Barclays’ cyber chief: try to break your own IT defences

By Alexander Campbell | News | 26 April 2018

Banks “must go beyond vulnerability assessments”, conference hears

Vulnerability assessments are good as far as they go, but banks need to go beyond them to use ethical hacking, penetration testing and red-team physical testing, delegates at the OpRisk Asia conference in Singapore heard yesterday (April 25). Theo Nassiokas, Barclays’ director of cyber security for the Asia-Pacific region, warned vulnerability assessments could only be part of a proper cyber risk assessment.

“Ethical hacking – we go way beyond that,” he said. “We don’t just do vulnerability assessment and pen testing, we also have red teams. And the red teams won’t just hack our systems, they will perform unauthorised physical intrusion on buildings that are secure and then hack them. No-one knows what they will be targeting next except maybe a couple of people in the organisation – it’s kept very secret, and the reports go to senior stakeholders so they can see the real state – so that we know what our weaknesses are.”

Vulnerability assessments alone, he added, were limited to checking known weaknesses had been addressed. “When you do a vulnerability assessment, you can only check the vulnerabilities that have been reported – that’s the problem. Yes, we have it, yes, it’s very effective, but as with all industries it’s only effective against things we know about.”

The risk associated with unknown vulnerabilities is very real, he added. Once a vulnerability is reported to a software manufacturer, it won’t be publicly revealed until a patch is available – this is a common-sense measure to minimise the risk of an exploit, but it still means weeks or months can elapse before a company becomes aware of its exposure. Furthermore, a criminal or state-sponsored attacker is likely to hoard weaknesses he discovers rather than report them.

Barclays is not the only bank adopting a more active approach to cyber defence, with pen testing and ethical hacking widely used; Maybank recently revealed it uses ethical hackers to test its defences through red-teaming, and also to gain intelligence about developing threats through watching chatter on the dark web.

Insurance

Nassiokas also called on financial institutions to take a closer look at their cyber risk insurance and scenario analysis. “Cyber insurance is really a bunch of products, some of which have existed for a long time – it’s things like insuring against extortion… and fraud,” he noted. “They’re insuring against an outcome from a cyber attack. Some companies have very cleverly packaged that and called it cyber insurance, because cyber is sexy and scary and people are more likely to buy it.” As cyber risk became better understood, he said, cyber insurance would become more commoditised, in line with insurance covering other areas of risk.

He also described the four-stage process of scenario development and analysis Barclays uses as part of its cyber risk management. “Scenario analysis, when done properly, is a great way to understand the real concept of a cyber attack,” he said. “The way I have done it is to first have a workshop of technical specialists who understand what is truly possible in our specific network in our specific company – the infrastructure guys, the firewall guys, the application specialists who can define what is technically possible. Make sure you document that accurately. Workshop two is the operations people, the ones who operate the manual controls when the automatic systems fail – you have to know how long you will survive if those systems fail. And number three is the business piece… you can talk to them and say here’s what we know, here’s the size of the trades and frequency of trades… and your risk folks can bring that together and produce something that is at least defensible. It’s not perfect, but it is at least a defensible approach to quantifying something most people really don’t understand properly.”

Credit Suisse sheds $11bn in op risk RWAs

By Alessandro Aimone | Data | 25 April 2018

A deal struck with the Swiss financial regulator, Finma, helped Credit Suisse cut the risk-weighted assets of its strategic resolution unit by almost a third in the first quarter.

The SRU’s total RWAs fell from $34.4 billion to $23.3 billion, or 32%, in the first three months of the year. The reduction was driven largely by a shake-up in operational RWAs authorised by Finma.

The regulator allowed the bank to write off Sfr2.5 billion ($2.6 billion) of operational RWAs, most of which were held against its now-sold US private banking business. It also signed off on a change of methodology for allocating operational RWAs, which saw Sfr8.9 billion exit the SRU to be reassigned across other divisions.

The SRU’s leverage exposure also dropped 45%, from $83 billion to $45 billion, in the first quarter. The bank credited the reduction to lower liquidity requirements, the effects of a series of derivatives compression runs, and asset sales.

Since the first quarter of 2015 – when the unit was established – Credit Suisse has reduced the SRU’s leverage exposure by $174 billion, or 79%.

What is it?

As previously reported, Credit Suisse and Finma entered talks to review the appropriateness of the level of RWAs relating to op risk in the SRU last year. The regulator accepted the bank’s argument that progress of the SRU in exiting toxic businesses over the last two years meant it should have been allowed to cut the value of op risk RWAs held against the unit.

The SRU contains restructured onshore businesses in Western Europe and the US, legacy cross-border and small markets businesses, legacy asset management businesses and discontinued operations, legacy investment banking portfolios and bundles of non-Basel III-compliant debt.

When it was created, the expectation was that the unit's RWAs and leverage exposure would be reduced by approximately 80% by 2020, but the bank said it is on track to wind down the unit by the end of 2018 – two years ahead of schedule.

Who said what

“Credit Suisse approached Finma with a request to review the appropriateness of the level of the risk-weighted assets relating to operational risk in the strategic resolution unit, given the progress in exiting businesses and reducing the size of the division over the last two years, with the aim of aligning reductions to the accelerated closure of the strategic resolution unit by the end of 2018” – Credit Suisse quarterly report.

Why it matters

The slimming down of the SRU will give Credit Suisse room to free capital for investment, and boost earnings.

