Op risk data: Crypto exchange BitConnect hit with $2bn lawsuit

By ORX News | Opinion | 12 October 2021

Also: Legacy €1bn tax liability levied on WestLB ‘bad bank’; ABN and Wells Fargo compensate clients. Data by ORX News

September’s largest operational risk loss was an astonishing $2 billion, in a Securities and Exchange Commission (SEC) lawsuit against former online crypto lending platform BitConnect, its founder Satish Kumbhani and lead US promoter Glenn Arcaro, along with his company Future Money. The SEC says that, from January 2017 to January 2018, the platform embezzled approximately this amount in investor funds in an international Ponzi-type scheme involving digital assets.

BitConnect launched with an initial coin offering (ICO) at the end of 2016 and by mid-December 2017, its eponymous cryptocurrency, BitConnect Coin, or BCC, boasted a market cap of over $2.5 billion and a peak value of $400 a coin. The platform offered BCC in exchange for bitcoin on its exchange and claimed that customers would receive a daily profit, thanks to their trading bot and volatility software, and that returns would be as high as 40% per month “with no risk”. Instead, the SEC found the defendants passed investors' funds through their own digital wallets and siphoned them off for personal profit. Of the approximate 325,000 in bitcoin investors paid to BitConnect, only 8% was invested on any digital-asset trading platform.

In January 2018, the market for BCC crashed after two state-level US securities regulators issued public letters warning investors of the platform’s questionable nature. BitConnect then shut down its BCC exchange, which led to a price collapse and left investors with a near-worthless currency.

The SEC said BitConnect and Kumbhani conducted a Ponzi-like scheme to lure newer investors to satisfy other investor withdrawals and conceal the fact they were deploying investor funds purported to be allocated to the trading bot they had advertised.



A €1 billion ($1.17 billion) tax dispute between the two succeeding entities of the former WestLB – Erste Abwicklungsanstalt (EAA) and Portigon – makes up the second largest loss of the month. The dispute centres on the cum-ex tax debt, for which WestLB was found liable after a 2016 German prosecutor’s investigation. In 2012, when the former German bank was split into two, Portigon took control of the viable financial services, while EAA took on the role of ‘bad bank’ to complete the winding up of non-performing assets.

The cum-ex trades involved buying a share just before the dividend rights expired and then re-selling it, allowing both the buyer and the seller to claim a capital gains tax refund. The transactions took advantage of a loophole in German tax law that closed in 2012. The Frankfurt-am-Main regional court established that EAA had intentionally assumed the disputed tax-risk positions and found EAA liable for the tax debt, a decision EAA said it would appeal. It was given one month to do so.

In September’s third largest loss, ABN Amro has provisioned €250 million ($297 million) to compensate consumers who were charged too much interest on revolving credit. The ruling resulted from a July 2018 client complaint that the bank had extended an interest-only flexible credit with a variable interest rate, which was not reduced despite a fall in the market rate when other lenders lowered their rates. The customer allegedly overpaid €25,000 in interest.

The Dutch financial ombudsman ruled that interest should remain in line with market interest rates and confirmed the interest rate series published by the central bank should be used as the reference rate for credits from 2010. Prior to this date, the Dutch statistical office’s interest rate series adjusted by 0.91 percentage points should apply. ABN Amro said it would voluntarily add 5% to the compensation as a good will gesture.

The fourth largest loss of the month saw Interactive Brokers fined $84.3 million for the incorrect configuration of its oil futures electronic payment system, which failed to function when oil futures prices went negative for the first time ever on April 20, 2020. Interactive Brokers reported its system issues to the US Commodity Futures Trading Commission (CFTC) the next day and cooperated with its investigation. By April 22, the firm had engaged in customer compensation and systems remediation efforts, but these were deemed insufficient and caused losses of $82.6 million to 227 clients.

September’s fifth largest loss of $72.6 million came after a whistleblower informed the US Department of Justice that financially incentivised and poorly supervised Wells Fargo employees had systematically charged small and medium size businesses and financial institutions higher markups on foreign exchange transactions and concealed the overcharges through various misrepresentations and deceptive practices..

In one alleged strategy, dubbed the ‘big figure trick’, if the correct hypothetical price to buy a euro was $1.0123, an FX sales specialist would switch the price to $1.0213. If caught, they would falsely claim the digits had been mistakenly transposed. Members of its San Francisco FX desk would celebrate large sales margins by ringing a bell on the trading floor.

Wells Fargo accepted responsibility and took actions against more than 20 FX employees, including various disciplinary actions and separation of employment, and affirmed it has taken various steps in an effort to comply with industry FX best practices.


Spotlight: Meme-stock misstep means $4m fine for MassMutual

A $4 million fine for MassMutual Investors Services has focused minds on the matter of monitoring employees’ social media activity. The US Securities and Exchange Commission fined the firm for supervisory failures that allowed former employee Keith Gill to misuse social media and carry out excessive trading in his personal account. Under the alias ‘Roaring Kitty’, Gill made hundreds of hours of YouTube videos explaining his trading strategies along with extensive online contributions to Reddit forums, encouraging millions of hobbyist day traders to pump shares into bricks and mortar video game retailer GameStop, among others.

From April 1, 2019, until January 28, 2021, broker-dealer agent Gill worked as product management director on MassMutual’s marketing programme ‘In Good Company’ to attract and retain investors with educational offerings and advice. At the same time – and over various media, using different aliases – Gill garnered thousands of followers as a meme-stock trader. Massive demand from meme-stock traders sparked a dramatic surge in GameStop’s price in January 2020, bringing global attention to the story.

And while the media discovered Gill’s aliases and activities in a day, MassMutual policies and procedures failed to detect his social media activities for almost two years, including over 250 hours of YouTube videos and almost 600 securities-related posts on Twitter alone, but also on other social platforms. Nor did MassMutual detect the 1,700 trades Gill carried out in the accounts of three further individuals. The firm had used a flawed third-party electronic trading surveillance programme that also failed to detect Gill’s trades, which were at twice the firm’s pre-determined per-transaction limit of $250,000.

The SEC found that Gill’s actions contributed to diminished investor confidence in the market and highlighted that MassMutual’s compliance failures, continuing until at least September 15, 2021, were systemic and not uniquely related to Gill.

In focus: Cloud providers float up the list of regulators’ concerns

For some years now, regulators around the world have kept an uneasy eye on financial institutions’ growing use of a handful of service providers, notably cloud computing firms. In the past few months, the Bank of England – usually a pioneer regulator when it comes to non-financial risks – has come out with some of its strongest statements on the dangers of such concentration.

At its September meeting, the bank’s Financial Policy Committee noted the financial system’s growing dependence on cloud service providers and other critical third parties (CTPs).

“The increasing criticality of the services that CTPs provide, alongside concentration in a small number of providers, pose a threat to financial stability in the absence of greater direct regulatory oversight,” the FPC said, doubling down on the central bank’s 2019 suggestion that cloud providers should be more tightly regulated.

The committee went on to say that additional policy measures, some requiring legislative change, were likely to be needed to mitigate resulting risks to financial stability. Both comments built on a similar statement contained in the FPC’s July Financial Stability Report.

The cloud service market is indeed dominated by only three providers. In the second quarter of this year, Amazon Web Services held 31% of the market, followed by Microsoft Azure with 22%. Google Cloud was third, accounting for an 8% share, according to estimates by Canalys, a technology research firm.  

As bank risk managers are well aware, a service disruption at any one of the three could have severe repercussions for scores of financial firms. Although the major cloud providers have so far proven resilient, two cyber attacks that affected many more institutions this year underscore the risks of relying on a small number of suppliers.

