Showing posts with label conduct risk. Show all posts

Wednesday, 26 February 2020

Good risk management is not just about good ideas



One might say that this is stating the obvious and that it is understood that implementation also matters.  A recent FCA enforcement case against Moneybarn would suggest that it is not so obvious after all.

Moneybarn is a lender that provides motor finance for used vehicles to ‘non-standard’ customers.[1] The case against them related to the regulatory expectations for the treatment of, and communication with, customers who fall into financial difficulties, i.e. the exercise and communication of appropriate forbearance by the lender.  Here, we seek to tease out the implications of this case for the risk management activities of FCA-regulated businesses.

1.  Appropriate policy design

As one would expect, policies need to cover the appropriate ground.  This can include articulating the appropriate range of options (in this case, for customer forbearance and resolution), the considerations that would be taken into account and the governance that would apply to different options.

It is worth noting that in this enforcement case, it appears that the FCA had no obvious concerns about the relevant policies and procedures reviewed.  

2.  Implementation

The challenge is how these policies and procedures are translated in the business, e.g. whether the call scripts are consistent with the policies.  In some cases, this means that calls would be far from “linear”.  Customer service agents will have to consider a range of options and guide the customer.  This would have implications for the training and tools available to customer service agents.

The FCA notes that “from the review of the sample the use of any other forbearance options”, other than clearing their arrears over a short period of time, “despite the fact that policies and procedures referred to other available options”.   

3.  Monitoring and assurance

There is usually a combination of first line monitoring and oversight by 2nd and 3rd line functions.  To some extent, who provides assurance becomes less important than whether assurance is provided.

It is important to recognise that assurance should be provided about the processes and about the outcomes.  Where the nature of the issue involves considering customers’ individual circumstances in response to financial difficulties, it is important to evidence that the range of options set out in the policy has been delivered.  This is more challenging to monitor than following a process.

It is interesting that in this enforcement note there are no references to assurance or to the role of 2nd and 3rd line functions.

4.  Regulatory relationship management

The FCA’s initial engagement started with a seemingly low-profile review of a “limited number” of files and call records, leading to a visit in July 2016 to assess forbearance and termination practices.  There were then several interactions with the FCA in September 2016 and January 2017, leading to a formal request for imposition of a requirement in June 2017 and eventually enforcement action.  One must wonder if a more proactive engagement with the FCA would have prevented the escalation to enforcement.

It is usually noted that proactive engagement with the FCA and the issues raised would have been expensive.  Hindsight may be a powerful tool, but it is not clear that the cost of the proactive engagement would have exceeded the enforcement costs, which ended up being very substantial – the fine of £2.7m, the impact on senior management’s time, and the £30.3m of compensation paid to customers potentially affected by these failings.

This post is part of the materials discussed in episode 3 of RegNut Podcast.  If you found this post of interest, subscribe to RegNut.  You can also subscribe to the blog and receive further posts by email. See the box on the right-hand side of the blog's screen or click here.






[1] Non-standard customers are those that cannot access finance from mainstream lenders because they have a poor or no credit history or past problems with credit due to unemployment, ill health or other adverse events.

Sunday, 16 September 2018

Monitoring the Risk and Business Impact of AI-Based Solutions



AI-based solutions can shape how financial services businesses make money, whether the business model is the same or not. For an existing financial services business, the motivations may vary and range from efficiency to expanding the business. There would be project risk as with any development, but leaving that important consideration aside, it is worth bearing in mind that AI-based solutions would also impact the risk profile of the business. This may or may not be the original intention, but it becomes more likely. The key implication is that implementing an AI-based solution would require a radically different risk oversight approach by the business.

Standard computer algorithms which are not AI-based can (and do) solve complex problems. The main feature of such algorithms is that the problem is somehow defined and an algorithm is developed to solve it, which will produce the same answer as long as the same inputs are provided. So a credit-scoring mechanism calibrated to capture a certain type of client gives you just that.

The answers offered by an AI-based system may change over time. New data is used to reassess the underlying relationships and recalibrate the relationship between the target variable and the potential explanatory variables. This “learning” can also happen in a standard programme when there is a process of recalibration. The difference is that in the case of AI, learning would happen on a real-time basis; that’s the essence of AI.

Alternatively, with AI a target variable may not have been defined. That’s not as unusual as it might sound. For example, algorithms assessing a loan or credit card underwriting may fall in this category because there is no single rule to predict a borrower’s likelihood of repayment. New data can lead to a certain recalibration or can be used to identify new relationships between certain data. For example, over time an AI-based system might identify that outstanding debt is a better predictor of the likelihood of borrower repayment than repayment history and penalise someone with a relatively good track record of timely repayments.

