Financial fraud and fat fingers loom large, but annual top 10 op risk losses still show fewer fails. Data by ORX News
Ask any op risk manager to imagine the perfect storm for fomenting loss and they might well describe the scene for 2020. Many feared the pandemic, which forced employees to up sticks overnight and work from home indefinitely, would stir up a squall of problems, such as money laundering, fraud and cyber attacks for their op risk profiles.
Yet, as the numbers clearly show, 2020’s reported incidents and op risk losses confounded these expectations and, along with capital levels, trended lower for most banks (see figure 1). Total losses fell to $26.7 billion for the year, a modest dip from $29.2 billion in 2019 – and a major drop from the number in 2016, the industry’s Armageddon, at $60.2 billion, as tracked by ORX News.
Inevitably, there were notable exceptions, but the prevailing direction was downward – loss incidents dropped to 407 – less than half of the rolling average for the previous four years. Regulatory fines in particular fell sharply in almost every jurisdiction as the US and most of Europe entered lockdown – a trend some viewed as a form of regulatory relief granted to beleaguered banks.
Of course, op risk losses have a notoriously long tail. Just ask any of the banks appearing in this list of 2020’s largest losses – all but one feature some form of fraud, and they arguably all have roots in incidents and control environment failures that date back years (jump to table A).
Almost half the losses in the 2020 top 10 are multi-billion-dollar fraud schemes – most of them relatively unsophisticated – and all of them undetected for a period of several years or more.
A prime example is 2020’s largest loss, in which Goldman Sachs shelled out a combined $5 billion in fines and settlements to various parties for its involvement in extensive fraud at Malaysian sovereign wealth fund 1Malaysia Development Berhad. Goldman agreed to pay $2.5 billion to the Malaysian government to settle criminal proceedings over the $4.5 billion fraud perpetrated by its executives that, between 2009 and 2015, lost 1MDB up to $5.7 billion.
According to the US Securities and Exchange Commission, former Goldman executive Tim Leissner and other senior executives worked throughout 2012 and 2013 to obtain and retain business from 1MDB through promises and payments of bribes and kickbacks to government officials in Malaysia and Abu Dhabi – financed in part by embezzled proceeds from $6.5 billion in bond offerings that Leissner helped the fund to raise. The SEC estimates that Leissner and others misappropriated more than $2.7 billion to this end.
The Malaysian government sought as much as $7.5 billion and agreed to return at least $1.4 billion in proceeds from assets linked to 1MDB. Goldman agreed to pay a criminal penalty of $2.32 billion to the US Department of Justice and a disgorgement of $606 million to settle an investigation into the bank’s role in the fraud. The Hong Kong Securities and Futures Commission announced a further fine of $350 million against the firm’s Malaysia operation over its deficient controls.
The fine leaves Goldman with a steep rise in op risk capital: the bank’s op-risk-weighted assets surged 12% to a record $132.5 billion over the three months to the end of June 2020 – its steepest level by that measure on record.
In second place for the race to the bottom, the Blue Cross Blue Shield Association agreed to pay $2.67 billion to settle a class action lawsuit over anti-competitive practices. The multi-district litigation against the BCBSA, a federation of 36 separate US health insurance companies that insure more than 106 million people, was first filed in January 2013. The complaint alleged that it had violated the Sherman Antitrust Act by entering into an unlawful agreement to restrain competition among the BCBSA member plans in the market for health insurance.
The BCBSA reportedly allocated geographic territories, limited member plans in competing against each other, restricted rights of member plans to be sold to a non-member of BCBSA and agreed to other ancillary restraints on competition. In agreeing to the $2.67 billion settlement, the group agreed to significant, unprecedented and far-reaching changes to its rules and regulations.
The potential penalty for 2020’s third-largest loss puts these hefty financial fines into perspective. Cai Guohua, former chairman of China’s Hengfeng Bank, was found guilty of causing the bank 10.3 billion yuan ($1.6 billion) in damages through various illegal schemes. Between 2014 and 2016, he allegedly issued illegal rewards and incentives to employees and used his position to transfer 4.8 billion yuan of the bank’s funds in the form of trust loans to a company under his control. In 2018, Cai is alleged to have issued 3.5 billion yuan in loans to a borrower who did not meet loan conditions, and assisted eight other firms and individuals in obtaining loans and other assistance in exchange for bribes.
