On the selection of loss severity distributions to model operational risk

By Daniel Hadley, Harry Joe, Natalia Nolde | Technical paper | 11 September 2019

Aussie regulator signals tougher misconduct stance

By Aileen Chuang | News | 10 September 2019
Sydney business district

Asic warns it will use new powers to punish misconduct in wake of excoriating Royal Commission review

A repeat of the kind of conduct risk failures that saw Australia’s largest banks and insurers bribing staff to hit sales quotas and selling life insurance to dead customers will be met with the full force of newly beefed-up laws, a senior regulator at the Australian Securities and Investments Commission has warned.

Cathie Armour, a commissioner at Asic, said her watchdog intended to take full advantage of recent changes to the law when it comes to conduct risk enforcement, which have seen jail terms ramped up for criminal offences such as market rigging and rogue trading, and a dramatic rise in fines for individuals and companies.

February’s Royal Commission enquiry into conduct failings in the Australian financial sector led to close scrutiny of the performance of Asic as a financial markets supervisor. But in the years when the scandals occurred, “some of the key provisions in our laws actually didn’t have a penalty” sufficient to deter wrongdoing, said Armour, which she attributed to past lobbying by the financial sector.

“We, Asic, are reinventing or redoubling our efforts around enforcement, and we’ve reviewed how we do that. It’s important for the effectiveness of our financial system that the community sees that the problem is effectively, efficiently and often very publicly dealt with,” said Armour, speaking at Asia Risk Congress in Singapore on September 10.

Recent amendments to Australia’s treasury laws have significantly increased penalties and prison terms for corporate and financial sector misconduct. They have also added penalties for certain types of misconduct that were not previously punished – for example, there are now penalties for firms that fail to report breaches and for operating a financial services business without a licence, among other practices. The amendments took effect in March this year, a month after the Royal Commission’s report was published.

Prison terms for the most serious criminal offences, such as market rigging or unauthorised trading, have risen to 15 years from five years, while civil penalties for individuals guilty of serious misconduct can now be fined the greater of A$1.05 million (US$720,000) or three times the financial benefit gained from the misconduct. The maximum misconduct penalty for civil breaches by companies will be either A$10.5 million, three times the benefit derived by the misconduct, or 10% of the company’s turnover, capped at A$525 million per breach.

Both Asic and the prudential banking regulator – the Australian Prudential Regulation Authority – have publicly welcomed the amendments, and signalled they intend to make full use of them.

To date, the prudential regulator’s response has been to slap multi-billion dollar capital add-ons on the Big 4 banks. This is in addition to more than US$1 billion Aussie banks had already provisioned to meet the cost of expected fines and redress related to the scandals as of the second quarter of this year.

Decent penalties

Armour praised the response of the Australian government to the misconduct scandals, saying: “In Australia, we had a situation where there were all sorts of exceptions in our rules which were the product of very effective lobbying over the years. The government has very quickly changed the framework to ensure that there are decent penalties now.”

She added: “It’s really incumbent on us all to make sure that we do have a regulatory system that is fit for purpose and it does have the appropriate penalties.”

Armour’s comments chime with those of Commissioner Sean Hughes, who said in an August speech that the focus on enforcement would be on both corporate and individual accountability. Asic will pay close attention to whether people at the executive and board levels are carrying out their legal responsibilities.

“The community is looking to see accountability more and more,” added Armour.

Editing by Costas Mourselas and Tom Osborn

Op risk data: Sanctions-busting fines cost banks $20bn

By ORX News | Opinion | 6 September 2019

Also: ABN pays out for risk profiling fail; Deutsche settles nepotism charges. Data by ORX News

Jump to Spotlight: Bulgaria data breach | In Focus: Sanctions fines

In August’s largest operational risk loss, ABN Amro provisioned €114 million ($127.7 million) for a customer due diligence remediation programme after a probe by the Dutch central bank found that the lender had given most of its retail customers a neutral risk profile.

The central bank ordered ABN Amro to screen its five million retail customers in the Netherlands for criminal activity, including money laundering, and to ensure those customers are allocated the appropriate risk profile. ABN Amro must also look at how it onboards new clients.

The bank may face an additional fine, but it said that it had not considered this in its provision as it could not estimate the amount of a potential fine.

The Dutch central bank has increased its focus on customer due diligence since ING paid €775 million in 2018 for anti-money laundering and counter-terrorism financing violations.

The second largest publicly reported loss is a $60 million settlement between ITT Educational Services, a now-defunct US educational institution, and the Consumer Financial Protection Bureau. The CSFB found that ITT pressured college students to take out tuition fee loans it knew they could not afford.

Students were provided with incomplete or inaccurate information about the loans and were often unaware they had a private loan until receiving collection calls. The academic credits issued by ITT were not transferable to non-profit schools, and ITT used the prospect of expulsion and loss of money already spent to pressure students into taking out private loans. 

The third-largest loss saw commercial lender Central Bank of India defrauded of 3.55 billion rupees ($49.6 million) by Moser Baer India Limited, a manufacturer of data storage devices. MBIL is accused of obtaining commercial loans from Central Bank of India since 2009 using forged and fabricated documents.