Finma’s dealmaking also augurs well for Swiss banks once the revised Basel methodology for operational risk, known as the standardised measurement approach, comes into effect. The new rules allow banks to petition their regulators for op risk capital relief on a case-by-case basis. The Credit Suisse agreement suggests the watchdog would be open to similar discussions going forward, giving Swiss banks hope that future op risk requirements will be better tailored to their understanding of their exposures.

Get in touch

Do you reckon Credit Suisse will remain on course to shut down its SRU by year-end? And what’s next for the bank? Get in touch by sending a tweet to @aimoneale or @RiskQuantum, or an email to alessandro.aimone@infopro-digital.com.

Tell me more

Credit Suisse accelerates wind-down of legacy businesses

Credit Suisse seeks capital relief for resolution unit

3LOD helps bolster risk culture – banks

By Tom Osborn | News | 25 April 2018

Credit Suisse links metrics gleaned from first- and second-line risk managers to pay decisions

Establishing a strong risk culture across a large universal bank with a global footprint remains an immense challenge, risk managers agree – but a well-implemented and -managed three lines of defence (3LOD) framework can help.

Speaking earlier today (April 25) at the OpRisk Asia conference in Singapore, Eva Gessner, head of business risk organisation for South-east Asia at UBS Wealth Management, suggested first-line risk managers had to have confidence that they would not be penalised for calling out perceived failures in their own business unit – something that required trust between employees across all three lines of defence.

“Admittedly, we struggle to measure culture: what is good culture? Do you put buzzwords around it, like ‘integrity’ or ‘honesty’? We’ve embarked on a big risk culture journey, and one of the biggest questions we asked ourselves was: how will we measure whether we succeed or not? Do we succeed if we have fewer client complaints? If staff give us feedback that they feel more empowered, that our culture has changed? What is a measure of culture? I think that is an almost impossible question to answer. But if we have the three lines of defence working together, when people [highlight] a risk, if you have a culture in the first line of people being able to speak up, pointing out where things could go wrong, and discussing it without fear of being penalised by ‘the police’ coming after us in the second or third line – if we can create that culture, then we are moving in the right direction,” she said.

A Risk.net survey of bank staff earlier this year found near-universal agreement that a strong risk culture – in which employees were free to challenge decisions and call out potential pitfalls – was a critical element of a strong risk management framework. Yet barely half of respondents said their firm had done a good job of defining its risk culture, with just over one-third saying it was well recognised and rewarded. Most bankers agreed it should be the job of front-office staff to take ownership of risk decisions – one of the goals of the 3LOD model, which seeks to embed responsibility for risk taking within firms’ business units.

But many banks – particularly larger, diversified firms with a global footprint – have found that making the three lines of defence work for their organisation is a daunting, multi-year task. As originally conceived by the Basel Committee’s Principles for the sound management of operational risk in 2011, the model consists of a first line made up of: risk takers within business units; risk managers in the second line of defence checking up on them; and a third line – internal audit – reviewing both.

In practice, larger banks say this leaves them with a vast, unwieldy first line, in which everyone from a bond salesman to the head of fixed income could be considered a first-line risk owner. Many have opted to implement intermediate lines between the first and second, to clarify responsibility for risk controls.

Speaking on the same panel as Gessner, Harkanwal Sodhi, director for risk framework and initiatives at Credit Suisse in Singapore, said the bank was seeking to drive changes in its risk culture by factoring in conduct risk breaches by client-facing staff when setting their remuneration – a move other banks have also pursued. The policy is easier to enact successfully when a bank is able to combine and factor in the results of first-line control testing, Sodhi suggested, as well as checkups from second-line risk managers.

“Risk culture is a tricky one. It’s not tangible and measurable. We’ve tried to tackle it … by creating a risk and compliance scorecard for all our client-facing staff. The scorecard gets input from key risk indicators – how individuals are performing according to those parameters; from our second-line colleagues – what exclusions they’ve noted, what breaches, what compliance observations they’ve had; and there’s a lot of first-line control monitoring that goes on, too. All this translates into a score, which gets taken into consideration when their annual remuneration is awarded. So this is a small way of making risk culture slightly [more] measurable, by directly linking it in a more defined manner to annual remuneration: rewarding good risk behaviour and penalising poor risk behaviour,” he said.

Many local regulators have never formally insisted banks implement and rigidly adhere to a 3LOD framework – but may still use it to hold banks to account when assessing their governance and risk controls. The US Federal Reserve is currently consulting on guidance that would see the model’s principles of risk ownership by business lines incorporated into its overall method of assessing a bank’s financial health.

Lee Hsia Foo, head of operational risk for Asia-Pacific at Westpac, suggested establishing a solid risk culture where risk owners in the first line are not afraid to challenge themselves and one another was more important to the day-to-day business of a risk manager than worrying about whether a bank has enough capital to withstand a loss if there is a breach – regardless of whether it uses the soon-to-be-discontinued own-models approach to calculating op risk capital.

“The last organisation I worked for used the standardised approach. The current one uses the advanced approach. Because of this, the whole focus of the investment bank is: ‘How do we use our internal models to calculate capital, how do we stack up op risk capital in an efficient way against the bank becoming insolvent due to a major event?’ But at a day to day level, really, the conversation is not about how much op risk capital to put aside. The real conversations on the ground are: ‘If I have a control weakness or a gap, what is the culture of our organisation?’ Am I willing, as a business manager, to put my hand up and say: ‘You know what, I have a weakness or a gap there – am I willing to assign it to somebody to fix it, and give visibility to it and get it done?’” said Foo.

