552 million. Up to the third quarter of this year, the charge was £644 million.
Barclays and Santander both curbed misconduct charges only slightly in 2017, to £1.2 billion and £393 million from $1.4 billion and £397 million, respectively. Santander reported lower charges for the first nine months of 2018 of £62 million, and Barclays higher charges of £2.1 billion.
Lloyds and Nationwide both marginally increased charges in 2017 compared to 2016, to £2.5 billion and £136 million from £2.1 billion and £127 million, respectively. Charges have, however, reduced substantially over the last three quarters, to £550 million at Lloyds and £15 million at Nationwide.
The aggregate Common Equity Tier 1 drawdown reported by the seven stress-tested banks attributable to misconduct charges for the 2018 round was 1%, down from 1.7% in 2017, 1.6% in 2016, and 1.4% in 2015.
What is it?
Misconduct costs as defined by the BoE are provisions taken against operating income. The BoE uses data supplied by the stress-tested banks directly for its analysis and to calibrate its stress tests. The above data is taken from quarterly and annual reports.
The UK stress tests consist of credit impairment, traded risk and misconduct components. The latter element projects losses due to legal and regulatory failings for each participant bank in excess of end-year provisions over a five-year time horizon.
Why were the stressed costs lower? One big factor was the settlement of a number of big conduct cases over the past year, including Barclays’ £1.4 billion and RBS’ £3.7 billion settlements with the US Department of Justice over the misselling of retail mortgage-backed securities. Now these costs are behind the two banks, they were filtered out of the BoE’s forward-looking stress projections.
However, the central bank has previously stated that misconduct costs are tricky to quantify, and that even where they have materialised or look likely to materialise, it's possible the ultimate charges for these will exceed estimates.
Maintaining high misconduct provisions, therefore, may be the most prudent course for banks to take, despite their deleterious effect on earnings. Not only will these help burnish future stress test results, they will also protect banks’ core capital from expensive settlements and charges in future.
Industry moves to revise out-of-date categories that feature risks such as cheque fraud
In 2001, the Basel Committee set its classification scheme for operational risks. Among the threats it listed was cheque-kiting, a form of fraud that siphons money available between the time a cheque is deposited and when it clears.
But even by 2001, cheques had begun their slow move to the sidelines – online payments were only just starting to gather momentum.
Today, cheque-kiting is an anachronism, and a wistful reminder that Basel’s taxonomy needs to be updated – or scrapped.
“People barely use cheques any more, let alone recall what cheque-kiting is,” says an operational risk executive at a global bank. “The bottom line is: this taxonomy isn’t fit for purpose.”
As a result, many banks today run two taxonomies: an internal one tailored to their particulars, and another mapped to the Basel categories – just in case regulators ask.
“We have our own taxonomy, which is more detailed and comprehensive than the Basel taxonomy, which is consistent with other firms on the Street,” says an operational risk executive at a large international bank in New York.
A taxonomy provides a baseline for quantifying operational losses. Being able to categorise a loss as internal fraud, model errors or an IT glitch, for instance, provides clarity on what precisely went wrong, and how to address it.
A general taxonomy also makes it possible to compare lapses across institutions, allowing banks to see how they compare against their peers and what dangers are brewing in the industry as a whole.
Into the breach has stepped the Operational Riskdata eXchange Association, a private consortium of banks and insurers that focuses on operational risk. The association has been pulling together a ‘reference taxonomy’ that expands on Basel with a contemporary suite of risks: cyber, tech, conduct, regulatory and compliance among them.
Organisations are telling us that as their focus becomes more about managing operational risk and less about measuring it, the taxonomies of the future will be geared toward more active risk management
Luke Carrivick, ORX
ORX has been developing its taxonomy over the past year after surveying its 98 member institutions for what they wanted in a replacement for Basel. And a big part of what they want is to see what might be coming in order to head it off at the pass.
“Organisations are telling us that as their focus becomes more about managing operational risk and less about measuring it, the taxonomies of the future will be geared toward more active risk management,” says Luke Carrivick, head of analytics and research at ORX.
ORX’s project substantially supersedes a taxonomy project several of its member banks – including JP Morgan, HSBC and Barclays – had been working on together, according to a senior op risk manager at one of the banks involved.
From classification to pre-emption
In the past, a taxonomy’s main purpose was to model risk for capital planning – to know how much to set aside to cover operational risk. But that’s no longer enough – and with the revised standardised approach for op risk capital being ushered in by Basel III, the role of a bank’s internal taxonomy in dictating how its losses are mapped and aggregated is set to decline in importance.
