Risk Technology Awards 2021

By Commercial Editorial | Advertisement | 13 September 2021

Recognising vendor excellence in credit, operational and enterprise-wide risk management

The 2021 Risk Technology Awards recognise vendors that have excelled in helping the industry meet its various challenges in the fields of anti-money laundering, credit and operational risk, as well as wider enterprise risk management. 

The award winners were decided by a judging panel, consisting of technology users and the editors of Risk.net, and based on the strength of entries alone. These awards include 21 categories, focusing on enterprise risk, operational risk and credit risk.

Op risk data: DeFi-ant crypto hacker steals $610m

By ORX News | Opinion | 8 September 2021

Also: Amundi fined for index manipulation; Wells pays out over client fraud. Data by ORX News

August’s largest loss saw crypto platform Poly Network fall victim to a hacker who stole approximately $610 million worth of crypto assets. The thief, dubbed Mr White Hat, in a nod to the activities of so-called ethical hackers, reportedly targeted a vulnerability in the digital contracts Poly Network used to move assets between different blockchains.

Poly is a decentralised finance (DeFi) network, which allows buyers, sellers, lenders and borrowers to interact with a strictly software-based middleman, rather than a company or institution facilitating a transaction. Poly Network was able to negotiate with the hacker, and recouped most of its stolen assets.

However, it did not constitute a rapid recovery: nine days later, $269 million was still tied up, both in so-called multi-signature crypto wallets and, separately, by crypto firm Tether, which said it froze client assets to prevent laundering of funds and to assist Poly in its recovery.


August’s second-largest loss concerns a $110 million Ponzi scheme involving Livingston Group Asset Management, its subsidiary Southport Capital and executive John Woods.

According to a US Securities and Exchange Commission suit, while working for an investment adviser – not named in the suit, but identified in a subsequent investor class action as boutique investment bank Oppenheimer – Woods started a fund in 2008 called Horizon Private Equity, and encouraged Oppenheimer customers to invest, promising 6–7% returns over two years.

Woods later founded Southport Capital and employed his brother, a colleague at Oppenheimer, as CEO as well as his cousin, who was also an employee of Oppenheimer. The SEC complaint stated that Southport had more than $824 million in client assets under its management. Woods concealed his involvement with Southport Capital and Horizon from his employer, the suit claims, adding that Southport Capital operated from an office that was next door to Oppenheimer’s office.

In public statements on the suit, lawyers for Southport Capital have said the firm intends to defend itself against the SEC’s allegations.

The third-largest loss of the month was a $100 million fine from US regulators the Commodity Futures Trading Commission (CFTC) and the Financial Crimes Enforcement Network, against crypto exchange BitMEX.

According to the watchdogs, between November 1, 2014, and December 12, 2020, BitMEX offered leveraged trading of cryptocurrency derivatives (including bitcoin, ether, and litecoin derivatives) to retail and institutional customers in the US, despite not being authorised to do so. The order found the exchange was aware that US customers could access the platform via VPNs, and that US customers were placing orders directly through BitMEX’s user interfaces.

Additionally, the exchange failed to collect, verify and keep records of specific customer information, as well as failing to build a know-your-customer programme, and an anti-money laundering (AML) programme. At least $209 million in transactions were made through BitMEX with known darknet markets or unregistered money services businesses providing mixing services, as well as transactions involving high-risk jurisdictions and alleged fraud schemes.

The order recognises that BitMEX has engaged in remedial measures, including developing an AML and user verification program, and that the bourse has certified to the CFTC that US customers are prohibited from accessing the BitMEX trading platform.

The fourth-largest loss reported in August featured another cryptocurrency platform: Japan-based Liquid. The firm announced that it had detected unauthorised access to some crypto wallets it managed during which some $97 million in cryptocurrencies was stolen.

In an August 19 statement on Twitter, the firm said: “We are sorry to announce that Liquid Global warm wallets were compromised, we are moving assets into the cold wallet” – ie, from online accessible wallets to offline cold storage.

The firm is keeping investors updated on recovery efforts via its website.

The fifth-largest loss this month occurred as French regulator Autorité des marchés financiers (AMF) fined two majority-owned subsidiaries of Crédit Agricole – funds giant Amundi Asset Management and Amundi Intermédiation, its trading arm – for alleged price manipulation of futures contracts on the Euro Stoxx 50, and for failing to have policies and procedures in place to detect market abuse and to manage conflicts of interest between its different fund classes.

In its decision of August 4, 2021, the AMF fined Amundi Asset Management, Amundi Intermédiation, Tullett Prebon and three of their former employees, Ludovic Delion, Gregory Saey and Thomas Vignon, between €20,000 and €25 million – totalling over €37 million – over the alleged use of wash trades to manipulate the price of futures on the index.

The watchdog also handed down two warnings and two 10-year bans for Delion and Saey on practising related services.



Spotlight: Wells pays out over fraudulent client

Wells Fargo agreed to pay $1.9 million in compensatory damages to Electronic Funds Transfer Corporation, a payment processing company, for misrepresenting the financial health of one of its clients, Checkcare. The now-defunct firm specialised in guaranteeing clients’ payments on the face value of a cheque, a process that necessitated drafting its own remotely created cheques (RCCs) – which, as the judge noted, remain unsigned, and are hence highly vulnerable to fraud.