Fed risk rating system unifies stress testing and 3LOD

By Steve Marlin | Features | 25 April 2018

Some banks have qualms over potential downgrades and overlap between first and second lines

Traditionally, US colleges evaluate student admission applications by coldly ranking them according to grades, scores on standardised tests and extracurricular activities, using these metrics to come up with an overall score. Recently, however, schools have started playing down the importance of grades and test scores, and have given greater emphasis to qualitative factors such as leadership ability, overcoming hardships and celebrating unique talents.

In much the same way, the Federal Reserve is proposing to amend its rating system for large banks, in a bid to provide a better gauge of the true financial state of the institutions it supervises, rather than simply doling out ‘pass’ or ‘fail’ grades. The system would evaluate banks according to three pillars: capital, liquidity and governance.

The industry’s reaction to the new system has been generally positive, with many hoping it will provide greater granularity than the old one, which dates to 2004.

“The old system was like a report card. The new one tries to evaluate firms on a wider degree of metrics. Boards will get a better idea as to what the specific weaknesses are in the company,” says the head of regulatory affairs at a large US bank. “We’re watching to see how the old ratings map over to the new ones.”

The rating system for large banks represents an attempt to bring together into one framework all the post-crisis tools the Fed has developed for stress testing, particularly its Comprehensive Capital Analysis and Review (CCAR) programme. In the wake of the financial crisis, regulators issued waves of principles, guidance and regulations intended to shore up the financial system. As the economy has righted itself, regulators are institutionalising these reforms into business-as-usual activities.

The rating system will apply to all banks with assets greater than $50 billion. The capital and liquidity pillars will be informed primarily by CCAR and the Capital Liquidity Analysis and Review (CLAR), while the pillar on governance and controls will be informed by a risk guidance proposed by the Fed in January, which makes responsibility for risk-taking between business units clearer – an apparatus borrowed from the Basel Committee on Banking Supervision’s three lines of defence framework.

The rating system is yet another sign of the Fed’s determination to incorporate stress testing into the fabric of banks’ everyday business activities. Just as the recently proposed stress capital buffer is intended to make stress testing a major determinant of a bank’s capital levels, the rating system makes stress testing a core component of the supervisory framework.

Integrating existing capital and liquidity stress tests makes the new rating system more reflective of both the quantitative and qualitative assessments the Fed is undertaking with large banks.

“CCAR has been the central tool to look at whether a company has both the quantitative capital it needs as well as how it manages its capital positions,” says William Lang, managing director at Promontory Financial Group. “It would be odd for the Federal Reserve to have such a large programme for capital adequacy and planning and not use it in its rating system.”

With its focus on capital, liquidity and risk governance, the rating system reflects the three pillars of the Federal Reserve’s post-crisis supervisory approach. For example, even though it has removed the qualitative objection under CCAR for large and non-complex banks, those banks are still subject to a horizontal capital review, whereby Fed examiners assess the strength of capital planning processes as part of the normal supervisory review.

Supervisors are at an informational disadvantage in that banks always know more about their own operations. Horizontal review programmes, such as those for CCAR, CLAR and recovery and resolution planning, are designed to correct this imbalance and enable the Fed to gain a clearer picture of how banks compare.

Some banks would like the Fed to make the linkage between CCAR and CLAR and the capital and liquidity ratings more explicit, instead of merely stating they will be ‘directly reflected’ in the ratings. If a firm receives no quantitative objection to its capital plan under CCAR, then it should receive a satisfactory rating for the quantitative portion of the capital pillar under the new rating system, banks say. They argue companies are subject to more specific qualitative standards under CCAR than they are under existing supervisory guidance.

“If the Fed wishes to set more specific standards to assess capital adequacy, it should subject them to the standard administrative procedures of public notice and comment,” said Goldman Sachs executive vice-president John Rogers in a comment letter on the rating system proposal.

The new rating system uses a four-point scale: Satisfactory, Satisfactory Watch, Deficient-1 and Deficient-2. If a firm receives a Deficient-2 rating, then it could be subject to restrictions on growth through expansion or acquisitions. Some banks are concerned that they could be subject to a ratings downgrade if deficiencies aren’t corrected within 18 months.

The time needed to correct a deficiency that results in a Satisfactory Watch rating could vary depending on circumstances. For example, the design, testing and installation of a new IT system could take as long as three to five years.

“We’re all hoping the rating system isn’t used as an opportunity to treat people worse than today,” says the head of regulatory affairs. “We’re hoping whatever happens to us in our ratings today will be the same thing that happens in our ratings tomorrow. We don’t know that yet.”

The Fed, in its proposal, says the time specified by the Federal Reserve for resolving issues will eventually become more precise, and may be extended as circumstances warrant. Indeed, some observers note the Fed will take into account how diligently a bank is working to address the problem, and will not impose artificial deadlines.

“A major IT overhaul is not something that can be done in 18 months, which I assume the Fed understands,” says Deborah Bailey, managing director in KPMG’s financial services regulatory practice.

The guidance that will inform the third pillar of the rating system – governance and controls – represents a tacit endorsement by the Fed of Basel’s three lines of defence model. Though it has never officially endorsed 3LOD, which formed an important part of Basel’s 2011 Principles for the sound management of operational risk, the Fed’s examiners employ the concept in their supervision of banks. For example, since 2012, banks have been subject to the Fed’s consolidated supervision framework, which requires that governance extend to the management of each business unit. However, the new guidance makes the roles of the three lines of defence more explicit.

