More on the ‘C-factor’ in Regulation: Business Model Analysis

Business model analysis (BMA) is one of those terms that are becoming common currency in regulatory discussions, hence the reference to a ‘c-factor’ or common factor in an earlier post (here).  

The PRA published a useful article in the Bank of England March Quarterly Bulletin setting out how they intend to apply BMA to insurance.  It suggests that there are two aspects to a BMA.

Firstly, there is a company dimension, which is obviously not spelt out in great detail for the obvious confidentiality reasons.  In general terms, this would recognise that:

• there is an ‘inverse production function’ in insurance – the fact that insurers collect premium before the service has been delivered and can earn an investment return until claims are paid; and
• insurers must price the product without full knowledge of production costs – hence the ‘experience analysis’ of reserves.

Secondly, there is a market dimension, which recognises that a business model is not static and will respond to changes in regulation, culture, society and technology.  This is evidenced in the article by reference to two developments:

• price comparison web-sites in the UK motor industry; and
• non-standard annuities.

Overall, the PRA sets out a helpful and clear vision about BMA:

‘The PRA’s capital requirements help to make insurers resilient against short-term shocks.  But to be confident that insurers will remain viable over the longer term, the PRA needs to know whether an insurer’s profits are sustainable.  In other words, the PRA will need to analyse the risks of an insurer’s particular business model.’

I found quite remarkable and refreshing to see this level of clarity from supervisors. 

The recent UK budget announcement about removing the requirement for compulsory annuitisation will provide wide ground to test the practice of BMA from a regulatory perspective and, probably, from a company perspective as well.

If you found this post interesting, you can subscribe to future posts at http://crescendo-erm.blogspot.co.uk and receive them by email; you will need to provide an email address and then confirm the subscription; your email address will not be shared.  Alternatively, you can choose "follow" Isaac Alfon in the relevant LinkedIn group.

Risk and Compliance Management: Horizons for 2014/15

The UK’s FCA published recently its Risk Outlook and its Business Plan for 2014/15.  They provide a useful indication of the breadth of the regulatory challenges and evidence of a top-down approach to address them. 

The structure of the Risk Outlook is similar to last year’s.  The inherent risk factors such as information asymmetries, do not change overnight unlike the economic and market environment.  The main aspects of the changing market environment that caught my attention were:

1.    the continuing household indebtedness reflecting the growth of unsecured lending, mainly credit card, and forecast increasing household leverage (Figures 6, 18 and 19 of the paper);

2.     lenders’ forbearance in the mortgage market, supported by low interest rates; and the FCA concerns about the cost to consumers (fees and accrued interest);

3.     the stable and risky profile of mortgage lending; about 40% of mortgages have high-risk features – LTV in excess of 90%, loan to income ratios in excess of 3.5 and terms in excess of 25 years (Figure 22);   

4.     the differential impact of increasing interest rates (mortgage customers, those accumulating wealth and near retirement and those considering an annuity purchase).

The FCA then translates these observations into statement about risks.  Again, the ones that caught my attention were:

1.     the challenge of making ‘appropriate’ profits; for example, making profits from non-core activities could undermine fair treatment of consumers or financial crime responsibilities; for insurers, this could manifest itself in the response to the Retail Distribution Review and moves to direct sales;

2.     the implications of short term cost-cutting strategies materialise as demand starts to grow and could result in poor management of firms’ back book;

3.     the adoption of technology may not be supported by adequate systems and controls or expertise; this could manifest itself on insufficient spending on existing technology or the use of big data without appropriate controls;

4.     plans to mitigate the risk of failures do not give adequate consideration to conduct implications such as in respect of the changes to terms and conditions in stress conditions.

The Business Plan then identifies priorities for the key sectors.  For life insurance, the priorities appear to be:

1.       suitability of products and services sold;

2.       fair treatment of the back book;

3.       the governance of with-profits funds.  

Interestingly, the FCA business plan also reflects new responsibilities which include supervising 50,000 firms in respect of consumer credit, enforcing competition law, implementing changes to the approved persons regime and the establishing a new payment systems regulator.   

All in all, it’s going to be a busy 2014/15 for everyone.

If you found this post interesting, you can subscribe to future posts at http://crescendo-erm.blogspot.co.uk and receive them by email.  You will need to provide an email address and then confirm the subscription.  Your email address will not be shared.

Risk Management Lessons: Reacting to a Regulatory Breach

My last post covered the breach by the Yorkshire BS (YBS) of the FCA mortgage rules related to the calculation of arrears charges. The FCA's announced this breach in February 2014 together with a brief outline of the lender’s reaction and the FCA decision not to take enforcement action. 

