Estimation of losses due to cyber risk for financial institutions

By Antoine Bouveret | Technical paper | 21 May 2019

Banks grapple with social media risk

By Costas Mourselas | News | 16 May 2019

In shadow of Metro Bank WhatsApp episode, panellists warn banks need to deftly handle social media blow-ups

Just last weekend, Metro Bank was besieged by depositors lining up at its branches to pull out cash and empty safety deposit boxes. Why? A WhatsApp message had claimed the bank was “facing a lot of financial difficulties and may be shut down”. The unsubstantiated message took off like a shot through social media.

Metro Bank responded via Twitter, categorically denying the allegations and trying to reassure its depositors by pointing to its latest financial statement, which showed profits and revenues down, but the bank clearly in the black.

But the damage had been done.

“I think social media [is] already creating an alternative reality, in which the propagation of fake news, because of interconnectedness, has a huge impact,” said Cosimo Pacciani, chief risk officer of the European Stability Mechanism, at the OpRisk Europe conference in London on Wednesday.

The Metro Bank episode is a case in point, said Pacciani, who previously served as head of commercial credit risk at RBS. “It started up on WhatsApp, and it started propagating,” he said, speaking on a panel discussion of emerging risks. “It had a huge, huge impact on the share price of the bank. It can trigger a crisis.”

Metro Bank’s share price fell by as much as 8.2% to a low of £4.89 ($6.26) in early Monday (May 13) trading, before recovering.

A poll of attendees at the panel discussion found 70% believed bad crisis management on social media could actually imperil a bank. In’s top 10 operational risks survey this year, multiple respondents mentioned the reputational damage a company could suffer if it did not make its case effectively on social media in the aftermath of an IT disruption or other event.

Reputational risk is a notoriously difficult area to quantify – yet large banks and insurers are putting time and energy into preventing it, given the compounding effect it can have on any setback or misstep, such as a loss or cyber breach.

Research has also shown that bad news at one bank can spill over to its peers: consumers can assume that, if one bank loses money or is charged with malfeasance, its peers might be, too. 

The UK chief risk officer of a global bank said social media was a “double-edged sword” for risk managers.

“Without question, it can generate risk for your organisation. But I also think it can be a fantastic tool in helping you manage risk,” she said. Used right, it can give a bank a huge edge.

“Things go wrong in all organisations – it’s inevitable. You cannot control [risk] to zero, even with infinite pockets of money,” she added. “But social media can sometimes allow you to take a negative and turn it into a positive.”

A spokesperson for Metro Bank, one of the better-capitalised lenders in the UK and Europe, confirmed there were “increased queries” on withdrawals in some of its branches over the weekend. 

However, customers should have no concerns with regard to its financial position, the spokesperson reiterated to on Wednesday: “There is no truth to these rumours, and we want to reassure our customers that there is no reason to be concerned.”

After markets had closed today (May 16), Metro Bank formally announced plans to raise £350 million in capital through the issuance of new ordinary shares, priced at £5 per share. It is expected to publish a prospectus on May 17, and admit the placing shares on June 5.

It’s been a difficult year for the bank. The WhatsApp sideswipe follows an accounting scandal in January, in which incorrect risk weights were applied to two sizeable loan portfolios, so the bank’s capital ratios were not as high as they should have been.

Metro Bank first said it had discovered the incorrect risk weights itself, but it later became clear that the Bank of England had detected them. Former regulators and legal experts told the poor management of the episode only deepened concerns around the bank’s risk management practices.

The bank stock’s is down more than 70% since reaching a January 22 high of £22 a share.

WhatsApp itself has made some attempts to curb the spread of fake news. In January, it limited the number of times a message may be forwarded. It set up a tip line to monitor the spread of fake news ahead of India’s national election.