India law enforcement officials arrested MBIL’s former executive director Ratul Puri on August 20. MBIL is thought to have obtained 60 billion rupees from at least 13 state-owned banks.

In fourth place, Deutsche Bank reached a $16.2 million settlement with the US Securities and Exchange Commission for improperly hiring relatives of Chinese and Russian government officials in order to solicit their business. The hired individuals were not subject to minimum academic grade requirements and undertook no competency tests or interviews. Some candidates received assistance from Deutsche employees in drafting resumes. The practice occurred between 2006 and 2014 and is estimated to have led to profits of at least $10 million for the bank.

In 2016, JP Morgan agreed to pay $264.5 million to US authorities and, in 2018, Credit Suisse agreed to pay $76.8 million, both for similar misconduct.

Finally, Nationwide said it would refund £6 million ($7.3 million) in excessive overdraft charges to customers. The UK-based building society failed to give account holders sufficient warning that they were about to be charged fees for unarranged overdrafts, according to the Competition and Markets Authority.

The problem began in February 2018 and affected 320,000 customers, almost a third of individuals who went overdrawn during the period. The CMA directed Nationwide to immediately improve its practices and regulatory compliance. Refunds will start in November.


Spotlight: Bulgarian bank in data breach

DSK Bank, based in Sofia, was fined 1 million lev ($567,000) by Bulgaria’s data protection commission on August 28 for failing to adequately protect customer information, resulting in unnamed third parties gaining access to data from more than 33,000 customers.

The data was taken from around 23,000 loan files, which also contained the personal information of customers’ related parties, such as relatives, vendors and loan guarantors. It comprised names, personal identification numbers, addresses, scanned copies of ID cards that contained certain biometric data, full tax and income information, bank account numbers and information about property deeds.

DSK Bank had failed to implement appropriate technical and organisational measures and ensure the confidentiality, integrity, availability and sustainability of its personal data administration systems, the commission said. The commission gave no further details about when or how the data breach occurred but the bank said it had not been the victim of a cyber attack.


In Focus: Banks pay penalty for sanctions violations

Fines issued for sanctions violations have cost firms $19.9 billion since 2009, according to ORX News data. Of this total, $19.4 billion was levied in the US. Sanction fine totals have risen each year since 2016.

In April, UniCredit and Standard Chartered settled with several US regulators for $1.3 billion and $947 million, respectively, for moving funds through the US financial system on behalf of sanctioned clients. The clients were entities in Iran, Myanmar and Sudan in the case of UniCredit, and Iran and Zimbabwe in the case of Standard Chartered.

In June, MUFG Bank settled with the New York Department of Financial Services for $33 million for continuing to inadequately screen transactions and failing to co-operate with an independent consultant appointed after a 2014 settlement with the financial watchdog.

While total fines have risen since 2016, the average size of individual fines has also increased. This appears to indicate that regulators, particularly those with jurisdiction over firms operating in the US, remain vigilant for sanctions violations.

It is worth noting that almost half of the total loss severity since 2009 relates to a single event in 2014, when BNP Paribas settled with US authorities for $8.97 billion. The bank had processed transactions in Switzerland for entities in Sudan, Cuba and Iran.

Some banks have sued successfully against fines they deemed unjustified. In June, Iranian lender Bank Mellat won £1.25 billion in damages from the UK government over 2009 sanctions that “irrationally and disproportionately” prevented the bank from doing business in the UK because of alleged links to Tehran’s nuclear programme.

According to the ORX’s annual risk horizon report, banks view financial crime, including sanctions and anti-money laundering, as the seventh most important operational risk.

Editing by Alex Krohn

All information included in this report and held in ORX News comes from public sources only. It does not include any information from other services run by ORX, and we have not confirmed any of the information shown with any member of ORX.

While ORX endeavours to provide accurate, complete and up-to-date information, ORX makes no representation as to the accuracy, reliability or completeness of this information.

The use of business intelligence and predictive analytics in detecting and managing occupational fraud in Nigerian banks

By Chioma N. Nwafor, Obumneme Z. Nwafor, Chris Onalo | Technical paper | 4 September 2019

Complex op risk models open to high error, study finds

By Alexander Campbell | News | 2 September 2019

Measuring 1-in-1,000 year loss events ‘unrealistic’, researchers say

Operational risk models used by many large banks could produce flawed results when calculating extreme tail risk events, upcoming research shows. The findings suggest that firms may be holding too much, or too little, capital against these risks.

The Basel II capital rules gave banks the option – at their regulators’ discretion – of using internal models to calculate their own Pillar 1 capital requirements for operational risk, under the advanced measurement approach (AMA), one of three options for op risk capital calculation. Most AMA banks used the loss distribution approach, which became a near-industry standard – and a de facto requirement for big US banks.

Modelling for operational risk capital purposes is set to be phased out in the coming years with the introduction of the new standardised approach in place of the AMA. But modelling will still play a role in internal capital and risk management decisions, and many banks are also looking at using models developed under AMA for calculating Pillar 2 capital requirements.

The potential for a risk model to produce an erroneous result is itself a risk – model risk – and falls under the general heading of operational risk. So it’s ironic that upcoming research has found that operational risk modelling, thanks to its focus on tail risks in the 99.9th percentile, is especially susceptible to model risk.