“Checkcare would deposit the RCCs in its Wells Fargo account, and if they were returned, it would attempt to collect the cheque amount, plus large penalties, from the payor. Because RCCs are not signed, they are subject to a high risk of abuse and fraud by creating and depositing an RCC against a customer’s account without the customer’s approval,” the judgement noted.

A Florida court found Wells Fargo misrepresented that the now-defunct Checkcare’s account appeared to be in good standing, when in fact Wells had already decided to terminate its relationship with Checkcare over concerns it was engaging in high-risk or fraudulent business practices. This misrepresentation induced EFT to continue its ongoing business relationship with Checkcare, ultimately resulting in EFT incurring substantial losses.

New China data law threatens KYC efforts

By Karen Lai | News | 31 August 2021

Local banks will need permission to export any data that could end up in the hands of foreign law enforcement bodies

A new Chinese data protection law that will come into effect in September threatens to make it harder for the offshore know-your-customer (KYC) functions of global banks to meet risk management and regulatory obligations.

While personal data laws are not new to China – and have been gradually tightened in recent years – the new requirements add a fresh twist by preventing domestic organisations and individuals from providing data stored onshore “to foreign justice or law enforcement bodies without the permission of the competent organs of China”. Industry sources say they expect regulators such as the China Banking and Insurance Regulatory Commission and the China Securities Regulatory Commission to be tasked with granting such permission – an untested regime that could slow or stop the flow of information from banks in China to their foreign offices.

“Most banks will have a small team of people set up as part of their financial investigation unit who are tasked with seeing across all countries,” says a former senior executive at one global bank. “They wouldn’t look at every customer relationship, but sometimes they would be able to spot a potentially high-risk customer from one country appearing in another. This new China data law may make it harder to run such a team.”

Banks around the world are under pressure to show they can safely run cross-border networks after a series of money-laundering scandals and accompanying heavy fines – in 2012, HSBC was hit with a $1.9 billion penalty by US authorities for failures relating to business with banks in Japan, Mexico and Saudi Arabia. The final cost of Danske Bank’s more recent failure to shut down suspicious activity in its Estonian branch is not yet known, but could run to more than $3 billion, according to some estimates.  

It is usually up to a bank’s financial investigation unit to examine transactions in order to make sure the clients involved are in line with the bank’s KYC policy. If there are any red flags then the bank may have to prevent certain transactions from going ahead. Such investigations rely on data-sharing between the different units involved in a particular transaction.

But China’s new data law appears to give Beijing the right to stop data leaving the country if there is a chance it could end up in the hands of overseas authorities, potentially as part of a formal investigation of financial crime – which, given a bank’s regulatory obligations, is often a very real possibility.

“There’s quite a lot of uncertainty in this provision, because it’s not clear what relationship it has to an international bank and its overseas law enforcement agencies – or even what constitutes a ‘law enforcement agency’,” says Alex Roberts, a Shanghai-based technology and data lawyer for Linklaters.

This puts international banks in a difficult position. In order to get hold of the data needed for internal KYC risk management, a bank would have to convince the Chinese authorities that the data would not be shared any further. This could leave the bank in conflict with its home regulator.

For example, in the US, the 2018 Cloud Act stipulates that US government bodies must provide access to data-under-management of US companies in situations where such data may be pertinent to criminal investigations.

“The Chinese government is now effectively saying that data in China cannot be disclosed to other regulators without the authority’s consent. This may present something of a dilemma for international businesses,” says Yang Xun, a lawyer at Chinese law firm Llinks.

The law is particularly likely to hit cross-border transactions, where each of the banking entities involved needs to have a good insight into the customers they are doing business with, so they can stay in compliance with local laws.

“If data requirements keep getting stricter, then international banking may become more domestically focused in some of these places,” says the former senior bank executive. “This might work for many areas, but not when it comes to business that is inherently cross-border, such as trade finance, international project finance or investment flows between countries.”

Given the size and the importance of the Chinese market, few banks would want to put their Chinese business at risk by not conforming to the new data law.

Local units

China has been gradually tightening up its data protection laws. In 2017, the country introduced a far-reaching cyber security law, which promoted data localisation over cross-border data-sharing.

In response to these tighter data restrictions, some banks have chosen to set up new data teams in order to look at how data can be analysed onshore before being aggregated into high-level reports – that are in line with China’s data laws – and sent to head office.

“We use our group technology to mine data in China and provide a report to our management in [head office],” says the head of China at one Asian bank. “Perhaps this isn’t the easiest way of doing things, especially if we want to perform some analytics on both group and China data together, but it is manageable – and for most cases, it is enough.”

This can put a lot of pressure on local staff, however, who have to stay on top of regulatory obligations in other jurisdictions as well as in the local Chinese market.

“If we can’t share the data offshore, then we have to leave it up to our local staff to understand things like customer behaviour and how deals are structured – and when it comes to global deals this might not be easy,” says one regional head of compliance at a US bank.

The former senior bank executive says this may not sit well with regulators. “How can banks make sure the guys in the local market have done their jobs?” he asks.

This is even harder in the current environment, where ongoing travel restrictions make quick and effective communication of any new rules all the harder.

“A lot of being able to understand different practices, laws and rules in different jurisdictions comes from travelling, talking and meeting people, and we can’t do that at the moment so effectively,” says the managing director from one data vendor in the region. “Of course, there’s always virtual meetings, but these are not as good as direct interaction.”