The Fed’s guidance on making business units responsible for risk management raises familiar questions about a potential blurring between the first and second lines of defence. Some banks have expressed concern that the Fed would potentially be imposing the same duties on different groups within the organisation, resulting in overlap and duplication. Others counter that the Fed is not trying to create inefficiencies, but is instead encouraging banks to have clear definitions of duties, wherein the first line performs active risk management and the second performs risk oversight.

One of the things the guidance seeks to accomplish is to make clear the ownership of risk lies in the first line. In some sense, the Fed has built natural redundancy into the guidance by design; banks must determine where first line responsibility ends and second line responsibility begins.

Debates over how much clarity could or should be provided in supervisory guidance are a natural consequence of a principles-based regulatory regime. The Fed wants to encourage banks to adapt the guidance to their own particular circumstances, and to foster innovation in risk management.

Still, some argue the Fed could be clearer about its expectations for banks in coming up with a line of demarcation between the first and second lines.

“The Fed could be clearer about where it expects testing of controls to take place, and who’s responsible for that… [that would help firms] understand the various expectations for specific businesses and at what level: is it at the higher business level, the actual desk, or subunit level? That kind of clarity can inform the right kind of organisational tweaks to achieve the objective of proper governance while avoiding overlap,” says Michael Alix, financial services risk leader at PwC.

Same standards

The guidance also stipulates that support and back-office operations will be held to the same risk standards as revenue-generating units. For the largest banks, the guidance would apply to all business lines, including associated operations and support to meet the bank’s business needs.

In this respect, the guidance aligns the Fed’s approach with the OCC’s heightened standards for financial institutions, which were issued in 2014. Those standards defined front-line units as providing operational support or servicing to any organisational unit or function within the bank, or providing related technology services.

“The OCC approach included support functions as front-line activities. The proposed guidance takes a similar approach,” says Edward Hida, global risk and capital management leader at Deloitte. “It’s realigning the mind-set of how organisations look at those functions. In the past, there would generally not have been an independent risk function monitoring them.”

Banks would like the Fed to clarify the guidance should only apply to those businesses that generate material risks. Their position is that existing risk management frameworks are designed to manage all the risks the firm faces. The front-line business units generate credit, market, or liquidity risks, whereas supporting functions do not, they argue. The support functions do generate operational risk, but existing operational risk frameworks would cover those risks.

“We’re asking for clarification from the Fed about how the term business line is interpreted by the Fed,” says a regulatory affairs executive at another large CCAR bank. “We hope it will clarify that you are not meant to have the entire framework apply to units that are not front-line risk-generating units.”

As with the distinction between first and second lines, it’s likely the Fed is being intentionally vague about the distinction between front-line and supporting business unit, according to some observers: it wants to force banks to examine the relationships between the two, and the relative risks they generate. In effect, it wants banks to establish a baseline for defining which risks should be regarded as material and where they’re being generated, which will then form a baseline for its supervisory examinations.

“I don’t have a huge amount of sympathy for comments that say the Fed should tell us what is material and what is not,” says the former supervisory official at the Federal Reserve Bank of New York.

The Fed will not expect to examine all of a firm’s business lines during a single year, it said in the guidance. Instead, it will apply a risk-based approach to determine which business lines to examine during the year, taking into account such factors as the size and complexity of the business line, recent supervisory experience, relative growth and maturity of the business line, and significant change to strategy, structure and management since the last exam cycle.

“Based on the Federal Reserve’s historic supervision approach and statements in their proposed guidance, it is unlikely they would focus on every business line, but would instead take a more risk-focused approach,” says KPMG’s Bailey.

Editing by Tom Osborn

Wells Fargo cuts deposits to meet Fed order

By Louie Woodall | Data | 18 April 2018

Wells Fargo shed billions in deposits in the first quarter as part of its efforts to comply with the extraordinary asset cap applied by the Federal Reserve in February, which prevents the bank from growing at all until it overhauls governance and risk management practices.

The California-based lender pushed out $15 billion of commercial deposits from financial institutions in direct response to the asset cap. The total decline in financial institution deposits over the quarter was $32.3 billion. Outstanding loans in its legacy consumer real estate loan portfolios were also cut.

The total asset decline was $36.4 billion.

What is it?

The Federal Reserve slapped a cease-and-desist order on Wells Fargo on February 2 in response to the lender’s “ghost account” scandal – in which bank employees opened hundreds of thousands of deposit and credit card accounts without customers’ consent.

The order prevents Wells Fargo from increasing total consolidated assets beyond its end-2017 amount of $1.952 trillion.

Who said what

“We have approximately $200 billion of non-operational deposits, we have $149 billion of financial institutions deposits, that we have identified as a category we could adjust if we needed to, to create some headroom for natural growth in the major lending and deposit taking categories. The first stop is financial institution deposits. The deposit-taking in that category tends to have very little to no liquidity value and they tend to be very short-term in nature [and] there are many alternatives that that universe of depositors can go to. My expectation is the impact is very modest” – Neil Blinde, treasurer, Wells Fargo, speaking at the RBC Capital Markets Financial Institutions Conference in New York, March 7

Why it matters

Wells Fargo announced a plan to manage its shackling by the Fed soon after the cease-and-desist order was filed – a plan it appears to be following. It makes sense for the bank to restrict financial institution deposits first because, as Blinde said, these customers are more likely to pull their money out at short notice. Indeed, the draining of non-operational deposits could serve to boost the bank’s liquidity coverage ratio, since these deposits are treated most harshly under that requirement’s cash outflow calculation.

