LCH leads top CCPs on operational failures

By Louie Woodall, Abdool Fawzee Bhollah | Data | 14 October 2019

LCH Ltd posted the highest number of operational failures among big central counterparties (CCPs) over the 12 months to end-June, Risk Quantum analysis shows.

The London-based clearing house disclosed that core systems used for clearing failed 15 times over this period. These failings caused the systems to be offline for seven hours and 35 minutes in total.

Ice Clear Europe reported six failures, lasting a combined total of two hours.

Ice Clear Credit and the Depository Trust & Clearing Corporation each recorded three failures each. 

CME Group and LCH SA reported two operational failures apiece, and the Options Clearing Corporation (OCC) just one.  

Ice Clear US, the Japan Securities Clearing Corporation and Eurex recorded no operational failures over this period. 

What is it?

In public disclosure templates put together by CPMI-Iosco (the Committee on Payments and Market Infrastructures and International Organisation of Securities Commissions), central counterparties report the number and duration of operational failures affecting core systems over the previous 12 months on a quarterly basis.

Core systems are described as those that handle the acceptance and novation of trades and the calculation of margin and settlement obligations.

Why it matters

CCPs may not have suffered many operational failures over the past year, but as they are essential cogs in the financial system, any outages will have ripple effects that can disrupt the smooth functioning of markets.

How to pay for the costs of these outages is a topic of hot debate. Recently, the OCC filed a rule change to shift part of the costs of operational losses to clearing members, whereas Ice Clear Credit has exempted members from having to chip in under its own proposed change.

Clearing executives say operational failures produce low-value losses. But a prolonged disruption to a CCP’s core systems could lead to damages in the millions of dollars. Small wonder that some clearing houses like the idea of sharing the potential burden of covering these losses with their members.

Correction, October 16, 2019: A previous version of this article incorrectly reported that Ice Clear Europe had seven failures lasting a combined three hours and 45 minutes.

Get in touch

Sign up to the Risk Quantum daily newsletter to receive the latest data insights.

Let us know your thoughts on our latest analysis. You can drop us a line at abdool.bhollah@risk.net, or send a tweet to @RiskQuantum.

Tell me more

US clearers move to dole out losses besides default

Banks and CCPs clash over non-default losses

CCPs must step up cyber risk efforts, says EU legislator

View all CCP stories

US clearers move to dole out losses besides default

By Steve Marlin | News | 11 October 2019

ICC wants members to chip in on investment and custodial losses; the OCC, on the whole op risk enchilada

A long-simmering debate in the clearing world on who should swallow losses that have nothing to do with defaults received a jolt as two US clearers proposed ways of divvying up part of those costs among their members.

On August 21, Options Clearing Corporation (OCC) filed for a rule change that would distribute part of operational losses – cyber, fraud, theft and others – to its members. The very next day, Ice Clear Credit (ICC) went in a completely different direction: it filed to have its members cover part of the cost of investment and custodial losses, but excluded plain vanilla operational risk.

Both clearing houses are seeking comment on their rule proposals, which require approval from the Securities and Exchange Commission and the Commodity Futures Trading Commission.

The debate may be largely academic at present – the cost of any of these events generally has been small, and certainly no threat to the clearing houses. But the filings provided a measure of tranquility to clearing members who’d been hearing rumblings since 2012.

“We’d rather live with a known devil than complete uncertainty,” comments the head of clearing at a large US dealer in New York, which, as a clearing member, would be shouldering part of any such losses.

ICC and OCC are being “more progressive” than other central counterparties, where the rules are “completely opaque”, he says.

“The rule changes by ICC and OCC are the first in a line of many,” he predicts.

So-called non-default losses cover a span from investment and custodial losses to the operational losses known to any business: data breaches, physical damage, legal entanglements and any number of catastrophic events.

Extreme events are rare, but could leave devastating losses. Central counterparties (CCPs) and their clearing members have long been uneasy about who would be on the hook for them.

Clearing houses differ with respect to allocation of losses not tied to defaults. Some allocate a portion of investment losses to their members, while others take any and all investment losses. Nasdaq Clearing, for instance, bears sole responsibility for losses both operational and investment – anything not caused by a default.

It is not entirely clear why ICC and OCC sought help with different types of losses. OCC, as a non-profit, is looking to defend its regulatory capital by having members help out in “trigger events”. ICC is a private company.

While sizable operational losses are most ordinary for banks, for CCPs, they are generally smaller and more manageable.

Clearing houses differ with respect to allocation of losses not tied to defaults. Some allocate a portion of investment losses to their members, while others take any and all investment losses

“Operational losses are far more common. However, they’re typically small,” says one clearing executive. “If we lose €50,000 [$55,100], that’s a lot. Many smaller events, but not big ones.”

Custodial losses have almost a random quality to them, but are generally unheard of. It is investments that could pile up the kinds of losses clearing houses might want to dole out, with the spiking of the federal funds rate last month adding some urgency to this category.

Under the ICC proposal, members would share in investment losses exceeding $20 million and in custodial losses exceeding $32 million. All losses resulting from operations would be borne entirely by ICC.

