Operational Resilience

By Shirley Beglinger, Advisory Board Member, Crescendo Advisors

In today's interconnected financial world, "organisational resilience" must be taken to mean much more than just "a fully tested disaster recovery plan". Regulators are requiring boards to see beyond the walls of their own firm and identify its position in the economic, IT and service-delivery ecosystem with an emphasis on important services provided. This is a completely different perspective on risk.  Boards and CROs need to reconsider many tried and tested risk methodologies and metrics.

In reviewing the drivers of potential operational disruption, the CRO may identify several which are difficult or expensive to address. "Reliance on legacy infrastructure" for example will likely lead to a lengthy boardroom discussion of the expense and dangers of IT integration projects. Supply chains and data sharing quickly lead to the realisation that even if the firm's own arrangements are top-notch, there are probably other firms in their ecosystem who may not have the same level of preparedness.

Having identified potential sources of disruption, the board must then quantify potential costs (internal and external) and assess the ability to recover from severe and plausible scenarios of operational disruption and compare these with the firm's stated tolerance for operational disruption. Where necessary, remediation plans must be put in place.

While no board member wishes to explain to the regulator why their firm was the first domino in the ecosystem to fall over, such far-reaching change needs to be carefully managed.  To implement these requirements firms will benefit from a pilot that enables them to develop an understanding of the steps that would be required.  This will be less disruptive and more beneficial than a firm-wide initiative.

However, the need to scale up means that firms will need to identify or acquire in-house "resilience capabilities". A key aspect of the output from a successful pilot project would be to identify exactly what capabilities are required and how they can best be embedded within the firm's business.

If you found this post of interest, you can subscribe and receive further posts by email. See the box on the right-hand side of the blog's screen or click here.

Artificial Intelligence and Machine Learning in Financial Services: Implications for Credit Risk Management

A recent paper from the Financial Stability Board[1] considers the implications for artificial intelligence (AI) and machine learning in a number of financial services sectors, including credit risk.

The paper includes a useful section on background and definitions, and provides a clear reminder that these tools identify patterns and correlations rather than causality. I suspect that we will need to be reminded of this distinction more and more, as these tools are being used to explore complex relationships. 

When it comes to credit risk scoring, the FSB is clear that AI may help to make lending decisions quicker. However, regulators are not persuaded that AI credit scoring models outperform traditional models – or at least, “it has not been proved”. For example, a recent paper from Moody’s[2] compares the performance of their own credit scoring model for corporates against three machine learning approaches. Moody’s finds that, on average, the accuracy levels of the four models are comparable, and notes that the key to enhancing credit scoring models is data.  

The FSB notes that the deployment of these AI tools would also allow access to credit to people or businesses whose creditworthiness cannot be reliably assessed through traditional credit scoring models. The FSB believes that this would be a positive development for countries with shallow credit markets (emerging markets?), though less positive for countries with deep credit markets (developed markets?). You have been warned…

Regulators are also concerned with the overall auditability of artificial intelligence models used for credit scoring and the wider impact on credit risk governance. There is an important dimension here about how the model is used in business. Is it operating with some human oversight? This is an important issue for business culture as it forces a consideration of who is ultimately in control. I suspect that the distinction between retail and commercial lending in terms of volume of transactions may become important; the volume of retail transactions might make human oversight more challenging. 

Where does that leave the CEO, CFO or CRO of a bank contemplating the use of AI tools? Here are a few suggestions: 

1.  Have a shared view of the expected business outcomes from deploying AI tools.

2.  Keep monitoring credit risk exposures and alignment with risk appetite even more intensively, as the AI tool might have unintended effects.

3.  Focus on the auditability of the AI tool and its impact on credit risk governance.

If you found this post useful, you may want to subscribe and receive further posts by email – see box on the right hand side of the screen or click here. 

---

[1] Financial Stability Board, “Artificial intelligence and machine learning in financial services. Market developments and financial stability implications”, Nov 2017.

[2] Bacham, D and J. Y. Zhao, “Machine Learning: Challenges Lessons and Opportunities in Credit Risk Modelling”, Moody’s Analytics Risk Perspectives, July 2017.

Out Outsourcing?

