Securitisations and Solvency II: An opportunity? Or one to be missed?

To put it mildly, securitisations did not a get a good reputation as a result of the financial crisis.  Things are now changing.   This is illustrated well in a discussion paper from the Bank of England and the European Central Bank extolling the virtues of securitisations (here).    It is difficult to disagree with the key message; securitisations can be a win-win transactions that enhances the ability to redistribute risks more efficiently in the economy while enabling institutional investors to access a wider pool of investment.  

The Solvency II Delegated Acts (‘implementing measures’) built up a more favourable capital treatment for securitisations.  It is now recognised as a category of its own for the purposes of spread risk.  This evolution can be evidenced in the Commission’s Impact Analysis published at the time of the publication draft Delegated Acts (here).  As recognised in the Delegated Acts, this even includes recognising the name ‘securitisation’ instead of the name used in the Solvency II Directive in 2009: ‘investment in tradable securities or other financial instruments based on repackaged loans’.

As one would expect, the calibration of the standard formula spread risk for securitisation reflects the maturity of the exposure and its credit rating.  However, there is an interesting innovation.  The Delegated Acts identify two types of securitisation exposures: ‘good’ and ‘bad’, or in policy terms, type 1 and type 2.  The criteria are set out in the Delegated Acts and are quite detailed.  

Exposures of type 1 must meet 20 conditions including a rating of ‘BBB’ or above, the seniority of the exposure in the securitisation, SPV arrangements, listing in an OECD or EU exchange, and backing by residential loans, commercial loans or auto loans and leases.   The list of conditions is somewhat shorter for securitisations that were issued before the Delegated Acts came into force. Type 2 securitisations are simply those not meeting these criteria.  

Figure 1 shows the significant difference that meeting the conditions for type 1 makes to the capital charges.  It is a noticeably a more important consideration than the rating or maturity of the exposure.  

Figure 2 shows an alternative view of the spread risk capital requirements for type 1 securitisations compared against the equivalent ones for corporate bonds of equivalent ratings.   The differences aren’t that large in particular for short maturities.

All this raises a number of interesting considerations for an insurer’s capital management strategy. 

Firstly, there may be tactical adjustments where insurers find that they are holding type 2 securitisation paper as part of the Solvency II implementation work.  In this case, the insurers may seek to dispose of these investments before 1 Jan 2016 to avoid the capital increases that Figure 1 suggests.  However, given insurers’ relatively small holdings of securitisations, this may not be a material issue.

The bigger issue is the extent to which there is an appetite to consider the capital treatment of type 1 securitisation as a more strategic opportunity and readjust investment strategies.  Indeed, would it be possible to do so before 1 Jan 2016 to enhance the matching of cash flows of annuity liabilities and subject to Matching Adjustment? 

In any event, Figure 2 above suggests that there may be an interesting question about the risk and return trade-off of corporate bonds versus type 1 securitisations.  Would the returns from securitisations be sufficiently higher to justify the additional capital requirements?  Figure 2 suggests that for low maturities, e.g. up to 7 to 10 years, this could be finely balanced in particular for ‘BBB’ bonds.  If so, would insurers be willing to tilt their investment strategies to include more type 1 securitisation?  The answer to this question requires appropriate consideration, cash-flow matching including risk appetite, stress testing and governance.   

However, even if the risk and return trade-off mentioned above appears appropriate, it seems that there may be a limited supply of type 1 securitisations.  If so, there would be a limited opportunity for insurers in the short to medium term.  This would be more of an opportunity for investment banks to structure securitisation transactions.

This post is part of a series of posts on Solvency II.  To see the list, click here. 

If you found this post useful, you may want to subscribe and receive further posts by email – see box on the right hand side of the screen or click here.  My target is to post on a weekly basis so I will not be flooding your inbox. 

Reverse Stress Testing (RST): The Return of ‘Adequacy’

RST is one of the additional challenges that financial regulators have added following the financial crisis.  I spoke today on the subject at an event organised by the Institute of Risk Management. 

The effective implementation of RST builds on the articulation of the underlying business model.  This is something that UK supervisors have put on the agenda recently to signal a more holistic approach to supervision.  I have written a number of posts on the subject which you can access here.   