As a result, the FCA did not have to publish a detailed outline of the circumstances of the case.  It was therefore difficult to develop a practical sense of the steps that the YBS may have taken to mitigate the risk of FCA enforcement after the breach was discovered.  I thought there might be a similar enforcement case of ‘back-office’ related activities which enabled an inference of what actions may mitigate the risk of enforcement action when errors are discovered. 

I found a similar case from September 2013 regarding Clydesdale Bank (CB; enforcement notice is here).  The details of the CB breach itself are relatively simple: an unintentional error in the bank's IT system in 2005 meant that mortgage payments were incorrectly calculated when there was a change in interest rates.  This was discovered in April 2009.  The outcome of the case was a fine of £8.9m and the write-off of the amounts not charged to customers (about £22m). 

There are five main lessons for regulated entities about how to mitigate the risk of enforcement action in these circumstances. 

1.  The starting point for the "relevant period" of the breach that the FCA refers to as the basis for enforcement action is the point when the CB discovers the error (April 2009) and management has the possibility of taking remedial action. 

2.   Timely reaction to correct the error after it has been discovered and alert customers who may be relying on the firm’s communication while the issue is fully addressed.   CB took six month to fix the IT error.  There were no interim measures taken in respect of any new mortgages sold between April and September.

3.  A regulatory expectation that recovering a mortgage underpayment should not be targeted where the underpayment arises from an administrative error and the lender is fully to blame.  CB initially aimed to avoid this and recover up to £22m.  The YBS offered a generalised redress to customers.  

4.   The need to actively consider the Ombudsman precedents and guidance, where available and relevant.  This was available in the case of CB.  Further, the materiality of the expected shortfall from not recovering the underpayments has limited relevance from a regulatory perspective.

5.  Fair and clear customer communications about the issue and the potential customer outcomes. Where a phone discussion is required to assess a customer’s position, staff are briefed appropriately to proactively gather relevant data.  In the FCA’s view, this did not apply in the CB case.  The YBS avoided much of this by offering a generalised redress to customers.

And finally a puzzle.  Enforcement notices tend to outline how the issue was discovered.  This can be an aggravating factor where it is discovered by the regulator as in the case of the YBS.  Alternatively, where the firm discovers the breach, it represents a mitigating factor.  In the case of the CB, I could not find any reference to how the issue was discovered.  I am not inclined to view this as an oversight.  At the same time, I don’t really understand this outcome: either party would want to take credit for discovering the issue. 

I would be interested to hear your thoughts.

If you found this post interesting, you can subscribe to future posts at http://crescendo-erm.blogspot.co.uk and receive them by email.  You will need to provide an email address and then confirm the subscription.  Your email address will not be shared.

Continuing 'Music' Lessons from FCA Enforcement – Even When There Isn’t

I continue my review of FCA enforcement cases to draw practical lessons about risk management.  See my previous posts here and here.  One example of a music note is a ‘rest’, which tells you not play your instrument.  I have come across a similar one in terms of FCA enforcement.  This is about an FCA announcement that explains a breach of FCA rules where no enforcement action in terms of a fine is mentioned.  

The case relates to charges of mortgages arrears by the Yorkshire Building Society.   The FSA handbook only allows charging cost-reflective arrears fees (MCOB 12.4R).  However, arrears is defined in the FSA glossary as missing more than two payments.    

The FCA press release (here) does not provide a lot of details about the case.  It suggests that the issue was discovered after the FCA raised concerns.  It is usually not an ideal starting point when a regulatory breach is discovered in the course of a supervisory visit.  The Yorkshire Building Society found that “some of its customers in arrears may have been charged fees incorrectly”.  So in this case, we cannot learn what the actual breach was.  Was it that the building society charged arrears too early? Were the charges “excessive”, i.e. with respect to costs?  I don’t know but we can still learn from this silence.  

The FCA press release says that the building society “will voluntary refund all administration fees for mortgage arrears since January 2009”, which means that “borrowers who were charged correctly will also receive a refund”.  The amounts involved are not trivial: £8.4m to be refunded to nearly 34 thousand customers.  Just to put this in context for the business, this represents about 5% of the societies' profits in 2013.  This would probably underestimate the total cost which will include running an operation to reach out former customers and make the refunds as agreed with the FCA.  

