Op risk data: Money laundering gaffes cost ABN €480m in penalties

By ORX News | Opinion | 10 May 2021

Also: Turkish crypto exchange’s missing $2bn; online payment scams rise during Covid. Data by ORX News

Turkish cryptocurrency exchange Thodex was responsible for April’s largest operational risk loss, after the platform ceased operations leaving its 400,000 users unable to access an estimated $2 billion in digital assets.

On April 19 and 20, Thodex announced that trading would be halted for six hours for maintenance following transaction problems on its platform. On April 21, Thodex users reported difficulties transferring money before the website became inaccessible and traders were barred from their accounts. It later emerged that the exchange’s founder, Fatih Faruk Özer, had left Turkey, reportedly travelling to Albania or Thailand.

Traders subsequently filed criminal complaints alleging that Özer had taken the money they had deposited for trading on the platform with him when he left Turkey.

Turkish authorities suspended all Thodex user accounts, blocked the exchange’s Turkish bank accounts, and began a criminal investigation. As of April 25, 68 suspects had been arrested in Turkey as part of the probe and warrants for a further 80 suspects had been issued.

Özer released a statement saying the allegations were unfounded and part of smear campaign against the company. As of April 26, Özer was still at large.


In April’s second largest publicly reported loss, ABN Amro paid penalties totalling €480 million ($580 million) after the Dutch public prosecutor found “serious shortcomings” in the bank’s anti-money laundering processes between 2014 and 2020.

An investigation by Dutch government agencies found that important client information was missing from files and that risk assessments were deficient. Notably, the bank had failed to close undesirable client accounts quickly enough, and then allowed some terminated clients to open new accounts. There were also gaps in client due diligence and wider reporting failures.

The settlement consisted of a fine of €300 million and disgorgement of €180 million, based on the amount of money that the bank was estimated to have saved by failing to employ the requisite number of compliance staff.

April’s third largest loss saw JP Morgan paying up to $18.8 million to settle a class action lawsuit in which the bank was accused of mortgage malpractice. A number of mortgage borrowers alleged that its retail bank, Chase, had not paid the legally required 2% interest on amounts held in escrow, a legally guaranteed minimum in some US states. The bank was also accused of other deceptive business practices, breach of contract and unjust enrichment.

In the fourth and fifth largest losses, Bank of America and Credit Suisse were fined €12.6 million and €11.9 million respectively by the European Commission for colluding in secondary market trading for bonds.

Crédit Agricole was also fined €4 million for its own role in the cartel and Deutsche Bank, which was involved in the cartel, avoided a €21.5 million fine after it reported the activities to the European Commission.

The commission found that between 2010 and 2015, a core group of traders working in each bank’s dollar sovereign, supranational and agency (SSA) bond division were in regular contact via online chatrooms. The traders provided each other with updates on their trading activities, swapped commercially sensitive information, co-ordinated on prices shown to their customers, or to the market in general, and aligned their trading activities in the secondary market for SSA bonds.


Spotlight: Overcharging on overdrafts costs CBA A$7m

Commonwealth Bank of Australia was ordered to pay a penalty of A$7 million ($5.5 million) by the Federal Court of Australia for charging substantially higher interest on business overdraft accounts than it had advised customers.

An Australian Securities and Investments Commission investigation found that CBA had overcharged customers on 12,119 occasions, violating two sections of the Asic Act.

CBA admitted to providing certain customers with statements relating to a rate of around 16% a year – in most cases – but that it had charged more than 1,510 customers a different, higher overdraft rate – in most cases around 34% a year – due to a systems error.

Total overcharged interest exceeded A$2.2 million.

In announcing the penalty in April, Asic said CBA had remediated A$3.74 million to customers for a total loss of A$10.7 million.

In Focus: Sharp rise in Covid-era scams could bite banks

Financial fraud and attempted scams increased by two-thirds for some UK firms in the first half of 2020, as fraudsters took advantage of a year of Covid-induced disruption. Figures from Barclays showed a 66% increase in reported scams during the first UK lockdown starting in March 2020, versus pre-pandemic levels.

Evidence of cryptocurrency fraud during the March 2020 UK lockdown has since emerged, as fraudsters were reported to be offering fake investments to target marks. Similarly, impersonation scams, where fraudsters trick victims into believing they are tax officials, utility providers or bank staff – covertly seeking payment or personal information – have come to light. In June 2020, reports of impersonation scams to Barclays were double those of the previous month. In addition, fraudsters have also targeted government loan schemes aimed at providing pandemic relief.

And with nine UK banks now party to UK Finance’s voluntary code to protect customers against authorised push payment (APP) scams – and agreeing to reimburse eligible customers who fall victim to these – any sharp increase in the number of frauds could create a financial headache for those banks.