There are a number of challenges to deliver a RST.  The return of ‘adequacy’ might seem an odd title for my presentation.  It seeks to convey a simple message about the main challenge of RST: the assessment and judgement about the resilience of the business model.  It’s a ‘return’ because the term ‘adequacy’ used to be more prominent.  You may remember the Capital Adequacy Directive before it became the Capital Requirement Directive.  Anyway, the graph below seeks to illustrate the challenge of adequacy, which also serves to bring on a page the various stress and scenario tests that banks and insurers are considering on a regular basis. 

The key message from the graph is that if business failure scenarios are ‘close’ to the 1-in-200 scenarios, the adequacy of the business model and the strategy could be challenged.  Management may need to consider how to mitigate the risks to the business model. 

The full set of slides is available here.

If you found this post useful, you may want to subscribe and receive further posts by email – see box on the right hand side of the screen or click here.  My target is to post on a weekly basis so I will not be flooding your inbox.  

Creating Your Own Risk Wave

During a recent family vacation, I had the opportunity to watch something unusual in the Mediterranean Sea.  The sea was rough and I saw people surfing at a beach where one usually sees children paddling.  There were about twenty surfers in the sea waiting for a wave.  When a wave came, a few would successfully ride it.  Then they had to paddle back to the ‘line’ and wait for the next wave.

It reminded me of blogging (in general, not just this one).  You start by identifying a number of ideas, like the surfer’s positioning to wait for a wave.  You develop one of them into a post and publish it.  You then need to start all over again, like the surfers paddling back out to sea after they have caught a wave.  As with surfing (I guess) that’s the fun of it.

But it also reminded me of risk management: you implement an enterprise risk management (ERM) system, then wait for the events (or the wave) which will come sooner or later and learn about the effectiveness of ERM implementation. 

It occurred to me that the differences between surfing and risk managements are more revealing.  Firstly, surfers look for the best opportunity to ride a wave.  Risk management, on the other hand, usually aims to protect a business franchise rather than embrace risk taking. But see this post for an alternative view.

Secondly, the existence of a back book in banking and insurance means that there is not an obvious notion of going back to the beginning as there is in surfing and paddling back out to sea.  

Finally, building up a banking or insurance back book, or acquiring one, involves more choice than a surfer has in choosing a wave.  Indeed, it may be the equivalent of creating your own wave.  In some cases, it would be a wave of longevity risks.  In other cases, it would be a wave of ‘interest rate risk mismatch’. 

So next time you happen to see a surfer, think like one of them and consider how risk management can help your business thrive.  But also remember that if surfers have dreams, they probably dream of creating their own wave.

If you found this post useful, you may want to subscribe and receive future posts by email (here). There will not be many of them.

Risk Is Exciting

You hear people say that risk management and regulation are not exciting topics.

However the 30,000 pageviews on this blog since Nov 2014 suggest that risk management and regulation are more interesting than it seems.  Your comments have also been very useful and instructive.  Please keep them coming.

Thank you all!    

Losses Are Not Failures of Risk Management

Well, not necessarily.  But we need to remind ourselves and our stakeholders that that’s really the point.  Losses will happen with certain regularity.  This is the message of a system of a risk appetite system where the limits are calibrated to a 1-in-10 chance over a one-year horizon.   Whether the implications are really appreciated is a different point. 

A paper by Rene Stulz (here) is a good reminder that losses may not represent a failure of risk management.  This is particularly the case where “managers [know] exactly the risks they faced―and they decided to take them.  Therefore there is no sense in which risk management failed”.  He goes on further to say that “deciding whether to take a known risk is not a decision for risk managers.  The decision depends on the risk appetite of an institution.” 

This is consistent with the practitioner’s view as expressed by James Tufts, Group CRO of Guardian Financial Services, expressed in a guest post in this blog: “[T]he objective of the ‘Risk Function’ should not be ‘risk management’.  That’s a business objective.  The objective of the ‘Risk Function’ is to provide the ERM [Enterprise Risk Management] framework and the source of challenge and oversight on all aspects of the business model, relative to this framework.”

There may be risk management failures nevertheless and Stulz’s paper goes on to provide a useful classification:

1. Mismeasurement of known risks  
2. Failure to take risks into account 
3. Failure in communicating the risks to top management 
4. Failure in monitoring risks 
5. Failure in managing risks 
6. Failure to use appropriate risk metrics

I find these categories rather intuitive and I wonder how they can be used in practice.  There is an increasing regulatory expectation of formal assessment of the effectiveness of risk management and these categories could usefully feed into that process in two complementary ways. 

Firstly, banks and insurers track a range of risk events/incidents.  It would be useful to consider if reported incidents fall into any of the above categories.  Alternatively they may be consistent with risk appetite.