The China Banking Regulatory Commission investigation into Hengfeng found Cai guilty of abuse of power, corruption, embezzlement, bribery and illegal loan issuance – and sentenced him to death with a two-year reprieve, which will allow his sentence to be commuted to life imprisonment.
The year’s fourth-largest loss dates back to 2017, when executives in Russia’s Promsvyazbank were alleged to have embezzled 87.2 billion rubles ($1.18 billion). The Investigative Committee of the Russian Federation found that several of the bank’s executives conspired to transfer billions of rubles to foreign companies, ostensibly as payment in a bogus securities purchase. The funds were transferred to Cyprus, where the owners of the bank laundered the funds and disposed of them through further illegal transactions. Several of the bank’s former executives are wanted in connection with the embezzlement.
JP Morgan Chase paid a whopping $920.2 million in the year’s fifth-largest op risk loss – the largest penalty order ever issued by the US derivatives watchdog. Three separate regulators found the firm’s traders had engaged in spoofing and market manipulation of precious metals futures and US Treasury markets from 2008 to 2016.
The Commodity Futures Trading Commission (CFTC), the DoJ and the SEC all found that Morgan’s traders had engaged in misconduct during the eight-year period. The CFTC ordered Morgan to pay restitution to the amount of $311 million for the damage done to other market participants and a disgorgement of $172 million, representing its profits from the scheme, and a civil monetary penalty of $436 million. DoJ and SEC penalties were offset by the CFTC’s order.
In April 2020, it was reported that HSBC had been potentially defrauded of up to $600 million in financing, extended to Singapore oil trader Hin Leong, in 2020’s sixth-largest loss. In the first half of April, it was reported that some lenders had stopped issuing new letters of credit to Hin Leong and on April 17, it filed for bankruptcy. The firm’s founder and director said in an affidavit that he had instructed its finance department not to disclose $800 million of losses incurred in futures markets over several years. Hin Leong owes around $3.85 billion to more than 20 banks.
Seventh and eighth places in the largest losses list were stunning examples of sheer brass neck – or rather, copper. Two Chinese banks – Minsheng Trust and Hengfeng Bank – lost 4.07 billion yuan and 3.89 billion yuan ($575 million and $549 million) respectively, when one of China’s largest gold jewellers, Kingold, used an estimated 83 tons of fake gold bars as collateral for 20 billion yuan in loans from them and other lenders. The scheme was discovered by Hengfeng in 2019, when incoming management sued Kingold for unpaid loans and moved to dispose of the collateral. A test of the bars found they were “all copper” – and when another investor tried to liquidate its collateral to cover defaulted loans, it discovered its own gold bars were a gilded copper alloy. The total outstanding amount owed by Kingold to its investors was 18.4 billion yuan.
In ninth place, Russia’s VTB Bank lost $535 million in a fraud involving loans to state-owned companies in Mozambique. Between 2013 and 2016, three Mozambique companies borrowed over $2 billion to finance maritime projects. The loan comprised $535 million from VTB, $622 million from Credit Suisse and an $850 million Eurobond, arranged by VTB and CS. The loans were guaranteed by Mozambique’s government.
Mozambique Asset Management, which took the $535 million loan from VTB, defaulted in May 2016, after generating virtually no income. In January 2019, three former CS employees pleaded guilty to conspiracy to commit money laundering and wire fraud and were charged in the US. VTB filed a lawsuit against Mozambique Asset Management and the Mozambique state on January 6, 2020, to recover its $535 million.
And, rounding out the list, the year’s 10th-largest loss event occurred at Citi, which accidentally wired $900 million to a group of Revlon lenders. Bank and lenders were already disputing a soured loan to the private-equity-backed cosmetics giant.
The bank was able to stop some of the payments, but, as of August 21, it had not recovered a total of $520.4 million, for which it is suing the lenders involved. They argue that Revlon had defaulted on its loans and that they were therefore using the funds to pay back the loan. The day after Citi’s payment, the lenders sued Revlon.
Editing by Louise Marshall
Appointment follows departure of Bakhshi to CRO role at LSEG
Deutsche Bank has picked a replacement for its head of non-financial risk, Balbir Bakhshi, who has left the bank to join London Stock Exchange Group (LSEG) as chief risk officer.
Adrian Munday, formerly the bank’s chief operating officer for non-financial risk management, stepped into Bakhshi’s role on January 1, initially on an interim basis, while the bank completes its approvals process for replacing a key function-holder.
