Credit Suisse’s op risk up $6.5bn on subprime-era litigation
By Lorenzo Migliorato | Data | 29 July 2021
Increase offsets the removal of Archegos-related capital add-on by Finma
Credit Suisse’s operational risk-weighted assets (RWAs) rose 7.8% in the second quarter, as models reacted to recent developments in court cases stemming from the bank’s subprime mortgage-era activities.
Externally-mandated parameter and model updates added Sfr5.9 billion ($6.5 billion) to op RWAs, which hit Sfr68.4 billion at end-period.
The updates stemmed from an increase in provisions to the tune of $850 million announced in Q4 2020 for legal disputes related to US residential mortgage-backed security (MBS) cases, one of which, brought by insurer MBIA over a 2007 MBS, ended in a $600 million settlement in April.
In the first quarter, the annual recalibration of in-house models under the advanced measurement approach (AMA) added Sfr791 million to op RWAs, compounding an Sfr4.1 billion increase from currency swings.
The second quarter’s operational RWA hike resulted in a 25-basis point drag on the bank’s Common Equity Tier 1 capital ratio.
Overall RWAs dropped Sfr19.3 billion or 6.4% in Q2, to Sfr283.6 billion. The CET1 ratio rose 150bp to 13.7%.
What is it?
Basel II rules lay out three methods by which banks can calculate their capital requirements for operational risk: the basic indicator approach; the standardised approach; and the advanced measurement approach. The first two use bank data inputs and regulator-set formulae to generate the required capital, while the AMA allows banks to use their own models to produce the outputs.
Under incoming Basel III rules, all banks will be required to shift to a revised standardised approach. Credit Suisse currently calculates all its op RWAs using the AMA.
Why it matters
Credit Suisse made headlines this morning as the Swiss regulator removed a temporary add-on in response to the Archegos Capital blowout, relieving the bank of the Sfr5.8 billion extra capital buffer. However, the relief was brief, as the bank had to take on just as much in op RWAs.
That the op risk hike was telegraphed in the first quarter’s results doesn’t make it any less painful. The bank is also facing a new Sfr1.9 billion add-on over losses in its Greensill-backed investment funds.
With management mishaps making its capital burden ever heavier, the bank boosted solvency by slashing the balance sheet and increasing capital. A large chunk of the second quarter’s RWA savings came from clean-ups in the investment bank, which were but a given after the Archegos debacle, while the capital raise came from an issuance of hybrid notes and gains from the initial public offering of wealth management fintech Allfunds.
In other words, the tailwinds that produced the overall 150bp increase in CET1 ratio were likely all one-offs. The flurry of add-ons that hit the bank since the start of the year won’t recur either – but with profit margin taking a backseat in favour of derisking, the capital buffer may at some point start to erode.
On modeling contagion in the formation of operational risk loss
By Xiang Gao, Zhan Wang | Technical paper | 27 July 2021
‘It’s the economy’: forecasting an op risk climate change spike
By Michael Grimwade | Opinion | 20 July 2021
History of op risk suggests economic impacts of climate change could exacerbate losses, writes op risk head
Climate change is coming – and it should be a big wake-up call for operational risk.
In the summers of 2014 and 2015, the meteorological effects of El Niño – which produces heavier rains and warmer weather in South America, but drier weather in South-east Asia – meant monsoons were later and less forceful than usual. It caused a 13% drop in pea production and a 70% increase in the price of chickpeas in India by the end of 2015 (see figure 1).
And, while op risk’s past behaviour suggests that similar economic consequences of certain climate change scenarios could inflict a significant increase on firms’ losses, the industry seems to be more focused on credit risk.
In two recent papers, the Basel Committee on Banking Supervision noted that there had been only “a very limited focus” to date on the impacts of climate change on op risk, and that data for “climate-related operational risks is scarcer than for other risk types”. Consequently, parallels need to be drawn with past crises.
Analysis suggests that the economic shocks over the past three decades, including the 2008 financial crisis, exacerbate existing op risk losses, uncovering historical failures and also poor responses from banks and other stakeholders – increasing in turn the occurrence of incidents, their detection, duration and velocity of impact. Shocks that lead to spikes in op risk are characterised by both rapid and significant changes in key economic metrics.
