Regulators voice concerns over cloud risk

By Steve Marlin | News | 18 November 2020

Risk USA: failure of big cloud service provider could cause “a very large shock”, says NY Fed exec

Concerns are growing among regulators that an outage or failure at a tech giant that provides outsourced cloud services to a large number of institutions could cascade through the financial system, according to a senior executive from the Federal Reserve Bank of New York.

Regulators acknowledge there is a trade-off: relying on a handful of vendors to provide services improves institutions’ resilience to shocks on an individual basis – for instance, by enabling workers to ‘remote in’ to systems from home while they are unable to come into the office during the Covid-19 pandemic – but carries the risk that an attack on such a firm could cause outsized disruption to the entire system.

“The vulnerabilities in a third-party provider might plague multiple institutions at once, and that can lead to a very large shock that wouldn’t be possible if we had a more diverse ecosystem of controls and practices,” said Michael Lee, a New York Fed financial economist, during a panel discussion at Risk USA on November 17, where he was speaking in a personal capacity.

The issue of concentration risk has attracted the attention of the Financial Stability Board, which earlier this month issued a discussion paper on outsourcing and third-party relationships. The paper is based on a survey of national supervisors that says systemic risk arising from concentration of services to financial institutions is likely to increase.

While the benefits and cost savings of moving critical operations to the cloud are compelling, operational risk executives have long feared an overreliance on the big three service providers – Amazon, Google and Microsoft – could place financial institutions and their customers at risk.

Concentration risk is part of a broader set of outsourcing risks that have arisen since the start of the pandemic, which has caused institutions to reassess the resilience of their third-party suppliers, scrutinising everything from their financial well-being to their ability to switch to other providers, should their primary ones fail.

“You have an ecosystem of third parties we all tend to use, and that leads to concentration risk. Almost all of us have a significant reliance on one of the top three large service providers: Amazon, Google and Microsoft. That’s where we start seeing concentration risk,” said Mandar Rege, managing director of operational risk management, technology and cyber security at Citi, during the same panel discussion.

Regulators have noted that as larger numbers of financial institutions migrate to the cloud, a small number of service providers could represent a single point of failure and therefore pose systemic risks.

The Bank of England, in a 2019 report, suggested that cloud providers should be regulated. It called on the Prudential Regulation Authority “to engage with service providers directly to ensure they meet supervisory expectations”, and assess third-party risk management at the individual firm level, such as service level agreements and fallback arrangements.

“Most banks use AWS [Amazon Web Services], and some are very reliant. This creates a huge concentration risk for regulators. I would not be surprised to see a systemic label applied to a select number of vendors like Amazon,” says Evan Sekeris, head of model validation at PNC Financial Services Group, and a former Fed regulator.

NY Fed’s Stiroh: ‘cultural capital’ at risk in pandemic

By James Ryder | News | 16 November 2020

Risk USA: remote working could “erode” the culture of financial firms, says senior regulator

The shift to remote working as a result of the Covid-19 pandemic is threatening to erode the organisational culture of financial firms – potentially heightening the risk of misconduct, a senior regulator at the Federal Reserve Bank of New York said today (November 16).

Kevin Stiroh, executive vice-president and head of the supervision group at the New York Fed, pointed to a range of factors related to the pandemic that could deplete “cultural capital” – which he described as an “intangible asset that impacts how a firm operates and ultimately performs” – of banks and other financial firms.

“As we look across the industry [and] hear the experiences of firms, one can identify factors that are likely to impact, and possibly erode, cultural capital,” said Stiroh. These factors include the “loss of personal interactions, severed networks, uncertainty, and decreased monitoring and oversight”.

Stiroh was speaking at the annual Risk USA conference, held virtually this year.

After shifting to remote working at the onset of the pandemic, companies have been grappling with when – and how – to recall employees to the office. Goldman Sachs and JP Morgan began asking some senior staff to return to offices in September, on a rotating schedule. Other firms, including Capital One and Deutsche Bank, have extended their work-from-home policies well into 2021. There are hints that flexible working may become permanent at some firms, such as HSBC and UBS. 