The FCA handbook includes a section on enforcement, which sets out the considerations that the FCA will take into account to decide whether to take action for a financial penalty or public censure.  There are two considerations for the FCA: the seriousness of the breach and the response of the regulated firm.  You read about the specific considerations in the enforcement notices as part of the decision process to set the fine.  They usually include a reference to the co-operation of the firm in the investigation of the breach.  The considerations also include “any remedial steps the person has taken in respect of the breach” and “the likelihood that the same type of breach will recur if no action is taken”.  

The lesson is rather simple.  We focus on risk management as the tools of reducing the likelihood or impact of events.  However, the unpredictable can happen and then proactive risk management is about working with the regulators to address the issue in a way that minimises legal costs and reputational costs.  Compensating customer is the ultimate form of redress.  It suggests that delivering extensive compensation (here to all customers on mortgage arrears since 2009) and, I guess, quickly can have an effect.  

The FCA has shown that it is willing to read the Handbook in the round and not take enforcement action when, in its judgement, it’s in consumers' interest.  

Solvency 2 Training

Solvency 2 implementation is approaching fast.  I am running a training course in early April organised by Euromoney.   Over three days, I will provide a solid overview of Solvency 2.

Further details about the course, including an overview and dates, can be found here.

More ‘Music’ Lessons from FCA Enforcement

I mentioned in my previous post (here) about the contrast between the inability to learn music from the noise that a grand piano would make if dropped down a staircase and the ability to learn lessons about risk management from FCA enforcement actions.   On this occasion, I am reviewing the FCA enforcement notice against ‘JLT Speciality Limited’ (JTLSL) from December 2013 (here – all references are to this document).  

JTLSL provides insurance broking, risk management and claims management.   The enforcement case concerns failures of its anti-bribery and corruption arrangements.  This is a specialised area of the FCA Handbook.  However, the lessons are quite wide and applicable to other areas of financial regulation.

The ‘relevant period’ of the breach appears relatively long: from Feb 2009 to May 2012.   The resulting fine was £1.9m. 

Interestingly, while the FCA has been emphasis outcomes as a driver of regulatory intervention (‘The FCA approach to advancing its objectives’, July 2013), in this case the FCA seems less keen on it.  The FCA acknowledges that there is no evidence that the company had permitted any illicit payment or inducement to any overseas introducer.   

As it is usually the case, there were policies and other high-level statements setting out the company’s expectations in terms of how the risk of bribery and corruption should be managed.  At different times, it appears that the shortcomings were related to the:   

(a)   lack of practical requirements to enable the appropriate activities to take place; this includes the lack of requirement on employees to take steps to establish whether the introducer was connected to the client (para 4.22); and the lack of ‘any’ guidance to enable employees to operate the high-level anti-bribery and corruption procedures in place (paras 4.11 and 4.12);

(b)    failure to follow the company policy requirements;  the FCA refers to the failure to gather the required information to assess the risk (para 4.36) and to follow up the actions required in the policy, typically, an enhanced sign-off if certain conditions were evidenced (paras 4.37 and 4.38).

These are important lessons to anyone working in the implementation of regulatory requirements.  

A slightly different, and equally interesting, remark in the enforcement notice is about the challenges of gap analyses, in particular where FCA rules and legislation (Bribery Act, 2010) cover the same area.  Typically, financial services regulators impose more onerous and comprehensive requirements than general legislation so the choice of benchmark is vital.  This means that the extent to which gaps may be identified and the reassurance provided by a gap analysis would depend heavily on the benchmark selected. 

I mentioned earlier that this enforcement case relates to a period of over 36 months. During this time supervisors visited the company three times to assess systems and controls in relation to bribery and corruption.  JTLSL also accepted a voluntary variation of permission such that it ‘was unable to enter into a new relationship with third parties without prior approval from an independent skilled person’.  

Not surprisingly, the FCA recognises the costs incurred by JTLSL, in terms of financial costs, opportunity costs and management time. 

I am therefore left with a simple question: why wasn’t this fixed in a timely manner to avoid enforcement action?  I don’t really know.  I have read and discussed the importance of the ‘tone from the top’ on regulatory issues which sets out priorities for employees.  I wonder if this could have been a factor.  

The Piano, FCA Enforcement and Lloyds TSB, Halifax and Bank of Scotland

I heard once that you can’t learn music from the noise that a grand-piano makes when you drop it down a staircase.  Alas, we should be able to learn something about risk management from the FCA’s enforcement notices.  That’s one of my ambitions for 2014. 

I am starting with the FCA’s enforcement action on Lloyds TSB, Halifax and Bank of Scotland announced on 10^th December 2013 (here – all references are from this document).  The case relates to the lack of appropriate controls around financial incentives to advisers in branches.   