Editing by Joan O’Neill and Tom Osborn

FCA may delay enforcement of UK’s expanded conduct regime

By James Ryder | News | 15 May 2019

Smaller firms won’t be penalised right away, says head of regulatory decisions committee

Firms that become subject to the UK Financial Conduct Authority’s (FCA) Senior Managers and Certification Regime after its December 2019 expansion are unlikely to face immediate enforcement actions while they get their houses in order, the head of the watchdog’s regulatory decisions committee said today (May 15).

The SM&CR requires firms to clearly define responsibility for 17 key functions across the institution, such as the roles of chief risk officer and head of anti-money laundering controls. It also includes basic requirements for institutions to act with integrity at all times and treat customers fairly. The regime came into force for larger banks and prudentially regulated firms in 2016.

Speaking at’s OpRisk Europe conference, Tim Parkes suggested the forthcoming expansion of the SM&CR to all FCA-regulated firms – some 58,000 – would not result in the immediate penalisation of individuals or firms if they fail to comply with the rules to the letter from day one.

“There will be a little bit of scope, I think, as the rules come in, for ‘speed of adoption’, if you like,” said Parkes. But he added that firms would be on a strict timer and should not expect a long phase of clemency, pointing out there “are some pretty hard-wired dates in there in relation to when you’ve got to get staff certified”.

The expansion of the SM&CR will spell increased personal accountability at nearly every level of a given organisation – “pretty well everybody unless you’re making the tea”, as Parkes put it.

The roles falling under the updated regime will include senior managers, certified staff and non-ancillary staff. The augmentation of the SM&CR can be seen, Parkes suggested, as a response to the ever-growing complexity of banks and the potential for blame-shifting when firms misbehave or make damaging mistakes.

A key goal, he explained, is to ensure that all employees are certain of their areas of responsibility.

“People said [of personal accountability] after the crisis, ‘Can I really be expected to know?’” Parkes said. “[We have] responsibility maps that are designed to pin individuals down. The FCA will pay attention to matrix management. In the big institutions, more than one person will have responsibility.”

He referred to a recent survey conducted by Thomson Reuters which showed that, among employees in UK financial services, there was “a distinct increase in the feeling of exposure to personal liability that practitioners were expressing”.

“I’m not surprised. That’s exactly what the Senior Managers Regime is designed to encourage,” Parkes said. 

Banks have protested that increased personal accountability has made recruitment for senior management positions challenging. Firms have also expressed fears over rising costs, arguing the expanded regime will force them to revamp HR assessments and background checks for employees.

Parkes advised smaller firms to work together to lower compliance costs. “It’s tougher for smaller firms – [they should] use trade organisations to help [them],” he said.

Efforts to improve communication and understanding among firms would, Parkes said, help to ease regulatory pressure on the market.

“At the compliance level, there ought to be much more sharing of experience and information,” he said. “If somebody gets ‘done’ by the FCA, it’s a public matter; there’s embarrassment. I encourage institutions to talk about these things and learn from each other. Otherwise you’re trying to learn from the FCA.”

Editing by Tom Osborn

It’s a dangerous world: stress-test your managers

By Alexander Campbell | News | 15 May 2019

Ex-British Army chief tells banks: “You need to see how your peers react when the pressure is on”

To prepare for disaster, companies should stress-test management teams, as well as their operations and exposures, delegates at the OpRisk Europe conference in London were told on Wednesday (May 15).

Peter Wall, former chief of the general staff of the British Army and today a leadership consultant, said cohesive management teams are vital to resilient operations.

“You need taut teams who know by default what to do and can make good collective decisions – because they understand and respect each other,” he said. “Military command teams exercise together regularly.

“I’m not sure how many commercial management teams stress-test, but I would advocate it – you need to see how your peers react when the pressure is on.”

Familiarity with behaviour under stress is more important than even the nature of the scenario, Wall added: “You are better off checking your resilience culture before [a crisis] if possible – that’s why I advocate stress-testing. The Bank of England (BoE) stress-tests the network and individual institutions, but can you put your people in stress scenarios?