According to an internal memo seen by Risk.net, Munday will report directly to Stuart Lewis, Deutsche’s chief risk officer (CRO). He will also join the CRO’s executive committee. Munday’s remit and reporting lines will be the same as Bakhshi’s, although he will also formally oversee DWS, the bank’s asset management arm, as CRO, from a group perspective.
Munday, who, according to his LinkedIn profile, is based in London, has been with the bank since 2006 in a variety of roles within the investment bank and the risk function, including head of risk architecture for Deutsche’s CIB, chief operating officer for liquidity management and, more recently, head of its benchmark and index control group.
Bakhshi, meanwhile, will start his new role as LSEG CRO on January 25, reporting to chief executive David Schwimmer. Bakhshi replaces Diane Côté, who is retiring.
In addition to his duties as head of non-financial risk, Bakhshi also served on Deutsche’s culture integrity and conduct committee, and on its senior executive compensation committee, as well as on the supervisory board of the bank’s Luxembourg unit, where he chaired the risk committee.
Bakhshi joined Deutsche in 2017 from Credit Suisse, where he was group head of op risk. Before that, he spent most of his 12 years at the bank in a variety of senior market risk-focused roles. Early on in his career, he worked as a risk analyst at LCH, the clearing house now majority owned by LSEG.
Deutsche is no stranger to operational risk challenges: the bank has shelled out more than $20 billion in fines and settlements in a number of jurisdictions since the financial crisis.
Speaking to Risk.net last year, Lewis acknowledged that non-financial risk issues had been a perennial weak spot for Deutsche in the aftermath of the crisis. He pinned many of the problems on a failure of individual business lines to adhere to protocols set by the risk function when policing employee conduct. This is a pattern of behaviour the bank has made good progress on reversing, he insisted, with the emphasis during Bakhshi’s tenure on greater use of preventative controls.
Additional reporting by Natasha Rega-Jones
When we examine what’s required of them, do risk committees hold water, asks ex-SEC risk oversight chief
It is often said that a camel is a horse designed by a committee. It has all the parts required – and then some – but the result does not necessarily meet the objective.
A risk committee is an integral component of an overall risk management programme – long viewed as a necessary forum for complex risks to be identified, evaluated and managed by experienced committee members.
Yet, as we attempt to respond to a global pandemic – which we were arguably ill-prepared to prevent or manage – it is time to re-evaluate the perception of their necessity and examine what risk committees actually do. Whether they serve a useful role or are perhaps – like the camel – being asked to accomplish a goal that is unachievable.
Such questions are important because they address the fundamental value and structure of risk management programmes. If they are inadequate, they can expose an organisation to significant financial loss and serious damage to its reputation.
We have seen this many times. HSBC, for example, was prompted to introduce no fewer than 24 separate risk committees – for individual national subsidiaries, regions, and businesses, and along product lines – after being severely penalised in the US in the aftermath of widespread money laundering by Mexican drug cartels through its branch network.
Typically led by a chief risk officer or a senior risk manager, risk committees usually take the form of regular meetings, with members representing legal, compliance and operations groups as well as business unit leadership.
While some organisations have one general risk committee, others have separate committees for different risks, including credit, market, operational and reputational risk. Some maintain related committees that address specific topics such as fraud, conflicts and new products.
These committees differ from board-level risk and audit committees, which are formal subcommittees of a board of directors and perform an oversight role on behalf of the shareholders.
Risk committees also vary in their scope. Some review errors and operational risk incidents; some review aggregate credit or market risk exposures; and some discuss key trends and emerging issues. Many have formal agendas with detailed handouts and minutes.
Yet risk committees, like many other corporate committees, are limited in what they can accomplish.
A committee can be helpful in promoting consensus, but it can shift accountability away from individuals – and can create ambiguity about who is accountable for decisions. This can be a concern, for example, when there is disagreement among committee members, or if a member with a diverging view misses a particular meeting.
It is also worth considering whether – as in the current pandemic – video meetings can affect outcomes for better or worse.
Committees meet only periodically, naturally, but this can be an issue if an organisation needs an immediate answer on a pressing issue or pending trade, as is often the case in transactional businesses such as investment banking. It is important to consider alternative ways to obtain approval – such as contacting an available member of senior management – that serve as an adequate substitute.
Committees are also a direct reflection of their participants – including their personalities, backgrounds, agendas and biases. They are not, therefore, inherently distinct structures that perform consistent roles over time.