Op risk’s observed sensitivity to economic shocks is critical. Both the physical consequences of climate change (physical risk) and the transition to a low-carbon economy (transition risk) have economic consequences: rising defaults, increased market volatility and changing asset values in both directions (see figure 2).
And while the physical consequences of climate change lead primarily to the disruption of supply, transition leads primarily to changes in economic demand.
Physical and transition risks can also combine. One of the contributing factors to the recent spike in tin prices, for example, was the drought in China’s Yunnan province, which led to a shortage of renewable hydroelectric power, forcing local tin smelters to halt production for a time.
And although extreme weather events have in the past caused business disruption, systems failure and damage to physical assets – in 2012, Hurricane Sandy was responsible for a two-day suspension of trading on the New York Stock Exchange – the economic consequences of climate change on op risk may yet prove to be much more significant.
A future spike
In its recently published climate change stress-testing guidance, the Bank of England has set out the economic consequences of three scenarios reflecting a range of potential responses: early action; late action; and no additional action.
The only BoE scenario that forecasts both significant and rapid economic change is the ‘late action’ scenario, which results in changes in some economic metrics that are comparable to the 2008 financial crisis (see figure 3).
A severe idiosyncratic physical risk – most likely in the ‘no additional action’ scenario – could also foreseeably lead to a significant and rapid change in economic metrics – as the El Niño example shows (figure 1).
Such a risk could also cause a significant and rapid change in economic metrics through the disruption of physical infrastructure.
A 2013 joint study by the World Bank and the Organisation for Economic Co-operation and Development highlights that the cities where flood risk will increase the most are not necessarily the cities currently at high risk. The study cites New York as one of the top 10 cities at greatest risk – and Hurricane Sandy provided a taste of the potential consequences.
Additionally, just as with the Covid-19 pandemic, it is likely that professional criminals will respond opportunistically to exploit any changes in customer behaviours or uncertainty, and any disruption in firms’ processes and controls. For example, the average daily rate of UK payment fraud – the number of attempted frauds as a proportion of overall transactions – was up 117% between October 1 and November 15, 2020, versus the same period a year earlier, as criminals attempted to exploit the huge growth in online shopping caused by the pandemic.
Analysis of the losses suffered by banks during and after the 2008 financial crisis reveals a spike in client, product and business practice losses linked to rising unemployment and defaults, falling asset values and behavioural changes – mortgage-backed securities and collateralised debt obligation litigation, inappropriate foreclosure, mis-selling of derivatives, inappropriate disclosures, etc.
Conduct risk again
The most striking characteristic of op risk is its sensitivity to economic shocks, which can exacerbate existing op risk losses and lead to both the uncovering of historical failures and inappropriate responses.
Both the physical and transitional risks of climate change could have economic consequences – driven by the potential for physical risk to disrupt supply and for transition risk to affect demand (figure 2). The most rapid and significant economic impacts could arise from transition risk in the ‘late action’ scenario and potentially physical risk in the ‘no additional action’ scenario.
And as climate change can alter to varying degrees the occurrence, detection, duration and velocity of op risk losses, then firms should stress their existing portfolios of scenarios – in particular, clients, products and business practices – for significant and rapid economic changes (figure 3) that arise from either transition risks under the ‘late action’ scenario or from a severe idiosyncratic physical risk.
The most significant financial op risk impacts of climate change will likely arise from conduct risk again.
Michael Grimwade is head of operational risk at ICBC Standard Bank. He is the co-author of Managing operational risk. The contents of this article represent his own views.
Libor is ending, and corporates need to know their options
By Tom Deas, Tom Hunt, Tom Quaadman | Opinion | 19 July 2021
Banks must speak to Main Street now if US Libor transition is to succeed, argue ARRC working group leaders
In the six months Libor has left, thousands of Main Street borrowers face a critically important choice: what rate to use in place of the outgoing benchmark?