Editing by Blake Evans-Pritchard

Stronger together: CLS’s chief risk officer on risk culture

By Costas Mourselas | Profile | 19 August 2021

Deborah Hrvatin discusses integrated risk management, mega-hacks and model risk

The scale of the losses sustained by Credit Suisse when a now-infamous client defaulted in March shocked the financial industry. Many things went wrong at the bank to result in the haemorrhage of $5.5 billion, but one of the most unexpected was the fact that the person managing the risk posed to Credit Suisse by Archegos was a former sales and marketing executive, rather than a risk management professional.

A recently published tell-all independent report lists, among other missteps by Credit Suisse, a litany of mistakes made under the leadership of the inexperienced risk manager. These include a failure to invoke liquidity add-ons previously agreed with Archegos and avoidable delays in moving the family office to dynamic margining. The bank’s US Delta One traders – the first line of defence – also come in for criticism for missing multiple red flags.   

The pile-up of errors is an example of the kind of risks that Deborah Hrvatin, chief risk officer (CRO) at foreign exchange settlement giant CLS, has spent much of her career fighting. Before her current role, she held operational risk positions at Citi, Deutsche Bank and Bankers Trust, which was bought by Deutsche in 1999.

“Your second line has to be a credible, independent challenge to your first line, and your first line has to own the risks they are taking,” Hrvatin says. “More widely in the organisation, risk management should not just be the domain of risk teams – the whole organisation must understand and manage risk.”

An overarching risk culture is necessary to bring together the core pillars of operational, financial and other risks, she argues.  

“If you don’t have a good risk culture, the rest of the individual parts of your framework will not gel together,” Hrvatin says. “A lot of firms have siloed their risk management activities, but I believe the industry needs to move towards integrated risk management.”

This involves a shared risk taxonomy, which everyone from the first line to the third line must understand, and requires everybody at the firm to think like a risk manager. It also helps when the CRO has a hard reporting line to both the chief executive and the board, which raises the profile of the risk function and helps improve the risk culture from the very top of the organisation, she says.

Hrvatin’s other belief mirrors the distinctive approach of her former boss, as well as mentor and friend, Deutsche CRO Stuart Lewis. When he became CRO of the bank’s notoriously aggressive investment banking division in 2010, he repeatedly raised concerns about the way the business was run. Lewis continued with this proactive approach when he was promoted to CRO of the entire bank in 2012, managing to keep the trust of five successive chief executives who have headed the bank since then.

Hrvatin takes a similar view.

“As a CRO, you have to be forthright and you have to really influence the organisation to adapt and understand that a certain behaviour may have an impact on a broader [business] goal, or the ecosystem at large,” she says, adding that, as a market infrastructure firm, CLS needs to be particularly conscious of its potential impact on the financial system.

Supply chain and model risks

Hrvatin displayed the same prudence when she decided to significantly increase the scrutiny of CLS’s fourth and fifth parties, to get advance warning of the risks stemming from its third parties. She believes that cyber criminals are focused on large technology vendors because, through them, they can infiltrate the numerous organisations the vendors serve.

A striking example of this is the hacking of SolarWinds last year, which gave criminals a way into the US government agencies and large companies that used the provider’s software.

“As soon as we see a vendor has been impacted by a cyber attack, we immediately try to determine if they had a relationship with our primary third parties. We interrogate that data daily,” Hrvatin says.

“We are putting just as much rigour into investigating fourth parties as we do when checking our own third parties. That’s why I prefer to call it supply chain risk, because the risk extends further, and closer scrutiny is needed to ensure operational resilience.”

Equally, Hrvatin and her team clearly put a lot in during the FX market convulsions set off by the Covid-19 pandemic last year – sources say CLS handled the crisis well.

Smooth sailing was a tall order during that turbulent period. The average daily traded volume submitted to CLS in March 2020 was a record $2.19 trillion, up by around one-fifth compared both with February that year and March 2019. And Hrvatin coped with the trading spikes with only a few months’ experience as a CRO under her belt, as she joined CLS in November 2019 in her first such role. According to the firm, its settlement services were available 100% of the time throughout 2020.

Another area where Hrvatin has already left her mark is CLS’s model risk management.

“This is an area where there used to be a lot of outsourcing,” she says. “But I need the subject matter expertise in-house, so I’ve been investing in our team significantly to improve the balance. We want to be able to run our own fully independent challenger models in-house.”

Hrvatin has recently hired two model risk managers as part of her drive to reduce reliance on external consultants. CLS currently uses the services of around 14 PwC advisers to support model validation.

“I think I’ll always use outsourcing to some extent because it’s really easy to scale up when we need to,” Hrvatin says.  

Including the two new model risk managers, she manages five people in this function, as well as seven liquidity and market risk managers, four credit risk managers, three enterprise risk managers, four information security risk managers and 16 operational risk managers.

All hands on deck

Hrvatin’s position as a CRO builds on her previous experience working across all three lines of defence. In addition to other roles, she has worked as a risk and capital strategist in the first line risk function at Deutsche and as a bank examiner at the Federal Reserve Bank of New York, which some see as a fourth line of defence.  

Hrvatin’s role at CLS also gives her exposure to a market that’s new to her – and she moved to the firm partly because she found the challenge of minimising settlement risk in the vast FX market “exciting”.