A hack of Accellion, a US software vendor, led to a long string of its customers and their customers reporting data breaches. The victims included Morgan Stanley, which said in July that personal data of some of its corporate clients had been stolen, according to Reuters. The bank said the criminals had accessed the information by exploiting a vulnerability in the software used by one of its vendors, Guidehouse. The software, called FTA, was provided by Accellion.

In January, New Zealand’s central bank reported a data breach through the same Accellion software, which it used to share and store information.

Putting a spotlight on the vendor’s behaviour, the bank’s governor Adrian Orr later commented: “We had no warning to avoid the attack which began in mid-December. Accellion failed to notify the bank for five days that an attack was occurring against its customers around the world and that a patch was available that would have prevented this breach.”

Accellion, for its part, said in January that it had discovered a “vulnerability” in FTA in mid-December, resolved it and released a patch within 72 hours to the fewer than 50 customers affected. A later update stated that the software had been the target of a cyber attack and that Accellion had notified all FTA users of the attack on December 23.

The second incident involved the hacking of Microsoft Exchange email servers, used by businesses around the world. The company said in March the attacks were carried out by a previously unknown Chinese-based “actor” that it dubbed Hafnium. The European Banking Authority, one of the victims, said the attacker might have accessed personal data held by the EBA. It was also reported in March that at least 30,000 organisations across the US had been hacked through their Microsoft Exchange servers.   

At least in the UK, regulators are increasingly alarmed by the financial sector’s reliance on a clutch of critical service providers and are planning to publish a joint discussion paper on regulating these firms next year.

For now, the sector’s best defence against the risks CTPs harbour is to closely follow rules on operational resilience – of the kind published by the Bank of England earlier this year. As part of the UK rules, firms must make sure each of their important business services can continue operating in a range of disruptive scenarios. An outage at or an attack on their cloud provider should surely be one of those scenarios.

Editing by Louise Marshall and Olesya Dmitracova

All information included in this report and held in ORX News comes from public sources only. It does not include any information from other services run by ORX, and we have not confirmed any of the information shown with any member of ORX.

While ORX endeavours to provide accurate, complete and up-to-date information, ORX makes no representation as to the accuracy, reliability or completeness of this information.

Basel III heralds 41% op risk jump for EU banks

By Lorenzo Migliorato | Data | 11 October 2021

Capital requirements set to rise almost 88% for those G-Sibs that don’t currently use the AMA

Revised rules for calculating operational risk will cause European Union banks’ capital requirements to surge by 40.5% from end-2020 levels, data from the European Banking Authority (EBA) shows.

As part of the Basel III reforms, banks worldwide will have to discontinue the use of the advanced measurement approach (AMA) by 2028 and assess operational risk exclusively through a new standardised measurement approach (SMA).



Op risk Tier 1 capital charges are expected to jump 43.5% for those banks currently using the AMA, and by 36.3% for those that don’t.

The switch could be particularly costly for global systemically important banks that don’t use the AMA, which would see op risk charges rise 87.9% higher, compared with a 48.1% jump for those migrating from the AMA.

Of the bloc’s G-Sibs, Groupe BPCE and Santander rely on the standardised approach (SA) alone to calculate operational risk charges; ING and Deutsche Bank exclusively on the AMA; and Crédit Agricole and Societe Generale on a mix of the two. UniCredit and BNP Paribas use both methodologies as well as the basic indicator approach (BIA).

The impact on other large banks would be more contained. Across lenders classified as Group 1 – internationally active firms with more than €3 billion ($3.5 billion) in Tier 1 capital, including G-Sibs – capital charges would rise 44.2% for those migrating from the AMA, and 40.8% for the rest.

Smaller, Group 2 banks would see more modest hits, of 15.3% for AMA users and 19.8% for the rest.

What is it?

Basel II rules lay out three methods by which banks can calculate their capital requirements for operational risk: the BIA, the SA and the AMA.

The first two use bank data inputs and regulator-set formulae to generate the required capital, while the AMA allows banks to use their own models to produce the outputs.

Under incoming Basel III rules, all banks will be required to shift to a revised standardised approach, the SMA.

The Basel III monitoring report, issued semi-annually by the EBA, assesses the effects of new regulatory standards on the EU’s large banks. The latest operational risk analysis was conducted on a sample of 101 banks using December 2020 data.

Basel Committee on Banking Supervision countries must implement the final batch of reforms by 2023 and adopt them fully by the start of 2028.

Why it matters

The discontinuation of the AMA in favour of the SMA is one of the more consequential reforms contained in the Basel III package. The EBA’s analysis puts forward several reasons why larger EU banks – and the eight G-Sibs among them – are set to be more heavily affected by the transition.

First, among those banks are several AMA users whose capital requirements are currently significantly lower than at peers that use indicator-based approaches. Those efficiencies will be all but lost once the SMA becomes binding for all.

Second, larger banks tend to be complex organisations that rely heavily on fees. Fee-driven businesses generally attract a higher operational risk, and the SMA has been conservatively calibrated to account for that.

And third, one of the components of the new formula is the business indicator, which to an extent is proportional to the size of risk exposures. In this sense, it is naturally higher for bigger banks.

That said, the EBA noted operational risk charges will ultimately represent a smaller proportion of total capital requirements for Group 1 banks than Group 2 banks. That’s because Group 1 banks’ activities are diversified across interest and fee-based business – whereas some Group 2 firms are so specialised they don’t have any credit or market risk exposure at all.

Get in touch

Like Risk Quantum? Sign up for free to our daily newsletter and check @RiskQuantum for the latest updates.

If you have any thoughts on our latest analysis or want to suggest other ways to present and analyse the data, you can email us.

Tell me more

European banks set for 17.6% capital hike under Basel III

Credit Suisse’s op risk up $6.5bn on subprime-era litigation

Commerzbank’s op RWAs hit 10-year low

View all regulator stories

Cyber optics: are banks downplaying the SolarWinds hack?

By Luke Clancy, James Ryder | Feature | 11 October 2021

In the wake of the watershed breach, banks eye supply chain risk while talking down the hack’s impact

It was the most daring cyber security breach of all time. When state-sponsored Russian hackers manipulated IT-monitoring software from technology vendor SolarWinds to access thousands of organisations – US government agencies and ubiquitous technology companies among them – it sent the vendor’s clients scrambling to patch their systems.

The incident, which came to light in December 2020, blew open a major new front in the fight against cyber crime – exposing the need for firms to monitor and risk-manage their reliance on third-party suppliers.

“SolarWinds is what we call the Pearl Harbor of cyber,” says Jayaraj Puthanveedu, global head of operational resilience and third-party technology risk at BNP Paribas. “The landscape has shifted. We have identified supply-chain risk as one of the most significant cyber risk types following SolarWinds.”

The prevalence of such third-party software makes verifying its integrity a daunting task for large financial firms. For them, the suppliers they trust to run their networks, systems and databases can run into the thousands. “Everywhere in the industry, software like this is trusted,” says Puthanveedu.

But firms have been tight-lipped about the hack’s impact and how they might be responding.

Of the more than two dozen SolarWinds customers contacted by Risk.net, many – including Credit Suisse, the Federal Reserve Bank of New York and the Federal Reserve Board – declined to discuss the issue. Many more – American Express, Nasdaq and Visa among them – didn’t respond to requests for comment.

Many firms were saved only because they didn’t make the top-50 list of who the attackers were going after

CEO of a large US financial firm

Of those that did, Mastercard and Equifax contend their systems were not affected by the event, but declined to comment further. US broker TD Ameritrade says the firm ended its relationship with SolarWinds “well before the incident occurred” and that its systems, client accounts and information remain secure. Malta’s APS Bank also says the hack happened after its relationship with SolarWinds was terminated, while ING says it makes “no detailed statements about its security measures or partnerships”.

Where a public position has been forthcoming, most institutions’ stance is that the hack has been investigated and that nothing of value was lost or stolen.

