US banks set for sharp falls in Pillar 1 requirements, but regulator-set add-ons cloud SMA’s impact
The transatlantic divide that exists between US and European banks on expected changes in operational risk capital under Basel III could be smaller than it first appeared. While European banks in general will likely see an increase in their capital requirements, and US banks a decrease, the differences may be offset at least in part by Pillar 2 adjustments.
For European banks tipped to see a steep rise in Pillar 1 capital under the new approach, such clemency would be good news. But it could also breed uncertainty, and make capital planning difficult for banks – something Basel’s new standardised measurement approach (SMA) for operational risk capital, through its simplicity and predictability, was supposed to avoid – and fuel complaints of an unlevel playing field when it comes to prudential regulation.
“Since the financial crisis, the entire focus has been on Pillar 1,” says an op risk capital executive at a European bank. “Today, with the core Tier 1 ratios from most banks sufficiently stable, the focus is shifting to Pillar 2.”
The standardised approach rips up the previous own-models method for calculating op risk capital in favour of a set formula. A figure for a bank’s total income is combined with a multiplier, which depends on the bank’s size, to produce the business indicator component. This component is combined with an expression of the bank’s previous op risk losses, known as the internal loss multiplier, to produce the firm’s total op risk capital requirement.
The Basel Committee on Banking Supervision’s quantitative impact study, published alongside the final package of revisions to Basel III in December, projected that global systemically important banks (G-Sibs) migrating from the AMA to the standardised approach would see a reduction on average of 35% in op risk capital. The European Banking Authority’s own impact study predicted that Europe’s largest banks migrating from the AMA would see a 28% increase on average.
Taken together, this implies non-European banks could see significant reductions in capital requirements.
“The European banks will see an increase in RWAs [risk-weighted assets] due to the fact that they are relatively small in comparison to the US banks,” says an op risk capital executive at a European bank. “For the ones that are reducing their footprint because they’ve pulled out of some businesses since the financial crisis, this is leading to a lower balance sheet. As a consequence, every bank will take measures to align RWAs to their balance sheet. On one hand, you have a lower business indicator, but you still carry along the legacy issues.”
Basel’s QIS noted one G-Sib migrating away from AMA will see a 222% increase. Practitioners suggest this is likely to be a bank that has incurred large conduct-related fines post-crisis while dramatically shrinking its footprint, so that its proportion of op risk-weighted assets to total assets has shot up.
Many have also speculated as to how individual banks will fare under the SMA. People familiar with the matter say that, among European banks, Santander could see a 50% increase in capital, and Societe Generale could see a 100% increase. Santander and Societe Generale declined to comment.
There are caveats to both impact studies, however. The standardised approach is not due to take effect until 2022, by which time some of the penalties under the 10-year lookback period will have dropped off. Both impact studies were based on 2015 data.
Even if some losses haven’t rolled off by 2022, regulators have latitude to allow banks to downplay past losses by setting a bank’s internal loss multiplier to 1. Under the final agreed framework, national regulators will be allowed to neutralise the loss component within the calculation, which may benefit banks with outsized recent losses (see box: Basel’s internal loss multiplier). Banks will still be expected to disclose their historical op risk losses.
A bank calculates its internal loss multiplier by dividing the loss component (a percentage of the average annual op risk losses for the bank over the previous 10 years) by the business indicator component (an expression of the bank’s size, based on its income, assets, and book size). This quotient is expressed in exponential terms.
Where the loss component and business indicator component are equal, the internal loss multiplier is 1. If the loss component starts to exceed the business indicator component, the multiplier creeps up beyond 1. So, as Basel explains, a bank whose op risk losses are higher relative to its overall size is forced to hold proportionately more capital.
Conversely, a bank that has suffered low op risk losses would enjoy an internal loss multiplier lower than 1, enabling it to hold less capital.
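The calculation described above, worked through as an added illustration (not code from the article or the Basel Committee). The bucket thresholds and marginal coefficients (12%, 15% and 18% up to EUR 1bn, up to EUR 30bn and above), the 15x loss-component scaling and the ILM formula are taken from the Basel III final standard of December 2017; the bank's business indicator and loss history are constructed, and the example also shows the regulator's option to set the multiplier to 1 and the effect of old losses dropping out of the 10-year window.

```python
"""SMA operational risk capital: business indicator component (BIC),
internal loss multiplier (ILM) and the regulator's ILM = 1 override.

Constructed illustration; coefficients per the Basel III final standard.
All monetary amounts are in EUR billion.
"""
import math

# (upper bound of bucket, marginal coefficient), per the final standard.
BI_BUCKETS = [(1.0, 0.12), (30.0, 0.15), (math.inf, 0.18)]


def business_indicator_component(bi_bn: float) -> float:
    """Apply the marginal coefficients to the business indicator.

    Each coefficient applies only to the slice of BI inside its bucket,
    like a marginal tax rate, so a EUR 50bn bank pays 12% on the first
    EUR 1bn, 15% on the next EUR 29bn and 18% on the remaining EUR 20bn.
    """
    bic, lower = 0.0, 0.0
    for upper, coeff in BI_BUCKETS:
        if bi_bn <= lower:
            break
        bic += (min(bi_bn, upper) - lower) * coeff
        lower = upper
    return bic


def loss_component(annual_losses_bn: dict, year: int, lookback: int = 10) -> float:
    """LC = 15 x average annual op risk losses over the previous `lookback` years.

    Losses dated before the window are ignored: this is how a 2013 penalty
    stops counting once the calculation year reaches 2024.
    """
    window = range(year - lookback, year)
    total = sum(annual_losses_bn.get(y, 0.0) for y in window)
    return 15.0 * total / lookback


def internal_loss_multiplier(lc: float, bic: float, bi_bn: float,
                             neutralised: bool = False) -> float:
    """ILM = ln(e - 1 + (LC / BIC)^0.8), so LC == BIC gives exactly 1.

    Bucket 1 banks (BI <= EUR 1bn) use ILM = 1 by default, and a national
    regulator may set ILM = 1 for any bank to neutralise the loss component.
    """
    if neutralised or bi_bn <= BI_BUCKETS[0][0]:
        return 1.0
    return math.log(math.e - 1.0 + (lc / bic) ** 0.8)


def op_risk_capital(bi_bn: float, annual_losses_bn: dict, year: int,
                    neutralised: bool = False) -> dict:
    """Pillar 1 op risk capital = BIC x ILM, with the intermediate terms."""
    bic = business_indicator_component(bi_bn)
    lc = loss_component(annual_losses_bn, year)
    ilm = internal_loss_multiplier(lc, bic, bi_bn, neutralised)
    return {"bic": bic, "lc": lc, "ilm": ilm, "capital": bic * ilm}


if __name__ == "__main__":
    # Constructed bank: BI of EUR 50bn with one large conduct fine in 2013.
    losses = {2013: 10.0, 2016: 0.3, 2018: 0.2}
    for yr in (2020, 2022, 2024):
        r = op_risk_capital(50.0, losses, yr)
        print(yr, {k: round(v, 3) for k, v in r.items()})
    print("ILM neutralised:",
          round(op_risk_capital(50.0, losses, 2020, neutralised=True)["capital"], 3))
```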
Those banks that settled their mortgage securitisation-related penalties early with US authorities are in better shape than those that didn’t, as these losses are in line to drop off sooner under the SMA’s 10-year lookback. UK bank RBS, for example, which has only recently settled its liabilities for mortgage misconduct, may see these fines linger painfully.
The impact of regulators’ attitudes here for individual banks could be sizeable. Deutsche Bank, for instance, had been tipped to see its op risk capital rise massively under the SMA, as a result of the large mortgage-backed securities mis-selling and Libor-rigging penalties it has incurred, among other regulatory fines and settlements. But if its regulator chooses to set its internal loss multiplier to 1, the bank could in fact see a neutral to positive impact to its minimum required capital, observers suggest. Deutsche Bank declined to comment.
Banks are also hopeful that by divesting or shuttering legacy businesses that suffered op risk losses, they can appeal to their domestic regulator for discretion to exclude these losses from their calculations.
The other area where regulators have latitude to dramatically shape the overall capital impact of the new op risk regime is their attitude to Pillar 2 add-ons.
A brief disclaimer in Basel’s QIS noted its projections “do not show supervisor-imposed capital add-ons. Therefore, increases in minimum required capital may be overstated and reductions may be understated.” Operational risk capital experts at banks suggest the impact could be significant.
US banks that anticipate falls in op risk capital requirements under the SMA may see balancing adjustments imposed by the Federal Reserve if the regulator decides that the amount of capital banks carry after migrating from AMA is insufficient.
“JP Morgan is a massive bank, and they have one of the highest op risk RWA charges under their current model,” says the op risk capital executive. “If they use the standardised approach, then they will see a massive drop. If the Fed says that’s what we consider the minimum requirement, we will simply give you an add-on under Pillar 2 to disallow you to benefit from any new regulation.” JP Morgan declined to comment.
Evan Sekeris, a partner at Oliver Wyman, agrees: “If your standardised capital drops compared to AMA, I suspect that banks would then adjust their economic capital numbers to decrease that gap. Banks might have to increase their Pillar 2 number a little bit to keep it above the new Pillar 1, but they’re not going to do a one for one increase.”
Similarly, not all European banks expect to see an increase in op risk capital under the new regime. “If you’re in a jurisdiction where AMA expectations were pretty loose, and the introduction of the SMA increases your Pillar 1 capital, then the gap should decrease,” Sekeris says.
Banks calculate their Pillar 2 capital requirements using their own methodologies. Regulatory expectations as to what should be modelled tend to be less prescriptive for Pillar 2, practitioners say – though some regulators do ask banks to model to a higher confidence interval. However, the principal regulatory expectation under the regime is that banks have a process for assessing their overall capital adequacy in relation to their risk profile.
One other major element of uncertainty is that regulators tend to be idiosyncratic in their approach to Pillar 2 add-ons. One European AMA bank complains of a seemingly arbitrary near-30% increase in Pillar 2 charges last year: “The regulator looks at our calculation and may or may not increase the capital that we calculate,” says an op risk manager at the bank. “We have our add-on, they have theirs. The regulator last year added on something in the region of 30%. No explanation, absolutely nothing.”
Regulators in the US and UK make heavy use of Pillar 2, says the head of operational risk at another large European bank. Others, such as in Germany, tend to focus primarily on Pillar 1, he adds.
“A lot of European regulators don’t do too much in Pillar 2. It’s all done in Pillar 1. In the UK, you have a Pillar 1 calculation and Pillar 2, and any adjustments to the Pillar 1 number are done in Pillar 2. In Germany, they are doing their adjustments in Pillar 1. So I think those regulators will shift their attention to Pillar 2. That’s been my experience from talking to a number of regulators,” he says.
UK regulators are said to be weighing capital add-ons under Pillar 2A for conduct-related risks. In 2017 guidance, the Prudential Regulation Authority noted the challenges associated with modelling conduct risk. Unlike other types of op risk that can be modelled using a loss distribution approach, conduct risk tends to carry much larger losses in the form of punitive legal and reputational costs. The loss distribution is unusually fat-tailed, with infrequent but very large losses, and there is a scarcity of data.
The PRA notes that its approach to Pillar 2A capital for conduct risk is informed by supervisory knowledge of a firm’s exposure to conduct risk; a firm’s largest conduct losses over the past five years; the level of expected annual loss for conduct risk; and conduct-related scenarios where potential exposures over a shorter time horizon (eg, five years) are considered. As a result, the determination of additional Pillar 2A capital for conduct risk is driven predominantly by supervisory judgment.
This would seem to suggest that modelling Pillar 2 capital must by definition involve some degree of scenario analysis – something which, ironically, the SMA explicitly excludes for Pillar 1 capital.
“There is currently no quantitative methodology for estimating Pillar 2 capital for conduct risk,” says Ruben Cohen, an independent risk consultant. “The only viable option is scenario analysis, which one might be able to use to translate fines and penalties into Pillar 2 capital.”
The models need to reflect the source of the losses, such as region, business unit, loss type, and further data categories that are relevant to the type of loss and the circumstances of the loss.
“We anticipate that the regulators would like banks to incorporate their improved data models into their Pillar 2 methodology,” says Chris Cormack, a partner at MP Capital Advisory Services. “We would expect the regulator to see a clear picture on how a loss arose within the context of the control frameworks that were in place to limit the losses.”
Although a forward-looking and more granular Pillar 2 model would be a desirable outcome, one of the criticisms of the AMA was that the modelling approaches weren’t comparable between banks. Therefore, regulators might seek to impose stricter standards on Pillar 2 in an effort to promote comparability, including for banks that weren’t on AMA.
Typically, European banks were understood to have made more use of the forward-looking nature of scenario analysis under the old AMA to lower their capital by downplaying the effect of previous losses.
Some expect the Federal Reserve and European regulators to publish more formal guidelines on their expectations for Pillar 2 capital. “There will be guidance, some kind of rules coming out of the Fed regarding inclusion and non-inclusion of losses,” says Kabir Dutta, senior consultant at Charles River Associates.
The European Central Bank is expected to eventually specify expectations for Pillar 2 as part of its Supervisory Review and Evaluation Process for European banks. “This might result in banks being rewarded for advanced risk management techniques, but also being punished if they don’t have such techniques,” says David Nicolaus, manager of KPMG’s ECB office in Germany.
Also: Japanese crypto exchange loses ¥58 billion in hack; Deutsche, UBS, HSBC settle spoofing claims. Data by ORX News
January’s largest loss was a $608 million liability racked up by US Bank for a penalty it expects to pay as a result of an investigation into the bank’s anti-money laundering and Bank Secrecy Act compliance. The investigation by the US Attorney’s Office in Manhattan centres on the bank’s relationship with Scott Tucker, a businessman who ran a $1.2 billion predatory payday loan scheme and was convicted of racketeering on October 13, 2017.
US Bank reported the liability in a filing with the SEC, revealing that the pending loss includes a deferred prosecution agreement and civil money penalties. US Bank first disclosed the investigation in August 2016 (see In focus below).
Tucker, a professional racing driver, was sentenced to 16 years and 8 months in prison for the scheme, which offered payday loans with interest up to 1,000% per annum. The scheme operated through companies that hid their beneficial ownership by exploiting a legal loophole in the status of Native American tribal territories. These tribes are considered sovereign states separate to the US and, as such, not subject to the full range of federal and state law. By cloaking the ownership of the payday loan companies behind the tribal entities, Tucker sought to sidestep legal and regulatory oversight, US enforcement agencies found.
In second place, a Japanese cryptocurrency exchange, Coincheck, lost around ¥58 billion ($530 million) of XEM tokens in a hack. XEM is a cryptocurrency unit, similar to bitcoin, that is issued by the platform NEM. The hackers obtained the private cryptographic key for the exchange’s hot wallet and extracted the funds. A hot wallet, as opposed to a cold wallet, is a place to store cryptocurrencies which is connected to the internet and therefore vulnerable to web-based attacks.
The exchange said it will refund around ¥46 billion to its customers from its own funds. Japan’s financial regulator, the FSA, conducted an on-site inspection of the exchange at the start of February to assess Coincheck’s response to the attack.
The third biggest loss continues a recent pattern of Chinese regulatory fines within the banking sector. Postal Savings Bank of China lost a total of 3.09 billion yuan ($488.5 million) in relation to a 7.09 billion yuan illegal bank bill trading scheme. An investigation by the China Banking Regulatory Commission revealed that PSBC’s employees had defrauded 3 billion yuan from the bank’s wealth management products to pay for the bill trading.
The regulator fined PSBC 90.5 million yuan, and 11 other banks almost 205 million yuan. This is the second consecutive month that PSBC has suffered one of the five largest op risk losses globally, after its 521 million yuan fine for illegal interbank lending.
In fourth place, Rabobank announced a provision of €310 million ($372 million) for a settlement it expects to reach with the US Department of Justice over an investigation into its anti-money laundering compliance. According to US authorities, the bank’s suspicious transaction reporting was inadequate and employees had withheld information during a 2013 inspection by the Office of the Comptroller of the Currency. Rabobank will likely plead guilty to one offence relating to the employees withholding information, it said.
Finally, hedge fund Pershing Square agreed to pay $193.8 million to settle allegations within two class action lawsuits that it engaged in insider trading with Valeant Pharmaceuticals during the attempted hostile takeover of Botox manufacturer Allergan in 2014.
Deutsche Bank, UBS and HSBC will pay a total of $46.6 million to the US Commodity Futures Trading Commission over allegations some of their traders used spoofing to manipulate the precious metals market for five years between January 2008 and December 2013.
Spoofing is the practice of logging orders to buy or sell a security without then executing a trade, in an attempt to trigger activity from other participants and manipulate prices within the market. Spoofers will position to benefit from those price movements.
Deutsche Bank agreed to a civil money penalty of $30 million, while HSBC and UBS were fined $15 million and $1.6 million respectively.
The US Department of Justice has also charged eight individuals in connection with their roles in the spoofing. Although exchanges have barred the practice for years, it was made illegal as part of the Dodd-Frank Act in 2010, particularly in response to concerns that algorithmic trading could amplify the scale of possible manipulation.
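A surveillance-style check for the pattern described above, as an added example that is not the CFTC’s, the exchanges’ or any bank’s actual detection logic. It flags a trader who places a large resting order on one side of the book, gets a smaller order on the opposite side filled while the large order rests, and then cancels the large order unexecuted shortly afterwards; the order log format, thresholds and sample events are all constructed.

```python
"""Heuristic spoofing detector over a constructed order log.

Log line format (constructed): "<seconds> <trader> <order_id> <NEW|FILL|CANCEL> [side qty]".
Thresholds (2-second cancel window, 5:1 size ratio) are illustrative assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: T1 rests a large BUY, gets a small SELL filled, then
# cancels the BUY; T2 trades normally and cancels a stale order much later.
SAMPLE_LOG = """\
0.0 T1 O1 NEW BUY 1000
0.2 T1 O2 NEW SELL 100
0.9 T1 O2 FILL
1.1 T1 O1 CANCEL
0.0 T2 O3 NEW BUY 200
5.0 T2 O3 FILL
6.0 T2 O4 NEW SELL 200
30.0 T2 O4 CANCEL
"""


@dataclass
class Event:
    ts: float
    trader: str
    order_id: str
    action: str      # NEW, FILL or CANCEL
    side: str = ""   # BUY / SELL, present on NEW only
    qty: int = 0     # present on NEW only


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, trader, order_id, action, *rest = line.split()
        side, qty = (rest[0], int(rest[1])) if action == "NEW" else ("", 0)
        events.append(Event(float(ts), trader, order_id, action, side, qty))
    return events


def detect_spoofing(events: List[Event], cancel_window: float = 2.0,
                    size_ratio: int = 5) -> List[Dict]:
    """Return one alert per cancelled large order paired with an opposite-side fill.

    An alert needs: the cancelled order never filled, it was cancelled within
    `cancel_window` seconds of placement, and while it rested the same trader
    had a fill on the other side at most 1/size_ratio of its size.
    """
    orders: Dict[str, dict] = {}
    fills = defaultdict(list)  # trader -> [(ts, side, qty, order_id)]
    alerts = []
    for e in sorted(events, key=lambda x: x.ts):
        if e.action == "NEW":
            orders[e.order_id] = {"trader": e.trader, "side": e.side,
                                  "qty": e.qty, "placed": e.ts, "filled": False}
        elif e.action == "FILL":
            o = orders[e.order_id]
            o["filled"] = True
            fills[e.trader].append((e.ts, o["side"], o["qty"], e.order_id))
        elif e.action == "CANCEL":
            o = orders[e.order_id]
            if o["filled"] or e.ts - o["placed"] > cancel_window:
                continue
            for f_ts, f_side, f_qty, f_id in fills[e.trader]:
                if (f_side != o["side"] and o["placed"] <= f_ts <= e.ts
                        and o["qty"] >= size_ratio * f_qty):
                    alerts.append({"trader": e.trader, "spoof_order": e.order_id,
                                   "genuine_order": f_id,
                                   "resting_seconds": round(e.ts - o["placed"], 3)})
                    break
    return alerts


if __name__ == "__main__":
    for alert in detect_spoofing(parse_log(SAMPLE_LOG)):
        print(alert)
```

Real surveillance systems add price context (whether the resting order actually moved the quote) and repeat-offender statistics; this heuristic only captures the order-lifecycle shape the article describes.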
In January, two provisions by US Bank and Rabobank related to anti-money laundering and legacy losses for Western Union and Mega Bank (see above) were joined by a $70 million fine levied on Citi by the Office of the Comptroller of the Currency for failing to comply with a 2012 consent order over AML compliance. This has pushed the total losses for AML violations to $1.1 billion in the first month of 2018, compared with a total of $1.3 billion for the whole of 2017, according to ORX News data.
Such a high loss severity so early in the year puts 2018 on track to overtake the previous record year for AML penalties – 2012 – when financial institutions lost almost $2 billion. The year after, 2013, saw losses plunge to $110 million. But bank chiefs who thought the low level of losses would become a trend were soon proved wrong as the total steadily grew over successive years (see chart).
A contributing factor to the increase is the higher average loss amount per event. In 2013, a typical AML loss event amounted to a measly $6.1 million. The figure for 2018-to-date stands at $210.6 million per loss event. So while the aggregate number of loss events dropped between 2016 and 2017, the total loss value rose.
Although authorities throughout western Europe, Asia-Pacific and in South Africa are active at penalising AML compliance violations, US regulators drive losses in this area. Regulators including the Office of the Comptroller of the Currency, financial crime agency FinCEN, and the New York Department of Financial Services levy enormous fines several times a year. For example, in 2017 the NYDFS fined Habib Bank $225 million for AML failures, following the regulator’s introduction of new risk-based anti-terrorism and AML legislation from January 1, 2017.
Cash clearing is the business line that carries the highest risk of large AML penalties, especially when paired with the risk of penalties for breaching US sanctions (not included in this analysis). Banks are all too aware of the danger this poses: in a 2015 World Bank survey, 95% of large banks gave concerns about AML and counter financing of terrorism (CFT) as a reason for withdrawing from correspondent banking relationships. Accordingly, the Financial Stability Board reported a 6% global fall in correspondent banking between 2011 and 2016.
Pulling out of risky banking relationships may not be enough to stop the AML risk for financial institutions, however. The know-your-customer challenges posed by anonymous cryptocurrency transactions open a new avenue to regulators for potentially heavy penalties. A possible precursor to these fines was a $110 million penalty FinCEN imposed on cryptocurrency exchange BTC-e in 2017 after it found the exchange’s AML controls were inadequate.
Models will still be needed to measure forward-looking risks under Pillar 2
Reports of the demise of op risk modelling may have been greatly exaggerated. Although the Basel Committee on Banking Supervision has officially declared the end of the advanced measurement approach for operational risk capital, AMA models and their developers will not be decommissioned. Instead, they will be redeployed for calculating Pillar 2 capital.
Banks are taking the opportunity to build risk-sensitive Pillar 2 models to complement Basel’s new standardised measurement approach, or SMA, for Pillar 1. In doing so, they are cherry-picking the most applicable elements of the AMA process to best capture the risks assessed under Pillar 2.
“I anticipate that regulators would look favourably on a retained AMA for Pillar 2,” says an op risk model development executive at one Canadian bank. “It’s in a unique position to capture things that were dropped for SMA. My biggest fear is that’s going to be lost.”
For some op risk managers, that fear may be realised: although many banks are expected to repurpose their model apparatus – quants, model validation experts, infrastructure – for Pillar 2 needs, some banks may see the demise of the AMA as a chance to make cost savings. Many say privately that job losses are likely.
The new, standardised approach dispenses with bank-modelled efforts to calculate op risk capital in favour of a straightforward Basel-defined formula. A simple accounting measurement of bank total income – dubbed the business indicator – is used to divide firms into three different size buckets. A multiplier is then applied to each bucket to produce the business indicator component. This is combined with historical op risk losses to produce the overall capital requirement under Pillar 1.
Pillar 2 requirements are imposed by domestic regulators to supplement core Pillar 1 capital. Regulators have informally told banks that they expect the use of models for these calculations.
“SMA is about Pillar 1, which means that for the jurisdictions and regulators that require Pillar 2 calculations, the only way you can do Pillar 2 is to model it,” says a regional head of operational risk at one Asia-Pacific bank.
One element of AMA modelling which op risk professionals are keen to preserve is its forward-looking nature. The SMA, with its reliance on historical loss data, makes no allowances for this, managers complain. Op risks that are primarily capitalised using techniques such as scenario analysis at the moment will be harder to capture under the SMA’s blunt method, which relies on historical loss data. Dealers fear that could leave them undercapitalised against emerging threats which have low realised losses – cyber attacks being the most obvious example.
Accordingly, managers are planning to retain scenario analysis to capture forward-looking risks under Pillar 2. Scenario analysis was one of the four original required elements of the AMA, alongside internal loss data, external data, and business environment and internal control factors (BEICFs). For banks that leant heavily on internal and external loss data for AMA calculations, scenario analysis is an area that will require attention.
“Banks want a model grounded in sound statistical practices, but they also want to incorporate scenario impact analysis in a straightforward way,” says Chris Cormack, managing partner at consultancy MP Capital. “Some clients have struggled with scenario analysis.”
Tony Blunden, head of consulting at Chase Cooper, a risk software vendor, agrees: “Most AMA banks majored on losses and struggled with BEICFs and scenarios.”
Even banks that developed AMA models but subsequently chose not to adopt the advanced approach are now in a position to use that modelling capability for Pillar 2.
“For the purpose of prudential risk management under Pillar 2, we are going to continue with our AMA process,” says the head of operational risk methodology for one European bank. “We are not an AMA bank, but we still use an AMA-compliant methodology to calculate – currently – regulatory capital. We will still use it for prudential control, which is something the SMA doesn’t give us.”
For black-swan losses – extreme events at the tail end of the loss curve – so-called loss distribution analysis, or LDA, may be more effective. This technique fits a range of losses to a statistical distribution – for example, lognormal or generalised Pareto – to extrapolate future losses.
The challenges associated with modelling operational risk under AMA will continue under Pillar 2. These include establishing an appropriate methodology that compensates for inadequate historical risk event data, and an evolving operational risk framework that may not have a common taxonomy throughout a bank.
“Operational risks continue to evolve, and historical data doesn’t represent this evolution,” says the US op risk executive.
One way of tackling these shortcomings is through risk and control self-assessments (RCSAs). These require firms to identify specific risks to designated business objectives, and determine the controls to mitigate these risks. Importantly, RCSAs also establish who in the firm is responsible for performing these controls.
“In the UK, regulators have stressed that banks should take not only internal and external loss data into account, but also build RCSAs into their Pillar 2 modelling,” says Blunden. “As operational risk is about the style of management and culture of the firm, it makes sense to use qualitative data as well as losses.”
In the US, much of the focus in modelling has shifted toward stress testing under the Comprehensive Capital Analysis and Review. “For those banks, it will be an opportunity to build models that are useful from a risk management point of view,” says Evan Sekeris, partner at Oliver Wyman. “Instead of building AMA, you can apply them to specific types of operational risk to help management in the identification of root causes.”
Freed from the constraints imposed under Pillar 1, banks will be able to modify their models faster. Under Pillar 1, getting a model approved was a lengthy process, requiring up to two years, says an op risk capital executive at a second European bank. “Under Pillar 2, you can do this easier,” he says. “The development teams keep simply working on the AMA with the benefit that you can introduce any model changes more quickly.”
But as attention switches to modelling under Pillar 2, so the likelihood increases that regulators will impose additional guidelines or restrictions on these models. As Luke Carrivick, director of research at industry association ORX, says: “Pillar 2 has always been based on principles. If there is a shift to Pillar 2, some of those principles may need to be turned into rules. At the moment, it’s quite an opaque process.”
One of the criticisms of the AMA was that the modelling approaches weren’t comparable between banks. Although the standardised approach was intended to correct this, the Basel Committee has given national regulators discretion to minimise or ignore historical op risk losses within the SMA, which might still lead to a lack of uniformity.
Therefore, regulators might seek to impose stricter standards on Pillar 2 in an effort to promote comparability, including for banks that weren’t on AMA.
“On the one hand, the Basel Committee says get rid of models for operational risk for Pillar 1 because they create too much discrepancy between banks. On the other hand, European regulators seem to ask for models for Pillar 2. Clearly, this obvious divergence between appetite for Pillar 1 and Pillar 2 modelling will raise questions,” says Thomas Kaiser, director of the financial risk management practice at KPMG.
Bankers may find an answer to the question of how regulators intend to make Pillar 2 requirements between banks comparable in the shape of greater disclosure of these add-ons. UK authorities have already revealed plans to force banks to disclose their total Pillar 1 and 2A capital, to promote comparability between organisations.
“If they’re disclosed – which is a big shift – then they’d have to make the process more balanced and similar for different institutions,” says Carrivick. “At the moment, Pillar 2 is different in different places.”
That means the distinction between Pillar 1 and 2 is becoming blurred in terms of gauging a bank’s required capital, practitioners argue.
“With required disclosures increasing, total capital will be very visible shortly anyway,” says a senior op risk manager at a UK bank. “As soon as you disclose what your total capital is, analysts will look at it and say, ‘I’m going to ignore Pillar 1 going forward’. The ability to see return on capital will then be relatively easy – and it’ll be easier for them to do a firm-by-firm comparison.”
Another issue arising from the move to the SMA is the fate of those tasked with the painstaking job of developing AMA models. Several banks tell Risk.net that staff have left op risk modelling development teams. “Two or three people left the development team and I’m not aware of any replacement in the near future,” says the op risk executive at the first European bank. “Unless the bank decides it wants to actively improve the AMA model for Pillar 2 purposes, why should you invest too much in something that is dying?”
“I’m told that the number of vacancies in op risk modelling is diminishing,” says an op risk executive at a third European bank. “If there’s nothing to model, there’s no point in getting anybody to do it.”
Unlike the AMA, which requires sophisticated modelling techniques, the standardised approach relies on more readily obtainable data – sharply reducing the need for people with advanced statistical training.
“If you’re an AMA bank, you have a lot of components you have to implement. You need highly qualified people to do that,” says Kaiser at KPMG. “Then you have a new proposal on the table which says you need accounting figures and historical losses, which is readily available. So banks might be tempted to get rid of a bunch of people in their central risk management department for operational risk.”
Others argue that, while the need for modelling under Pillar 1 may be diminishing, those skills can still be transferred to Pillar 2 efforts. When the initial SMA consultation came out in 2016, Oliver Wyman published a paper saying that banks would take the opportunity to perform more advanced modelling for Pillar 2 purposes.
“In the US, we already have seen a repurposing of these individuals,” says Sekeris. “Modelling requirements and loss projection requirements have not disappeared.”
“In a lot of organisations, your Pillar 1 modellers are your Pillar 2 modellers as well, so they’ll keep modelling,” says the op risk executive at the third European bank. “There’s stress test modelling as well. The modellers are still okay. There are lots of other things they can focus on.”
Platforms and reporting entities develop individual solutions, but no silver bullet
High-profile hacks have made cyber security a growing focus for the financial industry, with the likes of Bangladesh Bank, Equifax and Tesco Bank falling foul of criminals. A new piece of European legislation is now threatening to add to the risk of a breach by requiring firms to hold and exchange vast amounts of personal data on individual traders and clients.
“People don’t necessarily want to share that private information,” says Vikas Srivastava, chief revenue officer at foreign exchange platform Integral, based in London. “People don’t want that information sent around electronically via whatever transmission message and they are concerned about how you make sure that private information doesn’t end up somewhere it shouldn’t.”
To curb this cyber risk, industry participants have devised a way of converting personal data into unique numbers known as short codes. These codes are already in use on certain trading platforms, but they have not yet been approved for regulatory purposes amid unease over their application and administration.
The second Markets in Financial Instruments Directive (Mifid II), the updated directive governing financial market activity in the European Union, came into force on January 3. The legislation, and accompanying regulation Mifir, requires platforms and investment firms to collect personal information that will identify individual traders and clients to aid regulators in their crackdown on market abuse. Platforms now hold records on every order placed, and this information must identify the persons responsible for making both the investment decision and executing the order.
The identification takes the form of a code, which varies depending on the individual’s nationality. The list includes sensitive information such as passport or national ID numbers, tax codes or social security numbers (see box: Cracking the code).
Platforms have been vocal about the difficulties of obtaining passport numbers from clients outside of the EU. But even when platforms are able to get these details, they must address the danger of cyber attacks.
“Cyber security is a key concern with Mifid as we need to think about storing this personal information. We are working hard on our cyber defence to make sure data is shielded away from hackers because that is proprietary information that pertains to individual traders. It is not information you want out in the public,” says Ben Pott, head of government affairs at Nex Group, a platform provider that runs its own post-trade reporting service, Nex Regulatory Reporting.
“The trading venues don’t want to hold lots of personal data because it constitutes a specified risk under new markets and data regulations, and is a cyber-security concern. Holding personal data is a cost and has no benefits,” says Alex McDonald, chief executive of the European Venues and Intermediaries Association, a lobby group for platform operators and brokers.
Storing this data is only half of the problem. Mifid II also places requirements on investment firms to disclose to local regulators details of all trades, even those conducted on platforms. These reports must be submitted by the end of the working day after the date the trade took place.
Under guidance from the European Securities and Markets Authority, investment firms and platforms must assign a unique identifier to each individual conducting a trade within the scope of Mifid. Esma has created a list of accepted ID forms for each country, in order of preference. So, for example, the preferred identifier for a UK national is their national insurance number. If that information is unavailable, the second preference is a ‘Concat’ number, which is an amalgam of full name, nationality and date of birth. First-preference identifiers for other countries include the tax identification number (Spain and Portugal), national ID card number (Belgium, Poland, Sweden) and passport number (Netherlands, all non-EU countries). Alongside the unique code, reporting firms must provide the individual’s full name and date of birth.
Investment firms deliver these reports to regulators through approved reporting mechanisms (ARMs) or platforms. This also applies to trades concluded off-venue in instruments deemed equivalent to those traded on-venue.
In turn, platforms are required to file reports for firms not regulated by Mifid II. This includes third-country firms, together with asset managers and hedge fund managers regulated under the Alternative Investment Fund Managers Directive.
Passing this information between firms, clients, ARMs, platforms and regulators increases the risk of cyber breaches because hackers have more points of attack.
The International Swaps and Derivatives Association highlighted the risks of cyber attacks brought on by Mifid II in a letter to the European Securities and Markets Authority on October 2, 2017.
The letter, seen by Risk.net, states: “This unmasked personal information will be stored in multiple locations and will be transmitted multiple times amongst firms, trading venues and national competent authorities. We believe these requirements increase the risk that the personal information of traders, decision-makers and clients will be inappropriately exposed, either through error or cyber attack.”
Cyber threat and client protection are not the only concerns caused by handling personal identifiers. In May, firms in the EU will be subject to the General Data Protection Regulation, which will impose hefty fines for data breaches.
“GDPR has more obligations to identify data breaches and notify the owners of the data. There are some pretty onerous fines for any serious data breach,” says Nick Moss, head of product management at Trax, the ARM owned by credit-trading platform MarketAxess.
GDPR could expose market participants, venues and reporting facilities to potentially huge fines for serious data breaches of up to 4% of their global turnover.
In tackling the dangers of data storage and transmission, platforms and ARMs are developing ways to anonymise identifiers by replacing them with short codes, thus reducing the frequency with which sensitive data passes through the chain. Some have already made progress with this task.
The principle behind the use of short codes is that the trading platform assigns one to each individual trader who signs up to their venue. Traders will then transmit this short code to the platform or ARM when they execute an order. When the platform or ARM needs to send transaction reports to regulators they will translate the short codes and report the personal identifier.
The solution has obvious advantages to tackling the threat of cyber attack, as it cuts down the number of times personal identifiers are transmitted, which consequently means fewer points of attack for hackers.
However, there is a weakness in the chain: currently, regulators do not accept short codes, says Moss of Trax, so reports to regulators still need to contain personal information, despite the trader reporting only the short code to their platform or ARM.
“In an ideal situation the regulators would accept short codes, and industry participants therefore wouldn’t have to pass personal data backwards and forwards on transaction reports,” he says. In this ideal scenario, the personal data would be held in an external centralised store, to be accessed by regulators upon request.
There are hopes that regulators will eventually accept short codes. Although they would not be able to identify individuals immediately, they would be able to discern that specific actions had been taken by one trader, which would help to monitor irregularities or abuse. It would have the ultimate benefit of almost completely eliminating the transfer of personal details in the chain of reporting.
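The short-code chain described above, as an added example in Python (not code from any of the venues or ARMs named here): a reference store mints a random short code per trader, order records and messages between firm, venue and ARM carry only that code, and the personal identifier is resolved only when the regulator's transaction report is built. The identifier preferences follow the article's list; the Concat layout, the fallback for unlisted countries, the field names and all sample people and ISINs are assumptions or constructed.

```python
"""Short-code pseudonymisation of Mifid II natural-person identifiers.

Constructed illustration: only the ShortCodeVault ever holds the personal
identifier; everything that moves through the reporting chain carries the
short code until the regulator's report is assembled.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field

# First-preference identifier per nationality, as listed in the article.
# Assumption: any country not listed is treated as non-EU (passport number).
FIRST_PREFERENCE = {
    "GB": "NINO",
    "ES": "TAXID", "PT": "TAXID",
    "BE": "NATID", "PL": "NATID", "SE": "NATID",
    "NL": "PASSPORT",
}


@dataclass
class Person:
    first_name: str
    surname: str
    nationality: str                 # ISO 3166-1 alpha-2 code
    date_of_birth: str               # YYYY-MM-DD
    documents: dict = field(default_factory=dict)   # e.g. {"NINO": "..."}


def concat_identifier(p: Person) -> str:
    """Simplified Concat fallback: nationality + date of birth + name fragments.
    Assumption: the real RTS 22 transliteration and truncation rules are not
    reproduced; names are upper-cased, cut to five characters and '#'-padded."""
    dob = p.date_of_birth.replace("-", "")
    first = p.first_name.upper()[:5].ljust(5, "#")
    last = p.surname.upper()[:5].ljust(5, "#")
    return f"{p.nationality}{dob}{first}{last}"


def select_identifier(p: Person) -> tuple[str, str]:
    """Pick the highest-preference identifier the person can supply.
    The article gives Concat as second preference for UK nationals;
    assumption: it is used as the fallback for every nationality here."""
    kind = FIRST_PREFERENCE.get(p.nationality, "PASSPORT")
    if p.documents.get(kind):
        return kind, p.documents[kind]
    return "CONCAT", concat_identifier(p)


class ShortCodeVault:
    """Static reference store held by the venue, the ARM or a central utility."""

    def __init__(self) -> None:
        self._persons: dict[str, Person] = {}         # short code -> person
        self._codes: dict[tuple[str, str], str] = {}   # identifier -> short code

    def register(self, p: Person) -> str:
        """Return the person's short code, minting a random one on first sight."""
        key = select_identifier(p)
        if key in self._codes:                          # same person, same code
            return self._codes[key]
        code = secrets.token_hex(4).upper()             # random 8-char alphanumeric
        while code in self._persons:                    # guard against collisions
            code = secrets.token_hex(4).upper()
        self._persons[code] = p
        self._codes[key] = code
        return code

    def translate(self, code: str) -> dict:
        """Resolve a short code to the fields the regulator's report requires."""
        p = self._persons[code]
        kind, value = select_identifier(p)
        return {"id_type": kind, "id_value": value,
                "full_name": f"{p.first_name} {p.surname}",
                "date_of_birth": p.date_of_birth}


def order_record(order_id: str, decision_code: str, exec_code: str,
                 isin: str, qty: int) -> dict:
    """What the venue stores and what flows between firm, venue and ARM:
    short codes only, no personal data."""
    return {"order_id": order_id, "isin": isin, "quantity": qty,
            "investment_decision": decision_code, "execution": exec_code}


def transaction_report(vault: ShortCodeVault, rec: dict) -> dict:
    """Built once, at reporting time, because regulators currently require the
    personal identifier rather than the short code."""
    return {"order_id": rec["order_id"], "isin": rec["isin"],
            "quantity": rec["quantity"],
            "investment_decision": vault.translate(rec["investment_decision"]),
            "execution": vault.translate(rec["execution"])}


def leaks_personal_data(rec: dict, people: list[Person]) -> bool:
    """True if any name, birth date or document number of `people` appears in `rec`."""
    blob = repr(rec)
    for p in people:
        fields_ = [p.first_name, p.surname, p.date_of_birth, *p.documents.values()]
        if any(f and f in blob for f in fields_):
            return True
    return False
```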
But regulators are not completely comfortable with the idea of accepting short codes. Moss suggests they are resistant to the possibility because they fear traders may be tipped off about a regulator’s interest.
“If [regulators] are going to accept short codes, but don’t have the personal data stored centrally, it will mean they need to go back at some point to request that information. They will need to go to a firm and ask for that information. That firm then knows they are doing an investigation into that trader and someone in the company could tip the trader off about the investigation,” he says.
This could affect the forms of some short-code solutions. Two platform sources tell Risk.net that some market participants want to be responsible for translating their own short codes. This arrangement would ensure the maximum possible protection for traders, as their own human resources departments would administer the short code and only they would know the translation. But this would seem to heighten the risk of tip-offs if the translation was undertaken in the same institution rather than an external repository.
Pott of Nex Group warns against this arrangement, as it would place platforms in an awkward position when it comes to fulfilling the obligation to hold records of orders. If they are unable to obtain the trader’s identity upon the request of a regulator, they may be in breach of the obligation.
“For most venues it would be pretty unacceptable for them not to have access to the short-code translation,” says Pott. “The problem is that the venues are responsible for order record-keeping and for transaction reporting on behalf of non-Mifid firms. They can hardly say to the regulator, ‘we don’t have that information, but if you ask for it we will try and get it’. The most practical solution would be to use a central utility that venues have access to for short-code purposes.”
This also places a question mark on whether the short-code solution is compatible with the legislation. Some suggest formal acceptance of short codes may require a change in the law, since the list of acceptable identifiers was contained in a technical standard issued by Esma.
But Nathaniel Lalone, a London-based partner at law firm Katten Muchin Rosenman, believes Mifid II could be flexible enough to allow short codes within the existing framework.
“Deep in the back of Mifid II are provisions that say: none of this overrides data-protection laws. This is about trying to reconcile the Mifid obligations and protecting personal data in a way that satisfies both sets of requirements,” he says.
Lalone is referring to Article 78 of Mifid II, which states the regulation should be carried out in accordance with EU directives and regulations on data protection, established in 1995 and 2001, respectively.
The directive requires member states to protect the fundamental rights of natural persons – in particular, their right to privacy with respect to processing personal data. But this interpretation may need the nod from regulators before it is widely adopted by market participants.
Regulators would need to adapt their systems to accept the platforms’ short codes, and with each venue developing its own proprietary solution, the task becomes more complex. This has already been an issue for market participants, who had to ensure their systems were compatible with individual platform requirements.
“Each major venue seems to have its own approach and so one venue’s solution will be different to another,” says Lalone. “They have a common goal, but they are making it operational differently, which causes problems for firms as they then have to be able to interface with all these different systems.”
The performance of the regulators’ own reporting systems at the start of Mifid II proved to be temperamental, which hardly engenders confidence that they can make the switch to short codes smoothly.
The simple answer would be for platforms and ARMs to develop a standardised short-code convention, but there is competition in this space. Both Bloomberg and Nex Regulatory Reporting confirmed they have their own solution using short codes that investment firms can adopt, while Trax says it will consider offering its central repository to other platforms and investment firms not using Trax or MarketAxess. Bloomberg’s Global Personal Identifier (GPI) short codes are held in a reference database, which investment firms and software vendors can access to meet the transaction-reporting requirements.
“This GPI is a randomly generated, unique, alphanumeric reference ID, or identifier, used to represent a natural person’s record in a secure and anonymised way throughout the transaction lifecycle. This means national ID, birth date or other personal data that may be required for transaction records is maintained in a secure static reference database and not transmitted throughout the transaction lifecycle,” says a spokesperson at Bloomberg.
Nex’s Industry Standard Common Identifier short code can be used by trading venues and investment firms that use Nex Regulatory Reporting as their ARM. TP Icap announced in a press release on January 3 that it is using Nex Regulatory Reporting and that firms should submit their data to the ISCI portal.
Trax maintains the personal information in a repository called the Trax European Data Store. This is used for those trading on MarketAxess and investment firms using Trax as their ARM. But, after clients expounded the benefits of allowing other platforms to use the service, the firm is considering extending Trax EDS to other platforms not using Trax as their ARM.
“Some of our clients have asked us to centralise and provide short codes in one place for other venues to use,” says Moss of Trax. “Off the back of that, we started to have conversations with various different trading venues around how that process could work. We formed a working group to discuss the different models around that and it looks like there is significant demand for this type of solution. If there is demand, we may look at building out the Trax EDS in order to facilitate the secure sharing of personal data across the industry.”
Whether the service providers heed calls for greater standardisation remains to be seen.
“This is not something that anybody is going to win or lose. It makes sense for all sides to come together and partner with each other to solve the problem, rather than coming up with their own individual solutions,” says Srivastava of Integral.
But central repositories have their own cyber-security concerns, as there is a trade-off between vulnerability to cyber attacks versus the amount of data hackers can get away with following an individual attack. One single repository means the transferral of personal identifiers between fewer parties, but a breach of the central hub would give hackers access to far more personal information than if data were stored in separate locations.
“You are putting your eggs in one basket, because rather than having diffuse risk, you have it centralised in one single spot,” says Lalone. “Is it better or worse to have only one place or 10 different places? I would say if the venue has robust security measures around its short-code reconciliation document, it is probably the least worst option to have it in just one place.”
At the moment, there are no serious attempts to standardise the solution and create a central hub. In its letter, Isda proposes the idea of a central hub to Esma as one of many potential solutions to the cyber-security threat, but Esma has yet to respond.
Clive Ansell, head of market infrastructure and technology at Isda, says: “Once we have a response from Esma, the industry can work out what is the best way forward and the respective roles of all relevant parties. However, we do think this is something that needs to be co-ordinated at the global level and that definitely needs regulatory involvement.”
Method’s reliance on past losses and lack of scenario analysis could weaken cyber risk defences
The bluntness of the Basel Committee on Banking Supervision’s revised approach to calculating operational risk capital could leave banks undercapitalised against a rise in future losses from cyber attacks, risk managers at Asia-Pacific banks fear. Some even argue the new method could disincentivise banks to quantify such exposures.
One of the major determinants of a bank’s op risk capital under the standardised measurement approach (SMA) is its losses from past op risk breaches. Yet with realised losses from cyber attacks among Apac banks relatively low, many argue this approach is inherently flawed. The new method precludes the use of scenario analysis in calculating op risk capital requirements – a key part of cyber risk quantification practices under the current own-models approach, and one that has encouraged banks to invest heavily in internal op risk modelling capabilities.
Both of those facets combined could lead to a dangerous weakening of cyber risk management standards when the SMA comes into force from 2022 – something banks should be vigilant against, says Stuart Williams, head of operational risk for Asia markets at ANZ in Hong Kong.
“The SMA, as a formula, has zero benefits for encouraging structural analysis for cyber risk quantification,” says Williams. “With the advanced measurement approach (AMA), you can actually apply scenarios when you’re analysing different types of cyber threats. But regardless of the regulatory capital framework, it is possible to put a dollar range on all types of cyber risks, even tail-end events,” he says.
Under the AMA, banks are permitted to use four different inputs to determine capital requirements: internal loss data, external data, scenario analysis, and business environment and internal control factors (BEICF). Basel acknowledges that, in the case of business lines with a fat-tailed loss distribution and a small number of observed losses, scenario analysis and BEICF may play a more dominant role in the risk measurement system.
But the SMA does away with these freedoms in favour of a rigid approach, which sets a bank’s required op risk capital largely according to its size. This is then scaled according to its average losses over the past decade.
Bharan Guntupalli, who heads operational and enterprise risk for a large publicly listed Indian bank, says the SMA is a problematic tool for calculating cyber-related op risk capital. His bank is switching from the old standardised approach under Basel II, but has been doing parallel runs with the AMA to calculate op risk capital for several years.
Under the AMA, his bank uses internal loss data for risk modelling. At the same time, he uses external loss data for scenario analysis when quantifying cyber risk.
“We are able to see the potential impact from using this analysis. We have inputted the impact of regulatory fines, external event losses, then we estimate the potential loss. That becomes critical input in our business capital model. This is also important when you’re taking out a cyber risk insurance policy,” he says.
Modelling cyber risk is notoriously difficult in any event, op risk practitioners say, primarily because of the difficulty in predicting the frequency of attacks and the severity of losses, and the non-linear relationship between risk controls and losses.
The lack of a universally used approach in measuring cyber threats has prompted risk managers to apply solutions that are unique to a specific bank’s needs. Some prefer to use scenario analysis, which requires a great deal of subjective interpretation; others, projections driven by purer forms of modelling.
Risk managers face challenges in assessing cyber risk at both ends of the probability distribution. More common threats include instances of breaches involving consumer data, malware, ransomware, or an isolated incident such as a distributed denial of service attack. At the other extreme are so-called zero-day attacks – external threats that exploit unforeseen breaches in a bank’s defences, to catastrophic effect.
Conduct risk-related additions to Pillar 2 capital raise questions over scope of UK’s Senior Managers Regime
Risk managers are well versed in the mechanics of operational risk capital. By now, they should be equally familiar with UK authorities’ latest attempt to make bank executives accountable for the failings of their firms, known as the Senior Managers Regime. Few, though, would have placed those two elements together, one contingent on the other.
But that was what Bank of England governor Mark Carney appeared to do in a speech last November, when he suggested that misconduct by senior bankers could result in additional capital add-ons for their institutions.
Since then, operational risk managers have been trying to decode Carney’s words and establish when, and how, the UK’s financial supervisors might use the recently implemented SMR as a means of jacking up banks’ capital requirements.
“In the way the SMR was originally written and the way it was initially communicated it didn’t draw links to explicit capital charges,” says a senior risk officer at a US bank in London. “If you’re having a notable problem in risk management you are likely to have some of your Pillar 2A assumptions questioned, but I haven’t seen that link made explicitly before.”
Pillar 2A is the additional capital that local supervisors force banks to hold to take account of risks not covered under Pillar 1, or core, capital. In the case of UK banks, the Prudential Regulation Authority determines its Pillar 2A requirements for conduct risk using a principles-based, rather than rules-based approach. Instead of sticking to a set formula, the authority exercises what it terms “supervisory judgement”.
This leaves room for discretion, and some observers believe Carney’s remarks were deliberately ambiguous, designed to give the regulator ammunition when it comes to assessing an individual bank’s operational risk controls and its management’s fitness and propriety.
The Bank of England, when asked to amplify Carney’s words, commented: “There has been no change in policy on Pillar 2A capital.” It stressed that failures in firms’ governance, culture and accountability are addressed in the first instance through the SMR – prevention being better than cure (see box: The BoE on conduct risk capital).
But, it added, if the PRA assessed the governance of a firm to be particularly weak, then it may also size its buffer to cover the risks posed by those weaknesses. “This will generally be calibrated by scaling the amount of Common Equity Tier 1 required to meet Pillar 1 capital requirements, plus Pillar 2A capital requirements,” the Bank said.
This looks a lot like a capital add-on, observers point out: “Regulators have always, especially post-crisis, utilised risk management and governance scalars in Pillar 2B; it’s been almost the norm to see scalars applied. Moreover, governance is obviously all about operational risk – so the scalar is often really an op risk [capital] add-on in another name,” says Jimi Hinchliffe, regional chair of the Institute of Operational Risk and a former UK senior regulator.
Not everyone agrees this is what Carney meant, however. “I don’t read Carney’s comments as suggesting the PRA will leverage additional capital,” argues a senior bank lobbyist. “In practice, should shortcomings in SMR occur, then this will have the logical consequence of demanding more capital. He’s simply making an observation.”
Others see the debate over the catalyst for any additional capital as moot: “I was surprised at the suggestion that the SMR could be used as a trigger to add capital, but it doesn’t really matter as the home regulator already has the power to levy Pillar 2A capital. The failure to comply with the SMR could be a trigger for them to use existing powers,” says a senior op risk manager at a UK bank.
The op risk manager is not alone in expressing surprise that the ambit of the SMR has been seemingly broadened to include punishment by extra capital burdens. This isn’t what bankers understood the SMR to be about. The thrust of the regime is about accountability for business decisions, and ensuring that banks had clear and unambiguous reporting lines so that individual managers can and will be held responsible for incompetence and unprincipled behaviour.
But though the scope of the regime is vast, its power is largely untested; with the SMR less than two years old – it entered into force in March 2016, and currently only applies to larger banks and insurers – banks are still waiting for the first enforcement actions under the regime.
No senior individual has yet been targeted by regulators for special attention, either – though these will inevitably come: “If there aren’t any prosecutions, people will get lax,” Paul Fisher, former deputy head of the PRA, told Risk.net in September.
An early trial of the Senior Managers Regime may come in the form of the Financial Conduct Authority’s ongoing investigation into Barclays chief executive Jes Staley, and his role in attempting to unmask an anonymous whistleblower.
Staley admitted that his actions, which came to light last year, were “a mistake”, and offered a public apology. He faces internal punishment in the form of a cut to his bonus for the 2017/18 financial year. The FCA is due to conclude its probe in the coming weeks.
Analysts suggest Staley could find himself one of the first senior executives to have his case heard by the Bank of England’s new Enforcement Decision Making Committee – the body the BoE is in the process of setting up to decide any contested enforcement cases brought by the Bank, including the PRA. The Bank says the creation of the body is a response to a 2014 review by the UK Treasury into enforcement – but it appears to presage a likely rise in challenges to judgements against individuals following the implementation of the Senior Managers Regime.
According to the minutes of the November meeting of the Bank’s court of directors, the committee as proposed will constitute a group of five members – at least two including the chair legally qualified – and in any specific case a panel of three of the five would be formed to determine it. Subject to a final consultation, the committee will be established by the court in the first quarter of this year.
“It looks to me as if his case is going to be the first job for the new process, and seems weird to me to do it any other way,” says Dan Davies, senior adviser at Frontline Analysts, “but I suppose they might decide to get it done and let the new committee start with a clean slate.”
Barclays did not respond to a request for comment by time of publication.
In the absence of examples of enforcement, the industry has no concrete indicator of the types of “persistent failings” that Mark Carney suggested might incur the imposition of an additional capital burden.
“Carney is clearly talking about the incentives to encourage good behaviour,” says Edward Sankey, risk consultant and former chair of the Institute of Operational Risk. “There is a carrot and stick approach.”
Hinchliffe says banks have in the past been slow to adapt to regulatory change, only introducing the required processes and systems just in time, but the possibility of capital add-ons will smarten up their act. “It’s a useful mechanism. It’s the one thing that’s guaranteed to get profile in the boardroom and get senior management attention,” he adds.
That doesn’t stop the banks wondering, privately, how the PRA would make the required calculations if it deemed a capital add-on was called for. Modelling for conduct risk is notoriously difficult, and a lot of banks have lost faith in it. The data points are too few and the correlation between them virtually nonexistent.
“Conduct risk modelling is very difficult: you have got lots of relatively small pieces of data. We try to combine them, but often they have nothing in common – you can’t combine risks that are not homogenous. I can’t imagine anyone has done it with a great deal of confidence,” says the chief risk officer. This led to the view that the AMA, or advanced measurement approach to calculating op risk capital, won’t work for conduct risk under a loss distribution approach, he adds.
One of the reasons conduct risk is so hard to model, say risk officers, is that the fines imposed on banks since the financial crisis (some $320 billion and counting) appear to have been calculated unscientifically and are based upon satisfying a political audience rather than anything else.
“Multi-billion dollar fines come out of perfect political storms and they don’t fit any model. Regulators pick a number they feel comfortable with when asking firms to factor this into capital,” says one.
So what criteria would the PRA use when adjudging capital additions if it deemed them necessary? The answer is not clear. “The SMR is about business accountability and, secondly, effective governance. How might one explicitly include that to include Pillar 2 calculation? There are risks you can model, using scenarios, but I’m not sure how you would use that approach unless the regulators are a little more prescriptive in terms of what they want,” says the UK bank’s op risk manager.
A prescriptive stance, though, would not chime with the PRA’s self-professed “supervisory judgement” approach.
Deficiencies in modelling are no excuse for banks not embracing the principles underpinning the SMR now, and the avoidance of possible capital additions is not difficult, say operational risk consultants. “Where firms don’t have the basics in place, it’s right and proper that they are hit by capital add-ons. The SMR can be seen as a ‘Janet and John’ guide to management and if you can’t even get to that level, then you can’t complain when you’re hit in Pillar 2,” says Hinchliffe.
As Sankey observes: “On the one hand, banks’ concern that they might be hit with capital is justified as there are no precedents and guidelines. But on the other hand, the SMR should be regarded by firms not as the operating standard they are being told to attain but as the minimum accepted standard.”
That is to say, if firms attain the principles and structure outlined by the SMR then they have no need to worry about capital add-ons. Instead, banks should be looking to achieve a quality of performance over and above the precepts of the SMR.
As Colin Lawrence, consultant and former strategic risk director at the PRA, says: “Bank shareholders should be encouraged by what Carney says, but accountable senior executives should be alarmed if they’re not transparent, if they’re not vigilant to what is going on at desk level and haven’t implemented a robust governance structure of identifying, managing and reporting critical risks with a robust control framework.”
The Senior Managers Regime is part of a wider suite of regulations introduced by the Bank of England to tighten up conduct in financial firms. Known collectively as the SM&CR, the regime’s three elements are:
• The SMR, which requires firms to formalise responsibility for 17 management functions among FCA-approved individuals.
• The Certification Regime, which covers individuals who aren’t senior managers, but whose jobs have an impact on clients, markets or the firm. The competence of these individuals is monitored internally.
• The Conduct Rules, which apply to almost all those working in financial services, codifying standards of behaviour.
That has not stopped some firms from exploring ways of following the letter of the law if not the spirit. Industry insiders cite anecdotal evidence that some banks have ‘juniorised’ some roles to avoid responsibility, and also that the PRA has on occasion been obliged to bring interviews with senior managers to a premature halt because the bankers have been so inadequately prepared.
Senior risk bankers reject these suggestions. They stress that the SMR has entailed extensive remapping of procedures and reporting lines, particularly within global banks that operate across jurisdictions and where local managers of local businesses can report to product heads in a different time zone.
Amongst international banks, US firms based in the UK – the largest banking subsidiaries of which are directly supervised by the PRA – are said to have experienced more difficulties adapting to the SMR than their UK or European counterparts. This is partly due to their familiarity with a more prescriptive regulatory system rather than a principles-based system.
The US bank’s senior risk officer disagrees, saying that the CCAR stress-testing regime, which a number of banks in the US have failed, is predicated on similar principles to the regulatory regime across the Atlantic. The officer adds that although the US does not have an equivalent senior managers regime at the moment, it is rumoured that regulators are interested in the concept and have been studying the UK model.
The real test of the SMR and whether, indeed, shortcomings uncovered by the regime will lead to capital additions, will come over the next year or two. Whether banks have made changes, and what sort of punishments the regulator will hand out for what sort of breaches, will become clear only during the period of supervision and enforcement.
Conduct risk modelling is very difficult: you have got lots of relatively small pieces of data, [and] you can’t combine risks that are not homogenous
Senior UK op risk banker
The FCA must first recruit enough senior and experienced supervisors to be “able to see through the presentations made by the banks”, in the words of Edward Sankey, but also it must show the determination to impose punishments in the face of any legal challenges to its judgements.
The paradox, as Paul Fisher points out, is that the more enforcement actions the authorities impose under the SMR, the greater the evidence of the regime’s failure.
Another possible influence on the enactment of the SMR may come in the form of Brexit. Analysts suggest the FCA may seek to differentiate itself from European regulators in an effort to keep banks in the UK. “It is perhaps more likely that the FCA and the PRA will be more relaxed as they want banks to stay. The impression I have is that post-Brexit, regulators in the UK might look again at the bonus system possibly with a view to making it more relaxed,” says Ian Mason, a legal director at DLA Piper and former enforcement head at the FSA.
Some senior risk officers argue this new era of greater transparency and punitive consequences for failures of good governance is all to the good. Others also suggest that banks can hardly be either surprised or outraged by every new demonstration of the iron fist of regulation.
“I think maybe I am an outlier, but I don’t have a problem with regulation as firms have demonstrated time and time again that they are unable to self-regulate. You reap what you sow,” says the UK chief risk officer.
Additional reporting by Tom Osborn
In his November speech, Mark Carney appeared to draw an explicit link between the Senior Managers Regime and banks’ required levels of operational risk capital for the first time.
“For supervisors – us and the FCA – the [SMR] is helping identify weaknesses in governance and accountability. It’s helping us assess the fitness and propriety of senior managers and others in positions of responsibility – and [assess] whether a firm has the appropriate culture and is encouraging the necessary changes. If that isn’t the case, in the first instance, widespread or consistent shortcomings would have consequences for the compensation of individuals. More persistent failings could increase the capital that is set aside for operational risk – so it would have consequences for the firm itself. And in the extreme, it could influence our judgements regarding the fitness and propriety of senior managers.”
In light of Carney’s comments, Risk.net asked the Bank of England to clarify its stance on the mechanism by which failings under the SMR could translate into capital add-ons. Its response was as follows:
“The PRA’s current policy on operational risk Pillar 2A is unaltered. This policy is described in our Pillar 2 statement of policy (SoP). As the governor pointed out, failures in firms’ governance, culture and accountability are addressed in the first instance through the Senior Managers Regime (SMR). These failures are usually not addressed through operational risk capital but rather through another element of the capital stack: the Risk Management and Governance (RM&G) scalar.
The SoP states:
Where the PRA assesses a firm’s RM&G to be significantly weak, it may also set the PRA buffer to cover the risks posed by those weaknesses until they are addressed. This will generally be calibrated by scaling the amount of CET1 required to meet Pillar 1 capital requirements plus Pillar 2A capital requirements. To ensure consistency, RM&G decisions are subject to a supervisory peer review process. As with other risks identified, supervisors will discuss RM&G weaknesses with firms.
The SoP also states:
If an overall RM&G scalar is applied, RM&G weaknesses identified in specific risk categories should not be reflected separately in Pillar 2A capital requirements for those categories.
There are two ways, however, in which failures in governance and culture could indirectly impact the Pillar 2A operational risk capital:
i) If these failures lead to conduct fines, these would be reflected in future years in the conduct part of the operational risk Pillar 2A capital add-on. As stated in the SoP:
Pillar 2A capital for conduct risk is informed by: supervisory knowledge of a firm’s exposure to conduct risk; a firm’s largest conduct losses over the past five years; the level of expected annual loss for conduct risk; and conduct-related scenarios where potential exposures over a shorter time horizon (e.g. five years) are considered.
ii) These failures might influence supervisors’ judgement on Pillar 2A non-conduct operational risk capital. As stated in the SoP:
Supervisory judgement is used to determine the operational risk add-on, taking into account considerations such as: the quality of the firm’s own Pillar 2A assessment; the capital range generated by C1, C2 and C3 for non-conduct risk; confidence in the firm’s scenario analysis process and internal loss data; the quality of the firm’s operational risk management and measurement framework; and peer group comparisons.”
Collins floor may also prevent Morgan Stanley, State Street and Wells Fargo from realising SMA savings
The capital floor imposed on internal models by US regulators could prevent five of the country’s largest banks from realising hoped-for capital savings from the switch to the new standardised measurement approach (SMA) for operational risk.
US dealers were anticipating large reductions in operational risk-weighted assets (RWAs) under the SMA – part of the revised Basel III regulatory framework, which was finalised in December. However, if the SMA were implemented today, an analysis by Risk.net suggests the so-called Collins floor would prevent five of the largest US banks – JP Morgan, Citi, Morgan Stanley, Wells Fargo and State Street – from turning these operational RWA reductions into capital savings.
The amendment, proposed by Republican senator Susan Collins of Maine and implemented by prudential regulators in 2013, requires banks to evaluate their capital adequacy against the Basel standardised methodologies for credit and market risk. Put simply, if standardised credit and market RWAs exceed the total RWAs calculated under the advanced approaches, banks are bound by the former.
“I had thought the SMA would give them some relief, but if they’re already at the floor, they will not get any relief,” says the head of operational risk at a large New York-based bank. “SMA was pushed by these banks, especially JP Morgan, to reduce required capital as opposed to the advanced measurement approach [AMA].”
Jamie Dimon, JP Morgan chief executive, wrote in his 2016 shareholder letter that operational risk capital “should be significantly modified, if not eliminated”.
A quantitative impact study conducted by the Basel Committee suggests operational RWAs will decline by 30% in aggregate for global systemically important banks (G-Sibs). US banks were expected to see the greatest reductions as they are currently required to hold greater amounts of op risk capital under the AMA than their European peers.
As of the fourth quarter of 2017, five US banks were constrained by the Collins floor (see chart), meaning total RWAs calculated using standardised approaches exceeded total RWAs calculated using the advanced approaches. Wells Fargo did not issue exact figures for its RWA totals as of December 2017, but stated in its earnings release that its capital ratio was calculated under the standardised method.
As a result, even if one of the banks were to realise a reduction in operational RWAs under the SMA, this would not be reflected in their minimum capital requirements. None of the banks had responded to a request for comment by press time.
Among the US G-Sibs currently capitalised according to the advanced approaches, Bank of America Merrill Lynch is closest to being constrained by the floor, with total RWAs calculated under the advanced approaches barely 1% – or $17 billion – above those calculated under the standardised approaches.
Goldman Sachs has $62 billion of headroom, with total advanced RWAs 11% greater than standardised, while BNY Mellon’s advanced RWAs were $19 billion, or 12%, higher than its standardised measure. Those banks above the floor could still derive some benefit from the switch to the SMA.
The actual impact of the Basel reforms on banks will not be felt for some time, since the SMA only begins to take effect from 2022 and won’t be fully implemented until 2027.
The final impact of the switch will also be skewed if regulators impose discretionary Pillar 2 add-ons to make up for perceived shortfalls in capital requirements produced by the SMA. The Basel quantitative impact study does not take into account current Pillar 2 capital add-ons from national regulators – meaning projected capital decreases could be understated and increases overstated.
Furthermore, while not all large US banks may see a reduction in minimum capital from the switch to SMA, they could see a reduction in stressed capital requirements. The Fed has not historically factored the Collins floor into the quantitative portion of its annual stress test, the Comprehensive Capital Analysis and Review.
“Standardised risk weights are used in the stress test, and the stress test is the constraining ratio for the largest banks,” says Brian Kleinhanzl, an equity analyst at Keefe, Bruyette & Woods. “Stress testing is not going away anytime soon, so advanced approaches will likely not factor into constraining ratios near term.”
US banks that are above the Collins floor could still be prevented from reaping capital savings by the Basel Committee’s own capital floor, introduced as part of the final reform package. Under the Basel methodology, banks must hold enough capital to meet 72.5% of all risks calculated using the standardised approaches – including operational risk.
“It’s still unclear as to how the Collins floor will be affected, and how the design of the Basel floor will be applied in the US,” says Brad Carr, director of regulatory affairs at the Institute of International Finance. “There is a kind of intricate web of floors that may potentially bind on US banks, so while the intent of the Basel III finalisation was to bring greater certainty, there’s actually some added complexity for US banks at present.”
Past behaviour may subject clients to a 200-millisecond hold period, as US bank tries to avoid losses
Goldman Sachs has disclosed it applies ‘speed bumps’ of up to 200 milliseconds on electronic foreign exchange spot trades, where the client trades in a manner that could expose the bank to losses.
In a disclosure that appears to have been finalised on January 18, the US bank says it applies the hold periods – based on a customer’s trading history – to guard against the risk that prices start moving against the bank. Beyond a threshold price move, Goldman could choose to reject the trade.
“These hold periods currently typically range between 0 and 100 milliseconds for a majority of counterparties, with a hold period of 200 milliseconds applying to a limited number of counterparties,” the disclosure states.
“The hold period that applies to a particular counterparty depends on which pre-defined ‘tier’ it is allocated to, with each tier representing a different hold period.”
A client’s tier is determined in part by “reviews of the counterparty’s trading history, including a review of the amount by which Goldman Sachs’ internal prices have moved for a short period of time following receipt of a counterparty’s electronic trading requests,” the document reveals.
In a footnote, it says there are some vendor price-streaming platforms that establish hold periods the bank is unable to adjust. It also notes it has an “economic events” mechanism that automatically lengthens the hold period temporarily around the release of key economic data.
The bank is not the only one to apply and vary speed bumps by client, but the disclosure is one of the most detailed, and publicly lays out the bank’s policy for the first time.
Goldman Sachs declined to comment.
The disclosures are understood to have been prompted by the release of the global foreign exchange code. A committee of central banks within the Bank for International Settlements started work on the code in 2015 in response to a series of forex scandals at large banks that included collusion to rig benchmark rates and front-running client orders. Since 2014, several large dealers have been hit with billions of dollars of fines by US, UK and Swiss authorities, with more penalties likely to come from an ongoing European Commission investigation.
The code was finalised in December, with principle 17 stating that “market participants employing last look should be transparent regarding its use and provide appropriate disclosures to clients”.
Despite that, Goldman’s disclosure is notable, says a senior forex trader at one bank, because dealers have generally kept their approach to hold times close to their chest.
“It’s a kind of buyer-beware situation. The notion is ‘You’ve seen our terms of business or our disclosures and how we operate – so, you decide whether you want to trade with us’,” he says.
Among other banks that use speed bumps, Barclays says the hold time applied to clients can vary on the basis of historical trading activity but it does not specify the length of the delay, although clients can request this information if they choose. Bank of America Merrill Lynch disclosures show it applies a speed bump of zero to 50 milliseconds, which it says can differ by customer. BNP Paribas says the “expected or typical period of time for making the deal acceptance decision is between 10 milliseconds and 150 milliseconds”.
The speed bumps generally differ from the so-called last-look window, which is a period in which a liquidity provider checks counterparty credit limits and whether the final price is still valid. The speed bumps are applied in addition to this window, extending it for certain clients depending on their trading behaviour. Some banks, though, describe the client-varying price check as part of last look.
Proponents of speed bumps say they protect the bank from ‘toxic’ customer flow. This can take various forms. For instance, a client may have faster connections than the liquidity provider and trade ahead of a price change; others may break trades up and execute them with multiple liquidity providers simultaneously, leaving those dealers trying to hedge the same position; or they may simply request quotes from a large number of liquidity providers simultaneously, which raises the risk of information leaking into the market.
The extra hold period is generally applied to monitor whether a client’s trading activity moves the price beyond the given threshold. Goldman Sachs’ disclosure says that if the price moves in the client’s favour beyond a threshold it will be rejected. If it moves in the bank’s favour beyond a threshold it may be subject to a “price improvement” where the executing price is improved by the difference between the tolerance band and the final price, up to a maximum of 3 basis points.
According to their public disclosures, bank practices on this point vary. Some take a strictly symmetrical approach, rejecting all trades where prices move outside a tolerance band during the last-look or hold period – for or against the client. Deutsche Bank’s default setting is to reject trades if they move against the bank during the window – an asymmetric approach that the bank argues allows it to provide better prices – but clients can opt for rigid symmetry in price checks and trade acceptance.
Given that forex spot prices change at five-millisecond intervals, liquidity providers such as XTX Markets claim extended hold times are bad for end-users because they allow the dealer to see multiple price updates before deciding whether to accept or reject a trade. A 100-millisecond hold period would give a liquidity provider the opportunity to see 20 price updates before making a decision on whether to accept a trade, for instance. In theory, this could make rejections more likely; in the past it also enabled practices the industry has since agreed to limit, such as hedging the trade prior to execution, or adjusting the bank’s live quotes, both of which could move the market against the client.
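The hold-period price check described above, as an added illustration that is not any dealer’s own code: it counts the five-millisecond price refreshes visible during a hold, then applies either the strictly symmetric rule or the asymmetric rule the article attributes to Goldman’s disclosure (reject moves in the client’s favour beyond the band, improve the price on moves in the dealer’s favour, capped at 3 basis points). The 5 ms refresh and 3 bp cap come from the text; the 1 bp tolerance band and the EUR/USD prices are constructed.

```python
from dataclasses import dataclass
from typing import Optional

PRICE_UPDATE_MS = 5          # spot prices refresh roughly every 5 ms (from the text)
MAX_IMPROVEMENT_BP = 3.0     # cap on price improvement quoted in the disclosure
BP = 1e-4                    # one basis point


def updates_seen(hold_ms: int) -> int:
    """Number of price refreshes a dealer can observe during a hold of hold_ms.
    A 'zero hold time' (check finished inside one refresh) sees none."""
    return hold_ms // PRICE_UPDATE_MS


def move_bp(quoted: float, final: float, side: str) -> float:
    """Move of the dealer's internal price since the quote, in basis points,
    signed from the CLIENT's point of view: positive means the quote has
    become better for the client (the market moved away from the dealer)."""
    raw = (final - quoted) / quoted / BP
    return raw if side == "buy" else -raw


@dataclass
class Decision:
    outcome: str                 # "accept", "reject" or "improve"
    exec_price: Optional[float]  # price filled at, None if rejected
    improvement_bp: float = 0.0


def last_look(quoted: float, final: float, side: str,
              tolerance_bp: float, symmetric: bool = False) -> Decision:
    """Decide a trade request at the end of the hold period.  'side' is the
    client's side ("buy" or "sell"); tolerance_bp is the dealer's band."""
    m = move_bp(quoted, final, side)
    if m > tolerance_bp:
        # Moved in the client's favour beyond the band: filling would hand
        # the client an off-market price, so both rules reject.
        return Decision("reject", None)
    if m < -tolerance_bp:
        if symmetric:
            # Strictly symmetric dealers reject this case as well.
            return Decision("reject", None)
        # Asymmetric rule: the part of the move beyond the band is passed
        # back to the client, up to the 3 bp cap.
        improvement = min(-m - tolerance_bp, MAX_IMPROVEMENT_BP)
        sign = -1 if side == "buy" else 1   # buyer pays less, seller receives more
        return Decision("improve", quoted * (1 + sign * improvement * BP), improvement)
    return Decision("accept", quoted)


if __name__ == "__main__":
    # Constructed EUR/USD requests around a 1.2000 quote with a 1 bp band.
    print("updates seen in 100 ms hold:", updates_seen(100))
    for final in (1.2003, 1.19994, 1.19976, 1.1994):
        print(f"buy @1.2000, internal now {final}:",
              last_look(1.2000, final, "buy", 1.0),
              "| symmetric:", last_look(1.2000, final, "buy", 1.0, symmetric=True).outcome)
```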
A number of dealers now apply a so-called zero hold time, which means they conduct price and credit checks in less than the five milliseconds it takes for market prices to refresh.
January 29, 2018: This article was updated to clarify that Barclays clients can request the length of the hold time applied to their trades.
Bank of China, ICBC likely to see lower reductions in operational risk capital due to reliance on interest income
China’s four megabanks are set to be among the losers from the switch to a new method of calculating operational risk capital, due to the approach’s comparatively punitive treatment of banks that rely on interest income to generate revenue.
While some of the world’s largest banks are in line for an estimated 30% drop in operational risk capital requirements under the new approach, according to a quantitative impact study, China’s ‘Big Four’ are expected to see smaller reductions.
“[That reduction] is not uniform across all global systemically important banks, and for Chinese banks it should be less as they rely on net interest income,” says Harry Hu, director in the Greater China financial services team at S&P Global Ratings. “Their balance sheet and assets should increase in the coming years; though there might be a slowdown, we do not think [they] will decrease.”
The four Chinese lenders included in the list of global systemically important banks, or G-Sibs, namely Agricultural Bank of China, Bank of China, China Construction Bank, and ICBC, already hold a combined $48.4 billion in operational risk capital, according to their latest filings. Risk.net analysis of G-Sibs’ 2015 minimum required op risk capital puts all four Chinese megabanks in the global top 10, with Bank of America ($40 billion) and JP Morgan ($32 billion) heading the list.
Under the Basel Committee’s new standardised measurement approach (SMA), a bank’s op risk capital requirements are derived from a figure that serves as a proxy for the bank’s size, termed the ‘business indicator’, or BI. The bad news for China’s banks is that the BI formula uses an absolute value for interest income to calculate one of its three components. The more interest-generating business a bank conducts, the higher the BI figure.
The ‘business indicator’ formula under the SMA framework comprises three components: the interest, leases and dividend income component (ILDC), the services component (SC), and the financial component (FC).
The ILDC is calculated as the lesser of: i) a bank’s interest income minus interest expenses, i.e., its net interest income; or ii) 2.25% of a bank’s interest-earning assets. That figure is then added to the bank’s total dividend income to produce the final ILDC number. The SC takes a figure for other operating income or expenses and adds it to fee income or expenses. The FC is a total of net profit-and-loss for the trading and banking books.
All figures in the above calculations are three-year averages. Net interest income is calculated year by year, then averaged.
Traditional banks with vast assets from deposit-taking or loan-making activities generate interest income that dwarfs other operating income. For instance, net interest income in 2016 for ICBC, China’s largest bank, amounted to 472 billion yuan ($73 billion) or 74% of its total operating income. In comparison, the measure for JP Morgan stood at 43%.
Fee income from activities such as trading or investment banking goes into a separate component of the BI, known as the ‘service component’. This means G-Sibs with more diversified income sources could come out ahead.
“Because of this it will benefit banks with higher fees as a proportion of their overall income. For Chinese banks most of their income is from interest income. They cannot deal in equity investment banking,” Hu says.
The SMA encourages the universal banking model and diversified income streams, according to a Hong Kong-based credit analyst who covers Chinese banks.
“The spirit of the SMA framework and op risk calculation was focused on banks with a universal banking model,” the analyst says. “Chinese banks are focused on commercial banking activities, in part to support the real economy. That’s the reality of the banking system in emerging markets.”
The loan-heavy nature of Chinese banks’ business mix is unlikely to change, with analyst predictions pointing to a continued increase in Chinese bank assets. Loan growth is expected to be 12.5% by the end of the quarter ending March 31, according to Trading Economics’ global macro models. While the pace of growth is predicted to tail off, it compares with a marginal decline in assets held by eurozone lenders, based on data from the European Banking Federation.
The SMA was intended to simplify the previous amalgam of own-model and regulator-set approaches to determining op risk capital. Under the new methodology, lenders are grouped by size into three buckets based on their BI figure and a multiplier is applied to determine what Basel terms the ‘business indicator component’, or BIC. This is then multiplied by a bank’s loss history to produce its final capital requirement. The recalibration of buckets and coefficients within the BIC in the final SMA framework is a key reason for banks to expect final op risk capital charges to be lower than previously thought when they are computed. The highest coefficient was revised down, to 18% from 29% previously, a figure that was said to unfairly penalise G-Sibs.
The new coefficients are set at 12% for banks with a BI range below €1 billion ($1.23 billion); 15% for those with a BI of between €1 billion and €30 billion, and 18% for those with a BI exceeding €30 billion. Asia-Pacific banking analysts confirmed to Risk.net that they expect the Chinese megabanks to be grouped in the middle bucket.
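The business indicator components described above and the bucket coefficients just listed, carried through in code as an added worked example (not the article’s or the Basel Committee’s own code). Assumptions beyond the article’s wording: the services and financial components use the max/absolute-value forms of the final Basel text, the coefficients apply marginally across the three buckets, the ILM is the final Basel formula with a 15× loss component, and every bank figure is constructed.

```python
"""SMA operational risk capital: BI -> BIC -> ILM -> capital, EUR figures."""
from math import exp, log
from statistics import mean
from typing import Sequence

# Bucket boundaries and coefficients quoted in the text (EUR).
BUCKET_1_UPPER = 1_000_000_000          # EUR 1bn
BUCKET_2_UPPER = 30_000_000_000         # EUR 30bn
COEFFICIENTS = (0.12, 0.15, 0.18)
IEA_CAP = 0.0225                        # 2.25% of interest-earning assets
LOSS_MULTIPLIER = 15                    # LC = 15 x average annual loss (Basel text)


def ildc(interest_income: Sequence[float], interest_expense: Sequence[float],
         interest_earning_assets: Sequence[float], dividend_income: Sequence[float]) -> float:
    """Interest, leases and dividend component.  Net interest income is
    computed year by year, then averaged; the average is capped at 2.25%
    of average interest-earning assets; average dividend income is added."""
    nii = mean(abs(i - e) for i, e in zip(interest_income, interest_expense))
    capped = min(nii, IEA_CAP * mean(interest_earning_assets))
    return capped + mean(dividend_income)


def sc(other_op_income, other_op_expense, fee_income, fee_expense) -> float:
    """Services component: larger of other operating income and expense,
    plus larger of fee income and expense (assumed final Basel form)."""
    return (max(mean(other_op_income), mean(other_op_expense))
            + max(mean(fee_income), mean(fee_expense)))


def fc(trading_pnl, banking_pnl) -> float:
    """Financial component: absolute net P&L of trading and banking books."""
    return mean(abs(x) for x in trading_pnl) + mean(abs(x) for x in banking_pnl)


def bucket(bi: float) -> int:
    """Size bucket the bank falls into, as referred to in the text."""
    return 1 if bi <= BUCKET_1_UPPER else 2 if bi <= BUCKET_2_UPPER else 3


def bic(bi: float) -> float:
    """Business indicator component.  Coefficients apply marginally: 12% on
    the first EUR 1bn of BI, 15% on the slice from 1bn to 30bn, 18% above."""
    slice1 = min(bi, BUCKET_1_UPPER)
    slice2 = min(max(bi - BUCKET_1_UPPER, 0.0), BUCKET_2_UPPER - BUCKET_1_UPPER)
    slice3 = max(bi - BUCKET_2_UPPER, 0.0)
    return COEFFICIENTS[0] * slice1 + COEFFICIENTS[1] * slice2 + COEFFICIENTS[2] * slice3


def ilm(bic_value: float, annual_losses: Sequence[float], use_loss_history: bool = True) -> float:
    """Internal loss multiplier: ln(e - 1 + (LC/BIC)^0.8), LC = 15 x average
    annual op risk loss.  Where a supervisor lets a bank ignore its loss
    history (the discretion the text mentions), ILM is fixed at 1."""
    if not use_loss_history:
        return 1.0
    lc = LOSS_MULTIPLIER * mean(annual_losses)
    return log(exp(1) - 1 + (lc / bic_value) ** 0.8)


def demo() -> dict:
    """Constructed interest-heavy bank; three-year series in EUR."""
    interest_income = [60e9, 62e9, 64e9]
    interest_expense = [30e9, 31e9, 32e9]      # NII 30, 31, 32bn -> mean 31bn
    iea = [1.3e12, 1.35e12, 1.4e12]            # 2.25% of mean = 30.375bn: the cap binds
    dividends = [1e9] * 3
    bi = (ildc(interest_income, interest_expense, iea, dividends)   # 31.375bn
          + sc([2e9] * 3, [1e9] * 3, [8e9] * 3, [3e9] * 3)          # 2bn + 8bn
          + fc([2e9, 1e9, 3e9], [0.5e9] * 3))                       # 2bn + 0.5bn
    b = bic(bi)                                # BI 43.875bn -> bucket 3, BIC 6.9675bn
    losses = [0.4e9] * 10                      # ten constructed annual loss totals
    return {"bi": bi, "bucket": bucket(bi), "bic": b, "ilm": ilm(b, losses),
            "orc": b * ilm(b, losses),
            "orc_no_loss_history": b * ilm(b, losses, use_loss_history=False)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>20}: {value:,.4f}" if isinstance(value, float) else f"{key:>20}: {value}")
```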
A quantitative impact study that was published alongside the revised Basel III framework in December found that the SMA would result in average savings of 30% of G-Sibs’ current op risk capital – though this figure masks wide variations between banks. In the study, which anonymised the banks, one G-Sib would see its minimum op risk capital requirement spike by 222%, while another would see it drop by 66.1%, based on 2015 numbers. US banks are expected to see a bigger fall than their European counterparts as they are, in effect, subject to a more punitive regime under the Federal Reserve’s existing interpretation of the more advanced, own-models approach.
But the Basel study points out that its projections do not take into account current Pillar II capital add-ons from domestic supervisors. Assuming some supervisors may remove their add-ons under the revised SMA, projected capital decreases could be understated.
Bank of China noted that the CBRC has yet to internalise Basel’s revised op risk framework into domestic regulatory requirements. “Trial calculations of operational risk capital with the new approach will be conducted to gauge its impact on our bank’s operational risk management,” a spokesperson for the bank said in a statement to Risk.net.
AgBank, China Construction Bank and ICBC did not respond to emails seeking comment on their operational risk capital projections.
Even if China’s megabanks were able to benefit from the kind of op risk capital reductions enjoyed by their fellow G-Sibs, the country’s regulators may not be willing for this to happen, and may instead choose to top up individual banks’ requirements via Pillar 2 add-ons. Chinese authorities are now intensifying their enforcement efforts to root out op risk misconduct amid an increase in such behaviour.
The China Banking Regulatory Commission has meted out sizable fines as part of its crackdown. Last year, 2,451 fines were issued totalling 2.7 billion yuan. About 2.1 billion yuan of the fines were made in December in several landmark cases involving op risk misconduct, propelling two Chinese banks into the top five operational risk losses for that month.
The figures, while modest by global standards, are a significant step up for the CBRC. In comparison, in 2016 the regulator fined 267 financial institutions a total of 0.2 billion yuan for various offences.
The CBRC did not disclose whether any of the ‘Big Four’ banks were hit with fines for financial misconduct in 2017.
The offences range from failure of internal control systems, granting of loans in violation of Chinese law, illegal asset transfers, and circumventing regulatory indicators such as risk and capital requirements.
“Given the regulatory preference for banks to exercise greater prudency, as part of efforts to deleverage and cut down on shadow banking activities, there does not seem to be any desire to relax risk capital requirements. Things may change in the future, but for this year we expect further regulatory tightening,” says Nicholas Zhu, senior analyst in the financial institutions group at Moody’s.
While banks can be hopeful of getting capital relief, such as via regulatory discretion to allow banks to ignore historical losses in the SMA calculations, the current regulatory climate in China does not suggest this will be forthcoming. But that does not mean the situation may not change between now and when the new methodology kicks in, says a Singapore-based managing director of a consultancy which advises Asia-Pacific banks on op risk matters.
“The SMA only comes into place in 2022. There is a lot of room for local jurisdictions to apply their own interpretation so your mileage may vary. But we do not see deregulation in China’s financial markets any time soon,” he says.