Via its main service, CLSSettlement, CLS stands between banks in the market and settles underlying payment instructions of currency trades, releasing currencies between counterparties only once all involved have delivered what they promised. Owned by many of the world’s largest financial institutions, CLS also reduces the size of massive global currency flows by netting down firms’ trade-by-trade gross obligations to more manageable amounts they must deliver in each currency.

Although praised for reducing settlement risk since its establishment in 2002, CLS has faced calls from its members for two main changes. One involves making it easier for non-banks to join CLS, while the other concerns extending CLS’s settlement service to the emerging-market currencies it does not currently cover.

CLS is addressing these calls. As it evolves, Hrvatin will want to make sure her team is an integral part of the process.

“When risk culture is right, risk management isn’t seen as preventing business from advancement, but helping business move in the right direction, aligning with the strategic goals set by the business,” she says.

Put another way, Hrvatin doesn’t want risk managers to be pitted against direct profit-generators, such as traders – instead, the two groups should work together towards the same goals.

The consequences of not doing so are plain to see.  

Biography – Deborah Hrvatin

2019–present: Chief risk officer, CLS

2017–2019: Global head of operational risk management for Institutional Clients Group, Citi

1996–2017: Risk and operational roles, latterly Americas head of operational risk, Bankers Trust and Deutsche Bank

1991–1996: Senior bank examiner, Federal Reserve Bank of New York

Editing by Olesya Dmitracova

Tackling insider fraud – Best practice for banks

By Commercial Editorial | Advertisement | 6 August 2021

Volatile markets, the pivot to remote working and the prevalence of private messaging are just some of the factors contributing to the rising risk of insider fraud. At a recent Risk.net webinar, an expert panel explored the challenges for banks and financial institutions in monitoring and mitigating this complex threat

The panel

  • Omri Kletter, Fraud and Risk Management, Global Vice-President, Bottomline
  • Chandrra Sekhaar, Managing Director, Global Head of Audit, ING
  • John Keogan, Head of Fraud Risk, Internal Fraud Prevention, Standard Chartered Bank
  • Francisco Mainez, Global Head of Analytics, Business Financial Crime Risk, Wealth and Personal Banking, HSBC
  • Moderator: Steven Marlin, Risk.net

Banks and financial institutions worldwide are struggling with the management and control of insider fraud, a growing problem in the current environment. Changes in work practices, financial hardship, new communication channels and heightened market volatility, all induced by the Covid‑19 pandemic, have added to the circumstances in which fraudulent activity may thrive.

Recent Risk Quantum analysis shows that in the UK, external and internal fraud accounted for a major share of the operational risk losses at five top UK banks in 2020, and made up a greater portion of the average total than the year before.

At Barclays, Lloyds, NatWest Group, Santander UK and Standard Chartered, fraud was cited as the cause behind 38% of total op risk losses by value on average. The year before it was 22%. 

The recent surge in insider fraud cases is concerning for the industry. Regulators around the world have recognised these challenges and are united in urging firms to address the problem as part of their operational resiliency agenda and to prevent disruption as much as possible. 

The Bank of England’s policy statement on operational resilience for financial firms, published in March 2021, states that the Prudential Regulation Authority (PRA) expects firms to plan for all severe stresses, whatever their probability. 

To be operationally resilient, companies should be able to prevent disruption occurring to the greatest extent practicable and adapt systems and processes to continue to provide services and functions in the event of an incident, according to the PRA. They must also return to normal running promptly once disruption is over, and learn and evolve from incidents and near misses.

While staff can be reluctant to believe their colleagues are capable of criminal behaviour, firms are waking up to the fact that insiders represent one of the easiest channels through which the most resilient of defences can be breached. The Monetary Authority of Singapore (MAS) also issued a circular in March, alerting firms to the increased risks of fraud due to remote working, including lack of physical oversight, collusion with other insiders or external parties, circumventing controls and inappropriate communications with customers.

The MAS recommends that banks conduct periodic reviews of remote access activities in higher-risk functions, such as trading and investment advisory, to identify suspicious incidents and trends. It also recommends enhanced surveillance of trades to ensure that they were transacted in accordance with established procedures, as well as monitoring of keystroke logging.

It is clear that incidents of insider fraud – whether rogue trades, payment frauds or interest rate benchmark collusions – are on the rise. And the lingering effect of such events on data integrity and security, consumer trust and brand reputation is far-reaching and in most cases immeasurable.

To be prepared for these exigencies while being resilient, firms will need to prioritise best practices. They must also adopt agile next-generation technology that can detect fraudulent activity early and effectively with the use of data and smart analytics.

Fraud pandemonium 

Insider fraud – whether internal or external – is not a new phenomenon. Banks and other financial institutions, including certain government departments, have been at risk of internal fraud since the industry’s inception. 

But the risk is in sharper focus now because of the combined challenges brought on by altered working environments and heightened market volatility. In turn it is becoming more essential for firms to re-assess surveillance controls and test their strength across various work arrangements, whether in-office or remote locations. 

Omri Kletter, global vice-president for fraud and risk management at Bottomline, said that internal fraud impacts all organisations, big and small, across all regions. “Fraud is becoming one of the main pandemics of our [time],” he warned.

Fraud can be facilitated more easily today across the digital landscape of real-time payments, new user accounts or payment support systems. “Full collusion is 10 times easier when there is a digital application,” Kletter added. 