In contrast, OCC would use a formula to allocate losses from cyber attacks, theft and fraud, lawsuits, physical damage and other operational incidents to members. Were the proposal to go into effect right now, members would have to pick up as much as $1.5 million each if any such mishap caused OCC’s capital to fall below a certain threshold.

ICC, which clears credit default swaps, holds collateral of $35 billion in the form of cash and securities. According to its investment policy, cash collateral that’s posted in US dollars is either held in ICC’s account at the Federal Reserve Bank of Chicago or invested in reverse repurchases of US Treasuries. If a counterparty to a repo transaction were to default, both ICC and its members could face sizeable losses.

Central banks represent an obvious way station for cash, as there is no risk of default.

“The safest and soundest place for cash is the central bank, because you’re protected from insolvency, so you don’t have any investment risk,” says Kevin McClear, chief risk officer at Intercontinental Exchange, ICC’s parent company, in Chicago.

But foreign-denominated cash cannot be stashed in a central bank. When an ICC member posts margin in euros, for example, it’s either deposited in a commercial bank or invested in reverse repos, exposing it to investment loss.

European clearing houses have a similar problem when members post margin in US dollars.

Marcus Addison, Eurex Clearing

“If clearing members give me collateral in US dollars, then I need to keep those US dollars somewhere,” says Marcus Addison, head of default management at Eurex Clearing in Frankfurt. “If I have to invest them, there’s a chance there could be an investment loss.

“We’ll tell you where we have central bank access, but if you insist on giving us something where we don’t, we will cover some part of that loss, but the remainder needs to be covered by those clearing members who have given us respective currency.”

To the extent that clearing members have a say in investment policy – a representative on a clearing house’s board or risk committee – they should also bear the risk of investment losses, the clearers say.

SIX x-clear in Switzerland, for example, last year set a series of thresholds on the amount of losses it would cover from investments in various asset classes.

“If we go beyond that limit, then clearly we’ve made operational mistakes, and that is for us to cover,” says Roger Storm, deputy head of clearing, risk and policy at SIX x-clear in Zurich. “But up to that limit, we think it’s fair that our members, who have been part of formulating the investment policy, should bear the better part of those losses.”

The market is well aware of the regulatory push to parcel out losses.

“Regulators are requiring clearing houses to have comprehensive loss allocation for non-default losses related to custody, settlement bank and investment risk, so it puts them in a tough position,” says Marnie Rosenberg, global head of clearing house risk and strategy at JP Morgan. “I understand why clearing houses seek to disclaim responsibility for events that take place outside of their organisations as long as they perform duty and care.”

The European Union’s recovery and resolution regime, currently wending its way through the legislative process, would set a floor on the amount of a clearing house’s capital it would be required to contribute in the event of a non-default loss, an idea fought by an industry reluctant to pay for losses it has little to do with.

But some say the amount is not sufficient to cover losses in an extreme event, such as a particularly damaging cyber attack.

“At an international level, this is still being debated in the context of resolution, but when you talk about non-default, CCPs may not have enough capital for them to recover in the event of a cyber attack,” says Rosenberg.

On the question of custodial risk, the Futures Industry Association said in a comment letter in response to the ICC filing that, since members have no say in a clearing house’s choice of custodian, they should not bear any risk.

The challenge is not that the clearing house is providing little choice of custodians, it’s that there are very few custodians – there are only two large custodial banks

Head of clearing at a US dealer

Others, however, take a more nuanced view, recognising that since two custodians – State Street and BNY Mellon – hold the bulk of custodial assets, as a practical matter, members have little say on which custodian to use, anyway.

“The challenge is not that the clearing house is providing little choice of custodians, it’s that there are very few custodians – there are only two large custodial banks,” says the head of clearing at a US dealer.

The clearing houses did not create the situation, he notes: “You might want to share the loss.”

Defaults by clearing members are fairly rare – Eurex Clearing, for example, has had only four member defaults in the last 17 years, none exceeding the collateral of the defaulting member. Yet, in comparison, investment and custodial losses are almost non-existent. None of the four clearing houses interviewed has ever had a situation where it’s had to allocate non-default losses to members.

But risk management is about countenancing the cataclysmic. If a hacker succeeded in looting a custodial account, for instance, or if a clearing house were attacked by terrorists, the resulting loss could swamp a clearing house’s capital.

“If all the collateral is gone, the members aren’t going to put in new collateral, and shareholders are not going to pony up the difference,” says Arnoud Siegmann, chief risk officer at EuroCCP.

“The first step to a solution is to distinguish between what a company can be expected to recover from and acts of God. That does not seem to be part of the debate now.”

UK banks accelerate RWA increases in Q2

By Abdool Fawzee Bhollah | Data | 10 October 2019

Risk-weighted assets across UK banks increased in Q2 at twice the pace of the preceding quarter, Bank of England data shows.

Total RWAs climbed £44 billion ($54 billion), or 1.5%, to £2.9 trillion in the three months to end-June. Over Q1 2019, the increase was just £19 billion (0.7%).