“It’s very difficult to create the real thing, unless you hold people over hot coals, but you can put people under some sort of pressure on a completely different sort of problem and see how they cope.”

Ability to handle risk is distinct from resilience – the first is “more tactical”, the second institutional, said Wall. But pushing responsibility as far down the ladder as possible is key to developing both: adopting a mission-command approach, in which junior managers are given “a clear idea of what you want them to do, and the bounds they are operating in”, ensures that risk decisions are taken where the best information is available. It also means that, in times of crisis, junior managers “will have the experience of taking decisions rather than just following the orders they get from their superiors”, he continued.

Regulators conduct regular stress tests of large financial firms to see how they would perform in a severe recession. Besides the regulatory stress-testing that banks do once a year, some bank chiefs are advocating it as an ongoing exercise throughout the year.

More recently, operational resiliency has become a buzzword in regulatory circles. The BoE published a discussion paper on the topic last year, and the Basel Committee on Banking Supervision has also formed an operational resilience working group to co-ordinate regulatory policy on the subject among Group of 20 member states.

Human beings, however, are not stress-tested. Yet.

Wall echoed comments from the BoE’s director of supervisory risk specialists, Nick Strange, at the conference on Tuesday. “Plan on the basis that disruption will occur, and test your ability to stay within [your] tolerances through severe, but plausible, scenarios,” Strange told delegates.

The financial world seems to be “trying to come up with a response to everything that could possibly go wrong, rather than building a psyche that says it will happen and this is how we will deal with it and work without that hampering our ability to do our job”, said Wall.

The key was to emulate military resilience in getting the basics right – response to a crisis is much easier by relying on a standard operating procedure, he said, although he quickly added that adversaries might soon learn and exploit those procedures. But, he noted, “in the heat of the moment, standard operating procedures mean that the command element knows what to do.” He also warned delegates against reacting too rapidly to initial reports of a crisis.

Wall retired from the army in 2015 after serving in Rhodesia – now Zimbabwe – the Balkans, Iraq and Afghanistan. He is co-founder of Amicus, a consultancy specialised in “imparting military and commercial leadership expertise”. He is also president of Combat Stress, a veterans’ mental health charity. 

Royal Commission refunds weigh on Aussie banks

By Louie Woodall | Data | 14 May 2019

Australian banks continue to count the cost of misconduct, illuminated by the Royal Commission inquiry report, published in February.

The Big Four banks collectively subtracted A$1.7 billion ($1.2 billion) pre-tax from their first-half earnings (September 2018 to March 2019), up from A$1.3 billion in the second half of last year. 

Westpac took A$896 million of provisions in H1, the majority of which were used to refund customers bilked by the group’s financial planners and mis-sold certain loans.

National Australia Bank posted a A$464 million hit, much of which was used to compensate customers mis-sold credit insurance and overcharged for financial-planning services.   

The Commonwealth Bank of Australia (CBA) deducted A$221 million from its earnings, including amounts used to bolster its financial crimes compliance unit and its ‘Better Risk Outcomes’ programme, intended to change the bank’s culture to prevent a repeat of the scandals that came to light through the Royal Commission.

ANZ reported a A$100 million dent to its income because of remediation costs to customers given bad financial advice by the company’s employees. Legal costs connected to responding to the Royal Commission hit A$13 million for H1, down from A$39 million in the previous half. 

What is it?

The Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry was established in December 2017, to probe the profit-making activities of financial institutions that inflicted substantial losses to customers. The final report was submitted on February 1.

Why it matters

The fallout from the Royal Commission extends far beyond the doling out of refunds to wronged customers. The Big Four are also spending on internal reviews and restructuring efforts designed to shake up company culture and overhaul operational risk management processes. These could elevate operating expenses over the coming quarters, although the banks would hope their investments will result in lower fines and remediation charges in future. 