Secondly, insurers and banks using an internal model are expected to use it to support a profit and loss attribution.  This means explaining actual profits and losses by reference to the output of the internal model and the risk categories considered.  It would be interesting to consider if the losses arise from changes in values consistent with risk appetite or any of the reasons set out above. 

The above might seem a simple idea but learning from failures, or risk management failures in this case, is usually anything but a simple idea.

If you found this post useful, you may want to subscribe and receive future posts by email (here). There will not be many of them.

Stress Testing: Reporting or ‘So What’?

The Bank of England (BoE) recently published the results of the first concurrent stress testing of UK banks (click here for a post about the implications of this exercise).  Stress testing is not only relevant to banks; EIOPA also initiated a similar process and carried out an exercise in 2014, which I will cover in a future post.   

Much has been written about the results for individual banks.  I would like to share some observations about an aspect of stress testing with wider implications: the consideration of ‘so what’ that may take place when the stress materialises. 

In the BoE stress testing, banks had to spell out the management actions they envisaged taking.  These actions were subject to scrutiny by the Bank of England and ‘a high threshold was set for accepting’ them. 

There is little detail about the specific management actions that were accepted.  Broadly speaking, they appear to be mainly reduction in costs and dividend.  Furthermore, the BoE clarified that they did not accept management actions that resulted in a unilateral reduction in credit supply in the stress scenario.  This approach meant that management actions had limited impacts, specifically no impact for two banks and, for the other six banks, an average improvement (i.e. an increase in common equity Tier 1 [CET1] after the stress) of 9%.  

In an earlier post (here), I suggested the consideration of ‘so what’, including the ability to carry out actions that mitigate the impact of the stress as one of the potential benefits of stress testing.  How should we reconcile this with the limited scope of management actions recognised in this exercise?

A useful starting point would be to make a clear distinction between stress testing undertaken for different purposes and audiences.  This is summarised in the table below:

	‘Internal’	‘External’ / BoE
Purpose	Identifying vulnerabilities and addressing them	Evidencing overall resilience
Focus	Lines of business/ business units	Enterprise wide

Given the BoE’s intention to continue stress testing and make them an integral part of the supervisory landscape, the question would be how to integrate these two different perspectives of stress testing. 

Ideally, a bank would start an internal review of stress vulnerabilities at the business unit level as soon as the submission to the BoE is delivered.  This would enable the bank to identify and put in place the appropriate risk mitigation.  For example, the bank may choose to adjust its credit risk mitigation by transferring loans or hedging credit before the next BoE stress testing.  Given the focus on addressing vulnerabilities, which could require board approval, it would make sense to review stress vulnerabilities of specific business units/lines of business on a staggered basis. 

Adopting this approach over time would deliver a virtuous cycle of identification of stress vulnerabilities and enhanced risk mitigation which would be reflected in the next stress testing for the BoE.

In conclusion, while the BoE may have adopted ‘a high threshold’ for accepting management actions, banks can still build in a process to identify and implement these management actions and evidence how they address vulnerabilities in key business units and product lines.

You can subscribe to future posts here.

The European Commission’s Impact Assessment of Solvency II: Some Useful Points

The European Commission recently published a draft of the Solvency II ‘implementing measures’.  The ‘implementing measures’ expand on the requirements set out in the Solvency II directive.  Alongside the ‘implementing measures’, the European Commission also published a draft impact assessment.  This is one the many procedural requirements that apply to the policy-making process in the Commission. 

I thought it would be interesting to review the impact assessment.  As a user, I want to consider the extent to which the impact assessment can help me to understand Solvency II. 

What did I learn from this exercise?

1.    The importance of objectives in the EU policy-making process

The impact analysis is structured around a definition of problems that the policy making will address.  During the discussions about the directive, these objectives were enhancing policyholders’ protection and the integration of insurance markets in the EU. 

The Commission’s impact analysis acknowledges that there is now a third objective that has been taken into account: fostering growth and recovery in Europe by promoting long-term investment.  In the case of insurance, the main challenges that arise relate to the low interest rate environment and the volatility of asset prices. 

2.    A useful summary of how the calibration of asset risk has evolved

The third objective mentioned above has shaped the structure and calibration of capital requirements for assets risk which has evolved over a number of years.  However, it is not easy to see in a succinct way the end product where the answer is set out over a number of articles in the implementing measures.  Surprisingly, this can be summarised in a simple table (below).