Well, not really.  But I am sure you have heard regulatory concerns about the lack of appropriate controls around outsourcing in financial services.  It is therefore not entirely surprising that the UK’s Prudential Regulation Authority (PRA) has recently fined a bank £1.2 million for failures in the controls associated with outsourcing (here).  There are, however, a number of interesting points about this enforcement case that have broader lessons about the supervisory expectations associated with the use of outsourcing in financial services.

1.  The regulatory expectations with respect to outsourcing within a group or to a third party outside the group are the same.  I have heard this before but I was still expecting to see a recognition that there may be a difference.  I could not really find an obvious distinction in the enforcement notice.  This is particularly relevant in financial services where brands are typically a collection of companies, sometimes with a core staff serving a number of companies, in particular with respect to finance (and, in insurance, actuarial).  This also has implications for risk functions which will also need to articulate how their oversight relates to the various companies.

2.  The outsourcing arrangements are documented appropriately in a timely manner. While putting contracts in place within a group is probably understood to be a regulatory expectation, there are two important dimensions that this case highlights.  The first of these is the importance of putting contracts in place at the outset and undertaking due diligence; bear in mind point 1 above.  This also includes signing the contracts!  Secondly, in the case of internal outsourcing involving a control function, it is important that the roles and responsibilities of the various parties are clearly defined.  This can include determining the different roles of people and teams probably sitting near each other.

3.  The legal form of the outsourcing provider does not matter.  A JV form that effectively provides an outsourcing activity should also be treated as outsourcing. 

4.  The consequences of a lack or breakdown of controls matter a great deal.  If the finance function is outsourced within the group, then a breakdown can have severe financial implications (e.g. unauthorised payments) and can include misreporting of the capital and liquidity position to the PRA.

Last but not least, the response when the issue is discovered remains crucial.  In this case, it involved terminating certain outsourcing contracts and putting in place new ones, transferring finance teams to the relevant company and ensuring operational separation of the Bank from the rest of the group.  In addition, the bank commissioned a firm of accountants to review the matter, undertook its own review of all outsourcing contracts and was subject to a skilled persons review by the PRA.  As in other cases, the fine may not have been the largest cost to the bank.

If you found this post useful, you may want to subscribe and receive further posts by email – see box on the right hand side of the screen or click here.  My target is to post on a regular basis but I will not be flooding your inbox. 

This post is part of a series of posts on the practical lessons for risk management from enforcement cases.  The posts are all brought together in the page Enforcement Cases of the blog.

Risk Management Lessons From the Co-op Bank's Demise

One of the fallouts from the financial crisis in the UK was the demise of the Co-op Bank as part of the Co-operative movement.  The UK regulators (the PRA and the FCA) investigated the causes of the bank’s demise and issued simultaneous enforcement notices earlier this year (here and here).  The key failures identified by the regulators are summarised in Box 1. 

One of the key points for the press was the regulators decision to waive any financial penalties, reflecting the financial conditions of the Coop Bank.  However, from a risk management perspective, the enforcement notice represents an interesting catalogue of lessons in risk management for both banks and insurers: 

1.  Risks and business strategy go hand in hand.  It is difficult to manage risks effectively in the absence of a clear and comprehensive strategy for key lines of business. 

2.  A ‘cautious’ risk appetite statement is not enough.  Business decisions still must be evidenced as ‘cautious’ in practice even if this happens on a qualitative basis. 

3. The remit of the risk function includes valuations and accounting decisions.  This is particularly relevant in terms of the challenge and governance to (changes to) assumptions associated with discretionary features about valuation e.g. about the timing of redemption of capital instruments.   

4.  Policies are more than documents.   Compliance with policies must be evidenced.  A complex and changing business reality cannot be captured through prescriptive policies.  Certain discretions must be factored into decision making processes.  The risk oversight should cover how those discretions are applied in practice.   

5.   An open and cooperative relationship with the regulators is not just about issues.  It includes updating the supervisor regarding concerns about the position of senior individuals leading to intended changes.

6.  An effective risk culture is an outcome of business decisions about risk.  This was one of the concerns of the regulators.  The regulator’s articulation of an effective risk culture is interesting: ‘A culture in which accepted orthodoxies are challenged, action is taken to address risks on a timely basis and risk and control functions carry real weight is likely to support prudent management.’  In a nutshell, a risk culture is not end in itself but the means to support prudent management.

The enforcement notice mentions other issues regarding the shortcomings of the risk management oversight and internal audit. 

