The economic cost of a fat finger mistake: a comparative case study from Samsung Securities’s ghost stock blunder

By Yongkil Ahn | Technical paper | 14 April 2021

Op risk data: Sberbank suffers $108m supermarket clean-out

By ORX News | Opinion | 9 April 2021

Also: Copper trader buys $36m of worthless bricks; big lenders hurt in $400m mortgage fraud. Data by ORX News

March’s largest operational risk loss was an 8 billion ruble ($108 million) commercial loan fraud at Russia’s Sberbank. The loans were made in January 2018, but the fraud only came to light last month after Russian authorities made three arrests.

The arrested individuals were former managers and employees of Russian supermarket owner InterTorg. The group reportedly gave the bank false information to obtain the loans, and then siphoned off the money for their own use.

InterTorg has since been declared bankrupt.



The second largest publicly reported loss was a settlement of $105 million by Sandell Asset Management and its owner Thomas Sandell in a tax evasion lawsuit brought by US authorities.

Sandell allegedly deferred paying taxes on $450 million of management and performance fees he had earned from overseeing offshore hedge funds. A 2008 change in deferred fee income recognition rules required Sandell to pay the taxes owed by the end of 2017. However, New York state authorities claim he tried to escape liability by relocating to London, even though his company continued to operate in New York.

The settlement arose after a whistleblower made claims under the New York False Claims Act in October 2018. The settlement covers damages, taxes, penalties, interest, legal fees and a $22 million payment to the whistleblower.

In March’s third largest loss, student debt relief company Hutton Ventures was ordered by a US district court to pay $53 million in penalties for misconduct.

Debt relief companies help borrowers to apply for loan forgiveness schemes or consolidate their loans to reduce their debt levels. Hutton was found to have violated US state and federal laws by providing false or misleading information to borrowers and charging fees for services that were otherwise available for free. In one example, company representatives told borrowers that no interest would be charged on the financing of a fee, when 20.99% interest was charged to nearly all New York customers in violation of the state’s 16% interest rate limit.

In fourth place, Swiss commodities trader Mercuria suffered a $36 million fraud when it discovered that it had been sent painted paving slabs instead of copper in a number of shipments from Turkey, according to a report by Bloomberg.

Mercuria is said to have agreed to buy $36 million of copper from Turkish company Bietsan, a supplier it had done business with before. The copper was initially loaded into a first shipment of containers, and was surveyed by an inspection company, which affixed anti-fraud seals to the containers. Soon after, the containers were allegedly opened, and the copper was replaced with painted paving stones. The perpetrators swapped fake and real container seals to avoid detection before the cargo left Turkey. Five shipments on separate days were reportedly switched in this manner.

While the cargo ships were at sea, Mercuria paid $36 million in five instalments. The fraud was discovered once the ships began arriving in the Chinese port of Lianyungang.

The fifth largest loss is a $22 million settlement by Swiss bank Rahn+Bodmer for helping US account holders evade tax. According to the US Department of Justice, the bank enabled customers to conceal their control of funds held in undeclared accounts. It did so by opening accounts for customers under pseudonyms or in the names of non-US legal entities to conceal their beneficial ownership. This allowed hundreds of US customers to evade paying a total of $16.4 million in US taxes between 2004 and 2012.

The DoJ announced a three-year deferred prosecution agreement with Rahn+Bodmer, in addition to the settlement.



Spotlight: Morgan accused of multi-million mortgage fraud

Mortgage fraud comes in all shapes and sizes; in the case of New York real estate kingpin Robert Morgan the size is upwards of $400 million.

That figure is the amount of loans that Morgan’s company is alleged to have fraudulently obtained, with losses to government-sponsored enterprises and banks including Fannie Mae, Freddie Mac, Deutsche Bank and UBS estimated at $9.5 million.

On March 4, the US Department of Justice announced that it had charged Morgan and fellow individuals from his property firm, Morgan Management, as well as a broker from another real estate firm, in a wide-ranging mortgage fraud scheme.

According to the DoJ, the individuals fraudulently obtained funds from financial institutions over a period of 12 years, by providing false information in support of mortgage loan applications for dozens of properties, including apartment blocks.

The defendants are said to have artificially inflated rents and reduced property expenses to make it look as if the properties were more profitable than they were. This way, they justified an unrealistically large mortgage loan amount.

In some cases, Morgan and others tried to conceal the fraud by making vacant units appear occupied during inspections by turning radios on, placing welcome mats and shoes in hallways outside vacant units, and paying individuals to pretend to be tenants in units the inspectors would enter.

The charges follow a separate investigation in 2020 by the US Securities and Exchange Commission, which resulted in an order for Robert Morgan to repay $63 million to investors affected by his fraud scheme.

Editing by Alex Krohn

All information included in this report and held in ORX News comes from public sources only. It does not include any information from other services run by ORX, and we have not confirmed any of the information shown with any member of ORX.

While ORX endeavours to provide accurate, complete and up-to-date information, ORX makes no representation as to the accuracy, reliability or completeness of this information.

Fed economist sounds alert over op risk capital arbitrage

By Steve Marlin | News | 6 April 2021

Insurance payouts could allow banks to pare back capital without equivalent reduction in risk, says paper

Recent research has reignited debate over how banks use insurance to reduce operational risk capital, with experts warning that incoming rules may encourage firms to “arbitrage” the system.

The standardised approach for operational risk allows banks to deduct insurance payouts from their op risk capital calculation. Marco Migueis, an economist with the US Federal Reserve Board, says this may incentivise banks to insure predictable, small-ticket op risk losses at the expense of large, black-swan events.

As a result, banks may be left without sufficient capital to cover fat-tailed risks such as a major systems outage, natural disaster or other catastrophe, argues Migueis in a paper published in February in the Journal of Operational Risk.

The opinions expressed in the paper are Migueis’s own, and do not necessarily represent those of the Federal Reserve.

An op risk capital head at a large bank says: “I agree that the current approach doesn’t focus on mitigating the risk in the tail, which is what capital is there for, and the way it has been designed provides incentives to protect the wrong type of losses.”

The standardised approach for operational risk, part of the Basel III package of reforms due to apply from January 2023, requires banks to calculate op risk capital by multiplying two components. One is a simple measure of bank income known as the business indicator component. The other is a measure of a bank’s op risk losses over the previous 10 years known as the internal loss multiplier. It uses a loss figure that is set to 15 times the bank’s average annual net losses during the lookback period.

Large banks could be encouraged to arbitrage and become speculative by financing high-frequency losses in an insurance policy type construct

Alex deLaricheliere, Marsh

To show how banks can use insurance to create arbitrage opportunities, Migueis offers a hypothetical example of a bank with average annual losses of $20 million, in which case its loss component would be $300 million. If by purchasing insurance the bank is able to reduce its losses to $5 million, then its loss component would fall to $75 million. However, its exposure to fat-tailed risks will not fall in proportion to this decline, potentially leaving the bank with insufficient capital to cover future losses.

“Insurance netting in the loss component may result in arbitrage opportunities, as banks can reduce their capital requirements without a commensurate decrease in risk,” Migueis writes.

Insurance for operational risk losses generally falls into two categories: policies that cover everyday losses such as credit card fraud; and those for rare but costly events.

According to Migueis, if a bank is able to buy insurance that covers small-dollar losses, it can use the payouts to net down its overall loss figure and thus reduce its capital requirements. In fact, it could have insurance only for these smaller losses and remain uninsured for big losses, and still receive a hefty decrease in capital.
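The arithmetic behind Migueis’s argument, worked through as an added example (this is not code from the paper or from any regulator). It takes the article’s description of the loss component, 15 times the average annual net loss over a 10-year lookback, and applies two constructed policies to a constructed loss history: a “small-ticket” policy that pays each loss in full up to a per-event limit, and a tail policy that pays only the part of a loss above a large deductible. The loss history, the policy shapes and the use of the largest single loss as a proxy for tail exposure are all assumptions made for the illustration.

```python
"""Added illustration of insurance netting under the Basel III standardised
approach as the article describes it: loss component = 15 x average annual
net loss over a 10-year lookback.  Loss history and policies are constructed."""

LOOKBACK_YEARS = 10
LC_MULTIPLIER = 15  # loss component = 15 x average annual net loss (per the article)

# Constructed gross loss history, USD millions, one list of loss events per year.
# Every year carries the same small, predictable losses; year 7 also has one
# large tail event.
GROSS_LOSSES = [[3.0, 4.0, 5.0] for _ in range(LOOKBACK_YEARS)]
GROSS_LOSSES[6] = [3.0, 4.0, 5.0, 90.0]


def attritional_policy(per_event_limit):
    """Assumed shape of a 'small-ticket' policy: pays each loss in full up to
    a per-event limit, so it recovers the frequent small losses and little of
    a large one."""
    return lambda loss: min(loss, per_event_limit)


def excess_policy(deductible):
    """Assumed shape of a tail-risk policy: pays only the part of a loss above
    a deductible, so small losses are not recovered at all."""
    return lambda loss: max(0.0, loss - deductible)


def net_losses(losses_by_year, recovery):
    """Apply a policy's per-event recovery function and return the net losses."""
    return [[loss - recovery(loss) for loss in year] for year in losses_by_year]


def loss_component(losses_by_year, multiplier=LC_MULTIPLIER):
    """Loss component as the article states it: multiplier x average annual loss."""
    annual = [sum(year) for year in losses_by_year]
    return multiplier * sum(annual) / len(annual)


def worst_event(losses_by_year):
    """Largest single loss in the history: a crude proxy for tail exposure."""
    return max(loss for year in losses_by_year for loss in year)


def compare(losses_by_year, recovery):
    """Relative reduction in the loss component versus relative reduction in
    the worst single loss when a policy is netted into the history."""
    gross_lc = loss_component(losses_by_year)
    gross_tail = worst_event(losses_by_year)
    net = net_losses(losses_by_year, recovery)
    net_lc = loss_component(net)
    net_tail = worst_event(net)
    return {
        "gross_lc": gross_lc,
        "net_lc": net_lc,
        "lc_reduction": (gross_lc - net_lc) / gross_lc,
        "gross_tail": gross_tail,
        "net_tail": net_tail,
        "tail_reduction": (gross_tail - net_tail) / gross_tail,
    }


if __name__ == "__main__":
    policies = [("small-ticket, $10m per event", attritional_policy(10.0)),
                ("tail, $50m deductible", excess_policy(50.0))]
    for name, policy in policies:
        r = compare(GROSS_LOSSES, policy)
        print(f"{name}: loss component {r['gross_lc']:.0f} -> {r['net_lc']:.0f} "
              f"({r['lc_reduction']:.0%}); worst event {r['gross_tail']:.0f} -> "
              f"{r['net_tail']:.0f} ({r['tail_reduction']:.0%})")
```

On this constructed history the small-ticket policy cuts the loss component from $315 million to $120 million (about 62%) while trimming the worst single loss only from $90 million to $80 million (about 11%); the tail policy does the reverse, cutting the loss component by about 19% but the worst loss by 44%. That asymmetry is the arbitrage the paper describes: the capital measure rewards the policy that does least for the tail.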

Alex deLaricheliere, US financial institutions and professional services industry leader at Marsh, says: “The research is pointing out that large banks could be encouraged to arbitrage and become speculative by financing high-frequency losses in an insurance policy type construct, and that could have capital implications.”

Covering the tail

Under the previous advanced measurement approach (AMA), which the standardised approach is to replace, banks could insure against their tail risk losses and use the anticipated recoveries to offset their capital requirements. However, during the discussions on amending the op risk capital rules, regulators felt this practice was too dependent on forward-looking estimates. Instead, they settled on a more retrospective view, one based on the recoveries that could actually be achieved based on historical losses.

“Regulators felt that if you are already purchasing insurance it’s only fair that part of that coverage be deducted from your capital. That’s how it was under the AMA, and they tried to transfer over this concept to the standardised approach. So they said: ‘Look at historical coverage of losses: what did you lose and what did you recover? Then we’re only going to go off the net losses,’” says a risk capital executive at a large US bank.

Others suggest it could be difficult in practice for banks to arbitrage their capital calculation in the way that Migueis describes.

For one, insurers and banks would need to agree on precisely what repeat operational risks are insurable and what the recoveries would be. Pricing such a policy would be highly complex, with premiums guided by past claims and likelihood of recurrence.

An example would be losses arising from a breakdown of some or all of a bank’s IT and communications systems, where the failure might have cost the client future expected business.

“Insurance companies take great care in, amongst other things, being very clear what risks they are insuring, and what losses they will allow a claim for. Therefore, insurance is not going to provide cover for all operational risks, and will not provide a payout for elements of a loss that is not provided for in the policy wording,” says Edward Sankey, an independent risk management consultant.

Migueis argues that the standardised approach should be changed to permit banks to receive capital benefits from protecting against tail risk losses, either by insurance or improved risk management.

Banks can and do insure against tail risk losses. Such policies are bespoke and expensive, but banks reason that the coverage would be valuable in the event of a large, unforeseen operational risk loss. It is likely that some banks would continue to use such policies even though they attract little, if any, capital reduction under the standardised approach.

But experts warn against banks financing small-dollar losses with insurance policies, and using this coverage as a reason to focus their risk management efforts solely on tail risk.

“Bank supervisors could well be uncomfortable by such a selective reduction of effort, so the efficiency gain may not be achievable,” says Sankey.

Editing by Alex Krohn

Users clash with ASX over changes to its DLT settlement system

By Luke Clancy | News | 2 April 2021

Industry groups and tech experts worry that proposed last-minute changes will introduce new risks

Changes proposed by Australia’s top exchange to its new blockchain-based settlement system for stocks have drawn fire from prominent sections of users, who fear that the amendments will create new risks.

Under the proposal published in February, the Australian Securities Exchange (ASX) will move to an exception-only reporting model, meaning that clearing brokers will no longer receive confirmation messages for trades that settle successfully. The overnight netting cycle will also be replaced by a continuous process, which ASX says will result in greater capacity.

The consultation closed on March 18. Based on conversations with seven industry sources, ASX will have received some unhappy feedback, pointing to hiccups in the rollout of distributed ledger technology (DLT) in finance as the technology’s popularity grows around the world.

“The proposed changes in functionality shift substantial processing load and risk onto clearing brokers,” says Damian Jeffree, senior director of policy at the Australian Financial Markets Association (Afma). “[The changes] will require substantial rework of systems and processes at what is quite an advanced point in the project, and this increases risks.”

ASX’s new settlement system will replace its current ageing system, known as Chess. Under Chess, both securities and funds settle on a net basis across participants, and this will be retained.

But individual confirmation messages for successful transactions will no longer be sent out. Rather, participants will be notified of the total funds settled, as well as of the instructions that have failed. They will be able to request the details of the underlying instructions that formed part of settlement for a specified account, security, basis of movement, and settlement date.
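What “self-determining settlement finality” would involve for a clearing broker, as an added example rather than any code from ASX or a vendor. It assumes the exception-only report has the shape the article describes (net funds settled per account plus the list of failed instructions) and matches it against the participant’s own record of submitted instructions; the instruction ids, account ids, securities and amounts are constructed.

```python
"""Added example of the reconciliation a participant must perform under
exception-only reporting: infer which of its own instructions settled from a
per-account funds total and a list of failures, then check the inference
against the reported total.  All data below is constructed."""
from decimal import Decimal

# The participant's own record of the settlement instructions it submitted.
# cash > 0 means funds received, cash < 0 means funds paid (constructed data).
INSTRUCTIONS = [
    {"id": "I1", "account": "A100", "security": "XYZ", "cash": Decimal("1000.00")},
    {"id": "I2", "account": "A100", "security": "ABC", "cash": Decimal("-250.00")},
    {"id": "I3", "account": "A100", "security": "DEF", "cash": Decimal("-400.00")},
    {"id": "I4", "account": "A200", "security": "XYZ", "cash": Decimal("500.00")},
    {"id": "I5", "account": "A200", "security": "ABC", "cash": Decimal("-500.00")},
    {"id": "I6", "account": "A300", "security": "DEF", "cash": Decimal("300.00")},
]

# Assumed shape of the exception-only report: net funds settled per account and
# the ids of instructions that failed.  No per-instruction confirmations.
SETTLED_FUNDS = {"A100": Decimal("750.00"), "A200": Decimal("0.00"),
                 "A300": Decimal("0.00")}
FAILED_IDS = {"I3"}


def reconcile(instructions, settled_funds, failed_ids):
    """Infer settlement status per account and check it against reported totals.

    An instruction not in the failure list is presumed settled.  The cash those
    presumed-settled instructions imply is compared with the funds the exchange
    reported; a mismatch means the summary alone cannot establish finality and
    the participant must request the underlying instruction detail before
    releasing client assets."""
    by_account = {}
    for ins in instructions:
        acct = by_account.setdefault(ins["account"], {
            "settled": [], "failed": [], "expected": Decimal("0.00")})
        if ins["id"] in failed_ids:
            acct["failed"].append(ins["id"])
        else:
            acct["settled"].append(ins["id"])
            acct["expected"] += ins["cash"]
    for account, acct in by_account.items():
        acct["reported"] = settled_funds.get(account)
        acct["ok"] = acct["reported"] is not None and acct["reported"] == acct["expected"]
    # A non-zero total for an account we hold no instructions for is also an exception.
    for account in settled_funds.keys() - by_account.keys():
        by_account[account] = {"settled": [], "failed": [], "expected": Decimal("0.00"),
                               "reported": settled_funds[account],
                               "ok": settled_funds[account] == Decimal("0.00")}
    return by_account


def accounts_needing_detail(result):
    """Accounts whose finality cannot be self-determined from the summary report."""
    return sorted(a for a, r in result.items() if not r["ok"])


if __name__ == "__main__":
    result = reconcile(INSTRUCTIONS, SETTLED_FUNDS, FAILED_IDS)
    for account, r in result.items():
        print(account, "OK" if r["ok"] else "QUERY", "expected", r["expected"],
              "reported", r["reported"], "failed", r["failed"])
    print("request detail for:", accounts_needing_detail(result))
```

Account A300 is the case the critics are pointing at: instruction I6 is not reported as failed, yet no funds arrived, and nothing in the summary says whether it is pending, netted against something the participant does not see, or simply missing. Under per-instruction confirmations that ambiguity would not arise; under the proposed model it has to be resolved by a further query and reconciliation run, for every such account, during the business day.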

Participants will be required to self-determine settlement finality by performing additional processing, reconciliation and verification activities

Judith Fox, Stockbrokers and Financial Advisers Association

Judith Fox, chief executive of Australia’s Stockbrokers and Financial Advisers Association (Safaa), echoes Jeffree’s criticisms of the proposal, arguing that it will result in “a significant increase” in operational risk for participants.

“They will no longer be provided with an auditable settlement chain to definitively identify the settlement obligations being netted and fully settled,” she explained in her consultation response. “Participants will be required to self-determine settlement finality by performing additional processing, reconciliation and verification activities for a large volume of client transactions during business hours.”

Fox also agrees with Jeffree that market participants will have to redo much of the work they have already completed.

“This introduces additional costs. Furthermore, all additional change at this stage in the project incurs additional delivery risk,” she wrote in her response.

The proposal was put forward as late as five years after work on the Chess replacement began, and only two years before its delayed go-live date.

ASX itself said in its consultation that software providers might need to “refactor” – in simple terms, restructure – some of the software they had been developing in preparation, depending on whether they had already developed to the code delivered to the “customer development environment”.

Afma and Safaa are calling for an independent review of the proposal to determine if it poses any additional risks to users.

Scale, but at a cost

Some software vendors are also critical of the changes being considered by ASX.

An executive at a vendor that connects to Chess says reducing the number of confirmation messages could introduce systemic risk in the event of a counterparty failure or liquidation event.

“Today, everything is kept in sync, and all participants are fully informed as to how the cancellation and netting process works. There are never any concerns about missing anything,” the person says, referring to so-called novation netting, in which offsetting transactions are cancelled and replaced with a new, net transaction.

“But because they need to reduce their messaging volumes, the ASX is no longer going to tell the market how those trades have been cancelled. They’re just going to expect that participants in the market will work it out themselves.”

The executive also worries that the ASX proposal will introduce further reconciliation points in a system that was designed to require far fewer reconciliations than Chess.

We are not putting operational risk on our customers, but are proposing to do things a different way than we have done historically over the past three decades

Tim Hogben, ASX

The exchange denies that the changes – which it says are supported by regulators – shift more work to users and expose them to additional risks.

“We are not putting operational risk on our customers, but are proposing to do things a different way than we have done historically over the past three decades,” says Tim Hogben, chief operating officer at ASX. “Customers are still going to get all the information they need. They are just going to get it through different means and different workflows.”

He argues the changes are necessary to ensure the new system can scale “so we never have to talk about capacity again”. They will allow the Chess replacement to handle 15–20 million trades a day and ultimately up to 40–50 million, he says. Chess has the capacity to cater for 7 million trades per day over multiple consecutive days. It is unclear what the new system would be able to handle without the changes.

ASX decided to revisit the design of the DLT system after experiencing a major spike in trading volumes in March 2020, when activity exceeded previous peaks by more than seven times, the exchange said in its consultation.

The Australian Securities and Investments Commission has also expressed “significant concern” about an outage at the exchange on November 16. ASX has said the incident was caused by a software glitch during the rollout of its updated platform for equities. Asic is investigating the incident, which includes assessing whether ASX has sufficient technological resources to operate its markets.

Dividing opinion

A spokesperson for the exchange provides further defence of its suggested changes. He says ASX received around 30 responses out of a total of approximately 70 “relevant stakeholders”, which includes vendors, clearing and settlement participants, alternative market operators and industry associations.

“The less than 50% submission rate could reflect a general satisfaction with the proposals being consulted on and/or confidence that an overall view will be accurately captured in the submissions made by the vendors and industry associations,” the spokesperson says in an email.

He adds that the feedback included confidential comments in support of ASX’s efforts to “reduce the number of messages” it sends and “scale to much higher volumes”.

But for some market participants, the envisaged changes to the netting process are a bigger concern. ASX determined that, as volumes increase, netting would take increasingly longer and would at some point exceed the time available for overnight processing. It decided the best option would be to calculate netting on a continuous basis as trades are registered and novated to its clearing house, ASX Clear.

Will the proposed new workflow create a global precedent for netting pre-settlement obligations on a distributed ledger? Or might it be a consequence of a technology that may not readily scale up to ‘net’ peak trade volumes?

Paul Conn, Computershare

Paul Conn, president of global capital markets at vendor Computershare, argues that continuous netting could undermine “settlement discipline” by enabling a short position to remain open and unchecked for an extended period without either a penalty or the risk of being closed out “through a buy-in arrangement, for failing to deliver [securities]”.

“These are two mechanisms that can be used by a settlement system operator to encourage on-time settlement and enforce settlement discipline,” says Conn, who helped develop Chess when he held senior roles at ASX earlier in his career.

In a blog published on March 15, he also wrote that the planned changes raised a number of questions, including: “Will the proposed new workflow create a global precedent for netting pre-settlement obligations on a distributed ledger? Or might it be a consequence of a technology that may not readily scale up to ‘net’ peak trade volumes?”

Several other exchanges and market infrastructures, including the US Depository Trust and Clearing Corporation, are developing DLT platforms to handle post-trade processing.

ASX plans to release completed code for the Chess replacement at the end of June, it said in its consultation in February. More recent comments by Hogben chime with this timeline: he says the exchange is on track to complete “customer-facing functionality” in June, with testing starting after that.

Asic did not respond to a request to comment about the proposed changes. ASX’s other regulator, the Reserve Bank of Australia, declined to comment.

Editing by Olesya Dmitracova

Fraud op risk losses edged up at UK banks in 2020

By Louie Woodall | Data | 24 March 2021

External and internal fraud accounted for the lion’s share of the operational risk losses at five top UK banks in 2020, and made up a greater portion of the average total than the year before, Risk Quantum analysis shows.

At Barclays, Lloyds, NatWest Group, Santander UK and Standard Chartered, fraud was cited as the cause behind 38% of total op risk losses by value on average. The year before, it was 22%.

Santander UK attributed 59% of total op risk losses incurred last year to fraud, compared with 30% in 2019. As a share of actual op risk incidents, fraud made up 89% of the total, up from 80% in 2019.


NatWest Group reported the largest percentage-point increase in the share of losses attributable to fraud across the banks. In 2020, fraud accounted for 72% of all losses, compared with just 6% in 2019. The amount lost to fraud came to £88 million ($120 million) last year and £57 million the year before that. NatWest said that year-on-year increase was a function of the group having “an increased liability for reimbursing customers impacted by authorised push payment scams”. As a share of op risk incidents, NatWest said fraud accounted for 94% of the total.

Alone of the five banks, StanChart reported a drop in the share of op risk losses attributable to fraud between 2019 and 2020. These made up 25% of its total in 2020, down from 39% the year before. The bank did not disclose how many fraud incidents it had or what percentage share of the total these amounted to.

Across the five banks, losses due to execution, delivery and process management failures were responsible for the second-largest share of op risk expenses in 2020, making up 33% on average.

What is it?

Many banks disclose operational risk losses and event volumes broken down by categories set down in the Basel II framework. Basel standard-setters defined seven categories of operational loss event types: internal fraud; external fraud; employment practices and workplace safety; clients, products and business practices; damage to physical assets; business disruption and system failures; and execution, delivery and process management.

The business disruption and system failures category encompasses hardware, software, telecommunications and utility outages and disruptions. Execution, delivery and process management events include “losses from failed transaction processing or process management, from relations with trade counterparties and vendors”.

The calculations for Barclays, Lloyds, NatWest Group and Santander UK are based on the volume and value of events where the associated loss is more than or equal to £10,000. Standard Chartered’s report did not disclose whether this threshold applied. Legal and conduct risks are excluded from the banks’ operational risk event templates.

Why it matters

Push payment schemes were cited by NatWest, Santander and Lloyds in their annual reports, with the first two explicitly linking their increased fraud losses to these rackets.

In a typical scheme, fraudsters impersonate legitimate investment firms and trick individuals into transferring funds to accounts the fraudsters have set up with high street banks.

Last year’s surge in cases coincided with the outbreak of the coronavirus crisis and the blanket lockdowns imposed across the UK shortly thereafter. The Financial Conduct Authority, a UK watchdog, said reports of push payment scams increased 29% from March to April 2020 and warned that the pandemic may have made people more susceptible to the schemes, since many are looking for ways to improve their finances in the aftermath of the largest shock to the UK economy for centuries.

Get in touch

Sign up to the Risk Quantum daily newsletter to receive the latest data insights.

Let us know your thoughts on our latest analysis. Email louie.woodall@infopro-digital, or send a tweet to @LouieWoodall or @RiskQuantum. You can also get in touch via LinkedIn.

Tell me more

Execution issues dominate UK bank op risk losses

Fraud makes up bulk of UK bank op risk loss events

View all bank stories

US regulators seek to tighten cyber incident reporting

By Steve Marlin | News | 23 March 2021

New federal rule, mindful of Covid, will force firms to report serious incidents within 36 hours

US regulators are zeroing in on the design of banks’ critical incident response protocols as a key means of ensuring the safety and soundness of the financial system. High-profile threats from malicious actors affecting banks and their service providers can quickly erode confidence in the current climate.

Although the Bank Service Company Act already allows a bank’s primary federal regulator to examine bank operations performed by third parties, it contains no notification requirement in the event of a service disruption. A proposed rulemaking from federal regulators, set to enter force later this year, will change that.

“It doesn’t matter if the service is being performed by the bank itself or if it’s performed by a third party on behalf of the bank – we’ll have the ability to conduct examinations and to make sure that the third party is meeting the same standards as the financial institution itself,” said Kevin Greenfield, deputy comptroller for operational risk policy at the Office of the Comptroller of the Currency, at the OpRisk Global conference on March 22.

The notice of proposed rulemaking, issued by the Federal Reserve, OCC and the Federal Deposit Insurance Corporation in January, will require banks and their service providers to notify supervisors within 36 hours once they learn of cyber security incidents that meet certain criteria that mark them as ‘notification incidents’.

These could include large-scale distributed denial of service attacks that disrupt customer account access for an extended period of time, system outages by a critical bank service provider, a failed system upgrade or change, a computer hacking incident, or infection by malware or ransomware.

Parallel legislation drafted by the European Union – the Digital Operational Resilience Act – would require financial institutions to report to authorities within one day of a major incident.

During the comment period, which ends on April 12, banks are expected to weigh in on the additional compliance burdens of the new rule. Questions are being asked as to whether computer security incidents should include only those that result in actual harm to the confidentiality, integrity, or availability of an information system, and whether the 36-hour notification requirement should be modified.

During the pandemic, federal regulators have warned banks to make sure their control environments are robust enough to spot potential gateways for malicious actors, and have stressed the importance of properly vetted change management processes. Banks have had to rapidly redesign many controls to adhere to Covid-19 restrictions, such as permitting front-office staff to trade remotely, and to quickly develop processes to support government stimulus programmes.

If someone hasn’t turned on the security or changed default passwords, they will exploit it

Kevin Greenfield, OCC

Greenfield noted that stolen credentials are one of the primary gateways for cyber criminals to gain access to systems, and that regulators are emphasising the need for strong authentication. Firms that implement multifactor authentication tend to fare better against attacks, he said.

“Malicious actors have access to the same manuals for these tools, and they look to see if it’s misconfigured, and if someone hasn’t turned on the security or changed default passwords, they will exploit it,” said Greenfield.
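The two conditions Greenfield singles out, a device still on its factory-default credentials and a privileged login without a second factor, are both checkable from an inventory before an attacker checks them for you. The following is an added example of such a check, not code from the OCC or any vendor; the inventory, the product names and the default-credential table are constructed placeholders, and a real programme would load a maintained default-credential list rather than the two entries here.

```python
"""Added example: audit a service inventory for factory-default credentials
and privileged logins without MFA.  Inventory and default-credential table
are constructed placeholders, not a real vendor list."""
import hashlib
import hmac


def _sha256(text):
    """Hex SHA-256, used so the inventory stores password hashes, not plaintext."""
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed table of factory-default (username, password) pairs per product.
# Product names are placeholders.
DEFAULT_CREDENTIALS = {
    "example-vpn": [("admin", "admin"), ("admin", "password")],
    "example-switch": [("admin", ""), ("root", "root")],
}

# Constructed inventory of management logins.  A real one would come from a
# CMDB or configuration export; passwords are stored here only as hashes.
INVENTORY = [
    {"service": "vpn-gw-01", "product": "example-vpn", "username": "admin",
     "password_sha256": _sha256("admin"), "privileged": True, "mfa": False,
     "mgmt_exposed": True},
    {"service": "vpn-gw-02", "product": "example-vpn", "username": "admin",
     "password_sha256": _sha256("Str0ng-unique-passphrase"), "privileged": True,
     "mfa": True, "mgmt_exposed": True},
    {"service": "core-sw-03", "product": "example-switch", "username": "root",
     "password_sha256": _sha256("root"), "privileged": True, "mfa": True,
     "mgmt_exposed": False},
    {"service": "jump-host", "product": "linux-host", "username": "ops",
     "password_sha256": _sha256("rotated-2021-03"), "privileged": True,
     "mfa": False, "mgmt_exposed": False},
]


def audit(inventory, defaults=DEFAULT_CREDENTIALS):
    """Return one finding per weak condition found on each login.

    default-credential: the stored hash matches a known default for that
    product and username.  no-mfa-on-privileged-login: a privileged account
    relies on the password alone.  Severity is raised when the management
    interface is reachable from outside."""
    findings = []
    for acct in inventory:
        exposed = acct["mgmt_exposed"]
        for user, password in defaults.get(acct["product"], []):
            if user == acct["username"] and hmac.compare_digest(
                    _sha256(password), acct["password_sha256"]):
                findings.append({"service": acct["service"], "user": user,
                                 "issue": "default-credential",
                                 "severity": "critical" if exposed else "high"})
                break
        if acct["privileged"] and not acct["mfa"]:
            findings.append({"service": acct["service"], "user": acct["username"],
                             "issue": "no-mfa-on-privileged-login",
                             "severity": "high" if exposed else "medium"})
    return findings


if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f"{f['severity']:<8} {f['service']:<12} {f['user']:<6} {f['issue']}")
```

Comparing hashes rather than plaintext keeps the check itself from becoming a credential store, and constant-time comparison is cheap insurance against a timing side channel if the check is ever exposed as a service. The findings list is deliberately per condition, so a login that is both on a default password and unprotected by MFA, as vpn-gw-01 is here, shows up twice and is fixed twice.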

Speaking during an earlier panel at OpRisk Global, Arthur Lindo, deputy director for policy at the Federal Reserve Board’s division of supervision and regulation, noted that cyber criminals had still been “showing up for work every day” during the pandemic.

Vendor risk underlies many of the operational resilience principles issued last year by US regulators, which are intended to ensure financial institutions maintain critical services during a disruption. The pandemic has heightened the need for due diligence over vendors, many of them in offshore locations where personnel have difficulty accessing systems, and where financial firms may struggle to perform requisite penetration testing.

The impact of culture upon operational risk management guidelines in the banking sector of selected Asian countries

By Mihaela Mocanu | Technical paper | 19 March 2021

Clear, concise, consistent, doable – rules for a risk policy

By Charles Fishkin and Jay Newberry | Opinion | 18 March 2021

Effective risk policies may be elusive, but they’re a must, say two veterans of the art

No shirt, no shoes, no service. The pithy policy at many a beach bar entrance lays clear ground rules for management, employees and clients alike.

For financial institutions, however, creating and implementing a written risk policy is no day at the beach; it is often a struggle that can leave them vulnerable to serious problems. Some of the more harmful ones are financial loss, reputational damage, regulatory action and strained relationships with clients. Failure to set a clear risk strategy can also blur a firm’s mission.

In finance, it is a necessity that risk management policies be clear, concise, actionable and consistently followed. Although creating and maintaining effective risk policies is an organisational challenge, it is achievable over time with planning, expertise, sustained effort – and support from senior management.

Effective risk policies are not about box-checking or simply meeting compliance requirements; they express the most fundamental criteria for an organisation’s strategy, identity and approach to risk-taking.

In describing such efforts, the words ‘policy’ and ‘procedure’ are often used interchangeably, but they have different roles that are frequently misused or misunderstood.

Broadly speaking, a risk policy is a formal written statement – designated as such – describing actions that are either required or prohibited. Procedures, however, provide employees with instructions on how to perform a function, such as opening an account for a new customer.


While policies typically apply to an entire organisation, procedures often vary by business. A global credit policy might be supported by separate policies and procedures for different divisions, such as wholesale trading, corporate lending, retail or credit cards.

Many organisations have separate policies for significant risks or functions and might have hundreds of policies. In functional terms, these can include new client approvals, vendor selection, permitted investments and safeguarding data privacy – or such risks as model risk, market risk, credit and operational risk.

Large global organisations often maintain multiple policy tiers, where broad statements of global risk appetite are supported by more detailed statements for specific divisions or business units.

Although written policies are essential, they can be a challenge for organisations to create and maintain. Policies frequently lack a clearly stated purpose – because organisations have no consistent or common agreement on what a policy should accomplish. It thus becomes difficult to determine whether a policy is fulfilling its intended purpose. Often – and certainly in smaller firms without a developed operational risk function – no-one owns the process for creating and maintaining policies.

It is a frequent occurrence that organisations will intentionally avoid creating policies on ambiguous or controversial issues – just where they are most needed. Examples include approval of complex or novel transactions, approving questionable customers or expanding the use of existing products for new and riskier applications.

If there is no formal policy, there can be no violation – and no added requirement to determine whether a policy might have been followed. A portfolio manager who invests in private equity transactions, for example, may want to retain broad flexibility to structure deals – and might therefore resist requirements to review investment terms with an oversight group. Yet such flexibility could also exclude an appropriate assessment of reputational risk and other key risks.

Where they do exist, policies frequently have either insufficient or excess detail. Some are overly general or high level and some state the obvious; they often fail to offer guidance on the most essential matters. Others are so specific and expansive in their detail as to make it hard for readers to identify key requirements. Consequently, staff members maintain their usual established practices, regardless of policy requirements.

One frequent complaint from staff members is that policies are overly complicated and difficult to use. A firm’s employees should not need a lawyer to determine what a policy requires. A related outcome is that even the best-intentioned employees do not know which policies apply to their specific roles. For example, when Credit Suisse’s operational risk head, a former trader, took over his role, he concluded that the bank’s handbook for traders was so long that no-one would finish it, so he set it aside and rewrote it.

In larger firms, such as multinational banks, it can also be unclear who has authority to make policy exceptions. Without a clear process to follow, it can be difficult for organisations to quickly make decisions or respond to clients. Again, Credit Suisse provides a recent example of making an exception to perceived policy rules.

Errors of omission

A firm’s senior leadership or its board of directors is rarely involved in the creation of risk policies – a regrettable oversight because such leaders and board members should ultimately define an organisation’s appetite and tolerance for risk.

Policies are often not flexible enough to address extreme and unexpected conditions effectively, such as a global pandemic, severe power outages or insurrection. Consider the recent market disruption relating to GameStop, which exposed the vulnerabilities of organisations to extreme market volatility. The situation highlights the theme that effective policies must be in place before a crisis occurs.


On an important and related theme, some employees are effectively treated as exempt from policy requirements. Usually these are the ‘stars’ of the organisation – those who generate the largest amounts of revenue or hold significant client relationships – and their behaviour is sometimes ignored even when it contravenes their own firms’ policies. Yet an unchecked minor infraction can escalate into serious problems, resulting in regulatory fines, legal settlements and fees. Consider the many familiar situations, such as the inappropriate sale of financial products, efforts to manipulate Libor or taking on clients that expose an organisation to reputational risk.

During his 2015 trial over Libor-rigging, for instance, Tom Hayes spoke of a culture he claimed failed to reprimand revenue-generators for questionable behaviour, admitting he was rarely challenged over his actions.

Moreover, often policies are not revised when there are changes in an organisation’s strategy, significant reporting relationships or product and service offerings. For example, the chief risk officer at Citizens Financial Group expressed this theme in relation to the separation from Royal Bank of Scotland. The point was also discussed recently by the chief risk officer of Nordea Asset Management, when he moved to the fund from a bank.

As a result, employees often come to view policies as irrelevant and ignore them.


It is not a one-time exercise to create effective risk policies. It is an ongoing process. Although there is no easy fix, organisations can make substantial progress over time if they provide the necessary motivation, effort and resources to explore creative and pragmatic solutions.

Among specific steps to consider, a useful start is to establish a team of professionals who can develop and oversee the creation and revision of policies.

Involve the necessary experts, whether internal or external, in both design and content. Ask this team to create a comprehensive inventory of all policies – followed by a thorough review of each – both as standalone documents and as components of existing policies.

Alongside this, create an efficient process for exceptions and describe it clearly in the policy itself. Design policies in a consistent style and format that can be understood by the people using them. Create policies in digital form within a comprehensive library so that they can be organised, accessed, searched and cross-referenced easily.

Examine the effectiveness of policies and revise them as needed. As appropriate, remove policies that are obsolete or no longer needed. Provide anonymous and safe channels for individuals to report observations of non-compliance.

As with all other policies, risk policies must be relevant, usable and applied consistently.

Serving suggestions

Carefully designed risk policies will provide their organisation with tangible benefits that easily justify the expense of creating and maintaining them. Not least, this process will provide an enhanced understanding of which risks organisations should take and which they should avoid, enabling the organisation to deploy its people, capital and intellectual assets in the most productive way. It will reduce the number and size of policies, as some are identified as redundant and others obsolete.

Effective risk policies will also provide a clear process to enable potential risk events to be identified, assessed, reported and managed properly. They will increase clarity around the roles of the various stakeholders – including employees, senior management, third parties and the board of directors. They will also create a clear and efficient process for obtaining exceptions and for escalating them to the appropriate levels.

In turn, this will promote employee satisfaction, helping staff members better understand the scope and demands of their jobs and perform them more effectively.

A central aspect of these benefits is the participation of senior management and the board of directors in formalising the expression of an organisation’s appetite and tolerance for risk. This will send a clear message to its shareholders, equity analysts, journalists, elected officials and regulators about the organisation’s mission and strategy.

Well-designed risk policies enable organisations to use their capital, people and technology to the fullest possible extent.

Much more than a mere exhortation to follow a given set of rules, they are a strategic necessity.

The views expressed here are the authors’ own and do not necessarily reflect the views of any other organisation.

Charles Fishkin is the former director of the Office of Risk Assessment at the US Securities and Exchange Commission. He is an adjunct faculty member in the Master’s Programme in Financial Engineering at Bernard M Baruch College of The City University of New York.

Jay Newberry is an independent risk management consultant. He recently retired from a 30-year career at Citigroup. Among his roles there, he was responsible for development and oversight of global risk management policies and served as managing director and global head of Citi’s operational risk management framework. He has also taught in the Master of Science Programme in Enterprise Risk Management at Columbia University in New York.


Op risk data: Pandemic paradox of low, low losses

By ORX News | Opinion | 12 March 2021

Also: Navient gets schooled for scam; Amex holiday let-down; BNL’s Italian Job hit. Data by ORX News

February’s largest loss fell to student loan company Navient, which was ordered to repay $22.3 million after being found to have overcharged the government for student loan subsidies.

A US Department of Education (DoE) audit in 2009 found that Navient – which at the time was the loan-servicing operation of Sallie Mae (SLM Corporation) – had collected overpayments of special allowance payments from two separate loan bond funds, on loans funded by tax-exempt obligations that had matured.

In the 1980s, the government guaranteed lenders 9.5% return on loans financed through tax-exempt bonds, which later allowed lenders to make a large profit as interest rates fell. But, after the subsidy was withdrawn in 1993, lenders packaged newer loans with pre-1993 iterations to keep receiving the payments. The DoE’s audit found that Navient had received the higher rate payments when it was no longer eligible to do so and that Navient’s billing practices were not compliant with payments requirements.

A DoE whistle-blower reportedly sounded the alarm after noticing that lenders were transferring loan financing between bonds to increase the volume of loans qualifying for the subsidies.

In 2013, investigators recommended Navient return the $22.3 million, but the firm denied any wrongdoing. In March 2019, a judge found Navient liable for the improperly gained bond subsidies between June 1, 2002, and July 1, 2005, which was upheld in January of this year by the Acting US Secretary of Education, affirming that Navient was liable to repay the subsidies.

Navient was reportedly assessing its options in the wake of the upheld judgment. Navient and Sallie Mae formally separated their operations in 2014, splitting into legally separate entities focussed on loan management and consumer banking, respectively.


In February’s second-largest loss, Hong Kong-based cryptocurrency trading venues Bitfinex and Tether agreed to pay $18.5 million to settle claims that they misled the market and customers by making false statements about the US dollar backing of the tether stablecoin and about the movement of hundreds of millions of dollars between the two companies to cover up large losses by Bitfinex.

According to their agreement with the New York Attorney General, in 2017 Bitfinex and Tether, both owned by DigiFinex, misled the market about Tether’s one-to-one US dollar backing. Prior to March 2017, Bitfinex and Tether used several Taiwan-based banks to send and receive wire transfers to fulfil client orders for US dollars, with Wells Fargo as the correspondent bank. But in late March of that year, Wells Fargo decided it would no longer process dollar wire transfers from Bitfinex and Tether accounts, forcing the companies to find alternative banking arrangements.

Between then and September 15, 2017 at least, Tether did not have a significant banking relationship, meaning it could not hold sufficient dollars to back purchases either on the Tether website or via the Bitfinex platform.

“Tether’s claims that its virtual currency was fully backed by US dollars at all times was a lie,” said the AG. “These companies obscured the true risk investors faced and were operated by unlicensed and unregulated individuals and entities dealing in the darkest corners of the financial system.”

Bitfinex and Tether neither admitted to nor denied the AG’s finding and agreed to cease all trading activities with New York persons or entities in addition to paying the $18.5 million penalty.

In February’s third-largest loss, Dutch bank Nederlandse Waterschapsbank (NWB Bank) was defrauded of €12 million ($14.3 million) on a loan based on forged documents.

The loan was obtained by an individual posing as a representative of the municipality of Steenbergen in the Dutch province of Brabant. The fraud was discovered in mid-January 2021, when the municipality received a letter requesting the first repayment of €1.2 million on the loan. The municipality had no previous business with the bank and said that none of its employees seemed to have been involved in the fraud, which reportedly involved forged signatures.

February’s fourth-largest loss saw CaixaBank fined €2 million ($2.39 million) by the Spanish Comisión Nacional del Mercado de Valores (CNMV) for its failure to assess the suitability of complex financial products for certain customer profiles.

Spanish law states that when a firm offers services, excluding advisory services, it should collect information about customers and potential customers regarding their knowledge and experience relating to the products or services offered. This information should be used to ensure the product is suitable for the customer.

The CNMV found that CaixaBank had made an inadequate evaluation of its clients in relation to their suitability for the complex financial instruments. The law also states that a copy of a suitability assessment should be provided to the customers explaining whether the complex financial products were suitable for them.

In the fifth largest loss of the month, four individuals were arrested in connection with a caper movie-style bank heist in which an estimated €1 million ($1.19 million) was stolen from the vaults of Banca Nazionale del Lavoro (BNL) in Lecce, Italy, in 2018.

According to the investigation, one or more of the thieves accessed BNL’s vault during the afternoon of Friday, November 9, 2018, before the branch closed for the weekend, allegedly remaining inside the vault until the evening of November 11, when the robbery took place. The thieves reportedly disabled the alarm system from the inside, allowing them to open the armoured door of the vault – which usually opens only when the branch office is open. The alarm system’s signal transmission cables, which transmit alarm and video surveillance data outside of the branch, had also been cut.

An estimated €1 million of cash and jewellery was stolen from 80 of the vault’s 310 safety deposit boxes, which the thieves reportedly forced open using a blow torch.

They were only supposed to blow the Lecce doors off.



Spotlight: Amex takes fake holiday hit

While most of the world has been prohibited from leisure travel, one holiday let proprietor has been getting criminally creative. In February, it was reported that a property owner listing on the holiday booking website Expedia cost American Express $1.2 million in advance payments for fake bookings made through the site.

The owner apparently made an eye-popping 1,721 fake bookings for a single holiday apartment between at least February 2020 and March 2020. Its Expedia contract stipulated that, as a merchant, the owner use American Express services for advance payments on apartment bookings through the vPayment system, which assigns a single- or multi-use virtual account number to each transaction.

American Express would make an advance payment to the owner’s current account for the full amount of the booking and Expedia would then reimburse American Express for the payment. But a bug in vPayment’s system allowed the system’s numbering to be replicated, which the owner then exploited, transferring the money fraudulently acquired through the merchant account into other accounts.

The investigation into the scheme began after American Express received alerts in the US related to fraudulent vPayment transactions by one of its merchants. Following confirmation from the Fraud Office, American Express took its complaint to the Italian Postal Police.


In focus: The seven-year switch; time for low losses to turn?

For operational risk managers, the great paradox of the pandemic is that op risk losses have dipped dramatically. And while it’s no surprise that Covid-19 has had a huge impact on the day-to-day operations of financial firms globally, few could have foreseen that publicly reported op risk losses would have dipped to their lowest level since 2013. It remains to be seen whether this will continue.

Since March 1, 2020, the number of loss events recorded in the ORX News database has seen a decrease of nearly 54% compared with the previous 12 months. In the past year, it has recorded 394 loss events, versus 853 the prior year. The frequency of events has fallen by more than half in almost every region, barring Western Europe.

Despite this significant drop, total loss severity for the two periods has remained relatively similar. In the 12 months pre-pandemic, total loss severity was $23.75 billion and, since March 1, 2020, loss severity has totalled $24.76 billion.

The fractional increase in total loss severity in this period is skewed by two massive conduct-related fines meted out by regulators in North America. Goldman Sachs agreed to pay $5.07 billion in settlements to the US Department of Justice and the Hong Kong Securities and Futures Commission over its role in the 1Malaysia Development Berhad fraud. Furthermore, the Blue Cross Blue Shield Association agreed to pay $2.67 billion to settle a multidistrict litigation alleging that it had engaged in anti-competitive market practices. These two events alone are responsible for 31% of total loss severity since March 1, 2020. North America’s losses account for nearly 48% of total loss severity for the 12-month timeframe, despite only around 30% of all loss events occurring there.

The number of publicly reported loss events each month since March 2020 has remained relatively low compared with the previous 12 months. Some notable monthly comparisons include the drop-off from 31 events in February 2020 to just 19 in March 2020. The month of May 2020 saw the lowest number of publicly reported loss events since February 2014, with just 13 events that month. February 2021 also recorded just 13 events and the lowest total loss severity since August 2013, with just $56.6 million of losses recorded.



The frequency of all loss events, according to the Basel risk taxonomy, has also dropped with almost half as many events being assigned to each Basel event type. Notable instances of both external and internal fraud have decreased, although we could begin to see an uptick in these events post-pandemic as more instances of fraud come to light – especially in Covid relief fraud. These relief funds carry a high mis-selling risk – firms are worried about the risk of fines and lawsuits if they are offered to customers inequitably.

There are several possible explanations for the reduction in publicly reported losses. The attention of media around the world has been laser-focused on pandemic-related news, which means there have been fewer resources for reporting on peripheral events. And regulatory activity was itself affected by the coronavirus, leading to a shift in focus and a reduction in fines from regulators.

As countries begin to plan for a time beyond the era of lockdown and other restrictions associated with the pandemic, it may be that publicly reported loss events become increasingly frequent. Regulatory forbearance could come to an abrupt end, as banks recover – and attitudes to potential Covid-era transgressions might change. As firms take stock of their situation post-pandemic, impacts could start to crystallise as losses, and we could begin to see more of these reported in the media.

Editing by Louise Marshall

All information included in this report and held in ORX News comes from public sources only. It does not include any information from other services run by ORX, and we have not confirmed any of the information shown with any member of ORX.

While ORX endeavours to provide accurate, complete and up-to-date information, ORX makes no representation as to the accuracy, reliability or completeness of this information.

Correction, March 12, 2021: A previous version of this article called Navient the publicly-traded arm of SLM Corporation, also known as Sallie Mae. In fact, the two firms have been legally separate since 2014.

GFXC sees no changes to code on pre-hedging

By Laura Matthews, Rebekah Tunstead | News | 11 March 2021

Committee rejects calls to set more strict boundaries to controversial practice

The Global Foreign Exchange Committee (GFXC) pushed back against market participants’ call for change to the pre-hedging principle contained in the FX Global Code, all but killing their hopes to see some detailed guidance around the practice. 

“The essence of the code is principles-based, it’s not prescriptive and it’s not regulatory. Therefore, the point is not to nail down a particular size at which pre-hedging suddenly becomes more appropriate, but instead to talk about how the market should think about pre-hedging as part of an overall toolkit for FX execution,” says Neill Penney, the committee’s co-vice chair. 

The GFXC, the industry body tasked with overseeing currency markets, is expected to meet later this month to discuss potential amendments to the code as part of its triennial review due to be completed by mid-year. It is set to discuss principles around disclosures, algorithmic trading, anonymous trading, last look and pre-hedging.

But Penney anticipates the committee will focus on further educating the market about the pre-hedging practice rather than changing the code itself. To that extent, the GFXC plans to add more illustrative examples to the existing ones to ensure the practice can be better understood.

The move comes despite concerns raised by some market participants around the lack of details in the code on what constitutes pre-hedging. The practice, in which a market-maker builds an offsetting position in advance of a client trade with the aim of managing the associated risk, is open to abuse and can be hard to distinguish from an attempt to front-run a trade.

Principle 11 of the code states that market participants should only pre-hedge a client’s order when acting as principal to the trade, and without disadvantaging the client or disrupting the market. For this reason, dealers are encouraged to be transparent with clients about their execution choices. But some practitioners believe the wording of the code is too vague and the GFXC should do more.

“I don’t think disclosures in the first version of the code are actually disclosures at all. I think they’re disclaimers,” says an industry source. 


A second industry source says: “Unless you define what the rare case in which pre-hedging can be used is, the issue is, does it apply to everything? That’s where I think [the revised code] should come out.” 

Penney pushes back on the criticism, arguing that those taking issue with the practice and the principle around it are few in number and don’t necessarily reflect the view of the FX market as a whole.

“I think it’s very important to acknowledge that for most market participants, [last look and pre-hedging] are not critical issues. I would push back on anyone who has that view,” Penney says. “You need to look at the bigger picture here: the purpose of the code is to develop and maintain overall good conduct in the market. It’s not to be a technical document that focuses disproportionately on specific execution techniques such as pre-hedging or last look.”

The GFXC’s measured approach is backed by the committee’s own survey published in 2019 in which 68% of respondents did not think the code should be changed or added to. Of the 29% of participants who said that areas of the document should be updated, 6.5% wanted amendments to the illustrative examples around pre-hedging and only 4.25% said the pre-hedging principle in the code needed to be changed.


Setting boundaries

In total, Risk.net spoke to seven sources from a mix of market-makers for this article. The conversations indicate their desire for the GFXC to set stricter boundaries to ensure that pre-hedging can only be used for large transactions.

Currently, there is no standard definition of what constitutes a large order in FX, which means dealers are making individual judgement calls and interpreting current guidance as they see fit. As a result, this can give rise to abuses such as pre-hedging in the last-look window, another item currently under review by the GFXC.

Practitioners say this could be avoided, for example, by having minimum thresholds linked to different currency pairs, time zones and execution type. Setting minimums and ensuring proper disclosure of how transactions above a certain threshold are pre-hedged will ensure that small trades are not in play for dealers, the argument goes.

“You don’t have to be 100% statistically accurate, but you could just have some sort of cut-off matrix and that would act as a barrier to the exception becoming a common occurrence,” says the first industry source. “You could easily set quantitative guidance at the low end of that, and it still has significant effect within the code and within the market.”

It is understood that some dealers have already created internal thresholds for what they consider to be large orders. These metrics are being used to keep clients updated on the bank’s plans to fill their orders and provide an extra layer of transparency.

But some market participants point out that alongside proper disclosures from the banks, the clients need to take more ownership of how their large orders are being handled and leave clear instructions on how they expect them to be executed.

“Clients should be in that position and be in charge of that. And then the bank can decide, ‘do we want to quote this?’” says the head of e-trading at a European bank. “If the client decides ‘I don’t want you to pre-hedge at all’, which might be a principle that a lot of clients would choose, then the bank can decide if they want to quote the order or not.”

The Johnson case

Pre-hedging has been under heavy scrutiny since the 2016 indictment of Mark Johnson, a former global head of FX cash trading at HSBC. The following year, Johnson was convicted of frontrunning a client’s multi-billion-dollar currency order by tipping off a team of traders at the bank on the timing of the transaction.

In 2020, he was denied an appeal at the US Supreme Court, a move that all but closed the door to further examination on the controversial practice’s legal boundaries. 

Pre-hedging remains a hot topic not just for FX traders but their legal teams too. In a January meeting of the Financial Markets Lawyers Group, an organisation of lawyers sponsored by the Federal Reserve Bank of New York, members were asked for ideas on how to incorporate the Johnson case into the examples that will inform the revised FX Global Code. 

The hope is that such an inclusion would help illustrate the difference between permissible and illegal activity in trading ahead of a client order or be used to strengthen the first three principles of the code that deal with ethics. 

But to the best of Penney’s knowledge, there is no planned change to the code that would make specific reference to the Johnson case. “That would move away from the idea of the code being broad and principles-based,” he says. 

Different perspectives

Discussions on pre-hedging are also under way at a number of European regulatory bodies. A European Securities and Markets Authority spokesperson told Risk.net the regulator has committed to issue guidance on pre-hedging practices next year. This follows feedback from respondents to the Market Abuse Regulation (Mar) review report who asked Esma to provide greater clarity on the definitions of pre-hedging and frontrunning, and the instances where the former is allowed.

The European Commission is also looking into the practice and it is understood it will begin working on the Mar review in the second half of this year. In December, Guy Debelle, deputy governor of the Reserve Bank of Australia and chair of the GFXC, told Risk.net the EC was particularly interested in the pre-hedging principles in the code. It is not yet clear when the EC work will be concluded.

Penney says the GFXC has been speaking informally with the EC and Esma around the topic to ensure there is consistency in approaching the issue.

“One of the challenges to face is these groups are all different: the mandates are different, the focuses are different, and the timelines are different. If you’re an EU regulator, your perspective on a question like pre-hedging is going to be different than if you are a global voluntary code of conduct,” says Penney.