Credit and counterparty RWAs contributed most to the overall rise, growing £33 billion (1.6%) to £2.1 trillion on the quarter. Over Q1, the increase was 1.2%.

Aggregate market RWAs and operational RWAs also increased over the quarter, by 1.9% and 1.6% each, to £371 billion and £310 billion, respectively. Over Q1, market RWAs decreased 0.8% and op RWAs 1%.

Credit valuation adjustment (CVA) RWAs dropped quarter-on-quarter, by 1.2% to £86 billion. But the rate of decline was far slower than in Q1, when these RWAs shrank by 6.5%

Other RWAs, those related to settlement risk, securitisation exposures and regulatory adjustments, saw no change quarter-on-quarter, after increasing by one-third from end-2018 to end-March.

In spite of the quarterly increase, year-on-year total RWAs were down 1.8%. 

The total capital ratio for UK banks has remained static over the last three months, at 21.2%, but up from 20.4% in Q2 2018.

What is it?

The Bank of England publishes quarterly statistical releases on the capital levels and RWAs of the UK banking sector. 

RWAs are used to determine the minimum amount of regulatory capital that must be held by banks. Each banking asset is assessed on its risks: the riskier the asset, the higher the RWA and the greater the amount of regulatory capital that must be put aside.

Why it matters

That market risk increased for UK banks in Q2 is small surprise – global equity markets proved bumpy late on in the quarter, not to mention the sterling foreign exchange rate. Large banks, such as HSBC, also upped their derivatives exposures.

Operational RWAs are now at their highest since Q2 2017. It may be that certain supervisory penalties incurred by some banks have filtered through into their op risk calculations, boosting the aggregate RWA amount, or it could be the product of model changes by certain firms.

The only consistent trend is the decline of CVA RWAs, which is likely a by-product of higher volumes of derivatives being channelled through clearing houses. The slower pace of decline in Q2, however, could indicate that banks have now transitioned the majority of products that can be cleared, meaning further RWA efficiencies may be harder to come by. 

Get in touch

Sign up to the Risk Quantum daily newsletter to receive the latest data insights.

 Let us know your thoughts on our latest analysis. You can drop us a line at abdool.bhollah@risk.net, or send a tweet to @RiskQuantum.

Tell me more

Top UK banks cut CVA charges by 9% in Q2

UK bank RWAs inch up on credit and counterparty risk

View all regulator stories

Op risk data: Rogue trading costs Mitsubishi $320m

By ORX News | Opinion | 7 October 2019

Also: QR code scam costs ING customers; Australia banks hit with Pillar 2 add-ons. Data by ORX News

Jump to Spotlight: QR code fraud | In Focus: Aussie capital hikes

September’s largest operational risk loss saw a rogue trader at a Mitsubishi subsidiary, Petro-Diamond Singapore, lose $320 million on unauthorised crude oil derivatives transactions. The transactions began in January, with the trader disguising them as hedges, the firm said in a statement. The trader also manipulated data in the firm’s risk management system so that the transactions would appear to be associated with customers of the firm.

Petro-Diamond Singapore discovered the fraud during the trader’s absence in mid-August, and closed the positions. Mitsubishi said July’s fall in the price of crude oil resulted in the loss – and ironically, it unwound the positions before September’s dramatic spike in oil prices.

After an internal review, Mitsubishi said the subsidiary’s internal controls were sufficient and that the firm had already tightened its governance to detect similar misconduct at an earlier stage in future. As of September 20, Mitsubishi said it was examining the total loss and how it would impact its 2019 forecast.

The second largest publicly reported loss is an €82 million ($90.4 million) fine levied on Caixa Geral de Depósitos by Portugal’s competition authority for exchanging sensitive commercial information with 13 other banks between 2002 and 2013. As part of the action, Millennium BCP also paid €60 million, Santander €35 million and Banco BPI €30 million. Considered individually, the fines constitute September’s fourth, fifth and seventh biggest losses, respectively.

The authority found that the banks had shared information about retail mortgages and commercial loans. This included spreads that would be applied to mortgages and the values ​​of loans issued during the previous month – information that competitors would not otherwise have had access to. The collusion enabled the banks to avoid offering competitive conditions to customers. The fines for the 14 firms cost a total of €225 million.

In the third largest loss, a Brazilian court ordered Santander’s local unit to pay $274 million reis ($67.4 million) in compensation for “morally harassing” employees through abusive employment practices. Santander employees were reportedly subject to unfair production targets and excessive charges which led to a high rate of work-related mental health issues.

The bank has been previously convicted of bullying and discriminatory practices. Between 2012 and 2016, Santander employees reportedly represented 26% of bankers who claimed sickness benefits from the country’s social security agency.

September’s fourth and fifth largest losses are related to the Portugal competition authority fines. The next largest loss is the $38 million in fines, disgorgement and prejudgement interest that two subsidiaries of Canadian bank BMO were ordered to pay by the US Securities and Exchange Commission for conflicts of interest in fund investments. The subsidiaries invested around 50% of client assets in mutual funds managed by one of the firms, which resulted in additional fees to the firm. Also, the subsidiaries selected higher-cost share classes when lower-cost versions were available, without informing clients.