The study, by researchers from Standard Bank and North-West University in South Africa and due to be published later this year in the Journal of Risk Model Validation, found that cutting the target threshold from 99.9% to 95% could reduce model risk by up to three-quarters.

The authors say their results make the use of a 1-in-1,000 year standard for operational risk modelling “unrealistic”. Research under way will investigate using a multiplier on the more accurate 95% result to upscale it to the 99.9th percentile.

The study divided model risk into two types: errors in the choice or design of the model, known as misspecification risk; and errors in the parameters fed into the model, known as estimation risk. The authors simulated loss datasets with sparse data and heavy-tailed severity distributions – both typical features of operational risk loss datasets – and drew samples from them in order to construct models under the loss distribution approach.

The research set out to eliminate misspecification risk and isolate estimation risk by ensuring that the models always used the ‘correct’ form of distribution – that is, the one used in the simulated data itself. So, the data and models used either lognormal or Burr distribution for severity and Poisson distribution for frequency. In a real-world example, the true distribution would be unknown, producing misspecification risk as well as estimation risk, and future research will look at this issue, the authors say.

Then, for each new simulation, the authors calculated the true value of a given quantile of the distribution using a Monte Carlo simulation. They then drew a sample of data points and used them to construct a model of that distribution, and calculated the same quantile with the model. The difference between the true value and the modelled value, they argue, is a measure of the estimation risk for that model, and repeating the process for several samples – 1,000 for each distribution – will allow a measure of the range of model error. In this case, the measure used was the interquartile range of the distribution of model errors.

The model error varied depending on the distribution used and on the number of data points in the sample used to calibrate the model. Heavier-tailed distributions with a higher extreme value index – a statistical property used to measure tail-heaviness – showed model risk with an interquartile range of between 2.1% (Burr distribution, 1,000 data points) and 26.9% (lognormal, 100 data points).

The authors say they are confident their simulations are comparable to actual practice: “Based on experience from banks, our assumptions … are completely in line with the actual distributions that banks use in their op risk models. Also, by including a case with Burr distribution parameters where the extreme value index is equal to 0.5, we include a case where the tail behaviour is on the border of implying an infinite mean model, which represents an upper limit for a practically usable model.”

And, although model risk was relatively low for estimating the mean, when it came to estimating extreme quantiles, the risk grew substantially. When estimating the 99.9th percentile, the model risk interquartile range grew to 79.5% for a 100-point sample and a heavy-tailed Burr distribution – and tended to be an overestimate, which would lead to holding excess capital. If, instead, the model was used to calculate a 95th percentile, the range dropped to just 19.9% – “the estimation risk reduced by 75% when requiring the 95th percentile instead of the 99.9th percentile for sparse heavy-tailed loss data”, the authors write.

The research also found a significant advantage to modelling categories of operational risk separately. Although previous studies found that all types of non-conduct operational risk tended to behave similarly, leading to arguments that splitting loss data into different units of measure was unnecessary, the researchers also investigated the effect of using different models for each unit of measure – a business line or loss type, for example. This portfolio approach reduced estimation risk substantially compared with a single-model approach. At the 99.9th percentile, estimation risk for the portfolio approach was only 14.1%, well below the 20% average estimation risk for a single-model approach.

The scale of model error in operational risk models is difficult to determine, the authors say. But they point out that it’s possible to put upper bounds on it: “The interquartile range for the AMA capital divided by revenue of 37 banks is between 10.4% and 20.4%, implying that some banks’ AMA diversified capital can be almost double that of other banks’ relative to their revenue.”

This variation can be attributed to model risk, and other factors such as model misspecification and risk profile, the study concludes.

The authors of the paper are Kevin Panman, Liesl van Biljon and Leendert Haasbroek of Standard Bank, and WD Schutte and Tanja Verster of North-West University.

Editing by Alex Krohn

New op risk taxonomy set for October debut

By Steve Marlin | News | 20 August 2019

Project is being closely watched by banks and regulators amid frustrations with legacy Basel approach

A new standardised taxonomy for operational risk developed by industry consortium ORX is set to be unveiled in October.

After spending over a year sifting through a vast dataset composed of the taxonomies of more than 60 of its members, ORX has completed a first draft of the new taxonomy, which is currently being reviewed by a member advisory group, says Steve Bishop, head of risk information and insurance at ORX.

The project is not intended to supplant taxonomies at any one financial institution, but rather serve as a reference for firms to benchmark against their peers, and compare what is, by definition, standard practice across the industry.

“We do not see this as a one-off project, more of a starting point,” Bishop says. “Our intention is to repeat the work over a number of years. This will allow us to update the reference taxonomy, continuing to use a data-driven approach, and monitor whether we see convergence in the industry – potentially reaching an agreed standard in the future. It will also serve to identify new or evolving risks.”

The project – which Mark Cooke, head of op risk at HSBC has called “the most important structural development in operational risk management for 15 years” – is being watched keenly by banks and regulators, with the industry still largely wedded to the Basel Committee’s risk taxonomy, which dates from 2001.

Originally intended as a way to assign operational losses into buckets for the purpose of calculating op risk capital, taxonomies have evolved to serve as a common language for understanding the sources of risk and their business impacts. Most firms have used variants of the legacy Basel approach as a starting point for developing their own taxonomies, which may include more recent risks such as cyber attacks.