Then there are the regulatory capital effects. Operational risk-weighted assets ballooned 19% in 2018, with CBA having to swallow a A$1 billion add-on applied by the Australian watchdog as punishment for management failings. 

Similar to the effect of fines imposed on large UK banks post-crisis, Aussie banks could find their financial performance shackled by the sins of the past for years to come.

Get in touch

Risk Quantum has launched a daily newsletter. Sign up to receive the latest data insights.

Do you expect remediation costs to rise or fall now that the Royal Commission has shut up shop? Help us to understand by emailing, sending a tweet to @LouieWoodall or messaging on LinkedIn.

You can keep up with the Risk Quantum team by following @RiskQuantum.

Tell me more

Commonwealth Bank hit by A$1bn op risk add-on

Aussie banks: a right Royal mess

Op risk past is prologue for UK banks

View all bank stories

Want to catch misbehaviour? Watch the electronic chat

By Alexander Campbell | News | 14 May 2019

“It’s amazing how many people have arguments on chat” – BNP surveillance executive

The monitoring of internal electronic messages has become among the most potent tools of first-line risk managers, a BNP Paribas executive has told

“It is amazing how many people have arguments on chat – between sales and trading over who is responsible for a loss, for example, if they have to report it, say, within 24 hours,” said Andrew Brodie, global head of front office conduct surveillance at BNP Paribas, listing some eavesdropped chats at the OpRisk Europe conference in London on Tuesday. “We can just look at the chat and flag it to operational risk.”

Frank, unguarded conversations on various forms of instant messaging have been critical to many recent enforcement cases – most prominently, the self-described ‘Cartel’ of foreign exchange traders prosecuted by the US Department of Justice for their alleged involvement in a scheme to time forex trades so their banks could profit at the expense of clients. The three traders were subsequently acquitted.

The behaviour is nothing new. During the global financial crisis, the credit rating agencies were heavily criticised for their business ties to the very issuers of securities they were rating. In 2007, a Standard & Poor’s employee was caught instant-messaging about the agency’s standards for rating structured products: “We rate everything. It could be structured by cows and we would rate it.”

But internal chat surveillance can also catch conduct risk issues before they hurtle from embarrassing to catastrophic.

“There are some people who are always on the edge of their risk limits – they will go over and ask for an extension to the limit, and then a month later they will still be over the limit as the extension is running out, and they’ll say their boss is travelling that week, so can we wing it for a bit longer?” said Brodie.

“We would say that is breaking every rule in the book – that is why we have risk limits! So we find a lot of use in that forum, and my team spends a lot of time there.”

Brodie spoke during a discussion on the three lines of defence model of operational risk management. Having a dedicated head of internal chat and communications monitoring has become a first-line controls role at many large banks. Brodie and others also emphasised the importance of pushing risk responsibility on to front-office business heads.

“A good thing is to put business heads responsible for all the risks in their business,” said Paul Neale, Mizuho International’s head of operational risk. “That’s who the regulators will come after, anyway, even if the failure is actually in a support function like IT.”

The lines of responsibility can be blurry. “The business heads will say they are not experts, it’s not their job – so they will employ people to do that for them,” he added. “You can have a difficult conversation about who is responsible for controls, whether it’s the business head or whether it gets pushed aside.”

William Martyn, global head of risk steward oversight at HSBC, said the parsing of responsibility on things such as internal chat showed that the three-line model can be complicated in practice.

“It’s not easy to implement in a meaningful way,” he said. “At HSBC, we have three key roles in the first line: the risk owner; the control owner, who operates the controls and is often in a function like IT or operations; and the chief control officer. And in the second line, we have the risk stewards, who are the specialists, who set policy and risk appetite and oversee them, and the operational risk function, which sets framework and policy.

“The second line needs to be very slim. You need to keep an eye on the value proposition, on setting the appetite. You can’t just sit there and occasionally speak up – you need to give an opinion, write it down, and get it into formal governance. You need to show that the second line has teeth.”