Losses are already material: in the year to March 2020, TSB paid out £17.5 million ($24.4 million) in reimbursements to affected customers. TSB has gone a step further than some of its peers, introducing measures that exceed those outlined in the voluntary code and promising to refund all who fell victim to an APP scam, rather than just those that passed certain ‘no-blame’ criteria in the voluntary code. In its 2020 annual report, TSB said it paid out to 99% of customers that suffered loss from an APP fraud during the year, against an industry average of 38%.

In total, UK Finance said that £208 million had been stolen in APP scams in the first half of 2020, which was broadly in line with the total from the same period in 2019. However, the same period saw some sharp increases in some specific fraud types. For example, impersonation frauds in the UK increased 84% between the first half of 2019 and the first half of 2020. And internet banking fraud was up 32% during the same period. There was a decline in older types of fraud such as cheque or telephone fraud.

UK consumer group Which? found that just 41% of claims under the UK Finance voluntary reimbursement code are paid. As a result, there have been calls from consumer groups for more effective procedures to ensure more customers are reimbursed, and for sanctions against fraudsters to be stepped up in the upcoming UK online safety legislation.

However, banks may not be able to quantify the impact of pandemic-related fraud for some time, as losses from increased Covid-19 related fraud may not yet have fully materialised.

And the method of compensating fraud victims is changing. Previously, reimbursements made under UK Finance’s voluntary code were taken from a fund supplied by the signatories. But, in April 2021, UK Finance announced the banks themselves would oversee the end-to-end refund process and allowed banks to pay back customers individually, rather than through the central shared funding pot.

Editing by Alex Krohn and Louise Marshall

All information included in this report and held in ORX News comes from public sources only. It does not include any information from other services run by ORX, and we have not confirmed any of the information shown with any member of ORX.

While ORX endeavours to provide accurate, complete and up-to-date information, ORX makes no representation as to the accuracy, reliability or completeness of this information.

New UK op risk rules elevate risk management over measurement

By Steve Marlin | News | 7 May 2021
Bank of England

Under op resilience rules, firms must plan for all severe stresses, whatever their probability

The aphorism “If you can’t measure it, you can’t manage it” is often attributed to Peter Drucker, the influential management thinker. But he neither said it, nor does the quote accurately reflect his view on the value of measurement.

The latest challenge to the popular mantra has come from an unlikely place: the Bank of England’s final rules on operational resilience for financial firms, published at the end of March. Firms will now be required to prepare for a variety of “severe but plausible” disruptions, whatever their probability.

Benedict Roth

“We are not modelling probabilities any more. This is very different from previous approaches to operational risk,” says Benedict Roth, a risk management expert and former supervisor at the BoE. “In the old days, risk people used to say some risks were so small you wouldn’t bother worrying about them.”

Evan Sekeris, a former regulator with the US Federal Reserve, agrees: “This is the evolution of the discipline away from focusing on quantification, but on risk management [instead].”

The new rules from the BoE’s Prudential Regulation Authority will require a big investment of time and effort by many affected firms and necessitate major organisational changes. Their reach may also eventually extend well beyond UK borders as US and European Union regulators could copy many of the requirements – the most detailed yet.

In broad terms, the principles laid out by the PRA call for three things. Firms must first identify their important business services. They must then set an “impact tolerance” for each – that is, the maximum level of disruption the service could withstand without causing “intolerable harm” to the firm’s clients or, for the largest firms, posing a risk to the UK financial system. Third, firms must make sure each important service can continue operating in a range of disruptive scenarios.

Important business services must be identified and impact tolerances set by March 31, 2022. And starting from March 31, 2025, or sooner if achievable, firms must ensure they can remain within their impact tolerances.

In a speech on May 5, Lyndon Nelson, PRA deputy chief executive, provided further insight into the regulators’ expectations. He said they understood that mandated tasks such as mapping – the identification of the people, processes, technology and information needed to deliver each important business service – and testing through scenarios would evolve and grow in sophistication over time.

“So, by March 31, 2022, I would expect that you will be able to set out a compelling gap analysis. You will know where your major shortcomings are and therefore which areas need more work,” he said.

To-do list

The PRA itself recognises the novelty of its freshly published rules. It says firms should focus not on worst-case scenarios, but on severe but plausible ones: “This is a shift away from the operational risk approach, which focuses on likelihood, and towards an outcomes-based approach that focuses on firms building their operational resilience.”

A risk management expert at a large international bank welcomes this move away from putting numbers on probabilities: “Identifying remote but plausible scenarios is made easier by not having to estimate probability.”

But he adds: “The real challenge is mapping, for the important business services, the various dependencies – processes, people, systems, applications, infrastructure, and third and fourth parties. Scenarios will relate to the failure of each of these dependencies.”

What’s more, when setting impact tolerances for individual important business services, firms will have to assess the potential impact of other important services failing at the same time.

“This creates a complex problem if you have to consider all the interconnections,” says Luke Carrivick, head of research and information at ORX. “Given the potential scale of this, the approach taken should be proportionate, and suggests that individual firms may not consider [links between] large numbers of critical services.”