The question is what happens if and when Wells Fargo has to cut back on deposits and assets originated by less sophisticated customers, who may be driven into the arms of rival banks as a result.

Get in touch

How would you rate Wells Fargo’s efforts to comply with the Fed order so far? Send your scores to louie.woodall@infopro-digital.com, or tweet @LouieWoodall and @RiskQuantum.

Tell me more

Top 10 op risks 2018: regulatory risk

CCPs hike spending on cyber defences

By Dan DeFrancesco | News | 12 April 2018

“The thing OCC spent the most incremental funding on in 2017 was improving cyber security,” says COO

The operators of the US’s largest clearing houses say they have ramped up spending on cyber security in the past 12 months, citing the ongoing pernicious, existential threat malicious actors pose to their organisations.

Speaking on April 12 at the World Federation of Exchanges’ clearing and derivatives conference in Chicago, John Davidson, president and COO of the Options Clearing Corporation, said the central counterparty’s biggest area of increased spending last year was cyber security.

“It is clearly the largest risk facing financial infrastructures everywhere in the world,” said Davidson of cyber security. “The single thing in 2017 that OCC spent the most incremental funding on was improving our cyber-security capabilities.”

Banks and other market participants have repeatedly voiced concerns recently about the potential impact a disabling cyber attack on a critical piece of infrastructure such as a CCP could have on the functioning of markets. OCC alone clears more than 22 million derivatives trades a day, on average.

Clearers also hold highly sensitive information on market positions for all participants, as well as information that could be used to determine trading strategies, which would be highly valuable to rival firms should they find their way into the wrong hands.

Op risk professionals cited IT disruption and data compromise as their top op risks concerns for 2018 when surveyed by Risk.net.

Speaking on the same panel as Davidson, Sandy Frucher, vice chairman at Nasdaq, said the bourse spent more time figuring out how to defend against cyber crime than almost anything else.

“I don’t think there is an area in which Nasdaq is more focused than cyber security,” Frucher said. “We are literally scouring the world to look at who is out there and who is doing good work in that space.”

Larry Thompson, vice chairman of the Depository Trust and Clearing Corporation (DTCC), agreed cyber was the one risk “that keeps everybody up at night”. He stressed the importance of collaboration between financial institutions – citing the work of organisations like the International Organization of Securities Commissions and the Financial Stability Board – to develop frameworks on what should be considered best practice for market participants in the US and beyond.

The lack of stronger cyber security standards globally has created vulnerabilities in an industry in which participants are intertwined with each other, Thompson added.

“Unfortunately, because it is a global issue – we are all interconnected globally – there are standards out there that are probably not as strong as they should be or could be that probably expose all of us,” Thompson said. “If you have one member of your interconnected group that doesn’t practice the same kind of cyber hygiene that everybody else practices, you are going to be exposed. That is just the reality of what you have to deal with.”

Firms needed to have resiliency plans in place and perform scenario planning on how to deal with attacks, Thompson said. Part of this, he added, could involve talking to similar institutions about serving as backups for each other, to ensure a firm whose systems go down can rely on its sister institutions around the table.

Cyber experts have criticised existing regulations as limiting financial firms’ ability to collaborate and share information on potential cyber threats, however. For instance, restrictions on data sharing contained in the US Patriot Act and at the Financial Services Information Sharing and Analysis Center are hindering efforts to combat cyber attacks, the leader of a cyber crimes unit at Wells Fargo said at the Cyber Risk North America conference in March.

FS-ISAC is an industry-run initiative that allows financial firms to anonymously exchange information on cyber threats. Banks can also share data about money laundering and terrorist activities under Section 314(b) of the Patriot Act, which provides a safe harbour from legal liability. In both cases, the sharing of personally identifiable information (PII) is restricted.

For CME Group president Bryan Durkin, the battle against potential cyber attacks is exhaustive, never-ending and one the firm continues to put money towards.

“I am telling you the minute you feel like you are ahead of it, something else comes your way. You are never totally ahead of it,” Durkin said. “This is an area that we are constantly investing and trying our darndest to advance our intelligence and our capabilities so that we can hopefully be viewed as a premier leader in that respect.”

Editing by Tom Osborn

Sponsored video: Thomas Lee, Vivo Security

By Alex Hurrell | Advertisement | 11 April 2018

Thomas Lee, chief executive and co-founder of Vivo Security – a start-up firm based in Silicon Valley and sponsors at OpRisk North America – talks about how special the banking industry is to Vivo Security and why its approach to model risk management and its top-down approach to quantifying cyber risk aligns synonymously with banks.

Op risk grows at Swiss banks

By Alessandro Aimone | Data | 10 April 2018

Credit Suisse and UBS reported hikes in operational risk-weighted assets (RWAs) in 2017, although they cited different factors for their respective increases. 

Op RWAs at Credit Suisse grew by Sfr9 billion ($9.4 billion), following an update to its loss history and a revision of the costs incurred as a result of legal settlements regarding its crisis-era residential mortgage-backed securities (RMBS).