The first type of AI-based solution is called “supervised machine learning” and the second one “unsupervised machine learning”. The key difference is the extent of autonomy that goes with the learning.

Consider the potential impact of AI-based tools on conduct risk. One of the expectations from Treating Customers Fairly (TCF) with respect to product governance is that products are designed to meet the needs of identified consumer groups and are targeted accordingly. This requires a clear business strategy, including identification of the target market through a combination of qualitative and quantitative research, and oversight of the business to ensure that it is aligned with initial expectations of customers and business generated. Take the example of automated investment services covered in a recent FCA review. These providers would rely on some type of AI-based solution, whether supervised or unsupervised machine learning. The possibility of capturing different customers or the advice generated being different from what was envisaged cannot be ruled out. The challenge is how to put in place a monitoring approach which ensures that the outcomes and risks which arise are consistent with the expectations in the business plan.

Something similar can apply from the perspective of credit risk, impacting the quality of the portfolio and performance. Suppose you have been targeting retail customers with a specific risk rating for a credit card business. If you roll out an AI-based solution to enhance the efficiency of product underwriting, you would need to have in place mechanisms to ensure that the credit quality of the portfolio is consistent with your expectations, or else change those expectations. Both options are fine. You may want to keep your target credit rating constant and seek more volume, or perhaps you see AI-based solutions as a more robust tool to support decision making and, in a controlled manner, can relax your target rating. Regardless of your choice, you would need to put in place a credit risk monitoring approach that is suited to the new AI-based solutions, as well as ensure that the business understands the portfolio implications of the “learning” that is at the core of an AI-based solution.

The salient point to take away is that the roll-out plan of AI-based tools may focus on the launch. However, the greatest challenge may well be the need to provide for the ongoing and timely monitoring of the AI-based tools and their integration in business governance and risk management, which I will cover in the next post.


Wednesday, 4 April 2018

Conflicts of Interest: Connecting Enforcement and Supervision



The FCA announced enforcement action against a commercial broker and a fine of £4 million in late 2017 as a result of failures associated with the broker’s management of conflicts of interest. The details of the case are here.

Conflicts of interest can be anywhere, and firms are well aware of that. However, there is a qualitative difference between the conflict of interest that an individual might have with, say, a supplier, and what the FCA identifies as an ‘inherent conflict of interest’ in the business model or ownership structure. This is the risk that commercial intermediaries must manage.[1] It is not static, and it changes as intermediaries take up other activities where they act as an agent of the insurer.

The FCA has also undertaken a thematic review of commercial insurance intermediaries focusing on this issue. (It published the results in 2014 here.) The FCA evidence included a survey of small and medium enterprises (SMEs).[2] This suggests that many SME customers do not fully understand the intermediary’s role and how it may have changed in recent years. For example, four of five SME customers expect an intermediary to get quotes from two insurers, which is not consistent with how intermediaries operate, in particular for micro SME customers (fewer than nine employees).

There are wider messages from this enforcement action for the practical management of inherent conflicts of interest. To begin with, there should be a regular process to identify conflicts of interest.  This might be challenging but following the sources of revenue would enable a robust identification of conflicts and of the impact of changes in the business model.

While a policy on conflict of interest is a regulatory requirement, it needs to be comprehensive enough to enable staff in the business to actually manage conflicts of interest. This would require specific guidance articulating how to deal with customers, including what information to collect, what checks to undertake, and the production of meaningful management information.

Business arrangements such as ‘preferred facilities’ are not ruled out but must be managed and monitored carefully, taking into account links to brokers’ remuneration, how the firm presents itself to SMEs, the existence of ‘Chinese walls’ and customers’ (probably limited) understanding of the intermediary’s role.

Any quality reviews by the first line should be designed with a view to overseeing how inherent conflicts of interest have been identified, managed and mitigated. The process should be risk based, i.e. always applying the same degree of checks to all brokers is unlikely to be appropriate.

Last but not least, as ever, culture is a factor. If statements from senior management do not recognise and support the need to manage inherent conflicts of interest, don’t expect much of the above to be in place.

The FCA will usually say something about how the case was discovered, by either supervisory activity or internal review. I was puzzled that the FCA was rather vague on this occasion. On reflection, I suspect (but cannot be certain) that there may be a dependency with the FCA’s thematic review on conflicts of interest mentioned earlier. If that’s the case, it is useful for firms to understand the potential consequences of being unprepared for a thematic review when invited to participate.