Evan Sekeris

Indeed, the PRA says in its final document that it expects firms to consider these “extra layers of complexity” only where there are significant benefits for op resilience.    

Ex-Fed regulator Sekeris picks out not the individual thorny tasks mandated by the regulators, but the overhaul of the entire op risk function that the new rules will require.

“The difficulty for firms is the need to reorganise op risk functions and rethink not just op risk, but who is in charge of resilience … Is it the first line or the second line?” he says.

“We already have business continuity, scenario workshops, risk identification processes. The flip side is that all these elements have been developed in different silos. All of it needs to come together in one coherent whole.”

Room for judgement

The new rules on op resilience raise a whole raft of other questions that firms will need to answer in order to comply.

Nelson at the PRA said the body had received an “avalanche” of requests for detailed guidance – for example, whether firms should set up op resilience committees, and how many important business services they should have.

But he suggested such guidance was not forthcoming: “Rigid and overly prescribed regimes are just what we need to avoid for a risk that is constantly evolving and where key parts of it (such as cyber risk) actually [have] a conscious opponent seeking to do harm.”

This double-edged latitude given to firms is also highlighted by Risk.net’s sources.  

“The message appears to be that regulators want to make firms really think about their specific critical services, and therefore tolerances, rather than assuming a supervisory view of what is important,” says Carrivick at ORX.

The same approach applies to selecting the scenarios for testing important services. In its document, the PRA says it has decided not to provide a detailed definition or lists of severe but plausible scenarios. Instead, it expects firms to select their own scenarios in line with their size, complexity and importance to the financial system, and supervisors will ask how and why these particular possibilities have been chosen.

“If a firm tests itself to scenarios that are insufficiently severe, then boards and senior management would be taking inappropriate risks with the management of their businesses,” the document states.

Former BoE supervisor Roth translates this into more direct language: “My reading is that if a firm goes soft in its internal planning, then it will be criticised by the regulator for not planning bad enough outcomes.” 

Orders without borders

The new principles on op resilience are not the first time the UK has designed some of the most advanced rules on non-financial risk management globally – for instance, other jurisdictions have taken up iterations of the country’s Senior Managers and Certification Regime.

Sekeris predicts the new rules will have a similar impact: “A lot of what’s in here will find its way to other jurisdictions.”

There is certainly room for more detail in the equivalent US guidance, published in October 2020 by the Federal Reserve, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation.

The brief paper sets out the agencies’ broad expectations on op resilience, but does not amend their existing rules and guidance.

“The Fed document was more them saying this is the direction and sounding out the industry, whereas this [PRA] document is very detailed in its expectations,” Sekeris says.

The PRA rules also cover outsourcing and third parties, and may influence the European Union’s evolving guidance on outsourcing.

What makes the UK approach to op resilience a particularly good example to follow is its proximity to the high-level principles for op resilience published by the Basel Committee on Banking Supervision in March.   

“It’s helpful to see the intent align with the BCBS,” says Carrivick at ORX.

Speaking on May 5, Nelson at the PRA was more forthright: “I do think, when we look at the latest Basel operational resilience text, we are approaching a greater level of harmonisation than many thought was possible … I feel confident that our approach will deliver the Basel principles for the UK.”

Now, over to banks and investment firms to deliver on these expectations.  

Editing by Olesya Dmitracova

Op risk update lops £72m off NatWest’s capital requirement

By Louie Woodall | Data | 29 April 2021

NatWest’s annual recalculation of its operational hazards led to a 4% drop in its regulatory capital charge for these risks over Q1, to £1.7 billion ($2.4 billion).

It was the largest one-quarter drop since a similar recalculation in Q1 2018. Total operational risk-weighted assets (RWAs), used to calculate capital charges, amounted to £21 billion in Q1, down from £21.9 billion the prior quarter and £22.6 billion in Q4 2019. NatWest generally recalculates its op risk charge in the first quarter of each year.

Though op RWAs have fallen steadily over the past five years, they have lagged reductions across other risk categories. As a result, op RWAs now make a larger share of NatWest’s total, at almost 13%, then they did in Q2 2016, when they accounted for around 10%.


The bank’s ratio of RWAs to Common Equity Tier 1 (CET1) capital stood at 18.2% at end-March, down from 18.5% in Q4 2020. The fall in op RWAs was offset by a faster drop in capital, some of which was deployed over the first quarter in a directed share buy-back.

What is it?

Basel II rules lay out three methods by which banks can calculate their capital requirements for operational risk: the basic indicator approach; the standardised approach; and the advanced measurement approach (AMA). The first two use bank data inputs and regulator-set formulae to generate the required capital, while the AMA allows banks to use their own models to produce the outputs.  

Under incoming Basel III rules, all banks will be required to shift to a revised standardised approach. NatWest currently calculates all its op RWAs using the standardised approach.