As a result, internal fraud has intensified and Kletter estimates that, for some organisations, up to 50% of overall payments fraud today is related directly, or indirectly – in effect, triggered by – internal fraud. 

Cut the silo noise

Organisational silos pose a perennial challenge in fraud detection, but firms are beginning to observe more grey areas and elements to internal fraud, beyond the traditional distinction of internal fraud and external fraud. “The concept of [an] employee is not necessarily as it was before – we have more contractors or vendors now,” Kletter said. “Being open-minded to the different types of employees, not just the different types of fraud, is critical for [the] success of detection.”

Insider fraud can be complex, especially when there is collusion across areas of asset misappropriation, rogue trading, manipulation of indexes, data theft, outright theft, abuse of position and overriding controls. Determining the nature of each risk allows firms to benchmark fraudulent activity levels in better detail.

When implementing data collection and monitoring solutions for clients, for instance, Kletter pointed out that the aim is not just to detect fraud but also to preempt it. “There are a lot of activities around policy and processes’ violation and those are good indicators sometimes that fraud will follow.”

Collecting and monitoring data and raising the red flag earlier is critical for fraud prevention. A more holistic viewpoint on fraud, irrespective of its business type and silo, can provide clearer insight into the direction fraud risk will travel.

Optimise best practices

Financial institutions and banks across the board are already using analytics to better manage security and controls. Nevertheless, organisation-wide culture, as well as systems and processes, must be adaptable to changing patterns of fraudulent activity. 

John Keogan, head of fraud risk, internal fraud prevention at Standard Chartered Bank, emphasised the importance of having the right message and tone from the top: “It’s absolutely important to have the right culture and the right messaging from the senior management of the bank.” 

Firms must stress to employees that fraudulent activities will not be tolerated, and that staff must display exemplary behaviour in this respect, he said.

“It is a clear message that needs to be shared and this is further cemented by having a very robust training and awareness programme, which focuses on the business and also talks about the business-agnostic types of fraud such as travel and expenses fraud,” Keogan added.  “If you allow small frauds to happen, there is potential for other misdemeanors also.”

How else can firms raise their game in tackling insider fraud? Developing best practices in resource management, prevention and processes is vital. Keogan recommends setting up ‘insider threat working groups’.

“Having a group that can get together and look at the [similarities and] common control structures, and share that information about their risk population is a powerful tool,” Keogan said. 

Sharing risk resources that span areas such as IT specialists for data exfiltration, anti-bribery and corruption risk team members, sanctions violations and other fraud management teams must become essential, according to Keogan.

Chandrra Sekhaar, managing director and global head of audit at ING, agreed, recommending that firms set up a cross-business working group to focus on conduct. He also believes controls should be built around risk appetite. 

“What is acceptable and what can be done to keep the risk within that acceptable level? This helps define and drive the strategy on awareness, training courses and market abuse scenarios to help inform data analytics to spot unusual behaviour.”

Risk appetite aside, one of the most crucial aspects of any surveillance process is technological advancement. New tech is at the forefront of early and effective fraud detection. Machine learning, which is also being applied in detection systems and tactical surveillance systems, is becoming more prevalent.

Next-generation platforms offer automated workflows for payment processing and bill review, and state-of-the-art fraud detection, behavioural analytics, and regulatory compliance solutions.

A way forward

The aim of any surveillance – especially that of fraud risk surveillance – must be deterrence, not just detection. 

Building a solid strategy must go hand-in-hand with technology, while making the data available and adopting a proper analytics approach.

Allowing data inputs to bring in information from external resources and carefully managing them can together prepare firms for the next stage of fraud prediction, prevention, and the resulting future resilience.  

Rendering data collection such that it is non-intrusive is essential in fraud tracking, Kletter noted: “One of the best practices is really to understand the journey of any internal attack and be ready for it.” 


Op risk data: Westpac and Sumitomo among four banks hit by $359m fraud

By ORX News | Opinion | 6 August 2021

Also: Misinformation in Lloyds Bank insurance renewals; AML fail at Amex France. Data by ORX News

In July’s largest loss, Westpac was defrauded of US$255.1 million by Sydney-based equipment lease company Forum Finance. It was one of four financial institutions caught up in the scheme, which involved using false invoices and forged signatures to fraudulently obtain loans.

According to Westpac, the alleged fraud related to a portfolio of equipment leases with Westpac customers that were arranged by Forum Finance. The latter offered and arranged lease financing from banks to its clients for office equipment, computers and software. Banks then paid the funds to an entity and received regular lease payments. Westpac claimed that Forum Finance, related companies, its CEO Bill Papas and his business partner Vincenzo Tesoriero made more than 100 fraudulent transactions, siphoning off A$341 million from the bank between September 2019 and June 2021. Westpac claimed Papas or an associate forged signatures in the name of at least seven of the bank’s corporate clients to secure finance. Westpac sought legal action to have Forum Finance liquidated so that it might recoup the losses.



The second-largest loss occurred at Lloyds Bank General Insurance. The UK’s Financial Conduct Authority fined LBGI $125.2 million for failing to ensure that language used in millions of home insurance renewals communications was clear, fair and not misleading.

