Risk Live virtual week playback: BlackRock’s Fishwick on buy-side risk
By Risk.net staff | Opinion | 3 July 2020
BlackRock’s co-head of risk discusses challenges facing firms today, including compliance and op risks
Ahead of the Risk Live in-person event, rescheduled for November, Risk.net is running a selection of key sessions online between June 30 and July 3.
In this presentation, Edward Fishwick, global co-head of risk and quantitative analysis at BlackRock, discusses the evolution of buy-side risk management over the past decade.
The biggest change, Fishwick argues, is the diversity of challenges facing firms today, including numerous new regulations, the rise of private assets and the modelling of risks linked to sustainable investing.
Operational risk has also moved up the agenda, especially for passive investment funds, which are less concerned about market risk, and the approach to managing op risk has become more quantitative, Fishwick says. Meanwhile, the importance of reducing operational errors has grown as fees have come under sustained pressure, he notes.
An emergent taxonomy for operational risk: capturing the wisdom of crowds
By Luke Carrivick, Steve Bishop, Tom Ivell, Valerie Wong, Ramy Farha | Technical paper | 2 July 2020
Banks eye post-pandemic shake-up of op risk scenarios
By Steve Marlin | News | 1 July 2020
Firms seek better handle on impact of global shocks, and hope to avert regulatory attention
Covid-19 has forced banks to revisit their assumptions about the impact that pandemics can have on every aspect of their business – not least, their operational risk frameworks. While practitioners fear the full effects of the crisis will take years to get their arms around, many are already revising the scenarios used for capital planning and stress-testing. Their objective is to better anticipate the range and severity of future shocks, to bolster resilience – and avoid regulatory intervention.
Despite spending millions of dollars a year on vendor and bespoke applications for op risk scenario generation, banks acknowledge their scenarios signally failed to prepare them for the pandemic.
Op risk scenarios have typically considered events – such as a blackout or terrorist attack – in isolation. And, more often than not, impacts have been regional, rather than global. Banks would have assigned such a low probability to a global pandemic as to ignore it.
They now need to consider not only the probability of a pandemic-level disaster, but the second-order impacts it could have on other risks.
“Across the industry, many banks have generated scenarios that are narrower in scope because catastrophic scenarios are seen as too extreme, and there’s the question of how do these scenarios overlap with economic scenarios,” says Evan Sekeris, head of model validation at PNC Financial Group.
“The pandemic is a perfect example where you have a true op risk event, but it also triggers a macroeconomic event.”
Firms now face the challenge of incorporating the effects of a pandemic into the risk assessment process. They must decide between upgrading their standalone scenarios for pandemic risk or treating it as an event that can trigger other operational risks, such as rogue trading, mis-selling, fraud and physical attacks.
“Is a pandemic a separate risk or a stress on other scenarios? We’re just starting to discuss that and how to deal with that in the construct of our existing frameworks,” says the head of op risk quant at one large bank.
The goal is not so much trying to assign probabilities to specific events, but instead to ask what happens, should an event occur. Op risk professionals say the inventory and types of scenario and attendant narratives are likely to undergo revisions – without necessarily changing the likelihood of the scenario actually happening.
“The key is to think about the risks that you’re facing, and making sure the inventory of scenarios reflects those risks,” says an operational risk expert at a large US bank.
“The whole point of the exercise when you have large-tailed events is it helps push thinking further out on the tail.”
So, rather than a set of standalone scenarios for individual risks, the focus will be on creating scenarios for multiple interlinked events.
“Our scenario analysis work will now account for multiple events with simultaneous scenarios – given the ongoing Covid pandemic, coupled with civil unrest,” says Gus Ortega, head of operational risk management at Voya Financial.
“People will treat [a] pandemic as a causal environmental factor that affects the portfolio of scenarios, rather than articulating a standalone scenario,” adds an operational risk executive at a large UK bank. “If you do a standalone scenario, you end up building an artificial representation.”
Although firms handled some of the unanticipated consequences of the pandemic well – the transition to working from home being a prime example – they underestimated the impact in various other areas.
Among these was credit card fraud, when artificial intelligence fraud detection systems were overwhelmed by a large number of false positives, owing to radical changes in customer behaviour patterns, such as shopping online instead of in person. In some cases, banks have had to completely shut down their machine learning-based systems and use manual processes instead.
The speed with which banks are introducing products under government stimulus programmes also increases the risk of conduct-related losses, as they face lawsuits for mis-selling. Banks say there is an increased risk of operational failures associated with processing the surging volumes of loan applications from individuals and small businesses.
Execution risk also increased significantly as financial markets collapsed then rebounded. “The pandemic was a very low-probability scenario in pretty much all firms, and not much thought was put into this scenario – therefore, there was indeed an underestimation of the impacts,” says Marcelo Cruz, a risk management consultant.
One of his clients, a large broker, saw its operational risk morph into credit and market exposures when its system could not match its clients’ orders because of large volumes. The broker had to honour the prices the clients entered, producing a significant financial loss.
“The experience has provided us [with] tremendous information in understanding how a pandemic impacts the world and our customers, as well as the institution itself,” says the op risk quant.
Banks say stress scenario planning for the purposes of operational resilience – which was already a concern of regulators, pre-pandemic – has now risen to the top of their agenda. While most firms have been shown to be resilient during the present crisis, the possibility of a second wave, coupled with a prolonged recession, will mean regulatory scrutiny will intensify.
Last year, the Basel Committee on Banking Supervision signalled its intention to update its operational resilience principles, and the US Federal Reserve had plans to issue its own guidance. But those steps had not been taken when Covid-19 struck. In the absence of fully fledged resilience programmes, banks have had to fall back on existing business continuity plans that are designed to address point-in-time situations, rather than the long-term events that are unfolding today.
“The ideal scenario would have been to build an op resilience framework and then … a chance to test the framework. But no-one’s finished with the framework, so we got locked into crisis management,” says Sam Lee, head of operational risk for Europe, the Middle East and Africa at Sumitomo Mitsui.
While banks have come through with little intervention so far, they expect regulators to make the push to address resilience with renewed vigour over the coming months.
“At the macro op resilience level, which is where all regulators want to get to, it’s going to be an interesting exercise which transcends individual banks. What they’ll be doing is make sure the banks have finished their op resilience framework,” concludes Lee.
Managed support services provider of the year – Exactpro Systems
By Commercial Editorial | Advertisement | 24 June 2020
Risk Technology Awards 2020
With increasing regulatory and business pressures, firms are looking for the most efficient ways of ensuring the quality and stability of the platforms on which their products and services depend. Quality assurance (QA), therefore, is a vital part of operational activities. Effective validation and verification processes are best achieved through independent software testing, carried out by a third-party specialist that is unbiased and able to provide objective information about systems in a useful format.
Exactpro specialises in providing managed software testing services for mission-critical financial markets technology. The company focuses on functional and non-functional testing of systems that process wholesale financial products. Clients include global systemically important financial market institutions and utilities – such as the London Stock Exchange, Australian Securities Exchange and interdealer broker Tradition.
The company builds software to test software, and offers a test automation solution with a wide coverage and a focus on systems’ maintainability and sustainability. This helps clients mitigate operational risks in trading, clearing, risk management, market surveillance, securities data distribution, post-trade activities and other areas. Risks associated with different business flows and the use of different technologies are addressed through a diversity of testing techniques and automation solutions. These apply a variety of data analysis and machine learning techniques to improve the thoroughness and efficiency of automated functional and non-functional testing under load (expected normal and peak usage).
Exactpro follows a set of core principles to ensure it provides the best testing for its clients. First, it approaches software testing as relentless learning, investing significantly in research and development and continuous improvement. It values expertise – its team has a depth of experience in working with a wide range of financial instruments and understanding the specifics of their lifecycles and parameters. The company develops bespoke test tools, enhancing them with customised dictionaries and simulators tailored to specific clients’ needs. It takes a holistic end-to-end approach to testing, as most defects tend to occur at the confluence of different business flows and system components. Notably, it releases its tools into the open-source community, which further ensures their high quality.
As part of its continuous research and innovation, over the past year Exactpro created a robust test automation framework aimed at distributed ledger technology-based post-trade systems, and improved the QA services it provides in cloud-based and hybrid environments.
The judges said:
Exactpro is tightly focused on independent software testing and quality assurance, with extensive tools and test library.
Many operational resilience events have been caused by issues when migrating to new platforms. Exactpro deals with this risk and provides a source of quality assurance.
Rigorously developed testing tools, technologies and processes.
Iosif Itkin, co-chief executive officer and co-founder, Exactpro, says:
“We are honoured and thank Risk.net for this valuable recognition. We build software to test software for exchanges, clearing houses, security depositories and technology vendors in 20 countries on all six continents. The best software-testing instrument is the human brain, and we are very proud of our team at Exactpro and their incredible work and relentless effort to ensure the highest quality and resilience of platforms that underpin global financial markets.”
How UBS kept workers plugged in during the pandemic
By Joanna Wright | News | 23 June 2020
Swiss bank’s A3 virtual desktop system offers a blueprint for remote working
In the 1980s, Italian drinks brand Martini promoted itself with the slogan: “Any time, any place, anywhere.” Banking giant UBS is channelling a similar spirit for its remote working setup.
The system, dubbed A3 – “anytime, anywhere, and any device” – has been put to the test during the Covid-19 lockdowns that have confined banking employees across the world to their homes since March.
A3 is a virtual desktop infrastructure, or VDI. It aims to give remote users the same access and functionality they would have if they were in the office – a home away from home, so to speak. Mike Dargan, head of group technology at UBS, believes that in this regard, it has succeeded.
“This morning I went into the office, and now I am back home, and it feels no different,” he says.
Running a remote office environment for a large financial institution brings risks, though. Home working increases what experts call the “attack surface” for cyber criminals to exploit. The effect is magnified when such a high proportion of staff are exiled from the office and scattered among thousands of locations across the globe. The confusion of the pandemic is also fertile ground for phishing attacks and attempted hacks.
Luckily for UBS, the bank had already begun to introduce A3 in 2016, which meant the system was already embedded and tested before the pandemic struck.
With VDI, individual apps are hosted in the cloud or in a central server, rather than loaded on laptops or workstations. It’s a more elaborate setup than a virtual private network (VPN), where users tunnel into a corporate network from outside.
A3 users log into a remote desktop via a home device such as an iPad or laptop, running an ordinary browser like Chrome. The interface is customised for each individual: employees working in operations, for example, see a different screen from traders.
To deliver its virtual desktop, the system requires an extra layer of technology. A3 runs Microsoft’s Remote Desktop Services across a server provided by Citrix, one of the largest VDI providers.
Critics of VDI say the setup requires a hefty initial outlay on new hardware and servers. UBS spends 10% of its revenues on IT every year, in line with the level of investment by other large banking groups such as JP Morgan and Bank of America. But Dargan argues the system saves the bank money in the long run.
How? Since many corporate VPNs are typically built to support 20% to 30% of staff working remotely at any given time, some firms have had to allow access to their VPN on a rotational basis to avoid overwhelming the system during the pandemic.
UBS’s A3 system is not limited in this way. At the height of the lockdown, the bank had 95% of its 90,000 staff working remotely across more than 50 countries. Even now, at peak working hours, some 60,000 staff are logged in simultaneously to the A3 environment. High staff productivity goes some way to ensuring the bank sees a return on its IT investment.
The bank also claims to save money by being able to patch the system remotely. If UBS were operating in a hard laptop environment, with users tunnelling into the corporate network via VPN, Dargan’s team would have to fix each device separately. Now, it can just patch the database.
“We have a golden image, if you like, that exists in the data centre. We just patch that, and everything is sorted [out],” Dargan says.
The transition to A3 took place at the same time that UBS moved into its new offices in the City of London in 2016, and started doing away with fixed seating and workstations. The bank introduced thin clients – computers that run from a central server instead of a local hard drive – and equipped mobile staff with laptops. At the time, few rival banks had made this shift, with Citigroup’s Manhattan office a notable exception.
For firms that don’t use VDI or a similar kind of virtual solution, the pandemic has forced them to figure out how to very swiftly ship – or fly – laptops to staff. HSBC, for example, says it is considering providing virtual desktop capabilities to staff.
Early in the lockdown, financial firms along the Street scrambled to get their traders equipped to work from home effectively, as volatility triggered a spike in trading volumes. UBS itself saw 300% more activity than normal in March, Dargan says. For many firms, it wasn’t always easy.
With A3, traders get special treatment. Their VDIs are hosted on a super-server called A3 Dedicated. “This is a dedicated blade or server in the data centre with higher processing power,” Dargan says.
In addition, home-working traders have two 34-inch screens and a thin client. To complete the array, UBS provides a “network wrap device”. Dargan says this is “a remote access protocol and a voice turret that interfaces into the system through the data centre. So it’s effectively what you would see on the trading floor: the turret, the screens, and so on.”
Dargan says UBS is researching a virtual product offering with multiple screens for traders, but that is “still in the lab”.
In another nod to user-friendliness, Skype and Microsoft Teams are fully integrated into the VDI setup. UBS says bank staff make around 3 million Skype calls per week, and the bank continually tracks the quality of calls. If a user is experiencing echo, the system spots it and alerts the user to mute themselves or to change device. UBS engineers are also trying to improve the quality of video calls by synchronising audio transmission with the image, if they’re mismatched.
In development are tools that will help diagnose issues with hardware or the user’s home Wi-Fi, Dargan says.
With great virtualisation comes great responsibility. A system such as A3 needs constant monitoring and, here, UBS has a 24/7, follow-the-sun approach. The bank has tech operations centres in three cities – Nashville, USA; Zurich, Switzerland; and Pune, India – that perform resilience monitoring and handle ongoing problems.
While some IT workers have to be on-site, most of the monitoring and maintenance is done remotely. “If you have people working on the hardware, for example the mainframe, they need to be on-site. But it’s a small number of people who need to be in the office, as we have virtualised our support functions,” Dargan says.
Hand in hand with a rise in home working comes an increase in the range of cyber risks that the bank is exposed to. In response, UBS has stepped up its monitoring of incoming emails, scanning for potential phishing attacks. Analysts report that phishing attempts are growing as scammers look to exploit the panic and uncertainty around the pandemic, although UBS has not noticed a significant increase in such attacks.
Phishing can range from marketing emails offering half-off on new office chairs, targeted at employees with sore backs who found themselves suddenly working at the kitchen table, through to messages purporting to contain new information about the coronavirus from seemingly reputable health authorities.
“We measured that in two ways. Firstly, we looked at emails or messages that were specifically related to Covid-19 and to working from home,” Dargan says.
Dargan is wary of giving too much detail on the second element of monitoring for confidentiality reasons, but says the bank uses a layered security approach to detect and block attacks in conjunction with monitoring the underlying IP address of emails that come in.
“We look almost in real time at the origin of the email and the IP addresses related to it, and the subdomain of that IP address. So you can see a partial history of where the email comes from. That needs to be done in real time because we get tons of emails coming through,” he says.
In common with many other firms, UBS runs exercises throughout the year to create awareness among employees of cyber security. This includes sending fake emails to staff to check responses.
As firms emerge, blinking into the light, after the months-long lockdown, Dargan predicts workers will want to stay home more than they used to. “Even if I look at it through my own lens, if I have only virtual meetings, that benefit of being in the office is small. I think there is a subset of the workforce that may want to continue to work from home partially or for good; we haven’t yet got a defined view on this,” he says.
Editing by Alex Krohn
Esma calls for full audits of cloud providers
By Josephine Gallagher | News | 10 June 2020
Regulator says firms must negotiate access rights to books and premises of providers
Clients of cloud service providers (CSPs) such as Amazon Web Services and Microsoft Azure will have to negotiate contract terms that allow them to supervise the providers’ performance and carry out detailed audits under regulatory guidelines currently out for consultation.
The European Securities and Markets Authority’s (Esma) draft guidelines on cloud outsourcing, published on June 3, map how financial firms and regulators will have to monitor and audit cloud providers. Service providers would be asked to hand over detailed information about the resilience of their systems, their security and their performance, as well as where data is located and provisions for personal data protection to the client.
A head of public policy at one investment bank in London says this kind of regulatory guidance – and other consultations, including the European Commission’s Digital Operational Resilience Framework for financial services – will provide clarity around contract terms for both users and providers of technology, and facilitate easier negotiations over contracts.
“We need to be crystal clear to the cloud providers that we need to have it in our contracts that we have rights to on-site inspection. You can understand that the cloud providers were a bit nervous about that originally, because it’s a new world for them in terms of operating with a heavily regulated industry,” he says.
The draft guidelines say that not only firms, but also regulators and national competent authorities must be able to access and inspect “the books, premises, relevant systems and devices of the cloud service provider to the extent necessary to monitor the CSP’s performance under the cloud outsourcing arrangement and its compliance with the applicable regulatory and contractual requirements”.
Cloud providers, however, have been hesitant to provide access to what they see as – in some cases – intrusive audits, says Douglas Wilbert, managing director of the risk and compliance practice at consulting firm Protiviti in New York.
“If you wanted to go into Amazon’s data centres and ask, ‘How do they operate? What is the technology? How does the data move? What are your safeguards? What are your secrets?’ Amazon would not be as forthcoming, as, for example, a smaller software-as-a-service provider that a bank is using,” Wilbert says.
Cloud providers are generally secretive about some aspects of their businesses, he says, and until recently there was little regulatory imperative for them to allow broader scrutiny of their systems, controls, and data. But authorities are beginning to focus on the operational risks posed by chain outsourcing and the reliance of the financial services market on a handful of providers.
The major names – notably, in the capital markets space, Azure, AWS, Google Cloud Platform and IBM Cloud – command most of the cloud market share in financial services. So individual audits from financial firms are a major consideration for providers.
“Regulators need on-site access and direct access. The problem is, if you are a company that has thousands and thousands of customers, that is logistically quite difficult,” the investment bank’s head of public policy says.
For this reason, these providers have tended to encourage pooled audits. Financial firms already band together to employ third-party providers to carry out pooled audits on the cloud providers, in an attempt to reduce the burden on all parties. Deutsche Börse, for instance, founded a collaborative cloud audit group in 2017, which includes banks and insurance companies, and has performed audits on Azure.
The European Banking Authority’s (EBA) revised guidelines on outsourcing, published in 2019, allow the use of such audits.
Wilbert says cloud providers will have to adapt to the regulatory needs of the industry, while financial firms and regulators will have to understand how cloud providers’ businesses work, and there will be growing pains on both sides.
“It’s going to be a struggle to find what that inflection point is, and I don’t think it’s going to be a very easy process for the cloud providers. They have to educate financial regulators, who are not necessarily used to [a cloud provider’s business model], and the cloud providers are not used to the intrusiveness that some of the financial regulators ask for. So it’s going to take time to work itself out,” he says.
The road to regulation
The Esma guidance outlines the need to identify, address and monitor the risks and challenges associated with cloud outsourcing. The paper follows other published guidance from regulators, including a joint release of consultation papers by UK regulatory authorities in December, aimed at strengthening the operational resilience of financial services firms and modernising the regulatory framework on outsourcing and third-party risk management.
Esma’s guidance singles out cloud providers – not just because they are critical third-party vendors to some financial firms, says Wilbert, but also because the financial firms themselves do not directly oversee the physical data centres, systems, security and operations in which their data and functions reside.
“As you move your applications and data to the cloud, you can’t touch and feel them; you can’t replace your server. The guy that has the beeper that goes off whenever anything goes wrong is no longer there, and they [cloud providers] become, for many, that critical third-party vendor. The interesting thing there is, they’re not just a critical third-party vendor, there’ll be a critical fourth- and possibly fifth-party vendor if you’re using the software as a service, and you have the same provider for the cloud as your software-as-a-service provider,” he says.
The draft guidelines require financial firms to ensure their CSPs meet all outsourcing contractual obligations, even if they are sub-outsourcing critical or important functions, or part of them, to a fourth party. The cloud provider must also notify and seek approval from the financial firm for any changes to a sub-outsourcing agreement.
Wilbert says cloud regulation will probably take a two-pronged approach.
“Based upon what I’m seeing from some of the cloud providers and within the industry, the regulators are going to start regulating the cloud providers more, and at the same point in time, they’re going to start pressing the industry to be more cognisant of how they use the cloud,” he says.
Cloud providers fall under the regulation of the EU cyber security legislation, the Network and Information Security Directive, but the head of public policy says there are questions about what direct regulation of the CSPs would look like, and whether it should be specific to the financial services industry.
“The real question is, do you treat them as a financial market infrastructure, where they are core to financial services? That is just one vertical, and cloud providers are increasingly used by all areas of the economy. Or do you look at them as a utility? Do you look at them as something that is fundamental to the way the economy runs, or maybe more like telecom networks? So that is the debate,” he says.
Exit strategies and lock-ins
Esma’s draft guidelines provide financial firms – particularly smaller ones – with negotiating power to avoid being locked in to a contract with one CSP. Regulators worry that in a critical failure of a CSP, clients may be unable to easily port their data to another provider, which would have systemic risk implications for financial firms.
Firms can use the regulator’s advice to negotiate terms that would help them move their activities to another provider, or bring them back in-house, if a CSP were to fail at fulfilling their contractual duties or otherwise meeting expectations.
Wilbert says CSPs will probably be regulated according to the services they support. For example, systems that support the critical functions of systemically important institutions will be the most heavily scrutinised.
“I think the regulator is going to say [to systemically important firms]: ‘You’re going to have a different burden when addressing the cloud than a smaller firm.’ And part of that may be that if you go down, how can you move to another cloud provider? If that cloud provider goes down, where’s your data? How is your data secured? Where is your replication of data? Where is the personally identifiable information, and a whole host of other things?” he says.
Ksenia Duxfield-Karyakina, public policy and government relations manager at Google Cloud, says the company already offers insight into its infrastructure, data access and platform resiliency.
“We continuously engage with the financial services regulators to demonstrate our security, privacy and transparency commitments and compliance programmes,” she says.
AWS and Microsoft Azure did not respond in time for the publishing of this story.
The comment period on Esma’s draft guidance closes on September 1, and the regulator aims to publish the final guidelines in Q1 2021.
In May’s largest operational risk loss, Morgan Stanley must pay up to €42 million ($46.8 million) to Dutch tax authorities over alleged cum-ex dividend trades in the 2007/2008 financial year. In such cases, equity transactions are structured so that multiple parties are eligible for a rebate on capital gains tax that only one party has paid.
The Amsterdam Tax and Customs Administration (the Belastingdienst) launched an investigation into the firm’s subsidiary, Morgan Stanley Derivatives Products (Netherlands), which was alleged to have sold forward contracts based on €7 billion of Euronext Amsterdam shares it bought between 2006 and 2010. MSDP allegedly sold the shares on to a third party, repurchased them, then improperly claimed a tax rebate on the dividends, said the Belastingdienst.
In May’s second largest loss, Norfund, a Norwegian private equity fund, was defrauded of $10 million in a data breach. The fraudsters were able to access information relating to a $10 million loan the fund was making to a microfinance institute in Cambodia. They were able to divert the funds to an account with the same name as the microfinance institution, but in Mexico. Manipulation of communication was a major factor in delaying detection of the fraud, said Norfund. It was discovered on April 30, 2020, when the attackers made a further attempt, which Norfund discovered and prevented.
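The Norfund pattern described above, a payee name that matches a known beneficiary but a bank account in a different country, is exactly the mismatch a payment-release check can catch before funds leave. The following is an added example, not Norfund's or any vendor's code; the beneficiary records and country codes are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Beneficiary:
    """A payee as recorded in the verified beneficiary master file (constructed example)."""
    name: str
    country: str   # ISO 3166-1 alpha-2 of the beneficiary bank, e.g. "KH" for Cambodia
    account: str   # account identifier as held on file


def normalize_name(name: str) -> str:
    # Collapse case, punctuation and whitespace so cosmetic variations of the same
    # legal name ("ABC Micro-Finance Ltd." vs "abc microfinance ltd") still match.
    return re.sub(r"[^a-z0-9]", "", name.lower())


def review_payment(instruction: Beneficiary, verified: List[Beneficiary]) -> List[str]:
    """Return the reasons a payment instruction should be held for out-of-band
    verification (for example a call-back to a phone number already on file).
    An empty list means the instruction matches a verified record exactly."""
    reasons: List[str] = []
    target = normalize_name(instruction.name)
    same_name = [b for b in verified if normalize_name(b.name) == target]

    if not same_name:
        reasons.append("beneficiary name not on file: verify through a known channel")
        return reasons

    # Exact match on name, bank country and account: nothing anomalous.
    if any(b.country == instruction.country and b.account == instruction.account
           for b in same_name):
        return reasons

    # Same name, different bank country: the Norfund pattern (Cambodia vs Mexico).
    known_countries = sorted({b.country for b in same_name})
    if instruction.country not in known_countries:
        reasons.append(
            f"bank country {instruction.country} differs from verified {known_countries}"
        )

    # Any change of account for an existing payee is itself a hold condition, because
    # forged instructions usually arrive as "updated" banking details via email.
    reasons.append("account differs from the verified record for this beneficiary name")
    return reasons
```
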
Morgan Stanley also suffered May’s third largest loss after Morgan Stanley Smith Barney agreed to pay $5 million to settle charges that it had provided misleading information to customers in its retail wrap fee programmes. The programmes offer accounts in which customers pay an asset-based fee that covers investment advice and brokerage services, including trade execution. According to the US Securities and Exchange Commission, the bank failed to provide complete and accurate information concerning trade execution services and transaction costs incurred by customers in their accounts from at least October 2012 until June 2017.
Bloomberg Tradebook was also fined $5 million by the SEC in May for misrepresenting how it handled customer trade orders between November 2010 and September 2018. The SEC found that Bloomberg routed 6.4 million customer orders, primarily those on relatively low commission rates, using an undisclosed arrangement, referred to internally as the “Low Cost Router”. It allowed three unaffiliated broker-dealers to determine the venue to which some orders would be routed for execution without informing them. In its marketing materials, Bloomberg claimed these would be routed by its own technology.
May’s fifth largest loss saw broker Stifel, Nicolaus & Company ordered to pay $3.7 million by the US Financial Industry Regulatory Authority for providing inaccurate information to customers about the rollover costs from unit investment trusts. The company’s systems and procedures for determining the suitability of early rollovers were also inadequate and resulted in unsuitable recommendations to customers, Finra found. The payment consists of a $1.8 million fine and $1.9 million plus interest in restitution to customers.
Spotlight: JP settles crypto credit card lawsuit
In May 2020, JP Morgan Chase agreed to pay $2.5 million to settle a class action suit over credit card fees it charged customers who bought cryptocurrency using its Chase credit card. The suit was filed in April 2018 by a plaintiff who claimed that over a period of 10 days, beginning in January 2018, the bank switched from processing his cryptocurrency credit card payments as purchases to processing them as cash advances. By February 2018, the plaintiff had been charged more than $160 in cash-advance and interest charges but had not been given notice of the change. The suit alleged that Chase had breached regulations by not giving customers 45 days’ written notice before effecting any change to account terms.
Chase had argued that cryptocurrency purchases fall under the header of “cash-like transactions” and that credit agreements would count as cash advances.
Following negotiations, Chase agreed to pay $2.5 million, which it estimated to constitute more than 95% of the damages sustained by the class members, but denied any wrongdoing.
The bank was one of several to announce in February 2018 that it would no longer allow its credit cards to be used to purchase cryptocurrency following a sharp plunge in the price of several leading cryptocurrencies and concerns over fraud.
In Focus: Assessing Covid impact with scenario analysis
As a risk event for which firms lack any precedent – in its all-encompassing impact on everything from fraud to employee wellbeing – the coronavirus beats all. No more fitting test then of scenario analysis, a long-established technique for quantifying operational risks with no loss history precedent. The technique involves gathering up the brightest minds and war-gaming the impact of a force majeure event, to which a bank can then attribute a dollar value.
In May, around 50 senior op risk managers from member firms discussed their approaches to scenario analysis with ORX and described its use as part of firms’ reactions to the coronavirus pandemic. Most reported a need to reassess scenarios and other plans in light of what we now know. And although many firms deemed it too early to begin re-examining scenarios while the virus was still at its peak in many countries, they are collecting information from across business lines to re-examine these scenarios in due course.
Some firms said their scenarios and pandemic-related plans lacked some of the necessary details to properly gauge the impact of coronavirus. A common observation was that such scenarios often accounted for only a localised pandemic and not one on a global scale that affects all business lines and locations. Several reported using data from past pandemics, such as Spanish flu, in their scenario planning.
One firm said that, while its scenario had provided a good reflection of how the pandemic unfolded, it did not provide much detail on how the firm could transition back to a normal operating model after the crisis.
Other firms treated coronavirus as a causal factor in other scenarios, rather than as a standalone scenario itself. One reported, for example, that it had a scenario for an increase in cyber attacks or other frauds resulting from a pandemic event.
Most firms reported that scenario workshops had been unaffected by the crisis because these were often done through online collaboration platforms even before the pandemic hit.
Many of the op risk managers noted that the crisis demonstrated the severity of an extreme event – one in 100 years or more – and their consequent willingness to be more mindful of unexpected events.
Editing by Louise Marshall
All information included in this report and held in ORX News comes from public sources only. It does not include any information from other services run by ORX, and we have not confirmed any of the information shown with any member of ORX.
While ORX endeavours to provide accurate, complete and up-to-date information, ORX makes no representation as to the accuracy, reliability or completeness of this information.
Data error inflated Wells Fargo’s op risk capital by $5 billion
By Louie Woodall | News | 3 June 2020
Sharp fall in Q1 RWAs followed removal of duplicate data
Faulty data led Wells Fargo to overstate its operational risk capital charge for the fourth quarter of 2019 by $5.2 billion, raising further questions on the soundness of the bank’s op risk management.
In its regulatory filing for the first quarter, the San Francisco-based lender revised its op risk-weighted assets (RWAs) amount as of Q4 2019 to $338.7 billion. The previous filing had pegged the amount at $403.6 billion, 19% higher. Minimum regulatory capital charges are set at 8% of RWAs, meaning Wells Fargo held $32.3 billion of op risk capital at end-2019. As of Q1, op RWAs totalled $335.7 billion, 17% lower than the original Q4 2019 amount.
A spokesperson for the bank said: “The revision was due to duplicative data from a third party, and once the matter was identified the result was a favourable impact to regulatory capital under the advanced measurement approach.”
Wells Fargo did not disclose the identity of the third party – but in its latest Pillar 3 regulatory disclosure, the bank says it uses ORX, the industry op risk data exchange, to source external operational risk loss data. ORX said it does not comment on individual members or their data.
An op risk expert at another US bank said the abrupt revision was unlikely to be the result of a “fat finger” error. “Given the importance of that number, it’s more likely it’s the result of a change in the categorisation of the loss event,” he said.
“It could be that they had two events in their loss data set that they initially thought were separate that have now been determined to be the same. For example, they could have previously treated a group of lawsuits as separate events and these have now been classified as one broader event,” he adds.
The snafu did not impact the bank’s risk-based capital requirements, since in both Q4 2019 and Q1 2020 Wells was bound by the standardised approach, which sets capital using credit and market RWAs calculated using regulator-set formulas and does not include an op risk component. Under the US supervisory framework, the constraining risk-based requirement is the higher of that set by the standardised and advanced approaches – which includes op risk capital.
Big US banks use the advanced measurement approach (AMA) to calculate op RWAs. Wells Fargo’s AMA model incorporates internal loss data from its own database, and external loss data through membership of ORX, which is used to benchmark RWAs to a bank’s peer group, and to help estimate future op risk losses through such techniques as scenario analysis.
However, the frequency and severity of historical losses play an outsized role in the AMA. Flawed op risk data, therefore, can materially affect the RWA amounts generated by an AMA model.
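The data-quality problem described above, duplicate loss records from an external feed inflating the empirical frequency and severity an AMA-style model draws on, as an added illustration of a deduplication control (not Wells Fargo’s, ORX’s or the Fed’s code; the records, tolerances and matching rules are constructed assumptions):

```python
"""Loss-data quality check: find duplicate operational-loss events.

Illustrative example only. The records below are constructed, and the
matching rules (same entity, amounts within 1%, dates within 30 days)
are assumptions a data-quality control might use, not any bank's rules.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class LossEvent:
    ref: str          # record id assigned by the source feed
    source: str       # "internal" or "external"
    entity: str       # legal entity the loss relates to
    occurred: date
    amount: float     # gross loss, USD millions
    description: str


# Constructed sample: an internal database plus an external feed that
# re-supplies two of the same events under different reference ids.
EVENTS = [
    LossEvent("INT-001", "internal", "Bank A", date(2019, 3, 4), 120.0, "class action settlement"),
    LossEvent("INT-002", "internal", "Bank A", date(2019, 9, 15), 45.0, "regulatory fine"),
    LossEvent("EXT-901", "external", "Bank A", date(2019, 3, 5), 120.0, "class action settlement"),  # duplicate of INT-001
    LossEvent("EXT-902", "external", "Bank B", date(2019, 6, 1), 80.0, "trading loss"),
    LossEvent("EXT-903", "external", "Bank A", date(2019, 9, 15), 45.0, "regulatory fine"),  # duplicate of INT-002
    LossEvent("EXT-904", "external", "Bank A", date(2020, 1, 20), 45.0, "regulatory fine"),  # same amount, distinct event
]


def likely_same_event(a, b, amount_tol=0.01, day_tol=30):
    """Heuristic match: same entity, amounts within tolerance, dates close together."""
    if a.entity != b.entity:
        return False
    if abs(a.amount - b.amount) > amount_tol * max(a.amount, b.amount):
        return False
    return abs((a.occurred - b.occurred).days) <= day_tol


def dedupe(events):
    """Keep the first record of each duplicate group, preferring internal records.

    Returns (kept_events, [(kept_ref, dropped_ref), ...]) so each drop is auditable.
    """
    kept, dropped = [], []
    for ev in sorted(events, key=lambda e: (e.source != "internal", e.occurred)):
        match = next((k for k in kept if likely_same_event(k, ev)), None)
        if match is None:
            kept.append(ev)
        else:
            dropped.append((match.ref, ev.ref))
    return kept, dropped


def summarise(events):
    """Empirical inputs a loss-distribution model draws on: count, total and mean severity."""
    total = sum(e.amount for e in events)
    return {"count": len(events), "total": total, "mean": total / len(events) if events else 0.0}


if __name__ == "__main__":
    kept, dropped = dedupe(EVENTS)
    print("before:", summarise(EVENTS))   # 6 events, 455.0 total
    print("after: ", summarise(kept))     # 4 events, 290.0 total
    for k, d in dropped:
        print(f"dropped {d} as duplicate of {k}")
```

Whether two records describe one event is ultimately a categorisation judgement, as the expert quoted above notes; the control only surfaces candidates for review.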
“AMA models were calibrated in the US under rigorous standards that the Fed has set. One element people dislike is looking at the empirical loss data as a floor, which you need a very strong justification to violate,” says the op risk expert.
The Federal Reserve, Wells’ primary regulator, declined to comment. However, a person familiar with the Wells Fargo issue at the Fed said he had not observed a bank restating its op RWAs in this way before.
Bank data fidelity is monitored by the Fed, and issues affecting op risk management systems, processes and data can be dealt with through supervisory actions. For example, the Fed can declare a “matter requiring attention” or “matter requiring immediate attention” following a bank examination if it unearths an issue that could undermine the safety and soundness of an institution or that represents significant noncompliance with applicable laws or regulations.
Since February 2018, Wells Fargo has been bound by an asset cap of $2 trillion imposed by the Fed after it was found to have mis-sold “ghost accounts” to unsuspecting customers. The cap will be lifted at the Fed’s discretion following an overhaul of its op risk management framework.
Speaking at a virtual industry conference in May, Wells Fargo chief executive Charles Scharf said that it’s “very, very clear” what the bank has to do to remove the cap. “We’re doing the work. It’s a hard thing to talk about because we have milestones. We know exactly what we have to accomplish. But ultimately, it’s up to the Federal Reserve to decide when it’s been done to their satisfaction.”
Mental health: the new frontline for risk management
By James Ryder | News | 2 June 2020
Rise in stress and anxiety among locked-down staff could open up banks to range of risks
Like millions of others, finance professionals have been working from home since March. It hasn’t been easy. For some, the workload is greater than ever as recent volatility in markets has hiked the number of trades to execute and process. But restrictive home office set-ups and patchy internet connections mean simple tasks can take longer to complete. Virtual meetings help workers stay in touch but it’s not the same as office camaraderie.
HR teams at financial firms are assessing the demands the coronavirus lockdowns are putting on their employees. Errors by stressed-out staff, extended periods of absence, and litigation risk from illness are among the business exposures now facing employers. The pandemic is forcing a new focus on mental health and its attendant risks.
“Safeguarding my team’s mental health is my number one priority right now,” says the head of a front-office quant finance team at a large European bank.
Research conducted even before the coronavirus pandemic struck shows the biggest cause of business disruption across industries globally is poor health, outstripping other factors such as cyber attacks and IT outages. Mental health-related absence can also be more costly for a company than absence from physical illness or injury. Employees who are absent for sickness such as stress, anxiety and depression are off work for 40% longer on average than those absent due to all types of illness and injury, according to recent UK government statistics.
Absence puts additional pressure on staff to cover for their ill colleagues – or for those on furlough, as many companies have had to place staff on temporary paid leave during the lockdown.
Some financial institutions are filling gaps in their output by outsourcing functions. In trading, for example, the pandemic has led to greater interest in outsourced order execution. Investment firms are looking for extra muscle to help them handle a spike in transaction volumes, or for trading unfamiliar asset classes.
Outsourcing brings its own risks, though. Third parties open up a new front for cyber criminals to exploit. Companies have to carefully vet vendors to ensure their standards of data protection, for example, are up to scratch.
Financial pressure on companies often equates to pressure on individuals. The pandemic has upended business-as-usual, slashing revenue streams or magnifying losses. The onus on sales and trading teams to hit targets is greater than ever.
It’s the kind of environment that can give rise to rogue trading or other misconduct. A lack of supervision enabled traders such as Jérôme Kerviel and Kweku Adoboli to rack up 10-digit losses at their respective banks. There are fears that widespread remote working during the pandemic will interfere with supervisory lines of sight, increasing the risk of internal fraud.
Alternatively, pressure to meet sales targets could seed the ground for the next great mis-selling scandal. Incentive schemes and an overly sales-oriented culture were said to be prime factors behind the mis-selling of payment protection insurance by retail banks in the UK. The episode resulted in costs of more than £50 billion ($62 billion) in fines and other charges for the banks involved.
Damage may not even be intentional. Unexpectedly high volumes of transactions snarled up back-office margin systems in Asia in March, as human errors caused logjams in trade processing.
At Deutsche Bank, group head of non-financial risk Balbir Bakhshi says the operations department is among those under the most strain. The team, which has a big presence in India, endured a leap in its workload throughout March.
“The volumes for operations staff in some of the markets in which banks operate were two, three, four times normal,” he says. “Think about people working in a remote environment getting through more than two times their day job in a fairly seamless way – they did that by working longer hours. The mental health hotspots to watch, from an inherent risk perspective, are in areas like that.”
At times of stress, staff may be more liable to make mistakes. Even something as simple as a misplaced word can have costly consequences, as Samsung Securities discovered in 2018 when a fat-finger error resulted in the company doling out $100 billion worth of company shares to employees rather than the intended $2.6 million in dividends.
See you in court
A decline in mental health among individuals could open up banks to litigation risk as workers look to sue employers for stress-related illness. Last year, JP Morgan faced a lawsuit from the family of a sales executive who committed suicide after suffering from depression.
Lawsuits could come in several shapes and sizes. In the first type, says Nicola Rabson, global head of employment at law firm Linklaters, individuals who have a psychiatric illness amounting to a disability may claim their bank hasn’t made the adjustments necessary to allow them to do their work properly. In a related scenario, the employee might feel they have been discriminated against indirectly, by being passed over for promotions or bonuses.
In the second type, an employee may claim for personal injury. In this scenario, says Rabson, individuals allege that their employer’s treatment of them has caused a psychiatric injury directly.
Kate Field, global head of health, safety and wellbeing at the British Standards Institution, says employee health issues have become more disruptive to companies in part due to a rise in lawsuits. “There has been an increase in civil litigation, which is costing these financial institutions large amounts of money.”
Spotting the warning signs of incipient illness may be harder among staff who are working remotely. The signals managers may look out for, like an employee staying late very often or displaying uncharacteristic behaviour, become easier to miss when everybody works from home.
“The risk factor is aggravated – the employer doesn’t know the environment in which the employee is working,” Rabson says.
To combat this, banks are ramping up support services for staff and strengthening lines of communication. Citi has a full-time mental health nurse, while Deutsche Bank has a team of mental health first aiders.
Bank of America has a ‘life event services’ team that assists employees facing a range of personal challenges. The team was in such high demand at the start of the coronavirus crisis that the bank had to redeploy staff from other departments to boost headcount.
“It’s a business risk if we don’t take care of our teammates,” says Anne Oxrider, a senior vice-president in the HR team at Bank of America.
Citi is also using a form of scenario analysis – a tool familiar to operational risk managers – to help train staff. Managers receive an email periodically with scenarios they might encounter among team members, advice on how to handle related conversations, and links to resources for managing remote teams during the lockdown.
For more practical help, the US bank offers financial assistance for employees who earn below $60,000 per year in the form of a one-time payment of $1,000. The cash helps staff deal with the “dislocation” the coronavirus has caused, explains Jenny Grey, regional head of human resources at Citi.
“It’s in recognition that our lower-paid employees may have additional stresses as a result of the virus,” Grey says.
Remote working is not a stress-inducing experience for all staff. One large bank recently conducted an internal survey on the effect of working from home, and found that half of respondents thought that it was a positive experience. One quarter felt it was similar to working in the office, and a quarter found it a negative experience. Tellingly, the ‘negatives’ felt much stronger than the ‘positives’.
“The negative people skew far more negative than the positive people skew positive,” says the bank’s head of liquidity management.
A legacy of the lockdown may be greater awareness of mental health, HR heads at global banks suggest. The kind of discussions that were once taboo in some cultures may now become more commonplace as workers plan for the gradual return to the office.
Editing by Alex Krohn
Elevating enterprise resiliency practices to combat business challenges and disruptions
By RSA | Advertisement | 29 May 2020
James Fong, Solution Lead, South-east Asia and Greater China, RSA Archer
Patrick Potter, Global Risk Strategist, RSA
Yusuf Yasin, Operational Risk Professional, Standard Chartered
Moderator: Dominic Wu, Chairman, Hong Kong Chapter, Institute of Operational Risk
Hosted by Risk.net and RSA, this webinar explores the latest in enterprise resiliency strategies and how they can be effectively communicated throughout all parts of your organisation.
With limited visibility into immediate or emerging business and operational risks that impact on company resiliency, it is often difficult for financial services professionals to demonstrate to senior management that continuity and recovery plans will allow their organisations to withstand impending risks. By covering pertinent risks – including cyber security, third-party management and technological risks – the panel discusses key resiliency practices and upcoming challenges.
Key topics discussed:
Effective crisis management – business continuity activation by visualisation, automation, centralisation and de-escalation.
Business continuity and IT disaster recovery – mitigating increasing cyber security attacks, data breaches and technology risks/disruptions.
Third-party risk management – how to work with external partners to achieve peace of mind around vendor recoverability and resiliency.