Finally, the SEC ordered two Prudential subsidiaries to pay $32.6 million in fines and disgorgement for failing to disclose to 94 mutual funds they advised that changes in their organisation would have negative consequences for the funds but tax benefits for Prudential. The subsidiaries self-reported to the SEC in 2016 after initially failing to report the issue during an examination. They voluntarily reimbursed the funds $155 million.

 

Spotlight: QR code fraud affects ING customers

ING Bank said in September it would compensate retail customers in the Netherlands after fraudsters exploited a QR code function in the bank’s mobile app to steal funds. Customers were tricked into clicking a code that enabled the thieves to access their accounts and withdraw funds.

The fraudsters obtained customers’ account numbers under the pretence of paying for goods posted for sale by the victims in online marketplaces. Using the account numbers, the fraudsters generated QR codes on ING’s app which acted as coded instructions to install the mobile banking app on a second device. The fraudsters then sent the QR codes to customers, claiming that scanning the code would confirm payment. In fact, by scanning the QR codes, customers unknowingly activated ING’s mobile app on the fraudsters’ devices, giving them access to their accounts. The perpetrators defrauded ING customers of thousands of euros in this way, an investigation found.

ING initially refused to compensate customers, as it claimed they were responsible for the linking of third-party devices to their own accounts. However, in September the bank said it would provide a “considerable amount” of compensation as a goodwill gesture, according to local media reports.

ING’s QR code system was more vulnerable than other banks’ systems as it required fewer steps to link a device, a domestic consumer affairs report found. The bank promised to introduce additional measures to increase customer security.

 

In focus: Aussie regulator piles on capital for banks

In May 2018, the Australian Prudential Regulation Authority (Apra) announced it had applied a A$1 billion ($754.8 million) Pillar 2 capital add-on to Commonwealth Bank of Australia’s minimum operational risk capital requirement. This followed a prudential inquiry into the bank, initiated in October 2017, which examined its frameworks and practices in relation to governance, culture and accountability. The inquiry found CBA’s continued financial success had dulled the bank’s senses to signals of deterioration in its risk profile.

Several high-profile incidents led to the inquiry. Between 2003 and 2013, CBA’s advisers missold investments to thousands of customers, for which the bank paid compensation totalling A$87 million. Between 2011 and 2018, CBA violated anti-money laundering and counter-terrorism financing laws in relation to its intelligent deposit machines, which in June 2018 cost the bank A$702.5 million in legal costs and the largest civil penalty in Australian corporate history.

After the inquiry into CBA, Apra asked 36 of Australia’s largest financial institutions to conduct risk governance self-assessments to identify whether the weaknesses at CBA existed within their own businesses. Common issues identified across firms included a failure to prioritise customers’ interests, an insufficient approach to managing conduct risk and compliance, a lack of clarity on accountability, and challenges in identifying, escalating and remediating issues.

As a response to the self-assessments, this year Apra imposed additional capital requirements of A$500 million each on ANZ Banking Group, National Australia Bank and Westpac, and an additional requirement of A$250 million on the Australian unit of German insurer Allianz. As of September, financial institutions were holding an extra A$2.75 billion at the regulator’s request.

This type of sanction has been adopted elsewhere, too. As of October 2018, Denmark’s Financial Supervisory Authority had ordered Danske Bank, still under investigation over a €200 billion ($31.85 billion) money laundering scandal, to increase its Pillar 2 capital reserves by 10 billion kroner ($1.59 billion). The increase was ordered because the bank’s compliance and reputational risks were found to be higher than previously assumed, even before the scandal was revealed. In July of this year, the FSA also imposed a capital add-on of 39.2 million kroner to Gefion Insurance’s solvency capital requirement after uncovering failures in the firm’s corporate governance.

Similarly, in June 2013 the Monetary Authority of Singapore ordered 19 banks to forfeit S$12 billion ($9.6 billion) for one year following a benchmark rate-rigging investigation that uncovered deficiencies in governance and risk management. The authority returned the money 18 months later, having decided the firms had made sufficient improvements.

There are two reasons for this regulatory approach. First, by increasing capital, financial institutions bolster their resilience against high-impact operational risk events, protecting consumers and financial markets. Second, large capital add-ons may act as an incentive for firms to come up with solutions to systemic issues. The add-ons remain in place until financial institutions have remedied their issues.

In the case of CBA, the levy imposed by Apra brought the bank’s Common Equity Tier 1 ratio below the desired threshold of 10.5% in May 2018, though the methodology used by Apra to calculate CET1 is conservative by international standards.

This regulatory activity reflects an ongoing focus in Australia on how financial institutions have treated their customers and how the industry must adapt to benefit consumers, following the critical findings of the Hayne Royal Commission.

Editing by Alex Krohn and Joan O’Neill

All information included in this report and held in ORX News comes from public sources only. It does not include any information from other services run by ORX, and we have not confirmed any of the information shown with any member of ORX.

While ORX endeavours to provide accurate, complete and up-to-date information, ORX makes no representation as to the accuracy, reliability or completeness of this information.