Finally, it is worth noting that the period of time formally considered by the regulators stretches from July 2009 – weeks before the Co-op Bank’s merger with the Britannia Building Society – to December 2013 – when it ceases to be a wholly owned subsidiary of the Co-op Group.   I don’t think the shortcomings just materialised in July 2009. 

This suggests that the perceived connection between responses to the financial crisis and strengthening risk management may not have been as widespread as it might have seemed.  The shortcomings are clearly serious and while they may not be critical when taken individually or addressed within a short period of time, it is the cumulative impact that had the effect of bringing the Co-op bank's demise.    

If you found this post useful, you may want to subscribe and receive further posts by email – see box on the right hand side of the screen or click here.  My target is to post on a regular basis (no more than weekly) and I will not be flooding your inbox. 

This post is part of a series of posts on the practical lessons for risk management from enforcement cases.  The posts are all brought together in the page Enforcement Cases of Crescendo ERM blog.

Is the Governance Map Also the Territory?

One of the financial crisis’s lessons for regulators has been discovering the ‘accountability firewall’ of collective responsibility which prevents actions against individuals even if they are approved for specific roles.  This was one of the lessons from the UK Parliamentary Commission on Banking Standards from 2013.

UK regulators have been tasked with the challenge of breaking down that ‘firewall’ for both banks and insurance.  The UK has had a regime of approved persons for some time.  The PRA and the FCA have been consulting on proposals aimed at strengthening the accountability of senior management.  For insurers, this is referred to as the Senior Insurance Managers Regime (SIMR).

The proposals may well increase the scope of senior managers, and will strengthen conduct requirements that apply to them.  It seems to me that the most innovative (and, dare I say, revolutionary) aspect of the proposals is the requirement that firms produce a ‘governance map’.   As with all good ideas, it is simple.  The regulator identifies a set of responsibilities and then asks firms to map them to senior managers who are subject to regulatory approvals and sanctions.  

The list of responsibilities is long.  For example, the list for insurers is as follows:

1.       ensuring that the firm has complied with the obligation to satisfy itself that persons performing a key function are fit and proper;

2.       leading the development of the firm’s culture and standards;

3.       embedding the firm’s culture and standards in its day-to-day management;

4.       production and integrity of the firm’s financial information and regulatory reporting;

5.       allocation and maintenance of the firm’s capital and liquidity;

6.       development and maintenance of the firm’s business model;

7.       performance of the firm’s Own Risk and Solvency Assessment (ORSA);

8.       induction, training and professional development for all the firm’s key function holders;

9.       maintenance of the independence, integrity and effectiveness of the whistleblowing procedures, and the protection of staff raising concerns;

10.   oversight of the firm’s remuneration policies and practices.

For banks, there is no direct equivalent to 7 even if there is an ICAAP.   However, the list includes the following additional responsibilities:

1.       funding is also mentioned in 5. above as well as an additional responsibility in respect of the bank’s treasury management functions;

2.       developing a firm’s recovery plan and resolution pack and overseeing the internal processes regarding their governance;  

3.       managing the firm’s internal stress-tests and ensuring the accuracy and timelines of information provided to the PRA and other regulatory bodies for the purpose of stress testing; 

4.       safeguarding the independence of and overseeing the performance of the compliance function, internal audit and risk function respectively; these are three different responsibilities.

There are some interesting differences between banking and insurance.

The overall message is rather simple: there is an individual presumption of responsibility in the event of a breach.  In those cases, the relevant individual will need to demonstrate that he took reasonable steps to prevent the breach in the relevant area. 

Firms’ senior managers will spend time discussing the mapping of responsibilities.  This may well be the easy part.  Undoubtedly, the challenge for senior managers will not be the map, but the territory, i.e. how to manage the relevant responsibility.  For some responsibilities there will processes, teams and awareness within the company to ensure that something happens; think of item 7 above, the ORSA.  In other cases, the challenge will be determining which business function will assume the relevant responsibility and what approaches, processes and resources will be needed as evidence that reasonable steps were taken.  What should be done to prove that ‘firm’s culture and standards’ are developed and embedded?  

If you found this post useful, you may want to subscribe and receive further posts by email – see box on the right hand side of the screen or click here.  My target is to post on a weekly basis so I will not be flooding your inbox. 