Committees, moreover, can be cautious and passive. They are inclined to reaffirm existing practices – a trait General Motors CEO Mary Barra described as “the GM nod”.
Consider what occurs at too many risk committee meetings that we have attended, observed or heard about. They are often ‘scripted’ and do not allow for discussion of controversial themes. Committee members might be concerned that they will be perceived as argumentative if they raise concerns. Individual members may not attend or carefully read the handouts. They may be distracted by emails or interruptions – or they may just be thinking about other matters.
Meetings can also consume precious time and prevent individuals from attending to other important matters. “I spend my day in meetings and can’t get any work done” – this is a common reaction of senior professionals, who increasingly now need to work longer hours to perform their roles.
There are indeed challenges associated with any committee. That is, however, why we need to carefully understand who is responsible for the management of specific forms of risk and uncertainty. There may be a perception that the risk committee is performing such a role – creating a process that is inherently flawed.
Risk committees should not be a substitute for clearly delegated authority of individuals to assume distinct forms of risk and uncertainty – subject to agreed limits, whenever possible.
One familiar example is the flexibility provided to portfolio managers to make investment decisions subject to written investment policies. Another example is an approval of a derivatives dealer to incur unsecured credit exposure to a counterparty up to a certain limit, a level beyond which requires the posting of collateral.
The most valuable purpose of a risk committee is arguably to provide a forum for individuals across the organisation to discuss emerging trends and issues that span divisions and operating units. Another useful purpose is to discuss organisational implications of issues such as regulatory developments, strategic trends and changes in market practice.
There is no simple solution or template for a risk committee because each organisation is different. We can, however, begin to adjust our thinking and practice by asking essential questions. Do we need another committee? Are the existing committees effective? Do they have a clear purpose? Do we understand their value and limitations? It is perhaps illuminating that HSBC’s response to widespread evidence of risk management weaknesses was to institute more committees.
We can also strive to make the meetings useful for the participants. This involves planning by the committee organiser, who should allow time for candid discussion of controversial issues.
In addition to what the committee does, it should be clear who has the authority within an organisation for taking risk and in what amounts. We should also avoid sessions with predetermined outcomes – why have them?
Risk committees have a purpose and a role, but we must adjust our expectations of what they can achieve. To be thoughtful managers of risk and uncertainty, organisations need clearly defined risk management programmes.
The pandemic has demonstrated how much risk management matters. Every aspect of a risk programme must be effective and serve a valuable purpose. Organisations will otherwise struggle to respond to another global crisis we have yet to consider.
Charles Fishkin is the former director of the Office of Risk Assessment at the US Securities and Exchange Commission. He is an adjunct faculty member in the Master’s Programme in Financial Engineering at Bernard M Baruch College of The City University of New York. The views expressed here are his own, and do not necessarily reflect the views of any other organisation.
Editing by Louise Marshall
Less than 20% of European banks use models to calculate their operational risk capital requirements, data from the latest European Union-wide transparency exercise shows. Those that do, though, rely on them almost to the exclusion of all other methods.
Of 135 named banks from the EU, European Economic Area and the UK in the sample, just 23 had op risk-weighted assets generated using the advanced measurement approach (AMA), which uses banks’ own op risk models, as of end-June. The AMA was used to generate 84% of these banks’ op RWAs on average.
The AMA appears to be the preserve of the very largest banks. Fifteen of the 23 were in the top quartile of the distribution by total RWAs. The 23 in aggregate accounted for 48% of all op RWAs sample-wide. Of aggregate op RWAs sample-wide, the AMA accounted for 42%.
The standardised approach (SA) for calculating op RWAs was the most widely-used, being employed by 92 banks in the sample. SA RWAs accounted for 53% of aggregate op RWAs.
As for the basic indicator approach, it was in use by 48 banks, making up just 6% of total op RWAs. The majority of these banks had total RWAs lower than the median.
Op RWAs accounted for 10% of total RWAs across the 135 named banks.
Basel II rules lay out three methods by which banks can calculate their capital requirements for operational risk – the BIA, the SA and the AMA. The first two use bank data inputs and regulator-set formulas to generate the required capital, while the AMA allows banks to use their own models to produce the outputs.