But cyber experts think this attitude could be complacent – if not disingenuous. And many believe it is hard to tell how far the perpetrators – thought to be co-ordinated by the Foreign Intelligence Service of the Russian Federation (SVR) – exploited vulnerabilities at financial entities.

“The attackers had keys for signing [security] certificates, and they could go to any cloud system – Office 365, Gmail,” says Oliver Tavakoli, chief technology officer (CTO) at cyber security firm Vectra. It’s likely that large banks were targets, he says, but have been quiet about any impact because it’s unlikely large amounts of customer information were leaked, requiring them to disclose breaches for compliance purposes.

Some financial firms have been slightly less cagey, confirming that they checked on business partners. One major European bank acknowledges it was induced to conduct a monitoring review of its numerous third-party suppliers – but declines to share further detail.

The central bank of Denmark acknowledges the attack had “generally affected the financial infrastructure in Denmark” and concedes that the bank itself was “exposed to the vulnerabilities in SolarWinds’ software” via suppliers and subcontractors – but it denies that it had been hacked and says the exposed systems “were quickly contained”. Denmark’s largest bank, Danske Bank, says its systems were not penetrated via its connections to the central bank.

And although financial firms weren’t the main target of the attack, an April 2021 report from the New York State Department of Financial Services (DFS) suggests nearly 100 companies it supervises were indeed compromised by having ‘backdoors’ installed – allowing hackers remote access to visit and revisit at leisure.

Others say the hackers were targeting intelligence – including non-public market information to facilitate frontrunning and insider trading. One senior figure at a technology firm with a wide range of financial clients says that, while banks can legitimately claim that nothing was directly “taken” from them, “the reality is that non-public information was viewed”.

If the cyber intruders did not fully exploit those vulnerabilities, it may be because they were preoccupied downloading data from the IT vaults of various US government agencies.

“They compromised far more institutions than they could actually dedicate resources to exfiltrate secrets and proprietary info from,” says the chief executive of a large US financial firm that was breached in the attack. “Many firms were saved only because they didn’t make the top-50 list of who the attackers were going after.”

When Cosmic Gale reached a system, it automatically deleted logs associated with anomalous behaviour

But cyber experts say that, after establishing backdoors into thousands of companies, it’s unclear whether yet more intrusion points remain in systems affected by the breach.

“If you’re in someone’s network for nine months, you can pretty much do whatever you want,” says Andy Norton, European cyber risk officer at security platform Armis, describing it as “a free hit”.

Indeed, the most sophisticated piece of the SolarWinds campaign was a malware device known as ‘Cosmic Gale’, which was used to cover the hackers’ tracks and create new vulnerabilities. When it reached a system, it would automate the deletion of logs associated with anomalous behaviour, creating a secondary backdoor on a sleep cycle that was hidden in an image file via steganography – a technique for hiding data in ordinary files.

So, while the vendor says it has responded to the incident by drastically improving its security practices, the possibility of lasting damage hangs heavily over the hacked SolarWinds clients.

How it happened

While the SolarWinds breach was made public in December 2020, the hackers responsible had infiltrated the company’s customer networks from at least the spring of the same year and had accessed SolarWinds itself as early as September 2019.

SolarWinds has not revealed the methods used to gain initial entry, but industry figures describe the intruders’ subsequent actions as impressive in their stealth and sophistication. Once inside its systems, the group gradually added its own code to the SolarWinds software development and build process for the firm’s Orion IT management suite – a platform with more than 30,000 users at the time of the breach, spanning financial services, technology and government entities.

“Forensic analysis suggests that the code was inserted over time,” says Stephen Boyer, CTO and founder of cyber security company BitSight. “A little bit at first, just to see if anyone would notice.” But no-one did, says Boyer, and they effectively installed a backdoor.

The undetected hackers then lay in wait before rolling out backdoor entryways – an exercise dubbed ‘Sunburst’ – to thousands of separate SolarWinds customers inside Trojanised software updates within Orion.

There are vulnerabilities that haven’t been discovered yet or haven’t been known to the public

Roy Horev, Vulcan Cyber

Once installed, Sunburst would wait up to two weeks before sending randomly timed and apparently innocuous domain name systems (DNS) requests to the hackers via the internet, allowing them access to the various systems that had downloaded the hacked software update. Disguised as legitimate Orion performance-data communications, they contained information about the infected systems that helped the hackers decide which networks could be worth further inspection.

“This was signed software,” says Boyer. “It wasn’t a rogue version: it was the signed software that SolarWinds attested was correct, and that was put in all these networks.”

The hackers then spent months digging through databases and emails, using the Sunburst backdoors at leisure, gathering information from companies and networks that had unwittingly welcomed them.

Once the breach was made public knowledge – following its detection by leading cyber security firm FireEye – financial firms had to figure out if they had been compromised and what lessons they could learn. And because the Orion breach was a supply chain attack – a type of hack that targets highly connected networks then branches out laterally through their various users – a key fear for banks was trust of third parties.

“We were in touch with all our major suppliers,” says BNP Paribas’s Puthanveedu. “SolarWinds didn’t affect us directly, but some of our suppliers must have been. So we had to reach out to them to see what they were doing about it.”

He declines to name any of the third parties that could have been involved, but says the French bank would terminate any third-party relationship if security controls at partner firms were found to be inadequate.

“Cyber risk is very dynamic, and constant monitoring and assessment is needed,” says Robert Hannigan, chairman of cyber security firm BlueVoyant and a former director of GCHQ, the UK government’s intelligence and security organisation. “Because systems are interconnected and we don’t always understand the degree of connection between them, it’s extremely hard to say which tier of suppliers we should be worried about. The real risk may come from tier 50 out of your 10,000 providers.”

The secondary entry point created by Cosmic Gale was designed with countermeasures to Sunburst in mind. After the hack became public, companies across the world worked quickly to hunt for SolarWinds-related malware on their systems, seeking out the Sunburst backdoor FireEye had identified, while Cosmic Gale allowed the hackers to stay a step ahead.

“The second you terminated the first backdoor, like many incident response teams did at banks, a 48- to 72-hour timer was turned on, and then Cosmic Gale would come alive inside you,” says the senior technology firm professional. “And you’ve moved on – you think you’ve cleaned up. That’s really elegant, and it allowed them to come back in and to propagate again.”

Secondary – and even third and fourth – backdoors are a favoured tool of sophisticated hackers, says Armis’s Norton. “It’s like a disaster-recovery plan – what if they spot our first implant? Many different implants make the breach more complicated to clean up.”

Others agree there is a risk that IT systems may not be fully purged from the hackers’ malicious code.

“There are vulnerabilities that haven’t been discovered yet or haven’t been known to the public,” says Roy Horev, founder and CTO of security firm Vulcan Cyber, of potential backdoors lurking in SolarWinds’ software. “They exist, and they will continue to exist as long as technology evolves.”

“What the Russians seem to have done here is very clever, no question,” says BlueVoyant’s Hannigan. “Once their malware was inside the update, the way it hid itself and propagated, it was very innovative.”

An ill wind

Before the event, SolarWinds had presented itself as being extremely secure. It has since been targeted in a US class action lawsuit. Plaintiffs including its shareholders argue that the firm overstated the strength of its security architecture.

The suit claims that SolarWinds’ internal cyber security practices were “woefully deficient and not as represented”, and that its chief executive and private equity firms controlling the company “sacrificed cyber security to boost short-term profits”.

In response, a spokesman for SolarWinds says that, of 18,000 compromised downloads, only around 100 companies and nine federal agencies were affected. He adds that SolarWinds’ US Securities and Exchange Commission (SEC) filings contained “plain and unambiguous warnings” that, despite its security measures, it could suffer cyber attacks from hacks, including those from foreign governments.