As things stand, most borrowers are aware of the need to transition. Many have a preference for a replacement that is based upon the secured overnight financing rate, or SOFR – the officially endorsed successor to US dollar Libor – rather than one of the credit-sensitive alternatives that could see the cost of borrowing climb at times of stress. But the majority have not yet been approached by their banks to discuss the available options in detail, or to thrash out transition plans.
We call on banks to begin this process expeditiously by reaching out proactively to borrowers and working out a plan together.
As members of the Alternative Reference Rates Committee (ARRC), the group of private-market participants convened to help ensure a successful transition from US dollar Libor to a more robust alternative reference rate – and leaders of its working group for non-financial corporates, which aims to prepare this sector of the market for transition – we feel strongly that considering and incorporating the perspective of borrowers is essential to ensuring a smooth switch away from Libor. It’s why we recently wrote a letter to key financial market regulators to explain this perspective, why it’s so important, and how we recommend factoring it into their thinking.
It is critical that Main Street borrowers – all the non-financial corporates and organisations holding contracts that still reference Libor – are enabled to transition smoothly. As we enter the final leg of this multi-year effort, non-financial corporates still face myriad issues and risks they will need to navigate – including not only the operational and legal complexities involved in switching contracts from Libor to an alternative rate, but potentially also delays in supplies and business operations, state and federal court cases, contracts without fallback provisions, and more. In short, it’s a daunting task to move new contracts away from Libor by the end of this year, even with the additional time that Libor’s regulator, the UK Financial Conduct Authority, recently granted that will allow many legacy contracts to wind down.
Most non-financial corporates now have a solid grasp of the transition at a high level. They know the cessation of Libor is coming, they know it could pose significant financial stability risks if not properly managed, and they know waiting until the last minute is not an option.
The very real problem at this late stage in the transition is that they don’t know what their options are for an alternative rate and what that means for ensuring the readiness of their internal compliance and technology systems.
In a March 2021 survey conducted with our working group’s members, a full two-thirds of respondents said they have not received detailed proposals or timelines for transition implementation from their bankers. While banks are facing their own considerable challenges in preparing for the transition, non-financial corporates need this important information now to be able to rework their contracts and their internal compliance and technology systems before new Libor contracts become unavailable. Non-financial corporates have the additional challenge of reviewing and amending their commercial contracts with suppliers and customers that often have Libor references to adjust for payment delays that occur in the normal course of business.
A smooth Libor transition is especially important for small to medium-sized Main Street companies that have limited staffing and resources to handle these complex transition-related issues in tandem with their day-to-day business operations, especially while they’re trying to recover from the effects of Covid-19.
Ultimately, if Main Street borrowers are not fully ready for the adoption of SOFR, the ARRC’s preferred alternative to US dollar Libor, and if they don’t have a roadmap in place now that will guide them through transitioning all of their contracts away from the old benchmark, then borrowers and issuers could face disruptions and bear higher interest and financing costs. This could ultimately force cost-cutting elsewhere, including potential job cuts.
Against this backdrop, it’s critical that lenders proactively start conversations with their borrowers now – and that they talk corporates through their full range of options in selecting an alternative rate and preferably the ARRC-recommended risk-free rate using SOFR. Depending on the type of contract they hold – whether it’s a term loan, floating rate note, or asset securitisation – the borrower must carefully consider which form of SOFR is optimal. As we saw in the same survey of our members, 94% want to be offered a range of SOFR-based rate choices, including both in-arrears and in-advance options, and 88% want to borrow using alternatives based on SOFR rather than credit-sensitive rates that could move up – as Libor has done – in times of economic stress.
Banks, regulators, legislators, and industry groups must work together in the coming months to not only incorporate the borrowers’ perspective and priorities into Libor transition planning, but to also proactively find ways to educate non-financial corporates and help them chart a clear and informed roadmap toward SOFR. The success of the Libor transition depends on it.
About the authors
The authors of this article lead the Non-Financial Corporates Working Group of the ARRC – the industry body convened by US regulators to support efforts to transition away from US dollar Libor. They are Tom Deas, National Association of Corporate Treasurers; Tom Hunt, Association for Financial Professionals; and Tom Quaadman, United States Chamber of Commerce.