[1] This risk is not exclusive to commercial intermediaries. It exists in other parts of financial services and has also been covered in other FCA enforcement activities.
[2] Businesses with fewer than 250 employees.

Tuesday, 14 April 2015

Risk Is Exciting

You hear people say that risk management and regulation are not exciting topics.

However, the 30,000 pageviews on this blog since Nov 2014 suggest that risk management and regulation are more interesting than they seem.  Your comments have also been very useful and instructive.  Please keep them coming.

Thank you all!    

Sunday, 1 February 2015

Is It FCA Supervision or Enforcement?


One of the observations in my latest post about enforcement (here) was that fines can become a relatively small component of the cost of regulatory enforcement.  This observation was made in a context where, in addition to the fine, the firm had agreed to a number of specific measures which included replacing its executive management team and a comprehensive review of its governance structure. 

This week I came across an even better example of the blurring line between formal enforcement and where a firm agrees with the supervisor to a set of measures.  The Times reports that the London office of Deutsche Bank has been put on ‘enhanced supervision’ (here). 

Enhanced supervision is a new power acquired by the FCA, the use of which is articulated in a paper from June 2014 (here).  It explains that the application of enhanced supervision is not enforcement, although that may follow.  Enhanced supervision requires the firm’s Board to formally commit to remediation measures.  The paper sets out a comprehensive list of indicators of the failures that would lead to enhanced supervision:  
  • “the observation of numerous or specially significant conduct failings or repeated failings that when examined individually might not be considered serious  
  • “occurrence of failings in several business areas, as this is an indicator of wider cultural issues within the firm 
  • “a poorly functioning Board, for example failing to challenge executives or take a lead in considering conduct  
  • “evidence of control areas such as Risk, Compliance and Internal Audit being poorly managed, under-resourced or unable to make their voices heard at Board level 
  • “evidence of weak risk management (we may consider the PRA’s findings in relation to prudential risk management), or 
  • “evidence of other weaknesses in the way in which the Board and senior management influence key cultural factors, for example ‘tone from the top’, pay and incentives and their adherence to the organisation’s values.” 

There has been no formal statement from the FCA about this case. 

Perhaps the main point arising from this development is the further recognition that formal enforcement may not necessarily be the most effective tool from the point of view of meeting supervisory objectives and that fines may not be the most effective deterrent.  

You can subscribe to future posts here.

This post has been added to the page FCA enforcement in this blog which links all the enforcement cases reviewed.

Friday, 23 January 2015

FCA Enforcement: Going Global



With the advent of 2015, some people have talked about New Year's resolutions but frankly I still had one enforcement case from the Financial Conduct Authority (FCA) from 2014 I was keen to review.  

The case concerns a general insurer, Stonebridge, selling a range of accidental protection products offering cash compensation.  The FCA imposed a fine of £8.4 million as a result of the breaches identified.  (Click here to read the full details of the case.)

The business involved outsourcing the sales process to a number of third party companies.  The products were sold in the UK and in a number of European countries (France, Germany, Italy and Spain) over the phone on a non-advised basis.  Names of potential clients were obtained from a range of business partners which were remunerated when sales were made.  These business partners were not involved in selling the products.

The case results from the breaches of FCA principles concerning the fair treatment of customers (Principle 3) and appropriate systems and controls, including appropriate risk management (Principle 6).  The case provides a number of interesting lessons about the interaction of risk management and regulation.

1.  Fines may become a small component of the cost to firms of regulatory enforcement

In this case, in addition to the fine, the company committed to undertake a range of voluntary measures.  These include a review of past business sold in the UK and European countries and compensation where losses arise as a result of the failings identified in this case.

In addition to that, the company has replaced its executive management team, has ceased distribution of all products in the UK and European countries and has undertaken a comprehensive review of its governance structure, including new terms of reference and risk management framework.

2.  The FCA is applying UK requirements to non-UK operations

This is intentionally blunt!  In more subtle phraseology, the enforcement notice makes a distinction between the failure “to pay due regard to the interests of customers in the UK and treat them fairly” (my emphasis) and the failure to implement adequate systems and controls, which applies to the entire business, including European business.  The FCA identified significant failures which included inadequate management information, executive and board oversight and compliance oversight.

3.  The importance of proactively managing the process

I have already written on the importance of proactively managing the enforcement process and contrasted two different responses to technical breaches (here and here).   This case provides an alternative perspective.  

The starting point seems to be an FCA review of a sample of sales calls during March and April 2012, an action presumably arising from the FCA’s ongoing supervision of Stonebridge.  The enforcement case ends up covering sales all around Europe, post-sale cancellation and the company’s systems and controls. 