Between January 2009 and November 2017, LBGI sent almost 9 million renewal communications to home insurance customers, stating they were receiving a “competitive price” at renewal. However, LBGI did not check the accuracy or substantiality of the competitive price claim. Approximately 87% of renewals were made based on communications containing that price claim. Although LBGI rewrote its renewal communications and began to remove the competitive price claim in 2009, the language remained in a substantial number of communications. Similarly, LBGI also sent out communications that implied it was offering discounted premiums when, in fact, they were higher premiums. This affected approximately 1.2 million renewals.

July’s third-largest loss involved the Teachers Insurance and Annuity Association of America. The US Securities and Exchange Commission and New York State attorney general ordered TIAA to pay $97 million restitution to settle charges it made misleading statements and for failing to disclose a conflict of interest. This conflict arose because TIAA incentivised its advisers to move customers from a lower-cost employer-sponsored retirement plan to a higher-fee managed account programme.

From January 2013 until March 2018, TIAA made a series of inadequate disclosures and procedures. Customers were not aware that TIAA’s wealth advisers were compensated for reasons other than the clients’ best interests. Instead, TIAA trained its advisers to make representations that their advice was objective, non-commissioned, that they put clients first and acted in the customers’ best interests as their fiduciaries. The advisers were also encouraged by TIAA to look for ‘pain points’ to convince clients they needed the higher-priced programme. During the period, TIAA increased its annual profit from $2.6 million to $54 million.


The month’s fourth-largest loss was also part of the Forum Finance fraud, which affected four financial institutions and cost them at least $359 million. According to reports, Japan’s Sumitomo Mitsui had an exposure of $73.9 million. Sumitomo began court proceedings against Forum Finance subsidiary Forum Enviro.

Westpac makes another appearance in the fifth-largest loss for July. The Australian bank agreed to pay US$65.1 million compensation to customers over its failure to notify them of corporate actions.

For 14 years, Westpac failed to notify clients of its advisory businesses that held ASX-listed securities about a range of activities. This led to customers missing out on various share-purchasing opportunities, including purchasing additional shares at a discount to the market price, and the creation of temporary rights or options that could have been sold for profit. Up to 2019, approximately 330,000 missed corporate action notifications affected 32,000 customers.

Spotlight: Amex France

In July 2021, the French Prudential Supervision and Resolution Authority (ACPR) fined American Express Carte France (Amex France) €2 million ($2.4 million) for failing to implement adequate anti-money laundering (AML) and counter-terrorist financing (CTF) controls. The fine followed an on-site inspection conducted by ACPR between February 4, 2019, and October 21, 2019.

ACPR criticised Amex France’s risk classification as incomplete and inoperative. In addition, Amex France’s assessment of the AML and CTF risks for card services was deemed inadequate because the risk classification criteria did not take into account the specific products and services offered, customer characteristics and profile, nor geographical locations of customers.

The vast majority of customers – 99.7% of individuals and 98.62% of small businesses – were classified as low-risk. ACPR found that Amex France’s residence criteria allowed customers to register their addresses at post office boxes or at their banks. This meant some customers from high-risk countries were incorrectly classified as low-risk. For example, Amex’s risk-monitoring system considered Tunisia a low-risk country, when, according to European Union Directive 2015/849, it should have been classed as high-risk.

ACPR further identified the system used by Amex France to monitor and analyse business relationships and operations as being incomplete and unfit for purpose. The thresholds for the system to trigger an alert were too high, and only triggered 11 alerts for 73,000 transactions, highlighting the system’s poor calibration.

Amex France outsourced the monitoring of AML and CTF alerts generated by its system to a unit located in the UK. There was no contract between the two parties outlining their role and responsibilities, however.

Finally, ACPR identified that Amex France failed to identify nine politically exposed persons in its database. The company also failed to comply with legal requirements concerning asset freezes, as it only screened its database once a week for people subject to asset freezes.

Amex France spent €5 million to remedy its AML/CTF plan in 2020 and 2021.

Credit Suisse’s op risk up $6.5bn on subprime-era litigation

By Lorenzo Migliorato | Data | 29 July 2021

Increase offsets the removal of Archegos-related capital add-on by Finma

Credit Suisse’s operational risk-weighted assets (RWAs) rose 7.8% in the second quarter, as models reacted to recent developments in court cases stemming from the bank’s subprime mortgage-era activities.

Externally-mandated parameter and model updates added Sfr5.9 billion ($6.5 billion) to op RWAs, which hit Sfr68.4 billion at end-period.



The updates stemmed from an increase in provisions to the tune of $850 million announced in Q4 2020 for legal disputes related to US residential mortgage-backed security (MBS) cases, one of which, brought by insurer MBIA over a 2007 MBS, ended in a $600 million settlement in April.

In the first quarter, the annual recalibration of in-house models under the advanced measurement approach (AMA) added Sfr791 million to op RWAs, compounding an Sfr4.1 billion increase from currency swings.

The second quarter’s operational RWA hike resulted in a 25-basis point drag on the bank’s Common Equity Tier 1 capital ratio.

Overall RWAs dropped Sfr19.3 billion or 6.4% in Q2, to Sfr283.6 billion. The CET1 ratio rose 150bp to 13.7%.

What is it?

Basel II rules lay out three methods by which banks can calculate their capital requirements for operational risk: the basic indicator approach; the standardised approach; and the advanced measurement approach. The first two use bank data inputs and regulator-set formulae to generate the required capital, while the AMA allows banks to use their own models to produce the outputs.