Risk oversight at Aussie banks under fire again

By Aileen Chuang | News | 3 October 2019

Asic criticises boards and management for immature oversight of op risks

Almost two years after the revelation of widespread, often brazen misconduct at Australia’s largest banks and insurers, the country’s financial sector still has a lot of work to do, according to the country’s markets regulator.

In a study assessing the quality of non‑financial risk oversight at seven large financial firms – including the big four Aussie banks – published on October 2, the Australian Securities and Investments Commission’s (Asic) corporate governance task force found important elements of the management and oversight of non-financial risk at firms was still “less mature than needed”.

The review follows February’s excoriating Australian Royal Commission inquiry into misconduct in the banking, superannuation and financial services industry, which detailed widespread money laundering violations and the mis-selling of payment protection insurance, among other offences. The report, heavily trailed in the year preceding its publication, led to senior heads rolling at both board and management level among the country’s largest financial institutions.

But it seems firms still have a way to go. Highlighting what it called “significant” failures in oversight in its current study, the task force found management at financial firms often operated outside board-approved risk appetites; boards,for their part,stand accused of not taking ownership of the information they are receiving.

“While many boards and companies have started addressing these issues, they appear to be at an early stage,” wrote Asic chair James Shipton. “Rectifying these issues requires immediate and sophisticated responses from companies and boards that will need to be prioritised.”

Material information about non-financial risks was often buried in dense information packs, the study found, and risk committees were not actively engaged in highlighting risks in a timely and effective manner.

Risk appetite statements were a particular problem, Asic noted, finding the statements and accompanying metrics for non-financial risk “immature” compared with those for financial risk. Not only was management operating outside of the approved risk appetites for months and years at a time at some firms, it said, metrics designed to measure risk also failed to provide a representative sample to the board of the level of true exposure.

In reality, op risk professionals note this is often the case at banks in most jurisdictions.

“Risk appetite statements are generally done to please regulators in a lot of companies,” says Craig Spielmann, chief executive of consultancy RiskTao. “They don’t align with what the firm cares about or what the firm considers material risk.”

Rectifying these issues requires immediate and sophisticated responses from companies and boards

James Shipton, Asic chair

Asic also said information flows to boards should be more concise. It found the average document sent to members of risk committees was 300 pages, with one organisation’s paper averaging more than 700 pages long.

Such packs are often delivered with time constraints as well: chairs of board risk committees estimated they needed five to 12 days a month to perform their duties, the report found, which had increased over recent years.

As a result, board risk committees were often found to be not actively engaging with the substance of issues in minutes. The regulator defined active engagement as requiring directors to take action to prevent failures from reoccurring rather than merely expressing concern, such as requesting further information and action from management, asking questions and driving implementation of changes to address identified failures.

A Risk.net survey of board risk committees at 24 large Asia-Pacific banks found that only four directors are former CROs, while almost two-thirds have never worked for a bank. In Australia, which has some of the most experienced risk committees, boards still faced stinging criticism from the Royal Commission enquiry for not doing enough to prevent a series of scandals that led to the loss of public trust, the departure of top executives and the change of board members.

Risk appetite statements are generally done to please regulators in a lot of companies

Craig Spielmann, RiskTao

Asic also found many firms had no clear escalation processes for urgent material risks. Instead, there were discussions between the chief risk officer and the board risk committee chair, impromptu board or board risk committee meetings, or with no board risk committee meeting, the escalation went straight to the next monthly full board meeting.

Finally, the corporate watchdog identified a further counterintuitive trend: increasingly, firms are inviting all non-executive directors to board risk committee meetings, not just the risk subcommittee. The trend is seemingly borne of a desire to make sure every director is on the same page, but, warns Asic, it could result in a crowding-out effect, where conversations are stifled and deep dives into topics become impossible.

Asic has already signalled a tougher stance on corporate wrongdoing, pledging to use the full force of new laws including lengthy jail terms and stiff fines for egregious offences.

Some observers caution the findings could mask progress made by banks in the months since the Royal Commission published its own review, saying the extent to which the interviews and documents Asic reviewed may overlap the period the inquiry was looking at is unclear. “It’s hard to talk about whether corporate Australia is improving or not at the moment,” said one Asia-based consultant.

Basel output floor to bind 29% of big banks

By Alessandro Aimone | Data | 3 October 2019

Almost a third of large international banks will be constrained by the new Basel III output floor on internally modelled capital requirements.

Figures from the latest Basel Committee monitoring report show the output floor – which bars banks from reducing their modelled capital requirements below 72.5% of the amount generated by the revised standardised approach – will set the binding Tier 1 capital requirement for 29.1% of Group 1 banks: those internationally active firms with more than €3 billion ($3.3 billion) in Tier 1 capital. Currently, 16.3% of Group 1 banks are constrained by the present output floor.

But risk-based requirements will continue to bind the largest share of Group 1 banks, 39.5% of the total sampled. Right now, these constrain 46.5%.

The leverage ratio is expected to be the binding constraint for 31.4% of banks, down from 37.2% currently. 