UK banks’ RWAs near record low – BoE
By Lorenzo Migliorato | Data | 12 July 2021
Lower credit and counterparty RWAs led the quarterly drop, latest figures show
UK lenders’ risk-weighted assets (RWAs) ticked lower in the first quarter of the year, hitting their lowest level since Q4 2019, the latest Bank of England data shows.
The country’s banking sector reported a combined £2.8 trillion ($3.9 trillion) in RWAs under their belt as of March 31, down 0.6% from three months earlier and 7.4% from the same quarter a year ago, when the pandemic first hit.
The latest figures are just £17 billion above Q4 2019’s levels, when RWAs fell to their lowest level since the BoE began aggregating data at the start of 2014.
Credit and counterparty RWAs – accounting for 72% of the total – dropped 0.4% to £2 trillion over the first quarter, and 7.3% from a year prior.
RWAs relating to a credit valuation adjustment dropped 2.6% quarter on quarter and 13.8% year on year, to £75 billion. Operational RWAs fell 1.4% and 4.4% over the respective periods, to £285 billion.
Market RWAs were the only category that crawled up from end-December, by 0.5% to £381 trillion, though that still marked a 7.5% decrease from the year-ago level.
Other uncategorised RWAs totalled £28 billion, down 20% in the three months since Q4 2020 and 22% year on year.
What is it?
The Bank of England publishes quarterly statistics on the capital levels and RWAs of the country’s banking sector. The data goes back to Q1 2014.
RWAs are used to determine the minimum amount of regulatory capital that must be held by banks. Each banking asset is assessed on its risk: the riskier the asset, the higher the RWA and the greater the amount of regulatory capital that must be put aside.
Why it matters
After the financial crisis of 2008, all but a handful of UK banks have refocused on plain business and retail lending, leaving more complex dealings to the likes of Standard Chartered, Barclays and HSBC.
In the process, domestic lenders’ books have become more weighted towards credit and counterparty RWAs. Those are arguably less prone to sudden increases in risk levels – and thus capital charges – since the macroeconomic trends that influence them move more slowly and can be better telegraphed than equity or bond market shocks.
The pandemic risked throwing a wrench in that restructuring. As the UK went into lockdown early last year, swathes of borrowers found themselves unable to pay back their loans. In Q1 2020, credit and counterparty RWAs at the country’s banks rose 9% to their highest in four years.
That they are now at a near-record low – in part thanks to government guarantees and forbearance schemes – is good news for banks’ capital levels, but possibly less so for the economy.
After all, asset quality is unlikely to have recovered from Covid already, meaning at least part of the latest RWA decrease has come from smaller balances. At this point in the recovery, however, UK policy-makers would very much like to see banks lend more to aid the recovery.
Op risk data: Robinhood to cough up $70m over meme stock failings
By ORX News | Opinion | 9 July 2021
Also: Deutsche Bank’s wine corked after €10m FX swaps settlement. Data by ORX News
In June’s largest operational risk loss, Deutsche Bank provisioned €100 million ($122 million) to compensate customers after Germany’s high court ruled that past increases in current account fees at its retail Postbank subsidiary were unlawful.
For many years, German banks relied on tacit approval from their customers when raising account fees or changing terms and conditions. However, a consumer rights group challenged this and brought a case against Postbank.
The German Federal Court of Justice ruled on April 27 that banks must obtain customer consent when changing the terms and conditions of their accounts and that tacit approval was disadvantageous to customers. The ruling means customers can reclaim unlawfully charged fees backdated at least three years.
Deutsche Bank says it expects a €200 million revenue shortfall over the second and third quarters of 2021. The bank also says it will re-establish the fee agreements invalidated by the court ruling by the fourth quarter of 2021, and expects the loss of revenue to be temporary.
In the second largest publicly reported loss, trading platform Robinhood has agreed to pay $69.6 million for supervisory failures following its role in this year’s meme stock episode. The penalty consists of a $57 million fine and $12.6 million in restitution to customers.
According to the US Financial Industry Regulatory Authority, Robinhood distributed false and misleading information to customers by showing that certain accounts were not trading on margin when they in fact were. As a result, customers were able to make trades resulting in the use of hundreds of thousands of dollars of leverage.