Under incoming Basel III rules, all banks will be required to shift to a revised standardised approach. Credit Suisse currently calculates all its op RWAs using the AMA.

Why it matters

Credit Suisse made headlines this morning as the Swiss regulator removed a temporary add-on in response to the Archegos Capital blowout, relieving the bank of the Sfr5.8 billion extra capital buffer. However, the relief was brief, as the bank had to take on just as much in op RWAs.

That the op risk hike was telegraphed in the first quarter’s results doesn’t make it any less painful. The bank is also facing a new Sfr1.9 billion add-on over losses in its Greensill-backed investment funds.

With management mishaps making its capital burden ever heavier, the bank boosted solvency by slashing the balance sheet and increasing capital. A large chunk of the second quarter’s RWA savings came from clean-ups in the investment bank, which were but a given after the Archegos debacle, while the capital raise came from an issuance of hybrid notes and gains from the initial public offering of wealth management fintech Allfunds.

In other words, the tailwinds that produced the overall 150bp increase in CET1 ratio were likely all one-offs. The flurry of add-ons that hit the bank since the start of the year won’t recur either – but with profit margin taking a backseat in favour of derisking, the capital buffer may at some point start to erode.

On modeling contagion in the formation of operational risk loss

By Xiang Gao, Zhan Wang | Technical paper | 27 July 2021

‘It’s the economy’: forecasting an op risk climate change spike

By Michael Grimwade | Opinion | 20 July 2021

History of op risk suggests economic impacts of climate change could exacerbate losses, writes op risk head

Climate change is coming – and it should be a big wake-up call for operational risk.

In the summers of 2014 and 2015, the meteorological effects of El Niño – which produces heavier rains and warmer weather in South America, but drier weather in South-east Asia – meant monsoons were later and less forceful than usual. It caused a 13% drop in pea production and a 70% increase in the price of chickpeas in India by the end of 2015 (see figure 1).

And, while op risk’s past behaviour suggests that similar economic consequences of certain climate change scenarios could inflict a significant increase on firms’ losses, the industry seems to be more focused on credit risk.


In two recent papers, the Basel Committee on Banking Supervision noted that there had been only “a very limited focus” to date on the impacts of climate change on op risk, and that data for “climate-related operational risks is scarcer than for other risk types”. Consequently, parallels need to be drawn with past crises.

Analysis suggests that the economic shocks over the past three decades, including the 2008 financial crisis, exacerbate existing op risk losses, uncovering historical failures and also poor responses from banks and other stakeholders – increasing in turn the occurrence of incidents, their detection, duration and velocity of impact. Shocks that lead to spikes in op risk are characterised by both rapid and significant changes in key economic metrics.

Op risk’s observed sensitivity to economic shocks is critical. Both the physical consequences of climate change (physical risk) and the transition to a low-carbon economy (transition risk) have economic consequences: rising defaults, increased market volatility and changing asset values in both directions (see figure 2).

And while the physical consequences of climate change lead primarily to the disruption of supply, transition leads primarily to changes in economic demand.


Physical and transition risks can also combine. One of the contributing factors to the recent spike in tin prices, for example, was the drought in China’s Yunnan province, which led to a shortage of renewable hydroelectric power, forcing local tin smelters to halt production for a time.

And although extreme weather events have in the past caused business disruption, systems failure and damage to physical assets – in 2012, Hurricane Sandy was responsible for a two-day suspension of trading on the New York Stock Exchange – the economic consequences of climate change on op risk may yet prove to be much more significant.

A future spike

In its recently published climate change stress-testing guidance, the Bank of England has set out the economic consequences of three scenarios reflecting a range of potential responses: early action; late action; and no additional action.

The only BoE scenario that forecasts both significant and rapid economic change is the ‘late action’ scenario, which results in changes in some economic metrics that are comparable to the 2008 financial crisis (see figure 3).


A severe idiosyncratic physical risk – most likely in the ‘no additional action’ scenario – could also foreseeably lead to a significant and rapid change in economic metrics – as the El Niño example shows (figure 1).

Such a risk could also cause a significant and rapid change in economic metrics through the disruption of physical infrastructure.

A 2013 joint study by the World Bank and the Organisation for Economic Co-operation and Development highlights that the cities where flood risk will increase the most are not necessarily the cities currently at high risk. The study cites New York as one of the top 10 cities at greatest risk – and Hurricane Sandy provided a taste of the potential consequences.

Additionally, just as with the Covid-19 pandemic, it is likely that professional criminals will respond opportunistically to exploit any changes in customer behaviours or uncertainty and to disruption in firms’ processes and controls. For example, the average daily rate of UK payment fraud – the number of attempted frauds as a proportion of overall transactions – was up 117% between October 1 and November 15, 2020, versus the same period a year earlier, as criminals attempted to exploit the huge growth in online shopping caused by the pandemic.

Analysis of the losses suffered by banks during and after the 2008 financial crisis reveals a spike in client, product and business practice losses linked to rising unemployment and defaults, falling asset values and behavioural changes – mortgage-backed securities and collateralised debt obligation litigation, inappropriate foreclosure, mis-selling of derivatives, inappropriate disclosures, etc.

Conduct risk again

The most striking characteristic of op risk is its sensitivity to economic shocks, which can exacerbate existing op risk losses and lead to both the uncovering of historical failures and inappropriate responses.