Why it matters

NatWest is sitting on a mountain of capital right now, the result of a battery of efforts to downsize and restructure in the wake of the global financial crisis. The op risk recalculation provided an additional bit of headroom above its minimum regulatory capital requirements, and therefore gives NatWest more freedom to distribute capital to shareholders going forward, as chief executive Alison Rose intimated on today’s earnings call (April 29).

What’s becoming clear, though, is that once NatWest completes its planned divestments and overhaul of its markets division, op RWAs will be a larger share of its overall capital requirement than before, unless future recalculations shave off much more. Managing these op RWAs then, may soon become a core focus of the bank’s capital boffins.

Get in touch

Sign up to the Risk Quantum daily newsletter to receive the latest data insights.

Let us know your thoughts on our latest analysis. Email louie.woodall@infopro-digital, or send a tweet to @LouieWoodall or @RiskQuantum. You can also get in touch via LinkedIn.

Tell me more

NatWest cut markets unit RWAs by almost one-third in 2020

Fraud op risk losses edged up at UK banks in 2020

Op risk past is prologue for UK banks

View all bank stories

The economic cost of a fat finger mistake: a comparative case study from Samsung Securities’s ghost stock blunder

By Yongkil Ahn | Technical paper | 14 April 2021

Op risk data: Sberbank suffers $108m supermarket clean-out

By ORX News | Opinion | 9 April 2021

Also: Copper trader buys $36m of worthless bricks; big lenders hurt in $400m mortgage fraud. Data by ORX News

March’s largest operational risk loss was an 8 billion ruble ($108 million) commercial loan fraud at Russia’s Sberbank. The loans were made in January 2018, but the fraud only came to light last month after Russian authorities made three arrests.

The arrested individuals were former managers and employees of Russian supermarket owner InterTorg. The group reportedly gave the bank false information to obtain the loans, and then siphoned off the money for their own use.

InterTorg has since been declared bankrupt.



The second largest publicly reported loss was a settlement of $105 million by Sandell Asset Management and its owner Thomas Sandell in a tax evasion lawsuit brought by US authorities.

Sandell allegedly deferred paying taxes on $450 million of management and performance fees he had earned from overseeing offshore hedge funds. A 2008 change in deferred fee income recognition rules required Sandell to pay the taxes owed by the end of 2017. However, New York state authorities claim he tried to escape liability by relocating to London, even though his company continued to operate in New York.

The settlement arose after a whistleblower made claims under the New York False Claims Act in October 2018. The settlement covers damages, taxes, penalties, interest, legal fees and a $22 million payment to the whistleblower.

In March’s third largest loss, student debt relief company Hutton Ventures was ordered by a US district court to pay $53 million in penalties for misconduct.

Debt relief companies help borrowers to apply for loan forgiveness schemes or consolidate their loans to reduce their debt levels. Hutton was found to have violated US state and federal laws by providing false or misleading information to borrowers and charging fees for services that were otherwise available for free. In one example, company representatives told borrowers that no interest would be charged on the financing of a fee, when 20.99% interest was charged to nearly all New York customers in violation of the state’s 16% interest rate limit.

In fourth place, Swiss commodities trader Mercuria suffered a $36 million fraud when it discovered that it had been sent painted paving slabs instead of copper in a number of shipments from Turkey, according to a report by Bloomberg.

Mercuria is said to have agreed to buy $36 million of copper from Turkish company Bietsan, a supplier it had done business with before. The copper was initially loaded into a first shipment of containers, and was surveyed by an inspection company, which affixed anti-fraud seals to the containers. Soon after, the containers were allegedly opened, and the copper was replaced with painted paving stones. The perpetrators swapped fake and real container seals to avoid detection before the cargo left Turkey. Five shipments on separate days were reportedly switched in this manner.

While the cargo ships were at sea, Mercuria paid $36 million in five instalments. The fraud was discovered once the ships began arriving in the Chinese port of Lianyungang.

The fifth largest loss is a $22 million settlement by Swiss bank Rahn+Bodmer for helping US account holders evade tax. According to the US Department of Justice, the bank enabled customers to conceal their control of funds held in undeclared accounts. It did so by opening accounts for customers under pseudonyms or in the names of non-US legal entities to conceal their beneficial ownership. This allowed hundreds of US customers to evade paying a total of $16.4 million in US taxes between 2004 and 2012.

The DoJ announced a three-year deferred prosecution agreement with Rahn+Bodmer, in addition to the settlement.



Spotlight: Morgan accused of multi-million mortgage fraud

Mortgage fraud comes in all shapes and sizes; in the case of New York real estate kingpin Robert Morgan the size is upwards of $400 million.

That figure is the amount of loans that Morgan’s company is alleged to have fraudulently obtained, with losses to government-sponsored enterprises and banks including Fannie Mae, Freddie Mac, Deutsche Bank and UBS estimated at $9.5 million.

On March 4, the US Department of Justice announced that it had charged Morgan and fellow individuals from his property firm, Morgan Management, as well as a broker from another real estate firm, in a wide-ranging mortgage fraud scheme.