Stiroh praised the industry’s initial response to Covid-19, but said the adoption of remote working in the long term could have downsides.

“Personal interaction is critical to forming trusting relationships,” he said, noting that such bonds were essential to a company’s cultural capital. “The lack of personal interaction at the workplace has the potential to weaken trust between colleagues, within teams and across organisations.”

Stiroh questioned whether relationships of trust could be sustained in conditions where interpersonal interaction is both less frequent and, in many cases, wholly virtual.

“Severed networks”, Stiroh added, could be one outcome of reduced interactions. The personal relationships that staff developed over years of working together in the office likely contributed to the industry’s ability to maintain core services and operations through the pandemic-related disruption, he said.

“As people came together during the initial months of the pandemic, it is likely that they relied on their existing networks, and leveraged the strength of existing relationships,” said Stiroh. Financial firms could see such networks “deteriorate” after a long period of remote working. That could result in the emergence of silos and less collaboration. Firms may find it more difficult to ensure that new employees that join a remote environment “understand and appreciate both the written and unwritten ways that work is done within a given organisation”.

Stiroh also expressed concern over the ability of financial firms to properly monitor employees working remotely: “Limited contact with managers and leaders within the organisation has the potential to leave employees lacking clear guidance, feeling isolated and willing to take on more risk.”

While laying out his concerns about the potential side effects of remote working in the long term, Stiroh stopped short of calling for a quick return to the office. It was “too early” to say whether firms should push for office attendance as a way to preserve cultural capital, he said, but this was “exactly the right question” to be asking.

Stiroh, together with four colleagues at the New York Fed, introduced the concept of cultural capital in a white paper published in late 2017. Since then, some firms have developed internal metrics to measure this intangible. This could be done “with heat maps, dashboards and reporting”, said Stiroh. It was a complex task, he conceded, that required a “wide variety of inputs” that would differ across firms. He encouraged firms to continue with this work, especially in light of the pandemic.

“Each firm would need to figure out the insights and metrics that are most appropriate to their business model,” he said, adding that the Fed had no plans to specify a universal approach to measurement or reporting any time soon. Rather, Stiroh said, the regulator wanted firms to recognise the importance of cultural capital and find the data most relevant to them.

US systemic banks’ op risk charges fell in Q3

By Louie Woodall | Data | 13 November 2020

Capital held against operational risks fell $11 billion (-7%) in aggregate across the eight US systemic banks over the third quarter, driven by a model change at Bank of America that reduced its charge by a whopping 26%.

Op risk capital held by the firms totalled $138.2 billion, its lowest level on public record. BofA’s charge fell to $29.7 billion in Q3, down from the $40 billion it had been set at since Q4 2015.

Goldman Sachs also saw its op risk charge decline slightly over Q3, by 3%, after climbing in Q2 in response to its settlement of the 1MDB litigation.


On the flip side, op risk capital increased 5% at BNY Mellon, to $5.1 billion. It was the only US systemic bank to see its charge increase quarter on quarter.

Who said what

“With respect to regulatory ratios, importantly, this quarter, we received approval of our updated model to calculate operational risk RWA [risk-weighted assets], which resulted in $128 billion reduction in our advanced RWA” – Paul Donofrio, chief financial officer at Bank of America, October 14.

What is it? 

Basel II rules lay out three methods by which banks can calculate their capital requirements for operational risk: the basic indicator approach; the standardised approach; and the advanced measurement approach (AMA). The first two use bank data inputs and regulator-set formulas to generate the required capital, while the AMA allows banks to use their own models to produce the outputs.

Why it matters

Bank of America’s huge op risk capital charge is one legacy of the financial crisis it may finally be able to escape. The lender was hit with huge fines for mis-selling mortgage-backed securities to investors and to atone for the sins of home loan giant Countrywide, which it acquired in 2008. These have long factored into its calculation of op risk capital.

While other systemic banks punished by regulators for their pre-crisis misdeeds, like JP Morgan and Goldman Sachs, started to see their op risk charges decline years ago, BofA had to stick with its $40 billion burden. The Q3 drop suggests the Federal Reserve, which has the final say over model changes, finally got comfortable with the bank erasing the losses it incurred post-crisis from its calculation, or at least reducing their weighting.