“New taxonomies can be useful for emerging risks, where there’s less common understanding, such as cyber and IT risks,” says a senior London-based operational risk executive. 

Over the years, every bank has developed its own taxonomy with its own idiosyncrasies, so ironing them out has been a significant task. The complexity of risk taxonomies has also grown in that time; where the original Basel taxonomy contained seven broad Level 1 risk categories, the ORX taxonomy will have some 16 Level 1 risks, and expects to have between 60 and 80 Level 2 risks, says Bishop.

Those numbers mask a significant disparity in granularity of approach between the firms whose taxonomies ORX surveyed, however, which ranged between 20 and 700 line items, with a median number of 69.

One area of divergence is cyber risk. Some banks treat cyber as a distinct risk, while others view it not as a risk per se but as a vector for other risks, such as external fraud.

New taxonomies can be useful for emerging risks, where there’s less common understanding, such as cyber and IT risks

Senior London-based operational risk executive

Here, banks might need regulators to step in and lay some groundwork. The US Federal Reserve is playing a lead role in defining and measuring cyber risk, with the watchdog formulating a white paper on definitions to be published by the end of this year. Although the Financial Stability Board has issued a lexicon for cyber risk, there is no consensus among financial institutions on terminology.

ORX has hired management consultant Oliver Wyman to help sift through the individual taxonomies and discern common threads.

“Most banks have a Basel taxonomy, but in parallel they have a different tailored taxonomy,” says Evan Sekeris, partner at Oliver Wyman. “We are looking through those 60 bank taxonomies and trying to find common denominators. Are there things that everybody looks at the same way? Are there risks where there are divergences?”

ORX’s project substantially superseded a taxonomy project several of its member banks – including Barclays, HSBC and JP Morgan – had been working on together.

While lauding the project’s aims, seasoned op risk executives point out that changing industry practice is hard.

“Everyone wants a common taxonomy as long as it’s theirs,” says Andrew Sheen, an operational risk consultant. “Firms experience this internally as well. They have financial crimes silos and operational risk silos, all of which have developed their own taxonomies.”

Carney: Germany and France risk Brexit derivatives cliff edge

By Christopher Jeffery, Daniel Hinge, Helen Bartholomew | News | 19 August 2019
Mark Carney

BoE governor says it is in EU countries’ “interest” to ensure full viability of financial contracts pre-Brexit

The failure of Germany and France to amend rules related to the treatment of some over-the-counter derivatives contracts ahead of the UK’s exit from the European Union could cause unnecessary stress to the European financial system, according to Mark Carney, governor of the Bank of England. Carney calls on European lawmakers to address the matter before October 31.

The UK central bank – which has micro- and macroprudential oversight of the UK financial system, as well as resolution responsibilities for banks, insurers and financial market infrastructures – has warned for some time of the need to tackle Brexit transition risks associated with multi-trillion dollar, OTC derivatives contracts. The UK’s new prime minister, Boris Johnson, has repeatedly stated his commitment to the UK leaving the EU with or without a trade deal by October 31.

During a wide-ranging interview with Risk.net’s sister publication Central Banking, Carney says the EU authorities have already tackled one major danger, related to cleared derivatives – at least in the immediate future. “The big thing that has been resolved is for cleared derivatives contracts,” says Carney. “The European authorities have taken measures for temporary permissions for large financial market infrastructures, which is hugely important.”

EU institutions were given temporary access to London-based derivatives clearing services such as LCH, Ice Clear Europe and LME Clear until March 30, 2020.

Problems remain, however, with bilateral, non-cleared derivatives.

Lawyers say there’s no question about the legal enforceability of bilateral, uncleared financial contracts post-Brexit. But there is a problem related to the lack of recognition among some European jurisdictions – notably in the two largest eurozone economies – of so-called ‘lifecycle’ events.

Lifecycle events include amending the terms of trades as well as the ability to compress or cancel derivatives against similar positions, which are very common practices in the derivatives industry. Compression of trades is viewed as an important post-financial crisis technique for reducing operational risks related to derivatives positions.

“For bilateral, uncleared contracts, national legislation has taken care of this in some jurisdictions in Europe, but in a number of the big ones – Germany and France are the most obvious – they have not addressed it,” says Carney. “The consequence of that is there is some risk.”

A lawyer at one bank with a large derivatives operation in London says he is also concerned about the situation highlighted by Carney. He says there have been few signs of an effort to address discrepancies in Germany and France, although Nordic countries, Benelux nations and Italy have all taken steps to address the issues.

“We have a difference of opinion with the European authorities about the seriousness of this risk,” says Carney, adding it is “in Europe’s interest and also ours residually” to address this risk “more clearly”.

Carney questioned the wisdom of increasing operational risks in the event of a no-deal Brexit, and reiterated that the authorities in Germany and France may not have fully grasped the scale of the issue.

“We know some of the largest institutions in London, they perform tens if not hundreds of thousands of these lifecycle events in total on a weekly basis,” says Carney. “So having legal uncertainty or an inability to perform lifecycle events when lots of other things are going on and there is lots of volatility – which would happen with a no-deal Brexit in our view – is not sensible. You can debate the scale of the risks, but it is just not a sensible risk to take.”