Robinhood was also accused of displaying inaccurate cash balances and buying power calculations, negligently misrepresenting the risks associated with options spread transactions, and inconsistently applying computer algorithms for trading approval. In addition, the broker suffered repeated systems outages despite warnings from regulators that the firm’s technology supervision was inadequate.
In June’s third largest loss, Collins Asset Group, a US-based debt buyer, agreed to pay $15.8 million to settle claims from investors that it had misled them into lending $24 million to since-defunct shell companies in exchange for promissory notes.
Between at least 2013 and 2018, Collins raised investment capital to purchase distressed accounts receivables by convincing customers to invest in shell companies. In exchange, the investors received unregistered securities in the form of promissory notes or membership interest issued by those entities indicating that the money would subsequently be loaned to Collins. The class action claimed that Collins as a debt buyer profited from collecting on that debt within a fraudulent scheme.
In fourth place, Forex Capital Trading was ordered by the Federal Court of Australia to pay a penalty of A$20 million ($15.5 million) for systemic compliance deficiencies.
Forex CT was found to have offered clients incentives to deposit excessive amounts into their trading accounts; made misleading or deceptive representations to clients; and failed to ensure compliance with financial services laws. The company’s Australian financial services licence was revoked by the financial regulator on June 3, 2020. The company’s director, Shlomo Yoshai, was barred from managing corporations for eight years and ordered to pay a A$400,000 penalty.
In June’s fifth largest loss, Deutsche Bank was reported to have reached a more than €10 million settlement with Spanish winemaker J García Carrión over the alleged mis-selling of foreign exchange derivatives.
The settlement is the result of an internal probe launched by Deutsche Bank following complaints from customers that they had been sold sophisticated derivative products that they did not understand. The investigation revealed possible misconduct affecting “a limited number of customers”, according to reports in the Financial Times. The sale of the currency product contracts subsequently pushed some small businesses into financial difficulty, leading to a series of out-of-court settlements.
The investigation also found that Deutsche Bank had miscategorised client firms under Mifid regulations that require banks to separate their clients by levels of financial sophistication. The probe led to the departure of two senior executives. The settlement compensated J García Carrión for cumulative cash losses caused by the derivative products over a six-year period.
Spotlight: JP inadvertently operated unlicensed brokerage, for 12 years
In June, the US Securities and Exchange Commission announced it had fined electronic trading platform and JP Morgan Chase subsidiary Neovest $2.75 million for operating as an unregistered broker-dealer between 2006 and 2018.
Neovest is an order and execution management system that allows customers to route orders for stocks and options to brokers for execution. JP Morgan acquired Neovest in 2005 and subsequently withdrew the company’s broker-dealer registration in December 2006.
However, the SEC claimed that after withdrawing its registration Neovest continued to operate its platform by participating in the order-taking and order-routing process, soliciting customers and destination brokers. Additionally, Neovest played a part in determining the routing options that were available to its customers.
The SEC added that in exchange for its services, Neovest continued to receive transaction-based compensation by having payments from destination brokers redirected to JP Morgan Securities, a registered broker-dealer, which in turn transferred the proceeds back to Neovest until August 2018.
By failing to register as a broker-dealer, Neovest denied its customers the protections associated with registration, including regulatory inspections and the requirement to establish policies and procedures to safeguard investor information.
In Focus: The long shadow of internal fraud
Internal fraud casts a long shadow in the realm of operational loss – reputationally, financially – and punitively.
As two former Deutsche Bank commodities traders discovered in June, when they were each jailed for a year and a day for their part in metals market spoofing for several years in the run-up to 2013.
The legacy of broken controls can reach a firm many years after its root cause has been treated. In May, the European Commission (EC) fined three banks – UBS, Nomura and UniCredit – €371 million for their part in a government bond trading cartel as many as 14 years ago between 2007 and 2011.
These significant fines have put long-tail legacy losses over conduct issues back in the spotlight and are a reminder of the nightmare of op risk modelling to take account of such significant time lags.