Capital relief is always welcome to banks, but at BofA the effect of the op risk charge drop will be limited. This is because the bank currently capitalises according to the standardised approach, which does not factor in op risk. 

Op risk data: firm-wide control fails cost Citi $400m; CRO exits

By ORX News | Opinion | 9 November 2020

Also: Deutsche draws fire and AML fine over Danske trades. Data by ORX News

In October’s largest loss, Citi was fined $400 million by the US Office of the Comptroller of the Currency over deficiencies in enterprise-wide risk management, compliance risk management, data governance and internal controls.

The OCC found that, over several years, Citi failed to comply with its guidelines for establishing minimum standards for the design and implementation of a bank’s risk governance framework – 12 CFR part 30, Appendix D. These guidelines also set out minimum standards for the bank’s board of directors in providing oversight to the framework’s design and implementation of guidelines.

The regulator identified various unsafe or unsound practices in the bank’s internal controls, including an absence of clearly defined roles and responsibilities. These deficiencies in Citi’s risk management controls led to multiple violations of US laws, it found.

The Federal Reserve also announced an enforcement action against Citi over the bank’s failure to take prompt and effective actions to correct practices in these same control areas. It decided, however, not to impose an additional fine on Citi.


Two weeks after the OCC’s decision, it was further reported that Brad Hu, Citi’s chief risk officer, would be departing the bank. Hu is understood to have made clear the decision to leave was his own.

As recently as September, the bank incurred major losses after accidentally wiring $900 million to a group of lenders to cosmetics giant Revlon, with which it was already embattled in a lending dispute.

Similar failings were at issue in October’s second-largest loss. The OCC imposed a fine of $85 million on the USAA Federal Savings Bank over its failure to implement and maintain an effective compliance risk management programme and an effective IT risk governance programme.

Having identified unsafe or unsound banking practices in these governance areas in January 2019, the regulator found in October 2020 that USAA had failed to maintain an effective programme of risk management or IT risk governance. The OCC also found that USAA had deficiencies in all three lines of defence in its compliance risk programme, and that its deficiencies resulted in multiple violations of US laws. It noted, nonetheless, that these deficiencies were being remediated pursuant to the January 2019 order.

In October’s third-largest loss, the OCC fined Morgan Stanley $60 million for failing to exercise proper oversight relating to the decommissioning of two data centres in the US. It found that the firm failed to effectively assess or address the risks associated with disposing of its hardware and with using third-party vendors to do so, and failed to maintain an appropriate inventory of customer data stored on the devices.

In July 2020, Morgan Stanley notified customers that their data had potentially been breached during an incident in 2016. It said the firm had engaged a vendor to remove the data, but had subsequently learned that certain devices could still contain some unencrypted data. A similar incident in 2019 involved the incomplete disposal of unencrypted data in local branch offices.

In its consent order, the OCC recognised that Morgan Stanley had undertaken initial corrective actions. The firm could still face customers’ class actions over the potential exposure of sensitive data, however.

Reliance Trust saw October’s fourth-largest loss when it agreed to pay $39.8 million over the alleged mismanagement of the 401(k) savings funds of Insperity Holdings, for which it was the plan fiduciary.

A class action complaint alleged that Reliance Trust did not limit the investment funds to non-proprietary funds of third-party investment managers, but selected and retained its own high-cost and poorly performing funds to benefit itself at the expense of plan participants.

The complaint alleged that plan participants would have made a further $50 million, had Reliance Trust invested in other, better-performing plans.

In October’s fifth-largest loss, AGM Markets, an over-the-counter derivatives dealer, was ordered to pay A$35 million ($24.8 million) by the Australian Securities and Investments Commission (ASIC) over “systemic unconscionable conduct”.

Numerous investors had complained of high-pressure sales tactics and misleading statements about the potential profitability of trades. AGM, and its associate companies, used account managers who were not licensed to advise clients, and made representations that were false, misleading or deceptive, it found.