The finalised Basel III framework, published in December 2017, will replace these three with a revised standardised approach. This uses a simple accounting measurement of bank total income – known as the business indicator – to divide firms into three size buckets. A separate business indicator multiplier is then applied to each bucket to produce the business indicator component. The product is then subject to an internal loss multiplier, a scaling factor based on a bank’s average historical losses and business indicator component.
Op risk modelling is headed the way of the dodo. Last year, a number of banks elected to junk the AMA entirely, or begin phasing it out. They have good reason to. With the implementation of Basel III, the AMA will no longer be eligible for calculating op risk capital requirements. Many lenders may question the value of keeping an expensive modelling process operational when the reason for it being built in the first place is soon to disappear.
Changes to the op risk framework are expected to be expensive across banks. The latest Basel III impact study estimated that European banks would see their minimum required Tier 1 capital increase 3.8 percentage points solely because of the switch to the revised SA.
The increase in minimum required operational risk capital in isolation is projected to be 39%. Those migrating from the AMA are expected to be hit harder, though, with their minimum requirements increasing 42%. This is in part because banks currently using models should have produced lower op risk requirements than the regulator-set approaches, and in future will no longer be able to “model down” their charges.
This implies that those large banks yet to move off the AMA could see their op risk capital charges increase significantly once the Basel framework is fully phased in.
Asia Risk 25: Data and AI are top technology priorities for Singapore bank, says Piyush Gupta
This is part of a series of articles marking Asia Risk’s 25th anniversary
Piyush Gupta, the chief executive of DBS, believes artificial intelligence (AI) will transform banking in Asia in the next five years. Luckily, one of the continent’s largest banks has spent the past five years making its data AI-ready, putting DBS in good stead to do battle with the likes of Alibaba and Google.
When it comes to investment in technology, it is such big technology companies – which are disrupting the banking and payment industries – that Gupta uses as a benchmark, rather than its traditional bank competitors.
“If I had to choose any one particular area of technology to watch going forwards, I would say it would have to be the data revolution,” Gupta says. “I think finance is just at the cusp of a massive AI-driven revolution. That’s going to continue to be game-changing over the next five years.”
Since joining DBS as chief executive in 2009 after 29 years at Citi, Gupta has made technology one of his core priorities. Now the bank, by far the largest in South-east Asia, is recognised by its peers in the region as a leader in digital innovation. Within technology, AI and data are currently the main areas of focus for Gupta.
DBS has already had some success using big data and analytics. For example, it has created network analysis models to identify shell companies in money-laundering networks, developed a system to detect abnormal transaction patterns when handling trade finance mandates and used big data to halve the attrition rates of wealth planning managers that are new to the bank. DBS also runs AI models to spot suspicious changes in corporate profiles.
There can be no AI without ready access to data. So Singapore-based DBS has been pulling all of its data together – for instance, taking information about a customer’s mortgage and credit card usage from different systems and putting it in one place. It has also been creating metadata and setting up protocols for handling data.
Two-thirds of the bank’s data are now “in the place where we want it”, Gupta says. And that creates a lot of opportunities.
“The data journey is endless, and so far our use cases have only really scratched the surface,” he says.
DBS has also been hiring data scientists and data engineers and now has an engineering group that is unusually big for a bank. The engineering group looks closely at the practices and tools used at big technology companies, such as Google, and is not averse to copying approaches that could work in finance too.
Chaos Monkey, developed by video streaming firm Netflix, is one tool that has made the crossover into DBS. The software randomly turns off servers to make sure an organisation’s systems can continue functioning.
DBS is a keen user of other new technologies, such as cloud computing. In recent years, it has invested in a cloud infrastructure and redesigned its applications for use in the cloud. This has enabled the bank to reduce the size of its data centres and servers, cutting down on fixed infrastructure costs.
“As a result, our cost-income ratio is relatively low,” Gupta says.
But there is a more radical innovation that DBS has adopted: blockchain. On December 10, the bank announced it would set up an exchange for digital assets, providing tokenisation, trading and custody services to institutional and accredited investors.
“We believe that this is the first-of-its-kind integrated offering,” Gupta said at the time.
As part of its services, the exchange will provide a regulated platform for the issuance and trading of digital tokens backed by financial assets, such as shares in unlisted companies, private equity funds and bonds.
The digital exchange is based on DBS’s own blockchain technology for fixed income, which in turn is based on Corda, an open source distributed ledger technology platform created by industry consortium R3.
It is in Asia’s fixed-income market in particular that blockchain promises to shine, according to Peter Soh, head of digital business and strategies at DBS.