Securitisations and Solvency II: An opportunity? Or one to be missed?

To put it mildly, securitisations did not a get a good reputation as a result of the financial crisis.  Things are now changing.   This is illustrated well in a discussion paper from the Bank of England and the European Central Bank extolling the virtues of securitisations (here).    It is difficult to disagree with the key message; securitisations can be a win-win transactions that enhances the ability to redistribute risks more efficiently in the economy while enabling institutional investors to access a wider pool of investment.  

The Solvency II Delegated Acts (‘implementing measures’) built up a more favourable capital treatment for securitisations.  It is now recognised as a category of its own for the purposes of spread risk.  This evolution can be evidenced in the Commission’s Impact Analysis published at the time of the publication draft Delegated Acts (here).  As recognised in the Delegated Acts, this even includes recognising the name ‘securitisation’ instead of the name used in the Solvency II Directive in 2009: ‘investment in tradable securities or other financial instruments based on repackaged loans’.

As one would expect, the calibration of the standard formula spread risk for securitisation reflects the maturity of the exposure and its credit rating.  However, there is an interesting innovation.  The Delegated Acts identify two types of securitisation exposures: ‘good’ and ‘bad’, or in policy terms, type 1 and type 2.  The criteria are set out in the Delegated Acts and are quite detailed.  

Exposures of type 1 must meet 20 conditions including a rating of ‘BBB’ or above, the seniority of the exposure in the securitisation, SPV arrangements, listing in an OECD or EU exchange, and backing by residential loans, commercial loans or auto loans and leases.   The list of conditions is somewhat shorter for securitisations that were issued before the Delegated Acts came into force. Type 2 securitisations are simply those not meeting these criteria.  

Figure 1 shows the significant difference that meeting the conditions for type 1 makes to the capital charges.  It is a noticeably a more important consideration than the rating or maturity of the exposure.  

Figure 2 shows an alternative view of the spread risk capital requirements for type 1 securitisations compared against the equivalent ones for corporate bonds of equivalent ratings.   The differences aren’t that large in particular for short maturities.

All this raises a number of interesting considerations for an insurer’s capital management strategy. 

Firstly, there may be tactical adjustments where insurers find that they are holding type 2 securitisation paper as part of the Solvency II implementation work.  In this case, the insurers may seek to dispose of these investments before 1 Jan 2016 to avoid the capital increases that Figure 1 suggests.  However, given insurers’ relatively small holdings of securitisations, this may not be a material issue.

The bigger issue is the extent to which there is an appetite to consider the capital treatment of type 1 securitisation as a more strategic opportunity and readjust investment strategies.  Indeed, would it be possible to do so before 1 Jan 2016 to enhance the matching of cash flows of annuity liabilities and subject to Matching Adjustment? 

In any event, Figure 2 above suggests that there may be an interesting question about the risk and return trade-off of corporate bonds versus type 1 securitisations.  Would the returns from securitisations be sufficiently higher to justify the additional capital requirements?  Figure 2 suggests that for low maturities, e.g. up to 7 to 10 years, this could be finely balanced in particular for ‘BBB’ bonds.  If so, would insurers be willing to tilt their investment strategies to include more type 1 securitisation?  The answer to this question requires appropriate consideration, cash-flow matching including risk appetite, stress testing and governance.   

However, even if the risk and return trade-off mentioned above appears appropriate, it seems that there may be a limited supply of type 1 securitisations.  If so, there would be a limited opportunity for insurers in the short to medium term.  This would be more of an opportunity for investment banks to structure securitisation transactions.

This post is part of a series of posts on Solvency II.  To see the list, click here. 

If you found this post useful, you may want to subscribe and receive further posts by email – see box on the right hand side of the screen or click here.  My target is to post on a weekly basis so I will not be flooding your inbox. 

Stress Testing: Reporting or ‘So What’?

The Bank of England (BoE) recently published the results of the first concurrent stress testing of UK banks (click here for a post about the implications of this exercise).  Stress testing is not only relevant to banks; EIOPA also initiated a similar process and carried out an exercise in 2014, which I will cover in a future post.   

Much has been written about the results for individual banks.  I would like to share some observations about an aspect of stress testing with wider implications: the consideration of ‘so what’ that may take place when the stress materialises. 