The Australian Federal Court further found that AGM contravened its Australian financial service licensee obligations by not providing services “efficiently, honestly and fairly”.


Spotlight: Deutsche lands AML fine for Danske deals

In October 2020, Deutsche Bank accepted a €13.5 million ($16 million) administrative fine for failing to submit suspicious activity reports in a timely fashion. The bank allegedly failed to disclose more than a million suspect money transfers, for which it was correspondent bank with Danske Bank Estonia. The transfers occurred over a five-year period after a whistleblower at Danske had flagged them as suspicious transactions.

German prosecutors launched an investigation to determine if Deutsche Bank employees had sanctioned these transactions and whether they had subsequently attempted to cover them up.

Deutsche withdrew from its position as a correspondent bank for the Estonian subsidiary over increasing concerns about potential misconduct by Danske, and launched two internal investigations into the matter under the scrutiny of US regulators.

The Frankfurt Public Prosecutor’s Office cleared Deutsche of money laundering, but found that between 2010 and 2015, it had failed to send timely alerts of potentially suspicious transactions to law enforcement authorities on an astonishing 627 occasions. For each of these failures, Deutsche Bank was fined between €12,500 and €30,000.

In focus: US hawks eye firm-wide risk as banks fall foul of rules

Operational risk has been seared into the public consciousness of late. While the US as a nation has been consumed by questions about the integrity of its electoral process, its financial regulators are zeroing in on tighter controls at the enterprise level.

In October, the US Office of the Comptroller of the Currency handed out fines for both Citi and the USAA Federal Savings Bank. Both fines – $400 million in Citi’s case and $85 million in USAA’s – were incurred for deficiencies in enterprise-wide risk management programmes – the first time the OCC has levied such fines for firm-wide failures.

And while two fines in close succession do not necessarily constitute a trend, their proximity – along with the similarities in deficiencies and sheer size of the penalties involved – could suggest that regulators are more closely scrutinising internal controls and risk management programmes.

In Citi’s case, the OCC identified that the bank had, over a period of several years, failed to implement and maintain an enterprise-wide risk management and compliance risk programme, internal controls, or a data governance programme commensurate with its size, complexity and risk profile.

Specifically, the regulator identified that Citi had not complied with Appendix D of its safety and soundness standards, which set out more stringent criteria for certain large insured national banks, and establish minimum standards for the design and implementation of a bank’s risk governance framework. At the same time, the US Federal Reserve Board announced a related enforcement action against the bank.

Just a week later, the OCC announced the fine against USAA, noting that it had also failed to implement and maintain an effective bank-wide risk management programme. Significantly, the OCC had entered into a consent order with the bank in January 2019, identifying that its internal controls and information systems had failed to comply with Appendix A of the same standards.

That the OCC came back and issued the fine – while nonetheless noting that USAA had begun to remediate the deficiencies – would seem to demonstrate a focus on repeat offences and a firm intention of stamping out deficient internal controls and risk management programmes.

Notably, the OCC identified that both banks’ risk management failures had led to violations of US law: in Citi’s case, the Fair Housing Act and the Flood Disaster Protection Act for which the bank was fined $25 million and $17.9 million respectively; in USAA’s case, the Military Lending Act and the Servicemembers Civil Relief Act.

While these are the first fines the OCC has handed out for company-wide risk management failures, in 2018, it famously fined Wells Fargo $500 million for deficiencies violating the Federal Trade Commission Act. As with USAA, the OCC identified deficiencies in the bank’s first and second lines of defence.

Remedial efforts required of the banks in these cases are also significant, demonstrating that a monetary fine relative to an institution’s size is merely one of several measures that regulators can implement in correcting risk management deficiencies. In all three of the above examples, the banks were required to form a compliance committee to meet quarterly, to update the banks’ boards on the progress of remediation efforts and, in turn, to notify regulators of their progress. Citi and Wells Fargo were also required to submit reports to the OCC, underlining the root causes of the identified deficiencies within the relevant business lines.

The fines reflect the OCC’s Bank Supervision Operating Plan for 2020, in which it sets out its intent that supervisory strategies should focus on control functions and leverage a firm’s audit, loan reviews and risk management processes, alongside other priorities for supervision.

