Op risk data: SEC issues first fine under cyber risk rule

By Risk staff | Opinion | 10 October 2018

SocGen provisions for sanctions violations; has the SMR prompted more bank CEO resignations? Data by ORX News

In the largest publicly declared operational risk loss from September, Societe Generale provisioned €1.1 billion ($1.28 billion) to cover penalties it expects to receive from the US authorities over sanctions violations. SocGen is being investigated for alleged breaches involving Iran, Cuba and Sudan in 2014.

The investigation involved the Department of Justice and the Treasury Department, as well as federal and New York state attorneys, the Federal Reserve and the New York Department of Financial Services. On September 3, SocGen said it had entered a more active phase of discussions with US authorities and expected to reach a resolution in September 2018 – although no resolution has yet been publicly reported.

In second place, ING paid €775 million to settle allegations it violated anti-money laundering regulations. This settlement is the second-largest AML loss recorded in the ORX News database, excluding sanctions losses. The Dutch public prosecutor found that ING had insufficiencies in its internal policies and had participated in culpable money laundering. Specifically, between 2010 and 2016, ING allegedly failed to prevent the laundering of hundreds of millions of euros due to shortcomings in its client due diligence policy.

According to the prosecutor, for a number of years ING lacked focus and awareness of its client due diligence obligations. It also said ING had prioritised commercial objectives over compliance, failed to implement long-term improvements, had dysfunctional and fragmented controls and a deficient escalation culture.

The third-largest loss was a settlement of $250 million paid by insurer State Farm to settle allegations it had rigged the election of an Illinois high court justice to overturn a $1 billion judgment against the firm.

State Farm was ordered to pay out $1.19 billion in 1999, after a class of customers claimed the insurer had replaced their crashed car parts with generic rather than branded parts. The amount was reduced on appeal to $1 billion, and in 2005 was thrown out completely after the election of Lloyd Karmeier to the court.

The class claimed that State Farm had paid $3.5 million to Karmeier’s election campaign because of his sympathy for tort reform. The class sought $1 billion in damages and $1.8 billion in interest, which could have been tripled under the Racketeer Influenced and Corrupt Organisations Act if successfully prosecuted. State Farm did not admit to any liability or wrongdoing as part of the $250 million settlement, which has a final approval hearing scheduled for December.

In the fourth-largest loss, Punjab National Bank has been allegedly defrauded of 5.39 billion rupees ($74.2 million) in loans by a telecommunications and power equipment manufacturer between 2013 and 2014. The alleged loss appears to be far from an isolated case: earlier this year, the Indian bank was the subject of intense media attention after it revealed a massive $2.23 billion letters of undertaking fraud by diamond businessman Nirav Modi in May. In September of last year, it was one of a number of banks caught up in the 50 billion rupee loan fraud allegedly perpetrated by Kingfisher Airlines founder Vijay Mallya – the seventh-largest publicly declared op risk loss of 2017.

Lastly, hackers stole $59.6 million worth of cryptocurrency from Japanese cryptocurrency exchange operator Tech Bureau in just two hours on September 14 after breaching a hot wallet – cryptocurrency storage that is connected to the internet. Tech Bureau plans to refund all affected customers.

Story spotlight: Voya Financial pays $1 million under SEC cyber rule

On September 26, fund manager Voya Financial agreed to pay $1 million to the Securities and Exchange Commission after hackers impersonated three Voya Financial independent contractors and gained access to the personal information of 5,600 customers. It was the regulator’s first enforcement of its 2013 identity theft red flags rule, which requires firms to have written procedures in place that could highlight attempted identity thefts.

According to the SEC, the hackers phoned Voya’s technical support line in April 2016 and pretended to be the independent contractors requesting a password reset. Despite informing staff not to provide usernames or password resets over the phone following the first attempt, the hackers successfully impersonated contractors twice more.

The hackers could then access customer information including addresses, dates of birth and last four digits of social security numbers. Voya neither admitted nor denied the SEC’s findings.
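The red flags rule cited above requires written procedures that can surface attempted identity theft; the SEC's account of the Voya case describes the pattern such a procedure needs to catch: password resets granted over the phone for several contractor accounts within a short period. As an added illustration that is not part of the Risk.net article nor any Voya or SEC material, the Python below runs two defender-side checks over a constructed helpdesk ticket log. The log format, account names and timestamps are invented for the example; only the shape of the pattern comes from the story.

```python
import re
from datetime import datetime, timedelta

# Constructed helpdesk ticket log in a made-up one-line-per-ticket format.
# These are not Voya records; they only mirror the pattern the SEC described:
# password resets granted over the phone for several contractor accounts.
SAMPLE_LOG = """\
2016-04-12T10:05:00 channel=phone action=password_reset account=ctr-1042 role=contractor
2016-04-12T10:40:00 channel=portal action=password_reset account=emp-0231 role=employee
2016-04-12T14:20:00 channel=phone action=password_reset account=ctr-1077 role=contractor
2016-04-13T09:15:00 channel=phone action=password_reset account=ctr-1103 role=contractor
2016-04-20T11:00:00 channel=phone action=unlock account=ctr-1042 role=contractor
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) channel=(?P<channel>\S+) action=(?P<action>\S+) "
    r"account=(?P<account>\S+) role=(?P<role>\S+)$"
)


def parse_log(text):
    """Turn the ticket log into dicts; malformed lines are skipped rather than crashing the job."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def phone_reset_flags(events):
    """Red flag 1: any credential reset granted over the phone, the channel the written
    procedure is supposed to exclude. Each such ticket warrants a callback-verification review."""
    return [e for e in events if e["channel"] == "phone" and e["action"] == "password_reset"]


def clustered_contractor_resets(events, window=timedelta(hours=48), threshold=2):
    """Red flag 2: phone resets for several distinct contractor accounts inside one window.
    A single reset may be legitimate; a burst across accounts is the pattern a red flags
    programme should escalate."""
    resets = sorted(
        (e for e in events
         if e["action"] == "password_reset" and e["channel"] == "phone" and e["role"] == "contractor"),
        key=lambda e: e["ts"],
    )
    clusters, i = [], 0
    while i < len(resets):
        accounts, j = [], i
        while j < len(resets) and resets[j]["ts"] - resets[i]["ts"] <= window:
            if resets[j]["account"] not in accounts:
                accounts.append(resets[j]["account"])
            j += 1
        if len(accounts) >= threshold:
            clusters.append({"start": resets[i]["ts"], "end": resets[j - 1]["ts"], "accounts": accounts})
            i = j  # move past the cluster so it is reported once
        else:
            i += 1
    return clusters


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in phone_reset_flags(evs):
        print("phone reset:", e["ts"], e["account"])
    for c in clustered_contractor_resets(evs):
        print("cluster:", c["start"], "->", c["end"], c["accounts"])
```

On the constructed log the first check reports three phone resets and the second groups them into one 48-hour cluster of three contractor accounts; the employee portal reset and the later unlock ticket are left alone. The window and threshold are parameters because the right values depend on a firm's normal reset volume.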

In focus: is the SMR behind bank CEO departures?

September saw a spate of high-profile resignations following major operational risk events. TSB’s Paul Pester stepped down over the bank’s IT failures, while Danske Bank’s Thomas Borgen and ING’s CFO Koos Timmerman stepped down over anti-money laundering failures.

Those aren’t the only cases in 2018. Earlier this year, Australia had two high-profile resignations after Commonwealth Bank of Australia chief Ian Narev stepped down following the bank’s AML crisis and Craig Meller of fund manager AMP resigned in the wake of revelations from the Royal Commission into conduct in the financial industry.

On the face of it, it would be easy to conclude from this that banking executives are increasingly resigning after major operational risk events; ORX News examines the data to determine if this is really the case.

Accountability does not just rest with the CEO, says the FCA

There has certainly been a shift in the conversation around accountability. The UK Financial Conduct Authority’s Senior Managers Regime, introduced in 2016, formalised the concept that although a senior manager may delegate tasks, they cannot delegate the responsibility for the outcome. Since then, Australia, Hong Kong and Singapore have adopted or started to adopt similar schemes. The Irish central bank has called for more accountability for senior managers, and in the US the Department of Justice has increased its focus on pursuing executives, while the Federal Reserve is updating its risk rating scheme for banks.

All of this comes in the context of increased regulatory scrutiny of conduct issues, a growing focus on culture, and continued public distrust of banks – much of it a legacy of the financial crisis that sees the public still questioning how bankers “got away with it”.

On examining the data, however, there is no clear trend of increasing resignations.

The first thing to clarify is that it is rare for a CEO to step down as a result of breaches that happened outside of their tenure, even though they may often have been in senior positions during this time. Of those chief executives who departed this year, all had held their role for at least two years of the period where wrongdoing was happening. In fact, that trend holds true for all departures in the last six years.

With those taken out of the equation, the picture is mixed. For example, Barclays’ Bob Diamond resigned over Libor allegations in 2012, and so did Rabobank’s Piet Moerland in 2013. But other CEOs have not.

This raises the question: should a CEO resign if a major event happens under their watch? Each individual case will be unique. Ultimately, it is up to a bank’s board whether a CEO stays or goes. If their competency and ability to run the firm outweigh any financial or reputational damage, there may be no clear business reason to resign. But if investor, media or regulator reactions are sufficiently negative there may be no choice.

One part of the SMR and similar schemes is that accountability does not just rest with a bank’s head employee. A shift in the culture of accountability should devolve personal responsibility through the ranks of senior and middle managers, preventing situations that create the need for a high-profile resignation.

Basel III op risk capital savings dissipate for G-Sibs

By Louie Woodall | Data | 5 October 2018

An upcoming switch to the operational risk framework will have a more subdued effect on big banks’ capital requirements than previously estimated, a Basel Committee study shows. 

The median global systemically important bank (G-Sib) is expected to see its op risk capital decrease 5.1% when the revised standardised approach (SA) is implemented in 2022, based on end-2017 data. This is a far milder effect than the 19% decrease estimated using end-2015 data in an earlier study.

Big banks transitioning from the advanced measurement approach (AMA) to the revised SA in particular may not realise the savings previously anticipated. The median AMA G-Sib was expected to see capital requirements drop 27.1% at end-2015, whereas the end-2017 data suggests a saving of just 5%. 

The median G-Sib held $6.1 billion of operational risk capital at end-2017, compared to $5.5 billion at end-2015, Risk Quantum analysis shows – an increase of 12%. Aggregate G-Sib op risk capital increased 1% to $280 billion from $277 billion over the same period. 

This implies the change in Basel’s impact assessment is not the result of banks reporting lower capital requirements between 2015 and 2017, but because of changing assumptions on how the SA will affect bank capital calculations once implemented. 

In addition, national watchdogs maintain discretion over certain elements of the SA and their decisions on how it should be implemented would raise or lower op risk capital requirements. If regulatory assumptions changed between 2015 and 2017, it could explain the reduction in expected savings.  

The median ‘Group 1’ bank – internationally active firms with more than €3 billion in Tier 1 capital – is estimated to see its op risk capital requirements drop 4.7%, compared to 1.2% in 2015. The median ‘Group 2’ bank – with less than €3 billion in Tier 1 capital – is expected to see no change in its requirements, compared with a 3.9% uplift expected in 2015.

What is it?

Basel III replaces the existing three methods of calculating op risk capital – the basic indicator approach, the standardised approach, and the advanced measurement approach – with a new revised standardised approach (SA). 

This uses a simple accounting measurement of bank total income – known as the business indicator – to divide firms into three size buckets. A separate business indicator multiplier is then applied to each bucket to produce the business indicator component. The product is then subject to an internal loss multiplier (ILM), a scaling factor based on a bank’s average historical losses and business indicator component. 

The Basel monitoring report applies the revised SA to estimate the change to minimum required operational risk capital versus the end-2017 levels generated using the existing approaches. 

The analysis takes into account two discretionary measures that national regulators can apply: to set the internal loss multiplier equal to one, thereby basing op risk capital requirements solely on the business indicator component for all banks in a jurisdiction, and to have ‘Bucket 1’ banks measure their ILM using their loss history, thereby linking capital requirements to incurred op risk losses.
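The business indicator, bucket multipliers and internal loss multiplier described above combine into a single number, and the two national discretions change that number for the same bank. The Python below is an added worked example, not from the article or the Basel Committee; the bucket boundaries (€1 billion and €30 billion of business indicator), the marginal coefficients (12%, 15%, 18%), the loss component of 15 times average annual losses and the ILM formula ln(e − 1 + (LC/BIC)^0.8) are taken from the final Basel III standard rather than from this page and should be read as assumptions, as should the constructed bank figures.

```python
import math

# Revised standardised approach (SA) for operational risk capital.
# Bucket boundaries (EUR billions of business indicator) and marginal
# coefficients follow the final Basel III standard (Dec 2017), not the
# article above; treat them as assumptions.
BUCKET_UPPER = [1.0, 30.0, math.inf]   # Bucket 1 <= 1bn, Bucket 2 <= 30bn, Bucket 3 above
MARGINAL_COEF = [0.12, 0.15, 0.18]     # applied to the slice of BI falling in each bucket
LOSS_COMPONENT_FACTOR = 15.0           # LC = 15 x average annual op risk losses


def bucket(bi):
    """Return 1, 2 or 3 for a business indicator (BI) given in EUR billions."""
    for number, upper in enumerate(BUCKET_UPPER, start=1):
        if bi <= upper:
            return number
    return len(BUCKET_UPPER)


def business_indicator_component(bi):
    """BIC: each marginal coefficient applies only to the part of BI inside its bucket."""
    bic, lower = 0.0, 0.0
    for upper, coef in zip(BUCKET_UPPER, MARGINAL_COEF):
        bic += coef * max(0.0, min(bi, upper) - lower)
        lower = upper
    return bic


def internal_loss_multiplier(bic, avg_annual_loss):
    """ILM = ln(e - 1 + (LC / BIC)^0.8); it equals 1 exactly when LC == BIC,
    is below 1 for a bank whose losses are light relative to its size, above 1 otherwise."""
    if bic <= 0:
        return 1.0  # no business, no scaling to apply
    lc = LOSS_COMPONENT_FACTOR * avg_annual_loss
    return math.log(math.e - 1 + (lc / bic) ** 0.8)


def op_risk_capital(bi, avg_annual_loss, ilm_set_to_one=False, bucket1_uses_losses=False):
    """Minimum op risk capital = BIC x ILM, honouring the two national discretions the
    article mentions: ILM fixed at 1 for every bank, or Bucket 1 banks using their loss history
    (by default Bucket 1 banks get ILM = 1)."""
    bic = business_indicator_component(bi)
    if ilm_set_to_one or (bucket(bi) == 1 and not bucket1_uses_losses):
        ilm = 1.0
    else:
        ilm = internal_loss_multiplier(bic, avg_annual_loss)
    return {"bucket": bucket(bi), "bic": bic, "ilm": ilm, "capital": bic * ilm}


def compare_discretions(bi, avg_annual_loss):
    """Show how the same bank's requirement moves with the regulator's choice."""
    return {
        "loss_sensitive": op_risk_capital(bi, avg_annual_loss)["capital"],
        "ilm_set_to_one": op_risk_capital(bi, avg_annual_loss, ilm_set_to_one=True)["capital"],
    }


if __name__ == "__main__":
    # Constructed figures: a Bucket 3 bank with BI of EUR 40bn and average annual losses of EUR 0.2bn
    print(op_risk_capital(40.0, 0.2))
    print(compare_discretions(40.0, 0.2))
```

For the constructed Bucket 3 bank the BIC is €6.27 billion and, with a light loss history, the ILM comes out near 0.82, so the loss-sensitive requirement is about €5.15 billion against €6.27 billion if the regulator fixes the ILM at one. That gap is the mechanism the article points to: a jurisdiction that switches from assuming ILM = 1 to tying the ILM to loss history will report different expected savings for the same banks.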

The results exclude existing national regulator-imposed capital add-ons for op risk, which would have diluted the effects of the methodology change for Group 1 banks.

Why it matters

The Basel Committee attributes the higher total estimated capital uplift under Basel III partly to “more conservative assumptions for the implementation of the revised operational risk standards in some countries”, suggesting that now jurisdictions have got to grips with the revised SA, their understanding of how best to implement it to achieve their own policy goals has sharpened.

Some may have informed Basel that they now intend to tie the ILM to banks’ loss histories, which would be expected to produce higher capital outputs than if the ILM was simply set to one. Whatever the reason, those banks looking forward to huge capital savings when the revised SA is rolled out are likely to be disappointed. 

Get in touch

What other factors explain Basel’s turnaround on the SA’s op risk capital savings? Email louie.woodall@infopro-digital.com or tweet @LouieWoodall or @RiskQuantum to share your thoughts


Danske admits ‘major deficiencies’ in money laundering case

By Alexander Campbell | News | 20 September 2018

CEO quits as bank publishes internal investigation into irregular operations at Estonian branch

Danske Bank has admitted its governance and risk prevention methods were deficient in preventing major money laundering at its Estonian branch.

An internal investigation, a report of which was published on September 19, found suspicious payments amounting to €200 billion ($234 billion) flowed through the bank’s Estonian branch between 2007 and 2015. Immediately after the publication of the report, chief executive Thomas Borgen resigned.

“There is no doubt that the problems related to the Estonian branch were much bigger than anticipated when we initiated the investigations,” says Danske chairman Ole Andersen. “The bank has clearly failed to live up to its responsibility in this matter. This is disappointing and unacceptable, and we offer our apologies to all of our stakeholders – not least our customers, investors, employees and society in general.”

The bank has identified “a series of major deficiencies” in its governance and control systems, which allowed the Estonian branch to be used for these irregular activities.

Danske traces the origin of its problems to the acquisition of Sampo Bank in 2007 – a situation that lasted until it terminated that customer portfolio in 2015.

“We had a large number of non-resident customers in Estonia that we should have never had, and they carried out large volumes of transactions that should have never happened,” says the report.

Danske concludes its Estonian branch was not focused on tackling money laundering, and the management complied with procedures while neglecting the identification of risks.

The bank’s investigation examines customers and transactions, and analyses whether managers, employees and members of the executive board or board of directors fulfilled their obligations. The internal work “established that a number of former and current employees, both at the Estonian branch and at group level, have not fulfilled their legal obligations”, says Danske.

Despite Borgen’s resignation, the investigation – led by Danish law firm Bruun & Hjejle – establishes that the board, chairman and chief executive “did not breach their legal obligations towards Danske Bank”.

The research covered 15,000 customers and 9.5 million payments. Around 12,000 documents and more than 8 million emails were studied, along with more than 70 interviews with both current and former employees and managers.

The financial conduct authorities of Denmark and Estonia have been involved in the case.

Home country responsibility

In May, Estonia’s Finantsinspektsioon and the Danish FSA made clear that the supervision of banks operating in several countries lies with the supervisory body of the home country; in this case, Denmark. But anti-money laundering measures are supervised by the authorities of the host country – Estonia.

As a result, the Danish FSA conducted an investigation into Danske’s management and controls related to the branch in Estonia, while Finantsinspektsioon researched compliance with anti-money laundering rules within the same branch.

Additionally, on September 13, the Danish supervisory authority declared that co-operative bank Københavns Andelskasse is likely to fail.

The supervisor says the bank, “in several instances, had breached the same regulation as observed during previous inspections”. Furthermore, it “could not correctly calculate its own funds, their individual capital requirement or their liquidity”. And it also observed a significant number of “serious breaches of [anti-money laundering] regulation during the inspection”.

As a result, the Danish FSA decided to report Københavns Andelskasse to the police on August 23.

The FSA decision is the first step for Finansiel Stabilitet, the Danish resolution mechanism established in October 2008, to initiate the resolution of the institution.

This story originally appeared on Risk.net’s sister website, CentralBanking.com.

Do two sizes fit all? Banks aim to standardise vendor risk

By Dan DeFrancesco | Features | 20 September 2018

Banks created TruSight and KY3P to vet supplier risk with standard questionnaires. Is it enough?

Wall Street can be cold, dark. For some of its champions, success is measured in personal triumphs. For others, there is deep satisfaction in the failures of others. Winning isn’t enough. Everyone else has to lose.

But there are situations, be they few and far between, where the benefits of working together to accomplish something overwhelm those of going it alone.

In the recent past, this has happened twice. KY3P and TruSight were cobbled together by two different camps of big banks to vet their ‘third parties’ – any company that provides an ongoing service to a bank, from cloud computing and air-conditioning to web-hosting or central clearing.  

KY3P – the name stands for ‘Know your third party’ – has been up and running since 2015. Goldman Sachs, Morgan Stanley, HSBC and Barclays provided the seed money and use a platform provided by IHS Markit. The four banks and Markit developed the platform.

In April of this year, JP Morgan, Bank of America, Wells Fargo and American Express set up a rival service, TruSight, with BNY Mellon joining later as an investor. The platform is used by its founders, who assay their suppliers through it and share the information among themselves. It is currently taking on new users.

The task of exhaustively poring over vendors to be certain of their cyber safety and resilience as a going concern – a regulatory requirement – is a time- and money-chewing effort that, once complete, creates no competitive edge for banks.

So, some banks are happy to come together to get it done.  

Michael Beck, head of global supplier assurance at Barclays, one of KY3P’s backers, says the differences between banks’ approaches to vendor interviews don’t cancel the benefits of a standardized format. 

Banks are “not exactly the same, but we have a lot of the same requirements,” he says. “What if we could pool our resources and not have to ask each supplier that we have independently to be able to demonstrate that they have good environments and they can protect data?”

If you can centralise the data collection and the validation of the integrity of the data through a utility, it makes a heck of a lot of sense

Executive at a large bank with responsibility for third-party management

Risk managers at larger banks note that it could work for smaller banks. Already stretched thin to meet the surveys, they would get to piggyback off what’s being used by the biggest banks.  

Harshal Vora, a managing director in operational risk at BNP Paribas, which is not invested in either platform, echoes that point. For Vora, a smaller bank might think, “OK, if it is acceptable for JP Morgan, for example, why not me?”

It could work for suppliers, too: at present, they are engulfed by mostly similar questions from every bank they do business with. 

“The vendors are sick and tired of different folks knocking on their door,” says an executive at a large bank with responsibility for third-party management, noting that his bank goes through this with multiple suppliers. “If you can centralise the data collection and the validation of the integrity of the data through a utility, it makes a heck of a lot of sense.”


Even regulators believe there could be benefits to standardising assessments. Beth Dugan, deputy comptroller for operational risk at the Office of the Comptroller of the Currency, says in certain situations a significant portion of due diligence questionnaires could be shared among firms.

“I think there are going to be some situations where they may get 80% there,” Dugan says.

“A lot of it is understanding, are your vendors in good standing? What does the general risk management look like? Do they get audits? What are they finding there? How have they dealt with it? What is their financial health?” she says. “Those are a lot of those things that could be done and shared throughout the client base.”

Jim Connell, a managing director at JP Morgan, which backs TruSight, adds that having a company focused solely on evaluations will likely produce a “more comprehensive and effective set of standards out the gate, and in a much more sustained fashion going forward.”

A horse and a zebra

After the 2008 financial implosion, supervisors noticed blind spots in the banks’ supplier networks. Guidance followed. The US Federal Reserve Board and Office of the Comptroller of the Currency issued separate guidance notes on third-party risks in 2013.

Vendors shoulder the bulk of the regulatory burden. Banks bury them in queries and often top it off with an onsite visit, requiring suppliers to have teams to squire the banks around.

But large vendors – big data providers and software creators, for instance – and bodies that run the infrastructure of the financial markets – exchanges, clearing houses, payments systems and others – have balked at sharing detailed information. These institutions, which typically offer critical services and hold sizeable market shares, cite privacy concerns over sharing granular details regarding their processes.

Banks have also struggled with the management of subcontractors, known as fourth parties.

TruSight and KY3P share a similar goal – streamlining the way banks conduct vendor risk – but they are slightly different.

The biggest of their differences is structural. TruSight is a ‘utility,’ owned solely by banks, with an organization much like the Depository Trust & Clearing Corporation, for instance. KY3P, in contrast, is a for-profit company, though it appears to function as a utility.

TruSight was created by combining the standards of its four founders along with those of Citi, which was first involved in the project but later declined to be a founding shareholder.

We can’t ask our suppliers to pay a quarter-million dollars to do an SOC2 assessment each year

Jim Connell, JP Morgan

One of the first discussions the group held was to determine the platform’s scope, agreeing that supplier evaluations would be the focus. Grading third parties by risk – high, medium, low – was quickly set aside as being too unique to each bank.    

Banks went through each question to get to the core of what was being asked of the supplier, the best way to ask it and the type of evidence that would be required to substantiate the answer.

“The two main reasons that shared assessment as a concept has failed is either they don’t have standards upon which to actually do the assessments or the standards they have are completely over-engineered,” Connell says, referring to an excess of detail saddled onto the questionnaires to mollify some of the banks.

“We can’t ask our suppliers to pay a quarter-million dollars to do an SOC2 assessment each year,” Connell says, referring to the ‘system and organisation control’ information-security standard.

KY3P is a slightly different creature. IHS Markit owns and runs the platform as a for-profit business, but Goldman, HSBC, Barclays and Morgan Stanley also have stakes in it and were part of its build-out. While TruSight focuses solely on vendor assessments, KY3P hawks other services banks might find useful in managing their third parties. BitSight, for instance, offers cyber security ratings, and RapidRatings specialises in financial scores. Both are partners of KY3P and can stream data onto the platform for subscribers.

But the crux of KY3P nonetheless remains the standardised assessment.

Ellen Schubert, chief executive of KY3P, says putting the questionnaire together was the hardest part. “Every bank, hedge fund and asset manager had the starting point of, ‘I need to create my own question set. I need to understand what risks I am most concerned about, and how do I frame a question in a way that gives the response from the vendor that will tell me whether or not I need more information’,” she says.

Schubert says KY3P has over 100 financial firms engaged on the platform and thousands of vendors signed on. Every year, IHS Markit meets with its partners to update the questionnaire, for instance, in the event of new regulation.    

Getting delta

One difference between the two platforms – at least for now – is the more swinging-door discussion of the questionnaire at KY3P. Users are able to include additional queries to their questionnaire, known as ‘delta questions’. These are then reviewed by Markit and its design partners at the yearly review on an anonymous basis to see whether there are themes that come up repeatedly, and that should be incorporated into the questionnaire.

Scalability at both platforms is a consideration: as more banks join, the more they want things in the questionnaire pertinent to their needs. While both platforms want to grow, more users will make standardisation trickier.

For some, this is a sticking point. The executive responsible for third-party risk management at a big bank takes issue with KY3P’s willingness to take delta feedback on its questionnaire from so many different sources.

“KY3P seemed to be a lot more eager to please,” the executive says. “Of course, you have to be flexible over time. You live and learn, and you may tweak things a little bit. But from the get-go, if you keep things too flexible, then things get out of control very quickly.”

Schubert denies this. It is too soon for a platform like KY3P to ignore feedback. “The industry aspires for a single standard and is moving in that direction, but is not there yet,” she says. Clients are using the questionnaire, but some “like the ability to add three to five delta questions of their own.” The deltas don’t detract from standardization, she says. When the market is ready for just one standard questionnaire – with no deltas – “we will be as well,” she adds.

It may just be too soon for the subject of deltas to have arisen at TruSight. TruSight is only five months old – it has yet to undergo even a first yearly review.

TruSight’s chief executive, Abel Clark, admits the addition of new users is a hurdle. But he does not deny that the questionnaire will “evolve.”

“Will it be a little more challenging? Probably,” he says. “I think I would phrase it a little differently, which is, there is a fantastic opportunity to bring more expertise across the industry into our advisory board that helps evolve and maintain the standard as best practice, and to ensure it meets the needs of all industry sectors.”

But can one questionnaire capture it all?

Deltas aside, that is not to say KY3P or TruSight’s questionnaires cover every single thing. Banks maintain they will still have questions, but are confident KY3P and TruSight will provide the bulk of what they need.

Charles Forde, global head of outsourcing and third-party risk at UBS, one of the design partners of KY3P, notes that those who use it like “the unique flexibility to add questions to address specific requirements, such as regional or divisional risk appetite.”  

In other words, getting most questions answered does not negate the need for a little bit more.

Chris Ritterbush is an executive director at consultancy Ernst & Young, which has a partnership with TruSight to help with the third-party assessments, a bit of outsourcing of TruSight’s very mission. He says while some small additional questions can be expected, anything too arduous could turn off vendors. Third parties will view the platforms’ questionnaires as pointless if they know they will continue to be peppered with even more questions from their clients.

If banks start “sending out other questionnaires and saying, ‘I have to come on site’, I don’t know. I just don’t know if that could work,” Ritterbush says.

Abhishek Khare, director of outsourced services operational risk at Societe Generale, disagrees, saying suppliers won’t mind answering a few extra questions if the questionnaire dispatches a majority of them.

“None of the vendors are going to be unhappy if they have to provide one standardized template for 90% of the assessments and then deal with the clients on the remaining 10%,” Khare says. “Today they are dealing with 100% with every single client. It will save them huge money and time.”

It’s early days at both TruSight and KY3P. Some speculate it will take at least two years for them to acquire critical mass and solidify their standards.

It’s also not a zero-sum game. In fact, more competitors could enter the business.

Khare at SocGen would prefer the industry not rely on just one – he’d like to see three or four.

“If you just have one utility, there will be over-dependence,” he says. “If you have more than one, first, there will be competition to provide better service. Second, in case one particular utility fails, at least there will be an option for banks or financial institutions to go to another.”

The executive at a large bank agrees the industry is better off with competition and is optimistic on the platforms’ futures.

“I am thrilled to see that the banks are paying a lot of attention and we are coming together and trying to do the right thing for each other and for the industry,” the executive says.

At least for a moment, it’s a kinder, gentler Wall Street.

Cyber security begins a shift to the risk department

By Steve Marlin | Features | 19 September 2018

Normally the province of IT, cyber defence is increasingly seen as a critical part of operational risk

Those who are paid to worry are converging on a similar thought: cyber risk is too important to be left to IT. 

In tech departments, unsurprisingly, the view is different: suits who model risk have neither the skills nor the alacrity to deal with real-world, moving-target cyber threats.

Either way, the two sides are already seeing a lot more of each other. Some banks, cognisant of the financial and reputational hazard cyber breaches represent, have been seeding risk departments with hardcore tech people, in some cases, even putting them in front-and-centre op risk roles.

At others, tech departments remain in charge, the board convinced that risk people are too ruminative to be effective on a battlefield as furtive as tech.

Goldman Sachs took a very direct approach. Phil Venables, its chief information security officer, was made chief operational risk officer at the beginning of last year. Part of a strategic reshuffling of risk management, Venables brought with him a cadre of technologists to provide independent oversight and challenge, not just on the threat of outside cyber assailants, but on all tech risks, like flaws in software platforms, and others.

Elsewhere, the head of operational risk at an international bank in London hired a former cyber security expert from MI5, the UK intelligence agency, to strengthen its risk management. Since then, the risk team has held the chief information security officer’s feet to the fire on a number of occasions over whether threat assessments were being set too high or too low.

While moving Venables to the risk department was the most visible sign of the shift at Goldman, of equal significance was the critical mass of IT professionals who came with him. The full-court press ensured cyber risk would be examined with the same rigour as Goldman’s other non-financial risks.

Says Venables: “Rather than just taking some elements of our technology risk team and placing it alongside the wider risk team, we more fundamentally integrated it into a broader operational risk function,” in order to manage cyber “as a first-class business risk”.


Several factors are driving the migration of cyber security to the risk fold. Ever-more digitalised banking and the reliance on cloud computing have raised awareness at the board level.

Regulators have signalled that banks need to incorporate cyber into risk management alongside other tech risks. In 2017, three US regulators published a notice of a proposed rule that would have required a cyber risk management role reporting to the chief risk officer. Though the proposed rule has been put on hold, companies want to be prepared for the day it becomes law.

Setting chains of command

At Morgan Stanley, the risk division is responsible for setting policy, while IT is in charge of building the digital battlements. The risk division has a head of cyber risk reporting to the head of op risk, who in turn reports to the chief risk officer. IT, meanwhile, has a dedicated head of technology risk.   

The dual structure is designed to align cyber with the way other risks are managed.   

“It’s appropriate for oversight to be outside of the area where you do execution,” says Gerard Brady, Morgan Stanley’s chief information security officer. “We want them to be independent. Right now, the balance is consistent with the way the firm manages other risks.”

There is some trepidation in risk departments on leaving IT to police its own cyber defence efforts. But even companies that have shifted cyber oversight to risk departments have left a large measure of responsibility within their tech units. Goldman, for example, hired Andy Ozment from the Department of Homeland Security to replace Venables as chief information security officer. Ozment was assistant secretary for cyber security and communications at DHS.

Ozment’s mission is to integrate security into the way the company builds and operates technology, accompanied by a cyber-capable risk management that holds business lines accountable. As for Venables, in his former job he was responsible for engineering and embedding control; in his current job, he models, quantifies and sets limits on risk.

“What we do is establish regularly monitored quantitative risk limits on cyber risk and then partner with the rest of the firm to find innovative ways of staying within those limits,” he says.

Because cyber is new, people think they need to treat it differently. I disagree

Operational risk chief at an international bank

For example, on software security, Goldman’s operational risk team monitors vulnerabilities in the company’s products and establishes timeframes for remediating them. The team works with the tech and business units to develop new ways of managing the software development lifecycle through the introduction of new testing tools, in some cases funding development of new toolkits. This replicates the way that market and credit risk work with businesses on new means of managing those risks. 

In other shops, the new reporting lines have brought the two units closer. Which means communications have had to improve: the two sides have needed to learn each other’s lexicons.  

“As risk people, we also have to be technologists,” says the head of information security at the US subsidiary of a French bank. “We’re not going to be experts, but we need to talk the talk. Otherwise, IT is going to laugh at us.”

And in building up the cyber defence piece, banks must be careful not to take risk management entirely out of the hands of technology departments.

“The people doing risk analysis are risk professionals, not technologists,” says the chief information security officer at a large US bank. “They tend to be more academic in their approach versus being more practical. The expertise to instrument, engineer or architect should be within the IT organisation.”

Hesitation is also a risk. For instance, if a situation arose that required quickly migrating to a new platform to address weak spots, would a risk officer act swiftly enough? Some say a chief technology or chief operating officer might be a better bet.

“Risk people are not technology experts,” says an operational risk executive at a European bank. “Risk is process-driven and methodology-driven – it’s hardly technology-driven.”

And how are you going to do that?

Risk managers love to model things. Which raises a conundrum: How to model cyber?

Most assessment so far has been qualitative in nature, but companies are trying to come up with more structured models. Approaches to quantifying cyber threats do exist, such as factor analysis of information risk (Fair), but there is no universally agreed-upon standard. One obstacle is a lack of information: if a company has been attacked, most try to keep it quiet. Another is that, unlike fraud losses, which occur regularly but don’t cost a bank too much, cyber attacks are rare tail events that can hit with catastrophic effect. The dearth of incidents leaves banks little to model: for most large banks, historical losses on cyber would be near zero.

“We do scenario-planning and exercises to help us prepare for worst-case situations,” says Rohan Amin, chief information security officer at JP Morgan. “Losses attributable to cyber security may not be as predictable as other forms of risk, which is why the scenario-planning is important.”

Morgan Stanley is using the scant information available on actual cyber losses to perform ‘tabletop exercises’, in which likely losses from cyber threats are estimated.

“They’re coming closer to becoming quantified risks, but they’re still qualitative,” admits Brady. “But on the outcomes basis, we’re closer to saying that a risk has this potential frequency, with these likely losses.”

The exercise is not just for in-house purposes either. Regulators are prodding banks to come up with more quantitative measures. The Securities and Exchange Commission, for example, has issued guidance that companies should disclose their cyber risks, including the frequency and likelihood of incidents and losses that could be incurred.


Without a clear method to quantify cyber risk, banks are at a loss to measure their risk appetite. In board presentations, risk executives have had to fall back on simplistic statements about risk appetite, using qualitative terms like ‘critical risks’ and connecting those with ‘possible outcomes’.

“We talk about net new risk and whether we’ll accept that on an incremental basis, but we’re still challenged to define the risk tolerances more completely than that,” says a chief information security officer at another large US bank. “You’ll hear a lot from folks that believe they’re modelling risks well, but the big question of, ‘At what point are we taking more risks than we can bear?’ is still a real hard question to answer.”

To even get to a risk appetite, companies will first need to decide on some metrics: will they be based on granular measures like the number of software patches that need to be applied each week; or are they based on a high-level threat analysis that attempts to calculate the likelihood of attacks and expected losses; or perhaps on how the bank is assessing itself against the National Institute of Standards and Technology bars or other external benchmarks? 

Banks are taking a stab at it.

“We are in the process of establishing that risk appetite,” says Eric Yoss, chief risk officer at Mizuho Americas. “There are the 35 or 50 metrics that we are going to monitor that track our ability to control cyber threats.” Those will be turned over to IT for action.

There is near-universal agreement that achieving a zero appetite for cyber risk is essentially impossible; the only way to do so would be to close down the business.

“In reality, we organise around not having any major events, tolerating small events, but nothing that would cause significant harm,” says the head of operational risk at a large US bank.

“We have to be careful in making outlandish claims,” he says, referring to the zero-risk scenario, “because if that were true, you would spend all the money you’ve got in preference to managing other risks.”

JP Morgan cuts op risk capital by $12.5 billion

By Alessandro Aimone | Data | 17 September 2018

JP Morgan cut its operational risk-weighted assets in the second quarter for the first time since banks started reporting the measure in 2014.

The US lender shed $12.5 billion worth of operational RWAs, or 3.1%, from $400 billion, bringing its Pillar 1 total to $387.5 billion.

In its latest Pillar 3 disclosure, JP Morgan said the reduction was due to “an update to cumulative losses for operational risk RWA, inclusive of rule changes”. The bank did not respond to a request for comment.

Aggregate operational RWAs across the eight US global systemically important banks (G-Sibs) grew $1 billion on the quarter, driven by a $21 billion (7%) hike in Wells Fargo’s total. This was partially offset by reductions across six other G-Sibs. Bank of America’s op RWAs were flat quarter to quarter.  

Op risk accounted for 29% of total RWAs at the eight G-Sibs, as of end-June, up from 28.6% the previous quarter.

What is it?

Risk-weighted assets are used to determine the minimum amount of regulatory capital that must be held by banks. The riskier the asset, the higher the RWA, and the greater the amount of regulatory capital a bank must set aside.

JP Morgan uses the advanced measurement approach (AMA) to quantify its operational risk. This is based on a loss distribution approach, which observes the frequency and severity of past operational risk losses, and measures how much capital banks should set aside in case of reoccurrence.

The bank calculates its risk based on scenarios incorporating a number of different types of operational failures, as well as internal and external actual loss experience.

Updates to the loss experience inputs can cause the total operational RWA amount to vary dramatically. For example, if a large regulatory fine is incurred one quarter, it may result in higher reported op RWAs at the end of that reporting period.
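To make the frequency-and-severity mechanism concrete, here is an added Python illustration (not JP Morgan’s or any regulator’s model) of a simple loss distribution approach: a Poisson frequency and a lognormal severity are fitted to a constructed loss history, simulated to a one-year 99.9% quantile, and then refitted with a single large fine added to the history to show why the capital figure jumps. The same frequency-times-severity structure underlies the quantitative cyber approaches such as Fair mentioned in the previous article, where the loss history is far sparser; all amounts below are constructed.

```python
"""Loss distribution approach (LDA) for operational risk capital.

Added illustration, not JP Morgan's or any regulator's model. The AMA-style
calculation described in the text combines a frequency distribution (how many
loss events occur in a year) with a severity distribution (how large each one
is) and reads the capital figure off the tail of the simulated annual loss.
impact_of_large_fine() shows why one large fine entering the loss history can
move the figure sharply: the 99.9% quantile is driven by the tail of the
fitted severity curve. All loss amounts below are constructed.
"""
import math
import random
import statistics

# Constructed history of "routine" losses in $ millions, spanning four years.
BASE_LOSSES_USD_M = [0.4, 1.2, 0.8, 2.5, 0.6, 3.1, 0.9, 1.7, 0.5, 4.2, 1.1, 0.7]
OBSERVATION_YEARS = 4
CONFIDENCE = 0.999   # one-year 99.9% soundness standard used under the AMA


def annual_frequency(losses, years):
    """Poisson rate: mean number of loss events per year."""
    return len(losses) / years


def fit_lognormal(losses):
    """Method-of-moments fit of a lognormal severity curve.

    Returns (mu, sigma), the mean and standard deviation of ln(loss)."""
    logs = [math.log(x) for x in losses]
    return statistics.fmean(logs), statistics.pstdev(logs)


def poisson_sample(rng, lam):
    """Draw one Poisson(lam) variate (Knuth's method; fine for small lam)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(losses, years, n_years=20000, seed=1):
    """Simulate n_years of aggregate annual loss from the fitted distributions."""
    rng = random.Random(seed)
    lam = annual_frequency(losses, years)
    mu, sigma = fit_lognormal(losses)
    totals = []
    for _ in range(n_years):
        n_events = poisson_sample(rng, lam)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_events)))
    return totals


def quantile(values, q):
    """Empirical q-quantile (nearest-rank) of a list of values."""
    ordered = sorted(values)
    rank = max(1, math.ceil(q * len(ordered)))
    return ordered[rank - 1]


def capital_charge(losses, years, n_years=20000, seed=1):
    """Unexpected-loss capital: 99.9% annual quantile minus expected annual loss."""
    totals = simulate_annual_losses(losses, years, n_years, seed)
    return quantile(totals, CONFIDENCE) - statistics.fmean(totals)


def impact_of_large_fine(fine_usd_m):
    """Capital before and after a single large fine joins the loss history.

    Returns (base_capital, stressed_capital) in $ millions."""
    base = capital_charge(BASE_LOSSES_USD_M, OBSERVATION_YEARS)
    stressed = capital_charge(BASE_LOSSES_USD_M + [fine_usd_m], OBSERVATION_YEARS)
    return base, stressed


if __name__ == "__main__":
    before, after = impact_of_large_fine(250.0)   # a constructed $250m fine
    print(f"capital without the fine: ${before:,.1f}m")
    print(f"capital with the fine:    ${after:,.1f}m")
```

The refit also raises the fitted frequency, but the bulk of the jump comes from the severity tail, which is why a single quarter’s fine can move reported op RWAs for years.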

Why it matters

JP Morgan didn’t respond to several requests for comment, so details on what drove the decrease are scarce. Its significance lies in its rarity, however: JP’s op risk capital has been jammed at a static $400 billion since it began reporting it in 2014. This changed for the first time during the latest quarter.

The question is whether this is the start of a new trend for JP Morgan or simply a one-off move. 

The drop is also notable because it was the largest among the other US G-Sibs in the second quarter, both in dollar and percentage terms. Despite this, though, JP Morgan maintains the second-largest share of operational RWAs among the eight G-Sibs.

As the pace of hefty fines that hit banks in the aftermath of the financial crisis starts to slow down – and the chances of these losses recurring become, statistically speaking, less and less likely – lenders will see a gradual natural roll down in RWAs each quarter, observers say, something bank chiefs have been longing for.


Swift user break-ins a ‘repeat business’ for hackers

By Steve Marlin | News | 16 September 2018

Cyber thieves have accessed the interbank messaging system through small, developing world banks

Cyber criminals have hit upon a seemingly secure business model: take control of the payment system of a smaller bank in an emerging country; get access to the Swift network; then route fraudulent transactions through banks in developed countries.

The pattern has repeated itself on at least eight occasions in the past three years. 

Banco del Austro, an Ecuadorian bank, sued Wells Fargo in 2016 for approving fraudulent wire transfers totalling $12 million. Cuenca-based Banco del Austro alleged that hackers had penetrated its systems and sent Swift messages to Wells Fargo, which processed the payments. Wells, based in San Francisco, settled out of court this year.

“You will see more losses similar to Wells Fargo because the attackers would rather go via the weakest component of the chain,” says an operational risk executive at a European bank. “The weakest point is when you interact with smaller institutions, especially in the Swift world.”

Swift is a myriad-stranded messaging web that is used to send payment orders around the world. The network transmits over 30 million messages a day, making it the largest international payment network for financial firms. 

The US Justice Department earlier this month charged a member of the Lazarus Group, a North Korea-backed hacking team, over a 2016 attack in which $81 million was stolen from the central bank of Bangladesh using fraudulent Swift messages routed through the Federal Reserve Bank of New York, as well as over other hacks, including that of Sony Pictures Entertainment. The Bangladeshi money ultimately landed in fake accounts in the Philippines and later in casinos in Manila.

City Union Bank, headquartered in the small city of Kumbakonam in southern India, suffered an attack earlier this year in which cyber criminals gained access to its Swift payment system and routed fraudulent payments totalling $1.8 million through Standard Chartered Bank and Bank of America. The cash was funnelled to accounts in Dubai, Turkey and China.

The pattern of the Swift hackings suggests interbank payment networks are the soft point of entry. The eight largest Swift attacks to date have all targeted banks in emerging countries, often in very small or secondary cities, to infiltrate the payment system. These banks lack the sophisticated controls that larger banks can afford.

Swift launched its “customer security program” in 2017, designed to allow smaller banks to detect fraudulent transactions by making suspicious payment patterns visible. But the fact that the Swift attacks have continued suggests the protections are not entirely effective.

In response to queries, Swift says it takes the cyber threat “extremely seriously” and continues to evaluate the threat as well as measures to best help customers “defend themselves, detect threats and respond to attacks”.

“There is no silver bullet,” Swift says, “but we are committed to working with the community to raise the level of preparedness and improve the industry’s collective defences.”

Once thieves get inside the Swift network, there’s very little banks can do to stop the transactions from being processed. “How can you mitigate such a thing?” says the operational risk executive.

“In the case of Wells Fargo, somebody got into the systems of Banco del Austro, got in possession of the Swift credentials and simply kicked off Swift transactions,” he says. “Wells Fargo detected the right credentials, nothing seemed to be amiss.”
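The scenario described here, valid credentials but an instruction unlike anything the sender normally issues, is what behavioural screening at the correspondent bank is meant to catch. The following is an added Python example (constructed data, not Swift’s customer security programme or any bank’s controls) that profiles each originating institution’s past payment instructions and holds new ones that are anomalous on at least two independent counts: amount against the sender’s median, a beneficiary country never seen from that sender, and a burst of messages within an hour. The sender BIC and all payments are constructed placeholders.

```python
"""Behavioural screening of incoming payment instructions at a correspondent.

Added example, not Swift's or any bank's code. When an originating bank's
credentials are used by an intruder, every message authenticates correctly,
so detection has to rest on what is unusual about the instruction relative to
that sender's own history. Instruction is a simplified stand-in for the
fields of an MT103 (sender BIC, amount, beneficiary country, timestamp).
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

AMOUNT_MULTIPLE = 5          # flag amounts above this multiple of the sender's median
MIN_REASONS_TO_HOLD = 2      # require two independent anomalies before holding


@dataclass(frozen=True)
class Instruction:
    sender_bic: str
    amount_usd: float
    beneficiary_country: str
    sent_at: datetime


# Constructed history: a small originating bank (placeholder BIC) that sends two
# modest payments a day, to the US and the UK, at 10:00 and 13:00.
_BIC = "SMALLBKXXXX"
_BASE = datetime(2018, 3, 1, 10, 0)
HISTORY = [
    Instruction(_BIC, 20000.0 + 7000.0 * ((d * 2 + i) % 10),
                "US" if i == 0 else "GB",
                _BASE + timedelta(days=d, hours=3 * i))
    for d in range(10) for i in range(2)
]

# Constructed incoming batch: one routine payment and four large, early-morning
# instructions to countries this sender has never paid before.
INCOMING = [
    Instruction(_BIC, 45000.0, "GB", datetime(2018, 3, 12, 11, 0)),
    Instruction(_BIC, 1_900_000.0, "PH", datetime(2018, 3, 12, 2, 5)),
    Instruction(_BIC, 2_400_000.0, "PH", datetime(2018, 3, 12, 2, 12)),
    Instruction(_BIC, 3_100_000.0, "AE", datetime(2018, 3, 12, 2, 20)),
    Instruction(_BIC, 1_700_000.0, "PH", datetime(2018, 3, 12, 2, 31)),
]


def build_profiles(history):
    """Per-sender baseline: median amount, known beneficiary countries and the
    most messages ever seen from that sender within a single clock hour."""
    by_sender = defaultdict(list)
    for ins in history:
        by_sender[ins.sender_bic].append(ins)
    profiles = {}
    for bic, msgs in by_sender.items():
        per_hour = Counter((m.sent_at.date(), m.sent_at.hour) for m in msgs)
        profiles[bic] = {
            "median_amount": median(m.amount_usd for m in msgs),
            "countries": {m.beneficiary_country for m in msgs},
            "max_per_hour": max(per_hour.values()),
        }
    return profiles


def score_instruction(profile, instr, seen):
    """Return the list of anomaly reasons for one instruction.

    `seen` holds the sender's earlier instructions (history plus messages
    already screened in this batch) and feeds the burst check."""
    reasons = []
    if instr.amount_usd > AMOUNT_MULTIPLE * profile["median_amount"]:
        reasons.append(f"amount {instr.amount_usd:,.0f} exceeds "
                       f"{AMOUNT_MULTIPLE}x sender median")
    if instr.beneficiary_country not in profile["countries"]:
        reasons.append(f"first payment to {instr.beneficiary_country}")
    window_start = instr.sent_at - timedelta(hours=1)
    recent = 1 + sum(1 for m in seen if window_start <= m.sent_at <= instr.sent_at)
    if recent > profile["max_per_hour"]:
        reasons.append(f"{recent} messages within one hour "
                       f"(historical max {profile['max_per_hour']})")
    return reasons


def screen(history, incoming, min_reasons=MIN_REASONS_TO_HOLD):
    """Screen a batch in time order; return [(instruction, reasons)] to hold."""
    profiles = build_profiles(history)
    seen = defaultdict(list)
    for m in history:
        seen[m.sender_bic].append(m)
    held = []
    for ins in sorted(incoming, key=lambda m: m.sent_at):
        profile = profiles.get(ins.sender_bic)
        if profile is None:
            held.append((ins, ["no history for sender; manual review"]))
        else:
            reasons = score_instruction(profile, ins, seen[ins.sender_bic])
            if len(reasons) >= min_reasons:
                held.append((ins, reasons))
        seen[ins.sender_bic].append(ins)
    return held


if __name__ == "__main__":
    for ins, why in screen(HISTORY, INCOMING):
        print(ins.sent_at, f"{ins.amount_usd:,.0f}", ins.beneficiary_country, why)
```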

The Swift attacks are a lucrative, recurring business for criminals skilled at finding security gaps and monetising them. “The Bank of Bangladesh attack became the blueprint for an awesome repeat business for the Lazarus Group,” says the chief information security officer at a large US bank. “If you find ways to monetise flaws in the financial system, you’ve got a business for a number of years, and that’s what we’re seeing with the attacks against payment systems.”

Since banks can’t fix the internal weaknesses of other banks, the only way to prevent attacks is to have stronger controls around the Swift infrastructure itself. This could involve creating a type of regional buffer of added security between banks and Swift to ensure that banks in any particular region have IT security programmes in place.

“I can think of a layered approach where smaller firms have a stepped security system, and you as a large bank interact with a broader network,” says the head of operational risk at the European bank. “In the case of Wells Fargo, my recommendation would have been to ensure that the broader network in South America is looking after the IT security of South American banks. Only when a bank is in line with local standards should it be allowed to do business with Wells Fargo or another bank.”

Op risk data: Swiss banks suffer tax-dodging fines

By Risk staff | Opinion | 12 September 2018

ZKB settlement takes top spot in August loss list. Data by ORX News

Swiss lender Zürcher Kantonalbank tops the list of operational risk losses in August, with a $98.5 million settlement for helping its clients dodge taxes.

The bank admitted “conspiring to assist US taxpayers in evading their tax obligations” in a case brought by the US Department of Justice against ZKB and two of its bankers.

The activity took place between 2002 and 2009, involving around 2,000 accounts which represented up to $794 million in assets. The unpaid taxes amounted to $39 million, the DoJ said.

The settlement is one of five that the DoJ has reached with Swiss banks over tax evasion this year. Read more in the ‘In focus’ section below.

In second place, four units of Transamerica, a subsidiary of Dutch insurance giant Aegon, paid $97.6 million to the US Securities and Exchange Commission to settle claims they used faulty investment models in 15 mutual funds and investment portfolios between 2011 and 2015.

The SEC found that the models had been developed at one of the units solely by a junior analyst with no experience in portfolio management or formal training in financial modelling. In addition, the units were accused of failing to review the models or inform investors of the risks even after identifying vulnerabilities within the models. Two members of senior management were accused of compliance and oversight failings and settled individually.

Citigroup suffered the third-largest loss, for keeping inaccurate books and records and failing to supervise its trading desk. Three traders at its securities dealing house mismarked illiquid positions and made unauthorised trades, leading to $81 million in losses which were not correctly reported, the SEC said.

The agency fined Citigroup $5.8 million. The losses and related fine total $86.8 million.

Fourth is a Russian commercial loan fraud, one of many reported by ORX News this year. In this case, an employee of Sudostroitelny Bank reportedly provided falsified documents to the bank’s credit committee. The documents allegedly overstated the financial activities of firms applying for 3 billion rubles ($44.4 million) of loans, which were granted. The loans were not repaid.

In an interesting twist, Sergey Zykov, who investigators claim was a director of the bank, is claiming that he was actually employed as a clerk in the bank’s credit department. The investigation is ongoing.

Finally, a loss for Wells Fargo is in fifth place. The bank agreed to pay $30 million to settle with borrowers who alleged that the bank had illegally charged them post-payment interest on Federal Housing Administration-insured mortgages.

Spotlight: Nigeria banks fined over fund repatriation

Nigeria’s central bank has slapped a fine of 5.87 billion naira ($16.2 million) on four banks for helping telecoms firm MTN illegally repatriate funds out of Nigeria.

Citibank, Diamond Bank, Stanbic IBTC and Standard Chartered were allegedly involved in the improper conversion of a shareholders’ loan into preference shares which did not have the final approval of the central bank.

The total repatriated funds amounted to $8.13 billion.

In focus: Swiss tax evasion

In 2007 the secretive world of Swiss private banking was blown open when Bradley Birkenfeld, an American working for UBS in Switzerland, broke Swiss banking secrecy laws and disclosed details of alleged tax evasion by US citizens to the US Department of Justice.

Since then, centuries of Swiss banking secrecy were put under strain by further US investigations, eventually leading to the creation of the Swiss Bank Program in 2013. Under the scheme, Swiss banks that were suspected of enabling US tax evasion were able to avoid prosecution by the DoJ in return for providing detailed information on US taxpayer customers and paying substantial penalties.

In total, ORX News has recorded $6.28 billion of losses to Swiss banks for this type of tax evasion. Two big components of this total are fines paid by UBS and Credit Suisse. UBS, the origin of the DoJ’s investigations, paid $780 million in 2009, while Credit Suisse paid a total of $2.91 billion in 2014 – $2.6 billion for settlements with various US authorities and $300 million in legal fees.

Bradley Birkenfeld received a prison sentence for his part in the systematic evasion by UBS, serving more than two years. He was released in 2012. That same year, the US Internal Revenue Service granted him a $104 million reward under the agency’s whistleblower scheme.

The bulk of the Swiss Bank Program losses occurred in 2015, when 61 Swiss banks reached settlements with the DoJ for a total of $1.64 billion, or an average of $27 million per settlement. The rate of settlements fell in 2016, with the DoJ announcing the closure of the Swiss Bank Program in December of that year.

However, in 2018 ORX News has recorded five new settlements by Swiss banks related to US tax evasion, totalling $174 million. It’s unclear why these settlements have started after two years of little activity. It may, however, be related to the imminent closure of the IRS’s Overseas Voluntary Disclosure Program on September 28, 2018. This scheme offers US citizens who voluntarily disclose their offshore assets protection from criminal liability.

According to the IRS, the OVDP is closing because of a decline in disclosure numbers and an increase in the awareness of tax obligations among offshore US citizens and the firms they bank with.

The US investigations have also affected Swiss bank secrecy – and bank secrecy worldwide. In 2010, the US introduced the Foreign Account Tax Compliance Act, or Fatca, which requires non-US banks to report on US customers to the US Department of Treasury. The OECD, an economic forum, has also developed a new standard for the automatic exchange of information (AEOI) on bank accounts between tax authorities worldwide. Switzerland has reached a bilateral agreement with the US under Fatca, and played a significant part in developing the AEOI.

However, the legacy of Swiss-facilitated tax evasion is not over yet. This year, HSBC has provisioned $604 million for tax evasion investigations into its Swiss bank by various authorities, including the DoJ.

Editing by Alex Krohn

All information included in this report and held in ORX News comes from public sources only. It does not include any information from other services run by ORX and we have not confirmed any of the information shown with any member of ORX.

While ORX endeavours to provide accurate, complete and up-to-date information, ORX makes no representation as to the accuracy, reliability or completeness of this information.

Big firms deflect banks’ questions on third-party risks

By Dan DeFrancesco | News | 6 September 2018

From exchanges to software sellers, big players hang back on due diligence questions, banks say

Behemoths that provide critical services to the financial industry are balking at sharing their information with banks trying to conduct third-party risk assessments.

The recalcitrant are mostly companies of some heft, such as big data providers and software creators, as well as bodies that run the very infrastructure of the financial markets – exchanges, clearing houses, payments systems and others.

Data breaches, increasingly common and expensive, have become a source of anxiety for large companies and have led to the vetting of third parties – essentially any external company providing an ongoing service, from stock-trading to web-hosting and heating to air conditioning.  

While most companies have been largely co-operative, firms that command dominant market shares have generally been less so. Some say the effort has become a question of who is bigger – the assessor or the assessed?   

“It is very difficult to get info when you do not have the size,” says a risk manager at a European bank. “The financial intermediaries like clearing houses and exchanges, which are normally your vendors because you use their platforms – those are the ones who are very difficult.”

Another question involves the importance of the service. Market data, trading platforms and clearing services are critical to functioning in the financial markets. The firms providing these services operate as virtual monopolies, giving them far more leverage in handing out their information.  

While outsourced services such as IT support or finance operations can be easily replaced, things like electronic trading services cannot be cancelled easily, says the head of outsourcing at another European bank.

“You can’t just terminate the service. They are needed,” he says, adding that it has always been difficult “to get full engagement on diligence questionnaires and responses” from the big clearing houses, exchanges and such.

Even if you are able to find an alternative, it is not always a quick fix, he adds. “If you move to a different supplier, it is extremely costly.” 


Banks’ management of third-party risk came to the fore in 2013, when the US Federal Reserve and the Office of the Comptroller of the Currency published guidance notes on the subject. Firms responded by beefing up vendor risk management programmes, asking for information on everything from specific business processes to the financial stability of the company.

Vendors sometimes refuse to provide any additional information beyond what is on their website, a risk manager at a third European bank says.

A dominant vendor, for instance, knows “they are the market leader. Almost 90–95% of the banks have to go to them. Those are the places where they do not like to provide anything that is non-standardised,” he says, referring to questionnaires requesting individualised information. “There are a few big market data providers I can say who have been quite rigid in these kinds of situations.”

Difficult vendor

One of the risk managers cited Bloomberg as “a very difficult vendor” to get information from.

The company says it has expanded its risk-response capabilities in the past few years, offering “a client-facing Terminal page with commonly requested documents and disclosures”. It also makes “SOC2 [service organisation control] reports available under a unilateral NDA for multiple Bloomberg products”.

As another example, the risk manager at the first European bank gave the Society for Worldwide Interbank Financial Telecommunication, known as Swift. In 2016, penetration of the Swift network by hackers led to attempted fraudulent transfers totalling nearly $1 billion from Bangladesh Bank. But when the European bank approached Swift about the breach, it provided barely any information, the risk manager says.

Swift could not be reached for comment ahead of publication.

Regulators are aware of the resistance banks face from suppliers on third-party risk assessment. Beth Dugan, deputy comptroller for operational risk at the Office of the Comptroller of the Currency, is aware of the conflicts.  

“Certain entities that happen to have a major market share, they say, ‘here is our set contract and we tend not to negotiate’,” she says.

Replace suppliers?

Dugan says banks should consider replacing suppliers unwilling to undergo risk assessment, while acknowledging the difficulty presented when there are few service providers, or even just one. Indeed, the OCC is examining the concentration of vendors.

In the interim, responsibility for third-party risk rests with the bank, says Dugan. “Our expectation is squarely on bank management – they can never offload the management of that risk,” she says, offering similar sentiments when discussing banks’ fourth-party risk management.

Even those few institutions that have received access to information at large entities are not given carte blanche. Exchanges, clearing houses and other market infrastructure are systemically important institutions, and as such give themselves a certain amount of latitude in staving off data requests.   

Among the systemically important is the Options Clearing Corporation in Chicago. John Fennell, its chief risk officer, says a balance needs to be struck between the rigour of due diligence and the information a company would prefer to keep private.

His clearing house is in the process of implementing its own third-party risk management programme and has had some trouble getting big vendors and others to fully answer its questions; at the same time, the clearing house is not eager to offer granular detail on its cybersecurity and business continuity plans.

“What we don’t want to do is give someone a plan on how they [would] be best able to identify potential weaknesses and disrupt us, but still give enough information that they know we’ve taken certain steps to ensure we can absorb a regional, weather-related issue,” Fennell says.

SunTrust’s ‘swim lanes’ keep exposures in line

By Steve Marlin | Profile | 6 September 2018

Bank has five bands of risk – a granular approach it says makes it easier to control exposures

Most banks are happy with the colour-coded risk indicators: red, yellow or green.

SunTrust Bank is doing something different. The Atlanta super-regional has assembled no fewer than 215 metrics for risk appetite. Assets are strained through those metrics and placed into one of five “swim lanes”: averse; conservative; balanced; tolerant; or aggressive.   

Should any asset dog-paddle outside its lane, the C-suite and risk committee are alerted.

“Our risk appetite has been stated as moderate for years,” says Jerome Lienhard, SunTrust’s chief risk officer. “The problem is when you get 10 people in a room and ask them what moderate is, it’s hard to get them to agree on when you’re moving from moderate to conservative, or moderate to aggressive. We found it wasn’t helpful to try to determine whether a risk profile is moderate based on who can make the best argument.”

The swim lanes make it a little easier. The metrics are agreed upon by the business units and the risk function. For example, if a portfolio has no loan that is more than 90 days delinquent, the portfolio can be designated as averse; if it has less than 5% delinquent, it is balanced; if more than 30%, that’s aggressive.

Lienhard says the goal is to measure risks at a granular level and aggregate them to give an enterprise view of risk. The system measures current exposures and forecasts where they’re headed, enabling management to either reduce or increase exposures accordingly. The company also has metrics for things such as charge-offs, delinquencies and concentrations. The bank can take steps to either mitigate those risks or deploy more capital as necessary.

“We identify those metrics that most represent what our risk profile is, and then break down the output of those metrics into one or more swim lanes,” says Lienhard.

The swim lanes, which have been in development for two years and went into operation this year, accord with the spirit of the Federal Reserve’s proposed guidance for risk management, which will require banks to quantify their appetite for risk and signal when it’s been exceeded.


Credit is by far the biggest asset category on SunTrust’s $208 billion balance sheet, which includes $77 billion in commercial loans and $68 billion in consumer loans. The bank leans heavily on stress-testing to track the performance of these portfolios. In this year’s Dodd-Frank stress-test, its loan losses under the severely adverse scenario were 5.2%, compared with 6.1% for its peer group.

“We’re constantly stressing the portfolio virtually any way you can think about – stress it for rates, stress it for commodity prices, stress it for different economic environments,” SunTrust’s chief William Rogers said on the company’s second-quarter earnings call.


On the horizon, the Current Expected Credit Loss accounting standard will require expected credit losses to be recognised over the lifetime of all loans, and is already causing headaches, even though it doesn’t take effect until 2020.

Models will need to be adjusted for CECL, notes Lienhard. The Dodd-Frank models, for instance, only project nine quarters into the future; ordinary credit models typically use two to three years – a hiccup next to the cradle-to-expiration timeline of CECL. CECL’s models will also require assumptions about the future growth of a portfolio, instead of using the portfolio’s size on the reporting date.

Across the industry, banks say regulatory capital rules will need to be adjusted to accommodate CECL, which will force an increase in reserves and hit capital.

“It will have a meaningful impact,” says Lienhard. “It’s not clear how the capital regime by the Federal Reserve is reconciled to CECL, and that could cause some challenges.”

In at the deep end

Lienhard, who has been CRO since 2015, joined the company in 2006 as treasurer. In 2011, he became CEO of SunTrust’s mortgage subsidiary. The unit paid nearly $1 billion in 2014 to settle allegations of mortgage abuse that took place prior to Lienhard’s appointment. Before joining SunTrust, he was treasurer at Freddie Mac for six years.

Although he doesn’t have a conventional risk background, the bank saw his years in the mortgage unit as a baptism of fire. “The board and CEO felt the five years at SunTrust Mortgage was an exercise in operational risk and compliance,” he says.

Emerging risks such as cyber security and conduct are taking up an increasing amount of his time. Data theft represents a growing threat; data compromise ranked second on Risk.net’s Top 10 operational risks for 2018. In April, SunTrust revealed certain information of up to 1.5 million customers may have been stolen by a former employee.

SunTrust declined to comment on what actions it has taken to address the causes of the breach, citing security reasons. A putative class-action suit has been filed.

“We are very focused on data management, in particular security around both client and internal data,” says Lienhard. “We need to ensure we are protected, not only against an external attack, but from an internal perspective, and we have sharpened our focus in both areas.”


SunTrust has created 25 to 30 metrics on the effectiveness of its operational risk controls, such as the number of account incidents reported or the frequency of software patches.

Conduct and reputational risks have risen to the forefront in the age of social media. SunTrust has established practices committees in each line of business as well as at the enterprise level. The bank hired a chief ethics officer in April, who provides an independent channel to make sure problems are heard at the top levels.

“We need to connect the dots and ensure we are remediating behavioural anomalies,” says Lienhard. “That’s a topic the board has expressed an interest in over the past 12 to 15 months.”

Although SunTrust uses the standardised approach to calculate its regulatory capital requirements, Lienhard says operational risk needs a forward-looking slant. In his view, banks have addressed the operational failures that pervaded the financial crisis. Those issues, therefore, should not be the sole determinant of operational risk capital.

“If all you’re doing is allocating capital based on that look-back, that’s a distorted view that wouldn’t reflect the likelihood of a loss going forward,” he says. “I don’t think you should be ignoring past losses, but it should be a combination of forward-looking considerations and recent losses that may still indicate exposures.”