Singapore banks step up their game against internal fraud

By Steve Marlin, Blake Evans-Pritchard | News | 8 June 2021

Firms respond to MAS warnings about dangers of remote working spurred by Covid

Singapore’s banks are responding to prompts from their governing authority to beef up defences against internal fraud, since remote working – a necessity sparked by the pandemic – has increased the risk of staff misconduct.

The Monetary Authority of Singapore (MAS) warned in March of the increased risks created by remote working, including lack of physical oversight, circumventing controls, collusion with insiders or external parties and inappropriate communications with customers.

“It sets the bar quite high,” said John Keogan, head of internal fraud at Standard Chartered, during a recent Risk.net webinar on insider fraud. “There has been an uptick in awareness around breaches of controls. The world isn’t going to go back to the way it was, and people will be working in environments which can’t be controlled.”

While Singaporean financial institutions have policies in place to make sure that trading data is being properly captured in line with regulations, without the ability to monitor people at home, they have no way to ensure these guidelines are being followed.

Traditional business continuity plans (BCPs) for trading floors involved having a second trading floor somewhere else in case the primary site wasn’t working, says Chris Fordham, managing director at Alvarez & Marsal’s disputes and investigations team in Hong Kong.

“Organisations wouldn’t necessarily have had a BCP where everyone was suddenly working from home. If you weren’t on the trading floor, you weren’t trading. That would have been the concept previously,” he adds.


The MAS’s March paper sends a clear message to banks that they need to do a better job of managing controls over remote working environments. It recommends banks conduct periodic reviews of remote access activities – especially for staff in higher-risk functions, such as trading and client investment advisory – to identify any suspicious incidents and trends. It also recommends enhanced surveillance of trades, to ensure they were transacted in accordance with established procedures, and monitoring of keystroke logging.

“The recommendations … are trying to encourage organisations to move in the right direction,” says John Lee, Singapore chief executive of Maybank. “Organisations will need to evaluate what the right balance is and what culture they want to have. Do they want to have a more controlled … or a more collaborative kind of culture?”

Banks were already struggling with addressing and measuring risk culture, but Covid has accelerated the need to assess areas where they might need to improve, says Alvarez & Marsal’s Fordham.

“Organisations find it very difficult to measure culture because it’s a concept: it’s not something you can easily score,” he says. “Now, it’s even more important to be able to measure it if they are to reduce opportunities to commit fraud – especially when the economic environment is under stress.”

Remote interest

Many firms are at a critical juncture in determining how and to what extent people should be permitted to work remotely. Whereas offices provide a controlled environment in which access to parts of the business is restricted, and controls are placed around technology access, increased remote working has blurred some of these lines.

Firms are now under pressure to consider changes to the controlled environments they enacted during the crisis, and are working through which jobs are suited to working remotely, and what is needed to support them. The technology support and risk management framework required will inevitably depend on the individual employee’s role.

Maybank says it is investing in technology to create a ‘working bubble’ at home, which allows employees to access certain systems – with security protocols in place to govern access to email or copying a document from a personal device to a work device. For some firms, this will entail a significant upgrade in technology.

“If you have older systems, introducing some of these practices can be harder,” says Maybank’s Lee. “I think it is probably safe to say that all banks and financial institutions are now looking at this to an extent. I don’t think anyone is able to say at the moment: ‘Yes, we are fully prepared for this.’”

Op risk data: UBS, Nomura, UniCredit hit with $450m cartel fine

By ORX News | Opinion | 3 June 2021

Also: State Street collared for expense overcharging; S&P’s Vix mix-up. Data by ORX News

In May’s largest operational risk loss, UBS, Nomura and UniCredit were fined a total of €371 million ($453.5 million) by the European Commission for breaching European Union antitrust rules in primary and secondary market trading of government bonds.

The EC found that traders at seven investment banks (Bank of America, Natixis, Nomura, NatWest Group, UBS, UniCredit and WestLB, now Portigon) had participated in a cartel between 2007 and 2011. The traders were in regular contact, mainly in chatrooms on Bloomberg terminals, where they exchanged commercially sensitive information on prices and volumes offered in the run-up to bond auctions. They reportedly discussed bidding strategies for primary issuance of euro-denominated bonds, and trading parameters in the secondary market.

UBS received the largest fine of €172.4 million, Nomura was fined €129.6 million, and UniCredit was fined €69.4 million. UBS was given a 45% reduction in its fine for co-operating with the EC’s investigation. NatWest Group, which reported the cartel to the EC, was given full immunity and avoided a fine of around €260 million. Portigon avoided a fine after it posted no net turnover in the last business year. Natixis and Bank of America were not fined, as their participation in the cartel occurred more than five years before the EC’s investigation began.

Individually, the UBS, Nomura and UniCredit fines were the first-, second- and fourth-largest losses in May.

In the third-largest publicly reported loss, State Street agreed to pay a $115 million penalty to the US Department of Justice to settle claims that bank employees overcharged for expenses relating to custody of client assets.

The Department of Justice (DOJ) found that bank executives added mark-ups to “out-of-pocket” expenses charged to customers and hid them by claiming that they were pass-through charges for which the bank was not earning a profit. Out-of-pocket expenses include transaction fees for Swift messages, among other charges. Executives were also found to have misled clients when they inquired about the expenses.

Through the scheme, which took place over a seven-year period to December 2015, State Street was found to have defrauded its clients of more than $290 million. State Street voluntarily disclosed the conduct, and agreed to fully reimburse victims for the amount they were overcharged.

Including the latest criminal penalty, earlier settlements and promised reimbursements, the issue looks set to cost the bank around half a billion dollars.


In May’s fifth-largest loss, Swiss Life agreed to pay $77.4 million to the US Treasury for enabling US clients to evade taxes.

The DOJ found that Swiss Life created insurance products called Private Placement Life Insurance policies. These were marketed specifically to US tax evaders who were seeking a new way to hide their offshore assets because of heightened US tax enforcement efforts. Via subsidiaries in Liechtenstein, Luxembourg and Singapore, Swiss Life ran approximately 1,600 PPLI policies between 2005 and 2014.

The penalty consists of $16.3 million in restitution to the Internal Revenue Service representing the unpaid taxes, forfeiture of $35.8 million in gross fees earned on the policies, and a penalty of $25 million.

In May’s sixth-largest loss, Bank of America agreed to pay $75 million to settle a class action lawsuit in which the bank was accused of charging multiple overdraft fees to customers who should have only been charged once.

The lawsuit claimed that the bank charged multiple $35 fees for overdrafts and insufficient funds notices relating to individual transactions by customers. The bank did so despite contractually agreeing not to charge more than one fee per transaction and not to make more than one attempt to process a declined transaction. According to the lawsuit, the bank had said that a customer must first have made another attempt at the transaction before any additional fee could be charged.

The lawsuit also claimed that the bank wrongly applied fees to transactions when customers moved funds between Bank of America accounts.

In May’s seventh-largest loss, Norway’s biggest bank, DNB, was fined $48 million by the country’s financial regulator for due diligence failures and breaches of anti-money laundering and counter-terrorist financing laws.

The bank was accused of handling bribes paid from an Icelandic fishing company to Namibian government officials for fishing quotas. The bribes were first exposed by Wikileaks in 2019. Official investigations into DNB found inadequate risk classification of customers, among other monitoring and reporting failures.

*Update, June 3: Subsequent to this article’s publication, ORX has re-categorised State Street’s fine from the DOJ as a legacy loss; the bank reached a settlement with the SEC over the same issue in 2019. As of next month’s column, in the monthly running tally of all losses (Figure 2), this loss amount will no longer appear under May 2021’s total.

Spotlight: S&P in a fix over Vix

The US Securities and Exchange Commission (SEC) fined S&P Dow Jones Indices $9 million last month for disclosure failures on its inverse volatility index. The index is a short volatility tracker that follows short-dated futures prices on Cboe’s Vix volatility index. The failures led to S&P publishing and disseminating stale index values during a period of volatility on February 5, 2018. The error reportedly caused investors in linked tracker funds to lose an estimated $1.8 billion.

S&P licenses its Vix Short-Term Futures Index to users such as Credit Suisse. The Swiss bank used the index to construct an exchange-traded note series called XIV, which offered investors an inverse of the Vix. However, unbeknown to Credit Suisse and XIV investors, the index was subject to an auto-hold feature that freezes the published intraday index value during periods of extraordinary movement. The values are unfrozen only when the auto-hold is released.

On February 5, 2018, one of the two employees tasked with monitoring the index was out of the office, and the remaining employee was left to monitor the benchmark, one of thousands of indexes the individual was tasked to monitor that day. During the trading day, the employee knew about and specifically commented on the market volatility, which spiked 115% higher and triggered alerts.

Following the close of the equities markets at 4pm, but before the close of the futures markets, prices of Vix futures contracts spiked and, as a result, a series of auto-holds were triggered by breaches of the hourly threshold. Despite receiving alerts regarding auto-holds, the employee did not release them manually or investigate their cause. Instead, the employee, based on oral instructions from their supervisor, prioritised end-of-day validations over real-time price and index-level monitoring.

As a result, the SEC found that S&P had violated Section 17(a)(3) of the Securities Act. Reuters reported that the stale data contributed to a 96% drop in the value of Credit Suisse XIV notes.

Editing by Alex Krohn

All information included in this report and held in ORX News comes from public sources only. It does not include any information from other services run by ORX, and we have not confirmed any of the information shown with any member of ORX.

While ORX endeavours to provide accurate, complete and up-to-date information, ORX makes no representation as to the accuracy, reliability or completeness of this information.

Cyber attacks top threat to US financial system – bank CEOs

By Sharon Thiruchelvam | News | 28 May 2021

Lawmakers signal readiness to act as finance chiefs warn of heightened cyber risks

Cyber attacks pose the most serious threat to US financial institutions and the system as a whole, the chief executives of four of the nation’s largest banks told Congress yesterday.

Asked by Representative Bill Huizenga of Michigan to name the biggest risk facing the financial sector, the CEOs of Citigroup, Goldman Sachs, Morgan Stanley and Wells Fargo each singled out cyber threats.

“Cyber, and specifically the potential impact on consumer data and data privacy,” said James Gorman, CEO of Morgan Stanley.

Charles Scharf, Wells Fargo’s CEO, simply replied “cyber”, while David Solomon, CEO of Goldman Sachs, named “cyber, central clearing risk and growing government debt around the world”.

Jane Fraser, Citigroup’s CEO, also picked out cyber security. “[It] keeps all of us up at night,” she said.

The bank CEOs were testifying at a hearing of the US House Financial Services Committee on May 27.

The CEOs of Bank of America and JP Morgan pointed to other concerns. “As a financial institution, the number one question is what the economy is going to do,” said BofA’s Brian Moynihan, while JP Morgan’s Jamie Dimon said he was worried about “public policy not being properly executed”.

Cyber attacks on banks have escalated since the onset of the Covid-19 pandemic, with the growth in digital banking and the shift to remote working providing an opportunity for hackers to target weak spots in banks’ defences. The deluge of cyber attacks shows no sign of subsiding. The Office of the Comptroller of the Currency (OCC) and the Federal Deposit Insurance Corporation (FDIC) issued a joint warning on heightened cyber risks in January.

US president Joe Biden responded by issuing an executive order (14028) on cyber security on May 12, 2021.

At a hearing of the Senate Banking Committee on May 26, Senator Bill Hagerty of Tennessee said the US Congress was prepared to introduce legislation to tackle the problem.

“You’ve got bipartisan support here in the United States Senate to address this significant problem and I think with our largest banks we can make significant progress and set the standard, frankly, for our entire financial system,” Hagerty said.

US Treasury Secretary Janet Yellen also signalled that the Financial Stability Oversight Council (FSOC) would examine cyber security at a meeting in March 2021.

However, external experts say regulations and new laws will do little to thwart cyber attacks, and could even be counterproductive. “Multiple uncoordinated or piecemeal cybersecurity regulations and laws can actually make managing cyber risk both more difficult in terms of compliance, cost and transparency,” analysts at Fitch Ratings wrote in a note published on March 25, 2021.

They called for increased global co-ordination on cyber security and enforcement – a point echoed by Citigroup’s Fraser at the hearing. She described the sharing of intelligence as “critical” and said US intelligence agencies should play a bigger role in defending companies against cyber attacks.

To date, cyber attacks have not resulted in ratings downgrades for banks, but that may change. On May 24, S&P Global said it expected cyber attacks to trigger more rating actions as cyber incidents become more frequent and complex.

S&P says it will consider cyber risks at both system-wide and entity-specific levels, and will scrutinise banks’ risk management policies, resilience and contingency plans in the event of attacks when making rating decisions.

Commerzbank’s op RWAs hit 10-year low

By Lorenzo Migliorato | Data | 13 May 2021

Commerzbank’s operational risk-weighted assets (RWAs) dropped to their lowest level in at least 10 years in Q1, following updates to its internal model.

Op RWAs at the German bank stood at €16.7 billion ($20.2 billion) at the end of March, down €1.6 billion (9%) from December. In Q1 2012, they hit a high of €27.7 billion, and averaged €21.9 billion over the next 38 quarters.

In its quarterly results, Commerzbank said the drop was the result of “changes in loss database and improvements in qualitative model indicators”. It offset a €1.5 billion rise in credit RWAs from currency headwinds, leaving the bank’s total RWAs flat on the quarter at €178.5 billion.

The bank added 20 basis points to its Common Equity Tier 1 (CET1) capital ratio in Q1, which stood at 13.4%.

What is it?

Basel II rules lay out three methods by which banks can calculate their capital requirements for operational risk: the basic indicator approach; the standardised approach; and the advanced measurement approach (AMA). The first two use bank data inputs and regulator-set formulae to generate the required capital, while the AMA allows banks to use their own models to produce the outputs.

Why it matters

Commerzbank tweaking its internal model provided a 9% drop in its op risk capital charge in just one quarter. But the reduction is likely to be short-lived, with the bank’s management expecting higher operational and credit RWAs in Q2.

In yesterday’s earnings call, chief financial officer Bettina Orlopp said the bank will see an increase of between €3 and €5 billion in RWAs over the next quarter, driven by higher op risk charges and the Targeted Review of Internal Models. As a result, the bank’s CET1 ratio is expected to drop.

In February, Commerz presented its four-year plan in which op RWAs were expected to remain flat at around €18 billion by 2024. Whether the bank can achieve this remains to be seen. So far, the use of the AMA has helped it sway its RWAs, but the upcoming Basel III rules may put an end to this as Commerz will be required to switch to using the new standardised approach.


Op risk data: Money laundering gaffes cost ABN €480m in penalties

By ORX News | Opinion | 10 May 2021

Also: Turkish crypto exchange’s missing $2bn; online payment scams rise during Covid. Data by ORX News

Turkish cryptocurrency exchange Thodex was responsible for April’s largest operational risk loss, after the platform ceased operations leaving its 400,000 users unable to access an estimated $2 billion in digital assets.

On April 19 and 20, Thodex announced that trading would be halted for six hours for maintenance following transaction problems on its platform. On April 21, Thodex users reported difficulties transferring money before the website became inaccessible and traders were barred from their accounts. It later emerged that the exchange’s founder, Fatih Faruk Özer, had left Turkey, reportedly travelling to Albania or Thailand.

Traders subsequently filed criminal complaints alleging that Özer had taken the money they had deposited for trading on the platform with him when he left Turkey.

Turkish authorities suspended all Thodex user accounts, blocked the exchange’s Turkish bank accounts, and began a criminal investigation. As of April 25, 68 suspects had been arrested in Turkey as part of the probe and warrants for a further 80 suspects had been issued.

Özer released a statement saying the allegations were unfounded and part of a smear campaign against the company. As of April 26, Özer was still at large.

In April’s second largest publicly reported loss, ABN Amro paid penalties totalling €480 million ($580 million) after the Dutch public prosecutor found “serious shortcomings” in the bank’s anti-money laundering processes between 2014 and 2020.

An investigation by Dutch government agencies found that important client information was missing from files and that risk assessments were deficient. Notably, the bank had failed to close undesirable client accounts quickly enough, and then allowed some terminated clients to open new accounts. There were also gaps in client due diligence and wider reporting failures.

The settlement consisted of a fine of €300 million and disgorgement of €180 million, based on the amount of money that the bank was estimated to have saved by failing to employ the requisite number of compliance staff.

April’s third largest loss saw JP Morgan paying up to $18.8 million to settle a class action lawsuit in which the bank was accused of mortgage malpractice. A number of mortgage borrowers alleged that its retail bank, Chase, had not paid the legally required 2% interest on amounts held in escrow, a legally guaranteed minimum in some US states. The bank was also accused of other deceptive business practices, breach of contract and unjust enrichment.

In the fourth and fifth largest losses, Bank of America and Credit Suisse were fined €12.6 million and €11.9 million respectively by the European Commission for colluding in secondary market trading for bonds.

Crédit Agricole was also fined €4 million for its own role in the cartel and Deutsche Bank, which was involved in the cartel, avoided a €21.5 million fine after it reported the activities to the European Commission.

The commission found that between 2010 and 2015, a core group of traders working in each bank’s dollar sovereign, supranational and agency (SSA) bond division were in regular contact via online chatrooms. The traders provided each other with updates on their trading activities, swapped commercially sensitive information, co-ordinated on prices shown to their customers, or to the market in general, and aligned their trading activities in the secondary market for SSA bonds.

Spotlight: Overcharging on overdrafts costs CBA A$7m

Commonwealth Bank of Australia was ordered to pay a penalty of A$7 million ($5.5 million) by the Federal Court of Australia for charging substantially higher interest on business overdraft accounts than it had advised customers.

An Australian Securities and Investments Commission investigation found that CBA had overcharged customers on 12,119 occasions, violating two sections of the Asic Act.

CBA admitted that the statements it provided to certain customers had, in most cases, referred to a rate of around 16% a year, but that, due to a systems error, it had charged more than 1,510 customers a different, higher overdraft rate – in most cases around 34% a year.

Total overcharged interest exceeded A$2.2 million.

In announcing the penalty in April, Asic said CBA had remediated A$3.74 million to customers for a total loss of A$10.7 million.

In Focus: Sharp rise in Covid-era scams could bite banks

Financial fraud and attempted scams increased by two-thirds for some UK firms in the first half of 2020, as fraudsters took advantage of a year of Covid-induced disruption. Figures from Barclays showed a 66% increase in reported scams during the first UK lockdown starting in March 2020, versus pre-pandemic levels.

Evidence of cryptocurrency fraud during the March 2020 UK lockdown has since emerged, as fraudsters were reported to be offering fake investments to target marks. Similarly, impersonation scams, where fraudsters trick victims into believing they are tax officials, utility providers or bank staff – covertly seeking payment or personal information – have come to light. In June 2020, reports of impersonation scams to Barclays were double those of the previous month. In addition, fraudsters have also targeted government loan schemes aimed at providing pandemic relief.

And with nine UK banks now party to UK Finance’s voluntary code to protect customers against authorised push payment (APP) scams – and agreeing to reimburse eligible customers who fall victim to these – any sharp increase in the number of frauds could create a financial headache for those banks.

Losses are already material: in the year to March 2020, TSB paid out £17.5 million ($24.4 million) in reimbursements to affected customers. TSB has gone a step further than some of its peers, introducing measures that exceed those outlined in the voluntary code and promising to refund all who fell victim to an APP scam, rather than just those that passed certain ‘no-blame’ criteria in the voluntary code. In its 2020 annual report, TSB said it paid out to 99% of customers that suffered loss from an APP fraud during the year, against an industry average of 38%.

In total, UK Finance said that £208 million had been stolen in APP scams in the first half of 2020, which was broadly in line with the total from the same period in 2019. However, the same period saw some sharp increases in some specific fraud types. For example, impersonation frauds in the UK increased 84% between the first half of 2019 and the first half of 2020. And internet banking fraud was up 32% during the same period. There was a decline in older types of fraud such as cheque or telephone fraud.

UK consumer group Which? found that just 41% of claims under the UK Finance voluntary reimbursement code are paid. As a result, there have been calls from consumer groups for more effective procedures to ensure more customers are reimbursed, and for sanctions against fraudsters to be stepped up in the upcoming UK online safety legislation.

However, banks may not be able to quantify the impact of pandemic-related fraud for some time, as losses from increased Covid-19 related fraud may not yet have fully materialised.

And the method of compensating fraud victims is changing. Previously, reimbursements made under UK Finance’s voluntary code were taken from a fund supplied by the signatories. But, in April 2021, UK Finance announced the banks themselves would oversee the end-to-end refund process and allowed banks to pay back customers individually, rather than through the central shared funding pot.

Editing by Alex Krohn and Louise Marshall


New UK op risk rules elevate risk management over measurement

By Steve Marlin | News | 7 May 2021

Under op resilience rules, firms must plan for all severe stresses, whatever their probability

The aphorism “If you can’t measure it, you can’t manage it” is often attributed to Peter Drucker, the influential management thinker. But he neither said it, nor does the quote accurately reflect his view on the value of measurement.

The latest challenge to the popular mantra has come from an unlikely place: the Bank of England’s final rules on operational resilience for financial firms, published at the end of March. Firms will now be required to prepare for a variety of “severe but plausible” disruptions, whatever their probability.


“We are not modelling probabilities any more. This is very different from previous approaches to operational risk,” says Benedict Roth, a risk management expert and former supervisor at the BoE. “In the old days, risk people used to say some risks were so small you wouldn’t bother worrying about them.”

Evan Sekeris, a former regulator with the US Federal Reserve, agrees: “This is the evolution of the discipline away from focusing on quantification, but on risk management [instead].”

The new rules from the BoE’s Prudential Regulation Authority will require a big investment of time and effort by many affected firms and necessitate major organisational changes. Their reach may also eventually extend well beyond UK borders as US and European Union regulators could copy many of the requirements – the most detailed yet.

In broad terms, the principles laid out by the PRA call for three things. Firms must first identify their important business services. They must then set an “impact tolerance” for each – that is, the maximum level of disruption the service could withstand without causing “intolerable harm” to the firm’s clients or, for the largest firms, posing a risk to the UK financial system. Third, firms must make sure each important service can continue operating in a range of disruptive scenarios.

Important business services must be identified and impact tolerances set by March 31, 2022. And starting from March 31, 2025, or sooner if achievable, firms must ensure they can remain within their impact tolerances.

In a speech on May 5, Lyndon Nelson, PRA deputy chief executive, provided further insight into the regulators’ expectations. He said they understood that mandated tasks such as mapping – the identification of the people, processes, technology and information needed to deliver each important business service – and testing through scenarios would evolve and grow in sophistication over time.

“So, by March 31, 2022, I would expect that you will be able to set out a compelling gap analysis. You will know where your major shortcomings are and therefore which areas need more work,” he said.

To-do list

The PRA itself recognises the novelty of its freshly published rules. It says firms should focus not on worst-case scenarios, but on severe but plausible ones: “This is a shift away from the operational risk approach, which focuses on likelihood, and towards an outcomes-based approach that focuses on firms building their operational resilience.”

A risk management expert at a large international bank welcomes this move away from putting numbers on probabilities: “Identifying remote but plausible scenarios is made easier by not having to estimate probability.”

But he adds: “The real challenge is mapping, for the important business services, the various dependencies – processes, people, systems, applications, infrastructure, and third and fourth parties. Scenarios will relate to the failure of each of these dependencies.”

What’s more, when setting impact tolerances for individual important business services, firms will have to assess the potential impact of other important services failing at the same time.

“This creates a complex problem if you have to consider all the interconnections,” says Luke Carrivick, head of research and information at ORX. “Given the potential scale of this, the approach taken should be proportionate, and suggests that individual firms may not consider [links between] large numbers of critical services.”

Indeed, the PRA says in its final document that it expects firms to consider these “extra layers of complexity” only where there are significant benefits for op resilience.

Ex-Fed regulator Sekeris picks out not the individual thorny tasks mandated by the regulators, but the overhaul of the entire op risk function that the new rules will require.

“The difficulty for firms is the need to reorganise op risk functions and rethink not just op risk, but who is in charge of resilience … Is it the first line or the second line?” he says.

“We already have business continuity, scenario workshops, risk identification processes. The flip side is that all these elements have been developed in different silos. All of it needs to come together in one coherent whole.”

Room for judgement

The new rules on op resilience raise a whole raft of other questions that firms will need to answer in order to comply.

Nelson at the PRA said the body had received an “avalanche” of requests for detailed guidance – for example, whether firms should set up op resilience committees, and how many important business services they should have.

But he suggested such guidance was not forthcoming: “Rigid and overly prescribed regimes are just what we need to avoid for a risk that is constantly evolving and where key parts of it (such as cyber risk) actually [have] a conscious opponent seeking to do harm.”

This double-edged latitude given to firms is also highlighted by Risk.net’s sources.  

“The message appears to be that regulators want to make firms really think about their specific critical services, and therefore tolerances, rather than assuming a supervisory view of what is important,” says Carrivick at ORX.

The same approach applies to selecting the scenarios for testing important services. In its document, the PRA says it has decided not to provide a detailed definition or lists of severe but plausible scenarios. Instead, it expects firms to select their own scenarios in line with their size, complexity and importance to the financial system, and supervisors will ask how and why these particular possibilities have been chosen.

“If a firm tests itself to scenarios that are insufficiently severe, then boards and senior management would be taking inappropriate risks with the management of their businesses,” the document states.

Former BoE supervisor Roth translates this into more direct language: “My reading is that if a firm goes soft in its internal planning, then it will be criticised by the regulator for not planning bad enough outcomes.” 

Orders without borders

The new principles on op resilience are not the first time the UK has designed some of the most advanced rules on non-financial risk management globally – for instance, other jurisdictions have taken up iterations of the country’s Senior Managers and Certification Regime.

Sekeris predicts the new rules will have a similar impact: “A lot of what’s in here will find its way to other jurisdictions.”

There is certainly room for more detail in the equivalent US guidance, published in October 2020 by the Federal Reserve, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation.

The brief paper sets out the agencies’ broad expectations on op resilience, but does not amend their existing rules and guidance.

“The Fed document was more them saying this is the direction and sounding out the industry, whereas this [PRA] document is very detailed in its expectations,” Sekeris says.

The PRA rules also cover outsourcing and third parties, and may influence the European Union’s evolving guidance on outsourcing.

What makes the UK approach to op resilience a particularly good example to follow is its proximity to the high-level principles for op resilience published by the Basel Committee on Banking Supervision in March.   

“It’s helpful to see the intent align with the BCBS,” says Carrivick at ORX.

Speaking on May 5, Nelson at the PRA was more forthright: “I do think, when we look at the latest Basel operational resilience text, we are approaching a greater level of harmonisation than many thought was possible … I feel confident that our approach will deliver the Basel principles for the UK.”

Now, over to banks and investment firms to deliver on these expectations.  

Editing by Olesya Dmitracova

Op risk update lops £72m off NatWest’s capital requirement

By Louie Woodall | Data | 29 April 2021

NatWest’s annual recalculation of its operational hazards led to a 4% drop in its regulatory capital charge for these risks over Q1, to £1.7 billion ($2.4 billion).

It was the largest one-quarter drop since a similar recalculation in Q1 2018. Total operational risk-weighted assets (RWAs), used to calculate capital charges, amounted to £21 billion in Q1, down from £21.9 billion the prior quarter and £22.6 billion in Q4 2019. NatWest generally recalculates its op risk charge in the first quarter of each year.

Though op RWAs have fallen steadily over the past five years, they have lagged reductions across other risk categories. As a result, op RWAs now make up a larger share of NatWest’s total, at almost 13%, than they did in Q2 2016, when they accounted for around 10%.


The bank’s ratio of RWAs to Common Equity Tier 1 (CET1) capital stood at 18.2% at end-March, down from 18.5% in Q4 2020. The fall in op RWAs was offset by a faster drop in capital, some of which was deployed over the first quarter in a directed share buy-back.

What is it?

Basel II rules lay out three methods by which banks can calculate their capital requirements for operational risk: the basic indicator approach; the standardised approach; and the advanced measurement approach (AMA). The first two use bank data inputs and regulator-set formulae to generate the required capital, while the AMA allows banks to use their own models to produce the outputs.  

Under incoming Basel III rules, all banks will be required to shift to a revised standardised approach. NatWest currently calculates all its op RWAs using the standardised approach.

Why it matters

NatWest is sitting on a mountain of capital right now, the result of a battery of efforts to downsize and restructure in the wake of the global financial crisis. The op risk recalculation provided an additional bit of headroom above its minimum regulatory capital requirements, and therefore gives NatWest more freedom to distribute capital to shareholders going forward, as chief executive Alison Rose intimated on today’s earnings call (April 29).

What’s becoming clear, though, is that once NatWest completes its planned divestments and overhaul of its markets division, op RWAs will be a larger share of its overall capital requirement than before, unless future recalculations shave off much more. Managing these op RWAs, then, may soon become a core focus of the bank’s capital boffins.


Op risk data: Sberbank suffers $108m supermarket clean-out

By ORX News | Opinion | 9 April 2021

Also: Copper trader buys $36m of worthless bricks; big lenders hurt in $400m mortgage fraud. Data by ORX News

March’s largest operational risk loss was an 8 billion ruble ($108 million) commercial loan fraud at Russia’s Sberbank. The loans were made in January 2018, but the fraud only came to light last month after Russian authorities made three arrests.

The arrested individuals were former managers and employees of Russian supermarket owner InterTorg. The group reportedly gave the bank false information to obtain the loans, and then siphoned off the money for their own use.

InterTorg has since been declared bankrupt.


The second largest publicly reported loss was a settlement of $105 million by Sandell Asset Management and its owner Thomas Sandell in a tax evasion lawsuit brought by US authorities.

Sandell allegedly deferred paying taxes on $450 million of management and performance fees he had earned from overseeing offshore hedge funds. A 2008 change in deferred fee income recognition rules required Sandell to pay the taxes owed by the end of 2017. However, New York state authorities claim he tried to escape liability by relocating to London, even though his company continued to operate in New York.

The settlement arose after a whistleblower made claims under the New York False Claims Act in October 2018. The settlement covers damages, taxes, penalties, interest, legal fees and a $22 million payment to the whistleblower.

In March’s third largest loss, student debt relief company Hutton Ventures was ordered by a US district court to pay $53 million in penalties for misconduct.

Debt relief companies help borrowers to apply for loan forgiveness schemes or consolidate their loans to reduce their debt levels. Hutton was found to have violated US state and federal laws by providing false or misleading information to borrowers and charging fees for services that were otherwise available for free. In one example, company representatives told borrowers that no interest would be charged on the financing of a fee, when 20.99% interest was charged to nearly all New York customers in violation of the state’s 16% interest rate limit.

In fourth place, Swiss commodities trader Mercuria suffered a $36 million fraud when it discovered that it had been sent painted paving slabs instead of copper in a number of shipments from Turkey, according to a report by Bloomberg.

Mercuria is said to have agreed to buy $36 million of copper from Turkish company Bietsan, a supplier it had done business with before. The copper was initially loaded into a first shipment of containers, and was surveyed by an inspection company, which affixed anti-fraud seals to the containers. Soon after, the containers were allegedly opened, and the copper was replaced with painted paving stones. The perpetrators swapped fake and real container seals to avoid detection before the cargo left Turkey. Five shipments on separate days were reportedly switched in this manner.

While the cargo ships were at sea, Mercuria paid $36 million in five instalments. The fraud was discovered once the ships began arriving in the Chinese port of Lianyungang.

The fifth largest loss is a $22 million settlement by Swiss bank Rahn+Bodmer for helping US account holders evade tax. According to the US Department of Justice, the bank enabled customers to conceal their control of funds held in undeclared accounts. It did so by opening accounts for customers under pseudonyms or in the names of non-US legal entities to conceal their beneficial ownership. This allowed hundreds of US customers to evade paying a total of $16.4 million in US taxes between 2004 and 2012.

The DoJ announced a three-year deferred prosecution agreement with Rahn+Bodmer, in addition to the settlement.


Spotlight: Morgan accused of multi-million mortgage fraud

Mortgage fraud comes in all shapes and sizes; in the case of New York real estate kingpin Robert Morgan the size is upwards of $400 million.

That figure is the amount of loans that Morgan’s company is alleged to have fraudulently obtained, with losses to government-sponsored enterprises and banks including Fannie Mae, Freddie Mac, Deutsche Bank and UBS estimated at $9.5 million.

On March 4, the US Department of Justice announced that it had charged Morgan and fellow individuals from his property firm, Morgan Management, as well as a broker from another real estate firm, in a wide-ranging mortgage fraud scheme.

According to the DoJ, the individuals fraudulently obtained funds from financial institutions over a period of 12 years, by providing false information in support of mortgage loan applications for dozens of properties, including apartment blocks.

The defendants are said to have artificially inflated rents and reduced property expenses to make it look as if the properties were more profitable than they were. This way, they justified an unrealistically large mortgage loan amount.

In some cases, Morgan and others tried to conceal the fraud by making vacant units appear occupied during inspections by turning radios on, placing welcome mats and shoes in hallways outside vacant units, and paying individuals to pretend to be tenants in units the inspectors would enter.

The charges follow a separate investigation in 2020 by the US Securities and Exchange Commission, which resulted in an order for Robert Morgan to repay $63 million to investors affected by his fraud scheme.

Editing by Alex Krohn

All information included in this report and held in ORX News comes from public sources only. It does not include any information from other services run by ORX, and we have not confirmed any of the information shown with any member of ORX.

While ORX endeavours to provide accurate, complete and up-to-date information, ORX makes no representation as to the accuracy, reliability or completeness of this information.

Fed economist sounds alert over op risk capital arbitrage

By Steve Marlin | News | 6 April 2021

Insurance payouts could allow banks to pare back capital without equivalent reduction in risk, says paper

Recent research has reignited debate over how banks use insurance to reduce operational risk capital, with experts warning that incoming rules may encourage firms to “arbitrage” the system.

The standardised approach for operational risk allows banks to deduct insurance payouts from their op risk capital calculation. Marco Migueis, an economist with the US Federal Reserve Board, says this may incentivise banks to insure predictable, small-ticket op risk losses at the expense of large, black-swan events.

As a result, banks may be left without sufficient capital to cover fat-tailed risks such as a major systems outage, natural disaster or other catastrophe, argues Migueis in a paper published in February in the Journal of Operational Risk.

The opinions expressed in the paper are Migueis’s own, and do not necessarily represent those of the Federal Reserve.

An op risk capital head at a large bank says: “I agree that the current approach doesn’t focus on mitigating the risk in the tail, which is what capital is there for, and the way it has been designed provides incentives to protect the wrong type of losses.”

The standardised approach for operational risk, part of the Basel III package of reforms due to apply from January 2023, requires banks to calculate op risk capital by multiplying two components. One is a simple measure of bank income known as the business indicator component. The other is a measure of a bank’s op risk losses over the previous 10 years known as the internal loss multiplier. It uses a loss figure that is set to 15 times the bank’s average annual net losses during the lookback period.


To show how banks can use insurance to create arbitrage opportunities, Migueis offers a hypothetical example of a bank with average annual losses of $20 million, in which case its loss component would be $300 million. If by purchasing insurance the bank is able to reduce its losses to $5 million, then its loss component would fall to $75 million. However, its exposure to fat-tailed risks will not fall in proportion to this decline, potentially leaving the bank with insufficient capital to cover future losses.

“Insurance netting in the loss component may result in arbitrage opportunities, as banks can reduce their capital requirements without a commensurate decrease in risk,” Migueis writes.

Insurance for operational risk losses generally falls into two categories: policies that cover everyday losses such as credit card fraud; and those for rare but costly events.

According to Migueis, if a bank is able to buy insurance that covers small-dollar losses, it can use the payouts to net down its overall loss figure and thus reduce its capital requirements. In fact, it could just have insurance for these smaller losses and remain uninsured for big losses – and still receive a hefty decrease in capital.
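The arbitrage Migueis describes, worked through on constructed numbers as an added example (it is not the paper's or the article's own calculation): ten years of loss data whose gross average matches the $20 million case above, a policy that reimburses only the frequent small losses, and the resulting loss component, capital and uninsured tail exposure. The loss-component rule (15 times the average annual net loss over the lookback) is as the article states; the internal loss multiplier formula ILM = ln(e − 1 + (LC/BIC)^0.8) is the Basel III standardised-approach formula, which the article does not spell out, and the business indicator component of 1,000 is an assumed figure. The example generalises the text's single case by letting the recovery fraction for each loss bucket vary.

```python
"""Insurance netting and the Basel III loss component (constructed example).

Shows how reimbursing high-frequency, low-severity losses shrinks the loss
component (and hence capital) while the bank's uninsured tail exposure, the
thing capital is meant to absorb, stays exactly where it was.
"""
import math
from statistics import mean

# Constructed 10-year loss history in USD millions, one entry per year.
#   "frequent": sum of many small, predictable losses (e.g. card fraud)
#   "tail":     sum of rare, large events (e.g. a major systems outage)
# Figures are chosen so the gross average is $20m, as in the article's case.
LOSS_HISTORY = [
    {"frequent": 15.0, "tail": 0.0},
    {"frequent": 15.0, "tail": 0.0},
    {"frequent": 15.0, "tail": 0.0},
    {"frequent": 15.0, "tail": 0.0},
    {"frequent": 15.0, "tail": 50.0},   # one large event in the lookback
    {"frequent": 15.0, "tail": 0.0},
    {"frequent": 15.0, "tail": 0.0},
    {"frequent": 15.0, "tail": 0.0},
    {"frequent": 15.0, "tail": 0.0},
    {"frequent": 15.0, "tail": 0.0},
]

LC_MULTIPLIER = 15  # loss component = 15 x average annual net loss (per the article)


def net_annual_losses(history, frequent_recovery=0.0, tail_recovery=0.0):
    """Annual losses after insurance recoveries are deducted.

    frequent_recovery / tail_recovery are the fractions (0..1) of each loss
    bucket the policy reimburses. Netting recoveries before computing the
    loss component is the mechanism the article describes.
    """
    return [
        y["frequent"] * (1 - frequent_recovery) + y["tail"] * (1 - tail_recovery)
        for y in history
    ]


def loss_component(net_losses):
    """LC = 15 x mean annual net loss over the lookback period."""
    return LC_MULTIPLIER * mean(net_losses)


def internal_loss_multiplier(lc, bic):
    """Basel III ILM (standardised approach); capital = BIC x ILM.

    Formula from the Basel III standard, not from the article.
    """
    return math.log(math.e - 1 + (lc / bic) ** 0.8)


def uninsured_tail_exposure(history, tail_recovery=0.0):
    """Largest single-year tail loss the bank would still bear itself."""
    return max(y["tail"] * (1 - tail_recovery) for y in history)


def compare(history, bic, frequent_recovery, tail_recovery=0.0):
    """Gross vs. net loss component, capital and tail exposure for one policy."""
    gross = net_annual_losses(history)
    net = net_annual_losses(history, frequent_recovery, tail_recovery)
    lc_gross, lc_net = loss_component(gross), loss_component(net)
    return {
        "lc_gross": lc_gross,
        "lc_net": lc_net,
        "lc_reduction": 1 - lc_net / lc_gross,
        "capital_gross": bic * internal_loss_multiplier(lc_gross, bic),
        "capital_net": bic * internal_loss_multiplier(lc_net, bic),
        "tail_exposure_gross": uninsured_tail_exposure(history),
        "tail_exposure_net": uninsured_tail_exposure(history, tail_recovery),
    }


if __name__ == "__main__":
    # Policy that reimburses 100% of the frequent losses and none of the tail.
    result = compare(LOSS_HISTORY, bic=1000.0, frequent_recovery=1.0)
    for key, value in result.items():
        print(f"{key:>20}: {value:,.2f}")
```

With the assumed BIC, the run reproduces the article's figures: the loss component falls from 300 to 75 (a 75% reduction) and capital falls with it, while the largest uninsured event the bank would have to absorb stays at 50. Setting `tail_recovery` above zero instead shows the case the article says attracts little capital benefit: the loss component barely moves because tail events are rare in the lookback, even though the bank's real exposure is what changes.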

Alex deLaricheliere, US financial institutions and professional services industry leader at Marsh, says: “The research is pointing out that large banks could be encouraged to arbitrage and become speculative by financing high-frequency losses in an insurance policy type construct, and that could have capital implications.”

Covering the tail

Under the previous advanced measurement approach (AMA), which the standardised approach is to replace, banks could insure against their tail risk losses and use the anticipated recoveries to offset their capital requirements. However, during the discussions on amending the op risk capital rules, regulators felt this practice was too dependent on forward-looking estimates. Instead, they settled on a more retrospective view, one based on the recoveries that could actually be achieved based on historical losses.

“Regulators felt that if you are already purchasing insurance it’s only fair that part of that coverage be deducted from your capital. That’s how it was under the AMA, and they tried to transfer over this concept to the standardised approach. So they said: ‘Look at historical coverage of losses: what did you lose and what did you recover? Then we’re only going to go off the net losses,’” says a risk capital executive at a large US bank.

Others suggest it could be difficult in practice for banks to arbitrage their capital calculation in the way that Migueis describes.

For one, insurers and banks would need to agree on precisely what repeat operational risks are insurable and what the recoveries would be. Pricing such a policy would be highly complex, with premiums guided by past claims and likelihood of recurrence.

An example would be losses arising from a breakdown of some or all of a bank’s IT and communications systems, where the failure might have cost the client future expected business.

“Insurance companies take great care in, amongst other things, being very clear what risks they are insuring, and what losses they will allow a claim for. Therefore, insurance is not going to provide cover for all operational risks, and will not provide a payout for elements of a loss that is not provided for in the policy wording,” says Edward Sankey, an independent risk management consultant.

Migueis argues that the standardised approach should be changed to permit banks to receive capital benefits from protecting against tail risk losses, either by insurance or improved risk management.

Banks can and do insure against tail risk losses. Such policies are bespoke and expensive, but banks reason that the coverage would be valuable in the event of a large, unforeseen operational risk loss. It is likely that some banks would continue to use such policies even though they attract little, if any, capital reduction under the standardised approach.

But experts warn against banks financing small-dollar losses with insurance policies, and using this coverage as a reason to focus their risk management efforts solely on tail risk.

“Bank supervisors could well be uncomfortable by such a selective reduction of effort, so the efficiency gain may not be achievable,” says Sankey.

Editing by Alex Krohn