Machine learning enters battle against financial crime
By Steve Marlin | News | 20 February 2019
Standard Chartered and Barclays using AI to detect money laundering violations
With money laundering playing an ever-larger role in penalties and reputational damage, banks are marshalling machine learning to bulk up their monitoring systems. Early results show the technology can help weed out false positives for nefarious activity from reams of transactions, enabling banks to zero in on truer indications of crime.
“Where 98% of our time is spent mitigating cases that turn out to be not suspicious, machine learning can help figure out which cases are more likely to fall in that 1–2% pool of cases that are actionable,” said Evan Weitz, managing director and head of controls for Europe and Americas at Standard Chartered Bank, during a Risk.net webinar on February 20.
In a December 2018 policy statement, US regulators encouraged banks to use technologies to fight financial crime – variations of the word “innovate” appeared no fewer than 26 times in the three-page document. Regulators said they would not penalise banks if machine learning exposed weaknesses in their current anti-money laundering systems, nor would they subject banks to increased supervision.
The statement, said Weitz, removed “the perverse incentive not to innovate for fear of remediation costs”.
Standard Chartered is in the midst of a machine learning pilot in Singapore to weed out false positives in screening real-time transactions for money laundering violations. The technology, which learns by analysing transactions and recognising suspicious patterns over time, will enable the bank to more quickly process transactions in its banking business, said Weitz.
ORX data shows money laundering fines reaching $1.96 billion in the US from 2014 to 2017, while in Europe and the UK, the total was just $214 million. However, during the first three quarters of 2018, fines in both regions were converging, with just over $1 billion in the US and $918 million in Europe and the UK.
Humans still required
As well as screening incoming transactions, banks may use machine learning to augment rules-based systems to monitor existing transactions for money laundering. Although the technology will not replace human judgement, it is cutting the time spent investigating false positives, prevalent in transaction monitoring and screening, and instead allows money to be spent on those cases with a high probability of being illegal.
In using machine learning to sift for possible crime, banks are willing to run the risk of turning up false negatives – that is, labelling a small number of transactions as legitimate when they are actually problematic – on the grounds that the savings in not investigating them justify the risk.
Standard Chartered says the percentage of suspicious transactions detected by its current system that are missed by machine learning is in the ‘single digits’. In other words, out of every 100 cases that scored low based on machine learning, the bank is willing to accept that a very small number of them might have been suspicious.
In addition to filtering transactions, machine learning can be used to understand all the relationships a customer might have within a bank. For example, a customer could have accounts in a bank’s corporate, correspondent banking and institutional brokerage businesses. Analysing the transaction activity among these different relationships could give an indication that the customer is a potential money laundering risk.
Barclays is rolling out a prototype machine learning system for its institutional brokerage business this year.
“It will augment rules-based monitoring. It will give us more information on where investigations should focus, to see the benefit of being able to view the network that was not visible to us before,” said Jayati Chaudhury, global investment banking lead on financial crime and money laundering transaction monitoring at Barclays, during the webinar. “For example, if someone has a corporate account, where are they making payments? Those linkages are coming to the surface.”
Just how much innovation regulators will be happy with remains to be seen, the supervisory joint statement notwithstanding. Unlike models developed for market, credit and operational risks – which are subject to SR 11-7 in the US – models to fight financial crime have not been intensively vetted. When banks have used machine learning in other areas, they have had trouble explaining the machines’ output. Will banks be able to sell machine learning for financial crime to regulators – or internal auditors – if it involves tolerating a few misses in the name of greater efficiency?
“How can regulators become comfortable [that] these systems are effective? If even the machines’ creators cannot know the reasons why the machine has made its recommendations, how can a regulator?” said Rob Gruppetta, head of the financial crime department at the UK’s Financial Conduct Authority, in a 2017 speech.
Barclays’ Chaudhury said: “I have reservations about the extent to which regulators understand machine learning solutions. While there is encouragement for trying new solutions, there is risk of a limited level of understanding. It will be a challenge to explain solutions.”
Aussie banks: a right Royal mess
By Tom Osborn | Opinion | 11 February 2019
Misconduct probe sparks board changes and bout of introspection at Big 4
It’s been a rough year for Australia’s banks. Last April, Ian Narev, chief executive of the nation’s largest lender, Commonwealth Bank of Australia (CBA), departed following probes from several of the country’s regulators into widespread money laundering violations and the mis-selling of payment protection insurance, among other offences.
The scandals sparked a national outcry, and helped prompt a Royal Commission inquiry into misconduct in the banking, superannuation and financial services industry. When the 500-page tome finally thudded onto desks on February 4 this year, it made for grim reading, finding the nation’s big banks guilty of everything from paying cash bribes to branch staff as an incentive to hit quarterly targets, to selling life insurance policies to long-dead customers.
The fallout from the report was still being felt, with National Australia Bank announcing on February 7 that its chief executive Andrew Thorburn and chairman Ken Henry would both step down.
The events in Australia have thrown into sharp relief the challenge faced by those charged with overseeing banks’ risk-taking activities: their risk committees. A new Risk.net survey of the board-level risk committees at the region’s banks offers, for the first time, a comprehensive list of the 136 board risk committee members at 24 of Asia-Pacific’s largest banks.
The findings reveal a wide diversity of skillsets, but not much frontline risk management experience: only four directors are former chief risk officers, while almost two-thirds have never worked for a bank.
Does that matter? It depends who you ask. Some argue it shows banks deliberately tailoring the skillsets of their boards to the risk profiles of their institutions. In India and China, for example – where most banks were until recently publicly owned, and most of the counterparties they deal with still are, making risks in the political sphere a key consideration – banks’ boards feature a host of former regulators and government officials.
As the scandals in Australia show, even where boards have a heavy presence of former bankers with risk management experience, learned the hard way from running trading and sales businesses, that alone may not be enough to tackle the complex array of non-financial and conduct risk challenges banks face today.
Take the case of the prudential inquiry into CBA. It found that, although the bank’s chief risk officer and its risk committee were highly experienced, “with the benefit of hindsight, their strengths were heavily weighted toward financial risk management, and brought less experience to bear in operational risk and compliance matters”.