According to the DoJ, the individuals fraudulently obtained funds from financial institutions over a period of 12 years, by providing false information in support of mortgage loan applications for dozens of properties, including apartment blocks.

The defendants are said to have artificially inflated rents and reduced property expenses to make it look as if the properties were more profitable than they were. This way, they justified an unrealistically large mortgage loan amount.

In some cases, Morgan and others tried to conceal the fraud by making vacant units appear occupied during inspections by turning radios on, placing welcome mats and shoes in hallways outside vacant units, and paying individuals to pretend to be tenants in units the inspectors would enter.

The charges follow a separate investigation in 2020 by the US Securities and Exchange Commission, which resulted in an order for Robert Morgan to repay $63 million to investors affected by his fraud scheme.

Editing by Alex Krohn

All information included in this report and held in ORX News comes from public sources only. It does not include any information from other services run by ORX, and we have not confirmed any of the information shown with any member of ORX.

While ORX endeavours to provide accurate, complete and up-to-date information, ORX makes no representation as to the accuracy, reliability or completeness of this information.

Fed economist sounds alert over op risk capital arbitrage

By Steve Marlin | News | 6 April 2021

Insurance payouts could allow banks to pare back capital without equivalent reduction in risk, says paper

Recent research has reignited debate over how banks use insurance to reduce operational risk capital, with experts warning that incoming rules may encourage firms to “arbitrage” the system.

The standardised approach for operational risk allows banks to deduct insurance payouts from their op risk capital calculation. Marco Migueis, an economist with the US Federal Reserve Board, says this may incentivise banks to insure predictable, small-ticket op risk losses at the expense of large, black-swan events.

As a result, banks may be left without sufficient capital to cover fat-tailed risks such as a major systems outage, natural disaster or other catastrophe, argues Migueis in a paper published in February in the Journal of Operational Risk.

The opinions expressed in the paper are Migueis’s own, and do not necessarily represent those of the Federal Reserve.

An op risk capital head at a large bank says: “I agree that the current approach doesn’t focus on mitigating the risk in the tail, which is what capital is there for, and the way it has been designed provides incentives to protect the wrong type of losses.”

The standardised approach for operational risk, part of the Basel III package of reforms due to apply from January 2023, requires banks to calculate op risk capital by multiplying two components. One is a simple measure of bank income known as the business indicator component. The other is a measure of a bank’s op risk losses over the previous 10 years known as the internal loss multiplier. It uses a loss figure that is set to 15 times the bank’s average annual net losses during the lookback period.

Large banks could be encouraged to arbitrage and become speculative by financing high-frequency losses in an insurance policy type construct

Alex deLaricheliere, Marsh

To show how banks can use insurance to create arbitrage opportunities, Migueis offers a hypothetical example of a bank with average annual losses of $20 million, in which case its loss component would be $300 million. If by purchasing insurance the bank is able to reduce its losses to $5 million, then its loss component would fall to $75 million. However, its exposure to fat-tailed risks will not fall in proportion to this decline, potentially leaving the bank with insufficient capital to cover future losses.

“Insurance netting in the loss component may result in arbitrage opportunities, as banks can reduce their capital requirements without a commensurate decrease in risk,” Migueis writes.

Insurance for operational risk losses generally falls into two categories: policies that cover everyday losses such as credit card fraud; and those for rare but costly events.

According to Migueis, if a bank is able to buy insurance that covers small-dollar losses, it can use the payouts to net down its overall loss figure and thus reduce its capital requirements. In fact, it could just have insurance for these smaller losses and remain uninsured for big losses – and still receive a hefty decrease in capital. 

Alex deLaricheliere, US financial institutions and professional services industry leader at Marsh, says: “The research is pointing out that large banks could be encouraged to arbitrage and become speculative by financing high-frequency losses in an insurance policy type construct, and that could have capital implications.”

Covering the tail

Under the previous advanced measurement approach (AMA), which the standardised approach is to replace, banks could insure against their tail risk losses and use the anticipated recoveries to offset their capital requirements. However, during the discussions on amending the op risk capital rules, regulators felt this practice was too dependent on forward-looking estimates. Instead, they settled on a more retrospective view, one based on the recoveries that could actually be achieved based on historical losses.

“Regulators felt that if you are already purchasing insurance it’s only fair that part of that coverage be deducted from your capital. That’s how it was under the AMA, and they tried to transfer over this concept to the standardised approach. So they said: ‘Look at historical coverage of losses: what did you lose and what did you recover? Then we’re only going to go off the net losses,’” says a risk capital executive at a large US bank.

Others suggest it could be difficult in practice for banks to arbitrage their capital calculation in the way that Migueis describes.

For one, insurers and banks would need to agree on precisely what repeat operational risks are insurable and what the recoveries would be. Pricing such a policy would be highly complex, with premiums guided by past claims and likelihood of recurrence.

An example would be losses arising from a breakdown of some or all of a bank’s IT and communications systems, where the failure might have cost the client future expected business.