BoE to scrutinise banks’ op risk tolerance limits

By James Ryder | News | 14 May 2019

Watchdog says banks must prove they can stick to tolerance limits; cyber stress test planned

The Bank of England will publish a consultation paper later this year, asking banks to prove their tolerance limits for operational risk are realistic and can be adhered to consistently, said its director of supervisory risk specialists today (May 14).

Speaking at’s annual OpRisk Europe conference in London, director Nick Strange said the BoE’s operational resilience supervision was due for an upgrade and its revised approach would focus on two key planks: impact tolerance and business continuity.

The BoE defines impact tolerance as a firm’s capacity to withstand operational disruption. This could include the maximum number of customers the firm can tolerate being affected or the maximum period for which it can operate without business services running properly.

“Plan on the basis that disruption will occur and test your ability to stay within [your] tolerances through severe, but plausible, scenarios,” Strange said. 

The regulator will not, he warned, be satisfied with simple tolerance identification; firms must prove beyond doubt that they can meet the tolerances defined.

Strange went on to point out the impact tolerance approach assumes disruption is inevitable and that a given firm’s tolerance to disruption remains consistent, whatever the nature of the shock. What this “cause agnosticism” means is that firms should concentrate on the ability of the board and senior management to minimise the impact of disruptive events, and to recover from them, rather than focusing solely on preventing them altogether.

The second element of the BoE’s updated focus, business continuity, will emphasise substitutability, Strange said: “So long as you can continue to provide a service, we are agnostic as to how you do this.”

Try to work out what the important services are and how you focus on keeping those going – this is one of the important messages to come out of the discussion paper

Nick Strange, Bank of England

If a firm experiences a systems outage, for example, the central bank would encourage a swift move to an alternative or temporary system during the repair phase, rather than sustained disruption to customers. “If you can switch to another system to provide your service, you can take more time to ensure the firm system recovers fully,” he noted.

Strange did not disclose the planned date of the new consultation, although market participants speaking on the sidelines of the conference said they expected it to appear in the third quarter of this year.

The consultation will build directly on a discussion paper on the concept of operational risk tolerance limits, which was given a trailer at the 2018 OpRisk Europe conference and published a few weeks later.

“Try to work out what the important services are and how you focus on keeping those going – this is one of the important messages to come out of the discussion paper,” he said.

However, executives must also consider how important their services are for customers and the wider economy, even if some of those services are not such a major focus for the bank itself.

“If you’re one of two or three players providing a service, it may not be particularly important to you, but were it to disappear, there would be wider repercussions,” said Strange.

Cyber risk co-operation

Strange also announced the BoE plans to pilot a new cyber stress test later this year, and will “test the test” with a “small number” of firms.

The development of a cyber stress-testing programme could prove problematic for firms that struggle with cyber risk modelling, although new research into the area could ease the burden.

Strange urged firms to consider pooling resources and sharing information to benefit systemic safety. “In short, to what extent can [firms] develop non-competitive solutions to a shared threat?” he asked, and went on to suggest the BoE’s plans could compel such teamwork.

“A possible outcome of the cyber stress-testing we are piloting may be that, on their own, firms cannot meet the proposed tolerance for [a] payments systems outage. By working together, solutions can be initiated within the sector itself,” he said.

Co-operation between banks would naturally be encouraged by greater co-ordination between regulators – something banks have consistently supported. Strange stressed the important role of international regulatory co-operation in matters of operational resilience and cyber risk management. The BoE has been noted as a thought leader on operational resilience as a cohesive policy area.

Mindset change

At a recent Washington conference, Strange said the BoE’s 2018 discussion paper became “the focus of discussions” and he felt there was a “mindset change” among Basel Committee members on the importance of operational resilience.

He welcomed the Basel Committee’s recently established Operational Resilience Group (ORG) and praised its report on cyber resilience, released in December 2018. He added that initiatives such as the G7 Cyber Expert Group, as well as the BoE’s own leadership with widely adopted measures, including the CBEST threat-led penetration test, are a step in the right direction.