And because the incoming Basel III capital requirements are based on the annual loss-per-year for the last 10 years for most firms, the financial fall-out of events almost a decade old could materially impact a bank’s operational risk capital calculations.
In the case of the government bond cartel, the investment banks were fined 10 years after the last banks left the cartel.
In April, Credit Agricole, Bank of America and Credit Suisse were all fined a total of €28 million for their own traders’ participation in a cartel in sovereign, supranational and agency (SSA) bonds between 2010 and 2015. BofA was also found to have breached anti-trust rules in May but wasn’t fined in this instance.
The EC began to investigate both cartels following applications by NatWest and Deutsche Bank under the EC’s 2006 Leniency Notice.
And another hefty historical loss came in 2020 when Goldman Sachs was ordered to pay $5.07 billion in settlements by the Government of Malaysia and the Department of Justice (DoJ) over its role in the 1MDB fraud between 2009 and 2015. Goldman first agreed to pay $2.5 billion to the Malaysian government to settle criminal proceedings against the bank and then later agreed to pay a further $2.32 billion fine and a $600 million disgorgement.
Spoofs and spooks
But one of the most memorable examples of the havoc a legacy issue can cause is the Wells Fargo ghost account scandal. High sales targets and financial incentive programmes tempted branch employees to open accounts in the names of live customers – without their knowledge – between May 2002 and July 2015, before being discovered.
As a consequence, Wells Fargo has paid around $6.06 billion in reimbursements and fines from 14 or so legal cases since September 2016, including a $3 billion fine from the DoJ and the Securities and Exchange Commission (SEC), levied in 2020.
And the scandal could continue to haunt Wells Fargo for some time. A class action filed by former and current employees alleges that the bank’s 401(k) retirement plan administrators did nothing to protect it from the fallout surrounding the scandal and even persisted in purchasing Wells Fargo stock. After the scandal came to light, the employees allege the plan lost as much as $1 billion. While their case was dismissed, the bank could reasonably expect more fallout to follow.
This legacy feature of operational risk events is borne out by ORX News database’s analysis of losses covering publicly reported operational risk events. For losses where there is information about when the loss-inducing event came to an end, for example, there is a median delay of over two years until a financial impact is first publicly reported – as a settlement with regulators or plaintiffs, say. This number is relatively high as data tends to be available for larger losses with more complex regulatory investigations and subsequent settlements.
And these are just a few examples of the financial impact legacy events can have at financial firms. While Wells Fargo and Goldman are the real blockbusters, fines like those meted out to Nomura, UBS and UniCredit are enough of a cautionary tale for op risk modellers of all stripes. They are a timely reminder to those in the field that you can never stop looking over your shoulder. In 2019, Julius Baer booked a provision for a very concrete case of a legacy event – the fall of the Berlin Wall, just 30 years earlier.
Editing by Alex Krohn and Louise Marshall
All information included in this report and held in ORX News comes from public sources only. It does not include any information from other services run by ORX, and we have not confirmed any of the information shown with any member of ORX.
While ORX endeavours to provide accurate, complete and up-to-date information, ORX makes no representation as to the accuracy, reliability or completeness of this information.
Mizuho EU CRO reveals his top risks – they may surprise you
By James Ryder | Interview | 5 July 2021
Fears over technology dominate Wolfgang Koehler’s list of greatest risks for Mizuho’s EU unit
The launch of Mizuho Securities Europe in April 2019 was almost derailed – and by an operational problem that is often overshadowed by other risks. Just before the launch, vital fibre optic connections between the investment firm, located in Frankfurt, and its data centres in London broke down.
Now a repeat of such an outage is one of the proverbial worries that keep Mizuho Securities Europe’s risk chief up at night.
“Though we weren’t doing any business yet, we had a short outage which was quite painful,” says Wolfgang Koehler, who as chief risk officer (CRO) oversees risk management, legal affairs and compliance.
“Since then, we’ve increased the redundancy significantly there, which naturally comes at a cost,” he notes, referring to the duplicates of key components of a system that are designed to kick in if the main system fails.