Spending on non-financial risk management has exploded since the financial crisis, according to one data analytics provider. Increased digitisation of risk management and reporting could provide a key tool for meeting this challenge.

Nonetheless, the regulatory focus on risk management frameworks and reporting, alongside other priorities, such as cyber security and operational resilience, will put increasing pressure on budgets already stretched by the coronavirus pandemic.

Editing by Louise Marshall

All information included in this report and held in ORX News comes from public sources only. It does not include any information from other services run by ORX, and we have not confirmed any of the information shown with any member of ORX.

While ORX endeavours to provide accurate, complete and up-to-date information, ORX makes no representation as to the accuracy, reliability or completeness of this information.

Evaluating cyclic risk propagation through an organization

By Mark S. Gallagher, Daniel S. Fenn, Shane N. Hall | Technical paper | 9 November 2020

Risk Technology Awards 2020: Managed support services provider of the year – Exactpro Systems

By Exactpro | Advertisement | 6 November 2020

Trading software testing firm Exactpro Systems was named Managed support services provider of the year in the Risk Technology Awards 2020.

Exactpro builds software to test software, helping systemically important clients such as the London Stock Exchange to mitigate operational risks in trading, clearing, risk management, market surveillance, securities data distribution, post-trade activities and other areas.

Co-founder and chief executive of Exactpro Systems, Alexey Zverev, discusses the challenges of maintaining client systems in the current environment, the launch of its new open source microservices-based test automation platform, th2, and how machine learning and artificial intelligence will help drive innovation in the future.

Ice tees up CDS options launch for November 9

By Costas Mourselas | News | 6 November 2020

Fight for CDS market share heats up as Ice begins clearing options and LCH preps CDX offering

Ice is set to launch clearing of credit default swap index options contracts on November 9 – a long-awaited move that pitches the central counterparty (CCP) into direct competition with LCH in a key market for hedgers.

From Monday, Ice Clear Credit will clear options on the CDX North American Investment Grade and High Yield indexes. Ice is aiming to add options on iTraxx Europe indexes in 2021.

The launch of CDS options clearing at Ice has been long touted and delayed, with the first quarter of 2018, 2019 and the second quarter of 2020 successively flagged as potential launch dates. The consultation process for Ice’s options clearing solution took five years, according to Stan Ivanov, president of Ice Clear Credit, as dealers wrangled over the valuation methodology of the options when constituents of CDS indexes defaulted.

Counterintuitively, says Ivanov, “in some senses, the Covid-19 situation helped with the approval of the options”, with the wild gyrations in credit markets seen in March focusing minds on “how much systemic risk can be crystallised from uncleared CDS option positions upon extreme market realisations”.

LCH’s CDSClear launched index options clearing in 2017, offering contracts on the iTraxx Main five-year benchmark, and the iTraxx Crossover five-year. The CCP has cleared €58 billion in credit index options in 2020 up to October 31. LCH is aiming to extend the offering to the United States CDX investment grade and high-yield indexes in the coming weeks.

LCH has so far failed to make inroads against Ice in US CDS clearing, but has picked up substantial volumes in European CDSs. LCH held €144.3 billion in open interest for European index CDSs as of November 2.

Members and clients will be able to net their cleared options positions with the rest of their products at Ice Clear Credit using the newly implemented Monte Carlo model, adds Ian Springle, head of corporate development at ICC.

“The dealers are interested in clearing options because they can net all their CDS instruments at the clearing house. But this is a very client-heavy business, and they have put a lot of pressure on the dealers to make these instruments cleared too.”

“There are a lot of end-users out there that use credit index options to complement their single-name CDS strategies or to protect against macroeconomic tail risk in a capital-efficient manner,” adds Ivanov.

Ice has built in a number of different backstop measures in a bid to minimise the effect of operational risk issues on CDS exercises. The daily options exercise window will be between 9am and 11am eastern time, but the clearing house will facilitate preliminary exercises of options on the day before exercise from 6pm up until 9am on the day of exercise.