In this regard, CBA has taken its medicine. Last year, under the watch of new chief executive Matt Comyn, it established a non-financial risk committee at the group management level, as well as strengthening its risk management function by including members with compliance and operational risk experience. Anne Templeman-Jones, who held a number of roles at rival Westpac – including risk director and head of strategy for operational risk – joined the risk committee in March last year.
Westpac, in turn, last week appointed former Morgan Stanley Australia chief Steven Harker to its board, while ANZ has recently added former New Zealand prime minister John Key.
In the wake of the Royal Commission’s findings, those seem unlikely to be the only director-level changes among the country’s banks.
Apac bank boards: light on risk experience
By Aileen Chuang | Features | 10 February 2019
Survey of 24 large Apac bank board risk committees shows dearth of risk managers
Banks have spent the decade since the global financial crisis overhauling their risk management frameworks, upending the oversight of everything from model risk to data breaches. But when it comes to the ultimate overseers of a bank’s risk profile – its board – how much has actually changed? For banks in many Asia-Pacific (Apac) countries, frontline risk management experience is still sorely lacking.
Risk.net has analysed the risk committees of 24 of the largest banks in the region, comprising some 136 members, combing through annual reports, regulatory disclosures and databases in order to compile the first comprehensive overview of its kind.
The survey comes as some directors in the region find themselves squarely in the firing line: the recent Australian Royal Commission inquiry into misconduct in the financial sector excoriated boards for not doing enough to prevent a series of scandals that have shamed the nation’s banks and claimed the scalps of National Australia Bank and Commonwealth Bank of Australia’s chief executives.
At first sight, the numbers show cause for concern. Only four directors are former chief risk officers (another is a former global head of risk management) – a markedly lower proportion than for the largest 15 US and European banks.
In addition, less than half have spent their careers in finance: 49 are former bankers, while 16 have worked for asset managers or insurers – again, a much lower proportion than in the US and Europe, where the tally was 61%. In their place comes an army of former regulators and senior government officials, who account for just over 20% of board directors across the region, versus 7% in the US and Europe – largely a function of Chinese and Indian banks, many of them currently or previously state-owned, boasting a heavy board presence from senior public officials.
Risk managers and consultants, while expressing some surprise at the findings, also offer explanations for the apparent lack of hard-bitten risk nous: chief among them a shortage of seasoned risk professionals in some countries, and a lack of prescriptive regulation on committee composition.
Keith Pogson, senior partner for Asia-Pacific financial services at EY in Hong Kong, argues banks are hamstrung by a basic problem: there are simply fewer career risk officers to go around in most Apac nations. Banks in jurisdictions with less mature capital markets may only have appointed their first recognised chief risk officer in the wake of the 2008 crisis, he points out – at least a decade later than many of their US or European peers.
That leaves banks with a different set of skillsets from which to pick when looking for professionals to fill their boards, he says: “The availability of highly seasoned risk professionals is in development in some of the Asian markets. In some markets, they are further along than others. We all dream of having the ideal team. Sometimes they just don’t have the decks to pick from.”
Others are more scathing: given the sheer range and complexity of threats that banks face today – from the theft of highly sensitive customer information through cyber attack or a model risk failure that threatens huge losses – should those who’ve never worked for a bank be the ones to sign off on its risk-taking activities? Put another way, is there sufficient oversight of the risks facing the region’s lenders when two-thirds of the execs on their committees have never worked for a bank?
“If you don’t have the experience, there’s a good chance that you are prone to error. How do you provide effective management challenge if you are not an expert in risk?” says Craig Spielmann, chief executive of consultancy RiskTao, and the former global head of operational risk systems and analytics at RBS, who has worked with major financial institutions and regulators in Asia. “You are looking for people who can provide an independent view, perspective, and understand the level of materiality to the firm. The only way to do that is by having the experience.”
To be sure, the committees of many of the region’s banks feature plenty of big names, plucked from fields including politics and infrastructure development. John Key, former prime minister of New Zealand, sits on Australia & New Zealand Banking Group’s risk committee, as did Lee Hsien Yang (the son of Singapore’s founder, Lee Kuan Yew), a former chief executive of Singapore Telecommunications, until his retirement in December 2018; Sheila Bair, hard-line former chair of the US Federal Deposit Insurance Corporation, is a member of Industrial and Commercial Bank of China’s committee; and David Higgins, the 2012 London Olympics supremo, is with the Commonwealth Bank of Australia.
Allowing for regional caveats, however, perhaps Asian banks aren’t so far out of sync with their global peers. Given that almost all lenders in the region have far smaller investment banks, is the proportion of directors with recognisable career risk management experience – just over one-fifth, or one per committee, roughly comparable to the US and Europe – sufficient?
That tally would mean most boards were compliant with the post-crisis minimum in the US, which stipulates that banks with more than $50 billion in assets appoint “at least one risk management expert having experience in identifying, assessing and managing risk exposures of large, complex financial firms” to their risk committees. Those rules are broadly drawn, however, such that execs would qualify if they had previously run a trading desk or had had a senior financial management role.
Such global standards – the UK and European Union have similar, though less prescriptive, requirements – have informed supervisors in Apac when drawing up local regimes, says Eric Pascal, senior adviser for risk consulting at KPMG in Singapore.
“Singapore and Australia have more detailed guidelines on board risk committee composition,” he says. “The boards of banks in Malaysia and Indonesia are equally ambitious, though have not quite reached the same level of oversight as Singapore and Australia.”
Where jurisdictions force banks to have a board-level risk committee, requirements tend not to be onerous. Australia, for instance, simply stipulates the committee’s chair must be an independent director, and cannot also chair the bank. That suggests Philip Chronican – former chief executive of ANZ’s Australia business and of institutional banking at Westpac, after serving as the latter’s chief financial officer – may have to relinquish his current role as chair of NAB’s risk committee once he takes over as interim chief executive, following the exit of Andrew Thorburn in the wake of the inquiry.
Australia also requires risk committees to have a minimum of three independent non-executive directors, and for a majority of members to be independent. Indonesia, Malaysia and Singapore have similar requirements.
In Japan, home to the region’s banks with perhaps the most exposure to global markets, a board risk committee is not mandatory: company law only requires banks to have committees that oversee nomination, compensation and audit. In recent years, the country’s three largest banks – Mitsubishi UFJ Financial Group, Sumitomo Mitsui Financial Group and Mizuho Financial Group – have voluntarily set up risk committees, with MUFG taking the lead in 2013.