Credit Suisse’s total RWAs increased by Sfr1.4 billion to Sfr272.8 billion, as reductions in market and credit risk partially offset the rise in op risk.

UBS reported an op RWA gain of Sfr1.6 billion, although in this case the rise was driven by a change to its advanced measurement approach (AMA) model. UBS gained approval to use the model from Swiss regulator Finma in the first quarter of 2017.

UBS’s total RWAs climbed Sfr14.8 billion to Sfr237.5 billion at the end of 2017, with credit RWAs rising alongside op RWAs.

Why it matters

Comparing rival banks' RWA gyrations helps to shine a light on how sensitive different risk measures can be, and to what degree. In this case, it is clear that op risk calculations under the AMA contain many moving parts. Credit Suisse's disclosure shows how a tweak to a single input – in this case, RMBS legal liabilities – can have a sizeable effect on the total RWA output. UBS's, on the other hand, shows how a change to the model itself can produce swings of its own.

These sorts of fluctuations help explain why the Basel Committee on Banking Supervision formally scrapped the AMA in December, to be replaced by a standardised measurement approach that dispenses with models entirely. 

Get in touch

Do you have any thoughts on what the Swiss banks' op RWAs might look like once they adopt the standardised measurement approach? Let us know by emailing alessandro.aimone@infopro-digital.com or sending a tweet to @aimoneale


KYC concern slows asset managers’ move into China

By Blake Evans-Pritchard | News | 10 April 2018

Rush into $2.2 trillion China funds market tempered by problems obtaining client data

In the race to corner a share of China’s $2.2 trillion asset management market, global fund managers are hitting a snag: uncertainty over who exactly they are doing business with in the country.

Fund manager caution is understandable, given the global focus on anti-money laundering and China’s own moves to stamp out financial crime and corruption. Failures in the area of know-your-customer (KYC) could result in hefty financial penalties or – worse – irreparable damage to a company’s reputation. Staying out too long or limiting the products on offer, though, leaves fund managers at risk of becoming a fringe player in a market where scale matters.

“Strategically, at board and executive level, large international firms are balancing the huge upside potential of China with the operating risks, such as know-your-customer,” says Julian Chesser, head of Asia for IHS Markit, a data and analysis company. “Most firms require a meaningful China strategy but with an execution plan that carefully navigates a plethora of regulatory and operational risks.”

KYC requirements vary from country to country, but broadly speaking they are underpinned by the principle that firms should know exactly who they are dealing with so as to avoid managing the money of people involved in financial crime or who have otherwise been blacklisted by governments.

“If you’re in China it wouldn’t be too much of a stretch to imagine you’re doing something with North Korea or you’re doing something with politically exposed persons in Russia,” says an Asia-based executive from a vendor firm that does not yet offer services in China.

Firms under US supervision are especially wary of KYC slip-ups, mindful of the sizeable fines meted out to non-compliant firms by US authorities.


“Are we going to want to lose a billion-dollar ticket in the US simply because we want to be in China?” asks a senior director within the Asian office of a global asset manager. “From the outset we had a very clear idea of how we were going to set up onshore, which meant being very careful about who we deal with. We could have raised a lot more money much more quickly if we had not cared as much.”

An asset management executive echoes this caution: “KYC is a very big issue for firms wanting to set up in China. Ultimately, if anything goes wrong in the China market, they could face the risk of losing their entire US business through punishment from [US regulator] the SEC.”

US law enforcement bodies have repeatedly warned that some of China’s largest banks are not doing enough to combat financial crime and have accused them of failing to co-operate in cross-border investigations.


In March, the Federal Reserve ordered the New York branch of China’s largest bank, ICBC, to improve its protection against money laundering – and this isn’t the first Chinese bank that the regulator has targeted for such failings. In 2016, Agricultural Bank of China received a similar warning – and was also fined $215 million. Bank of China and China Construction Bank, the remaining members of China’s so-called ‘big four’, also received warnings in 2015.

Gaps between local and international KYC implementation pose a particular threat to compliance. For example, banks are at risk of unwittingly onboarding clients that have avoided paying tax in the US. While most KYC systems of domestic distributors can easily identify US citizens, they are not always able to identify Chinese citizens who hold a US green card, which grants the holder residential status in the US. Green card holders are obliged to pay US tax.

Domestic measures

But China is starting to show a tougher line on money laundering and financial crime. In February, the government seized control of insurer Anbang, putting the chairman on trial for an alleged 75 billion yuan ($12 billion) fraud and injecting almost $10 billion into the firm to ensure its solvency and stability.

The People’s Bank of China was understood to be examining suspected breaches of anti-money laundering rules at the insurer as far back as 2016, and authorities had warned government-linked business associations against entering into new partnerships with the company.

China’s private fund management (PFM) framework already provides some safeguards for foreign asset managers. The rules prevent foreign firms from offering products to any domestic institutional investors with assets of less than 10 million yuan, while individual investors must have assets of at least 3 million yuan. Furthermore, the minimum investment in a fund is set at 1 million yuan, with a maximum number of 200 investors allowed in a single fund.

Additionally, some foreign asset managers limit their fund-of-fund investor relationships to those companies that are registered with the Asset Management Association of China, a self-regulatory body, and whose clients have therefore already been subjected to a screening process.


However, it is far from clear that such measures are sufficient to ensure the necessary level of confidence in KYC compliance. One complaint centres on the provision of data in countries such as China, where access to client information is often restricted.