If operational issues do occur, the clearing house can reschedule the exercise window for a later period on the same day. Finally, Ice can automatically exercise in-the-money options at the end of the day, should a rescheduled window not be possible, based on an average of the underlying index during the day and day before exercise.

Ice is hoping for a fast start to steal a march on its rival. “We have about nine dealers that most actively trade options. Probably six will be ready in the first two weeks of options launch,” says Springle. “We expect the full gamut of nine dealers by the end of the year, with their affiliated futures commission merchants following in Q1.”

Ice is understood to be hopeful of offering clearing for different debt tranches and total return swaps sometime in the future.

ING’s op risk charge jumped €228m in Q3

By Lorenzo Migliorato | Data | 5 November 2020

ING’s capital charge for operational risk jumped 8% over Q3, wiping out three quarters’ worth of savings. 

Op risk-weighted assets (RWAs) hit €39.9 billion at end-September, translating to a capital charge of €3.2 billion. This reversed a series of quarter-on-quarter declines starting back in Q3 2019.

The bank said the Q3 increase was due to technical updates to its models. ING uses internal models allowed under the Basel Committee’s advanced measurement approach (AMA) to calculate its op risk capital requirement. 


The spike in operational RWAs was offset by quarterly savings across all other risk categories. Credit RWAs dropped by €10.5 billion, thanks to favourable foreign exchange movements and a culling of risky exposures. Market RWAs fell by €2.3 billion.

ING’s total RWAs fell 3% over the quarter, to €312.3 billion.

What is it?

A bank’s minimum capital requirement equals 8% of its total risk-weighted assets (RWAs) for credit, market and operational risks.

Existing Basel Committee rules allow op RWAs to be calculated under the AMA using banks’ own internal models, which use the frequency and severity of past op risk losses to determine how much capital should be put aside to absorb potential future losses.  

At end-2017, the committee scrapped the AMA and replaced it with a standardised measurement approach (SMA), under which firms will have to calculate their op risk using the standard-setter’s own formulae. The SMA will be phased in from January 2022.

Why it matters

ING has run into trouble with financial regulators in recent years, mainly over failings concerning its anti-money laundering (AML) practices.

Last quarter, some of these failings, and their accompanying fines, likely rolled into the calculation window used by its AMA model, pumping up op RWAs.

Further increases could be on their way. In its Q3 report, the Dutch bank said “[we have] experienced heightened scrutiny by authorities in various countries,” which may lead to new investigations and more fines.

ING may end up being grateful it took the higher op risk charge in Q3, when RWA tailwinds to credit and market exposures helped to offset them. Still, the higher charges are likely to stay for some time considering the bank’s recent loss history, putting pressure on its core capital ratio.

BNP Paribas’ RWAs shrank over €10bn in Q3

By Lorenzo Migliorato | Data | 3 November 2020

BNP Paribas’ risk-weighted assets (RWAs) dropped by more than €10 billion ($11.7 billion) over the third quarter, as its credit and market exposures eased off.

Total RWAs amounted to €686 billion as of end-September, down 1.4% on three months prior but still at a higher level than before the coronavirus crisis. 

Credit RWAs slimmed down to the tune of €9 billion, to €519 billion. Market and foreign exchange RWAs fell in response to lower volatility, dropping €3 billion to €40 billion as a result.


Offsetting these savings was a €1 billion increase in counterparty credit RWAs, to €40 billion, and an edging up of those related to securitisation positions.

The decrease in RWAs helped stoke the French bank’s Common Equity Tier 1 (CET1) capital ratio, which ended the quarter 20 basis points higher than at end-June, at 12.6%.

What is it?

RWAs are used to set minimum capital requirements for banks. Credit assets, such as loans, are assigned a risk-weighting to generate their RWA value. The riskier the loan, the higher the RWA. Market RWAs are set using value-at-risk measures and other gauges of trading risk. Operational RWAs are set using banks’ own models or regulator-set formulae.

Why it matters

As has been the case with its European peers, the drop-off in RWAs at BNP Paribas is partly the result of a normalisation of risk levels after the Covid-induced spike earlier this year. Further falls in credit RWAs are likely, especially considering the bank said the use of credit lines by corporate customers is reverting to the mean. When these are paid back, the bank’s overall credit exposures will shrink. 