But Nomura, the nation’s biggest investment bank, has yet to establish a board risk committee. It relies on an integrated risk management committee at the group level, rather than at the board level – a structure Nomura believes “works very effectively”, a bank spokeswoman tells Risk.net.
The longevity of a risk committee is no guarantee of success, of course. Australia is home to some of the region’s largest and oldest banks. Its risk committees – longer-established than those of most other countries – have by far the highest proportion of current and former C-level executives in the region, and the highest concentration of directors with banking experience.
Yet the recent Royal Commission inquiry squarely criticised the quality of board oversight at the country’s banks, questioning whether they fulfilled their mandate to provide effective independent challenge.
The final report said: “The evidence before the commission showed that too often, boards did not get the right information about emerging non-financial risks; did not do enough to seek further or better information where what they had was clearly deficient; and did not do enough with the information they had to oversee and challenge management’s approach to these risks.”
China has also proposed guidelines on risk oversight and governance. In 2016, the nation’s banking regulator set out principles for the creation of board risk committees – although it stopped short of placing specific conditions on their composition. At present, almost one-third of the risk committee members across the four largest banks in the nation are from the government sector, the survey shows, and the proportion increases to more than half if those from the regulatory sector are included.
“In Chinese banks, where a lot of the counterparties are in the state sector, having someone who understands the political risks that exist in the state sector or the regional enterprise risks might be quite useful, because your real risks are going to be political changes,” says EY’s Pogson.
Several observers agree the higher proportion of committee members with non-financial backgrounds is a matter of design, rather than the default option, in many jurisdictions. They point to the need for members who can guide a bank to tackle ever-morphing challenges, such as cyber risk and conduct risk – functions where corporate experience is still highly relevant, and where banks can hardly claim to have done a good job of protecting themselves in the past.
As such, the make-up of boards represents banks’ diverse businesses and risk profiles. Tan Teck Long, chief risk officer of DBS, Singapore’s largest lender, tells Risk.net: “We’ve broadened our board risk management committee agenda to include topics such as financial crime, cyber risk and data protection. We also continue to fine-tune our risk reporting processes to the board risk management committee by enhancing the bank’s data and reporting platforms.”
Anthony Neoh, a career barrister and regulator, who now chairs the board risk committee at ICBC and had the same role at the Bank of China previously, says his responsibilities have shifted dramatically in recent years. They have primarily changed within the past two years from taking care of financial risks and complying with the Basel Committee on Banking Supervision’s rules to looking at non-financial risks, such as conduct, compliance and cyber-security risks.
“Let’s say we have 100 minutes of time. We now spend at least 70 minutes on operational and conduct issues, and 30 minutes on financial risk issues,” he tells Risk.net.
Still, some fear that loading boards with directors who lack a risk manager’s instinct to challenge decisions and assumptions could be an even bigger hindrance in jurisdictions where a culture of face-to-face challenge is still not the norm.
“There are some cultural challenges in Asia, as the region is so diverse. It can be tougher for people to provide effective challenge and pushback when they believe things are going off the rails,” says RiskTao’s Spielmann. “That’s what you really need, though – you need to manage risk with your eyes wide open. If people don’t want to speak out and make others uncomfortable, then your risk committee could be ineffective.”
Others dispute this. A senior risk professional who has worked for both Asian and European banks says that, even where cultural norms dissuade direct confrontation, directors still provide effective challenge through other channels, such as pointed questions and requests for supplementary information after meetings.
“Japanese culture is orientated towards consensus, rather than face-to-face challenge. So presentations are often received in silence, but are followed by a series of very sensible one-to-one questions in emails,” he tells Risk.net.
ED&F Man’s commodities loss; cyber events spiral in 2018. Data by ORX News
General Electric experienced January’s largest operational risk loss, with its $1.5 billion settlement in principle with the US Department of Justice over subprime mortgage failings at a now-defunct subsidiary. The settlement resolves the DoJ’s investigations into activities at WMC Mortgage, which was the sixth-biggest subprime mortgage lender when it was acquired by GE Capital in 2004. After the US subprime lending industry collapsed in 2007, GE Capital wound up WMC later that year. The settlement is equal to a reserve set aside in April 2018 to resolve the matter.
The second largest reported loss was at UK-based broker ED&F Man over a commodities fraud. The firm paid $284 million to two Hong Kong companies for nickel that was certified using falsified warehouse receipts, according to a London lawsuit filed by the broker. The suit claims the two Hong Kong firms knew or had sufficient reason to believe the receipts were forged. The metal was collateral in a repo transaction between the parties. ED&F Man sold the nickel on to Australia’s ANZ Bank in 2015. After the forgery came to light, ANZ itself lodged a court filing in the US in 2017 as it attempted to recover losses from the deal.
In the third largest loss of the month, Crédit Agricole was ordered to pay €70 million ($80.1 million) over allegations its Italian subsidiary, FCA Bank, participated in a cartel in the auto financing market. According to the Italian competition authorities, FCA Bank and others regularly exchanged sensitive information about their trade policies, including economic conditions and contracts applied to dealers and consumers, allowing the competition dynamics of the auto financing market to be manipulated.
In total, Italian competition authorities imposed fines of €678.4 million against 12 entities, mainly financing companies wholly owned by auto firms. As these lenders are in the automotive sector rather than financial services, they have not been included in this month’s top five.
Fourth, BNY Mellon agreed to pay $72.5 million to settle a class action lawsuit claiming the firm overcharged American Depositary Receipt holders when converting their foreign currency dividends and other payments to US dollars. The practice enabled the bank to generate excess revenues on top of its standard fees, according to the lawsuit. The bank is accused of using this practice for 20 years, but this was only revealed as a result of a 2015 lawsuit and subsequent disclosure. The settlement is awaiting preliminary approval.
The fifth largest loss of the month also involved a class action lawsuit. HSBC and its subsidiary, HSBC Securities, agreed to pay $30 million to settle claims it conspired with 11 other banks to rig the supranational, sub-sovereign and agency (SSA) bond market. The initial complaint, filed in May 2016, alleged that HSBC and others colluded through chatrooms to share price data and co-ordinate trading, therefore boosting profits at customers’ expense.