Some European officials, notably those in France, would like to see legacy (and new) bilateral, non-cleared derivatives held between UK and EU counterparties moved from the UK to Europe via a process called novation. “That approach in France [on life events] is combined with an approach to encourage moves and make it easier to move,” says the lawyer at a large bank in London. “So I wouldn’t anticipate France providing any relief. It’s not really aligned with their priority of encouraging clients away from London.”

The authorities in Germany, meanwhile, do not appear to have engaged with market participants even to discuss the issue. “Germany has simply enabled the creation of a regime,” says the bank derivatives lawyer. “They’ve given the regulator the authority to provide relief but, in fact, that ability hasn’t been triggered.”

Asked if he expected European authorities to tackle the issue of derivatives lifecycle risks by the Brexit deadline of October 31, Carney replies: “It is very much in the interests of France and Germany to make some movement on that.”

This article originally appeared on Risk.net’s sister website, CentralBanking.com.

Uniform? Op risk capital rules go their own ways

By Steve Marlin | Features | 15 August 2019

Europe and Canada set to include historical losses in new standardised approach; Australia probably not

An effort to harmonise op risk capital rules around the world appears instead to be another case of regulation fracturing into national variants right out of the gate.

In 2017, national regulators were given leeway under Basel III to allow banks to ignore the impact of past losses when calculating capital under revisions to the new standardised approach – with the potential to dramatically affect how much capital lenders would be required to hold.

So far, Europe, Australia and Canada appear to be rippling in different directions: Europe and Canada have proposed including historical losses in capital calculations; Australia may be leaving them out.

“It defeats the purpose of the whole exercise,” says Evan Sekeris, a partner in the financial services practice at Oliver Wyman in Washington, DC. “With this new approach, which feigns convergence, all of a sudden we start having different implementations.”

Other big regulators – the Federal Reserve and the Bank of England – have not yet spoken on what direction they will take. National regulators have until 2022 to put their plans into effect.

The new standardised approach is composed of two core elements: a business indicator component, that ranks firms by revenue and then applies a multiplier to determine a baseline capital requirement; and an internal loss multiplier (ILM), which scales this base number according to the banks’ losses over the previous decade.

Evan Sekeris

But regulators in places with heavy loss histories are said to have demanded the option of excluding them, saying they would weigh too heavily on bank capital. To excise them, the ILM would be set at one – in other words, a wash. Capital requirements would then be based only on the size of a bank’s business.

Some banks with subsidiaries in jurisdictions with conflicting standards fear they will have to comply with the more stringent set of requirements.

“If the fiscal regulator at the top has a different pronouncement from one of the sub-regulators, inevitably you will end up with a capital calculation which is the highest outcome,” says an operational risk executive at a major European bank.

An analysis by the Basel Committee and the European Banking Authority (EBA) showed op risk capital for European banks would increase 44.7% over June 2018 levels once the new standardised approach is adopted. For those banks coming from the advanced approach, op risk capital would rise 40.1%, the analysis found.

The EBA also predicted regulators with discretion to set the ILM would use it – upending one of the key goals in setting aside the advanced measurement approach in favour of the standardised one.

“One could argue that including historical losses is counterintuitive to a forward-looking risk-based approach – but the regulators want consistency on a pan-European basis,” says the op risk executive. “Otherwise, it creates arbitrage opportunities.”

There are other ways regulators could tweak the impact of historical losses, observers point out: according to the final agreed framework, the minimum threshold for including a loss in the 10-year rolling lookback is €20,000 ($22,000). At national regulators’ discretion, this may be raised to €100,000 for mid-sized and large banks.

One could argue that including historical losses is counterintuitive to a forward-looking risk-based approach – but the regulators want consistency on a pan-European basis. Otherwise, it creates arbitrage opportunities

Risk executive at a major European bank

Who’s doing what

Canada’s Office of the Superintendent of Financial Institutions (Osfi) has recommended including past losses in op risk capital calculations because it makes the requirements more risk-sensitive, says a spokesperson. It is still weighing whether to make that inclusion mandatory, though.

Osfi has elected to move up the effective date for its new requirements to 2021, a year ahead of the final deadline, saying the earlier date shouldn’t present any difficulty to Canadian banks because they will not need to build additional models. Osfi is also analysing the impact of the revised Basel III requirements using data submitted by banks.

In Europe, where EU legislators have yet to take up the matter, the EBA this month concurred with Canada on including historical losses, recommending against allowing national regulators to set the ILM to one. To do so, they argued, would result in an increase in op risk weighted assets (RWAs) of less than 20% for the largest banks – essentially giving the largest banks a walk on the losses of the last decade. In contrast, an ILM with a bite would jack up RWAs more than 50%.

The EBA also wants a higher ILM because it would encourage banks to avoid losses that would be branded into their op risk capital for a long while.

Australia, meanwhile, has proposed excluding historical losses – capital would in effect be based entirely on a bank’s size. In a characteristically plain-speaking 2018 consultation paper, the Australian Prudential Regulation Authority (Apra) said including loss history would skew capital calculations, because doing so would mean including losses from businesses a bank had already exited.

