Also: ING mirrors ABN client loan loss; CS lands huge fine for tuna bonds. Data by ORX News
October’s largest operational risk loss was a €180 million ($206 million) provision made by ING towards compensation for retail customers who did not receive the best interest rates on variable loans. The affected customers paid rates that were not in line with the variable market interest rate. The compensation applies to around 10% of the contracts for these products.
ING is booking the provision in the third quarter of 2021 to fund the compensation scheme and expects to close the matter before the end of 2022.
The loss echoes the $297 million provision made by ABN Amro in September this year. In a ruling on February 5, 2020, the Dutch Financial Services Complaints Tribunal (Kifid) stated that interest charged on flexible credits should remain in line with market interest rates, and that the interest rate published by the Dutch central bank, De Nederlandsche Bank, should be the reference rate used for all loans originated since 2010.
The ruling resulted from a complaint by an ABN Amro client to Kifid on July 26, 2018. ABN Amro had extended an interest-only flexible credit to the client with a credit limit of €50,000 and a variable interest rate. Despite the market rate falling and the fact that other lenders had offered lower rates, the interest rate on the credit was not reduced. The client allegedly overpaid €25,000 in interest and called for the interest rate to be reduced retroactively for the period from 2006 to June 26, 2018.
The month’s second largest loss involved a hacker stealing $139.2 million in cryptocurrencies from decentralised finance (DeFi) network Boy X Highspeed (BXH). BXH is built on cryptocurrency exchange Binance’s Smart Chain (BSC), which has proved vulnerable to attacks. The hacker stole 4,000 ether as well as bitcoin and BSC-native cryptocurrencies.
BXH offered a $1 million bounty for the hacker’s identity, or a reward of the same size to the hacker if the money was returned. Its chief executive, Neo Wang, has reportedly said that if the hacker was not found or the funds not returned, BXH would take full responsibility for the incident and draw up a user repayment plan.
The third largest loss took place at Cream Finance, another DeFi network, which suffered the theft of some $132 million in cryptocurrencies. PeckShield, a blockchain analytics company, discovered that the platform had been drained through a flash loan exploit and reported it. This marked the third successful hack on the platform in the past year.
Cream Finance management reportedly stated they believed around $40 million of the stolen funds could potentially be recovered.
The month’s fourth largest loss occurred when Colonial First State was ordered by the Australian Securities and Investments Commission to pay A$170.1 million (US$124 million) for misleading pension customers on their superannuation funds.
ASIC found that on at least 12,978 occasions, Colonial, which is owned by Commonwealth Bank of Australia, made deceptive representations regarding investment directions to members of its FirstChoice Fund. The bank told customers that because of legislative changes, Colonial was required to contact them and obtain an investment direction to stay in the FirstChoice Fund rather than a default product with lower fees, which it was in fact required to offer under the new legislation.
Additionally, Colonial failed to tell members that if it did not receive an investment direction from the customer, it was required to transfer their superannuation contributions into the default product.
The fine consisted of A$20 million and a restitution of A$150.1 million.
The month’s fifth largest loss is a tale of derring-do, executed when the manager of an unnamed Emirati bank approved a $35 million transfer after an apparent call from the bank’s chief executive officer. In reality, the manager had been duped by voice-cloning technology – deepvoice – which convincingly imitated the CEO.
In January 2020, the branch manager received the call from what sounded like the bank’s CEO, instructing the manager to make transfers of $35 million to several accounts as part of an acquisition, which would be handled by a lawyer named Martin Zelner. At the same time, the manager received emails from Zelner in relation to the phone call, supporting this instruction and including a letter of authorisation signed by the CEO.
Obligingly, the bank manager followed these instructions and transferred the funds to the accounts specified.
An ongoing investigation has identified 17 known and unknown defendants to date.
Credit Suisse faces a total of $675.2 million in fines and other payments for its failings in the so-called ‘tuna bond’ scandal.
US, UK and Swiss regulators separately penalised the bank for granting syndicated loans to risky Mozambican state-owned entities contracted to buy boats from Privinvest, a Lebanon-based shipbuilder. The Securities and Exchange Commission (SEC), the Financial Conduct Authority (FCA) and the Swiss Financial Market Supervisory Authority (Finma) all fined the bank in their respective jurisdictions.
Credit Suisse UK arranged two loans totalling $1 billion to two state-owned companies, Proindicus and Ematum. The loans, which equalled roughly 6% of the size of Mozambique’s GDP, were state-guaranteed. When the tuna fleet Ematum had difficulty with repayments in 2016, the loans were swapped for bonds issued by Mozambique. Credit Suisse carried out the debt restructuring.
ProIndicus and Ematum were newly formed state-owned entities with no prior business operations. Their official purpose was to protect the country’s coastline and fishing interests. In reality, they acted as a vehicle for kickbacks to bankers and bribes to government officials, while the borrowing itself was concealed from the IMF. Through the scheme, Mozambican officials, the three Credit Suisse bankers and others received improper payments totalling $200 million.
Credit Suisse was aware that Mozambique carried a high risk for government corruption, deficient formal procurement processes and suffered a lack of scrutiny on industrial projects, the regulators found. Indeed, the bank’s former regional chief executive had warned against lending money to Privinvest and Mozambique.
According to the SEC, one Privinvest intermediary was even known as the ‘master of kickbacks’.
Three former Credit Suisse bankers have been arrested and indicted for related corruption and bribery between 2013 and 2016.
Credit Suisse was ordered to pay $475 million in fines and restitution and to provide $200 million in debt relief. The SEC found the bank had violated antifraud provisions, maintained deficient internal accounting controls and failed to properly address known bribery risks. It also found that the offering materials Credit Suisse created and distributed to investors hid the underlying corruption and falsely stated that the proceeds would help develop Mozambique’s tuna fishing industry.
The US Department of Justice also found Credit Suisse liable for defrauding US and international investors. The FCA focussed on Credit Suisse’s failure to properly manage the risk of financial crime within its emerging markets business and the impact of the fraudulent loans that precipitated a debt crisis and significant economic harm for the people of Mozambique. Finma found that Credit Suisse had seriously violated the organisational requirements and the Anti-Money Laundering Act (Amla) reporting obligations.
Russian bank VTB Capital also provided capital for the syndicated loans and consented to pay $6.4 million to the SEC for violations of negligence-based antifraud provisions of the federal securities laws.
Editing by Louise Marshall
All information included in this report and held in ORX News comes from public sources only. It does not include any information from other services run by ORX, and we have not confirmed any of the information shown with any member of ORX.
While ORX endeavours to provide accurate, complete and up-to-date information, ORX makes no representation as to the accuracy, reliability or completeness of this information.
Transition to new framework under Basel II pushes op risk to two-year high
Commerzbank’s operational risk-weighted-assets (RWAs) rose 6.7% in the third quarter after the bank switched to the standardised approach to calculate capital requirements.
Operational RWAs – previously calculated under the advanced measurement approach (AMA) – increased by €1.2 billion ($1.4 billion) to €19.8 billion to their highest level since Q3 2019. They now account for 11.3% of total RWAs, up 83 basis points on the previous quarter.
The bank did not disclose the whole amount linked to the switch but said an “RWA buffer was formed” in order to take the methodology change into account. A bank’s spokesperson added the switch will formally happen in the fourth quarter, but its impact was already included in Q3.
Basel II rules lay out three methods by which banks can calculate their capital requirements for operational risk: the basic indicator approach; the standardised approach; and the AMA.
The first two use bank data inputs and regulator-set formulae to generate the required capital, while the AMA allows banks to use their own models to produce the outputs, using internal loss data, external data, scenario analysis, and business environment and internal control factors.
The incoming Basel III framework, published in December 2017, will replace these three with a revised standardised approach.
This uses a simple accounting measure of a bank’s total income, known as the business indicator, to sort firms into three size buckets. A marginal coefficient is applied to the portion of the indicator falling in each bucket, and the sum is the business indicator component. That component is then multiplied by an internal loss multiplier, a scaling factor based on the bank’s average historical losses relative to its business indicator component.
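The calculation described above, carried through in code. This is an added example written for this page, not a Commerzbank model or a Basel Committee artefact. It uses the bucket thresholds (€1 billion and €30 billion), marginal coefficients (12%, 15%, 18%), loss component (15 times average annual losses) and multiplier formula of the finalised Basel III standard; the input figures are constructed and do not describe any real bank.

```go
package main

import (
	"fmt"
	"math"
)

// Bucket thresholds and marginal coefficients of the Basel III standardised
// approach for operational risk (BCBS, December 2017). Amounts are in euros.
const (
	bucket1Cap = 1e9  // business indicator up to EUR 1bn
	bucket2Cap = 30e9 // business indicator up to EUR 30bn; above is bucket 3
	coef1      = 0.12
	coef2      = 0.15
	coef3      = 0.18
	lcFactor   = 15.0 // loss component = 15 x average annual losses
)

// Bucket returns the size bucket (1, 2 or 3) for a business indicator bi.
func Bucket(bi float64) int {
	switch {
	case bi <= bucket1Cap:
		return 1
	case bi <= bucket2Cap:
		return 2
	default:
		return 3
	}
}

// BusinessIndicatorComponent applies the coefficients marginally: each slice
// of the BI that falls in a bucket is charged at that bucket's coefficient, so
// the component is continuous in the BI and a bank does not jump at a boundary.
func BusinessIndicatorComponent(bi float64) float64 {
	bic := coef1 * math.Min(bi, bucket1Cap)
	if bi > bucket1Cap {
		bic += coef2 * (math.Min(bi, bucket2Cap) - bucket1Cap)
	}
	if bi > bucket2Cap {
		bic += coef3 * (bi - bucket2Cap)
	}
	return bic
}

// LossComponent is 15 times the bank's average annual operational risk loss
// over the preceding ten years.
func LossComponent(avgAnnualLoss float64) float64 {
	return lcFactor * avgAnnualLoss
}

// InternalLossMultiplier is ln(e - 1 + (LC/BIC)^0.8). It equals exactly 1 when
// LC == BIC, is below 1 for banks whose loss history is light relative to their
// size and above 1 for banks with heavy losses.
func InternalLossMultiplier(lc, bic float64) float64 {
	return math.Log(math.E - 1 + math.Pow(lc/bic, 0.8))
}

// OperationalRiskCapital returns BIC, ILM and the capital charge BIC x ILM.
// Bucket-1 banks use ILM = 1; supervisors may also fix ILM = 1 for all banks.
// Operational RWAs are 12.5 times the capital charge.
func OperationalRiskCapital(bi, avgAnnualLoss float64) (bic, ilm, orc float64) {
	bic = BusinessIndicatorComponent(bi)
	ilm = 1.0
	if Bucket(bi) > 1 {
		ilm = InternalLossMultiplier(LossComponent(avgAnnualLoss), bic)
	}
	return bic, ilm, bic * ilm
}

func main() {
	// Constructed inputs: a bucket-3 bank with BI of EUR 35bn and average
	// annual losses of EUR 400m. Not Commerzbank's or any real bank's figures.
	bi, avgLoss := 35e9, 400e6
	bic, ilm, orc := OperationalRiskCapital(bi, avgLoss)
	fmt.Printf("bucket %d, BIC EUR %.2fbn, ILM %.3f, capital EUR %.2fbn, RWA EUR %.1fbn\n",
		Bucket(bi), bic/1e9, ilm, orc/1e9, 12.5*orc/1e9)
	// The same bank with a lighter loss history: only the loss data moves the
	// charge now, which is why the approach cannot be "modelled down".
	_, ilm2, orc2 := OperationalRiskCapital(bi, 200e6)
	fmt.Printf("halved losses: ILM %.3f, capital EUR %.2fbn\n", ilm2, orc2/1e9)
}
```

Because the coefficients are marginal, a bank with a €35 billion business indicator gets 12% on the first €1 billion, 15% on the next €29 billion and 18% on the final €5 billion, a component of €5.37 billion; a loss component above that pushes the multiplier over 1 and the charge above the component, a loss component below it pulls the charge down.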
A single standardised approach is intended to smooth the large variation observed across banks’ own risk calculations and the associated regulatory capital. Transitioning to the Basel III framework is expected to trigger a rise in op risk charges for EU banks, according to the European Banking Authority, with some banks likely to be hit harder depending on the methodology they currently use.
Over the years, Commerzbank has relied on the AMA to reduce the heat from op risk spikes. In the first quarter of the year, for example, a tweak to its internal model resulted in a 9% drop in capital charges linked to op risk.
The bank’s medium-term plan is to keep op RWAs at around the €18 billion mark by 2024, but the latest increase makes the task harder since it will no longer be able to model down its charges.
Alongside Commerzbank, other major European banks such as Deutsche Bank and ING have been using the AMA to calculate 100% of their op RWAs.
Correction, November 8, 2021: The summary in the original version of this story stated incorrectly that Commerzbank switched to the standardised approach under Basel III. This has been amended.
If you have any thoughts on our latest analysis or want to suggest other ways to present and analyse the data, you can email us.
Sfr1bn increase expected to accrue over the next six months
Credit Suisse expects its operational risk-weighted assets (RWAs) to rise by Sfr1 billion ($1.1 billion) by next March, as the bank digests a flurry of litigation provisions.
The increase – tentatively quantified by chief financial officer David Mathers on today’s (November 4) earnings call – would have inflated op RWAs by about 1.4% as of end-September, to Sfr70.1 billion, the highest since the third quarter of 2019.
It already took on Sfr6.7 billion in new op RWAs during the first half of the year, after increasing provisions for US misconduct allegations dating back to the global financial crisis.
Op RWAs rose 1% over Q3, due to currency fluctuations. As of end-September, they accounted for just under one-fourth of the bank’s total Sfr278.1 billion RWAs, up from 24% at end-June and 20% at end-December 2020.
“In respect of the litigation provisions [taken in Q3] … I would expect an increase in op risk RWAs, as it works its way through the system over the next couple of quarters, of around Sfr1 billion … I don’t have any more visibility at this point in terms of any other operational risk charges or moderated charges relating to the Archegos matter or, indeed, to the Greensill matter” – David Mathers, Credit Suisse CFO.
Basel II rules lay out three methods by which banks can calculate their capital requirements for operational risk: the basic indicator approach; the standardised approach; and the advanced measurement approach (AMA).
The first two use bank data inputs and regulator-set formulae to generate the required capital, while the AMA allows banks to use their own models to produce the outputs, using internal loss data, external data, scenario analysis and business environment and internal control factors.
Under incoming Basel III rules, all banks will be required to shift to a revised standardised approach. Credit Suisse currently calculates all its op RWAs using the AMA.
Op risk can be as subtle and unstoppable as the sea tide, slowly submerging ever more of a bank’s capital reserves. And for Credit Suisse, the ghost of misconduct past keeps coming back.
Beyond the high-profile cases of the Greensill-backed investment funds’ collapse and the misselling of bonds at the expense of Mozambique’s state coffers, the bank is still dogged by allegations spanning a decade.
The Q3 financial report lists, among others: a civil action by the state of New Jersey over the misselling of subprime-backed securities, set to go to trial in September 2022; civil actions in California and New York over interbank rate manipulation; two pending cases linked to over-the-counter trading practices; and a lawsuit in Singapore by clients defrauded by a rogue wealth manager.
This is arguably par for the course for any global bank with huge investment banking and wealth management franchises. But for Credit Suisse in particular, the op RWA one-twos just keep coming, and risk diverting precious capital resources from new chairman António Horta-Osório’s sweeping restructuring plans.
Regulators are reluctant to specify cloud risks, despite warning of overreliance on three big providers
Banks are asking US regulators to provide more detailed guidance on the risks presented by cloud service providers, such as Amazon, Google and Microsoft.
The Federal Reserve, Office of the Comptroller of the Currency (OCC) and Federal Deposit Insurance Corporation are preparing to issue new interagency guidance on managing the risks associated with entering into contracts with external suppliers. A draft version of the guidance, put out for consultation in July, does not distinguish between different types of third-party services, but cybersecurity experts say cloud providers present unique risks that need to be spelled out more clearly.
“Getting more clarity on cloud would be helpful. I would like to see a little more detail on what’s expected,” says a chief information security officer at a North American bank.
The proposed guidance makes it clear that banks are ultimately responsible for the risks of operations that are outsourced to third-party providers. “You can outsource the administration of the operation, but you can’t outsource the risk. That still remains with the bank and the bank needs to have an effective risk management programme,” says a senior regulator involved in drafting the proposal.
Regulators have previously voiced concern that overreliance on the big three service providers – Amazon, Google and Microsoft – could place the financial system at risk in the event of an outage or service disruption. However, they are understood to be reluctant to single out cloud providers for special attention or controls in official guidance, leaving it to banks to identify and manage the risks inherent in these relationships.
“Every cloud is different,” says the senior regulator. “It is the bank that needs to configure and manage the operation in the cloud. The bank needs to understand what parts of the cloud environment are configured and managed by the cloud provider and which still need to be managed by the bank itself.”
Critics of the proposed interagency guidance – which is based on existing third-party risk guidance issued by the OCC in 2013 – say it is outdated and ignores the realities of dealing with giant technology firms that wield enormous negotiating power. Some in the industry are calling for the contents of an FAQ published by the OCC in 2020 to supplement its 2013 guidance – which addresses risk management expectations with respect to cloud computing in more detail – to be incorporated into the interagency guidance.
While the OCC’s 2020 FAQ reiterates that “third-party risk management for cloud computing is fundamentally the same as for other third-party relationships”, it also concedes that “specific technical controls in cloud computing may operate differently than in more traditional network environments”. Banks are advised to clearly document the division of these control responsibilities between the cloud provider and the bank “in the contract”.
Charles Forde, a former operational risk manager at UBS, says that’s good advice and should be reflected in the final interagency guidance. “Whether using a cloud provider for applications, as a platform or for infrastructure, there will be split responsibility for different levels of security, from physical security, on up to the platform and to the application level. It needs to be clearly defined.”
Industry sources are also pushing for other elements of the OCC’s FAQ to be worked into the forthcoming guidance. For instance, the OCC concedes in its FAQ that banks may have to deal with vendors that “do not allow banks to negotiate changes to their standard contract, do not share their business resumption and disaster recovery plans, do not allow site visits, or do not respond to a bank’s due diligence questionnaire”.
The document goes on to detail a series of actions banks should take when faced with this situation, including considering alternate providers, being prepared for service interruptions, and “determining if the risk to the bank of having limited negotiating power is within the bank’s risk appetite”.
In a comment letter sent to US prudential regulators on October 4, the Securities Industry and Financial Markets Association called for much of this language to be included in the interagency guidance. It also called on regulators to confirm that banks may continue to enter into arrangements with cloud service providers despite the high degree of concentration among vendors, provided that appropriate steps are taken to address the other risks highlighted in the proposed guidance.
OpRisk North America: banks warned of “disconnect” between theory and practice
Banks in the throes of drawing up a playbook for how to cope with a repeat of the coronavirus pandemic or disaster of a similar sweeping magnitude need to make sure first-line employees understand it and could implement it at short notice, a senior bank examiner has warned lenders.
“I’ll be disappointed if I go into a firm, and resiliency people show me graphs and PowerPoints, and then I go to senior management or people on the front line and they can’t explain it. If I see a disconnect between the culture of resilience versus the planning, that is a warning sign,” said Rick Cech, a supervisor in operational risk governance at the Federal Reserve Bank of New York, at Op Risk North America on October 22.
Cech, who previously spent more than two decades in various op risk roles at JP Morgan before becoming a bank examiner, emphasised he was expressing his own views, and not those of the New York Fed or the US Federal Reserve System.
US prudential regulators last year released guidelines on resilience planning for banks. The guidance set out expectations that banks conduct scenario analysis to determine their ability to maintain business operations in the event of severe disruption, such as that arising from cyber attacks or natural disasters, which involves mapping the interdependencies of core business lines and critical operations.
However, the Fed has refrained from providing detailed rules for constructing scenarios, preferring to allow firms to tailor them to their own requirements. “Supervisors don’t have the expertise to prescribe a scenario-testing programme,” noted Cech.
Instead, supervisors are looking for a systematic approach to operational resilience. This means not only having a group of expert scenario planners, but also that they possess the leadership skills to combine both planning and execution throughout the organisation, including senior management, according to Cech. Data needs to be granular enough to describe the impacts of events on business activities.
“Firms need to organise metrics and figure out what they need, adding predictive data so the data speaks to you, as opposed to masses of information. Some firms just count up loss events, but it’s more important to say what drove the event,” he said.
Because operating models have changed during Covid, resilience plans are also expected to account for pandemic planning, and account for new models of behaviour and business processes, as well as an increased dependence on third parties. Dependence on critical third parties will be even more important in a post-Covid world, Cech noted.
This means subjecting resilience scenarios to constant re-evaluation through simulations known as ‘tabletop’ exercises.
“You need to stress them to identify the gaps with your playbook, not mirror what that playbook is telling you. You know you drafted that playbook for obvious reasons. It’s meant to be well designed, but it’s the operating effect that you’re looking to test,” said Gus Ortega, head of technology, innovation and operations risk at Voya Financial, speaking during an earlier panel on resilience planning at Op Risk North America.
Under the Bank of England’s more punitive regime, banks have until March 2022 to identify their important business services and set an “impact tolerance” – the maximum level of disruption the service could withstand without causing harm to the firm’s clients, or, for the largest firms, without posing a risk to the UK financial system. By 2025 at the latest, they will need to demonstrate that each important service can continue operating in a range of disruptive scenarios.
Although not subject to either set of resilience rules, Freddie Mac has begun formulating impact tolerance statements, said Nita Kohli, its vice-president of operational resilience, at Op Risk North America. When she joined the company two years ago, there was not a clear understanding of what impact tolerances were, but today there’s an organisational imperative to understand vulnerabilities, to set impact tolerances, and to have real-time information when an event is unfolding.
“Having a statement is great, but you need to operationalise that statement. What worries me when we talk about impact tolerances is that it’s a huge challenge for us to get real-time information on all those contributing factors,” said Kohli, who was speaking during the same debate as Ortega.
Tenfold increase in web-enabled devices via 5G and IoT means explosion in cyber threats, says official
An explosion in the number of internet-enabled devices is opening up banks and financial firms to an exponentially greater array of backdoor cyber threats, leaving human risk managers unable to monitor them all. Instead, banks could deploy machine learning-based solutions to monitor the vast amount of threat data in real time, according to a senior official at the US Federal Reserve.
By some estimates, the world will see a tenfold increase in the number of devices with web connectivity in the coming years, thanks to a dramatic speed-up in the roll-out of 5G data networks and Internet of Things (IoT)-enabled devices. Any such device, where it interacts with a bank’s network – or where staff with access to sensitive data might share or store that data on other networks – presents a potential vulnerability.
“In terms of risk management expectations, the way we think about the perimeters has got to be shifted,” said Arthur Lindo, deputy director for policy at the Federal Reserve Board’s division of supervision and regulation. “One of the solutions might be AI-oriented. A part of the risk management toolkit is going to be augmented.”
Lindo, who played a crucial role in drawing up the Fed’s rules on how banks can best ensure operational resilience, added that risk managers would need artificial intelligence to help them deal with threats in the new environment.
“There’s no way, as human beings, [that] we can handle all of that input that’s coming through in a logical way. We’re going to need some assistance. So, part of [the] risk management structure will, by definition, have an AI component,” he said during a panel discussion at OpRisk North America on October 20.
Lindo added that regulators expected financial firms to recognise the dynamic changes in technology about to arrive: “Our expectation is that firms will be resilient in light of all these new technologies, and be aware of these risks. We steer clear of being prescriptive, but the challenges are immense with the amount of data that can be transferred in the new structures.”
The entire industry was currently “not quite there” in meeting that expectation, he added: “There are going to be some laggards. And we’re kind of figuring out what we do with those who do not adjust appropriately. But our message has been clear: we need you to prepare for that level of resiliency.”
Thanks to the mass adoption of homeworking by many bank employees, the threat was not limited to devices brought onto a bank’s premises, Lindo pointed out. Company staff working outside the office environment would use a range of internet-enabled devices, such as televisions and cars, expanding the threat landscape far beyond what was traditionally thought of as a work environment, he added.
This threat itself is not new: successful network hacks in the past have exploited devices as diverse as Fitbits and photocopiers. Rather, the change in dynamic stems from the phenomenal growth in the number of devices, coupled with a shift to remote working patterns.
Fred Harris, head of cyber security risk, data risk and IT risk at Societe Generale, said that over the next five years, a tenfold increase in the number of mobile devices was likely: within a decade, the total could be 100 times the number of mobile devices versus today. Because 5G bandwidth is so large, he added, device growth could double year on year for the next century at its current rate without saturating capacity.
Harris agreed with Lindo that, in the new technological environment, AI would be needed to adjust cyber security configurations: “Eventually, you’re going to remove a lot of the human element from change management and configuration change.”
Speaking on the same panel, Mandar Rege, managing director, operational risk management, technology and cyber security at Citi, said: “You can’t overstate how much of a change 5G is going to bring along with IoT. Traditionally, networks were run by an individual company, and you had a well-defined perimeter. Open architecture is going to rip that apart and turn it inside out. You will have not a single network: you will truly be part of a global network – at which point, your fridge is going to be talking to somebody in a completely different country.”
He said another means of protecting a firm’s data would involve greater use of encryption, but this would evolve to focus on protecting particular data elements, as opposed to trying to protect servers and routers.
“The value of a data element is the same, regardless of where it is. How do you now ensure that you are protecting it consistently, whether it is within software on a server, or if you are driving around to pick up gas, and now your car is an IoT-enabled device?” said Rege.
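One concrete shape of the data-centric protection Rege describes, as an added example for this page rather than anything Citi or the panellists presented: the sensitive element is sealed with authenticated encryption, and the record it belongs to is bound into the authentication tag, so the protection travels with the element and the ciphertext is useless if lifted into another record or context. AES-256-GCM with the record identifier as additional authenticated data is this example’s choice, not the article’s; the key would come from a key management system, and the record ID, account value and all-zero demo key are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// newAEAD builds an AES-256-GCM cipher. The 32-byte key belongs in a key
// management system; it is never hard-coded in production.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField protects one sensitive element of a record. The record's
// identifier is bound as additional authenticated data (AAD), so the ciphertext
// is only valid inside the record it was created for: pasting it into another
// record, or presenting it under a different context, fails authentication.
// Output is nonce || ciphertext || tag, base64 encoded for storage anywhere.
func EncryptField(key []byte, recordID, plaintext string) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	// Fresh random 96-bit nonce per field. Random GCM nonces are safe only
	// while encryptions under one key stay far below 2^32; rotate before that.
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, []byte(plaintext), []byte(recordID))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField, verifying both the ciphertext and its
// binding to recordID before any plaintext is returned.
func DecryptField(key []byte, recordID, encoded string) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	if len(raw) < aead.NonceSize()+aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := raw[:aead.NonceSize()], raw[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, []byte(recordID))
	if err != nil {
		return "", fmt.Errorf("field failed authentication: %w", err)
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // constructed all-zero demo key, for illustration only
	recordID := "cust-0001"  // constructed record identifier
	ct, err := EncryptField(key, recordID, "ACCT-0001-2345") // constructed value
	if err != nil {
		panic(err)
	}
	fmt.Println("stored:", ct)
	pt, _ := DecryptField(key, recordID, ct)
	fmt.Println("opened in its own record:", pt)
	// The same bytes copied into another customer's record are rejected,
	// wherever that record happens to live.
	if _, err := DecryptField(key, "cust-0002", ct); err != nil {
		fmt.Println("transplanted into another record:", err)
	}
}
```

The point of the AAD binding is that the element carries its own integrity and context: a server, a mobile app or an in-car system that holds the ciphertext can only open it with the right key and the right record, and a tampered or truncated value is rejected before any plaintext is produced.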
Lindo, who also chaired the Basel working group on operational resilience, concluded that regulatory structures would also have to adjust as the threat landscape transcended jurisdictions.
A more centralised approach could see sectoral, or even cross-sectoral, regulation applied globally, he said: “It’s really going to be a global perspective. We’ve talked about enterprise-wide risk management for a while. But when you think about it, your enterprise is just where you think you have your footprint. Now, your footprint is the globe. If you can be updated from anywhere in the world, you’ve got risk exposures there.”
He added that the Fed has examined the process for updating the Federal Financial Institutions Examination Council handbooks, which can take years, and concluded that it needed to be speeded up. Lindo said this could be helped if the handbooks identified industry best practices and cross-referenced those examples, rather than taking the time to reword them.