In the BoE stress testing, banks had to spell out the management actions they envisaged taking.  These actions were subject to scrutiny by the Bank of England and ‘a high threshold was set for accepting’ them. 

There is little detail about the specific management actions that were accepted.  Broadly speaking, they appear to be mainly reduction in costs and dividend.  Furthermore, the BoE clarified that they did not accept management actions that resulted in a unilateral reduction in credit supply in the stress scenario.  This approach meant that management actions had limited impacts, specifically no impact for two banks and, for the other six banks, an average improvement (i.e. an increase in common equity Tier 1 [CET1] after the stress) of 9%.  

In an earlier post (here), I suggested the consideration of ‘so what’, including the ability to carry out actions that mitigate the impact of the stress as one of the potential benefits of stress testing.  How should we reconcile this with the limited scope of management actions recognised in this exercise?

A useful starting point would be to make a clear distinction between stress testing undertaken for different purposes and audiences.  This is summarised in the table below:

	‘Internal’	‘External’ / BoE
Purpose	Identifying vulnerabilities and addressing them	Evidencing overall resilience
Focus	Lines of business/ business units	Enterprise wide

Given the BoE’s intention to continue stress testing and make them an integral part of the supervisory landscape, the question would be how to integrate these two different perspectives of stress testing. 

Ideally, a bank would start an internal review of stress vulnerabilities at the business unit level as soon as the submission to the BoE is delivered.  This would enable the bank to identify and put in place the appropriate risk mitigation.  For example, the bank may choose to adjust its credit risk mitigation by transferring loans or hedging credit before the next BoE stress testing.  Given the focus on addressing vulnerabilities, which could require board approval, it would make sense to review stress vulnerabilities of specific business units/lines of business on a staggered basis. 

Adopting this approach over time would deliver a virtuous cycle of identification of stress vulnerabilities and enhanced risk mitigation which would be reflected in the next stress testing for the BoE.

In conclusion, while the BoE may have adopted ‘a high threshold’ for accepting management actions, banks can still build in a process to identify and implement these management actions and evidence how they address vulnerabilities in key business units and product lines.

You can subscribe to future posts here.

Solvency II: The Beginning of the End?

This week I spoke at a client breakfast event organised by Protiviti in London. 

The ‘beginning of the end’ is not just a rhetorical question about Solvency II but the challenging issue I had to address about Solvency II becoming effective on 1 Jan 2016.  I spoke about the ‘end point’ and focused on two issues:

• whether this is the end point we expected from a policy perspective (a measured yes, though it feels more different from the current ICA regime than expected, partly because of the financial crisis), and  

• whether insurers are engaging in contingency planning to reflect regulatory uncertainties around the end point that they are targeting.

I suggested that instead of thinking that this is the ‘beginning of the end’, we consider whether this is in fact the ‘end of the beginning’ – the implementation.  Now the real challenge begins: operating Solvency II in a BAU environment.  I offered a few suggestions to facilitate that transition; take a look at the slides. 

You can subscribe to future posts here.

Business Model Analysis Coming of Age?

I wrote a few months ago (here) that one of the common areas of prudential and conduct supervision is the focus on understanding business models.  The Prudential Regulation Authority (PRA) published an interesting paper about the application of business model analysis to developments in the insurance sector (here).

However, it still felt that business model analysis remained something confined to policy and supervisory circles.  I was therefore pleasantly surprised to read about it in a quick Q&A session with Sir Win Bischoff in The Times (Saturday, 6 September).  In response to a question about his views on leadership, he said, “establish the business model, set the strategy and then let management get on with it.”

Given Sir Win Bischoff's role as a former chairman of several major banks, there are a number of messages in this answer: 

1.  confirmation of boards' interest in oversight of the business model, meaning it is not just a supervisory issue; and   

2.  a pecking order with the business model setting the wider parameters for the strategy.

With hindsight, it is possible to see that what may have seemed changes to business strategy were really changes to the business model.  Seeking to separate decisions about business model and strategy would go some way to supporting an enhanced oversight of risk taking.  How would risk functions rise to this challenge?     

If you work in financial services, I would be keen to hear your thoughts about business model and risk management.  If you don’t, I would be keen to know if these lessons resonate with your experience. 

You can subscribe to future posts here and receive them by email about once a week.   