“If you look at the US or European bond markets, a large amount of this is already on electronic platforms, so why has Asia not been able to follow this lead?” he says. “The simple answer is market fragmentation. There are bond markets in China, Indonesia, India, but all have different regulations and systems, making it very difficult to put these bond issuances in a single place.”
The fixed-income market in Asia is not as homogeneous as in Europe or the US, and the differences – such as tax, infrastructure and regulation – often deter international investors. The idea is that Asian bonds issued in Singapore and put on the blockchain will appeal to a broader investor base and more money will flow into the region.
Thanks to distributed ledger technology, a tokenised version of bond issuances can be stored on the blockchain, which also helps reduce the minimum block size that investors have to purchase and cuts processing costs.
DBS’s overall spending on technology amounts to around S$1.2 billion ($900 million) a year, according to Gupta. He notes that 90% of the expenditure used to go on just running the bank – this is now down to 50%, allowing DBS to reinvest more in future growth and in building its customer base.
But monetary investment alone is not enough to make traditional banks, with their legacy systems and entrenched practices, think more like start-ups, Gupta suggests.
“Such agility is to do with culture, and the challenge is really one of incumbency,” he says.
The AI revolution may not have yet begun, but DBS has already revolutionised its culture and is ready for that future.
Editing by Olesya Dmitracova
Asia Risk 25: Even as the level of regulatory scrutiny peaks, meaningful change eludes the region’s banks
This is part of a series of articles marking Asia Risk’s 25th anniversary
It’s early 1994. Derivatives trader Nick Leeson sits at his desk in the plush Singapore offices of Barings Bank. He is not feeling collected, calm or cool. He is feeling sweaty and panicky. He is harbouring an epoch-making secret that will send shockwaves through the financial world and beyond.
Looking back at this time, in conversation with Asia Risk, Leeson shares his incredulity at the lack of intervention in the rogue-trading rabbit hole he had dug for himself: “Every time the phone went, I thought: ‘This is it – somebody is finally going to ask me a decent question.’” But the call never came – and, as we now know, by February 1995, he had piled up losses of £827 million in unauthorised trades – the equivalent today of £1.6 billion ($2.2 billion) – and brought down the bank.
A quarter of a century later, firms across the Asia-Pacific region are still struggling to implement adequate operational risk controls – not least in the area of conduct risk, where major infractions have led to a series of high-profile fines, notably in the Australian banking industry.
Across the region, regulators have grown uneasy about the potential of such risk lurking in unseen corners. A number of Apac countries – including Hong Kong, Singapore and Australia – have introduced new laws addressing conduct risk.
“Regulators have increasingly made it clear they will hold senior management accountable for what happens,” says Ashley Alder, chief executive of Hong Kong’s Securities and Futures Commission (SFC). “Those in charge of financial firms should take gatekeeping seriously and ensure the right people, with the right ethics, are running their business lines.”
On September 10, 2020, the Monetary Authority of Singapore issued a consultation paper on new guidelines for conduct and accountability. In Australia, where the conclusions of a public inquiry were published last year, banks say they are forcibly checking in more frequently with their regulator. From Indonesia to India, regulators are looking at how sentiment on misconduct risk is changing across the region.
But sentiment has been slow to catch up with cold, hard mechanics; it wasn’t until 2015 that many Apac banks began to implement the three lines of defence model – a key plank of the Basel Committee’s 2011 Principles for the Sound Management of Operational Risk, which splits the responsibility for sound op risk oversight between business functions, rather than concentrating it all within risk management.
Now, regulatory attention has also led to a slew of fines. Over the past year, all four of Australia’s large banks have received hefty fines for misconduct. Last year, UBS was fined by regulators in both Singapore and Hong Kong for product mispricing. In Japan, one of the country’s struggling regional banks – Suruga – was sanctioned in 2018 for “systemic” misconduct that led to excessive risk-taking. In October of this year, Hong Kong’s SFC issued its highest-ever fine – HK$2.7 billion ($350 million) – to Goldman Sachs, for its part in Malaysia’s 1MDB financial scandal.
And while large fines certainly help focus minds, few believe that fines alone are sufficient. The real challenge, they say, is to change the risk culture within banks.