When confronted with the initial findings from a regulator, there may be a temptation to challenge the findings.  This would be appropriate up to a point.  

An alternative approach would be to accept the substance of the findings and consider how the underlying events could have happened from a risk governance perspective.  This would require reviewing governance arrangements throughout the company, the risk management framework and the effectiveness of the oversight provided by the second line of defence.  Hindsight is always a powerful tool, but it seems that this course of action could have been more effective in limiting the potential consequences.

Finally, this case also illustrates other failures such as controls of outsourcing and a skewed sales incentive mechanism.


This post has been added to the page FCA enforcement in this blog which links all the enforcement cases I have reviewed.

Friday, 14 November 2014

Financial Conduct Authority Enforcement: The Sum and the Parts


In previous posts I have covered the lessons for risk management from a number of enforcement cases from the UK Financial Conduct Authority (FCA) (e.g. here and here). 

An alternative approach is to capture summary data about all fines and assess their evolution over time.  This is what NERA – National Economics Research Associates – have been doing for a number of years.  The latest paper of this series is available here.  (Full disclosure: I worked at NERA several years ago.)

The latest report from NERA evidences the overall increase in FCA (and FSA) enforcement in the last two years.  Total fines to firms have increased from £59 million in 2011-12 to about £420 million in each of the last two full financial years.  The typical fine is also getting larger, with the median fine increasing from £1.4 million in 2011-12 to £5.6 million in 2013-14.

There were also some other interesting observations:
  • The overall number of cases against firms does not necessarily predict the total fines.
  • While five out of the 10 top fines against firms relate to LIBOR market manipulation, the others cover “classical” issues such as client assets, unsuitable investments and mis-selling.
  • The total of fines against individuals (as opposed to firms) has diminished from £19.9 million in 2011-12 to £3.9 million in 2013-14.  A similar trend is observed for the number of cases pursued against individuals.

There are two points that I would like to consider.

1.    The impact of the FCA revised penalty framework

The increase in FCA fines against firms may be influenced by the reliance on the revised penalty framework.  It is summarised in five steps:
  • Step 1: removal of any financial benefit derived directly from the breach  
  • Step 2: the seriousness of the breach 
  • Step 3: mitigating and aggravating factors
  • Step 4: an increase to the result from the above steps to reflect an adjustment for deterrence 
  • Step 5: settlement discount

This applies to conduct that took place since 6 March 2010.  Given the lead times for enforcement cases, this framework is probably starting to bite in earnest now and fines could stay at the current higher level and even increase further.  It will also be interesting to read in the enforcement notices how economic considerations shape the regulator’s view about the size of any financial benefit derived by the company from the breach.

2.    The decline in enforcement cases against individuals

NERA also wonders if this decline is consistent with the regulatory ambition of using enforcement to provide a “credible deterrent”.  

One possible reason for the decline in enforcement against individuals is the targeted diversion of resources to other investigations such as LIBOR and currency manipulation.  In this case, the decline would be reversed in the not-so-distant future. 

An alternative is to consider whether the change reflects the view that enforcement against firms provides a more efficient “credible deterrent”.  If this were the case, then the decline of enforcement action against individuals would not be reversed.  I have not come across evidence to support this claim but here are two arguments to consider:  
  • A stronger deterrent effect is provided by the overall size of the fines, which tend to be larger for firms, than by personal accountability.
  • Enforcement cases related to individuals tend to reveal individuals’ determination to breach the rules rather than weaknesses in risk management.  There may be a more limited scope for improvement in risk management while providing an effective service to customers.

I would be interested in your thoughts about the likely impact of the FCA revised penalty framework and the decline in enforcement cases against individuals.



Wednesday, 10 September 2014

Business Model Analysis Coming of Age?


I wrote a few months ago (here) that one of the common areas of prudential and conduct supervision is the focus on understanding business models.  The Prudential Regulation Authority (PRA) published an interesting paper about the application of business model analysis to developments in the insurance sector (here).

However, it still felt that business model analysis remained something confined to policy and supervisory circles.  I was therefore pleasantly surprised to read about it in a quick Q&A session with Sir Win Bischoff in The Times (Saturday, 6 September).  In response to a question about his views on leadership, he said, “establish the business model, set the strategy and then let management get on with it.”

Given Sir Win Bischoff's role as a former chairman of several major banks, there are a number of messages in this answer: 

1.  confirmation of boards' interest in oversight of the business model, meaning it is not just a supervisory issue; and   

2.  a pecking order with the business model setting the wider parameters for the strategy.