The FCA clarifies at the outset that there is nothing in the rules against “[incentivising] staff to sell a particular product” provided that a firm’s “systems and controls are sufficiently robust and sophisticated to mitigate effectively the risk of any adverse impact the incentives may have on staff behaviour”.

It is therefore not entirely surprising that the FCA articulates in detail the specific features of the remuneration system that added to the risk of consumer detriment, including

1.       variable basic salaries;
2.       bonus thresholds disproportionate effects for marginal sales;

3.       uncapped bonuses; and
4.       advanced bonus payments that could result in advisers being in debt. 

The FCA makes an interesting comment about the sophistication of the performance reward and the concern that senior management did not appreciate the potential consequences.  “The root cause of these deficiencies was the collective failure of the Firms’ senior management to identify sufficiently remuneration and incentives given to advisers as a key area of risks.” 

I was puzzled as to why this could happen.  Here are my own explanation from reading the details of the case.

1.     The complexity of the system makes it challenging understanding the incentive properties.  It seems that the system involved: (a) translating premium and product features into “points” (see example in page 15); (b) checking against target “points” monthly and on a rolling three months basis; and (c) translating points into pounds.  Inferring the incentive properties and potential product bias would not have been straightforward for busy executives. 

2.      A possible misunderstanding of the incentive properties of headline bonuses.  In some cases, the incentives could be small in absolute terms, e.g. £5,000 over a year if monthly targets were consistently met.  However, I wonder if there was an appreciation of the impact on behaviour for someone on a £33k salary (mid-tier adviser, para 4.29)  Indeed, the FCA says that the relevant governance committee “only considered the [remuneration] schemes at a high level” (para 4.104(1)).

Given that, it is not surprising that these performance incentives were not backed by appropriate controls.  In particular, it is not surprising that quality controls such as file reviews focused on sales that were regarded as ‘high risk’ by reference to customer rather than the adviser profile or track record. 

There are also two interesting comments in the enforcement notice about controls. 

1.       The main failure was not the absence of controls but the lack of appropriate linkages between relevant controls.  In particular, while there were certain quality assessments of sales, advisers could receive their bonuses even if issues had been identified.

2.       “The large number of people involved in the process [of governance over the incentive schemes] and the fragmented nature of the controls.” 

This is a good illustration of the observation that the main challenge of risk management is to apply the appropriate “top down” vision and strategy.  In its absence plenty of activity and resources, leading to potential complexity, will take place as evidenced here but with limited effectiveness.  In this case, the fine was £28m which excludes remediation costs, compensation and management time.

Risk Culture in Financial Services

One of the many issues that seems to puzzle some academic researchers seems to be the multiplicity of risk management approaches and, by implication, risk cultures.  One implication is to urge caution about codifying risk management.  The hope is that over time experience will accumulate, which will help us understand the need for this variation (here). 

I recently came across an interesting research report from Michael Power, Simon Ashby and Tommaso Palermo (here).  It seeks to explain this variation based on some field work covering UK banks and insurance.  

The report doesn’t look at risk culture by identifying instincts, attitudes, habits, and behaviour.  Rather it focuses on a number of observable building blocks that are associated with the design of risk management structures and identifies the underlying trade-offs, which I have summarised in the table below.

Building block	Trade-off
Design of oversight structures	Business partner and independent advisor
Enhance the organisational structure of risk management	Informal network and formal processes
The real organisational life of risk appetite in the form of limits and tolerance	Risk and control
The openness of organisations to outsiders in progressing change	Internal change and the use of advisors
The extent of the footprint of the regulator on organisation processes	Own risk and regulatory culture
Choices in designing leverage over behaviour	Ethics and incentives

I found the section on risk appetite particularly interesting and, in particular, the articulation of the trade-off between risk and control.  The difference between the focus on the choices within the risk appetite limits and the focus on the enforcement of the limits.

The report considers the above building blocks in the context of the three lines of defence governance models.  The trade-offs also suggest that any current model would be built on tensions and that the lines of defence would be likely to be less than ‘straight’ lines.  

The report has helped me make sense of my own observations.  I am sure it will help you too.

Conduct Risk Regulation: the Global Dimension

I wrote a post not so long ago about conduct risk in the UK (here).  In the course of producing that work, I discovered an emerging global dimension to conduct risk and I have been looking into it.  There seems to be three strands to this:

1.  Work on financial consumer protection focusing on credit and coordination with other international bodies by the Financial Stability Board (here).