In August 2017, Deutsche Bank and Bank of America agreed to settle the allegations, paying $48.5 million and $17 million respectively. Barclays, BNP Paribas, Citigroup, Crédit Agricole, Credit Suisse, Nomura, Royal Bank of Canada, and TD Bank are yet to reach settlements.
Spotlight: US reveals charges over database hack
Two US government agencies have announced charges relating to a 2016 hack of a Securities and Exchange Commission database. During the hack, cyber criminals accessed test filings uploaded by companies containing confidential data. The agencies claim the hackers conspired with traders to make at least $4.1 million in profits through insider trades using the information.
The hackers targeted the SEC’s Electronic Data Gathering, Analysis and Retrieval system (Edgar) between February 2016 and March 2017. To gain access, the hackers exploited a software vulnerability, and used targeted cyber attacks including directory traversal attacks, phishing attacks and infecting computers with malware. The hackers then copied corporate filings to servers they controlled, and the confidential information they contained was used to trade before at least 157 earnings releases between May 2016 and October 2016.
The US Department of Justice formally indicted two Ukrainians on various fraud charges. The SEC also filed a civil complaint charging one of the Ukrainian men, six traders in California, Ukraine and Russia, and two entities. Some of those involved had previously been charged by the SEC for a hack of newswire services in 2015.
In Focus: Cyber risk ratchets up in 2018
Financial firms experienced 78 cyber-related data breaches and instances of fraud and business disruption in 2018, costing firms $935 million. Over half (54%) of this number were fraud events. These figures represent an increase of 174% in loss severity from 2017 and 46% in frequency.
There are several trends in the figures that help to explain this increase. The first is data breaches at third parties, which have affected a number of firms. In June 2018, UK internet bank Monzo saw data on approximately 20,000 customers stolen by hackers from the third-party survey provider that it was using at the time.
Another trend is the vulnerability of data held on cloud servers. For example, data of about 2.4 million users of the Blur password manager was accidentally exposed in December 2018 on a mis-configured Amazon Web Services S3 server.
After the price of bitcoin peaked in December 2017, cryptocurrency events have increased in frequency and severity. The two most damaging cyber events of 2018 in the database both relate to virtual currency. The hacking of Japanese cryptocurrency exchange Coincheck and Italian exchange Bitgrail both led to reported losses of hundreds of millions of dollars, although these losses, and any subsequent recoveries, are not publicly reported.
There are also several regulatory factors bringing cyber risk to the fore. In the European Union, the introduction of the General Data Protection Regulation has given firms a strong incentive to report data breaches promptly. Regulators around the world are stressing the importance of a firm’s resilience towards a cyber attack, and recognising that it is not possible to eliminate cyber risks, only to manage their impact.
But some regulators are also showing they do not have tolerance for banks that fail to protect customers from foreseeable risks. The Financial Conduct Authority’s fine for UK retail firm Tesco Bank, a subsidiary of the large supermarket operator, shows this. The £16.4 million ($21.3 million) penalty, levied last year for a hacking event in 2016, was for failing to show due skill, care and diligence in protecting account holders against a cyber attack.
These factors help to explain why cyber-related risks remain top of the agenda for risk managers. In the ORX Operational Risk Horizon Study for 2019, cyber risk is the top risk concern for financial firms in 2019 and takes the number two spot for future emerging risks.
Editing by Alex Krohn
All information included in this report and held in ORX News comes from public sources only. It does not include any information from other services run by ORX and we have not confirmed any of the information shown with any member of ORX.
While ORX endeavours to provide accurate, complete and up-to-date information, ORX makes no representation as to the accuracy, reliability or completeness of this information.
ING trims op risk charge by 11% in 2018
By Abdool Fawzee Bhollah, Louie Woodall | Data | 6 February 2019
Dutch lender ING lopped €368 million ($418 million) off its operational risk capital charge in 2018, following a series of updates to its advanced measurement approach (AMA) model.
The bank’s minimum operational risk capital requirement was €2.8 billion at end-December, down from €2.9 billion three months earlier and €3.2 billion in the year-ago quarter.
ING lowered its requirement over three consecutive quarters from end-March. The bank makes exclusive use of the AMA to calculate its op risk capital requirement.
The bank’s total capital requirement for credit, market and operational risk at end-2018 was €25.1 billion, up from €24.8 billion a year ago. The op risk charge has reduced as a share of this total to 11% from 13% over this period.
What is it?
A bank’s minimum capital requirement equals 8% of its total risk-weighted assets (RWAs) for credit, market and operational risks.
Existing Basel Committee rules allow op RWAs to be calculated under the AMA using banks’ own internal models, which use the frequency and severity of past op risk losses to determine how much capital should be put aside to absorb potential future losses.
At end-2017, the committee scrapped the AMA and replaced it with a standardised measurement approach (SMA), under which firms will have to calculate their op risk using the standard-setter’s own formulae. The SMA will be phased in from January 2022.
Why it matters
The evolution of ING’s op risk capital charge demonstrates the responsiveness of the AMA to changes in banks’ loss experiences. The bank cited regular updates to external loss data and the underlying scenarios used to project its op risk for the 11% cut in its requirement. These, in turn, reflect fewer and less severe op risk losses at ING, and across the industry as a whole, as this data is a key input to AMA models.
ING and other banks that use the AMA exclusively to generate their op risk capital requirements may find they attract higher charges once the SMA comes into force. Not only that, the charge may prove hard to reduce as banks will be barred from using their own periodically updated op risk scenarios as an input to the calculation.
Practitioners have blasted the SMA for not being risk-sensitive enough and focusing instead on a bank’s size. Much now depends on how national authorities implement the final rules. If the Dutch regulator takes a conservative line, ING may find its future op risk capital charge is more a tax on its size than a reflection of its actual risk.
Metro Bank execs under scrutiny after loan probe snafu
By James Ryder | News | 6 February 2019
Lender could see capital buffer rise after admitting regulator, not bank, discovered errors
Metro Bank could face a punitive rise in its regulator-set capital buffer, following the startling revelation that the Bank of England – and not the firm itself, as claimed – discovered the lender was applying the incorrect risk weights to two large loan portfolios, former regulators and legal experts warn. They argue the episode calls into question the quality of the bank’s risk management and governance.