More on the ‘C-factor’ in Regulation: Business Model Analysis

Business model analysis (BMA) is one of those terms that are becoming common currency in regulatory discussions, hence the reference to a ‘c-factor’ or common factor in an earlier post (here).  

The PRA published a useful article in the Bank of England March Quarterly Bulletin setting out how they intend to apply BMA to insurance.  It suggests that there are two aspects to a BMA.

Firstly, there is a company dimension, which is obviously not spelt out in great detail for the obvious confidentiality reasons.  In general terms, this would recognise that:

• there is an ‘inverse production function’ in insurance – the fact that insurers collect premium before the service has been delivered and can earn an investment return until claims are paid; and
• insurers must price the product without full knowledge of production costs – hence the ‘experience analysis’ of reserves.

Secondly, there is a market dimension, which recognises that a business model is not static and will respond to changes in regulation, culture, society and technology.  This is evidenced in the article by reference to two developments:

• price comparison web-sites in the UK motor industry; and
• non-standard annuities.

Overall, the PRA sets out a helpful and clear vision about BMA:

‘The PRA’s capital requirements help to make insurers resilient against short-term shocks.  But to be confident that insurers will remain viable over the longer term, the PRA needs to know whether an insurer’s profits are sustainable.  In other words, the PRA will need to analyse the risks of an insurer’s particular business model.’

I found quite remarkable and refreshing to see this level of clarity from supervisors. 

The recent UK budget announcement about removing the requirement for compulsory annuitisation will provide wide ground to test the practice of BMA from a regulatory perspective and, probably, from a company perspective as well.

If you found this post interesting, you can subscribe to future posts at http://crescendo-erm.blogspot.co.uk and receive them by email; you will need to provide an email address and then confirm the subscription; your email address will not be shared.  Alternatively, you can choose "follow" Isaac Alfon in the relevant LinkedIn group.

Supervisory Stress and Scenario Tests: Does It Lead to Business Benefits?

I read a good question about stress and scenario tests: whether they are just a regulatory requirement or whether they are also a useful business tool.      

It is certainly a regulatory requirement in many jurisdictions, including the UK.  In my view, the supervisory application of stress testing is really re-writing regulatory requirements by formalising a new minimum level of capital which allows a bank to meet its minimum capital requirement after experiencing stress conditions.  I have written about this more extensively in my blog (here) following the publication of a paper on this subject by the Bank of England.  

If stress testing is a regulatory requirement, the next question is how it can be done so that the activity adds value to the business.  When I think about this, two aspects come to mind.  

Firstly, there is something about 'how' stress tests are done to add value to the business.  In this sense, there is something to take from the Bank of England paper.  The paper mentions examples of shortcomings that the UK supervisor has identified in banks' practices of stress testing, including the lack of Board engagement.  See my previous posting (link above) for a full list.  Interestingly, most of the shortcomings are related to governance.  It follows then that it is unlikely that banks will wish to derive value for their business if the governance has not been appropriate.

Secondly, there is something about 'what' is the source of business value.  Is the source of value the knowledge of the actual stresses?  Knowing the actual stresses prompts a question along the lines of 'so what'.  I believe fleshing out the answer to this question and identifying the management actions, planning them and seeking board approval would be the real value to the business.  Not surprisingly the paper from the Bank of England also stresses this aspect.  In a trading environment, the action could be adjusting appropriately the portfolio.  In a banking environment, this would need to be identified below the institutional level and may not be straightforward to identify.  

My view is that there may be an aspect of a 'catch 22' here.  If there is limited appreciation of the business value of stress testing then there will be limited incentives to improve the governance of stress testing to rely on them from a business perspective.  Supervisory intervention might then challenge this situation and as a by-product generate genuine business benefits.  

Banking regulation: a new paradigm, more challenges but similar consequences

The Bank of England recently published a discussion paper (here) setting out a comprehensive framework for coordinated stress and scenario tests of the UK banking industry.  

This process is challenging but necessary to underpin the resilience of the UK financial system.  As set out in the paper, other countries are going through similar exercises and there is a view that they can be instrumental to restore the credibility of the banking system.  

In 2014 the exercise will cover the eight banks covered in the recent regulatory capital shortfall exercise (Barclays, Co-op Bank, HSBC, Lloyds Banking Group, Nationwide, Royal Bank of Scotland, Santander UK and Standard Chartered).  For future years the Bank is considering the inclusion of medium-sized banks.  It is also likely to include UK subsidiaries of foreign globally systemic banks. 