That would mean “a significant misalignment between current exposure and capital”, the watchdog noted – in effect, closing the barn door after the horse has run off.

An analysis by the authority found that excluding historical losses would result in a small decrease in op risk capital under the new standardised approach for the largest banks migrating from the current advanced measurement approach, an Apra spokesperson says. Like Canada, Australia has opted for a 2021 effective date.


Still, Apra can at any moment impose capital add-ons if it thinks a bank’s op risk capital is insufficient. Last year, the authority demanded a $744 million add-on from the Commonwealth Bank of Australia; this year, it required $348 million from each of three other banks: ANZ, the National Australia Bank (NAB) and Westpac. Apra underscored that these cases were based on non-financial aspects of op risk that would not be apparent historical loss data.

In the US, the Fed has given no indication of when it will pronounce on the new standardised approach. Practitioners speculate that, when it does, it might let banks seek permission to exclude some loss events from their histories, perhaps by raising the threshold at which losses are included in a bank’s 10-year window.

“The Fed has a strong desire to coordinate internationally,” says a second op risk consultant. “What they might touch is individual loss data, because other regulators are signalling they might do that. There’s language that gives local jurisdictions the ability to allow the exclusion of specific data points.”

The Fed declined to comment.

The Prudential Regulation Authority (PRA), the rule-making arm of the Bank of England, has not given any hint as to whether it will set the ILM to one, but practitioners speculate the watchdog might do so given its emphasis on the qualitative aspects of operational risk over quantitative.

“The PRA would always want to have some sort of direct capital oversight,” says the first op risk executive. “If you move to a new standardised approach, then Pillar 2 becomes close to obsolete. The idea that the PRA is not against a multiplier of one seems reasonable.”

The Bank of England declined to comment.

Many banks have a knee-jerk reaction: ‘We don’t want the ILM, we want it set to one’. If you believe you have a handle on your losses, then it’s in your interest to keep the ILM in

Evan Sekeris, Oliver Wyman

The promise of absolution

One spanking new feature of the revised standardised approach is the use of a moving 10-year window on losses. The window will be a boon to banks laden with crisis-era losses: by the time the standardised approach is fully phased in, the window will have largely scrubbed those old losses from banks’ op risk calculations. Large banks, particularly those in the US, would benefit since under the advanced model they have had to use loss data stretching even decades back.

“If the standardised approach goes live in 2022 or ’23, then many of these losses would disappear,” says an op risk executive at a second large European bank.

The moving 10-year window would also soften the effect of an ILM of more than one.

“While in the short term, many banks might suffer from the ILM, in the long run they would benefit as the moving window expunges crisis-era data,” Sekeris says. “Many banks have a knee-jerk reaction: ‘We don’t want the ILM, we want it set to one’. If you believe you have a handle on your losses, then it’s in your interest to keep the ILM in.”

Loss history is a major component – though by no means the only one – of op risk RWAs for banks using the current advanced approach. Since each bank uses its own model, and each decides how conservative to be, the amount of RWAs could vary even among banks with very similar loss histories. Also, op risk RWAs as a percentage of the overall total will depend on the composition of a bank’s businesses: a bank with relatively low credit or market risk RWAs could have proportionately higher op risk RWAs.

Another factor is the treatment of losses at businesses a bank has exited. Some banks have placed those RWAs in ‘capital release units’, or ‘bad banks’, and may then ask regulators to disregard them for purposes of op risk capital on grounds the losses have nothing to do with the ongoing business. (See box, ‘A case for clemency?’)  

Still, some insight can be gleaned from looking at op risk RWA percentages. Out of 19 European banks, UBS had the highest percentage of op risk RWAs for 2018, at 29.4%. Rounding out the top were Deutsche Bank with 26.3% and Credit Suisse at 24.9%.

At the bottom of the European scale, Intesa Sanpaolo had op risk RWAs of 6.4%, along with UniCredit at 8%, DZ Bank with 8%, CaixaBank at 9% and Groupe BPCE with 9.7%. The remaining banks hovered between 10% and 14%, with the exception of ABN Amro which came in at 18.1%.

The five large Canadian banks had percentages between 12% and 13%, with the exception of Scotiabank at 11.2%. Of the big Australian banks, ANZ, Westpac and NAB were all below 10%; the Commonwealth Bank of Australia was an outlier at 12.7%.

The Basel accords aimed first and foremost to fortify cash bulwarks at banks after the financial meltdown caught them woefully undercapitalised. Uniformity in capital rules was always a secondary aim. Still, some observers blame the knot of coming national rules on the Basel Committee itself: if it wanted homogeneity, why allow discretion that would predictably torpedo it?

“All the divergence and deviations from a unified capital model come from a serious lack of confidence in what the standardised approach has to offer,” says an operational risk consultant. “The only thing that flexibility does to a model is destroy the credibility of the model.”

A case for clemency?

One way banks can shed risk-weighted assets quickly is by convincing their regulators to let them disregard historical losses they consider no longer relevant when calculating capital – usually, where the losses occurred within a business the bank has subsequently exited.

Under the new standardised approach, national supervisors will retain this discretion; but as the Basel Committee notes: “The exclusion of internal loss events should be rare and supported by strong justification,” adding that when making their decisions, supervisors “will consider whether the cause of the loss event could occur in other areas of the bank’s operations”.