Three former senior regulators whom Risk.net spoke to for this article claim that, if the regulator decides the initial booking error and Metro Bank’s subsequent response to it suggest its governance and risk control processes are flawed, the Prudential Regulation Authority could order the bank to increase the size of the regulatory capital buffer it is required to hold.
“If this arose not just from somebody making a stupid mistake, but because systems checks were not properly in place, you can imagine Metro Bank would have a Pillar 2 scalar added until they’ve sorted it out,” says one former senior UK regulator. “If you spot something marginal, you might threaten to do it and give them a chance to fix it. But, here, somebody has made a very basic error on the calculations. This is not a matter of opinion or a marginal judgement, where you might classify assets one way or the other.”
Metro Bank declined to comment.
In a trading update on January 23, the lender reported a 20% jump in risk-weighted assets (RWAs) to £8.9 billion ($11.7 billion), largely as a result of reassigning two loan portfolios to higher risk buckets under the standardised approach to credit risk capital. A portfolio of loans backed by commercial real estate had been booked at a risk weight of 50%, which was then raised to 100%; a portfolio of loans for buy-to-let residential properties was raised from a weight of 35% to 100%.
On a call with analysts on January 23, Metro Bank chief financial officer (CFO) David Arden said the errors “came to light following an internal review, in preparation for our year-end [results filing].”
A Metro Bank spokesperson repeated the claims to Risk.net on January 25, saying: “We spotted that certain of these mortgages were in the wrong band […] at which point we notified the PRA.”
However, following revelations in the UK’s Daily Mail on January 27 that it was actually the BoE that first flagged the inconsistencies in Metro’s loan book, the lender issued a new statement, saying: “Ongoing supervision by the PRA helped to identify potential inconsistencies in certain loans which were raised with the bank. Metro Bank then undertook a comprehensive review in order to establish the full picture before our year-end, which identified the need to make adjustments.”
In recent years, the BoE has sought to head off failures in firms’ governance, culture and accountability in the first instance through the Senior Managers and Certification Regime (SM&CR) – the logic being that prevention is better than cure.
“The accountability regime is supposed to prevent exactly this kind of thing,” notes a second former senior UK regulator.
CFO “in firing line”
The first former regulator argues the error was basic enough to raise questions about the fitness and propriety of the firm’s CFO, regardless of their obligations under the regime.
“If there’s an error here, the CFO is going to be in the firing line. He could well be in trouble under the SMR, but it’s difficult to see how he wouldn’t have been in trouble anyway for an error as basic as this,” he says.
If the PRA deems the initial error to have material implications for the quality of Metro Bank’s risk management – and the miscommunication over who discovered it to have compounded the mistake – the result could be a capital top-up.
The BoE’s statement of policy on its method for setting Pillar 2 capital says: “Where the PRA assesses a firm’s risk management and governance to be significantly weak, it may set the PRA buffer to cover the risks posed by those weaknesses until they are addressed. This will generally be calibrated in the form of a scalar applied to the amount of Common Equity Tier 1 required to meet Pillar 1 capital requirements plus Pillar 2A capital requirements. Depending on the severity of the weaknesses identified, the scalar could range from 10% to 40%.”
Commentators also suggest the episode could have broader implications for the UK’s regulation of challenger banks, championed by government as a means of shaking up competition in the sector.
In its Pillar 2 statement of policy, the BoE does discuss taking into account the size of a bank when supervisors are setting the buffer, saying: “The PRA will continue to apply a more flexible approach to new entrants and expanding smaller banks when setting the PRA buffer.”
The second former regulator says the episode could colour the PRA’s attitude to regulating challenger banks – though he argues such firms are not currently subject to light-touch regulation.
“I guess that will be something they’ll consider. But it wouldn’t be reasonable to say regulators haven’t been focusing on challenger banks. I think they recognise there are particular types of operational risks that are inherent to the challenger banks, just in terms of their business model, in that it’s very much an outsource type of a model, and, obviously, quite rapid growth as well. Regulators are always concerned to see that the controls are in place and robust [enough] to be able to cope with the growth.”
Editing by Tom Osborn
Model risk chiefs warn on machine learning bias
By Tom Osborn | News | 31 January 2019
ML model outputs open to “potential bias sitting in your datasets”, says RBS model risk head
Banks’ rapid adoption of machine learning techniques to augment the modelling of everything from credit card approvals to suspicious transactions has left model managers scrambling to make sure their risk frameworks can accommodate them, senior executives are warning.
Banks hope models that make use of machine learning (ML) – a subset of artificial intelligence that relies on automation to create accurate predictions from large, dense datasets – can dramatically speed up manually intensive processes such as anti-money laundering checks and credit decisioning, cutting costs and improving their customers’ experience.
But dealers acknowledge ML models’ predictive power leaves them open to potentially unethical biases – which could also be harmful for business: denying a mortgage or a credit card to everyone in a certain postal district or suburb, for instance, simply because the bank’s database shows a higher risk of non-payment based on other customers historically served there.
That raises ethical and reputational questions banks’ model risk managers have previously not had to confront, according to Peter Nowlan, head of model risk at RBS.
“One of the debates I’m having across the organisation is, model risk within ML and AI is only one of a number of risks the organisation is exposed to. I have to work much more closely with my operational risk colleagues – and in some cases with my conduct risk colleagues, depending on how models are deployed – and potentially reputational risk as well. You have to think more broadly and reach out to colleagues more widely, in order to understand what exactly the organisation wants to do with them, how it’s going to deploy them, and therefore what are the controls that need to be put in place,” he warns.
Nowlan, who made the comments at a model risk management forum run by S&P’s Crisil on January 24, says his team is being asked to weigh in on “20 or 30” ML models currently being developed by RBS.
Nowlan alluded to another common complaint levelled against ML models: namely the difficulty developers have in explaining how they reach their outputs. Models based on deep learning techniques, for instance, which seek out non-linear correlations in large, dense datasets, often feature strong self-learning elements, with model outputs used to inform future inputs. This creates a dynamic feedback loop that can make it difficult for model developers to explain how a model will behave in future.