At a high-level, the approach is reasonably straightforward.  Staff at the Bank design common stress scenarios for all banks which look into the next three to five years.  The severity of the scenarios is described in qualitative terms – “both sufficiently severe but also plausible”. 

Each bank goes through a similar process and creates specific stress scenarios.  These must be consistent with the bank’s business model and key vulnerabilities and be as severe as the common scenario.  

Then a bank assesses the impact of both types of stress scenarios and considers the management actions that may be needed to ensure that the bank can meet the capital requirements prescribed by the PRA (or at least the internationally agreed minimum capital requirements) after the stress.

Towards the formalisation of a new paradigm …

It seems that there are two major changes to banking regulation in this process. 

Firstly, going forward it would not be enough for a bank to just meet its capital requirements.    A bank should demonstrate that it would meet its capital requirements after a stress has taken place.  This could have implications on a bank’s capitalisation level.

The next change is about reducing the reliance on a bank’s internal models.  Officials at the Bank have raised these concerns before, for example, in this speech of Andrew Haldane (here).  In particular, the evidence about the large number of parameters that need to be calibrated is sobering.  The paper sets out the Bank’s intention to rely on a suite of models to assess capital adequacy, including a bank’s internal models, regulatory models and models of the entire financial system that build in the impact of interaction between institutions. This is consistent with the doubts that have been expressed.  You could say that the message is that a bank’s internal models would be credible if it is operated in a context where the bank has sufficient capital to meet its capital requirements after stress scenarios.

… which creates challenges for the Bank …

I suppose that for a regulator like the Bank defining “sufficiently severe but also plausible” stress scenarios is not perhaps the most significant challenge.  My guess is that the real challenge would be in terms of applying judgements to the results provided by banks and consolidating the impact across a number of scenarios for each bank and for the system as a whole.  One would hope that there will be enough transparency so that a bank’s executives understand where and how their conclusions may differ from those derived by the Bank.  

The other challenge would be the inclusion of medium-sized banks.  The paper is open about the challenge that this may represent for these banks.  The Bank would need to balance that against the recognition that medium-sized banks like Northern Rock can also create systemic disruption and put taxpayers’ money at risk (here).  One possible way of reducing the impact would be to integrate this exercise within the existing ICAAP and Pillar 3 disclosures frameworks.

… and for banks

UK banks have been undertaking stress and scenario tests for regulatory purposes.  The paper includes a list of the shortcomings that the FSA had identified: 

• “insufficient engagement by banks’ Boards and senior management with the stress-testing process;  
• insufficient integration of stress testing with banks’ annual business planning process, including the use of stress tests as a challenge to business plans; 
• inadequacies in scenario design, including the failure to identify key vulnerabilities, overly optimistic baseline assumptions and insufficiently stressful adverse scenarios;
• difficulties in reconciling risk data with reported balance sheets and risk-weighted assets;
• stress-testing infrastructures that have not been suitable for bank-wide stress testing;
• insufficiently justified or internally challenged assumptions and judgements around the translation of macroeconomic shocks into projected losses, including overestimation of banks’ ability to control margins and generate profits in stress scenarios; and
• inadequate determination and quantification of relevant management actions under different stress scenarios.”

The paper does not say much about how generalised these shortcoming are.  However, I found it very interesting that most, if not all, of those shortcomings are related to weaknesses in processes and governance rather than technical issues. 

There are also consequences …

And in case those reading the paper have doubts about the Bank’s determination to see this through, the Bank suggests that failure to address these shortcomings will result in regulatory intervention. 

“The exercise might reveal weaknesses in banks’ stress-testing and capital planning processes and governance. In those circumstances the PRA would consider what action was appropriate to ensure that shortcomings were addressed. The PRA has a variety of formal powers available. Additional capital requirements might be one tool. Withdrawing certain permissions, changing banks’ management and requiring specific actions to improve banks’ stress testing, risk management or capital planning processes are others.”

Summing up, we may be witnessing the formalisation of a new paradigm for banking regulation that places less reliance on a bank’s internal models but the potential enforcement side does not seem to be changing.  

The paper includes a number of specific questions and responses are requested by 10 January 2014.