One of the architects of the BoE’s CBEST framework, Cameron ‘Buck’ Rogers, has been poached by HSBC to serve as its inaugural head of resilience risk.

Asked whether every bank should have a head of operational resilience, Strange said such a role would “certainly [be] useful” for firms looking to establish an organisation-wide focus on resilience as a risk management discipline in its own right.

HSBC hires BoE’s cyber risk chief

By Tom Osborn | News | 13 May 2019

Watchdog’s CISO will serve as UK bank’s first head of resilience risk

HSBC has hired the chief information security officer (CISO) of its primary regulator, the Bank of England, as its first head of resilience risk – a policy area the UK watchdog has made a priority following a string of high-profile service outages among high street banks over the past 18 months.

Cameron ‘Buck’ Rogers is set to join the bank on June 3, according to two people familiar with the matter. In a sign of the critical importance with which the role is viewed within the bank, Rogers will report directly to chief risk officer Marc Moses, and will also join HSBC’s group management board. The BoE has confirmed Rogers’ departure. HSBC did not provide a comment when contacted.

Rogers will be responsible for overseeing HSBC’s resilience risk subfunction, a second-line risk oversight function that the bank is understood to have formed recently to reflect the growing importance of operational resilience as a regulatory policy priority.

A year ago, the BoE launched a discussion paper to assess options for banks to deal with an uptick in resilience failures among UK lenders, including service outages and near misses, such as TSB Bank’s botched IT migration last May that left retail customers without online banking services for more than a week.

The watchdog is understood to be mulling how best to address the findings in the form of active policy changes, but one prominent idea is to force banks to maintain a minimum level of service provision during a “severe but plausible” operational disruption.

The Basel Committee on Banking Supervision has also formed an operational resilience working group, with a view to co-ordinating regulatory policy on the subject among Group of 20 member states.

Rogers took over as CISO at the BoE in May 2016, after serving as deputy CISO. His responsibilities included drawing up information security policy, as well as acting on threat intelligence and investigations.

Rogers’s CV boasts a previous short stint at HSBC as head of intelligence, as well as more than a decade spent working for the UK’s Ministry of Defence, which came after a 15-year career in the Royal Navy, a biography provided by industry charity The Cyber Trust shows.

After joining the BoE in 2013, Rogers was heavily involved in the development of the controlled, bespoke, intelligence-led cyber security tests, or CBEST framework on cyber risk penetration testing. Launched in 2014, CBEST is widely viewed as the gold standard for banks and insurers looking to test their cyber defences against realistic threat simulations, based on credible intelligence.

In 2017, Rogers was named a fellow of the Council for Registered Ethical Security Testers for his contribution to information security, a tweet from the BoE reveals. So-called ethical hackers are known in industry slang as ‘white hats’, to differentiate them from malicious ‘black hat’ or ‘red hat’ hackers, intent on theft or damage against firms or individuals.

The BoE declined to comment on who would replace Rogers. However, the LinkedIn profile for Philip Warren, who served as deputy CISO during Rogers’ tenure, shows that Warren appears to have taken on the responsibilities of chief security officer and CISO, although whether this is on a permanent basis or not is unclear.

As legal losses recede, Morgan Stanley's op risk falls

By Abdool Fawzee Bhollah | Data | 10 May 2019

Morgan Stanley’s operational risk-weighted assets fell by 7.4% in the first quarter of 2019, while those of most other big US banks edged upwards.

The New York-based dealer cut op RWAs by $8.2 billion to $102.4 billion in the three months to end-March. They are down 9% year-on-year. 

BNY Mellon was the only other bank to lower op RWAs over the period, by $987 million (1.5%) to $67.3 billion.