SolarWinds believes it has consistently invested appropriately in cyber security and that a single company cannot be expected to protect itself against attack from a foreign government, says the spokesman: “The plaintiff is strangely attempting to convert one of the most sophisticated cyber attacks in history into a class action claim against SolarWinds and some of its valued employees. SolarWinds disputes the allegations made by the plaintiff, and intends to defend against the claims.”

The vendor has also responded to the incident by improving its security practices, adds the spokesman. Through its ‘secure by design’ initiative, it has changed its software development process by creating parallel build environments, which means its software is now built concurrently in multiple environments with different security accesses. It would require a threat actor, for example, to break into three different environments and change the code in the same way.

But this may be shutting the stable door after the horse has bolted. Ian Thornton-Trump, SolarWinds’ former global cyber security strategist, told lawyers leading the class action that the company failed to follow a host of basic cyber security practices. It had no security team, password policy or documentation regarding data protection and controls. Nor did it provide employee cyber security training or perform basic background checks on them. It also failed to limit user-access controls, exposing itself to a potential hack.

Security slip-ups were painfully sloppy. From June 2018, for 18 months, the password to its update server was publicly available on the internet. Set by an intern to ‘solarwinds123’, it violated the most basic password policies. The class action alleges this compromise “allowed anyone to enter SolarWinds’ internal systems”.

In 2017, after his suggestions to address deficient cyber security practices had been rejected, Thornton-Trump said he resigned in protest.

Financial firms picking up the pieces in the wake of the attack have looked to specialist firms such as BitSight for tailored assistance, to dig through their own systems for evidence of intrusion and also through those of third parties.

Affected companies would not necessarily know of their compromise, Boyer explains, and in some cases – usually for public relations or legal reasons – would not admit to being compromised even if they were aware.

If organisations believe that the actor is sophisticated, they will hire multiple forensics organisations and spend millions

Andy Norton, Armis

BitSight and other security specialists were needed to provide financial firms with a clear idea of which vendors required investigation and which remained secure.

“Forensic team success depends on the initial hypothesis about the nature of the threat actor,” says Armis’s Norton. “If organisations believe that the actor is sophisticated, they will hire multiple forensics organisations and spend millions.”

A cyber-literate vendor might give banks assurances about their in-house threat detection and clean-up capabilities, says Boyer, but where banks don’t have confidence in such promises, they would go ahead and insist on their own investigation.

He confirms that some of BitSight’s financial clients chose to terminate supplier relationships as a result of SolarWinds compromises. In one case, the threat of termination was sufficient for a supplier to upgrade security practices.

Scorched-earth approaches such as firing vendors or reformatting internal networks aren’t too common following investigations, but they do happen, say cyber experts.

Norton recalls conducting one investigation into an intrusion, which took more than 12 months, and concluded with a full reformatting of the organisation’s IT systems: “They wanted guarantees we couldn’t give them, so they nuked everything.”

Regulatory response

The difficulties of guarding against third-party vulnerability could be helped by forthcoming regulations to mitigate against suppliers’ misleading claims to adequate security practices, giving clients more rights to scrutiny.

The European Union is preparing two pieces of regulation that seek to address supply chain risk. The Digital Operational Resilience Act (Dora), proposed in September 2020, would consolidate third-party risk approaches across financial sector companies and impose cyber security standards on key IT suppliers.

And an updated EU directive on the security of network and information systems (NIS 2), issued in December 2020, contains revised cyber security requirements for companies involved in the provision of ‘critical infrastructure’ across Europe, and applies to banks, trading venues and central counterparties.

“Dora, NIS 2 – and the data protection elements of the General Data Protection Regulation – place an emphasis on the supply chain,” says Antonis Patrikios, a partner in the global privacy and cyber security group at law firm Dentons. “These pieces of legislation will give additional comfort to financial services because they start to place direct obligations and liability on service providers in the supply chain.”

Lawyers say the new EU legislative packages should, besides increasing security for the financial sector, bring clarity to complex legal terrain. Right now, some argue, it’s difficult for banks to point the finger at a particular software supplier in the event of a breach or outage.

Stuart Davey, partner at Pinsent Masons, a law firm that has represented multiple financial companies in claims against cyber-stricken third parties, says: “It’s challenging because you’re beholden to the provider to tell you what’s happened. A financial company might not understand the technical architecture and what the vulnerability was.”

Andrew Moir, global head of cyber and data security at Herbert Smith Freehills, says the regulations will make it easier for a bank to pinpoint vulnerabilities in the case of outages or hacks: “They’ll be able to point to specific requirements under Dora and NIS 2, and seek assurances from the suppliers that those requirements are being met.”

Patrikios says he‘s confident Orion-type software would be deemed critical by NIS 2: “It would likely be considered a critical service because it taps into critical systems and databases, as software that helps banks to operate. If that goes down, the bank might not work properly.”

Cyber experts are watching the legislative progress with interest. But views are currently mixed. BlueVoyant’s Hannigan says it’s “worthwhile” to make tech firms liable for meeting basic resiliency standards, but questions how far the EU can go, drawing the analogy that if Microsoft were to be made fully liable for the various flaws and vulnerabilities in new Windows operating systems, it might never release another version.

The order impacts those who want to do business with the federal government, and that’s going to have a ripple effect

Michael Bahar, Eversheds Sutherland

And the impending legislation would not absolve financial firms of their obligations to ensure supply chains are secure. Patrikios says it would simply codify practices at larger firms, which already keep to rigorous security standards, while smaller firms might struggle with implementation.

Dora is expected to be in force by 2023 at the latest, while NIS 2 remains subject to negotiations between co-legislators. The European Commission did not respond to a request for comment.

Cozy Bear baits American eagle

In the US, the proposed bipartisan Cyber Incident Notification Act of 2021 would require federal government agencies, contractors and critical infrastructure operators to notify the government when a breach is detected, with limited immunity granted to companies that do so. Serious incidents would need to be reported within 36 hours.

Bill Satchell, a partner at Allen & Overy, says the rulemaking expands the scope of incidents that must be reported to regulators – beyond intrusions that compromise customers and those with criminal intent – and accelerates the timing of notifications.

A further proposed bill seeks to create a federal government-trusted list of software suppliers, while another would subject cyber criminals targeting critical infrastructure, including the US financial sector, to stiff penalties.

But the highest-profile official US response to SolarWinds came directly from its president. In an executive order released in April this year, the Joe Biden White House announced a fresh set of economic sanctions on Russia, levied for what the US described as “harmful” and “destabilising” behaviour, including “malicious cyber activities, such as the SolarWinds incident”.

The order formally named the SVR and a team of accomplished cyber criminals known as Cozy Bear as perpetrators of the hack, stating that US intelligence services had “high confidence” of the group’s responsibility.

In May, Biden issued a second executive order on cyber security improvements. While SolarWinds is not mentioned by name, the statement cites “persistent and increasingly sophisticated malicious cyber campaigns” as a key impetus for its policies. These include: reducing logistical snags in government-level cyber incident responses; moving towards “zero-trust” cyber security architecture for government agencies; and consulting on improving the management of software supply chain risk.

“The order impacts those who want to do business with the federal government, and that’s going to have a ripple effect. Everybody who subcontracts through the government will also have to maintain a degree of cyber security,” says Michael Bahar, a partner and co-leader of the cyber security and data privacy practice at Eversheds Sutherland. “If you’re marketing to the government, you’re probably also marketing to big banks and financial institutions. They are going to benefit from that high-watermark approach to cyber security.”

Frankly, it was a big middle finger to the cyber security industry as well as the US government

Senior technology executive

This summer, the SEC also announced an investigation into the hack. The agency sent letters to companies it believes “may have been impacted by the SolarWinds compromise”, although it wouldn’t reveal how it had learned which firms were implicated. Nor has it named the companies contacted or released any information about response rates. Responses are voluntary, says the agency.