For Koehler, who was previously CRO for Europe, Middle East and Africa at TP Icap, potential further system failures along with cyber crime are among the biggest current risks for his firm. Unusually, cloud risk follows these concerns – and by some distance – rather than precedes them.
Outages are something of a sore point for Mizuho Financial Group, Mizuho Securities Europe’s ultimate parent. The group suffered far-reaching system failures in 2002, 2011 and earlier this year, and in June released a report on measures, both completed and planned, to prevent further mishaps.
In the latest example, four system breakdowns occurred between late February and mid-March. The first of these, on February 28, played havoc with Mizuho’s automated teller machines (ATMs) in Japan, causing them to retain more than 5,000 cards and bank books and disabling 4,318 ATMs.
Mizuho Securities Europe was not affected by any of the outages and, Koehler says, also avoided reputational impact from the troubles.
But they will have still brought home the potential consequences of system failures. Mizuho Financial Group imposed penalties on its chief executive Tatsufumi Sakai and the head of Mizuho Bank, Koji Fujiwara, halving their pay for six and four months respectively.
On another of his top concerns – cyber crime – Koehler says it is “undoubtedly” on the rise and should be a “key priority” for any CRO today.
Cyber attacks on banks have escalated since the onset of the Covid-19 pandemic, as growth in digital banking and the shift to remote working, including at financial firms, have increased opportunities for hackers.
One way Mizuho Securities Europe tackles the risk of cyber crime is through penetration testing specific to its offices in Frankfurt, Madrid and Paris. As one of its goals, the exercise tests the security of wireless and local area networks, Koehler says. If necessary, passwords are lengthened in order to slow down a potential hacker.
Koehler adds that such intruders might be a disgruntled employee already in the building, or a hacker sneaking into the building as a part of the cleaning team to seek out physical local area network ports, or somebody working from a laptop in a nearby cafe or restaurant. In Frankfurt, there is less of a focus on the last type of cyber criminal as Mizuho Securities Europe’s office there is “150 metres above the ground” in a skyscraper, he says.
A cloudy issue
While risk managers often mention the risk of service disruption at a major cloud provider, Koehler brings up this concern last. He agrees with the frequent description of Amazon Web Services, Google Cloud and Microsoft Azure as a triopoly in the market for cloud services, meaning that an outage at any one of the three could have severe repercussions for a large number of financial institutions.
However, Koehler says his conversations with cloud providers have given him confidence that the risk of an outage is “relatively low” – due to the number of redundancy processes these firms have set up.
“If your data sits, say, with a cloud-based provider somewhere in Norway, it will still be sitting in another place in California and maybe somewhere in New York state as well,” he adds. “So I think they have sufficient redundancy in their systems.”
For Koehler, there are bigger worries about cloud providers. One is a lack of clarity on where exactly in the world they store different sets of data. Although the main cloud providers are American companies, they have data centres and server farms all over the globe. This presents a challenge to cloud users in the European Union where the location of private data determines applicable laws.
Consultants at Deloitte point to another problem, under the EU’s General Data Protection Regulation.
“In general, under the GDPR personal data may not be stored longer than needed for the predefined purpose,” they write on Deloitte’s website. “The difficulty here is that data can be stored on multiple locations, under multiple jurisdictions, by cloud service providers, and therefore there is the challenge to identify and manage multi-jurisdictional retention requirements.”
Even when the location of personal data is known, if at any point it is transferred from the EU to a country outside the bloc, the transfer is subject to burdensome rules under the GDPR.
The second concern Koehler has about cloud providers is their dislike of external audits. Mizuho Securities Europe’s main supervisors, Bafin and Germany’s central bank, expect financial companies to perform due diligence on external service suppliers, in part to identify weaknesses that hackers might exploit. But such checks often require visits to the cloud providers’ data centres, and that is when banks run into difficulties.
“They take the view, Amazon or Microsoft, that as part of their security they don’t let anybody on site,” Koehler says. “So the only thing you get is literally written confirmations, which will most likely be true, but you can’t really control it. That’s always a difficult thing for a risk manager: if you have never seen it, how much reality is behind [those responses]?”