2.  Principles for financial consumer protection led by the OECD.    The OECD has developed 10 principles of consumer protection (here).  I have summarised them below.  They summarise neatly the extent of the challenge.  The OECD continues its work.  It has issued a draft paper (here) setting out more detail on some of the principles.  

3. Work on financial education through International Network on Financial Education (INFE) coordinated by the OECD.   There is an interesting set of principles developed by the OECD (here) and a web-site listing financial literacy programmes and related research (here). 

I find this interesting for a number of reasons. 

1.  If you believe that regulation can be improved by pooling knowledge and expertise, then there is something valuable here.  Given the domestic nature of retail financial markets, this is going to be an interesting experiment of supervisory design where the challenge will be to articulate workable approaches that can be tailored to national conditions rather than prescriptive solutions.

2.  While financial consumer protection is a good case of a market failure, in the genuine economic sense, not every policy intervention would necessarily pass a cost-benefit test.  If there was scope for an 11^th principle it would be assessing the costs and benefits of policy initiatives.  Interestingly, the principles on national strategies for financial education include impact assessment. 

3.  The explicit recognition in the OECD principles that effective competition in the relevant markets can deliver appropriate outcomes for consumers. 

4.  While the above points together with the underlying market failure add up to a reasonable case for this activity, it is interesting that policy-makers interest on this issue stems from the financial crisis – a feature of G20 summits since 2010.   

The G20 interest together with the OECD endorsement of the principles should give these initiatives momentum.  It would be interesting to see what are the national impacts of these initiatives.   

=================

OECD 10 principles for financial consumer protection

1. Financial consumer protection should be an integral part of the legal, regulatory and supervisory framework. 

2.  There should be oversight bodies explicitly responsible for financial consumer protection with the necessary authority to fulfil their mandates. 

3.  All financial consumers should be treated equitably, honestly and fairly at all stages of their relationship with financial service providers. 

4.  Consumers should be provided with key information about the fundamental benefits, risks and terms of the product, including conflicts of interest where an agent is also involved in the sale.  

5. Financial education and awareness should be promoted by all relevant stakeholders and clear information on consumer protection should be accessible. 

6.  Financial service providers and their agents should have an objective to work in the best interest of the consumer and be responsible for upholding consumer protection. 

7.  Financial service providers should put in place mechanisms to protect financial consumers’ assets from fraud, misappropriation and other misuse.

8.  Personal information should be protection through appropriate control mechanisms. 

9.  Financial consumers should have access to complaints and redress mechanisms that are affordable, independent, fair, accountable, timely and efficient. 

10. Competitive markets should be promoted to provide consumers with greater choice, create competitive pressure on providers to offer competitive products, enhance innovation and maintain service quality.

Supervisory Stress and Scenario Tests: Does It Lead to Business Benefits?

I read a good question about stress and scenario tests: whether they are just a regulatory requirement or whether they are also a useful business tool.      

It is certainly a regulatory requirement in many jurisdictions, including the UK.  In my view, the supervisory application of stress testing is really re-writing regulatory requirements by formalising a new minimum level of capital which allows a bank to meet its minimum capital requirement after experiencing stress conditions.  I have written about this more extensively in my blog (here) following the publication of a paper on this subject by the Bank of England.  

If stress testing is a regulatory requirement, the next question is how it can be done so that the activity adds value to the business.  When I think about this, two aspects come to mind.  

Firstly, there is something about 'how' stress tests are done to add value to the business.  In this sense, there is something to take from the Bank of England paper.  The paper mentions examples of shortcomings that the UK supervisor has identified in banks' practices of stress testing, including the lack of Board engagement.  See my previous posting (link above) for a full list.  Interestingly, most of the shortcomings are related to governance.  It follows then that it is unlikely that banks will wish to derive value for their business if the governance has not been appropriate.

Secondly, there is something about 'what' is the source of business value.  Is the source of value the knowledge of the actual stresses?  Knowing the actual stresses prompts a question along the lines of 'so what'.  I believe fleshing out the answer to this question and identifying the management actions, planning them and seeking board approval would be the real value to the business.  Not surprisingly the paper from the Bank of England also stresses this aspect.  In a trading environment, the action could be adjusting appropriately the portfolio.  In a banking environment, this would need to be identified below the institutional level and may not be straightforward to identify.  

My view is that there may be an aspect of a 'catch 22' here.  If there is limited appreciation of the business value of stress testing then there will be limited incentives to improve the governance of stress testing to rely on them from a business perspective.  Supervisory intervention might then challenge this situation and as a by-product generate genuine business benefits.