“Insurance companies take great care in, amongst other things, being very clear what risks they are insuring, and what losses they will allow a claim for. Therefore, insurance is not going to provide cover for all operational risks, and will not provide a payout for elements of a loss that is not provided for in the policy wording,” says Edward Sankey, an independent risk management consultant.

Migueis argues that the standardised approach should be changed to permit banks to receive capital benefits from protecting against tail risk losses, either by insurance or improved risk management.

Banks can and do insure against tail risk losses. Such policies are bespoke and expensive, but banks reason that the coverage would be valuable in the event of a large, unforeseen operational risk loss. It is likely that some banks would continue to use such policies even though they attract little, if any, capital reduction under the standardised approach.

But experts warn against banks financing small-dollar losses with insurance policies, and using this coverage as a reason to focus their risk management efforts solely on tail risk.

“Bank supervisors could well be uncomfortable by such a selective reduction of effort, so the efficiency gain may not be achievable,” says Sankey.

Editing by Alex Krohn

Users clash with ASX over changes to its DLT settlement system

By Luke Clancy | News | 2 April 2021
Australian Securities Exchange

Industry groups and tech experts worry that proposed last-minute changes will introduce new risks

Changes proposed by Australia’s top exchange to its new blockchain-based settlement system for stocks have drawn fire from prominent sections of users, who fear that the amendments will create new risks.

Under the proposal published in February, the Australian Securities Exchange (ASX) will move to an exception-only reporting model, meaning that clearing brokers will no longer receive confirmation messages for trades that settle successfully. The overnight netting cycle will also be replaced by a continuous process, which ASX says will result in greater capacity.

The consultation closed on March 18. Based on Risk.net’s conversations with seven industry sources, ASX will have received some unhappy feedback – pointing to hiccups in the rollout of distributed ledger technology (DLT) in finance as the technology’s popularity grows around the world.

“The proposed changes in functionality shift substantial processing load and risk onto clearing brokers,” says Damian Jeffree, senior director of policy at the Australian Financial Markets Association (Afma). “[The changes] will require substantial rework of systems and processes at what is quite an advanced point in the project, and this increases risks.”

ASX’s new settlement system will replace its current ageing system, known as Chess. Under Chess, both securities and funds settle on a net basis across participants, and this will be retained.

But individual confirmation messages for successful transactions will no longer be sent out. Rather, participants will be notified of the total funds settled, as well as of the instructions that have failed. They will be able to request the details of the underlying instructions that formed part of settlement for a specified account, security, basis of movement, and settlement date.

Participants will be required to self-determine settlement finality by performing additional processing, reconciliation and verification activities

Judith Fox, Stockbrokers and Financial Advisers Association

Judith Fox, chief executive of Australia’s Stockbrokers and Financial Advisers Association (Safaa), echoes Jeffree’s criticisms of the proposal, arguing that it will result in “a significant increase” in operational risk for participants.

“They will no longer be provided with an auditable settlement chain to definitively identify the settlement obligations being netted and fully settled,” she explained in her consultation response seen by Risk.net. “Participants will be required to self-determine settlement finality by performing additional processing, reconciliation and verification activities for a large volume of client transactions during business hours.”

Fox also agrees with Jeffree that market participants will have to redo much of the work they have already completed.

“This introduces additional costs. Furthermore, all additional change at this stage in the project incurs additional delivery risk,” she wrote in her response.

The proposal was put forward as late as five years after work on the Chess replacement began, and only two years before its delayed go-live date.

ASX itself said in its consultation that software providers might need to “refactor” – in simple terms, restructure – some of the software they had been developing in preparation, depending on whether they had already developed to the code delivered to the “customer development environment”.

Afma and Safaa are calling for an independent review of the proposal to determine if it poses any additional risks to users.

Scale, but at a cost

Some software vendors are also critical of the changes being considered by ASX.

An executive at a vendor that connects to Chess says reducing the number of confirmation messages could introduce systemic risk in the event of a counterparty failure or liquidation event.

“Today, everything is kept in sync, and all participants are fully informed as to how the cancellation and netting process works. There are never any concerns about missing anything,” the person says, referring to so-called novation netting, in which offsetting transactions are cancelled and replaced with a new, net transaction.

“But because they need to reduce their messaging volumes, the ASX is no longer going to tell the market how those trades have been cancelled. They’re just going to expect that participants in the market will work it out themselves.”

The executive also worries that the ASX proposal will introduce further reconciliation points in a system that was designed to require far fewer reconciliations than Chess.

We are not putting operational risk on our customers, but are proposing to do things a different way than we have done historically over the past three decades

Tim Hogben, ASX

The exchange denies that the changes – which it says are supported by regulators – shift more work to users and expose them to additional risks.

“We are not putting operational risk on our customers, but are proposing to do things a different way than we have done historically over the past three decades,” Tim Hogben, chief operating officer at ASX, tells Risk.net. “Customers are still going to get all the information they need. They are just going to get it through different means and different workflows.”