Almost half of the global systemically important banks (46.4%) would be bound by risk-based capital requirements, down from 50% today, while 28.6% of them would be confined by the output floor. The remaining 25% are projected to be constrained by the leverage ratio. 

At a regional level, the share of European Group 1 banks bound by the output floor is estimated to be 34.3%. Today, none of these banks are constrained by the current Basel I-based output floor. Forty per cent will be confined by the leverage ratio, down from 60% currently, and 25.7% by risk-based requirements, down from 40%.

In contrast, 50% of Americas Group 1 banks will be bound by risk-based capital requirements, compared with 37.5% today. The share limited by the leverage ratio will climb to 43.8% from 25%, and the output floor will constrain just 6.3% of them, compared to 37.5% under the floor currently in place.

Risk-based capital requirements will be the binding constraint for 48.6% of banks from the rest of the world, down from 57.1%, while the output floor and the leverage ratio will restrict 34.3% and 17.1% of them, respectively, compared with 22.9% and 20% currently.

What is it?

The Basel III monitoring report, issued semi-annually, assesses the effects of new regulatory standards on large banks. Capital, liquidity and profitability metrics are taken from data submitted voluntarily and confidentially by both regulators and banks.  

The Basel III reform package includes provisions that will phase in the output floor from a 50% level in 2022 to the full 72.5% level in 2027. The Basel II transitional floor caps banks’ current modelled capital outputs to 80% of the Basel I-based standardised approach.  

The Basel sample for the comparison of binding capital constraints comprises 86 Group 1 banks (among them 28 G-Sibs), of which 35 are European banks, 16 Americas banks and 35 banks from the rest of the world.

Why it matters

Under the final Basel III framework, the output floor will be the binding requirement for almost twice as many large banks compared with the current levels. This implies that many firms will be limited in the amount of regulatory capital relief they will be able to generate using their internal models.

It’s telling that a third of European banks will be hit by the new output floor considering none are so constrained today, as it suggests their modelled and standardised capital levels are very far apart compared with their peers from the rest of the world. 

What’s also revealing is the high percentage of firms that would still be bound by the leverage ratio under the fully-loaded Basel III rules. This capital measure was initially intended to be a backstop requirement and banks have groused that in its current incarnation it is having too much of an influence over their balance sheets. The monitoring report suggests it will still hold sway over capital decisions under Basel III. 

Get in touch

Sign up to the Risk Quantum daily newsletter to receive the latest data insights.

You can drop us a line at alessandro.aimone@risk.net, send a tweet to @aimoneale, or get in touch on LinkedIn

Keep up with the Risk Quantum team by checking @RiskQuantum for the latest updates.

Tell me more

European banks set for 18.6% capital hike under Basel III

Basel III capital shortfall estimate drops by €9 billion

View all regulator stories 

European banks set for 18.6% capital hike under Basel III

By Alessandro Aimone | Data | 3 October 2019

Large European banks are expected to see their average Tier 1 capital requirements increase 18.6% under the fully-loaded Basel III rules from end-2018 levels, figures from the Basel Committee shows.

The average capital increase for European Group 1 banks – internationally active firms with more than €3 billion ($3.3 billion) in Tier 1 capital – is driven by the introduction of the output floor (+7.4%), as well as changes to required capital for credit risk (+4%), operational risk (+3.7%), credit valuation adjustment (+3.4%) and market risk (+2.8%). This is partially offset by reduced capital requirements linked to the leverage ratio, which lowers the total amount by 2.6%.

By contrast, Americas Group 1 banks are expected to see their capital requirements drop 0.4% from end-2018 levels. The savings are driven by lower requirements for op risk (–5%) and the output floor (–2.3%), partially offset by higher charges for market risk (+4.7%), CVA (+2.3%) and credit risk (+0.1%).

Dealers from the rest of the world stand to see their capital requirements fall the most among Group 1 banks, by 5.4% on average, driven by lower required capital for credit and operational risk. 

On aggregate, Group 1 banks are set for a 3% increase in their capital requirements from end-2018. Global systemically important banks, which are part of Group 1, would see their expected Tier 1 capital charge rise 3.3%.

Smaller Group 2 banks – those with less than €3 billion in Tier 1 capital – are expected to see their capital requirements jump 8%, with most of the increase driven by higher charges for credit risk (+6.8%) and the output floor (+4.8%), partially offset by lower leverage ratio requirements (-5.8%).

What is it?

The Basel III monitoring report, issued semi-annually, assesses the effects of new regulatory standards on large banks. Capital, liquidity and profitability metrics are taken from data submitted voluntarily and confidentially by both regulators and banks. 

For the October 2019 report, data was obtained for 181 banks, including 105 Group 1 banks (among them all 29 current G-Sibs) and 76 smaller Group 2 banks.

Why it matters

The Basel III package, finalised in December 2017, will weigh heavily on European banks.

The new output floor on modelled capital requirements, for example, will become the binding regulatory constraint for 34.3% of the European banks in the sample.