Implementing cultural change is more easily said than done, however, and the question of how to make meaningful change is also a matter for debate. Some say it could involve placing more accountability directly with management, such as CEO clawbacks, now being seen more commonly in the US and Europe, but also in Japan, where several executive officers at the Tokyo Stock Exchange had their monthly pay cut recently to share responsibility for a hardware issue that led to TSE’s trading suspension for a day.
Others are of the view that the key to cultural change lies in better dialogue with regulators. Those on the industry end of such dialogue say it is slow to happen – and that for supervisors, conduct risk is overshadowed frequently by more tangible and obviously pressing types of op risk.
“In the last few years, the importance of anti-money-laundering protections and cyber security have grown significantly, and this has diverted regulatory attention away from other areas of operational risk,” says a senior risk manager from a Singapore bank. “The boundaries between first and second lines of defence have been set by the organisations themselves, and this often depends on how strong the operational risk manager is.”
Australia has been the poster child for conduct risk over the past year or so. Its banking industry has been forced to respond to the scathing conclusions of a public inquiry that found widespread and systemic abuses across the industry, where short-term profit was pursued at the expense of appropriate fiduciary conduct.
The Royal Commission report drew focus on both sides of the divide – of banks, which have engaged external consultants to help resolve cultural issues – and of regulators, who have implemented fines and have engaged more with banks to make sure they are addressing the issues.
Fines are a blunt instrument, helpful for sharpening attention in the short run – but they can have longer-lived consequences. Risk-weighted assets at the four banks have also risen sharply in the last two years, largely as a result of fines, forcing them to set aside more capital and crimping profitability.
The outlier is Commonwealth Bank, which was hit by a A$1 billion ($700 million) capital add-on by the Australian Prudential Regulation Authority a year before the others, after an inquiry found shortcomings in the bank’s governance and culture. The bank’s 2018 annual report outlined how it was addressing past failings, including paying A$700 million ($500 million) in civil fines.
Ironically, Australian regulators have indicated they will likely retain the flexibility to allow their banks to ignore the impact of past fines when calculating op risk capital under the incoming revised standardised approach, due to come into force from 2023 (see box, Sayonara, AMA).
No-one currently representing any of the four large Australian banks – ANZ, National Australia Bank (NAB), Commonwealth Bank or Westpac – agreed to discuss such developments for this article.
A former director at ANZ, who worked for the lender in Singapore, insists the bank was already in the process of revamping its approach to managing conduct risk in the advent of mega-fines for mistreating customers.
“In 2014 and 2015, contractors and big consultants started to come in [to ANZ] and embed a proper framework. There was a lot of positive interaction with regulators. Proper guidelines were drawn up. Infrastructure and dashboards were implemented,” he says, describing what he saw as real change. “Five years ago, there was a huge mismatch between the resources allocated to the middle or front office and those allocated to the compliance teams. This has now reversed.”
He argues that Australian regulators paid particular attention at the time to ANZ – then expanding rapidly in Asia and with the largest international footprint of any of its peers – and admits that, without the regulator peering over the bank’s shoulder, ANZ would not have had the incentive to change.
Australia may simply have been “the first cab off the rank”, he adds, but others in Asia also started taking conduct risk more seriously around that time.
Some believe that a cultural shift must reside – or at least start – with senior management. Frankie Phua, head of group risk management of Singapore-based UOB, says that an integrated approach to risk management – from the very top of the organisation to the individual desks – is crucial to getting conduct risk right.
“It is culture that drives behaviour,” says Phua. “If you have very bad risk culture, then behaviour will also be bad and staff will not want to follow all the rules and observations.” His own firm has worked hard on establishing a robust risk culture throughout the organisation, he admits. “We want to make sure that the staff know what is expected of them and let them know that there will be consequences if they fall short. This is enforced at all levels of the business.”
Fines help get people’s attention and reinforce the message that regulators are taking conduct risk seriously, but not everyone in industry thinks they work.
“Fines only penalise the shareholders,” says Phua. “If regulators want to have a strong risk culture, they need to have a constant dialogue with banks and be prepared to hold senior management to account [for any failings].”
Simon Topping, a former partner at KPMG and previously an executive director at the Hong Kong Monetary Authority, says he observed one of the best attitudes he had seen towards administering fines when he visited an Asian regulator with an offending client – both of which he declines to name – a couple of years ago, while at KPMG.
The regulator asked how much the client was going to spend on remediating its errors and making sure that all its customers were satisfied, says Topping. “My client named an amount and the regulator said: ‘I don’t think that’s enough. What I want you to do is pay what you think you need to pay to make things right. Then in a year’s time I am going to fine you the difference between what you paid and what I think you should have paid’.”