“Whereas there is an understanding in Europe or the US that certain information needs to be provided to help protect the financial system and identify who the ultimate beneficial owners are, this is trickier in China,” says Julia Walker, head of market development and risk for Asia at Thomson Reuters. “China is still going through its growing pains. You have a lot of state-owned companies and you also have the requirement that data has to remain onshore, which is a challenge for most KYC vendors.”

China’s views on information privacy differ from those of western states, with Beijing often considering company information a state or trade secret, which results in information-sharing challenges. This has hindered the advance of technology vendors in China, many of which have not yet rolled out their platforms in the country, largely because of the difficulty in accessing the necessary data sources.

In addition, the concept of politically exposed persons (PEPs) is still foreign to many Chinese financial firms and their employees. As a result, financial institutions can struggle to garner enough data to perform thorough KYC checks. Firms lack a comprehensive database to verify names and, in the context of the corruption crackdown underway and the preponderance of state-run companies in the Chinese economy, such PEPs pose a significant risk for the financial industry, Walker says.

Slow going

Such shortcomings help explain why few asset managers have set up onshore operations in the world’s second-largest economy since it opened its doors in 2016; and why none of the global KYC tech platforms are available in China. So far only 11 fund managers have taken up this opportunity, according to Cerulli, an asset management data provider (see table). Others, such as AllianceBernstein, are in the final stages of applying for a PFM licence.

Some firms are exploring alternative avenues, such as engaging a local distribution partner to vet clients. US asset manager Fidelity has taken this approach. “We pay a lot of attention to our reputation in China and globally, which is why we only partner with strong players – those that we know well and believe have very high standards in China,” says Jackson Lee, the firm’s head of China. Fidelity became the first foreign company to be awarded a PFM licence in January 2017.

Lee believes the firm’s long-standing presence in China – it first set up an office in Shanghai in 2004, principally to invest overseas money onshore – gives it an advantage in this respect, allowing Fidelity to comprehend the local dynamics of the market and who it is partnering with.

Singapore-based Fullerton Investment Management has also partnered with a local firm. Mark Li, head of China at Fullerton, says: “We launched our first product in February and we were able to close all [compliance] gaps. Our local partner is able to follow international standards, after certain customisation, and we don’t see a big gap that we cannot overcome.” Fullerton secured its China PFM licence in September.

Domestic banks, which are the principal distributor of foreign asset management products, claim to be able to offer KYC oversight in line with global standards. Under Chinese rules, financial institutions must run background checks on customers that they do business with. But such local rules do not always provide the level of confidence that overseas asset managers and their home regulators require, particularly when it comes to identifying source of funds. Accordingly, insiders report that some foreign firms have pulled back from China. Ultimately it is the overseas asset manager, and not the local Chinese distributor, that will have to answer to the authorities of its home market if things go wrong.

“China’s market has been standing relatively alone for a long time. It will take time for domestic regulations and systems to include more global information, and for global players to fill up the gaps and find alignments,” says Miao Hui, a senior analyst for Cerulli Associates.

The asset management executive agrees: “Local banks have been slow at introducing new things into their systems, especially when foreign managers have specific KYC needs. The foreign firms have realised that, in order to ensure that every penny raised in China is compliant with the regulations of their home markets, they have to increase the headcount onshore in order to go through the process themselves, after the local distributor has done the KYC at their end.”

There is little doubt that asset managers entering the Chinese market are taking KYC concerns extremely seriously, and if they can’t get comfortable with the local onboarding process then they might just have to say goodbye to the opportunities there. It just isn’t worth the risk.

Editing by Alex Krohn

Monthly op risk losses: China’s Anbang faces huge fraud hit

By Risk staff | Opinion | 9 April 2018

Also: in-depth look at multi-billion fraud in Indian banking system. Data by ORX News

In the largest operational risk loss in March, the former chairman and general manager of Anbang Insurance, Wu Xiaohui, has been accused by the Chinese government of embezzling a total of 75.2 billion yuan ($11.99 billion) for improper usage of funds and insurance premiums.

The China Insurance Regulatory Commission seized control of the insurer in February after Shanghai prosecutors charged Wu with fundraising fraud and embezzlement. During his one-day trial on March 28, it was revealed that Wu was charged with diverting 65.2 billion yuan of funds that had been earned from selling wealth management insurance policies. Despite having exceeded the number of sales approved by the regulator by July 2011, Wu had continued to set large sales targets, and then allegedly used the funds for investment and to pay off debts.

In addition, Wu is accused of embezzling 10 billion yuan from Anbang’s insurance premium income and using 6.9 billion yuan of this amount to increase his stake in Anbang through companies he controlled. Wu could receive a maximum sentence of life imprisonment. A court verdict has yet to be delivered.

In the second largest loss last month, Union Bank of India lost 3.14 billion rupees ($48 million) in a loan fraud scheme allegedly carried out by Totem Infrastructure. The Hyderabad-based construction firm obtained loans totalling 13.94 billion rupees from a consortium of eight banks including UBI. The losses for each of the other banks have not yet been reported.

Totem executives are accused of syphoning the loans out of the company through external bank accounts and via excessive wage payments, according to a statement from India’s Central Bureau of Investigation. Authorities have arrested two Totem staff members, media reports say.

In third place, Bank of America Merrill Lynch paid $42 million to the state of New York to settle an investigation into a number of fraudulent practices in connection with its electronic trading services.