Changes to the operational risk framework will also have a significant effect on European banks. The three existing methods of calculating op risk capital – the basic indicator approach, the standardised approach and the advanced measurement approach – will be replaced with a new revised standardised approach. That change will also disproportionately hit European banks, which are far more reliant on internal models than their US counterparts.

Get in touch

Sign up to the Risk Quantum daily newsletter to receive the latest data insight.

You can drop us a line at alessandro.aimone@risk.net, send a tweet to @aimoneale, or get in touch on LinkedIn

Keep up with the Risk Quantum team by checking @RiskQuantum for the latest updates.

Tell me more

Basel III capital shortfall estimate drops by €9 billion

Basel members make progress on regulatory alignment

Basel III op risk method a stronger guard against losses – EBA

View all regulator stories 

A behavioural lens could help manage human risk

By Christian Hunt | Opinion | 3 October 2019

Human decision-making needs careful watching. For that, behavioural science can help

“We’ve just opened a new desk; it’s going to be very profitable,” the regional head of an international bank enthused. Nothing too unusual in that, except this was happening right after the financial crisis, and I was his UK regulator.

“Talk me through the risk profile,” I said.

“Sure. Let me get the desk head,” he replied.

“How about you explain it to me?” I responded.

It turned out he couldn’t – so I suggested he suspend trading, until such time as he could.

Business leaders can’t help being compulsive promoters of their own projects, even after the need for caution had been hammered home by the financial crisis.

Ask almost any risk professional what skills their discipline requires, and behavioural science probably doesn’t make the list. It should, though, given how flawed human decision-making can be. And not just in the obvious context of conduct risk, where regulatory fines, remediation costs and reputational damage can make errors dizzyingly expensive. It’s also because poor decision-making represents a higher risk to organisations than it ever has.

As a recovering risk and compliance officer and regulator, I’m often asked for the most egregious things I saw on my watch; I normally avoid any specific answer. Not because I’m short of stories, but because when I tell them, people tend to conclude that what I’m describing could never happen in their firm – either because they’ve fixed that particular issue or because they presume their organisation is somehow immune from that type of poor decision-making.

The track record of our industry is littered with the names of people who made some very bad decisions: from rogue employees such as Kweku Adoboli and Jerome Kerviel, to executives like Fred Goodwin and Dick Fuld, who disastrously overplayed their hands. It is why regulatory regimes such as the UK’s Senior Managers and Certification Regime (SMCR) are increasingly focused on decision-makers rather than just their firms.

With technology and regulation galloping ahead, it is tempting to think human foibles are out of the equation. The opposite is true: people getting things wrong, through action or inaction, remains the most significant risk facing financial firms.

Indeed, there is evidence tech is fostering human inanity. As the number of people blindly following their GPS and driving into rivers attests, the more reliant we are on black boxes, the less we feel the need to understand or push back on what they are doing. This applies equally to trading and risk management: if the machine is letting me do something, who am I to argue?

Logic dictates that risk management is there to ensure that residual risk is lower than inherent risk. One big reason that might not be true is that human risk might not be properly recognised and managed

It is hardly any wonder the weakest link in cyber defences is people.

The evolution of social media and smartphones allows every employee to damage their employer’s brand in ways that used to be the exclusive preserve of the C-suite. As machine learning and AI become more prevalent, people will spend more time doing jobs machines can’t: things involving judgement, nuance, creativity and emotional intelligence – all fertile fields for human risk.

Traditional taxonomy-based approaches to risk often miss the importance of the human element. Just as we accuse economists of relying on models that ignore real human behaviour, the established categorisations of risk can downplay the significance of human decision-making. The map, as explorers used to remind cartographers, is not the territory. 

Logic dictates that risk management is there to ensure that residual risk is lower than inherent risk. One big reason that might not be true is that human risk might not be properly recognised and managed. People can mitigate risk, but they can also make it far, far worse.

Christian Hunt

For this, a behavioural lens that can look across the taxonomies could identify common themes. If we only look at root causes of risk, we won’t have an accurate picture of an organisation’s risk or its ability to respond. 

By a behavioural lens, I don’t just mean looking at conduct, which by its nature focuses on what went wrong; it is more comfortable and feels more defensible to track when things go wrong. Rather, I mean taking a hard look at how good an organisation really is at managing risk; does it have blind spots or delusions in the way it considers its risk profile?

Behavioural science can offer some insight. Humans are not the rational decision-makers that traditional economics long insisted we are. We’re subject to cognitive biases, the automatic ways we respond to things. Confirmation bias is one, where we more clearly see information that bears out what we think we know, and ignore anything that contradicts it.

In risk management, this reduces our willingness to question ourselves or be questioned by others. Take former star fund manager Neil Woodford. Because of his stellar record, he is likely to have faced less resistance to his ideas than another fund manager would have.

Optimism bias can also blind us. It partly explains why Bernie Madoff was able to persuade lots of sophisticated investors to buy into his schemes, even when there was plenty of evidence that the returns he was offering were too good to be true.

We are blind to our own biases. And we are not necessarily made wiser by experience

We are blind to our own biases. And we are not necessarily made wiser by experience. If you’ve worked in the industry long enough, you’ll know of ‘rainmakers’ who ride rough-shod over the rules, while insisting anyone of lower rank strictly comply with them.