As concerns its trading book, the drop in market RWAs reflected lower market risk. One-day value-at-risk dropped 15% to €54 million over the quarter, thanks to lower credit spreads, and no backtesting breaches occurred in the period.

The RWA savings put the bank’s capital ratio in a strong position to weather the effects of the second lockdown imposed on France in late October. 


Banks fold climate, pandemic and cyber risks into CCAR

By Steve Marlin | News | 30 October 2020

OpRisk North America: anchoring idiosyncratic risks to macro scenarios a challenge, say experts

Banks have long faced an uphill task to accurately gauge the financial risks posed by climate change, pandemics and cyber attacks, and to put a dollar value on them for the purpose of capital planning. But while such risks have previously been treated as tail events, the coronavirus has made clear they can significantly affect the losses firms have to project as part of regulatory-mandated stress-testing.

“We’ve incorporated a lot of these risks into our scenarios from a CCAR [Comprehensive Capital Analysis and Review] perspective. We are thinking about both the likelihood and the increased risk, particularly outside the bank, in the infrastructures we deal with,” said Rick Brobst, head of CCAR for operational risk at UBS Americas, during a panel at OpRisk North America on October 22.

Understanding the linkages between operational events and a firm’s risk drivers was especially important in the current climate, he added. Cyber threats have been elevated during the pandemic, with the vast majority of many financial firms’ workforces operating remotely, exposing network vulnerabilities and providing new avenues of attack. A major area of concern, Brobst noted, was the risk associated with third-party vendors not being able to keep up with testing and controls.

The question of how idiosyncratic scenarios were integrated into CCAR went back to the fundamental point of stress-testing operational risk for capital planning, argued Evan Sekeris, head of model validation at PNC Financial Services Group: to expand the stresses that an institution was facing beyond those embedded in the macroeconomic scenarios provided either by the US Federal Reserve or the bank’s own economists.

This involves considering what the world might look like if an additional stress materialises from a tail event that’s idiosyncratic to the institution and operational in nature, and then linking it back to the macroeconomic scenario. Covid-19 had made clear that the risks arising from a pandemic were something most banks needed to think harder about in their scenario inventories, Sekeris suggested.

“No institution had a pandemic [scenario] that triggered a macroeconomic crisis like the one we observe. Going forward, we will have to think more seriously about how we are going to integrate idiosyncratic risk events that can have a feedback loop into the macroeconomic forecast,” said Sekeris, who was speaking during the same debate.

One of the biggest problems with modelling idiosyncratic risks is the inapplicability or outright lack of historical data that can be used to forecast losses. Brobst noted that, while UBS Americas had experience with previous climate disasters – in particular, Superstorm Sandy – when it came to climate risk in general, “we haven’t had a lot of experience in seeing how this will lead to additional operational risk”.

Regulators have become more attuned to the linkage between climate risk and stress-testing. The Bank of England is consulting on a proposal to require banks to develop scenarios for climate risk, arising from both physical risks such as floods and hurricanes as well as transition risks from global warming and the move away from carbon-intensive industries. The European Central Bank has launched a public consultation on a draft guide on climate-related and environmental risks, with the potential to integrate these risks into the supervisory framework as early as 2021.

As idiosyncratic risks become integrated into stress-testing, the likelihood increases that post-stress capital results will vary between banks depending on whether each bank is more or less conservative in its assumptions. In an effort that could forestall such an eventuality, a group of banks under the aegis of the American Bankers Association are working on standardised scenarios for operational risk that can identify the drivers of future losses. The project’s goal is to understand the losses that can be generated for each scenario based on each bank’s business activities and exposures.

Sekeris said: “The best way to do this will be to find a way that when we have an idiosyncratic event, not have it as an add-on, but as a driver of the macroeconomic scenario. We are on an unavoidable path toward impact from climate and pandemics, so we have to start quantifying it. In severe scenario outcomes, it will have major macroeconomic consequences.” 

Editing by Tom Osborn