The DFS report identified 88 firms in New York alone said to have used a “corrupted version of Orion”. Of those, the DFS said 36 were using versions infected with Sunburst, and 52 had versions vulnerable to Supernova, a separate malware strain that Microsoft has said is likely the work of a different hacking group. Ten of the implicated firms opted to decommission Orion. The DFS, like the SEC, did not name any firms in its report.

The report adds that “no DFS-regulated company has reported that the hackers behind SolarWinds actively exploited their company’s network”. Risk.net sought further detail on this point from the DFS, asking whether it took steps to confirm the claims from firms and if they could evidence that backdoors were not accessed. The DFS did not respond to several requests for comment for this article.

Whatever the exact reach of the incursion, the senior technology executive succinctly sums up its effect: “Frankly, it was a big middle finger to the cyber security industry as well as the US government.”

European banks set for 17.6% capital hike under Basel III

By Lorenzo Migliorato | Data | 4 October 2021

Output floor expected to push Tier 1 capital requirements up 7.3% alone, latest BCBS monitoring report shows

Large European banks are expected to see their Tier 1 capital requirements increase by 17.6% under the fully loaded Basel III rules compared with end-2020 levels, figures from the Basel Committee on Banking Supervision (BCBS) shows.

The average capital increase for European Group 1 banks – internationally active firms with more than €3 billion ($3.5 billion) in Tier 1 capital – is driven by the output floor, which is expected to hike their minimum required capital (MRC) by 7.3% over eight years.



Tweaks to required capital for credit risk would inflate MRC by 4%, and those for operational risk by 3.8%, while changes to required capital for market risk and credit valuation adjustment (CVA) components would push MRC up 2.1% each. On the other hand, reduced capital requirements linked to the leverage ratio would bring associated Tier 1 minimums down 1.6%.

The reforms’ estimated impact on banks in other geographies is much milder. Group 1 lenders in the Americas were projected to see MRC rise by 2.5% as lower requirements for op risk, the output floor and CVA help offset rises elsewhere.

Dealers from the rest of the world stand to see their capital requirements fall the most among Group 1 banks, by 5.8% on average, driven by lower required capital for credit and op risk.



On aggregate, Group 1 banks are set for a 2.9% increase in their capital requirements from end-2020. Global systemically important banks, which are part of Group 1, would see their expected Tier 1 capital charge rise 3.5%.

Smaller Group 2 banks – those with less than €3 billion in Tier 1 capital – are expected to see MRC rise by 6.4% on average, with a 13% increase in risk-based requirements partially offset by a 6.6% drop in the leverage ratio constraint. The BCBS did not break down results by region for Group 2 banks.

What is it?

The Basel III monitoring report, issued semi-annually by the Basel Committee, assesses the effects of new regulatory standards on large banks. Capital, liquidity and leverage ratio metrics are taken by data submitted by national supervisors on a representative sample of institutions in each country. BCBS countries must implement the final batch of reforms by 2023 and adopt them fully by the start of 2028.

The latest report, based on end-2020 data, covers 178 banks. These include 111 Group 1 banks, 30 of which are G-Sibs, and 67 Group 2 banks.

The MRC analysis is based on 89 Group 1 banks and 54 Group 2 banks.

Why it matters

The writing is on the wall for Europe’s largest banks, so it’s not surprising they have been seeking lawmakers’ help to dilute Basel III reforms with country-specific amendments.

Proposals to tackle the outsized impact of the output floor – which bars banks from reducing their modelled capital requirements below 72.5% of the amount generated by the revised standardised approach – have not been without controversy. The European Commission, for instance, appears to have backtracked on a ‘parallel stack’ approach that would have eased the floor’s impact, though it is still pursuing amendments to make the reforms easier to digest.

For their part, the continent’s national regulators, both inside and outside the European Union, have been already imposing output floors on riskier parts of the credit book, like mortgages. Meanwhile, sweeping corrections imposed by the European Central Bank’s years-long targeted review of internal models have reduced the divergence between standardised and in-house risk outputs.

Such regulatory moves may well preempt a cliff-edge hit to capital adequacy from Basel III, by bringing forward its ultimate effects. They may also make any future, quasi-protectionist adjustments in one jurisdiction more acceptable to fellow BCBS board members.

Get in touch

Like Risk Quantum? Sign up for free to our daily newsletter and check @RiskQuantum for the latest updates.

If you have any thoughts on our latest analysis or want to suggest other ways to present and analyse the data, you can email us.

Tell me more

ECB sees slim gains, larger losses if EU tweaks Basel III

ECB’s models review heaped €275bn of extra RWAs on banks

EU changes to Basel III would soften capital blow

View all regulator stories

Establishing an effective conduct risk framework

By Commercial Editorial | Advertisement | 30 September 2021

The Panel

  • Steve LoGalbo, Director of Product Management, NICE Actimize
  • Yaron Naor, Vice-President and General Manager, Americas, eLoomina
  • Michael Kenney, Vice-President Operational Risk, Freddie Mac
  • Christian Hunt, Founder, Human Risk
  • Moderated by: Phil Harding, Commercial Editor, Risk.net

The stakes have never been higher when it comes to conduct risk. Regulators now look to hold senior managers personally liable for the misconduct of their employee populations and, with teams more globally dispersed, managing conduct and culture is more challenging than ever.

Key topics discussed:

Risk Technology Awards 2021

By Commercial Editorial | Advertisement | 13 September 2021

Recognising vendor excellence in credit, operational and enterprise-wide risk management

The 2021 Risk Technology Awards recognise vendors that have excelled in helping the industry meet its various challenges in the fields of anti-money laundering, credit and operational risk, as well as wider enterprise risk management. 

The award winners were decided by a judging panel, consisting of technology users and the editors of Risk.net, and based on the strength of entries alone. These awards include 21 categories, focusing on enterprise risk, operational risk and credit risk.

Op risk data: DeFi-ant crypto hacker steals $610m

By ORX News | Opinion | 8 September 2021

Also: Amundi fined for index manipulation; Wells pays out over client fraud. Data by ORX News

August’s largest loss saw crypto platform Poly Network fall victim to a hacker who stole approximately $610 million worth of crypto assets. The thief, dubbed Mr White Hat, in a nod to the activities of so-called ethical hackers, reportedly targeted a vulnerability in the digital contracts Poly Network used to move assets between different blockchains.

Poly is a decentralised finance (DeFi) network, which allows buyers, sellers, lenders and borrowers to interact with a strictly software-based middleman, rather than a company or institution facilitating a transaction. Poly Network was able to negotiate with the hacker, and recouped most of its stolen assets.

However, it did not constitute a rapid recovery: nine days later, $269 million was still tied up in so-called multi-signature crypto wallets, and, separately, by crypto firm Tether, which said it froze client assets to prevent laundering of funds, and to assist Poly in its recovery.



August’s second-largest loss concerns a $110 million Ponzi scheme involving Livingston Group Asset Management, its subsidiary Southport Capital and executive John Woods.

According to a US Securities and Exchange Commission suit, while working for an investment adviser – not named in the suit, but identified in a subsequent investor class action as boutique investment bank Oppenheimer – Woods started a fund in 2008 called Horizon Private Equity, and encouraged Oppenheimer customers to invest, promising 6–7% returns over two years.

Woods later founded Southport Capital and employed his brother, a colleague at Oppenheimer, as CEO as well as his cousin, who was also an employee of Oppenheimer. The SEC complaint stated that Southport had more than $824 million in client assets under its management. Woods concealed his involvement with Southport Capital and Horizon from his employer, the suit claims, adding that Southport Capital operated from an office that was next door to Oppenheimer’s office.