The overarching theme that emerged from ORX’s consultations with its members was that independent risk teams are working closely with their business divisions, and need a taxonomy that helps them see threats to be ready for them. The principles that ORX assembled were written to be accessible to the broadest number of a bank’s employees, to reflect changes in the risk management field and to be used as a reference by individual companies and the industry as a whole.
“The work done by ORX is aimed at understanding the changes that institutions have made and collating them in a coherent way,” says Guenther Helbok, head of operational and reputational risk at UniCredit Bank Austria and an ORX board member who oversees the taxonomy. “This evolution in the risk taxonomy will encourage a level of industry convergence.”
There are doubters, though. While praising ORX’s professionalism and agreeing it’s well qualified to develop a standard taxonomy, some ask whether a taxonomy developed by ORX – whose members are mostly large banks – makes sense for smaller banks.
“ORX do good work. If the industry is going to develop one taxonomy, I would have thought ORX best placed,” says the global bank executive. But an ORX taxonomy, he added, “may not be appropriate for smaller banks”.
Carrivick of ORX says its growth has lately come from smaller institutions, and regardless he maintains the framework is suitable for both.
“It isn’t intended as a prescriptive taxonomy to take away and use as is, it’s reference, not standards – so appropriateness is about how useful it serves as a benchmark,” he says. He adds it is “just as relevant to a smaller bank as a bigger one. The idea is that banks would pick from reference as appropriate to their business”.
If ORX are coming out with something, great. But I’m asking the question: why do you want to do this? If it’s to promote your external events, that’s fine, but it doesn’t mean every institution has to use your specific categories
Head of op risk at the London office of a large global bank
Another sceptic, the head of op risk at the London office of a large global bank, says if ORX does become the de facto industry standard, that’s fine, so long as companies realise it might have proprietary reasons for doing so.
“If ORX are coming out with something, great. But I’m asking the question: why do you want to do this?” he says. “If it’s to promote your external events, that’s fine, but it doesn’t mean every institution has to use your specific categories.”
If the industry wishes to compare data, it will need to settle on a common taxonomy, and ORX believes it’s well placed to do this. Banks are developing their own taxonomies in addition to Basel, ORX says, but are doing so largely in isolation. While there is a fair degree of commonality across the data, there is wide divergence in the taxonomies themselves.
A stroll down op risk’s memory lane
Banks have not sat idly by waiting for Basel to update its taxonomy. Instead, each has developed its own, using Basel as a starting point, either by marshalling its broad categories for risks that did not exist in 2001, or by adding new categories and subcategories to it.
For instance, the head of operational risk at the London office of an Asia-based international bank has developed a taxonomy to classify the risks of technological change and the threat of cyber attack. How? He reviewed the major op risk events at global systemically important banks over the last 20 years and ‘mapped’ them onto one of the Basel categories.
For example, he uses the Basel category ‘Business disruption and system failures’ for IT risks such as the 2013 malfunction of Goldman Sachs’s electronic trading system, which placed 16,000 erroneous options trades on major exchanges.
For another incident, he created a brand-new category – ‘fraudulent exploitation of algorithms’ – to cover the 2014 manipulation of bond prices with electronic trading algorithms by a former Bank of America Merrill Lynch trader in London. He linked this new category to Basel’s ‘External fraud’. He also filed the 2017 data theft at Equifax under external fraud.
The op risk chief likens the creation of a new risk taxonomy to the work biologists do when they categorise a new life form – they start with the categories they already have. In a similar manner, the op risk head reviewed hundreds of tech and cyber risk losses and categorised them, illustrating each with specific examples.
He believes IT and cyber are the themes that will dominate op risk in the future. They are not, however, new risk categories – IT and cyber cut across the existing seven Basel categories.
At the London office of the large global bank, the head of op risk recalls that when he created a risk taxonomy for his previous employer, a large North American institution, he created 15 or 16 separate risk categories. Some of them – internal and external fraud, for instance – were part of the Basel taxonomy, while others weren’t, such as information security and business continuity.
“When I created the taxonomy, I didn’t ignore the Basel categories – I mapped to them,” he says. “Basel has cheque-kiting and other subcategories that aren’t relevant.”
The London subsidiary updates its taxonomy quarterly, creating new categories when necessary. In the past few months, it’s created three, all on cyber and based on the Basel categories: internal fraud, external fraud and business disruption. As the new subtypes are developed, the bank maps them back to the Basel categories.