Compliance with the due diligence rules will become even trickier if, as Koehler suspects, regulators start requiring more detailed reviews of cloud providers and other contractors.
Preparing for the unexpected
Koehler’s tendency to think ahead is perhaps even greater than what is typical of risk managers everywhere, because of the circumstances surrounding the creation of Mizuho Securities Europe. The firm was set up in 2018 in Frankfurt as a subsidiary of Mizuho Financial Group’s outpost in London to ensure continued access to EU clients after Brexit, which was voted for in 2016 and took place in 2020.
With looming Brexit in mind, Mizuho Securities Europe’s staff ran through practice exercises repeatedly to prepare for a spike in client activity that was likely after the UK’s departure. When volumes did balloon, the firm’s handling of the surge ran “like clockwork”, Koehler says.
“The hard Brexit resulted in changes to our client flows, as we expected,” he recalls. “We’ve seen volumes easily tripling if not quadrupling – in terms of volumes on the securities side, in terms of the values of settlements we make and also on the primary market side, though that [primary markets] was more a result of a good buildout of our platform, opening branches and lots of hiring of talent.”
Although Koehler’s team, like others at Mizuho Securities Europe, geared up for a radical rupture between the UK and the EU, he did not think it would happen.
“To be honest, I had not expected a hard Brexit at all,” he says. “I thought, until the very last moment, that there would be some compromise arrived at.”
In the event, the UK left the EU single market and customs union in the so-called hard Brexit at 11pm on December 31, 2020, after a transition period ended. Koehler says volumes leapt up in January, following the close of negotiations, and stayed high through February and March.
Koehler’s diligence in preparing for possible disruptions regardless of their likelihood reflects an approach to risk management that was recently endorsed by the Basel Committee on Banking Supervision in its principles for operational resilience.
It also brings his ethos into harmony with the approach adopted by the first major jurisdiction to pursue dedicated operational risk resilience rules – the UK.
Biography – Wolfgang Koehler
2018–present: Chief risk officer, Mizuho Securities Europe
2017: Chief risk officer Emea, TPICAP
2015: Global head of risk for global broking, ICAP
2013–15: Global head of front-office supervision for global markets, Nomura
2012–13: Emea head of operational risk, Nomura
2010–12: Operational risk executive, Bank of America Merrill Lynch
2008–10: Chief risk officer GTSO, RBS
2007–08: Head of operational risk programme, Barclays Wealth
2005–07: Head of risk IRCB, Barclays Bank
1996–2004: Deutsche Bank (including head of credit control for Tokyo and regional head of ORM for Asia-Pacific)
Editing by Olesya Dmitracova
An approach to simultaneously assess operational risk and maturity levels in information technology management
By Hossein Moinzad , Mohammad Jafar Tarokh , Mohammad Taghi Taghavifard | Technical paper | 30 June 2021
Unlocking the potential of a firm-wide and systematic approach to operational resilience
By Commercial Editorial | Advertisement | 28 June 2021
Rick Cech, Senior Bank Examiner, Operational Risk Governance, Federal Reserve Bank of New York
Paula Fontana, Senior Director of Product Marketing, Fusion
Rich Cooper, Global Head of Financial Service Go-To-Market, Fusion
Michele Ushkowitz, Americas Head of Op Risk, Societe Generale
Jeff Simmons, Chief Risk Officer/Chief Operating Officer, MUFG Securities Europe
Getting operational resilience right continues to be a challenge for financial firms as their business strategies are faced with operational disruptions, digital transformation and regulatory shifts.
This webinar explores best practices in response to regulatory policy and supervisory guidance, offering practical approaches to achieve a mature and robust operational resilience programme.
Where firms are in response to operational resilience, and how they’re interpreting and addressing policy and guidance
The role of regulators and supervisory bodies in collaboration with senior managers of enhancing governance and compliance processes
Ways to improve scenario testing and what can be done more effectively by market participants
How financial firms are leveraging technology for challenges and future opportunities.
Risk governance, market competition and operational risk disclosure quality: a study of the ASEAN-5 banking sector
By Etikah Karyani, Oluwaseun Kolade, Setio Anggoro Dewo | Technical paper | 23 June 2021