3.    The scope of impact analysis remains a tricky issue

The Commission seems to have overcome the challenge of undertaking an impact analysis that seeks to cover the impact of all rules.  The Commission states,

“The options assessed have been selected to cover the most important and representative issues from each of the three pillars of Solvency II and each of the areas of the objectives and problem trees. The areas that are merely technical, have been settled in the Directive or are uncontroversial are not assessed in detail …”

This is reasonable and can result in a more productive use of scarce analytical resources but it can also have unintended consequences.  As far as I can see, the impact analysis did not cover the treatment of long-term guarantees.  I am frankly not sure if this is because it was settled in the Directive or because it turned out to be uncontroversial.

4.    The relative priorities of the Commission: the importance of reducing over-reliance on ratings

The concern about over-reliance on ratings is not new if you have been following the development of Solvency II.  However, given the breadth of Solvency II and the focused impact assessment, I found it surprising that the Commission went out of its way to include a full two-page annex summarising the requirements aimed at reducing reliance on external ratings in the risk management of insurance “such as

          ▪ external ratings shall not prevail in risk management;

          ▪ as part of their investment risk management policy, insurers and 
          reinsurers should have their own assessment of all counterparties;

          ▪ as part of their reinsurance (or other risk mitigation techniques) policy, 
          insurers and reinsurers should have their own assessment of all 
          counterparties.”

5.    And finally, a puzzle about policy making

The Commission’s impact assessment notes that one of the issues that emerged from the QIS5 was the application of a limit to the amount of Tier 2 capital (i.e. debt) that would be allowed.  This issue has remained unclear since then. 

Interestingly, if all you read is the relevant section of the impact analysis on pages 38 to 46 which also summarises EIOPA’s recommendations, you could be forgiven for thinking that the limit would not apply.  It is only the summary on pages 50 to 51 that suggested that I might need to reconsider my initial views.  Indeed, the draft implementing measures clarify that the sum of Tier 2 and Tier 3 capital must not exceed 50% of the SCR, which is an interesting development. 

This illustrates one of the key operational challenges of impact analysis: the need to keep up with the policy.

This was a selective but nonetheless in-depth reading of the impact assessment.  Have you read the impact assessment?  Did you learn any useful points from it?

You can subscribe to future posts here.

The Three Lines of Defence: An Enforcement Perspective

Much has been written about the three lines of defence model, including whether there are really three lines of defence (or any other number) and whether the concept is dead.  I personally regard the three lines of defence as a mechanism to clarify roles and responsibilities and underpin the risk management activities of different functions in financial services.

This week there was good evidence that the concept is alive and well.  The FCA issued a penalty to Aviva Investors for failure to manage the conflicts of interests between itself and clients, and between different clients (full paper here). 

From a risk management perspective, there were a couple of interesting lessons:   

1.  The increased size of compensation paid as part of the enforcement case relative to the size of the regulatory fine; in this case the fine was £17.6m and the compensation to eight funds was £132m. 

2.  The FCA has drawn an explicit parallel between failures of the three lines of defence model and Principle 3 which requires that an authorised firm “take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.”  

The articulation of the case looks at the performance of each line of defence and articulates the observed failures which provides a useful checklist.  

1. Weaknesses in the first line of defence 

• unclear split of responsibilities between first and second line of defence 
• failure to implement appropriate controls  
• lack of system to capture the relevant information 
• weaknesses in management information produced 
• culture focused on performance together with performance management that often overlooked the importance of risk and controls  

2.  Weaknesses in the second line of defence  

• inadequate compliance monitoring 
• inadequate compliance resource and capability 

3.  Weaknesses in the third line of defence  

• unclear process to accept the risk associated with control weaknesses 
• dependency on strategic change projects without adequate consideration of whether they address the findings and support the closure 
• lack of testing of the closure of audit issues

Intuitively this characterisation of systems and controls around the three lines of defence is not new; in my view, rather, it is the explicit recognition in an enforcement case that is new.

You can subscribe to future posts here.

This post is part of a series of posts on the practical lessons for risk management from enforcement cases.  The posts are all brought together in the page FCA enforcement.

Is It FCA Supervision or Enforcement?

One of the observations in my latest post about enforcement (here) was that fines can become a relatively small component of the cost of regulatory enforcement.  This observation was made in a context where, in addition to the fine, the firm had agreed to a number of specific measures which included replacing its executive management team and a comprehensive review of its governance structure. 