We also make use of heuristics, rules of thumb that allow us to draw quick conclusions. IPO valuation metrics are a good example. As we’ve seen with companies like WeWork, changing the description of a company’s business model has often been used to justify higher multiples to be applied to forecast earnings.

Our ability to assess ourselves as risk managers is not as sophisticated as we think. Above all, we tend to ignore the role of luck. For instance, when a firm loses a large amount of money, a post-mortem is done to see what went wrong and, of course, who’s to blame; profitable transactions, however, are rarely put through the same drill. Yet it is entirely possible that loss-making transactions were subject to far better risk management and decision-making than those that turned out well. 

If we really want to see into things like this, behavioural science would help. By building a behavioural lens into risk management, we can start to see the errors in the ways we are thinking about risk, and do something about them.

Christian Hunt is the founder of consultancy Human Risk. He previously served as the head of compliance and operational risk control EMEA at UBS, and before that as chief operating officer of the UK Prudential Regulatory Authority.

FCA has active pipeline of misconduct investigations

By Tom Osborn, James Ryder | News | 25 September 2019

As expansion of SMR to smaller firms looms, regulator says plenty of bankers are under scrutiny

Since the UK’s Senior Managers and Certification Regime (SMCR) was implemented in 2016, there has been much carping about its failure to lead to a rise in high-profile scalps of individuals found guilty of significant wrongdoing in the financial industry. But the Financial Conduct Authority has plenty of live investigations pending into senior individuals suspected of “serious misconduct”, according to a senior regulator.

David Blunt, head of conduct specialists at the watchdog – in charge of expanding the conduct regime to some 47,000 FCA-regulated firms from December 2019 – said the framework was fulfilling its purpose to attribute responsibility for serious wrongdoing to named individuals, of whom there are roughly 3,000 at the 900 banks and deposit-taking institutions caught in the regime’s initial phase.

“There is indeed a pipeline of individuals under investigation, because we’ve seen circumstances to suggest that they may have engaged in serious misconduct. That’s the threshold for starting an investigation. And there are individuals who’re going through the process of disciplinary action after an investigation has concluded. As to what that action looks like, there is actually quite a wide variety of behaviour that has led individuals to be subject to investigation – but the key common factor is that the conduct we’ve seen appears to be serious misconduct. Once we’ve crossed that threshold, we are committed to investigate,” said Blunt, who was speaking at an industry conference earlier today (September 25).

Going live in March 2016, the regime ushered in a step change in individual accountability for misconduct by financial firms – something that was perceived to be lacking in the wake of the financial crisis. Firms in scope must name individuals to a number of key functions, from chief risk officer to chief money laundering reporting officer – and, from next month, the person in charge of assessing their firm’s financial exposure to climate change.

Under extreme circumstances, individuals whose conduct had been found to have recklessly endangered their bank could be sentenced to up to seven years in jail and face an unlimited fine. Following much lobbying from banks, the burden of proof in such cases was reversed from the initial stance, which required the banker in question to prove their conduct had not imperilled their firm – instead, the regulator must now prove that it did.

There is … a wide variety of behaviour that has led individuals to be subject to investigation – but the key common factor is that the conduct we’ve seen appears to be serious misconduct

David Blunt, FCA

Blunt said he would not give instances of what a specific breach of the regime might look like – but responding to a question on what the watchdog’s enforcement pipeline looked like, he insisted it was healthy. He alluded to the case of Barclays chief executive Jes Staley, who was fined and censured last year for seeking to unmask a whistle-blower at the bank.

“You mention Jes Staley – it’s right to observe that there have been very few cases brought through discipline under the SMCR. Our approach, though, is, where we see serious misconduct – whatever that looks like – to start an investigation into that misconduct. An investigation ends with some findings of fact and a decision prompt: do those findings lead us to conclude that we should be taking disciplinary action? So it’s two-stage process,” said Blunt.

Even where cases do not proceed to a formal disciplinary process, they may well result in interventions at firms that result in material changes to conduct and behaviour, Blunt added, to the collective good of the industry.

“The start of an investigation is an enquiry. The ambition of that is to make a determination: has there been serious misconduct? And it’s only if the answer to that is yes that we move into discipline. There are plenty of cases at the end of investigation that will close with no further action. Or something in the middle, which feel a bit like, in a supervisory sense for a firm, clarity about our expectations about what they might wish to do differently going forward,” he said.

Some 18 months after the regime was implemented, however, Paul Fisher – deputy head of the Prudential Regulation Authority until 2016 and one of the architects of the SMCR, now a senior associate at the Cambridge Institute for Sustainability Leadership – told Risk.net that a rise in enforcement actions from the regulator would, perversely, be seen as a sign of the regime’s failure to effect a change in risk culture.

Paradoxically, though, he noted that “if there aren’t any prosecutions, people will get lax”.

Applying existing scenario techniques to the quantification of emerging operational risks

By Michael Grimwade | Technical paper | 25 September 2019