In public statements on the suit, lawyers for Southport Capital have said the firm intends to defend itself against the SEC’s allegations.

The third-largest loss of the month was a $100 million fine from US regulators Commodity Futures Trading Commission (CFTC) and Financial Crimes Enforcement Network, against crypto exchange BitMEX.

According to the watchdogs, between November 1, 2014, and December 12, 2020, BitMEX offered leveraged trading of cryptocurrency derivatives (including bitcoin, ether, and litecoin derivatives) to retail and institutional customers in the US, despite not being authorised to do so. The order found the exchange was aware that US customers could access the platform via VPNs, and that US customers were placing orders directly through BitMEX’s user interfaces.

Additionally, the exchange failed to collect, verify and keep records of specific customer information, as well as failing to build a know-your-customer programme, and an anti-money laundering (AML) programme. At least $209 million in transactions were made through BitMEX with known darknet markets or unregistered money services businesses providing mixing services, as well as transactions involving high-risk jurisdictions and alleged fraud schemes.

The order recognises that BitMEX has engaged in remedial measures, including developing an AML and user verification program, and that the bourse has certified to the CFTC that US customers are prohibited from accessing the BitMEX trading platform.

The fourth-largest loss reported in August featured another cryptocurrency platform: Japan-based Liquid. The firm announced that it had detected unauthorised access to some crypto wallets it managed during which some $97 million in cryptocurrencies was stolen.

In an August 19 statement on Twitter, the firm said: “We are sorry to announce that Liquid Global warm wallets were compromised, we are moving assets into the cold wallet” – ie, from online accessible wallets to offline cold storage.

The firm is keeping investors updated on recovery efforts via its website.

The fifth-largest loss this month occurred as French regulator Autorité des marchés financiers (AMF) fined two majority-owned subsidiaries of Crédit Agricole – funds giant Amundi Asset Management and Amundi Intermédiation, its trading arm – for alleged price manipulation of futures contracts on the Euro Stoxx 50, and for failing to have policies and procedures in place to detect market abuse and to manage conflicts of interest between its different fund classes.

In its decision of August 4, 2021, the AMF fined Amundi Asset Management, Amundi Intermédiation, Tullett Prebon and three of their former employees, Ludovic Delion, Gregory Saey and Thomas Vignon, between €20,000 and €25 million – totalling over €37 million – over the alleged use wash trades to manipulate the price of futures on the index.

The watchdog also handed down two warnings and two 10-year bans for Delion and Saey on practising related services.


Spotlight: Wells pays out over fraudulent client

Wells Fargo agreed to pay $1.9 million in compensatory damages to Electronic Funds Transfer Corporation, a payment processing company, for misrepresenting the financial health of one of its clients, Checkcare. The now-defunct firm specialised in guaranteeing clients’ payments on the face value of a cheque, a process that necessitated drafting its own remotely created cheques (RCCs) – which, as the judge noted, remain unsigned, and are hence highly vulnerable to fraud.

“Checkcare would deposit the RCCs in its Wells Fargo account, and if they were returned, it would attempt to collect the cheque amount, plus large penalties, from the payor. Because RCCs are not signed, they are subject to a high risk of abuse and fraud by creating and depositing an RCC against a customer’s account without the customer’s approval,” the judgement noted.

A Florida court found Wells Fargo misrepresented that the now-defunct Checkcare’s account appeared to be in good standing, when in fact Wells had already decided to terminate its relationship with Checkcare over concerns it was engaging in high-risk or fraudulent business practices. This misrepresentation induced EFT to continue its ongoing business relationship with Checkcare, ultimately resulting in EFT incurring substantial losses.

All information included in this report and held in ORX News comes from public sources only. It does not include any information from other services run by ORX, and we have not confirmed any of the information shown with any member of ORX.

While ORX endeavours to provide accurate, complete and up-to-date information, ORX makes no representation as to the accuracy, reliability or completeness of this information.

New China data law threatens KYC efforts

By Karen Lai | News | 31 August 2021

Local banks will need permission to export any data that could end up in the hands of foreign law enforcement bodies

A new Chinese data protection law that will come into effect in September threatens to make it harder for the offshore know-your-customer (KYC) functions of global banks to meet risk management and regulatory obligations.

While personal data laws are not new to China – and have been gradually tightened in recent years – the new requirements add a fresh twist by preventing domestic organisations and individuals from providing data stored onshore “to foreign justice or law enforcement bodies without the permission of the competent organs of China”. Industry sources say they expect regulators such as the China Banking and Insurance Regulatory Commission and the China Securities Regulatory Commission to be tasked with granting such permission – an untested regime that could slow or stop the flow of information from banks in China to their foreign offices.

“Most banks will have a small team of people set up as part of their financial investigation unit who are tasked with seeing across all countries,” says a former senior executive at one global bank. “They wouldn’t look at every customer relationship, but sometimes they would be able to spot a potentially high-risk customer from one country appearing in another. This new China data law may make it harder to run such a team.”

Banks around the world are under pressure to show they can safely run cross-border networks after a series of money-laundering scandals and accompanying heavy fines – in 2012, HSBC was hit with a $1.9 billion penalty by US authorities for failures relating to business with banks in Japan, Mexico and Saudi Arabia. The final cost of Danske Bank’s more recent failure to shut down suspicious activity in its Estonian branch is not yet known, but could run to more than $3 billion, according to some estimates.  

It is usually up to a bank’s financial investigation unit to examine transactions in order to make sure the clients involved are in line with the bank’s KYC policy. If there are any red flags then the bank may have to prevent certain transactions from going ahead. Such investigations rely on data-sharing between the different units involved in a particular transaction.

But China’s new data law appears to give Beijing the right to stop data leaving the country if there is a chance it could end up in the hands of overseas authorities, potentially as part of a formal investigation of financial crime – which, given a bank’s regulatory obligations, is often a very real possibility.

“There’s quite a lot of uncertainty in this provision, because it’s not clear what relationship it has to an international bank and its overseas law enforcement agencies – or even what constitutes a ‘law enforcement agency’,” says Alex Roberts, a Shanghai-based technology and data lawyer for Linklaters.

This puts international banks in a difficult position. In order to get hold of the data needed for internal KYC risk management, a bank would have to convince the Chinese authorities that the data would not be shared any further. This could leave the bank in conflict with its home regulator.

For example, in the US, the 2018 Cloud Act stipulates that US government bodies must provide access to data-under-management of US companies in situations where such data may be pertinent to criminal investigations.

“The Chinese government is now effectively saying that data in China cannot be disclosed to other regulators without the authority’s consent. This may present something of a dilemma for international businesses,” says Yang Xun, a lawyer at Chinese law firm Llinks.

The law is particularly likely to hit cross-border transactions, where each of the banking entities involved needs to have a good insight into the customers they are doing business with, so they can stay in compliance with local laws.

“If data requirements keep getting stricter, then international banking may become more domestically focused in some of these places,” says the former senior bank executive. “This might work for many areas, but not when it comes to business that is inherently cross-border, such as trade finance, international project finance or investment flows between countries.”

Given the size and the importance of the Chinese market, few banks would want to put their Chinese business at risk by not conforming to the new data law.

Local units

China has been gradually tightening up its data protection laws. In 2017, the country introduced a far-reaching cyber security law, which promoted data localisation over cross-border data-sharing.

In response to these tighter data restrictions, some banks have chosen to set up new data teams in order to look at how data can be analysed onshore before being aggregated into high-level reports – that are in line with China’s data laws – and sent to head office.

“We use our group technology to mine data in China and provide a report to our management in [head office],” says the head of China at one Asian bank. “Perhaps this isn’t the easiest way of doing things, especially if we want to perform some analytics on both group and China data together, but it is manageable – and for most cases, it is enough.”