This example, making the bank take action and responsibility, rather than simply paying up on the fine and hoping the problem will go away, is a good one for regulators to follow, Topping says.
The 2016 introduction of the Senior Managers Regime (SMR) in the UK is another example of making personal responsibility a key part of mitigating conduct risk. John Feeney, an independent consultant who coordinated conduct risk management for part of a previous position at NAB in Australia, cites the effectiveness of SMR in altering bank culture for the better.
“When I compare risk data from around the world, I would say the data coming from the UK is among the best,” says Feeney. “The [UK’s] SMR really incentivises people to do things in the right way, because there are very serious consequences, right from the top [if not].”
To date, a single fine under these rules has been levied against Jes Staley, chief executive officer of Barclays, for trying to unmask a whistle-blower within the bank. This does not diminish its effectiveness, says Feeney, who believes the regime is making a difference.
Newly introduced laws in several key Apac jurisdictions seek to ape the SMR; under Hong Kong’s implementation, the SFC has issued a record level of fines over the past few years. Although Alder is proud of this achievement, he accepts this can only work as part of an overall package, which includes personal responsibility for managers and close engagement with institutions.
He cites a recent study from the Fixed Income, Currencies and Commodities Markets Standards Board, which looked back over the past 200 years and concluded that, irrespective of how the market has developed, the themes of misconduct have remained fairly consistent.
“This implies that the underlying factors – the fundamental incentives, the lack of transparency and other familiar factors that can increase operational conduct risk – are not going to go away any time soon. Invariably, there will always be someone who tries to game the system,” says Alder.
But he accepts that many institutions in Asia still struggle with conduct risk, adopting what he describes as a “whack-a-mole” approach – and that is why regulators are right to be stepping up their engagement with such firms.
As Leeson, formerly of Barings, puts it: “Banking is a strange industry, where you find a lot of people in mid- or even senior management that don’t want to rock the boat, so people still find it hard to ask the difficult questions.”
That was certainly the case, he argues, when he racked up enough losses to bring down what was then Britain’s oldest merchant bank.
“I think we are in a safer place than we were in 1995, but this is starting from a very low base and there’s still some distance to go,” he says.
Banks that use the advanced measurement approach (AMA) to calculate op risk capital requirements – which in Asia are those in Australia and Japan – acknowledge they will have to think carefully about how to update their operational risk practices once the approach has been junked, to make sure that they don’t lose insight and expertise as they shift on to the new standardised approach. Several key Apac jurisdictions, including Australia and Korea, have already moved to implement the new framework.
The revised standardised approach replaces current methods of calculation with a blunt approach that sets capital chiefly as a crude function of a bank’s size by revenue, scaled according to its misdemeanours over the preceding decade – though as noted, regulators have the flexibility to go easy on their home lenders by down-weighting past losses, or discounting them entirely.
Some worry such a crude approach flies in the face of lenders’ efforts over the past decade to measure and model the impact proactive risk management of op risk has on capital levels – and could render the army of quantification experts banks have amassed in that time obsolete.
“Once capital adequacy is not so dependent on internal operational risk models, there may be temptation for some banks to loosen their management style and attach less importance to operational risk,” says Tsuyoshi Oyama, chief executive of Promontory Japan, a consultancy. This needs to be complemented by a more qualitative solution, he adds.
All of Japan’s three megabanks are currently reassessing their use of AMA as a risk-mitigation tool. A former operational risk manager at one of them says some of these models – and the army of quants paid to run them – can be quite costly to run, adding that, if banks are not getting the same capital incentive for running them, it may make sense to trim resources dedicated to op risk quantification. It’s been suggested that many banks will do just that.
“AMA has a history of more than 10 years in Japan, and so I don’t think the three megabanks should suddenly just collapse their systems, but they may want to look at whether they can streamline them,” says the former operational risk manager. “Maybe instead of having 20 staff that run 100 scenarios, they could have a few staff that run 10 or 20.”
But this should be done very carefully, he adds, arguing that more guidance from Japan’s Financial Services Agency could help. For now, the regulator appears to be waiting until after 2023 before making any pronouncements.
For its part, the agency points to its Approach to Compliance Risk Management paper and says it has been monitoring financial institutions’ management of compliance risk, based on these guidelines.
Editing by Louise Marshall