In contrast, op RWAs rose quarter-on-quarter by 0.1% to $388.8 billion at JP Morgan; 0.2% to $309.6 billion at Citi; 1.6% to $116.7 billion at Goldman Sachs; 1.7% to $333.8 billion at Wells Fargo; and 2.5% to $47.2 billion at State Street.

BofA Securities op RWAs remain static at $500 billion.

What is it?

US banks use the advanced measurement approach (AMA) to quantify their op RWAs and associated capital charges. 

This approach uses the frequency and severity of past op risk losses to determine how much capital should be put aside to absorb potential future losses. 

Each bank’s exposure is modelled using scenarios incorporating several different types of operational failure, as well as internal and external actual loss experience.

Why it matters

Morgan Stanley stated that the fall in op RWAs reflects how the big legal fines and litigation costs it incurred post-crisis are receding into the past, meaning they have less influence on the outputs of its AMA model.

While this does reduce the bank's op risk charge, Morgan Stanley's binding risk-based capital requirement is not the advanced approach, but the standardised approach. This is because the bank is already below the so-called Collins floor, meaning its credit and market RWAs under the standardised approach are greater than its credit, market and op RWAs under the advanced approach. Under the Collins amendment, banks have to use the method that produces the highest amount of RWAs to set their capital requirements.

As long as the bank is below the floor, op RWA decreases won’t actually lead to any capital savings. It's just another example of how the Collins amendment skews incentives. After all, why would a bank bother to carefully assess and model its operational risks when this has no bearing on its capital requirements?

Get in touch

Risk Quantum has launched a daily newsletter. Sign up to receive the latest data insights.

Let us know your thoughts on our latest analysis. You can drop us a line at, or send a tweet to @RiskQuantum.

Tell me more

Op RWAs surge at Wells Fargo, dwindle at other G-Sibs

Has op risk capital peaked for US banks?

Five US banks below Collins floor

View all bank stories

Op risk data: Chinese regulators levy record fines

By ORX News | News | 7 May 2019

Also: top losses feature two frauds at Russia banks and AML provisions at Nordea. Data by ORX News

A Russian bank is responsible for April’s largest publicly reported operational risk loss. Suspected fraud at Yugra Bank has resulted in the arrest of majority shareholder, Alexey Khotin, according to the Investigative Committee of Russia. Authorities are probing the embezzlement of 7.5 billion roubles ($117 million).

Yugra Bank was declared bankrupt in September 2018 after its licence was revoked by the Central Bank of Russia the previous year. Yugra Bank’s collapse was one of the most expensive in Russia’s history at the time, with payouts to depositors totalling 173 billion roubles ($2.7 billion) under the country’s deposit insurance scheme.

In second place, Nordea provisioned €95 million ($106.1 million) in its first-quarter results for an expected fine in Denmark relating to historical failures in the bank’s anti-money laundering (AML) processes and procedures. In June 2015, the Danish Financial Supervisory Authority began investigating Nordea’s compliance with AML regulations. The case was subsequently handed over to the country’s official prosecutor for further investigation. This follows recent revelations of possible AML violations at a number of European banks, particularly those based in Scandinavia.

Nordea claims to have invested €700 million between 2016 and 2018 in strengthening its risk and compliance activities in its first and second lines of defence.

Wells Fargo experienced April’s third largest loss. The owner of a US farming company defrauded the bank of $68 million by obtaining a loan based on false information and documents. Michael Stamp misrepresented the amount of land he farmed and the value of his assets. In 2012, Stamp’s company filed for Chapter 11 bankruptcy protection, with subsequent investigations unearthing the fraud. Three other individuals pleaded guilty to involvement in the case, including Stamp’s wife, according to local reports.

The fourth largest loss is another embezzlement at a Russian bank. The acting chairman of Bank Eurocommerce stole 3.3 billion roubles ($51.5 million) by fraudulently selling federal loan bonds and funds belonging to the firm, according to the general prosecutor’s office in Russia. The chairman did this after learning that the bank’s licence would be revoked in October 2015. The individual was charged with two counts of misappropriation or embezzlement in April, and investigations are ongoing.