Taken in concert with the potential ethical issues posed by unhelpful biases, the obvious response for the risk function is to apply appropriate controls; but until now, model validators haven’t been faced with the task of overseeing a large number of self-learning models, Nowlan pointed out.
“A lot of the historical models you have, the controls can be relatively static,” he said. “However, with ML models, it’s a case of almost constant monitoring, because the model you’re actually validating could change tomorrow, depending on the data that is being input. These models just suck up data. And therefore, [you need to monitor] your evolving dataset, rather than the actual dataset you’ve got when you deploy these models. The outputs can be very different, just because of the bias, or potential bias, which is sitting in your datasets. There’s a lot of work we’re trying to do in understanding the fundamentals of the data and the potential bias around the data.”
Speaking on the same panel, a model risk manager at another bank agreed, adding that the pace of model development within banks was forcing model risk managers to adapt their validation frameworks quickly – not wanting to be accused of stymying development if they slow down the approvals process.
“There are lots of use cases, but the big challenge is the potential unintended consequences,” said the senior model risk manager. “That’s really what everyone is now waking up to, and realising, ‘hang on: are we introducing biases, are we introducing things which are ethically challenging? Are we creating something that’s storing up problems for the next financial crisis?’ That’s what I think we need to manage very carefully. I think people have woken up to this already; [but] I don’t think all of us have got a framework in place yet to really manage that and understand it. We’re certainly having that dialogue now.”
How a developer proposes to use a model has a major impact on the controls risk managers need to put in place when drawing up a framework to monitor it, Nowlan adds – as does the speed at which a model’s developer wants it to go from development to deployment.
Senior model developers have told Risk.net that a lack of ready explainability for some approaches is already affecting development. At least 10 banks are said to be drawing up explainability frameworks in response to such issues; some have spent big, hiring robotics professors or poaching industry experts from other fields.
Banks are also warning regulators that they expect them to keep pace with development through open forums, rather than taking a heavy-handed approach to regulating ML models. Existing model risk regulations, set down under the US’s SR 11-7 framework, already contain high-level principles around a model’s accuracy, robustness and behaviour – though banks have suggested they expect guidance to be updated, as regulators’ understanding evolves and scrutiny increases.
“Most of the fora I’ve been on with regulators, they’re just dipping toes in the water here, because they don’t know what they’re dealing with yet,” noted Nowlan.
Banks divided on op risk approaches
By Louie Woodall, Abdool Fawzee Bhollah | Data | 28 January 2019
US and Australian banks favour the advanced measurement approach for calculating operational risk capital requirements more than their European and Japanese peers, a Risk Quantum analysis shows.
A survey of 47 of the 50 banks in the Risk Quantum sample showed that 20 had 100% of their op risk capital generated under the AMA as of end-June 2018, of which nine were American, four Australian, two Swiss and one Canadian. Only four European banks calculated their op risk capital exclusively using the AMA.
Thirteen banks used a mixture of two or more of the standardised, AMA and basic indicator approaches (BIA). Four of these were Japanese, with MUFG calculating the highest share under the basic indicator approach of any bank, at 32% of its total. Six were European, with BBVA having the largest share of its op risk capital calculated using the BIA, at 16.4%. Three were Canadian, though none of these used the BIA.
Fourteen banks, of which two were Japanese and the rest European, calculate op risk capital exclusively using the standardised approach.
What is it?
Basel II rules lay out three methods by which banks can calculate their capital requirements for operational risk – the BIA, the standardised approach and the AMA. The first two use bank data inputs and regulator-set formulae to generate the required capital, while the AMA allows banks to use their own models to produce the outputs.
The finalised Basel III framework, published in December 2017, will replace these three with a revised standardised approach. This uses a simple accounting measurement of bank total income – known as the business indicator – to divide firms into three size buckets. A separate business indicator multiplier is then applied to each bucket to produce the business indicator component. The product is then subject to an internal loss multiplier, a scaling factor based on a bank’s average historical losses and business indicator component.
The Basel Committee has set member jurisdictions a deadline of January 2022 to implement the revised standardised approach.
The survey features nine US banks, 22 EU banks, four Canadian banks, six Japanese banks, two Swiss and four Australian banks, all included in the Basel Committee's global systemically important bank assessment sample. Those excluded from the Risk Quantum sample were Scotiabank, which said it calculates op risk using the AMA and standardised approach, but did not provide a breakdown between the two, and PNC and Capital One, which are not under the US advanced approaches rule and therefore do not disclose operational risk capital data.
Why it matters
Basel’s overhaul of the capital framework eliminated the raison d’être of internal models for op risk, as banks will have to comply with regulatory charges generated under the revised standardised approach going forward.
For some lenders, the switch will lead to a reduction in op risk-weighted assets – Basel’s own impact analysis suggests an aggregate drop of more than 30%.
However, these savings will not be evenly distributed. European supervisors have generally allowed their banks greater flexibility than their US peers in modelling op risk capital requirements, meaning they have been able to juice more capital savings under the AMA. As a result, they have more to lose from the AMA’s demise.
This may explain why two European banks – Barclays and BNP Paribas – decided to switch from the AMA to the standardised approach in the middle of last year, well ahead of Basel’s timetable. By scrapping their use of internal models now, the banks are frontloading some of the expected capital volatility that will occur when the revised standardised method comes into force, smoothing the transition to the new capital regime.
As for why US banks have yet to switch off their models, there’s a simple explanation – US regulators have yet to transpose parts of Basel III into domestic law, including the op risk framework, and lenders have no recourse under the current advanced approaches rules to shrug off the AMA.
Correction, February 6 2018: This article was amended to include ING as one of the banks that exclusively uses the AMA. It had been wrongly identified as not using the AMA in a previous version.
Mega-fraud at China’s Anbang pushes up total losses year on year; SocGen suffers double blow
Operational risk losses rose by more than a quarter in 2018, reversing the trend of previous years that had seen annual falls in the loss total. However, a large part of last year’s $34 billion total is a single loss: Chinese insurer Anbang’s $12 billion embezzlement case. The number of individual loss events has increased, though, with 2018 seeing 728 incidents against 2017’s 710. The figures refer to losses that are publicly reported.