This week I came across an even better example of the blurring line between formal enforcement and where a firm agrees with the supervisor to a set of measures.  The Times reports that the London office of Deutsche Bank has been put on ‘enhanced supervision’ (here). 

Enhanced supervision is a new power acquired by the FCA, the use of which is articulated in a paper from June 2014 (here).  It explains that the application of enhanced supervision is not enforcement, although that may follow.  Enhanced supervision requires the firm’s Board to formally commit to remediation measures.  The paper sets out a comprehensive list of indicators of the failures that would lead to enhanced supervision:  

• “the observation of numerous or specially significant conduct failings or repeated failings that when examined individually might not be considered serious  
• “occurrence of failings in several business areas, as this is an indicator of wider cultural issues within the firm 
• “a poorly functioning Board, for example failing to challenge executives or take a lead in considering conduct  
• “evidence of control areas such as Risk, Compliance and Internal Audit being poorly managed, under-resourced or unable to make their voices heard at Board level 
• “evidence of weak risk management (we may consider the PRA’s findings in relation to prudential risk management), or 
• “evidence of other weaknesses in the way in which the Board and senior management influence key cultural factors, for example ‘tone from the top’, pay and incentives and their adherence to the organisation’s values.” 

There has been no formal statement from the FCA about this case. 

Perhaps the main point arising from this development is the further recognition that formal enforcement may not necessarily be the most effective tool from the point of view of meeting supervisory objectives and that fines may not be the most effective deterrent.  

You can subscribe to future posts here.

This post has been added to the page FCA enforcement in this blog which links all the enforcement cases reviewed.

FCA Enforcement: Going Global

With the advent of 2015, some people have talked about New Year's resolutions but frankly I still had one enforcement case from the Financial Conduct Authority (FCA) from 2014 I was keen to review.  

The case concerns a general insurer, Stonebridge, selling a range of accidental protection products offering cash compensation.  The FCA imposed a fine of £8.4 million as a result of the breaches identified.  (Click here to read the full details of the case.)

The business involved outsourcing sales process to a number of third party companies.  The products were sold in the UK and in a number of European countries (France, Germany, Italy and Spain) over the phone on a non-advised basis.  Names of potential clients were obtained from a range of business partners which were remunerated when sales were made.  These business partners were not involved in selling the products. 

The case results from the breaches of FCA principles concerning the fair treatment of customers (Principle 3) and appropriate systems and controls, including appropriate risk management (Principle 6).  The case provides a number of interesting lessons about the interaction of risk management and regulation.

1.  Fines may become a small component of the cost to firms of regulatory enforcement

In this case and in addition to the fine, the company committed to undertake a range of voluntary measures.  This includes a review of past business sold in the UK and European countries and compensation where losses arise as a result of the failings identified in this case.  

In addition to that, the company has replaced its executive management team, has ceased distribution of all products in the UK and European countries and has undertaken a comprehensive review of its governance structure, including new terms of reference and risk management framework.

2.  The FCA is applying UK requirements to non-UK operations

This is intentionally blunt!  In more subtle phraseology, the enforcement notice makes a distinction between the failure “to pay due regard to the interests of customers in the UK and treat them fairly” (my emphasis) and the failure to implement adequate systems and control which applies to the entire business, including European business.  The FCA identified significant failures which included inadequate management information, executive and board oversight and compliance oversight.   

3.  The importance of proactively managing the process

I have already written on the importance of proactively managing the enforcement process and contrasted two different responses to technical breaches (here and here).   This case provides an alternative perspective.  

The starting point seems to be an FCA review of a sample of sales calls during March and April 2012, an action presumably arising from the FCA’s ongoing supervision of Stonebridge.  The enforcement case ends up covering sales all around Europe, post-sale cancellation and the company’s systems and controls. 

When confronted with the initial findings from a regulator, there may be a temptation to challenge the findings.  This would be appropriate up to a point.  

An alternative approach would be to accept the substance of the findings and consider how the underlying events could have happened from a risk governance perspective.  This would require reviewing governance arrangements through the company, the risk management framework and the effectiveness of the oversight provided by the second line of defence.  Hindsight is always a powerful tool but it seems that this course of action could have been more effective in limiting the potential consequences.

Finally, this case also illustrates other failures such as controls of outsourcing and a skewed sales incentive mechanism.

You can subscribe to future posts here.

This post has been added to the page FCA enforcement in this blog which links all the enforcement cases I have reviewed.