This can put a lot of pressure on local staff, however, who have to stay on top of regulatory obligations in other jurisdictions as well as in the local Chinese market.

“If we can’t share the data offshore, then we have to leave it up to our local staff to understand things like customer behaviour and how deals are structured – and when it comes to global deals this might not be easy,” says one regional head of compliance at a US bank.

The former senior bank executive says this may not sit well with regulators. “How can banks make sure the guys in the local market have done their jobs?” he asks.

This is even harder in the current environment, where ongoing travel restrictions make quick and effective communication of any new rules all the harder.

“A lot of being able to understand different practices, laws and rules in different jurisdictions comes from travelling, talking and meeting people, and we can’t do that at the moment so effectively,” says the managing director from one data vendor in the region. “Of course, there’s always virtual meetings, but these are not as good as direct interaction.”

Editing by Blake Evans-Pritchard

Stronger together: CLS’s chief risk officer on risk culture

By Costas Mourselas | Profile | 19 August 2021
Deborah Hrvatin

Deborah Hrvatin discusses integrated risk management, mega-hacks and model risk

The scale of the losses sustained by Credit Suisse when a now-infamous client defaulted in March shocked the financial industry. Many things went wrong at the bank to result in the haemorrhage of $5.5 billion, but one of the most unexpected was the fact that the person managing the risk posed to Credit Suisse by Archegos was a former sales and marketing executive, rather than a risk management professional.

A recently published tell-all independent report lists, among other missteps by Credit Suisse, a litany of mistakes made under the leadership of the inexperienced risk manager. These include a failure to invoke liquidity add-ons previously agreed with Archegos and avoidable delays in moving the family office to dynamic margining. The bank’s US Delta One traders – the first line of defence – also come in for criticism for missing multiple red flags.   

The pile-up of errors is an example of the kind of risks that Deborah Hrvatin, chief risk officer (CRO) at foreign exchange settlement giant CLS, has spent much of her career fighting. Before her current role, she held operational risk positions at Citi, Deutsche Bank and Bankers Trust, which was bought by Deutsche in 1999.

“Your second line has to be a credible, independent challenge to your first line, and your first line has to own the risks they are taking,” Hrvatin says. “More widely in the organisation, risk management should not just be the domain of risk teams – the whole organisation must understand and manage risk.”

An overarching risk culture is necessary to bring together the core pillars of operational, financial and other risks, she argues.  

“If you don’t have a good risk culture, the rest of the individual parts of your framework will not gel together,” Hrvatin says. “A lot of firms have siloed their risk management activities, but I believe the industry needs to move towards integrated risk management.”

A lot of firms have siloed their risk management activities, but I believe the industry needs to move towards integrated risk management

Deborah Hrvatin

This involves a shared risk taxonomy, which everyone from the first line to the third line must understand, and requires everybody at the firm to think like a risk manager. It also helps when the CRO has a hard reporting line to both the chief executive and the board, which raises the profile of the risk function and helps improve the risk culture from the very top of the organisation, she says.

Hrvatin’s other belief mirrors the distinctive approach of her former boss, as well as mentor and friend, Deutsche CRO Stuart Lewis. When he became CRO of the bank’s notoriously aggressive investment banking division in 2010, he repeatedly raised concerns about the way the business was run. Lewis continued with this proactive approach when he was promoted to CRO of the entire bank in 2012, managing to keep the trust of five successive chief executives that have headed the bank since then.

Hrvatin takes a similar view.

“As a CRO, you have to be forthright and you have to really influence the organisation to adapt and understand that a certain behaviour may have an impact on a broader [business] goal, or the ecosystem at large,” she says, adding that, as a market infrastructure firm, CLS needs to be particularly conscious of its potential impact on the financial system.

Supply chain and model risks

Hrvatin displayed the same prudence when she decided to significantly increase the scrutiny of CLS’s fourth and fifth parties, to get advance warning of the risks stemming from its third parties. She believes that cyber criminals are focused on large technology vendors because, through them, they can infiltrate the numerous organisations the vendors serve.

A striking example of this is the hacking of SolarWinds last year, which gave criminals a way into the US government agencies and large companies that used the provider’s software.

“As soon as we see a vendor has been impacted by a cyber attack, we immediately try to determine if they had a relationship with our primary third parties. We interrogate that data daily,” Hrvatin says.

“We are putting just as much rigour into investigating fourth parties as we do when checking our own third parties. That’s why I prefer to call it supply chain risk, because the risk extends further, and closer scrutiny is needed to ensure operational resilience.”

Equally, Hrvatin and her team clearly put a lot in during the FX market convulsions set off by the Covid-19 pandemic last year – sources say CLS handled the crisis well.

We want to be able to run our own fully independent challenger models in-house

Deborah Hrvatin

Smooth sailing was a tall order during that turbulent period. The average daily traded volume submitted to CLS in March 2020 was a record $2.19 trillion, up by around one-fifth compared both with February that year and March 2019. And Hrvatin coped with the trading spikes with only a few months’ experience as a CRO under her belt, as she joined CLS in November 2019 in her first such role. According to the firm, its settlement services were available 100% throughout 2020.

Another area where Hrvatin has already left her mark is CLS’s model risk management.

“This is an area where there used to be a lot of outsourcing,” she says. “But I need the subject matter expertise in-house, so I’ve been investing in our team significantly to improve the balance. We want to be able to run our own fully independent challenger models in-house.”

Hrvatin has recently hired two model risk managers as part of her drive to reduce reliance on external consultants. CLS currently uses the services of around 14 PwC advisers to support model validation.

“I think I’ll always use outsourcing to some extent because it’s really easy to scale up when we need to,” Hrvatin says.  

Including the two new model risk managers, she manages five people in this function, as well as seven liquidity and market risk managers, four credit risk managers, three enterprise risk managers, four information security risk managers and 16 operational risk managers.

All hands on deck

Hrvatin’s position as a CRO builds on her previous experience working across all three lines of defence. In addition to other roles, she has worked as a risk and capital strategist in the first line risk function at Deutsche and as a bank examiner at the Federal Reserve Bank of New York, which some see as a fourth line of defence.  

Hrvatin’s role at CLS also gives her exposure to a market that’s new to her – and she moved to the firm partly because she found the challenge of minimising settlement risk in the vast FX market “exciting”.

Via its main service, CLSSettlement, CLS stands between banks in the market and settles underlying payment instructions of currency trades, releasing currencies between counterparties only once all involved have delivered what they promised. Owned by many of the world’s largest financial institutions, CLS also reduces the size of massive global currency flows by netting down firms’ trade-by-trade gross obligations to more manageable amounts they must deliver in each currency.

Although praised for reducing settlement risk since its establishment in 2002, CLS has faced calls from its members for two main changes. One involves making it easier for non-banks to join CLS, while the other concerns extending CLS’s settlement service to the emerging-market currencies it does not currently cover.

CLS is addressing these calls. As it evolves, Hrvatin will want to make sure her team is an integral part of the process.

“When risk culture is right, risk management isn’t seen as preventing business from advancement, but helping business move in the right direction, aligning with the strategic goals set by the business,” she says.

Put another way, Hrvatin doesn’t want risk managers to be pitted against direct profit-generators, such as traders – instead, the two groups should work together towards the same goals.

The consequences of not doing so are plain to see.  