As was the case in 2017, internal theft and fraud continue to dog banks and financial firms, accounting for the three largest losses of 2018. In addition, anti-money laundering and sanctions violation fines almost doubled year on year, leaping from $1.9 billion in 2017 to $3.7 billion in 2018. A large driver of this rise was a loss to Societe Generale, which in November agreed to pay $1.34 billion for violating US trade sanctions in Cuba, Sudan and Iran – the fourth largest loss recorded in 2018.
ORX News also recorded a 40% increase in technology and infrastructure failure events in 2018. The losses caused by these events are often unquantified, but 2018 presented several examples where banks reported loss figures. The most high-profile example is from the UK, where TSB provisioned £145.7 million ($204 million) for redress after its failed IT migration.
Five of the 10 largest losses occurred in the US – though the top three took place in China, Ukraine and India respectively.
The 75.2 billion yuan ($11.99 billion) loss for Anbang Insurance – the largest of 2018 – was a result of an embezzlement scheme headed by Wu Xiaohui, the company’s now ex-chairman and general manager. Wu was accused of falsifying financial statements, which enabled the firm to sell more insurance products than the quota agreed with regulators. Wu also diverted company funds for his personal use, prosecutors claimed.
Following a one-day trial on March 28, during which the court heard that Wu ordered staff to destroy evidence of his activity, Wu was found guilty and sentenced to 18 years in prison. The China Insurance Regulatory Commission seized control of Anbang.
The second largest loss was a multibillion dollar fraud perpetrated against Ukraine’s PrivatBank. The bank was nationalised in 2016, but it wasn’t until January 2018 that the National Bank of Ukraine announced the full extent of fraud losses incurred by the firm – a figure of at least $5.5 billion.
Following a second investigation by risk consultancy Kroll, the NBU confirmed that a complex, multi-pronged fraud scheme had been operating within PrivatBank since at least 2006. The scheme was largely based around “loan recycling”, whereby new loans are issued to pay debts and interest in a similar manner to a Ponzi scheme.
The investigation concluded that “more than 95%” of PrivatBank’s borrowing was to parties related to its former owners, Ihor Kolomoisky and Gennadiy Bogolyubov. The pair disputed the assessments made by the NBU and said the bank was nationalised for political reasons.
In the third largest op risk loss of last year, Punjab National Bank was defrauded of 143.57 billion rupees ($2.23 billion) by employees linked to fugitive diamond dealer Nirav Modi, along with associated companies.
On February 14, PNB notified the Bombay Stock Exchange that the bank had discovered “fraudulent and unauthorised” transactions. The total loss figure increased throughout February, as PNB reported additional unauthorised moves. The activity involved bank employees issuing money to Modi’s firms using financial messaging network Swift and subsequently concealing the transactions, according to Indian government investigators.
The venture, reportedly ongoing since 2011, was detected in January, by which point two of the employees involved in the fraud had left the firm. When Modi’s companies sought new loans without providing guarantees, the bank investigated their credit histories.
In the fourth largest loss, Societe Generale paid out $1.34 billion to US regulators to settle allegations of trade sanctions violations. The bank, the prosecution agreement says, carried out numerous trades, amounting to almost $13 billion, involving Cuba through financial institutions based in New York. SocGen was also found to have facilitated dollar payments involving Iran and other nations currently under US sanctions. The French lender had already provisioned $1.28 billion in anticipation of the fine.
In fifth spot, Wells Fargo was fined a total of $1 billion by two US federal agencies for breaches of mortgage application procedures and inappropriate auto loan insurance. The penalty was the latest in a series of fines for Wells Fargo over its retail products dating back to 2016.
In a case reminiscent of the UK’s long-standing PPI scandal, Wells Fargo has had to cancel almost a third of its collateral protection insurance (CPI) policies because they were found to duplicate insurance already in place. In this case, the bank was found to have wrongly issued CPI to borrowers with vehicle loans without checking if the vehicles were already covered. The firm was ordered to create an internal audit programme and pay back customers affected by its conduct.
The sixth largest op risk loss was the €775 million ($899 million) that ING paid Dutch authorities to settle claims it had violated regulations relating to anti-money laundering and terrorist financing. ING’s Dutch arm failed to prevent hundreds of millions of euros from being laundered in its accounts between 2010 and 2016, investigations found. Due to deficiencies in monitoring, the bank did not identify suspicious clients or illicit transactions.
Following the settlement, it was announced that ING’s chief financial officer, Koos Timmermans, who had been responsible for the firm’s operations in the Netherlands for several years, would resign and vacate his seat on the executive board.
In its second appearance in the top 10 op risk losses of 2018, Societe Generale was subject to a $750 million penalty for Libor manipulation. The bank acknowledged that senior executives had given orders that SocGen’s US dollar Libor submissions be falsely deflated between 2010 and 2011, allowing the bank to borrow money at a more favourable rate.
The eighth largest loss was US Bank’s $618 million settlement with US agencies for anti-money laundering (AML) violations. The super-regional was found to have an inadequate AML and Bank Secrecy Act compliance framework, as it limited the quantity of transactions that its systems would flag up as requiring review based on its staffing levels.
US Bank also failed to report suspicious activity by Scott Tucker, a former US racing driver and businessman. Tucker, who has been sentenced to 16 years in jail, ran an illegitimate payday loan scheme that exploited 4.5 million US borrowers, using business connections with Native American tribes to avoid state usury laws.
In ninth spot, Japanese cryptocurrency exchange Coincheck reported a loss of ¥58 billion ($532 million) as a result of a hack. The exchange lost XEM tokens after hackers acquired a cryptographic key for the exchange’s ‘hot wallet’, that is, a cryptocurrency account with an active internet connection. A cold wallet, a form of offline storage, is not vulnerable to web-based attacks. No other cryptocurrencies were affected by the hack.
The tenth largest op risk loss of 2018 was made by US insurer MetLife, which announced in February that it had provisioned $510 million to pay annuitants it had wrongly overlooked. MetLife had failed to make suitable efforts to locate nearly 13,500 customers before declaring them “unresponsive and missing” and releasing their funds from its reserves. It also faced a $1 million penalty for the failings.
ORX News also recorded $24.1 billion of legacy losses in 2018. Legacy losses are recorded in the year the first loss relating to the event was reported, so do not contribute to the 2018 total. This figure is considerably higher than the $14 billion of legacy losses added to the database in 2017, demonstrating that legacy events are still a major influence on operational risk losses.