He argues the changes are necessary to ensure the new system can scale “so we never have to talk about capacity again”. They will allow the Chess replacement to handle 15–20 million trades a day and ultimately up to 40–50 million, he says. Chess has the capacity to cater for 7 million trades per day over multiple consecutive days. It is unclear what the new system would be able to handle without the changes.

ASX decided to revisit the design of the DLT system after experiencing a major spike in trading volumes in March 2020, when activity exceeded previous peaks by more than seven times, the exchange said in its consultation.

The Australian Securities and Investments Commission has also expressed “significant concern” about an outage at the exchange on November 16. ASX has said the incident was caused by a software glitch during the rollout of its updated platform for equities. Asic is investigating the incident, which includes assessing whether ASX has sufficient technological resources to operate its markets.

Dividing opinion

A spokesperson for the exchange provides further defence of its suggested changes. He says ASX received around 30 responses out of a total of approximately 70 “relevant stakeholders”, which includes vendors, clearing and settlement participants, alternative market operators and industry associations.

“The less than 50% submission rate could reflect a general satisfaction with the proposals being consulted on and/or confidence that an overall view will be accurately captured in the submissions made by the vendors and industry associations,” the spokesperson says in an email.

He adds that the feedback included confidential comments in support of ASX’s efforts to “reduce the number of messages” it sends and “scale to much higher volumes”.

But for some market participants, the envisaged changes to the netting process are a bigger concern. ASX determined that, as volumes increase, netting would take increasingly longer and would at some point exceed the time available for overnight processing. It decided the best option would be to calculate netting on a continuous basis as trades are registered and novated to its clearing house, ASX Clear.

Will the proposed new workflow create a global precedent for netting pre-settlement obligations on a distributed ledger? Or might it be a consequence of a technology that may not readily scale up to ‘net’ peak trade volumes?

Paul Conn, Computershare

Paul Conn, president of global capital markets at vendor Computershare, argues that continuous netting could undermine “settlement discipline” by enabling a short position to remain open and unchecked for an extended period without either a penalty or the risk of being closed out “through a buy-in arrangement, for failing to deliver [securities]”.

“These are two mechanisms that can be used by a settlement system operator to encourage on-time settlement and enforce settlement discipline,” says Conn, who helped develop Chess when he held senior roles at ASX earlier in his career.

In a blog published on March 15, he also wrote that the planned changes raised a number of questions, including: “Will the proposed new workflow create a global precedent for netting pre-settlement obligations on a distributed ledger? Or might it be a consequence of a technology that may not readily scale up to ‘net’ peak trade volumes?”

Several other exchanges and market infrastructures, including the US Depository Trust and Clearing Corporation, are developing DLT platforms to handle post-trade processing.

ASX plans to release completed code for the Chess replacement at the end of June, it said in its consultation in February. More recent comments by Hogben chime with this timeline: he says the exchange is on track to complete “customer-facing functionality” in June, with testing starting after that.

Asic did not respond to a request to comment about the proposed changes. ASX’s other regulator, the Reserve Bank of Australia, declined to comment.

Editing by Olesya Dmitracova

Fraud op risk losses edged up at UK banks in 2020

By Louie Woodall | Data | 24 March 2021

External and internal fraud accounted for the lion’s share of the operational risk losses at five top UK banks in 2020, and made up a greater portion of the average total than the year before, Risk Quantum analysis shows.

At Barclays, Lloyds, NatWest Group, Santander UK and Standard Chartered, fraud was cited as the cause behind 38% of total op risk losses by value on average. The year before, it was 22%.

Santander UK attributed 59% of total op risk losses incurred last year to fraud, compared with 30% in 2019. As a share of actual op risk incidents, fraud made up 89% of the total, up from 80% in 2019.


NatWest Group reported the largest percentage-point increase in the share of losses attributable to fraud across the banks. In 2020, fraud accounted for 72% of all losses, compared with just 6% in 2019. The amount lost to fraud came to £88 million ($120 million) last year and £57 million the year before that. NatWest said that year-on-year increase was a function of the group having “an increased liability for reimbursing customers impacted by authorised push payment scams”. As a share of op risk incidents, NatWest said fraud accounted for 94% of the total.

Alone of the five banks, StanChart reported a drop in the share of op risk losses attributable to fraud between 2019 and 2020. These made up 25% of its total in 2020, down from 39% the year before. The bank did not disclose how many fraud incidents it had or what percentage share of the total these amounted to.

Across the five banks, losses due to execution, delivery and process management failures were responsible for the second-largest share of op risk expenses in 2020, making up 33% on average.

What is it?

Many banks disclose operational risk losses and event volumes broken down by categories set down in the Basel II framework. Basel standard-setters defined seven categories of operational loss event types: internal fraud; external fraud; employment practices and workplace safety; clients, products and business practices; damage to physical assets; business disruption and system failures; and execution, delivery and process management.