Finally, a commercial loan fraud scheme involving three bank employees cost a state-owned bank in Bangladesh, Agrani Bank, 2.6 billion takas ($30.4 million). Marrine Vegetable Oils, a subsidiary of industrial company Nurjahan Group, obtained a loan from Agrani for the import of palm oil. The company then submitted forged import documents to release the goods from the port and laundered the resulting profits. Bangladesh’s Anti-Corruption Commission is investigating the fraud, according to local reports.

Spotlight: Zurich’s tax evasion fine

Two Zurich Insurance subsidiaries, based in Switzerland and the Isle of Man, have agreed to pay $5.1 million to the United States over insurance policies and accounts used by US customers to evade tax.

US taxpayers used the policies and accounts issued by Zurich to conceal undeclared assets from the Internal Revenue Service and subsequently evade taxes and reporting requirements. Some of these products were unit-linked insurance policies which allowed customers to access potentially higher returns, while for other products the base death benefit was nearly equivalent to the cost of the policy.

Zurich issued 420 of the policies between January 2008 and June 2014, with an aggregate value of $102 million. Some customers fully funded their policies using transfers from offshore bank accounts.

According to the US Department of Justice, Zurich failed to ensure that policyholders complied with tax laws. The company also “knew or should have known” that it was helping taxpayers to conceal assets, the DoJ stated.

Zurich self-disclosed to the DoJ in July 2015 following a global review of its US offshore life insurance, savings and pension businesses. This review followed the introduction of the DoJ’s Swiss Bank Program in 2013.

In addition to the $5.1 million penalty, Zurich is required to implement controls to guard against misconduct involving undeclared US accounts as part of a non-prosecution agreement.

In Focus: China gets tough on financial supervision

China’s financial regulators issued fines totalling $616.5 million in 2018, a near doubling of penalties compared to the previous year. The figure includes publicly reported fines over $1 million.

The China Banking and Insurance Regulatory Commission said that regulators in the country levied a record 3,800 penalties in 2018. The CBIRC was officially launched in April 2018 as a result of merging China’s banking and insurance watchdogs. The merger aimed to consolidate and strengthen financial supervision in the country, and follows previous emphasis placed by Xi Jinping, general secretary of the Communist Party, on controlling risks associated with China’s financial industry. It also gave more authority to the country’s central bank, which is now responsible for drafting key regulations and prudential oversight in banking and insurance.

Additionally, Caixin Global reported that the China Securities Regulatory Commission imposed a record 310 penalties last year totalling $1.54 billion. This included 87 actions on insider trading; the figure is not limited to publicly reported fines over $1 million.

The fines exceed the previous record set in 2017, which may indicate a shift to a more aggressive regulatory approach and heightened focus on disclosure and trading violations. According to ORX News data, instances of fines over $1 million stood at $337.1 million in 2017.

Tough regulatory action in China looks set to continue. In April 2019, the CSRC fined Goldman Sachs and its subsidiary Gao Hua Securities 150 million yuan ($22.3 million) for internal control breaches related to proprietary trading of shares and stock index futures.

Although this is a huge increase for China, it perhaps signals that the country’s regulators are making efforts to align with their foreign counterparts. For example, the frequency and severity of large fines issued in Hong Kong, which has a separate financial regulator, has averaged six and $56.1 million respectively since 2009, though there have been significant variations year-on-year.

The frequency and severity of penalties in the wider Asia-Pacific region has averaged 22 and $802.7 million respectively.

Editing by Alex Krohn

All information included in this report and held in ORX News comes from public sources only. It does not include any information from other services run by ORX and we have not confirmed any of the information shown with any member of ORX.

While ORX endeavours to provide accurate, complete and up-to-date information, ORX makes no representation as to the accuracy, reliability or completeness of this information.