As was the case the previous year, conduct risk was the chief culprit in the majority of legacy cases. The top three losses, made by Barclays, Wells Fargo and HSBC respectively, were all settlements related to claims that the firms had mis-sold or misrepresented mortgage-backed securities.
UK banks also incurred significant legacy losses last year, with three British firms taking positions four, five and six. Each loss stemmed from the mis-selling of PPI. Provisions and payments by Lloyds reached £19.23 billion last year, while Barclays’ overall figure climbed to £9.6 billion. Australian bank NAB provisioned £2.2 billion for PPI mis-selling by its subsidiary Clydesdale Bank.
Editing by Alex Krohn
Op risk data: JP fined $135m over depository receipts
By Risk staff | Opinion | 16 January 2019
Top five losses, plus review of Barclays whistleblower fine. Data by ORX News
In December’s largest loss, JP Morgan reached a $135.2 million settlement with the US Securities and Exchange Commission over allegations that the firm wrongly distributed pre-released American Depositary Receipts, or ADRs. These are equivalent shares of foreign companies that are traded in the US, with the original shares held by a custodian outside the US. Pre-released ADRs represent shares that have been issued but not yet delivered.
JP Morgan provided pre-released ADRs to brokers when neither the broker nor the customers had the corresponding foreign shares, in violation of deposit and pre-release agreements, according to the SEC. Consequently, JP Morgan facilitated short-selling and dividend arbitrage using ADRs that were not backed by corresponding shares.
The SEC has imposed eight fines for improper ADR pre-release practices since February 2017, so far costing firms a total of $364.5 million. Three of those fines have been large enough to feature in our monthly top loss roundups.
In the second loss, insolvency proceedings at Ukrainian lender Fortuna-Bank revealed fraudulent loans totalling $79.8 million. Two bank officials are reported to have issued insider loans through a bank shareholder, according to Ukraine’s banking resolution authority. Affected loans comprised around 98% of the bank’s overall lending portfolio. Additionally, over half of all loans issued by the bank were unsecured.
The resolution authority valued Fortuna-Bank’s assets at around $21.2 million, compared to $82.9 million reported by the bank when liquidation proceedings began in April 2017.
The third largest loss is from La Banque Postale, which was fined $56.9 million by France’s bank supervisor for failures in its anti-money laundering and counter-terrorist financing programme. The bank failed to detect and block transactions carried out by individuals subject to asset-freezing measures due to terrorist activities or violations of international law.
In fourth place, a second firm settled with the SEC over its alleged mishandling of pre-released ADRs. BNY Mellon agreed to pay $54.2 million for failing to ensure compliance with its pre-release agreements and consequently enabling abusive practice using ADRs that were not backed by corresponding shares.
Finally, Santander must pay $41.5 million in fines to the UK banking watchdog for failings in its probate and bereavement process. Santander opened probate and bereavement cases that then stalled and remained incomplete. As a result, the firm failed to transfer around $231.1 million to beneficiaries.
Spotlight: Barclays fined over Staley whistleblower interference
UK bank Barclays is facing a $15 million fine following a regulatory investigation into attempts by its chief executive to identify the author of two whistleblowing letters.
New York’s Department of Financial Services found that, in June and July 2016, Barclays chief Jes Staley personally directed the head of the firm’s security department to identify the author of two letters that flagged concerns over the appointment of a senior member of staff in the bank’s New York office.
In its December ruling, the NYDFS acknowledged that Barclays had a suitable set of whistleblowing policies and procedures in place, trained its staff annually on the subject of whistleblowing, and ran a competent, well-trained and adequately staffed unit dedicated to handling and investigating whistleblowing complaints.
However, in this case, several senior executives and board members failed to follow or apply the whistleblowing policies and procedures, and failed to ensure the independence of the whistleblowing function and the importance of fostering anonymity. These actions risked undermining and jeopardising the independence of the bank’s whistleblowing function, the NYDFS said.
In addition to the $15 million fine, Barclays must also submit plans to ensure compliance with best practice for its whistleblowing programmes, as well as a plan to improve board and senior management oversight of these functions. Finally, Barclays must submit a report containing further details of whistleblowing complaints since January 1, 2017.
The ruling follows a separate UK-led investigation into Staley’s actions by the Financial Conduct Authority, which culminated in a fine of £640,000 ($820,000) levied against Staley personally last May.
In Focus: Info sec risks cloud the Horizon
The ORX Operational Risk Horizon 2019 study has revealed its members’ leading risk concerns for 2019 and beyond. IT-related risks top the charts, showing that the digital agenda will continue to dominate the operational risk conversation in 2019. Perennial issues such as conduct and fraud remain key worries, joined by the likes of transaction processing and regulatory compliance risks.
Forty-eight ORX members took part in the study, comprising 11 insurers and 38 banks, including some of the largest in their sector. In late 2018 they submitted ranked lists of their top risks for the coming year and, looking further ahead, their emerging risk concerns. ORX aggregated these risks using its operational risk taxonomy to create its top and emerging risk ranking for 2019.
This is the second year ORX has conducted its Horizon study. Over the two years, several key risks have remained static. For example, information security and conduct remain the top two current risks, far outstripping the next closest risk: fraud. Conduct’s high ranking is driven by retail mis-selling concerns from European participants, whereas information security is a global worry. Digital disruption remains the top emerging risk, and we are seeing the risks evolve as technologies and marketplaces mature.
Among changes across the two periods, transaction processing has jumped up the rankings from seventh last year, potentially driven by some high-profile fat finger errors leading to increased regulatory scrutiny. In emerging risks, geopolitical tensions, including those around Brexit, US politics and international trade, continue to affect financial markets. This is reflected in this risk category rising one place to third this year.
Overall, this year’s study shows that industry concerns are dominated by digital. But it must not be forgotten that digitalisation affects every risk in this study; no single risk exists in a vacuum.
Editing by Alex Krohn
All information included in this report and held in ORX News comes from public sources only. It does not include any information from other services run by ORX and we have not confirmed any of the information shown with any member of ORX.
While ORX endeavours to provide accurate, complete and up-to-date information, ORX makes no representation as to the accuracy, reliability or completeness of this information.