SocGen provisions for sanctions violations; has the SMR prompted more bank CEO resignations? Data by ORX News
In the largest publicly declared operational risk loss from September, Societe Generale provisioned €1.1 billion ($1.28 billion) to cover penalties it expects to receive from the US authorities over sanctions violations. SocGen is being investigated for alleged breaches involving Iran, Cuba and Sudan in 2014.
The investigation involved the Department of Justice and the Treasury Department, as well as federal and New York state attorneys, the Federal Reserve and the New York Department of Financial Services. On September 3, SocGen said it had entered a more active phase of discussions with US authorities and expected to reach a resolution in September 2018 – although no resolution has yet been publicly reported.
In second place, ING paid €775 million to settle allegations it violated anti-money laundering regulations. This settlement is the second-largest AML loss recorded in the ORX News database, excluding sanctions losses. The Dutch public prosecutor found that ING had insufficiencies in its internal policies and had participated in culpable money laundering. Specifically, between 2010 and 2016, ING allegedly failed to prevent the laundering of hundreds of millions of euros due to shortcomings in its client due diligence policy.
According to the prosecutor, for a number of years ING lacked focus and awareness of its client due diligence obligations. It also said ING had prioritised commercial objectives over compliance, failed to implement long-term improvements, had dysfunctional and fragmented controls and a deficient escalation culture.
The third-largest loss was a settlement of $250 million paid by insurer State Farm to settle allegations it had rigged the election of an Illinois high court justice to overturn a $1 billion judgment against the firm.
State Farm was ordered to pay out $1.19 billion in 1999, after a class of customers claimed the insurer had replaced their crashed car parts with generic rather than branded parts. The amount was reduced on appeal to $1 billion, and in 2005 was thrown out completely after the election of Lloyd Karmeier to the court.
The class claimed that State Farm had paid $3.5 million to Karmeier’s election campaign because of his sympathy for tort reform. The class sought $1 billion in damages and $1.8 billion in interest, which could have been tripled under the Racketeer Influenced and Corrupt Organisations Act if successfully prosecuted. State Farm did not admit to any liability or wrongdoing as part of the $250 million settlement, which has a final approval hearing scheduled for December.
In the fourth-largest loss, Punjab National Bank has been allegedly defrauded of 5.39 billion rupees ($74.2 million) in loans by a telecommunications and power equipment manufacturer between 2013 and 2014. The alleged loss appears to be far from an isolated case: earlier this year, the Indian bank was the subject of intense media attention after it revealed a massive $2.23 billion letters of undertaking fraud by diamond businessman Nirav Modi in May. In September of last year, it was one of a number of banks caught up in the 50 billion rupee loan fraud allegedly perpetrated by Kingfisher Airlines founder Vijay Mallya – the seventh-largest publicly declared op risk loss of 2017.
Lastly, hackers stole $59.6 million worth of cryptocurrency from Japanese cryptocurrency exchange operator Tech Bureau in just two hours on September 14 after breaching a hot wallet – cryptocurrency storage that is connected to the internet. Tech Bureau plans to refund all affected customers.
Story spotlight: Voya Financial pays $1 million under SEC cyber rule
On September 26, fund manager Voya Financial agreed to pay $1 million to the Securities and Exchange Commission after hackers impersonated three Voya Financial independent contractors and gained access to the personal information of 5,600 customers. It was the regulator’s first enforcement of its 2013 identity theft red flags rule, which requires firms to have written procedures in place that could highlight attempted identity thefts.
According to the SEC, the hackers phoned Voya’s technical support line in April 2016 and pretended to be the independent contractors requesting a password reset. Despite informing staff not to provide usernames or password resets over the phone following the first attempt, the hackers successfully impersonated contractors twice more.
The hackers could then access customer information including addresses, dates of birth and last four digits of social security numbers. Voya neither admitted nor denied the SEC’s findings.
In focus: is the SMR behind bank CEO departures?
September saw a spate of high-profile resignations following major operational risk events. TSB’s Paul Pester, Danske Bank’s Thomas Borgen and ING’s CFO Koos Timmerman all stepped down in response to IT and anti-money laundering failures, respectively.
Those aren’t the only cases in 2018. Earlier this year, Australia had two high-profile resignations after Commonwealth Bank of Australia chief Ian Narev stepped down following the bank’s AML crisis and Craig Meller of fund manager AMP resigned in the wake of revelations from the Royal Commission into conduct in the financial industry.
On the face of it, it would be easy to conclude from this that banking executives are increasingly resigning after major operational risk events; ORX News examines the data to determine if this is really the case.
There has certainly been a shift in the conversation around accountability. The UK Financial Conduct Authority’s Senior Managers Regime, introduced in 2016, formalised the concept that although a senior manager may delegate tasks, they cannot delegate the responsibility for the outcome. Since then, Australia, Hong Kong and Singapore have adopted or started to adopt similar schemes. The Irish central bank has called for more accountability for senior managers, and in the US the Department of Justice has increased its focus on pursuing executives, while the Federal Reserve is updating its risk rating scheme for banks.
All of this comes in the context of increased regulatory scrutiny of conduct issues, a growing focus on culture, and continued public distrust of banks – much of it a legacy of the financial crisis that sees the public still questioning how bankers “got away with it”.
On examining the data, however, there is no clear trend of increasing resignations.
The first thing to clarify is that it is rare for a CEO to step down as a result of breaches that happened outside of their tenure, even though they may often have been in senior positions during this time. Of those chief executives who departed this year, all had held their role for at least two years of the period where wrongdoing was happening. In fact, that trend holds true for all departures in the last six years.
With those taken out of the equation, the picture is mixed. For example, Barclays’ Bob Diamond resigned over Libor allegations in 2012, and so did Rabobank’s Piet Moerland in 2013. But other CEOs have not.
This raises the question: should a CEO resign if a major event happens under their watch? Each individual case will be unique. Ultimately, is it up to a bank’s board whether a CEO stays or goes. If their competency and ability to run the firm outweigh any financial or reputational damage, there may be no clear business reason to resign. But if investor, media or regulator reactions are sufficiently negative there may be no choice.
One part of the SMR and similar schemes is that accountability does not just rest with a bank’s head employee. A shift in the culture of accountability should devolve personal responsibility through the ranks of senior and middle managers, preventing situations that create the need for a high-profile resignation.