Shift to remote working sees asset managers focus on comms, tech and cyber risks
In an ironic twist on the notion of futurism, it is conceivable that, for asset managers, the post-Covid landscape will look less like Fritz Lang’s Metropolis and more like Little House on the Prairie. Certainly, managers are preparing for an operating environment that will look dramatically different from the densely city-centric concentrations of the pre-Covid world – with a greater dispersion of capabilities and a higher proportion of staff working from home.
As the pandemic continues to unfold, bulge bracket managers are reassessing their ability to maintain mission-critical operations with fewer staff in the office. Some believe the model for the future will feature many – if not most – employees working from home, bringing its own challenges for IT, cyber security and communications – including employee engagement. And with these changes, they say, will come a reduced need for office space, less reliance on outsourcing and a heightened sensitivity towards key risk indicators.
“The future is going to look very different in many respects from the way things are today,” says Mike Weigand, Covid leader at T. Rowe Price, which is one of many firms expecting to sustain a substantially remote workforce.
When lockdown began in March, companies started formalising plans to move employees. This required monitoring activities and controls from an operational risk standpoint – including people, technology, communications, business continuity and crisis management.
“While many of our entities were already accustomed to working remotely on a regular basis, the pandemic brought about a new scenario which saw us having to adapt to this situation on a long-term basis,” says Ernie Overholt, head of enterprise risk strategy at Vanguard.
Although firms have been able to adapt quickly and maintain a high standard of work during the pandemic, it has highlighted the need to maintain lights-out readiness should another disaster strike. Companies are developing detailed, documented business recovery plans that identify their major processes across the organisation globally and highlight the associated risks.
And just as banks are reworking their op risk scenarios, asset managers are now factoring pandemic risk into their own scenarios. As many of the losses experienced by buy-side firms during the crisis have been operational in nature – such as errors in tracking fund indexes – managers are developing models that attempt to predict the probability of an operational error and the potential loss.
“Op risk used to be an audit function, looking at errors after the event. In the modern era, it’s become highly quantitative, and you need models to identify where you have concentrated risk,” said Edward Fishwick, global co-head of risk and quantitative analysis at BlackRock, during a Risk.net webinar on July 1.
Companies are also evaluating future technology risk and building up their IT infrastructure so that when the next crisis hits, they can provide secure remote access to company assets and allow for smooth team collaboration. An increased usage and scalability of cloud capabilities will enable companies to sustain new demands or react quickly during a crisis. “When all or most of your employees are working remotely, you have to look at what risks that presents from an IT operations standpoint,” says Overholt.
With a large segment of the workforce at home, IT and networking issues have become more critical. “From a technology perspective, this means investing in infrastructure to make it more resilient to support working from home. You need to set up processes to work remotely, to be able to monitor communications, exercise supervisory controls,” says Andrew Chin, chief risk officer at AllianceBernstein.
In its IT evaluations, Axa is focusing specifically on identifying control deficits and new risks. It is conducting a ‘rapid impact assessment’ to identify emerging technology risks, vulnerabilities and threats related to Covid-19 before they materialise.
These include changes to security controls, the impact Covid-19 may have on compliance and regulatory obligations and any new technology or unexpected changes to the environment resulting from Covid-19. Axa’s changes will also include providing summaries for executive leadership and the board of the effects Covid-19 has had on the organisation, and its technology strategy.
“By progressing to the next stage in this new reality, we need to define the new standards of risk and control, which will inevitably change with new ways of working and greater influence from a technology consumption perspective,” says Frederik Simeon, head of the Axa operations global crisis management team.
Firms must also address the rising threats of cyber attacks, as perpetrators seek to exploit vulnerabilities in networks. Although companies are used to people working remotely, the scale and duration of remote work will require strong cyber security measures to mitigate this risk.
T. Rowe Price has incorporated remote access risk scenarios into its analysis and alerting systems, says Weigand, who nonetheless notes that such risks, by their nature, are constantly changing. Companies must ensure they are also adapting to the changing environment, he warns, adding that the firm educates and tests its associates regarding cyber risks on a regular basis.
“Axa has put security awareness campaigns in place and mandatory security training to support all employees, as they are all first line of defence when it comes to protecting against cyber attacks,” says Arnaud Tanguy, Axa group chief security officer. “With the majority of our people working remotely, the risk profile has certainly changed – with controls, such as a secured office environment and controlled internal network, becoming less relevant,” he adds.
Office space and data centres are also being re-evaluated as future operating models move towards having individuals and groups of staff that can work from home effectively.
Business continuity plans dictate that there should be adequate segregation of responsibilities should one group be infected and not able to perform their duties.
Before the pandemic, many business continuity plans were predicated on getting critical staff to a contingency site, which in the present circumstances is impossible.
“A legitimate question is: what is the role of a contingency site? We now know that we can plan for a broader recovery working from home than pre-pandemic,” says Nigel Smith, head of operational risk at Federated Hermes.
AllianceBernstein is re-assessing the need for multiple disaster recovery sites when alternative work arrangements can be made. “Why do we need those DR sites? Maybe our backup is that we work from home. We’re rethinking how many DR sites we need,” says Chin.
Before the pandemic, some companies stipulated that offshore employees had to work from a physical office to maintain more effective controls. Inevitably, such contracts had to be reversed in short order to accommodate working from home.
If it turns out that a significant percentage of employees chooses to work from home, will it cause asset managers to rethink their real estate needs?
“Absolutely,” says Weigand. “That’s something we’re thinking about from a personnel and team standpoint, as well as corporate services in terms of a global footprint.”
Many expect to see a tangible reduction in real estate costs. Among them is Goldman Sachs, which in normal times expects 85–90% of buildings to be populated – but is planning for a future where physical space is needed for only 65–70% of employees, said Anthony Mirabile, regional head of consumer and investment management division operations at Goldman.
Further impact on the global footprint could occur in the adjustment of outsourcing arrangements. For companies such as T. Rowe Price that have outsourced segments of their operations, close contact with service providers has been critical to ensure they can continue to perform these services in a timely manner, as workers transition to a work-at-home environment.
“We have regular touch points with them,” says Weigand. “So we are very mindful of that and continue that ongoing dialogue throughout.”
As part of its own Covid-19 response, Axa’s global procurement team assessed and monitored key suppliers and their remote capabilities, including service continuity capabilities. In France and Morocco alone, its teams were able to source and supply almost 2,000 laptops within a very short space of time to ensure business continuity in these regions. In addition, all of its near and offshore suppliers were able to provide frictionless services.
But outsourcing relationships are being reviewed critically by some managers, and there is likely to be a reduction in the number of third-party vendors as managers take the opportunity to re-evaluate them. Some with service providers in India, for example, are revisiting these relationships for reasons not necessarily related just to the pandemic. While the country’s sudden imposition of lockdown gave firms little or no warning about being locked out of their premises, some also cite weather-related worries about brownouts and related grid shutdowns during monsoon season.
“We were concerned about that,” says AllianceBernstein’s Chin. “We are considering whether to take things back from offshore to mitigate the risks of disruptions from the pandemic. To prepare for that, we started training our staff here to take over those functions. Because of the heightened risk, we might have to duplicate what we had in India,” he adds.
The issues experienced early on in the move to remote working were quite different from those managers are now facing. In the first few weeks, concerns revolved around whether employees could perform their jobs remotely, with an acute focus on logistics.
“Our first priority was making sure we had the right equipment. There were lots of technology issues – we couldn’t get Wi-Fi, screens,” says Chin.
“We surveyed employees to see what they needed to work effectively from home. Instead of asking employees to buy equipment on their own, we ordered equipment for all our employees based on the survey.”
However, the conversation has since shifted from day-to-day operations to maintaining employee morale through coaching, mentoring and training, from senior leaders conducting town halls to encouraging employees to take time off to spend with family and recharge.
“We had to guard against becoming an organisation that just focuses on processing, but continue to focus on the people aspect,” said Goldman’s Mirabile, on a recent webinar. “We’ve become much more connected than pre-Covid.”
The sudden transition from having employees physically in the office to working remotely also underscored the importance of establishing trust in working relationships.
“As a manager, I learned to deal differently with employees who are working remotely. If there is a time where my company needs all the positive effects of trust at work, it is now,” says Simeon.
Communication is arguably never more critical than during periods of uncertainty, and the crisis has thrown into sharp focus the need for clear communication channels. By embedding agile elements at company or team levels, they are far better equipped to respond to the challenges of the crisis.
On a team level, asset managers have invested both time and technology in communications that include mission-critical initiatives, such as crisis portals, but also tools for sharing tips and tricks during lockdown and for collegial well-being, such as virtual coffee meetings, after-work drinks and staff celebrations.
Firms have seen value in team-wide video calls or broadcast sessions during which senior team members provide updates and answer questions. Internal portals keep employees in the loop with important updates. Many firms also increased their use of social media to ensure internal or customer needs are addressed in a timely manner.
Soliciting employee feedback has also played a critical role in establishing next steps. When T. Rowe Price surveyed its employees on their general concerns, mass transit ranked near the top, especially in major cities. With schools and summer camps being closed, working parents were prevented from returning to the office. In preparation for a phased, voluntary return that was scheduled to begin in early July, it divided employees into three groupings on a rotating basis, with the office outfitted with floor markers, elevator capacity limits, physical separation and free face masks.
“We want associates who voluntarily choose to enter the office to feel as comfortable as possible,” says Weigand.
Also: Wirecard dominates legacy losses; SEB hit with massive AML fine. Data by ORX News
June’s largest loss was Nordic lender SEB’s $107 million fine for anti-money laundering failures in its Baltic operations. This is the second fine for AML failure handed out this year by the Swedish regulator (FI), which in March fined Swedbank $397 million for similar failures in its Baltic subsidiaries.
FI’s investigation covered the period between 2015 and the first quarter of 2019, in which period it found the bank had insufficient governance and control of Baltic subsidiary banks with regard to AML. It identified that the bank had deficiencies in identifying and managing the risk of money laundering in respect of non-resident customers and of resident customers with non-resident owners. Nor did it identify and manage the elevated compliance and reputational risks that some of these customers imposed on the group.
Despite repeatedly receiving information about deficiencies in some of the central pillars of AML work in the Baltics, SEB did not take sufficient action. Furthermore, the investigation found, the Baltic subsidiary banks did not have sufficient resources to combat money laundering.
FI ordered SEB to redesign its automated transaction monitoring system and to ensure it assesses transactions that its system has flagged as suspicious. SEB has until July 30, 2021 to report that it has complied with the terms of the order.
The Estonian regulator, FSA, also fined SEB’s Estonian subsidiary, SEB Pank, €1 million ($1.14 billion) for its AML failures.
In June’s second largest loss, MetLife paid $84 million to settle a class action over claims the company underreported the value of its life insurance death-benefit backup funds. The misrepresentation caused investors to purchase common stocks at an artificially inflated price. On June 11, 2020, the preliminary approval for the settlement was rejected in court over a legal technicality. However, ORX has kept the story in its database, as MetLife had agreed to pay and provision that amount to settle the case. The motion may be approved at a later date.
The class action of investors alleged that in 2007, MetLife had a $25 million shortfall in its backup funds that it held for incurred but not reported death-benefit claims. The litigation alleged that MetLife had knowingly omitted the shortfall when presenting its financial statements in the quarters following the discovery in 2007. As a result, the class alleged that in 2010, the company’s stock was traded at an artificially inflated price.
The judge said that the investors must resubmit a motion that does not suggest that the court expresses a view as to the fairness of the settlement.
June’s third largest loss occurred at JP Morgan Chase, in which Chase Bank settled a lawsuit brought by US military servicemembers for $62.5 million.
The suit alleged that Chase had violated the Servicemembers Civil Relief Act (SCRA) by charging illegal interest rates and improper fees. Under SCRA, all debts incurred by service members before being called to active duty are reduced to a 6% interest rate. Under its own program, Chase represented that during servicemembers’ active military service, all debts would accrue interest at 4% and that all fees would be waived.
The class action alleged that Chase had charged more than 6% interest and failed to forgive overcharged interest. As a result, the bank improperly inflated the balances on servicemembers’ accounts and collected compound interest. In addition, the class action alleged that Chase had violated the Truth in Lending Act by making material misrepresentations about the servicemembers’ interest rates.
In settling the case, the bank did not admit any wrongdoing, but agreed to pay $62.5 million in compensation to class members.
South Africa’s Postbank incurred June’s fourth largest loss of $62.1 million after employees printed off and stole the master key the bank uses to control customer accounts. Employees reportedly printed the key in plain, unencrypted text, and it was also stored in clear text on at least one laptop. The theft occurred during a data centre move in July 2018. Social grant beneficiaries were the most affected by the incident, as the perpetrators were able to steal a total of $3.35 million from these accounts. By December 2019, bank officials had registered around 25,000 fraudulent transactions on their systems, occurring between March 2019 and December 2019.
In September 2019, South Africa’s Reserve Bank set Postbank a deadline of 18 months to replace 12 million compromised cards at a cost of $58.7 million.
In June’s fifth largest loss, Commerzbank was fined $47.7 million by the UK’s Financial Conduct Authority for AML systems and controls failures.
The FCA found Commerzbank London’s financial crime controls applicable to intermediaries were inadequate, and that certain business areas did not always adhere to Commerzbank London’s own policy of verifying the beneficial ownership of clients. Furthermore, a significant backlog of existing clients requiring refreshed know-your-client checks had developed, in part because of understaffing problems at the bank. The FCA also found there was a lack of clarity around responsibilities throughout several departments.
Commerzbank London’s systems and controls failures occurred between October 2012 and September 2017. As the bank agreed to resolve the matter at an early stage of the investigation, it qualified for a 30% discount.
Messaging provider Telegram was fined $18.5 million by the US Securities and Exchange Commission for an illegal offering of securities between January 2018 and March 2018.
Under the securities’ purchase agreement, a Telegram subsidiary was to issue a new cryptocurrency by the name of Grams. The SEC deemed Grams was not in fact a cryptocurrency, as no products or services could be purchased with it. Instead, the SEC found Grams to be a security, as investors expected to profit from its purchase if Telegram delivered on the promised functionalities.
Telegram had hoped to use the proceeds from selling Grams to fund the development of its new blockchain technology and had planned a secondary offering of Grams in October 2019.
Because the SEC considered Grams a security, it was able to secure an injunction against the secondary offering of Grams, as Telegram had failed to file a registration statement with the regulator.
In consenting to the final judgement, Telegram agreed to pay a civil penalty of $18.5 million. Furthermore, the judgement ordered the company to return $1.22 billion of funds to investors.
For the first half of 2020, total op risk losses at financial firms were approximately half of recorded losses for the same period last year. ORX News recorded $7.93 billion in op risk losses between January 1 and June 30, 2020, versus a total of $14.28 billion in losses for the first six months of 2019. Of the 2019 total, $8.4 billion was recorded at the time and $5.8 billion constitutes legacy losses that have since come to light. The frequency of publicly reported op risk events has also decreased compared with last year, by 35%.
While a combination of factors may account for the fall in op risk losses, the Covid-19 pandemic is prime among them. Evidence suggests regulators around the world have focused more on helping firms weather the crisis instead of imposing fines and penalties. In May, when the US and Europe were in near-total lockdown, just €76 million of op risk fines were recorded – one of the lowest monthly tallies ever seen. Misconduct fell sharply compared with the first half of 2019; it accounted for just 28% of the total loss amount so far for this year – down from 74% last year.
Despite the shift in regulators’ approach during the first half of the year, regulatory fines began to rise again in June. Two of 2020’s largest losses in the category of ‘improper business or market practices’ took place in June. SEB Group was fined $107.3 million for anti-money laundering failures in its Baltic operations (see this month’s Top 5). And ABN Amro disclosed that it had paid $338.4 million to Italian tax authorities over alleged cum-ex trading by one of its subsidiaries between 2004 and 2008.
External theft and fraud this year accounts for 55% of the op risk total losses; however, the frequency of such events has fallen, with 37% of op risk events being assigned to this category. Nearly three quarters (74%) of these losses were incurred by banks that had credit agreements with Singaporean oil trader Hin Leong. In total, 21 banks incurred a total of $3.68 billion in losses in this respect. Individual reported amounts include $600 million at HSBC, $300 million at ABN Amro, $290 million at UBS and $250 million at OCBC Bank. Other large external fraud losses include VTB’s $535 million loss in the Mozambique loan fraud scheme.
Commercial banking was the most frequently affected business line, accounting for 30% of events in the year-to-date; many of the largest losses also occurred in this business line as part of the collapse of the aforementioned Hin Leong. And while retail banking was the second most frequently affected business line, losses in this business line accounted for only around 13% of total losses.
During the pandemic, many firms are focused on trying to continue with business as usual and many are yet to formally report op risk losses due to the pandemic. However, firms have reported signs of an elevated exposure to some risks caused, for example, by increased phishing attacks related to the pandemic or the huge shift to home working and other business process changes.
Editing by Louise Marshall
All information included in this report and held in ORX News comes from public sources only. It does not include any information from other services run by ORX, and we have not confirmed any of the information shown with any member of ORX.
While ORX endeavours to provide accurate, complete and up-to-date information, ORX makes no representation as to the accuracy, reliability or completeness of this information.
Six jurisdictions told the Financial Stability Board (FSB) they’ve identified financial products that cannot be moved off Libor, the soon-to-be-extinguished interest rate benchmark. Most said legislative action would be needed to deal with these so-called ‘tough legacy’ contracts.
Four of these jurisdictions said products like floating rate notes and securitisations have high consent thresholds for changing their terms, meaning they could not be transitioned through simple contractual fixes.
Legislative intervention was the most cited solution to handling these troublesome contracts. The US is working on a “safe harbour from legal action” for contracts that would be in dispute post-Libor, while the UK has yet to sketch out suitable legislation. Two of the jurisdictions, though, admitted that legislative solutions may not come to pass.
The six jurisdictions were among 57 that answered a questionnaire sent out by the FSB earlier this year on Libor transition, the results of which were published today (July 9).
A majority of respondents told the standard-setting body that challenges agreeing contract amendments, the lack of term rates for the risk-free rates that will replace Libor, and a lack of liquidity in these new benchmarks were impediments to transition.
But 38% also said that a lack of engagement from market participants was also to blame, and 12% cited barriers thrown up by local prudential regulatory frameworks.
However, most respondents said that they would not consider supervisory sanctions, such as the imposition of capital add-ons, if a bank was ill-prepared for the transition. Authorities said they have other tools to hand, such as on-site inspections and the ability to request business improvement and risk mitigation plans.
In 2017, the UK Financial Conduct Authority told market participants that Libor will be discontinued after end-2021, when panel banks will no longer be compelled to support the interest rate benchmark by submitting quotes for unsecured funding.
The FSB sent a questionnaire to 96 member and non-member jurisdictions earlier this year on the current state of their transition away from the dying benchmark, and received 57 responses, 24 of which were from FSB jurisdictions.
Time is running out for firms of all shapes and sizes to get ready for Libor’s demise. Despite the ticking clock, though, national authorities’ efforts to address the challenge of ‘tough legacy’ Libor contracts have left the industry wanting.
A report published in May by a UK taskforce on derivatives, bonds and loans that cannot transition off Libor suggested a legislative quick-fix, together with a synthetic version of Libor to serve as a stopgap measure, but both measures had been floated in 2019, and market observers say little progress has been made putting flesh on the bones of the plan.
The US has made bigger strides, though, having issued a 20-page report in March with ready-to-go draft legislative text.
But as the FSB survey makes plain, success via the legislative route cannot be guaranteed. If planned quick-fixes fail, then Libor’s death would trigger a storm of legal disputes, with counterparties wrangling over what rate should be used as a successor.
BlackRock’s co-head of risk discusses challenges facing firms today, including compliance and op risks
Ahead of the Risk Live in-person event, rescheduled for November, Risk.net is running a selection of key sessions online between June 30 and July 3.
In this presentation, Edward Fishwick, global co-head of risk and quantitative analysis at BlackRock, discusses the evolution of buy-side risk management over the past decade.
The biggest change, Fishwick argues, is the diversity of challenges facing firms today, including numerous new regulations, the rise of private assets and the modelling of risks linked to sustainable investing.
Operational risk has also moved up the agenda, especially for passive investment funds, which are less concerned about market risk, and the approach to managing op risk has become more quantitative, Fishwick says. Meanwhile, the importance of reducing operational errors has grown as fees have come under sustained pressure, he notes.
Firms seek better handle on impact of global shocks, and hope to avert regulatory attention
Covid-19 has forced banks to revisit their assumptions about the impact that pandemics can have on every aspect of their business – not least, their operational risk frameworks. While practitioners fear the full effects of the crisis will take years to get their arms around, many are already revising the scenarios used for capital planning and stress-testing. Their objective is to better anticipate the range and severity of future shocks, to bolster resilience – and avoid regulatory intervention.
Despite spending millions of dollars a year on vendor and bespoke applications for op risk scenario generation, banks acknowledge their scenarios signally failed to prepare them for the pandemic.
Op risk scenarios have typically considered events – such as a blackout or terrorist attack – in isolation. And, more often than not, impacts have been regional, rather than global. Banks would have assigned such a low probability to a global pandemic as to ignore it.
They now need to consider not only the probability of a pandemic-level disaster, but the second-order impacts it could have on other risks.
“Across the industry, many banks have generated scenarios that are narrower in scope because catastrophic scenarios are seen as too extreme, and there’s the question of how do these scenarios overlap with economic scenarios,” says Evan Sekeris, head of model validation at PNC Financial Group.
“The pandemic is a perfect example where you have a true op risk event, but it also triggers a macroeconomic event.”
Firms now face the challenge of incorporating the effects of a pandemic into the risk assessment process. They must decide between upgrading their standalone scenarios for pandemic risk or treating it as an event that can trigger other operational risks, such as rogue trading, mis-selling, fraud and physical attacks.
“Is a pandemic a separate risk or a stress on other scenarios? We’re just starting to discuss that and how to deal with that in the construct of our existing frameworks,” says the head of op risk quant at one large bank.
The goal is not so much trying to assign probabilities to specific events, but instead to ask what happens, should an event occur. Op risk professionals say the inventory and types of scenario and attendant narratives are likely to undergo revisions – without necessarily changing the likelihood of the scenario actually happening.
“The key is to think about the risks that you’re facing, and making sure the inventory of scenarios reflects those risks,” says an operational risk expert at a large US bank.
“The whole point of the exercise when you have large-tailed events is it helps push thinking further out on the tail.”
So, rather than a set of standalone scenarios for individual risks, the focus will be on creating scenarios for multiple interlinked events.
“Our scenario analysis work will now account for multiple events with simultaneous scenarios – given the ongoing Covid pandemic, coupled with civil unrest,” says Gus Ortega, head of operational risk management at Voya Financial.
“People will treat [a] pandemic as a causal environmental factor that affects the portfolio of scenarios, rather than articulating a standalone scenario,” adds an operational risk executive at a large UK bank. “If you do a standalone scenario, you end up building an artificial representation.”
Although firms were able to handle some of the unanticipated consequences of the pandemic well – the transition to working from home being a prime example – they underestimated the impact in various areas.
Among these was credit card fraud, when artificial intelligence fraud detection systems were overwhelmed by a large number of false positives, owing to radical changes in customer behaviour patterns, such as shopping online instead of in person. In some cases, banks have had to completely shut down their machine learning-based systems and use manual processes instead.
The speed with which banks are introducing products under government stimulus programmes also increases the risk of conduct-related losses, as they face lawsuits for mis-selling. Banks say there is an increased risk of operational failures associated with processing the surging volumes of loan applications from individuals and small businesses.
Execution risk also increased significantly as financial markets collapsed then rebounded. “The pandemic was a very low-probability scenario in pretty much all firms, and not much thought was put into this scenario – therefore, there was indeed an underestimation of the impacts,” says Marcelo Cruz, a risk management consultant.
One of his clients, a large broker, saw its operational risk morph into credit and market exposures when its system could not match its clients’ orders because of large volumes. The broker had to honour the prices the clients entered, producing a significant financial loss.
“The experience has provided us [with] tremendous information in understanding how a pandemic impacts the world and our customers, as well as the institution itself,” says the op risk quant.
Banks say stress scenario planning for the purposes of operational resilience – which was already a concern of regulators, pre-pandemic – has now risen to the top of their agenda. While most firms have been shown to be resilient during the present crisis, the possibility of a second wave, coupled with a prolonged recession, will mean regulatory scrutiny will intensify.
Last year, the Basel Committee on Banking Supervision signalled its intention to update its operational resilience principles, and the US Federal Reserve had plans to issue its own guidance. But those steps had not been taken when Covid-19 struck. In the absence of fully fledged resilience programmes, banks have had to fall back on existing business continuity plans that are designed to address point-in-time situations, rather than the long-term events that are unfolding today.
“The ideal scenario would have been to build an op resilience framework and then … a chance to test the framework. But no-one’s finished with the framework, so we got locked into crisis management,” says Sam Lee, head of operational risk for Europe, the Middle East and Africa at Sumitomo Mitsui.
While banks have come through with little intervention so far, they expect regulators to make the push to address resilience with renewed vigour over the coming months.
“At the macro op resilience level, which is where all regulators want to get to, it’s going to be an interesting exercise which transcends individual banks. What they’ll be doing is making sure the banks have finished their op resilience framework,” concludes Lee.
Risk Technology Awards 2020
With increasing regulatory and business pressures, firms are looking for the most efficient ways of ensuring the quality and stability of the platforms on which their products and services depend. Quality assurance (QA), therefore, is a vital part of operational activities. Effective validation and verification processes are best achieved through independent software testing, carried out by a third-party specialist that is unbiased and able to provide objective information about systems in a useful format.
Exactpro specialises in providing managed software testing services for mission-critical financial markets technology. The company focuses on functional and non-functional testing of systems that process wholesale financial products. Clients include global systemically important financial market institutions and utilities – such as the London Stock Exchange, Australian Securities Exchange and interdealer broker Tradition.
The company builds software to test software, and offers a test automation solution with a wide coverage and a focus on systems’ maintainability and sustainability. This helps clients mitigate operational risks in trading, clearing, risk management, market surveillance, securities data distribution, post-trade activities and other areas. Risks associated with different business flows and the use of different technologies are addressed through a diversity of testing techniques and automation solutions. These apply a variety of data analysis and machine learning techniques to improve the thoroughness and efficiency of automated functional and non-functional testing under load (expected normal and peak usage).
Exactpro follows a set of core principles to ensure it provides the best testing for its clients. First, it approaches software testing as relentless learning, investing significantly in research and development and continuous improvement. It values expertise – its team has a depth of experience in working with a wide range of financial instruments and understanding the specifics of their lifecycles and parameters. The company develops bespoke test tools, enhancing them with customised dictionaries and simulators tailored to specific clients’ needs. It takes a holistic end-to-end approach to testing, as most defects tend to occur at the confluence of different business flows and system components. Notably, it releases its tools into the open-source community, which further ensures their high quality.
As part of its continuous research and innovation, over the past year Exactpro created a robust test automation framework aimed at distributed ledger technology-based post-trade systems, and improved the QA services it provides in cloud-based and hybrid environments.
“We are honoured and thank Risk.net for this valuable recognition. We build software to test software for exchanges, clearing houses, security depositories and technology vendors in 20 countries on all six continents. The best software-testing instrument is the human brain, and we are very proud of our team at Exactpro and their incredible work and relentless effort to ensure the highest quality and resilience of platforms that underpin global financial markets.”
Swiss bank’s A3 virtual desktop system offers a blueprint for remote working
In the 1980s, Italian drinks brand Martini promoted itself with the slogan: “Any time, any place, anywhere.” Banking giant UBS is channelling a similar spirit for its remote working setup.
The system, dubbed A3 – “anytime, anywhere, and any device” – has been put to the test during the Covid-19 lockdowns that have confined banking employees across the world to their homes since March.
A3 is a virtual desktop infrastructure, or VDI. It aims to give remote users the same access and functionality they would have if they were in the office – a home away from home, so to speak. Mike Dargan, head of group technology at UBS, believes that in this regard, it has succeeded.
“This morning I went into the office, and now I am back home, and it feels no different,” he says.
Running a remote office environment for a large financial institution brings risks, though. Home working increases what experts call the “attack surface” for cyber criminals to exploit. The effect is magnified when such a high proportion of staff are exiled from the office and scattered among thousands of locations across the globe. The confusion of the pandemic is also fertile ground for phishing attacks and attempted hacks.
Luckily for UBS, the bank had already begun to introduce A3 in 2016, which meant the system was already embedded and tested before the pandemic struck.
With VDI, individual apps are hosted in the cloud or in a central server, rather than loaded on laptops or workstations. It’s a more elaborate setup than a virtual private network (VPN), where users tunnel into a corporate network from outside.
A3 users log into a remote desktop via a home device such as an iPad or laptop, running an ordinary browser like Chrome. The interface is customised for each individual: employees working in operations, for example, see a different screen from traders.
To deliver its virtual desktop, the system requires an extra layer of technology. A3 runs Microsoft’s Remote Desktop Services across a server provided by Citrix, one of the largest VDI providers.
Critics of VDI say the setup requires a hefty initial outlay on new hardware and servers. UBS spends 10% of its revenues on IT every year, in line with the level of investment by other large banking groups such as JP Morgan and Bank of America. But Dargan argues the system saves the bank money in the long run.
How? Since many corporate VPNs are typically built to support 20% to 30% of staff working remotely at any given time, some firms have had to allow access to their VPN on a rotational basis to avoid overwhelming the system during the pandemic.
UBS’s A3 system is not limited in this way. At the height of the lockdown, the bank had 95% of its 90,000 staff working remotely across more than 50 countries. Even now, at peak working hours, some 60,000 staff are logged in simultaneously to the A3 environment. High staff productivity goes some way to ensuring the bank sees a return on its IT investment.
The bank also claims to save money by being able to patch the system remotely. If UBS were operating in a hard laptop environment, with users tunnelling into the corporate network via VPN, Dargan’s team would have to fix each device separately. Now, it can just patch the database.
“We have a golden image, if you like, that exists in the data centre. We just patch that, and everything is sorted [out],” Dargan says.
The transition to A3 took place at the same time that UBS moved into its new offices in the City of London in 2016, and started doing away with fixed seating and workstations. The bank introduced thin clients – computers that run from a central server instead of a local hard drive – and equipped mobile staff with laptops. At the time, few rival banks had made this shift, with Citigroup’s Manhattan office a notable exception.
For firms that don’t use VDI or a similar virtual solution, the pandemic has forced a scramble to ship – or fly – laptops to staff. HSBC, for example, says it is considering providing virtual desktop capabilities to staff.
Early in the lockdown, financial firms along the Street scrambled to get their traders equipped to work from home effectively, as volatility triggered a spike in trading volumes. UBS itself saw 300% more activity than normal in March, Dargan says. For many firms, it wasn’t always easy.
With A3, traders get special treatment. Their VDIs are hosted on a super-server called A3 Dedicated. “This is a dedicated blade or server in the data centre with higher processing power,” Dargan says.
In addition, home-working traders have two 34-inch screens and a thin client. To complete the array, UBS provides a “network wrap device”. Dargan says this is “a remote access protocol and a voice turret that interfaces into the system through the data centre. So it’s effectively what you would see on the trading floor: the turret, the screens, and so on.”
Dargan says UBS is researching a virtual product offering with multiple screens for traders, but that is “still in the lab”.
In another nod to user-friendliness, Skype and Microsoft Teams are fully integrated into the VDI setup. UBS says bank staff make around 3 million Skype calls per week, and the bank continually tracks the quality of calls. If a user is experiencing echo, the system spots it and alerts the user to mute themselves or to change device. UBS engineers are also trying to improve the quality of video calls by synchronising audio transmission with the image, if they’re mismatched.
In development are tools that will help diagnose issues with hardware or the user’s home Wi-Fi, Dargan says.
With great virtualisation comes great responsibility. A system such as A3 needs constant monitoring and, here, UBS has a 24/7, follow-the-sun approach. The bank has tech operations centres in three cities – Nashville, USA; Zurich, Switzerland; and Pune, India – that perform resilience monitoring and handle ongoing problems.
While some IT workers have to be on-site, most of the monitoring and maintenance is done remotely. “If you have people working on the hardware, for example the mainframe, they need to be on-site. But it’s a small number of people who need to be in the office, as we have virtualised our support functions,” Dargan says.
Hand in hand with a rise in home working comes an increase in the range of cyber risks that the bank is exposed to. In response, UBS has stepped up its monitoring of incoming emails, scanning for potential phishing attacks. Analysts report that phishing attempts are growing as scammers look to exploit the panic and uncertainty around the pandemic, although UBS has not noticed a significant increase in such attacks.
Phishing can range from marketing emails offering half-off on new office chairs, targeted at employees with sore backs who found themselves suddenly working at the kitchen table, through to messages purporting to contain new information about the coronavirus from seemingly reputable health authorities.
“We measured that in two ways. Firstly, we looked at emails or messages that were specifically related to Covid-19 and to working from home,” Dargan says.
Dargan is wary of giving too much detail on the second element of monitoring for confidentiality reasons, but says the bank uses a layered security approach to detect and block attacks in conjunction with monitoring the underlying IP address of emails that come in.
“We look almost in real time at the origin of the email and the IP addresses related to it, and the subdomain of that IP address. So you can see a partial history of where the email comes from. That needs to be done in real time because we get tons of emails coming through,” he says.
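The two-axis check Dargan describes, as an added example that is not UBS’s code: it pulls the earliest non-internal hop from the Received headers, looks it up in a constructed reverse-DNS table standing in for the live lookup, and flags pandemic and work-from-home lure wording. The trusted-relay suffixes, the scoring and the sample message are assumptions.

```python
"""Added example (not UBS's system): triage an inbound email along the two
axes the article describes, pandemic/WFH lure wording and the origin IP in
the Received chain. Reverse DNS, trusted relays and scoring are assumptions."""
import re
from email import message_from_string, policy
from ipaddress import ip_address, ip_network

LURE_TERMS = ("covid", "coronavirus", "working from home", "office chair")
REVERSE_DNS = {"203.0.113.7": "mail.example-relay.net"}  # constructed table
TRUSTED_SUFFIXES = ("example-relay.net",)                  # assumption
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
# Explicit RFC 1918/loopback list; ipaddress.is_private would also flag the documentation range in SAMPLE.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample message (TEST-NET addresses, example.* hosts).
SAMPLE = """\
Received: from mx1.internal.example (10.0.0.5) by hub.internal.example
Received: from mail.example-relay.net ([203.0.113.7]) by mx1.internal.example
Received: from [192.168.1.20] by mail.example-relay.net
From: "Health Update" <alerts@example-relay.net>
Subject: Urgent COVID-19 guidance for staff working from home

Please review the attached coronavirus guidance before your next shift.
"""

def originating_ip(msg):
    """First non-internal IP in the oldest Received header (each hop
    prepends its own line, so the last header is the earliest hop)."""
    for received in reversed(msg.get_all("Received", [])):
        for cand in IP_RE.findall(received):
            try:
                ip = ip_address(cand)
            except ValueError:
                continue
            if not any(ip in net for net in INTERNAL_NETS):
                return str(ip)
    return None

def triage(raw):
    """Lure-term hits plus a penalty when the origin does not reverse-resolve to a trusted relay."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = f"{msg['Subject'] or ''} {body.get_content() if body else ''}".lower()
    hits = [term for term in LURE_TERMS if term in text]
    ip = originating_ip(msg)
    rdns = REVERSE_DNS.get(ip, "")
    trusted = rdns.endswith(TRUSTED_SUFFIXES)
    return {"origin_ip": ip, "rdns": rdns, "lure_terms": hits,
            "trusted_origin": trusted, "score": len(hits) + (0 if trusted else 2)}
```

In a real deployment the reverse-DNS table would be a live lookup and the verdict would be combined with SPF/DKIM results rather than used alone.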
In common with many other firms, UBS runs exercises throughout the year to create awareness among employees of cyber security. This includes sending fake emails to staff to check responses.
As firms emerge, blinking into the light, after the months-long lockdown, Dargan predicts workers will want to stay home more than they used to. “Even if I look at it through my own lens, if I have only virtual meetings, that benefit of being in the office is small. I think there is a subset of the workforce that may want to continue to work from home partially or for good; we haven’t yet got a defined view on this,” he says.
Editing by Alex Krohn