This can get tricky, as regulators may have their own view of things. Losses related to misconduct, for example, could be construed as part of a wider corporate-culture problem, rather than a few bad apples in one particular business line or subsidiary, and therefore still deemed worthy of inclusion in a bank’s capital number.

One bank currently looking for clemency on past losses is Deutsche Bank. The bank is moving €74 billion of RWAs ­­– €36 billion of that representing operational risks – into a ‘capital release unit’, or ‘bad bank’.

The German lender’s hopes for shedding operational risk-weighted assets rest on whether it can convince regulators that it has truly set aside businesses that were bleeding it of cash. Deutsche, which currently uses the advanced measurement approach to model its capital requirements, plans to unload the assets over the next three years, and gradually wind down the bad bank, reducing its op RWA pile to €28 billion by 2021.

But in taking this step, Deutsche Bank is also hoping to wash the losses from its modelling slate.

“In the operational risk world, you can drop the loss history ultimately from your modelled results if you exit a business, in consultation with your regulators,” James von Moltke, the company’s chief financial officer, said on a July 7 call to analysts.

And those regulators are crucial. In order to get a capital reduction, Deutsche has to prove to them that the losses were in the discontinued businesses, and not part of its ongoing operations.

Regulators will also want to see whether Deutsche Bank has truly closed the door on a business, or merely reduced its presence.

“There has to be a full exit of that market or product,” says Andrew Stimpson, an analyst at Bank of America Merrill Lynch. “The question for Deutsche is whether it’s really a full exit or whether the exits are substantial enough to give regulators that assurance that they aren’t just becoming smaller in a product, but are actually exiting it entirely.”

Deutsche Bank will ultimately need to make its case to the European Central Bank, which is likely to be less accommodating than the bank’s home-country regulator in Germany.  

“To the extent the changes in the operational risk model are material, as defined by applicable EU regulatory standards, they have to be approved by the competent authority, ie, the ECB,” says an ECB spokesperson.

Deutsche Bank declined to comment.

Op risk data: Mifid fines hit $140m

By ORX News | Opinion | 9 August 2019

Top five: Deutsche pays €175m to settle derivatives bribery claims. Data by ORX News

Jump to Spotlight: FBI busts hacker | In Focus: Mifid fines

The largest operational risk loss in July is from a familiar source: a fraud at an Indian bank. Punjab National Bank reported a 38.1 billion rupee ($555.6 million) loss from Bhushan Power & Steel, which is accused of manipulating its accounts to raise funds from a consortium of lenders and misappropriating bank funds.

Bhushan’s former chief financial officer and director, Nittin Johari, was arrested by Indian police in May 2019 over alleged fraudulent activities, including filing false documents with various banks, according to media sources.

Punjab National Bank said it expected a “good recovery” of the losses and had already provisioned 19.3 billion rupees in line with regulation.

In April, it was reported that Bhushan Power & Steel had fraudulently diverted 23.5 billion rupees held in loan accounts at Punjab National Bank, Oriental Bank of Commerce, IDBI Bank and UCO Bank to the accounts of various companies and shell companies. It is unclear whether or not that case is related to the 38.1 billion rupee fraud at Punjab National Bank.

The second largest publicly reported loss is a $314.6 million fine for now-collapsed Dubai private equity firm, Abraaj Group. An investigation by Dubai’s financial regulator found that two of the company’s subsidiaries managed assets without proper authorisation between 2007 and 2018, provided misleading financial information, and failed to maintain adequate capital resources, among other failings.

As early as 2009, Abraaj’s compliance function had raised concerns about the group carrying out unauthorised financial services, the regulator found. However, senior management ignored this.

In third place is another loss related to Bhushan Power & Steel. Kolkata-based Allahabad Bank reported a fraud totalling 17.8 billion rupees ($258.9 million) in Bhushan’s account.

Following an audit of the steelmaker’s borrowings at Allahabad, Indian police filed an initial report against Bhushan and its directors. Allahabad has provisioned 9 billion rupees against the loss, and, like Punjab National Bank, it said it expected a “good recovery”.

The fourth largest loss is the €175 million ($197.1 million) that Deutsche Bank agreed to pay Dutch housing co-operation Vestia to settle allegations that the bank bribed Vestia’s treasury and control manager, Marcel de Vries, to enter the company into interest rate swaps that caused it substantial losses.

Last year, de Vries was convicted of bribery in the Netherlands and sentenced to three years in prison. The bank reportedly paid €3.5 million in commissions to Dutch intermediary First in Finance Alternatives, over half of which de Vries received.

In 2012, Vestia suffered €2 billion in losses on derivatives purchased from banks, including Deutsche, as a hedge against rising interest rates. Deutsche did not admit liability.

Finally, US credit card issuer Capital One said it expected to pay up to $150 million after a hacker accessed the personal information of 106 million credit card applicants and customers and shared it online.

Capital One will offer credit monitoring and identity protection to all those affected, but as of July 29 does not believe that the compromised information has been used fraudulently. The firm expects costs of up to $150 million to be largely driven by customer notifications, credit monitoring, technology costs and legal support. Customers have so far filed three lawsuits against the firm.