Biography – Deborah Hrvatin

2019–present: Chief risk officer, CLS

2017–2019: Global head of operational risk management for Institutional Clients Group, Citi

1996–2017: Risk and operational roles, latterly Americas head of operational risk, Bankers Trust and Deutsche Bank

1991–1996: Senior bank examiner, Federal Reserve Bank of New York

Editing by Olesya Dmitracova

Tackling insider fraud – Best practice for banks

By Commercial Editorial | Advertisement | 6 August 2021

Volatile markets, the pivot to remote working and the prevalence of private messaging are just some of the factors contributing to the rising risk of insider fraud. At a recent Risk.net webinar, an expert panel explored the challenges for banks and financial institutions in monitoring and mitigating this complex threat

The panel

  • Omri Kletter, Fraud and Risk Management, Global Vice-President, Bottomline
  • Chandrra Sekhaar, Managing Director, Global Head of Audit, ING
  • John Keogan, Head of Fraud Risk, Internal Fraud Prevention, Standard Chartered Bank
  • Francisco Mainez, Global Head of Analytics, Business Financial Crime Risk, Wealth and Personal Banking, HSBC
  • Moderator: Steven Marlin, Risk.net

Banks and financial institutions worldwide are struggling with the management and control of insider fraud, a growing problem in the current environment. Changes in work practices, financial hardship, new communication channels and heightened market volatility, all induced by the Covid‑19 pandemic, have added to the circumstances in which fraudulent activity may thrive.

Recent Risk Quantum analysis shows that in the UK, external and internal fraud accounted for a major share of the operational risk losses at five top UK banks in 2020, and made up a greater portion of the average total than the year before.

At Barclays, Lloyds, NatWest Group, Santander UK and Standard Chartered, fraud was cited as the cause behind 38% of total op risk losses by value on average. The year before it was 22%. 

The recent surge in insider fraud cases is concerning for the industry. Regulators around the world have recognised these challenges and are united in urging firms to address the problem as part of their operational resiliency agenda and to prevent disruption as much as possible. 

The Bank of England’s policy statement on operational resilience for financial firms, published in March 2021, states that the Prudential Regulation Authority (PRA) expects firms to plan for all severe stresses, whatever their probability. 

To be operationally resilient, companies should be able to prevent disruption occurring to the greatest extent practicable and adapt systems and processes to continue to provide services and functions in the event of an incident, according to the PRA. They must also return to normal running promptly once disruption is over, and learn and evolve from incidents and near misses.

While staff can be reluctant to believe their colleagues are capable of criminal behaviour, firms are waking up to the fact that insiders represent one of the easiest channels through which the most resilient of defenses can be breached. The Monetary Authority of Singapore (MAS) also issued a circular in March, alerting firms to the increased risks of fraud due to remote working, including lack of physical oversight, collusion with other insiders or external parties, circumventing controls and inappropriate communications with customers.

The MAS recommends that banks conduct periodic reviews of remote access activities in higher-risk functions, such as trading and investment advisory, to identify suspicious incidents and trends. It also recommends enhanced surveillance of trades to ensure that they were transacted in accordance with established procedures, as well as monitoring keystrokes logging. 

It is clear that incidents of insider fraud – whether rogue trades, payment frauds or interest rate benchmark collusions – are on the rise. And the lingering effect of such events on data integrity and security, consumer trust and brand reputation is far-reaching and in most cases immeasurable.

To be prepared for these exigencies while being resilient, firms will need to prioritise best practices. They must also adopt agile next-generation technology that can detect fraudulent activity early and effectively with the use of data and smart analytics.

Fraud pandemonium 

Insider fraud – whether internal or external – is not a new phenomenon. Banks and other financial institutions, including certain government departments, have been at risk of internal fraud since the industry’s inception. 

But the risk is in sharper focus now because of the combined challenges brought on by altered working environments and heightened market volatility. In turn it is becoming more essential for firms to re-assess surveillance controls and test their strength across various work arrangements, whether in-office or remote locations. 

Omri Kletter, Bottomline

Omri Kletter, global vice-president for fraud and risk management at Bottomline, said that internal fraud impacts all organisations, big and small, across all regions. “Fraud is becoming one of the main pandemics of our [time],” he warned.

Fraud can be facilitated more easily today across the digital landscape of real-time payments, new user accounts or payment support systems. “Full collusion is 10 times easier when there is a digital application,” Kletter added. 

As a result, internal fraud has intensified and Kletter estimates that, for some organisations, up to 50% of overall payments fraud today is related directly, or indirectly – in effect, triggered by – internal fraud. 

Cut the silo noise

Organisational silos pose a perennial challenge in fraud detection, but firms are beginning to observe more grey areas and elements to internal fraud, beyond the traditional distinction of internal fraud and external fraud. “The concept of [an] employee is not necessarily as it was before – we have more contractors or vendors now,” Kletter said. “Being open-minded to the different types of employees, not just the different types of fraud, is critical for [the] success of detection.”

Insider fraud can be complex, especially when there is collusion across areas of asset misappropriation, rogue trading, manipulation of indexes, data theft, outright theft, abuse of position and overriding controls. Determining the nature of each risk allows firms to benchmark fraudulent activity levels in better detail.

When implementing data collection and monitoring solutions for clients for instance, Kletter pointed out that the aim is not just to detect fraud but also preempt it. “There are a lot of activities around policy and processes’ violation and those are good indicators sometimes that fraud will follow.”

Collecting and monitoring data and raising the red flag earlier is critical for fraud prevention. A more holistic viewpoint on fraud, irrespective of its business type and silo, can provide clearer insight into the direction fraud risk will travel.

Optimise best practices

Financial institutions and banks across the board are already using analytics to better manage security and controls. Nevertheless, organisation-wide culture, as well as systems and processes, must be adaptable to changing patterns of fraudulent activity. 

John Keogan, head of fraud risk, internal fraud prevention at Standard Chartered Bank, emphasised the importance of having the right message and tone from the top: “It’s absolutely important to have the right culture and the right messaging from the senior management of the bank.” 

Firms must stress to employees that fraudulent activities will not be tolerated, and that staff must display exemplary behaviour in this respect, he said.

“It is a clear message that needs to be shared and this is further cemented by having a very robust training and awareness programme, which focuses on the business and also talks about the business-agnostic types of fraud such as travel and expenses fraud,” Keogan added.  “If you allow small frauds to happen, there is potential for other misdemeanors also.”

How else can firms raise their game in tackling insider fraud? Developing best practices in resource management, prevention and processes is vital. Keogan recommends setting up ‘insider threat working groups‘. 

“Having a group that can get together and look at the [similarities and] common control structures, and share that information about their risk population is a powerful tool,” Keogan said. 

Sharing risk resources that can span areas such as IT specialists for data exfiltration, anti-bribery and corruption risk team members, sanctions violations as well as other fraud management teams must become essential, according to Keogan.

Chandrra Sekhaar, managing director and global head of audit at ING, agreed, recommending that firms set up a cross-business working group to focus on conduct. He also believes controls should be built around risk appetite. 

“What is acceptable and what can be done to keep the risk within that acceptable level? This helps define and drive the strategy on awareness, training courses and market abuse scenarios to help inform data analytics to spot unusual behaviour.”

Risk appetite aside, one of the most crucial aspects of any surveillance process is technological advancements. New tech is at the forefront of early and effective fraud detection. Machine learning, which is also being applied in detection systems and tactical surveillance systems, is becoming more prevalent. 

Next-generation platforms offer automated workflows for payment processing and bill review, and state-of-the-art fraud detection, behavioural analytics, and regulatory compliance solutions.

A way forward

The aim of any surveillance – especially that of fraud risk surveillance – must be deterrence, not just detection. 

Building solid strategy must go hand-in-hand with technology, while making the data available and adopting a proper analytics approach. 

Allowing data inputs to bring in information from external resources and carefully managing them can together prepare firms for the next stage of fraud prediction, prevention, and the resulting future resilience.  

Rendering data collection such that it is non-intrusive is essential in fraud tracking, Kletter noted: “One of the best practices is really to understand the journey of any internal attack and be ready for it.”