With hindsight, it is possible to see that what may have seemed changes to business strategy were really changes to the business model.  Seeking to separate decisions about business model and strategy would go some way to supporting an enhanced oversight of risk taking.  How would risk functions rise to this challenge?     

If you work in financial services, I would be keen to hear your thoughts about business model and risk management.  If you don’t, I would be keen to know if these lessons resonate with your experience. 

You can subscribe to future posts here and receive them by email about once a week.   

Thursday, 4 September 2014

Guest Post: the Objective of Risk Management – a CRO View


One of the lessons from my post on the objective of risk management was that there are different perspectives on this subject.  I asked a number of leading industry experts to share their perspective on the objective of risk management.

I am delighted that James Tufts, Group Chief Risk Officer at Guardian Financial Services has agreed to share his thoughts.  I will continue sharing perspectives from leading industry experts in the next few weeks.

****************************

The objective of risk management
James Tufts, Group Chief Risk Officer, Guardian Financial Services

Risk management is fundamental to what an insurance company does and the core of its business purpose.  Insurers take on risk and through a variety of different techniques and tools, they manage those risks such that they can charge an appropriate premium to customers, service those customers, meet regulatory requirements and produce an acceptable return on capital for the owners – this is the embodiment of risk management.

Risk management is therefore fundamental to all the activities in the business and the Enterprise Risk Management (ERM) framework is the core model for how the business operates.

Perhaps surprisingly, the objective of the “Risk Function” should not be “risk management”.  That’s a business objective.  The objective of the “Risk Function” is to provide the ERM framework and the source of challenge and oversight on all aspects of the business model, relative to this framework.  It is only when this distinction is fully understood and internalised in a company that risk management adds value.

****************************

If you work in financial services, I would be keen to hear your thoughts about this perspective on the objective of risk management.  If you don’t, I would be keen to know if this resonates with your experience. 


Thursday, 10 July 2014

Enforcement Lessons: 5 Lessons from a Fine Chance*


The UK Financial Conduct Authority (FCA) recently published the details (here) of an enforcement case involving Credit Suisse International (CSI) and Yorkshire Building Society (YBS).  They were fined £2m and £1.4m respectively for failing to meet the requirement that financial promotions are ‘clear, fair and not misleading’.

Not much new so far, but the circumstances of the case indicate how financial services are evolving and the challenges for risk management.

The case involves a structured product providing capital protection, a guaranteed minimum return and the potential for achieving a higher return under certain conditions related to the performance of the FTSE100 index.  CSI manufactured the product and YBS distributed (most of) it.  The product raised nearly £800m and reached 84 thousand customers.

At the heart of this case there is a concern that product complexity can reach a level such that it is difficult to ensure that disclosures to retail customers are clear, fair and not misleading.  For example, the FCA was concerned that the disclosures suggested that this was a simple index tracker – it wasn’t.  This can distort customers’ ability to infer the likelihood of a maximum return. 

In addition, there are five interesting points to take away from this case:

1.    Distribution arrangements give rise to significant conduct risk, even if no financial advice is provided.    

2.    The chances of relevant events need to be taken into account in financial promotions.  A ‘maximum return’ that can be achieved with nearly zero probability based on past history is not really a ‘maximum return’!

3.    Third party consumer advocates can have an impact.  The UK Consumers Association (‘Which?’) approached YBS and CSI in September 2010 with concerns about financial promotions and the chance of achieving the maximum return advertised.  This resulted in limited changes to disclosures: more emphasis on the conditions required to achieve the maximum return and less emphasis on the presentation of the maximum return.

4.    The target consumer group has practical importance.  The disclosures will be crucial to ensure appropriate consumer outcomes if you are targeting ‘stepping stone customers’, ‘typically conservative, risk averse customers’, with a structured product and don’t offer advice.

5.    Slow reaction to regulatory developments persists.   The relevant period when the breach took place stretches to 30 months from November 2009 to June 2012.  The earlier intervention by ‘Which?’ and concerns raised by the FCA had limited effect. 

It is interesting to see all these different factors coming together in a case.  This may be one of the few occasions (if not the first) where a fine results because financial promotions did not take into account the chances of the underlying events. 

If you work in financial services, I would be keen to hear your thoughts about these lessons for the management of conduct risk.  If you don’t, I would be keen to know if these lessons resonate with your experience. 

* Thanks to my colleagues for suggesting a title.

If you found this interesting, you can subscribe to future posts at http://crescendo-erm.blogspot.co.uk and receive them by email - no more than once a week.  You will need to provide an email address and then confirm the subscription.  Your email address will not be shared.  Alternatively, if we share a group in “LinkedIn” you can choose "follow" Isaac Alfon.