Both the physical and transitional risks of climate change could have economic consequences – driven by the potential for physical risk to disrupt supply and for transition risk to affect demand (figure 2). The most rapid and significant economic impacts could arise from transition risk in the ‘late action’ scenario and potentially physical risk in the ‘no additional action’ scenario.

And as climate change can alter to varying degrees the occurrence, detection, duration and velocity of op risk losses, then firms should stress their existing portfolios of scenarios – in particular, clients, products and business practices – for significant and rapid economic changes (figure 3) that arise from either transition risks under the ‘late action’ scenario or from a severe idiosyncratic physical risk.

The most significant financial op risk impacts of climate change will likely arise from conduct risk again.

Michael Grimwade is head of operational risk at ICBC Standard Bank. He is the co-author of Managing operational risk. The contents of this article represent his own views.

Libor is ending, and corporates need to know their options

By Tom Deas, Tom Hunt, Tom Quaadman | Opinion | 19 July 2021

Banks must speak to Main Street now if US Libor transition is to succeed, argue ARRC working group leaders

In the six months Libor has left, thousands of Main Street borrowers face a critically important choice: what rate to use in place of the outgoing benchmark?

As things stand, most borrowers are aware of the need to transition. Many have a preference for a replacement that is based upon the secured overnight financing rate, or SOFR – the officially endorsed successor to US dollar Libor – rather than one of the credit-sensitive alternatives that could see the cost of borrowing climb at times of stress. But the majority have not yet been approached by their banks to discuss the available options in detail, or to thrash out transition plans.

We call on banks to begin this process expeditiously by reaching out proactively to borrowers and working out a plan together. 

As members of the Alternative Reference Rates Committee (ARRC), the group of private-market participants convened to help ensure a successful transition from US dollar Libor to a more robust alternative reference rate – and leaders of its working group for non-financial corporates, which aims to prepare this sector of the market for transition – we feel strongly that considering and incorporating the perspective of borrowers is essential to ensuring a smooth switch away from Libor. It’s why we recently wrote a letter to key financial market regulators to explain this perspective, why it’s so important, and how we recommend factoring it into their thinking.

It is critical that Main Street borrowers – all the non-financial corporates and organisations holding contracts that still reference Libor – are enabled to transition smoothly. As we enter the final leg of this multi-year effort, non-financial corporates still face myriad issues and risks they will need to navigate – including not only the operational and legal complexities involved in switching contracts from Libor to an alternative rate, but potentially also delays in supplies and business operations, state and federal court cases, contracts without fallback provisions, and more. In short, it’s a daunting task to move new contracts away from Libor by the end of this year, even with the additional time that Libor’s regulator, the UK Financial Conduct Authority, recently granted that will allow many legacy contracts to wind down.

Most non-financial corporates now have a solid grasp of the transition at a high level. They know the cessation of Libor is coming, they know it could pose significant financial stability risks if not properly managed, and they know waiting until the last minute is not an option.

Missing detail

The very real problem at this late stage in the transition is that they don’t know what their options are for an alternative rate and what that means for ensuring the readiness of their internal compliance and technology systems.

In a March 2021 survey conducted with our working group’s members, a full two-thirds of respondents said they have not received detailed proposals or timelines for transition implementation from their bankers. While banks are facing their own considerable challenges in preparing for the transition, non-financial corporates need this important information now to be able to rework their contracts and their internal compliance and technology systems before new Libor contracts become unavailable. Non-financial corporates have the additional challenge of reviewing and amending their commercial contracts with suppliers and customers that often have Libor references to adjust for payment delays that occur in the normal course of business.

A smooth Libor transition is especially important for small to medium-sized Main Street companies that have limited staffing and resources to handle these complex transition-related issues in tandem with their day-to-day business operations, especially while they’re trying to recover from the effects of Covid-19.

Ultimately, if Main Street borrowers are not fully ready for the adoption of SOFR, the ARRC’s preferred alternative to US dollar Libor, and if they don’t have a roadmap in place now that will guide them through transitioning all of their contracts away from the old benchmark, then borrowers and issuers could face disruptions and bear higher interest and financing costs. This could ultimately force cost-cutting elsewhere, including potential job cuts.

Against this backdrop, it’s critical that lenders proactively start conversations with their borrowers now – and that they talk corporates through their full range of options in selecting an alternative rate and preferably the ARRC-recommended risk-free rate using SOFR. Depending on the type of contract they hold – whether it’s a term loan, floating rate note, or asset securitisation – the borrower must carefully consider which form of SOFR is optimal. As we saw in the same survey of our members, 94% want to be offered a range of SOFR-based rate choices, including both in-arrears and in-advance options, and 88% want to borrow using alternatives based on SOFR rather than credit-sensitive rates that could move up – as Libor has done – in times of economic stress.

Banks, regulators, legislators, and industry groups must work together in the coming months to not only incorporate the borrowers’ perspective and priorities into Libor transition planning, but to also proactively find ways to educate non-financial corporates and help them chart a clear and informed roadmap toward SOFR. The success of the Libor transition depends on it.

About the authors

The authors of this article lead the Non-Financial Corporates Working Group of the ARRC – the industry body convened by US regulators to support efforts to transition away from US dollar Libor. They are Tom Deas, National Association of Corporate Treasurers; Tom Hunt, Association for Financial Professionals; and Tom Quaadman, United States Chamber of Commerce.