The business disruption and system failures category encompasses hardware, software, telecommunications and utility outages and disruptions. Execution, delivery and process management events include “losses from failed transaction processing or process management, from relations with trade counterparties and vendors”.

The calculations for Barclays, Lloyds, NatWest Group and Santander UK are based on the volume and value of events where the associated loss is more than or equal to £10,000. Standard Chartered’s report did not disclose whether this threshold applied. Legal and conduct risks are excluded from the banks’ operational risk event templates.

Why it matters

Push payment schemes were cited by NatWest, Santander and Lloyds in their annual reports, with the first two explicitly linking their increased fraud losses to these rackets.

In a typical scheme, fraudsters impersonate legitimate investment firms and trick individuals into transferring funds to their own accounts set up with high street banks.

Last year’s surge in cases coincided with the outbreak of the coronavirus crisis and the blanket lockdowns imposed across the UK shortly thereafter. The Financial Conduct Authority, a UK watchdog, said reports of push payment scams increased 29% from March to April 2020 and warned that the pandemic may have made people more susceptible to the schemes, since many are looking for ways to improve their finances in the aftermath of the largest shock to the UK economy for centuries.

Get in touch

Sign up to the Risk Quantum daily newsletter to receive the latest data insights.

Let us know your thoughts on our latest analysis. Email louie.woodall@infopro-digital, or send a tweet to @LouieWoodall or @RiskQuantum. You can also get in touch via LinkedIn.

Tell me more

Execution issues dominate UK bank op risk losses

Fraud makes up bulk of UK bank op risk loss events

View all bank stories

US regulators seek to tighten cyber incident reporting

By Steve Marlin | News | 23 March 2021
Europol has taken down a network used to sell tools to cyber criminals

New federal rule, mindful of Covid, will force firms to report serious incidents within 36 hours

US regulators are zeroing in on the design of banks’ critical incident response protocols as a key means of ensuring the safety and soundness of the financial system. High-profile threats from malicious actors affecting banks and their service providers can quickly erode confidence in the current climate.

Although the Bank Service Company Act already allows a bank’s primary federal regulator to examine bank operations performed by third parties, it contains no notification requirement in the event of a service disruption. A proposed rulemaking from federal regulators, set to enter force later this year, will change that.

“It doesn’t matter if the service is being performed by the bank itself or if it’s performed by a third party on behalf of the bank – we’ll have the ability to conduct examinations and to make sure that the third party is meeting the same standards as the financial institution itself,” said Kevin Greenfield, deputy comptroller for operational risk policy at the Office of the Comptroller of the Currency, at Risk.net’s OpRisk Global conference on March 22.

The notice of proposed rulemaking issued by the Federal Reserve, OCC and the Federal Deposit Insurance Corporation in January, will require banks and their service providers to notify supervisors within 36 hours once they learn of cyber security incidents that meet certain criteria that mark them as ‘notification incidents’.

These could include large-scale distributed denial of service attacks that disrupt customer account access for an extended period of time, system outages by a critical bank service provider, a failed system upgrade or change, a computer hacking incident, or infection by malware or ransomware.

Parallel legislation drafted by the European Union – the Digital Operational Resilience Act – would require financial institutions to report to authorities within one day of a major incident.

During the comment period, which ends on April 12, banks are expected to weigh in on the additional compliance burdens of the new rule. Questions are being asked as to whether computer security incidents should include only those that result in actual harm to the confidentiality, integrity, or availability of an information system, and whether the 36-hour notification requirement should be modified.

During the pandemic, federal regulators have warned banks to make sure their control environments are robust enough to spot potential gateways for malicious actors to gain access, as well as stressing the importance of properly vetted change management processes, with banks having to rapidly redesign many controls to adhere to Covid-19 restrictions, such as permitting front-office staff to trade remotely, and also quickly develop processes to support government stimulus programmes.

If someone hasn’t turned on the security or changed default passwords, they will exploit it

Kevin Greenfield, OCC

Greenfield noted that stolen credentials are one of the primary gateways for cyber criminals to gain access to systems, and regulators are emphasising the need for strong authentication. Firms that implement multifactor authorisation tend to fare better against attacks, he said.

“Malicious actors have access to the same manuals for these tools, and they look to see if it’s misconfigured, and if someone hasn’t turned on the security or changed default passwords, they will exploit it,” said Greenfield.

Speaking during an earlier panel at OpRisk Global, Arthur Lindo, deputy director for policy at the Federal Reserve Board’s division of supervision and regulation, noted that cyber criminals had still been “showing up for work every day” during the pandemic.

Vendor risk underlies many of the operational resilience principles issued last year by US regulators, which are intended to ensure financial institutions maintain critical services during a disruption. The pandemic has heightened the need for due diligence over vendors, many of them in offshore locations where personnel have difficulty accessing systems, and where financial firms may struggle to perform requisite penetration testing.

The impact of culture upon operational risk management guidelines in the banking sector of selected Asian countries

By Mihaela Mocanu | Technical paper | 19 March 2021