When one risk masquerades as another
The Basel working group was disbanded almost as soon as it wrapped up its work on the standardised measurement approach in 2016 – which some took as a signal that operational risk wasn’t high on the regulatory agenda. The Basel Committee declined to comment on whether it planned to update its 17-year-old taxonomy.
“Regulators need to have a common taxonomy. As a regulator, you need to be able to look at data across firms,” says the executive at the global bank. “Do we care that our taxonomy is different than another bank’s? Not in the least. But regulators want to be able to compare like with like.”
But the rationale for a taxonomy goes beyond appeasing regulators: it tracks the relationship between risks and losses. Without clear definitions, an operational risk loss, for instance, could be miscategorised as a credit or market risk loss.
For example, the failure of a system that monitors credit risk exposures could cause a bank to enter into trading positions that increase its credit risk to an unhealthy level. The cause is operational, but the fallout is seen in credit risk.
“There’s always a challenge to assigning a risk type to an incident,” says the operational risk executive at the large international bank’s New York subsidiary. “Having a simple straightforward risk taxonomy that is up to dat and consistent is valuable.”
Such miscategorisations could even be intentional if they’re aimed at reducing operational risk-weighted assets (RWAs), which determine a firm’s op risk capital. Unlike other types of RWAs, op risk RWAs can’t be reduced until the loss has been removed from a bank’s loss history – usually a minimum 10-year wait. Credit or market risk RWAs, in contrast, can be slimmed down fairly quickly and simply.
The difference creates a potential incentive to label op risk losses as something else. Eyebrows have been raised within the op risk community at JP Morgan’s apparent categorisation of the $6.25billion London Whale loss in 2012 as a market risk loss, despite a regulatory probe blaming the event on weak internal controls and the deliberate manipulation of risk models, among other things.
In 2015, ORX’s news site categorised the total loss as market risk, with a smaller amount – the $1.02 billion in regulatory penalties – ascribed to operational risk. ORX says that the news site categorised the losses based on publicly reported data, and that it does not know how JP Morgan characterised the losses internally. Two users of the firm’s private member database – which users submit actual loss data to anonymously – say no loss record exists within it that would match the London Whale losses if they were categorised as op risk losses, however. JP Morgan declined to comment.
ORX says its news site’s categorisation was reviewed by its Definitions Working Group, which concluded that the London Whale trading loss should be considered a market risk loss and the regulatory fines an operational risk loss. The working group’s view reflected a consensus of a wide range of companies belonging to the group, the firm says.
The benefits of in-house taxonomies, mapped to ORX or Basel, are clear: firms can make their taxonomies as detailed as they want, while the mapping ensures a common set of risk types and losses that can highlight operational risk across the industry
Start-up advisory firm Quant Foundry has built a taxonomy that uses machine learning to map a bank’s businesses, processes and controls. By populating the model with actual loss data, it’s possible to pinpoint the cause of loss events with great precision, the company says.
“Banks collect data, but they’re not using that data to manage risks,” says Chris Cormack, a founding partner of Quant Foundry in London. “Our approach is to build a data model that allows banks to understand how risks may have arisen.”
Use their words
One of the arguments for updating the Basel taxonomy is that it’s not written in language that bank executives would use to describe their risks.
“We all need to be speaking the same language,” says Matthew Moore, vice president of operational risk management at Deutsche Bank in New York. “When we are using different data to say the same thing, it takes away from the time we could be spending on managing risk.”
Operational risk executives say the ORX taxonomy offers a way for banks to speak the same language, both inside their institutions and out. And with a common reference point, whether set by Basel, ORX or some other industry consortium, any incident could be reported as an example of a specific risk type, which could then be aggregated to form an industry statistic.
“It’s important that when we have certain types of incidents that we know that we’re talking about the same thing,” says Moore.
Still, the benefits of in-house taxonomies, mapped to ORX or Basel, are clear: firms can make their taxonomies as detailed as they want, while the mapping ensures a common set of risk types and losses that can highlight operational risk across the industry.
In developing taxonomies, banks have to strike a balance between being accessible and being thorough. If the taxonomy takes too simple a view, it might not cover a wide variety of losses. If on the other hand it’s too detailed, it might be incomprehensible to all except op risk experts.
“The most important thing is to identify new risks, add them to the taxonomy and avoid the urge to overcomplicate things,” says the executive at the large international bank’s New York subsidiary.