According to the New York attorney general, between 2008 and 2013, BAML concealed from its institutional clients in marketing materials, internal records and bills and invoices that it had routed their trade orders to third-party execution firms, instead telling clients their orders were executed in house. The bank used a technique known as masking, whereby details on the trade confirmation were replaced with a code purporting to show that BAML had processed the trades.

BAML was also accused of overstating the amount of retail orders routed to and executed in its dark pool. The fine is the largest ever state recovery in connection with an electronic trading investigation.

The fourth largest loss concerns BNY Mellon, which agreed to a $35 million settlement of a class action lawsuit with a group of trusts that accused the bank of breaching its fiduciary duties by mismanaging their assets. The bank invested trust assets in proprietary financial products that performed poorly, thereby benefiting from higher management fees. The trusts claim that BNY did not disclose this to them, although BNY denies all the allegations. The settlement, which would take the form of fee concessions, still requires formal court approval.

The fifth largest loss was another Indian loan fraud. Last month, State Bank of India confirmed it had suffered a 2.15 billion rupee fraud by Chennai-based Kanishk Gold. The jewellery supplier is accused of misreporting financial statements to secure loans from a consortium of 14 banks, totalling 8.24 billion rupees, of which State Bank of India was the largest lender. The loans were granted over a nine-year period from 2008, but the irregularities were only discovered during recent audits, according to a statement from India’s Central Bureau of Investigation.

Spotlight: Lloyds ordered to cough up £2.3m in withheld share bonuses

On March 27, the UK’s High Court ordered Lloyds Bank to pay more than £2.3 million ($3.2 million) worth of shares to two of its former executives after it found that the bank had unlawfully withheld their bonuses.

The shares had originally been awarded as a bonus linked to the successful acquisition of troubled UK bank HBOS by Lloyds in 2009, and were part of a long-term incentive plan which ran from 2006 to 2012. Although the shares were vested, Lloyds amended the terms of the incentive plan in 2012 to give it the power to reduce individuals’ awards. Lloyds claimed this was in response to changes in the Remuneration Code made by then financial regulator, the FSA, but court records also revealed that the change was motivated by avoiding further bad press following the widely maligned HBOS acquisition.

The court found in favour of the executives. Eric Daniels, the former chief executive of Lloyds, was awarded 2,063,640 shares, and George Tate, former wholesale and international banking director, was awarded 1,424,778 shares. Other executives, including former head of retail Helen Weir and former head of insurance Archie Kane, had their bonuses blocked, but did not file claims against the bank.

The six-year-long court battle has echoes of the litigation that Germany’s Commerzbank fought against former employees over unpaid bonuses. When Commerzbank took over investment house Dresdner Kleinwort in 2008, it slashed promised bonuses to Dresdner staff, despite offering assurances that the remuneration was secure. Many affected individuals subsequently lodged successful court cases to recover those bonuses.

In focus: Indian loan frauds on the rise

Indian banks have lost over $6.3 billion to loan fraud in the last five years, ORX News data shows. This figure includes only publicly reported frauds over $1 million, with a recent Reuters request for information showing a higher figure of $9.58 billion.

Close to a third of this hefty amount comes from just one event revealed in February, a loan fraud at Punjab National Bank involving diamond businessman Nirav Modi. Two PNB employees are thought to have used fake bank guarantees to make a series of bank transfer requests via the Swift network on behalf of Modi’s companies, defrauding PNB of $1.98 billion over the course of eight years. The scam was only detected when Modi’s companies sought new loans after the two employees had retired.

Worryingly, this loss appears to be part of a growing trend of fraud in India, with $110 million worth of commercial fraud cases registered with the Indian Central Bureau of Investigation in the month since the discovery of the PNB loss. The number of publicly reported loan frauds has increased year on year since 2013, and an extrapolation of the figure from the first quarter of 2018 would continue this trend. The total loss amount reported in the first quarter has already exceeded the total amount from the previous four years combined.

The Reserve Bank of India reports that loan frauds have increased by almost 20% in the last five years. But in its June 2017 Financial Stability Report the RBI recognised that loan frauds are not the result of hard-to-control macroeconomic factors, and the fraud schemes reported by ORX News are rarely particularly complex, even though the amounts involved are high. So why does India have such a loan fraud problem?

The RBI has found “serious gaps” in credit underwriting standards to be a significant cause. These gaps include generous cashflow projections and overvaluation at the application stage, and a lack of monitoring after loans have been granted. Added to this, fraudulent commercial loans, the main source of serious large losses to banks, are normally categorised as non-performing assets for two to three years before being declared fraudulent, making it difficult to detect the true extent of the problem.

A less-than-perfect attitude towards corruption may also be to blame. According to a study by the Indian Institute of Management Bangalore, frauds have long been seen simply as a cost of doing business in India. Navigating the Indian judicial system to secure a conviction in these cases adds another layer of difficulty.

A number of factors therefore conspire to create a fertile environment for fraud. The Indian government is fighting back, however. In February, the government ordered public banks to inspect all bad loan accounts over 500 million rupees ($7.7 million). The RBI recently issued a new framework for the resolution of stressed assets, and has formed a committee to investigate the rising cases of fraud.

Editing by Alex Krohn

All information included in this report and held in ORX News comes from public sources only. It does not include any information from other services run by ORX and we have not confirmed any of the information shown with any member of ORX.

While ORX endeavours to provide accurate, complete and up-to-date information, ORX makes no representation as to the accuracy, reliability or completeness of this information.