Spotlight: FBI arrests Capital One hacker

Two breaches at a US and a Canadian firm exposed the personal data of millions in the past two months.

On July 29, Capital One disclosed that an external party had gained access to the personal information of its 106 million credit card applicants and customers by exploiting a configuration vulnerability in its infrastructure. The same day, the Federal Bureau of Investigation arrested a person believed to be responsible for the hack. Capital One said the incident could cost it up to $150 million (see above).

According to the FBI, the hacker accessed the data at various times between March 12, 2019 and July 17, 2019, exploiting a vulnerability caused by a misconfigured web application firewall. The hacker was able to decrypt encrypted data, but tokenised data, including account numbers and social security numbers, remained protected. The information was reportedly held on servers rented from Amazon Web Services.

In June, the Canadian credit union group Desjardins revealed that an employee had shared the information of 2.9 million of its members. Desjardins added there had been no spike in fraud cases as a result of the breach.


In Focus: Banks rack up big Mifid trade reporting fines

Though Mifid II has drawn much alarm from the banking world, it is Mifid I, which took root in 2008, that has cost them big in fines so far. Over the life of the directive, European regulators have levied penalties of $139 million – more than half of that attributable to just two fines imposed by the UK’s Financial Conduct Authority in March of this year.

On March 18, UBS was fined £27.6 million ($33.5 million) for failing to submit complete and accurate reports for 135.8 million transactions. The FCA determined the failings were caused by 42 separate errors between 2007 and 2017, touching 7.5% of UBS’s reports.

Shortly after, on March 27, Goldman Sachs International was fined £34.3 million for failings in its transaction reporting. The FCA found Goldman had filed inaccurate or late reports from 2007 to 2017, covering products including equity instruments, cash equity products and other securities.

In total, the FCA has fined 14 firms over reporting failures under Mifid I going back to 2009. In contrast, there have been only a handful of fines over €500,000 outside the UK, perhaps reflecting London’s importance as a hub for settling trades.

Firms must also comply with the stringent European Market Infrastructure Regulation, which requires them to report over-the-counter derivatives positions to trade repositories.

A year ago, the European Securities and Markets Authority reported there were three regulatory penalties under Emir in 2017 – fines of €60,000 and €105,000 by Covip, Italy’s pension fund commission, and another of £34.5 million by the FCA in the UK. This last one, announced in October 2017, chastised Merrill Lynch International for failing to report 68.5 million exchange-traded derivative transactions.

Editing by Alex Krohn

All information included in this report and held in ORX News comes from public sources only. It does not include any information from other services run by ORX, and we have not confirmed any of the information shown with any member of ORX.

While ORX endeavours to provide accurate, complete and up-to-date information, ORX makes no representation as to the accuracy, reliability or completeness of this information.

Goldman’s op RWAs fall 8% in Q2

By Alessandro Aimone | Data | 8 August 2019

Operational risk-weighted assets (RWAs) fell 8% at Goldman Sachs in the second quarter of the year, as a series of past op risk events fell out of the internal loss data used to calculate its requirements.

Total op RWAs stood at $107.2 billion at end-June, compared with $116.7 billion the quarter prior and $113.6 billion the same quarter a year ago.

The bank’s total RWAs, calculated under the advanced approach, rose $1.9 billion in Q2 to $558.5 billion, as higher credit RWAs more than offset reductions in op and market RWAs. However, year-on-year, RWAs fell $55.9 billion, or 9%.

Op RWAs currently make up 19.2% of the bank’s RWAs.

What is it?

US banks use the advanced measurement approach (AMA) to quantify their op RWAs and associated capital charges. This approach uses the frequency and severity of past op risk losses to determine how much capital should be put aside to absorb potential future losses.

Each bank’s exposure is modelled using scenarios incorporating several different types of operational failure, as well as internal and external actual loss experience. 

Updates to the loss experience inputs can cause the resulting op RWA amounts to vary dramatically. For example, if a large regulatory fine is incurred during one quarter, it may result in higher reported op RWAs at the end of that reporting period.

Why it matters

Goldman noted that lower operational RWAs reflected “the removal of certain events incorporated within the firm’s risk-based model based on the passage of time”. These likely refer to regulatory fines and other sanctions imposed at the time of the financial crisis, which are now falling out of the backward-looking dataset used as an input to the bank’s AMA model. 

This doesn’t mean, however, that Goldman’s op RWAs will continue to roll down quarter on quarter. Potential op risk losses lurk on the horizon, such as a looming criminal case brought by Malaysian prosecutors in relation to the bank’s involvement in the 1Malaysia Development Berhad scandal.

This could result in fines and fees that would work their way into Goldman’s loss history and counteract the removal of financial crisis-era events.

Get in touch

Sign up to the Risk Quantum daily newsletter to receive the latest data insights.

Share your thoughts with us. You can drop us a line at alessandro.aimone@risk.net, send a tweet to @aimoneale, or get in touch on LinkedIn

Keep up with the Risk Quantum team by checking @RiskQuantum for the latest updates.

Tell me more

Goldman Sachs builds legal reserves

Goldman, Wells cut operational risk

Has op risk capital peaked for US banks?

View all bank stories