Monday 21 December 2015

Out Outsourcing?

Well, not really.  But I am sure you have heard regulatory concerns about the lack of appropriate controls around outsourcing in financial services.  It is therefore not entirely surprising that the UK’s Prudential Regulation Authority (PRA) has recently fined a bank £1.2 million for failures in the controls associated with outsourcing (here).  There are, however, a number of interesting points about this enforcement case that have broader lessons about the supervisory expectations associated with the use of outsourcing in financial services.

1.  The regulatory expectations with respect to outsourcing within a group or to a third party outside the group are the same.  I have heard this before but I was still expecting to see a recognition that there may be a difference.  I could not really find an obvious distinction in the enforcement notice.  This is particularly relevant in financial services where brands are typically a collection of companies, sometimes with a core staff serving a number of companies, in particular with respect to finance (and, in insurance, actuarial).  This also has implications for risk functions, which will need to articulate how their oversight relates to the various companies.

2.  Outsourcing arrangements must be documented appropriately and in a timely manner.  While putting contracts in place within a group is probably understood to be a regulatory expectation, there are two important dimensions that this case highlights.  The first is the importance of putting contracts in place at the outset and undertaking due diligence; bear in mind point 1 above.  This also includes signing the contracts!  Secondly, in the case of internal outsourcing involving a control function, it is important that the roles and responsibilities of the various parties are clearly defined.  This can include distinguishing the roles of people and teams that probably sit near each other.

3.  The legal form of the outsourcing provider does not matter.  A JV form that effectively provides an outsourcing activity should also be treated as outsourcing. 

4.  The consequences of a lack or breakdown of controls matter a great deal.  If the finance function is outsourced within the group, then a breakdown can have severe financial implications (e.g. unauthorised payments) and can include misreporting of the capital and liquidity position to the PRA.

Last but not least, the response when the issue is discovered remains crucial.  In this case, it involved terminating certain outsourcing contracts and putting in place new ones, transferring finance teams to the relevant company and ensuring operational separation of the Bank from the rest of the group.  In addition, the bank commissioned a firm of accountants to review the matter, undertook its own review of all outsourcing contracts and was subject to a skilled persons review by the PRA.  As in other cases, the fine may not have been the largest cost to the bank.

If you found this post useful, you may want to subscribe and receive further posts by email – see box on the right hand side of the screen or click here.  My target is to post on a regular basis but I will not be flooding your inbox. 

This post is part of a series of posts on the practical lessons for risk management from enforcement cases.  The posts are all brought together in the page Enforcement Cases of the blog.

Monday 16 November 2015

Risk Management Lessons From the Co-op Bank's Demise

One of the fallouts from the financial crisis in the UK was the demise of the Co-op Bank as part of the Co-operative movement.  The UK regulators (the PRA and the FCA) investigated the causes of the bank’s demise and issued simultaneous enforcement notices earlier this year (here and here).  The key failures identified by the regulators are summarised in Box 1. 
One of the key points for the press was the regulators’ decision to waive any financial penalties, reflecting the financial condition of the Co-op Bank.  However, from a risk management perspective, the enforcement notices represent an interesting catalogue of lessons in risk management for both banks and insurers: 

1.  Risks and business strategy go hand in hand.  It is difficult to manage risks effectively in the absence of a clear and comprehensive strategy for key lines of business. 

2.  A ‘cautious’ risk appetite statement is not enough.  Business decisions still must be evidenced as ‘cautious’ in practice even if this happens on a qualitative basis. 

3.  The remit of the risk function includes valuations and accounting decisions.  This is particularly relevant in terms of the challenge to, and governance of, (changes to) assumptions associated with discretionary features of valuation, e.g. the timing of redemption of capital instruments.   

4.  Policies are more than documents.   Compliance with policies must be evidenced.  A complex and changing business reality cannot be captured through prescriptive policies.  Certain discretions must be factored into decision making processes.  The risk oversight should cover how those discretions are applied in practice.   

5.   An open and cooperative relationship with the regulators is not just about issues.  It includes updating the supervisor regarding concerns about the position of senior individuals leading to intended changes.

6.  An effective risk culture is an outcome of business decisions about risk.  This was one of the concerns of the regulators.  The regulators’ articulation of an effective risk culture is interesting: ‘A culture in which accepted orthodoxies are challenged, action is taken to address risks on a timely basis and risk and control functions carry real weight is likely to support prudent management.’  In a nutshell, a risk culture is not an end in itself but the means to support prudent management.

The enforcement notice mentions other issues regarding the shortcomings of the risk management oversight and internal audit. 

Finally, it is worth noting that the period of time formally considered by the regulators stretches from July 2009 – weeks before the Co-op Bank’s merger with the Britannia Building Society – to December 2013 – when it ceased to be a wholly owned subsidiary of the Co-op Group.   I don’t think the shortcomings just materialised in July 2009. 

This suggests that the perceived connection between responses to the financial crisis and strengthening risk management may not have been as widespread as it might have seemed.  The shortcomings are clearly serious and, while they may not be critical when taken individually or addressed within a short period of time, it is the cumulative impact that had the effect of bringing about the Co-op Bank's demise.    


This post is part of a series of posts on the practical lessons for risk management from enforcement cases.  The posts are all brought together in the page Enforcement Cases of Crescendo ERM blog.

Monday 31 August 2015

Capital Markets, Financial Crisis and ‘Diversions’

Sometimes the same word can have different meanings in different languages.  One example is 'diversion'.  In English it typically means taking a different way.  However, in Spanish 'diversión' means having fun.  I guess that when you take a different way, it can be fun.

Once upon a time, I spent time assessing the efficiency of UK equity markets.  The key idea was that if markets are efficient and there is no manipulation (e.g. information leakage), then we should be able to use the logic of event studies and test that there are no abnormal equity price movements before a corporate announcement.  I moved on, and the initial work was eventually carried out.  It was published by the FSA (here) and, as far as I can recall, it made it as far as the front page of the Financial Times.
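The event-study logic described above, as an added example that is not part of the original post nor of the FSA study it mentions.  It fits a market model (return of the stock regressed on the return of the market) over an estimation window, computes abnormal returns over the days immediately before the announcement, and tests whether their cumulative sum (CAR) is significantly different from zero.  The return series are constructed here (a smooth market series, a stock that follows the market model with small alternating noise, and an optional pre-announcement drift standing in for trading on leaked information); the window lengths, the market model and the 1.96 critical value are assumptions chosen for illustration, not the FSA's settings.

```python
"""Event-study check for abnormal returns ahead of an announcement.

Added example; not code from the original post or from the FSA study it
mentions.  All return series are constructed (see make_series), and the
window lengths and the market-model choice are assumptions for illustration.
"""
import math
from statistics import mean


def market_model(stock, market):
    """Ordinary least squares fit of stock returns on market returns over the
    estimation window.  Returns (alpha, beta, residual_std)."""
    n = len(stock)
    mx, my = mean(market), mean(stock)
    sxx = sum((x - mx) ** 2 for x in market)
    sxy = sum((x - mx) * (y - my) for x, y in zip(market, stock))
    beta = sxy / sxx
    alpha = my - beta * mx
    residuals = [y - (alpha + beta * x) for x, y in zip(market, stock)]
    residual_std = math.sqrt(sum(r * r for r in residuals) / (n - 2))
    return alpha, beta, residual_std


def pre_event_car(stock, market, estimation_len, event_window):
    """Fit the market model on the first estimation_len days, then sum the
    abnormal returns over the event_window days immediately before the
    announcement (the last observation).  Returns (car, t_stat); the t-stat
    treats abnormal returns as independent with the estimation-window
    residual variance, the usual event-study approximation."""
    alpha, beta, sigma = market_model(stock[:estimation_len], market[:estimation_len])
    window_s = stock[-event_window - 1:-1]   # excludes the announcement day itself
    window_m = market[-event_window - 1:-1]
    abnormal = [s - (alpha + beta * m) for s, m in zip(window_s, window_m)]
    car = sum(abnormal)
    t_stat = car / (sigma * math.sqrt(event_window))
    return car, t_stat


def make_series(n, leak_per_day=0.0, leak_days=0, alpha=0.0003, beta=1.2):
    """Constructed daily returns of length n, the last day being the
    announcement.  A positive leak_per_day adds drift to the leak_days days
    before the announcement, mimicking trading on leaked information."""
    market = [0.01 * math.sin(0.7 * i) for i in range(n)]
    stock = []
    for i, m in enumerate(market):
        noise = 0.004 if i % 2 == 0 else -0.004   # deterministic idiosyncratic noise
        drift = leak_per_day if n - 1 - leak_days <= i < n - 1 else 0.0
        stock.append(alpha + beta * m + noise + drift)
    return stock, market


def leakage_check(stock, market, estimation_len=250, event_window=10, critical_t=1.96):
    """Return (car, t_stat, flagged).  flagged means the pre-event CAR is
    significant at roughly the 5% level: a trigger for closer review of the
    announcement, not proof that information leaked."""
    car, t_stat = pre_event_car(stock, market, estimation_len, event_window)
    return car, t_stat, abs(t_stat) > critical_t


if __name__ == "__main__":
    n = 250 + 10 + 1   # estimation window + pre-event window + announcement day
    for label, leak in (("no leak", 0.0), ("leak of 1% a day", 0.01)):
        s, m = make_series(n, leak_per_day=leak, leak_days=10)
        car, t, flagged = leakage_check(s, m)
        print(f"{label:>17}: CAR={car:+.4f}  t={t:+.2f}  flagged={flagged}")
```

On real data the same test is run across many announcements and the CARs are averaged, since a single stock's pre-event drift can have innocent explanations (sector news, index flows); the per-announcement flag above is what a surveillance team would use to pick cases for review.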

I thought that it would be a good diversion from my current activities to read something about capital markets.  I came across an interesting paper on market efficiency published in Institutional Investor (here).  The paper was written in the wake of the award of the 2013 Nobel Prize in Economics to three economists, including Eugene F. Fama and Robert J. Shiller.  What made the award interesting is that it recognises the challenges of assessing efficient markets; Fama pioneered the notion of efficient capital markets and Shiller has challenged it.  (The third Nobel laureate was Lars Peter Hansen who, as I understand it, deserves it for his work on the maths of finance.)

The paper is an interesting tour of many years of research by the authors – applied and academic.  It explains in simple language the ‘joint hypothesis’ problem, i.e. the need to test jointly the assumption of efficient capital markets with an equilibrium pricing model, usually the capital asset pricing model (CAPM), and the potential implications, e.g. the market may be efficient but assets may not be priced according to the CAPM.

The paper also provides a clear articulation of the challenges to the efficient market hypothesis.  One of the responses is to test alternatives to the CAPM, e.g. momentum strategies.  Another is that there are behavioural biases, e.g. investors overreact to both good news and bad news, so that capital markets are not efficient.  Overall, the authors come out in favour of efficient markets, ‘at least as the base case’, without committing to a view that markets are ‘perfectly efficient’.  One of the implications of less than perfect efficiency of capital markets is that market arrangements, including regulation, matter to some degree.

In my view, the best point made in the article is the consideration of the link between belief in market efficiency – ‘market fundamentalism’ – and the recent (or ongoing) financial crisis.  As the authors put it, financial crises are not created by someone buying something that he thinks is a fair deal in an efficient market.  Financial crises are created by people that think that markets are inefficient, i.e. an impossibly good deal is available and will continue to be available.   


Monday 6 July 2015

Is the Governance Map Also the Territory?

One of the financial crisis’s lessons for regulators has been discovering the ‘accountability firewall’ of collective responsibility which prevents actions against individuals even if they are approved for specific roles.  This was one of the lessons from the UK Parliamentary Commission on Banking Standards from 2013.

UK regulators have been tasked with the challenge of breaking down that ‘firewall’ for both banks and insurance.  The UK has had a regime of approved persons for some time.  The PRA and the FCA have been consulting on proposals aimed at strengthening the accountability of senior management.  For insurers, this is referred to as the Senior Insurance Managers Regime (SIMR).

The proposals may well increase the scope of senior managers, and will strengthen conduct requirements that apply to them.  It seems to me that the most innovative (and, dare I say, revolutionary) aspect of the proposals is the requirement that firms produce a ‘governance map’.   As with all good ideas, it is simple.  The regulator identifies a set of responsibilities and then asks firms to map them to senior managers who are subject to regulatory approvals and sanctions.  

The list of responsibilities is long.  For example, the list for insurers is as follows:
1. ensuring that the firm has complied with the obligation to satisfy itself that persons performing a key function are fit and proper;
2. leading the development of the firm’s culture and standards;
3. embedding the firm’s culture and standards in its day-to-day management;
4. production and integrity of the firm’s financial information and regulatory reporting;
5. allocation and maintenance of the firm’s capital and liquidity;
6. development and maintenance of the firm’s business model;
7. performance of the firm’s Own Risk and Solvency Assessment (ORSA);
8. induction, training and professional development for all the firm’s key function holders;
9. maintenance of the independence, integrity and effectiveness of the whistleblowing procedures, and the protection of staff raising concerns;
10. oversight of the firm’s remuneration policies and practices.

For banks, there is no direct equivalent to 7 even though there is an ICAAP.   However, the list includes the following additional responsibilities:
1. funding, which is mentioned alongside capital and liquidity in 5. above, as well as an additional responsibility in respect of the bank’s treasury management functions;
2. developing a firm’s recovery plan and resolution pack and overseeing the internal processes regarding their governance;
3. managing the firm’s internal stress-tests and ensuring the accuracy and timeliness of information provided to the PRA and other regulatory bodies for the purpose of stress testing;
4. safeguarding the independence of and overseeing the performance of the compliance function, internal audit and risk function respectively; these are three different responsibilities.

There are some interesting differences between banking and insurance.

The overall message is rather simple: there is an individual presumption of responsibility in the event of a breach.  In those cases, the relevant individual will need to demonstrate that he took reasonable steps to prevent the breach in the relevant area. 

Firms’ senior managers will spend time discussing the mapping of responsibilities.  This may well be the easy part.  Undoubtedly, the challenge for senior managers will not be the map, but the territory, i.e. how to manage the relevant responsibility.  For some responsibilities there will be processes, teams and awareness within the company to ensure that something happens; think of item 7 above, the ORSA.  In other cases, the challenge will be determining which business function will assume the relevant responsibility and what approaches, processes and resources will be needed as evidence that reasonable steps were taken.  What should be done to prove that the ‘firm’s culture and standards’ are developed and embedded?  


Sunday 28 June 2015

Securitisations and Solvency II: An opportunity? Or one to be missed?

To put it mildly, securitisations did not get a good reputation as a result of the financial crisis.  Things are now changing.   This is illustrated well in a discussion paper from the Bank of England and the European Central Bank extolling the virtues of securitisations (here).    It is difficult to disagree with the key message: securitisations can be win-win transactions that enhance the ability to redistribute risks more efficiently in the economy while enabling institutional investors to access a wider pool of investments.  

The Solvency II Delegated Acts (‘implementing measures’) built up a more favourable capital treatment for securitisations.  Securitisation is now recognised as a category of its own for the purposes of spread risk.  This evolution can be evidenced in the Commission’s Impact Analysis published at the time of publication of the draft Delegated Acts (here).  As recognised in the Delegated Acts, this even includes adopting the name ‘securitisation’ instead of the name used in the Solvency II Directive in 2009: ‘investment in tradable securities or other financial instruments based on repackaged loans’.

As one would expect, the calibration of the standard formula spread risk for securitisation reflects the maturity of the exposure and its credit rating.  However, there is an interesting innovation.  The Delegated Acts identify two types of securitisation exposures: ‘good’ and ‘bad’, or in policy terms, type 1 and type 2.  The criteria are set out in the Delegated Acts and are quite detailed.  

Exposures of type 1 must meet 20 conditions including a rating of ‘BBB’ or above, the seniority of the exposure in the securitisation, SPV arrangements, listing in an OECD or EU exchange, and backing by residential loans, commercial loans or auto loans and leases.   The list of conditions is somewhat shorter for securitisations that were issued before the Delegated Acts came into force. Type 2 securitisations are simply those not meeting these criteria.  

Figure 1 shows the significant difference that meeting the conditions for type 1 makes to the capital charges.  It is noticeably a more important consideration than the rating or maturity of the exposure.  

Figure 2 shows an alternative view of the spread risk capital requirements for type 1 securitisations compared against the equivalent ones for corporate bonds of equivalent ratings.   The differences aren’t that large in particular for short maturities.

All this raises a number of interesting considerations for an insurer’s capital management strategy. 

Firstly, there may be tactical adjustments where insurers find that they are holding type 2 securitisation paper as part of the Solvency II implementation work.  In this case, the insurers may seek to dispose of these investments before 1 Jan 2016 to avoid the capital increases that Figure 1 suggests.  However, given insurers’ relatively small holdings of securitisations, this may not be a material issue.

The bigger issue is the extent to which there is an appetite to consider the capital treatment of type 1 securitisation as a more strategic opportunity and readjust investment strategies.  Indeed, would it be possible to do so before 1 Jan 2016 to enhance the matching of cash flows of annuity liabilities and subject to Matching Adjustment? 

In any event, Figure 2 above suggests that there may be an interesting question about the risk and return trade-off of corporate bonds versus type 1 securitisations.  Would the returns from securitisations be sufficiently higher to justify the additional capital requirements?  Figure 2 suggests that for low maturities, e.g. up to 7 to 10 years, this could be finely balanced, in particular for ‘BBB’ bonds.  If so, would insurers be willing to tilt their investment strategies to include more type 1 securitisations?  The answer to this question requires appropriate consideration of cash-flow matching, risk appetite, stress testing and governance.   

However, even if the risk and return trade-off mentioned above appears appropriate, it seems that there may be a limited supply of type 1 securitisations.  If so, there would be a limited opportunity for insurers in the short to medium term.  This would be more of an opportunity for investment banks to structure securitisation transactions.

This post is part of a series of posts on Solvency II.  To see the list, click here.


Tuesday 5 May 2015

Reverse Stress Testing (RST): The Return of ‘Adequacy’

RST is one of the additional challenges that financial regulators have added following the financial crisis.  I spoke today on the subject at an event organised by the Institute of Risk Management. 

The effective implementation of RST builds on the articulation of the underlying business model.  This is something that UK supervisors have put on the agenda recently to signal a more holistic approach to supervision.  I have written a number of posts on the subject which you can access here.   

There are a number of challenges to deliver a RST.  The return of ‘adequacy’ might seem an odd title for my presentation.  It seeks to convey a simple message about the main challenge of RST: the assessment and judgement about the resilience of the business model.  It’s a ‘return’ because the term ‘adequacy’ used to be more prominent.  You may remember the Capital Adequacy Directive before it became the Capital Requirement Directive.  Anyway, the graph below seeks to illustrate the challenge of adequacy, which also serves to bring on a page the various stress and scenario tests that banks and insurers are considering on a regular basis. 

The key message from the graph is that if business failure scenarios are ‘close’ to the 1-in-200 scenarios, the adequacy of the business model and the strategy could be challenged.  Management may need to consider how to mitigate the risks to the business model. 

The full set of slides is available here.


Sunday 19 April 2015

Creating Your Own Risk Wave

During a recent family vacation, I had the opportunity to watch something unusual in the Mediterranean Sea.  The sea was rough and I saw people surfing at a beach where one usually sees children paddling.  There were about twenty surfers in the sea waiting for a wave.  When a wave came, a few would successfully ride it.  Then they had to paddle back to the ‘line’ and wait for the next wave.

It reminded me of blogging (in general, not just this one).  You start by identifying a number of ideas, like the surfer’s positioning to wait for a wave.  You develop one of them into a post and publish it.  You then need to start all over again, like the surfers paddling back out to sea after they have caught a wave.  As with surfing (I guess) that’s the fun of it.

But it also reminded me of risk management: you implement an enterprise risk management (ERM) system, then wait for the events (or the wave) which will come sooner or later and learn about the effectiveness of ERM implementation. 

It occurred to me that the differences between surfing and risk management are more revealing.  Firstly, surfers look for the best opportunity to ride a wave.  Risk management, on the other hand, usually aims to protect a business franchise rather than embrace risk taking. But see this post for an alternative view.

Secondly, the existence of a back book in banking and insurance means that there is not an obvious notion of going back to the beginning as there is in surfing and paddling back out to sea.  

Finally, building up a banking or insurance back book, or acquiring one, involves more choice than a surfer has in choosing a wave.  Indeed, it may be the equivalent of creating your own wave.  In some cases, it would be a wave of longevity risks.  In other cases, it would be a wave of ‘interest rate risk mismatch’. 

So next time you happen to see a surfer, think like one of them and consider how risk management can help your business thrive.  But also remember that if surfers have dreams, they probably dream of creating their own wave.


Tuesday 14 April 2015

Risk Is Exciting

You hear people say that risk management and regulation are not exciting topics.

However the 30,000 pageviews on this blog since Nov 2014 suggest that risk management and regulation are more interesting than it seems.  Your comments have also been very useful and instructive.  Please keep them coming.

Thank you all!    

Tuesday 31 March 2015

Losses Are Not Failures of Risk Management

Well, not necessarily.  But we need to remind ourselves and our stakeholders that that’s really the point.  Losses will happen with a certain regularity.  This is the message of a risk appetite system where the limits are calibrated to a 1-in-10 chance over a one-year horizon: by construction, a limit is expected to be breached roughly one year in ten.   Whether the implications are really appreciated is a different point. 

A paper by Rene Stulz (here) is a good reminder that losses may not represent a failure of risk management.  This is particularly the case where “managers [know] exactly the risks they faced―and they decided to take them.  Therefore there is no sense in which risk management failed”.  He goes on further to say that “deciding whether to take a known risk is not a decision for risk managers.  The decision depends on the risk appetite of an institution.” 

This is consistent with the practitioner’s view as expressed by James Tufts, Group CRO of Guardian Financial Services, expressed in a guest post in this blog: “[T]he objective of the ‘Risk Function’ should not be ‘risk management’.  That’s a business objective.  The objective of the ‘Risk Function’ is to provide the ERM [Enterprise Risk Management] framework and the source of challenge and oversight on all aspects of the business model, relative to this framework.”

There may be risk management failures nevertheless and Stulz’s paper goes on to provide a useful classification:
  1. Mismeasurement of known risks  
  2. Failure to take risks into account 
  3. Failure in communicating the risks to top management 
  4. Failure in monitoring risks 
  5. Failure in managing risks 
  6. Failure to use appropriate risk metrics
I find these categories rather intuitive and I wonder how they can be used in practice.  There is an increasing regulatory expectation of formal assessment of the effectiveness of risk management and these categories could usefully feed into that process in two complementary ways. 

Firstly, banks and insurers track a range of risk events/incidents.  It would be useful to consider whether reported incidents fall into any of the above categories or, alternatively, are simply consistent with the risk appetite.

Secondly, insurers and banks using an internal model are expected to use it to support a profit and loss attribution.  This means explaining actual profits and losses by reference to the output of the internal model and the risk categories considered.  It would be interesting to consider if the losses arise from changes in values consistent with risk appetite or any of the reasons set out above. 
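A worked version of the two checks above, as an added example rather than code from the original post or any firm's internal model.  It attributes a year's actual P&L to the risk categories of an internal model via the model's sensitivities, compares each attributed loss with the corresponding 1-in-10 risk appetite limit, flags a risk factor that moved without any model sensitivity (Stulz's ‘failure to take risks into account’) and a residual beyond tolerance (a candidate for ‘mismeasurement of known risks’ or ‘failure to use appropriate risk metrics’), and computes how many limit breaches a 1-in-10 calibration should be expected to produce over a run of years.  The sensitivities, moves, P&L, limits and tolerance are constructed figures in £m; the labels are the ones used here and are not a regulatory taxonomy.

```python
"""Profit-and-loss attribution against internal-model risk categories.

Added example; not code from the original post or from any firm's model.
All figures below are constructed (£m) and the classification labels follow
the Stulz categories quoted in the post rather than any regulatory taxonomy.
"""
import math

# Constructed inputs.  Sensitivities are model P&L (£m) per unit move of the
# risk factor; limits are the 1-in-10 one-year loss limits per category taken
# from the risk appetite statement.
MODEL_SENSITIVITIES = {
    "equity": 2.0,          # £m per +1% move in the equity index
    "interest_rate": -0.5,  # £m per +1bp parallel rise in rates
    "credit_spread": -0.3,  # £m per +1bp widening of spreads
}
REALISED_MOVES = {
    "equity": -12.0,        # equities fell 12%
    "interest_rate": 20.0,  # rates rose 20bp
    "credit_spread": 50.0,  # spreads widened 50bp
    "longevity": 0.8,       # longevity improved 0.8 years: moved, but not in the model
}
ACTUAL_PNL = -55.0
APPETITE_LIMITS = {"equity": 20.0, "interest_rate": 15.0, "credit_spread": 12.0}
UNEXPLAINED_TOLERANCE = 5.0


def attribute_pnl(sensitivities, moves, actual_pnl):
    """Explain the actual P&L by multiplying each modelled sensitivity by the
    realised move; whatever is left over is the unexplained residual."""
    explained = {cat: sens * moves.get(cat, 0.0) for cat, sens in sensitivities.items()}
    unexplained = actual_pnl - sum(explained.values())
    return explained, unexplained


def review_findings(sensitivities, moves, actual_pnl, limits, tolerance):
    """Attribute the P&L and label each item for the effectiveness review:
    a loss inside its 1-in-10 limit is consistent with appetite; a loss above
    it is a limit breach to be checked against the failure categories (or
    confirmed as the expected one-year-in-ten outcome); a factor that moved
    without a model sensitivity points at 'failure to take risks into
    account'; a residual beyond tolerance at mismeasurement or wrong metrics."""
    explained, unexplained = attribute_pnl(sensitivities, moves, actual_pnl)
    findings = {}
    for cat, pnl in explained.items():
        findings[cat] = "within appetite" if -pnl <= limits[cat] else "limit breached"
    for cat in moves:
        if cat not in sensitivities:
            findings[cat] = "unmodelled"
    findings["residual"] = "within tolerance" if abs(unexplained) <= tolerance else "unexplained"
    return explained, unexplained, findings


def breach_tail_probability(k, n, p=0.1):
    """Probability of at least k limit breaches in n years when each year
    breaches a 1-in-10 limit with probability p: the yardstick for judging
    whether an observed breach count is what the calibration implies."""
    return sum(math.comb(n, j) * p ** j * (1 - p) ** (n - j) for j in range(k, n + 1))


if __name__ == "__main__":
    explained, unexplained, findings = review_findings(
        MODEL_SENSITIVITIES, REALISED_MOVES, ACTUAL_PNL, APPETITE_LIMITS, UNEXPLAINED_TOLERANCE)
    for cat, pnl in explained.items():
        print(f"{cat:>14}: {pnl:+7.1f}  {findings[cat]}")
    print(f"{'residual':>14}: {unexplained:+7.1f}  {findings['residual']}")
    print(f"{'longevity':>14}: moved, no sensitivity  {findings['longevity']}")
    print(f"P(at least one breach in 5 years) = {breach_tail_probability(1, 5):.3f}")
```

With these constructed figures the equity and credit spread losses sit above their 1-in-10 limits while the interest rate loss does not, longevity is flagged as a risk the model never priced, and £6m of the £55m loss is not explained by any modelled factor.  The binomial check is the quantitative form of the post's opening point: with five categories each limited at 1-in-10, seeing at least one breach in a given year is the norm rather than the exception, so a breach on its own says nothing about whether risk management failed.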

The above might seem a simple idea but learning from failures, or risk management failures in this case, is usually anything but a simple idea.


Monday 16 March 2015

Stress Testing: Reporting or ‘So What’?

The Bank of England (BoE) recently published the results of the first concurrent stress testing of UK banks (click here for a post about the implications of this exercise).  Stress testing is not only relevant to banks; EIOPA also initiated a similar process and carried out an exercise in 2014, which I will cover in a future post.   
Much has been written about the results for individual banks.  I would like to share some observations about an aspect of stress testing with wider implications: the consideration of ‘so what’ that may take place when the stress materialises. 
In the BoE stress testing, banks had to spell out the management actions they envisaged taking.  These actions were subject to scrutiny by the Bank of England and ‘a high threshold was set for accepting’ them. 
There is little detail about the specific management actions that were accepted.  Broadly speaking, they appear to be mainly reductions in costs and dividends.  Furthermore, the BoE clarified that it did not accept management actions that resulted in a unilateral reduction in credit supply in the stress scenario.  This approach meant that management actions had limited impact: no impact for two banks and, for the other six banks, an average improvement (i.e. an increase in common equity Tier 1 [CET1] after the stress) of 9%.  
In an earlier post (here), I suggested the consideration of ‘so what’, including the ability to carry out actions that mitigate the impact of the stress as one of the potential benefits of stress testing.  How should we reconcile this with the limited scope of management actions recognised in this exercise?
A useful starting point would be to make a clear distinction between stress testing undertaken for different purposes and audiences.  This is summarised in the table below:

Internal: identifying vulnerabilities and addressing them; scope is lines of business/ business units.
‘External’ / BoE: evidencing overall resilience; scope is enterprise wide.
Given the BoE’s intention to continue stress testing and make them an integral part of the supervisory landscape, the question would be how to integrate these two different perspectives of stress testing. 
Ideally, a bank would start an internal review of stress vulnerabilities at the business unit level as soon as the submission to the BoE is delivered.  This would enable the bank to identify and put in place the appropriate risk mitigation.  For example, the bank may choose to adjust its credit risk mitigation by transferring loans or hedging credit before the next BoE stress testing.  Given the focus on addressing vulnerabilities, which could require board approval, it would make sense to review stress vulnerabilities of specific business units/lines of business on a staggered basis. 
Adopting this approach over time would deliver a virtuous cycle of identification of stress vulnerabilities and enhanced risk mitigation which would be reflected in the next stress testing for the BoE.
In conclusion, while the BoE may have adopted ‘a high threshold’ for accepting management actions, banks can still build in a process to identify and implement these management actions and evidence how they address vulnerabilities in key business units and product lines.


Saturday 28 February 2015

The European Commission’s Impact Assessment of Solvency II: Some Useful Points

The European Commission recently published a draft of the Solvency II ‘implementing measures’.  The ‘implementing measures’ expand on the requirements set out in the Solvency II directive.  Alongside the ‘implementing measures’, the European Commission also published a draft impact assessment.  This is one of the many procedural requirements that apply to the policy-making process in the Commission. 

I thought it would be interesting to review the impact assessment.  As a user, I want to consider the extent to which the impact assessment can help me to understand Solvency II. 

What did I learn from this exercise?

1.    The importance of objectives in the EU policy-making process

The impact analysis is structured around a definition of problems that the policy making will address.  During the discussions about the directive, these objectives were enhancing policyholders’ protection and the integration of insurance markets in the EU. 

The Commission’s impact analysis acknowledges that there is now a third objective that has been taken into account: fostering growth and recovery in Europe by promoting long-term investment.  In the case of insurance, the main challenges that arise relate to the low interest rate environment and the volatility of asset prices. 

2.    A useful summary of how the calibration of asset risk has evolved

The third objective mentioned above has shaped the structure and calibration of capital requirements for assets risk which has evolved over a number of years.  However, it is not easy to see in a succinct way the end product where the answer is set out over a number of articles in the implementing measures.  Surprisingly, this can be summarised in a simple table (below).

3.    The scope of impact analysis remains a tricky issue

The Commission seems to have overcome the challenge of undertaking an impact analysis that seeks to cover the impact of all rules.  The Commission states,

“The options assessed have been selected to cover the most important and representative issues from each of the three pillars of Solvency II and each of the areas of the objectives and problem trees. The areas that are merely technical, have been settled in the Directive or are uncontroversial are not assessed in detail …”

This is reasonable and can result in a more productive use of scarce analytical resources but it can also have unintended consequences.  As far as I can see, the impact analysis did not cover the treatment of long-term guarantees.  I am frankly not sure if this is because it was settled in the Directive or because it turned out to be uncontroversial.

4.    The relative priorities of the Commission: the importance of reducing over-reliance on ratings

The concern about over-reliance on ratings is not new if you have been following the development of Solvency II.  However, given the breadth of Solvency II and the focused impact assessment, I found it surprising that the Commission went out of its way to include a full two-page annex summarising the requirements aimed at reducing reliance on external ratings in the risk management of insurance “such as

  ▪ external ratings shall not prevail in risk management;
  ▪ as part of their investment risk management policy, insurers and reinsurers should have their own assessment of all counterparties;
  ▪ as part of their reinsurance (or other risk mitigation techniques) policy, insurers and reinsurers should have their own assessment of all 

5.    And finally, a puzzle about policy making

The Commission’s impact assessment notes that one of the issues that emerged from the QIS5 was the application of a limit to the amount of Tier 2 capital (i.e. debt) that would be allowed.  This issue has remained unclear since then. 

Interestingly, if all you read is the relevant section of the impact analysis on pages 38 to 46 which also summarises EIOPA’s recommendations, you could be forgiven for thinking that the limit would not apply.  It is only the summary on pages 50 to 51 that suggested that I might need to reconsider my initial views.  Indeed, the draft implementing measures clarify that the sum of Tier 2 and Tier 3 capital must not exceed 50% of the SCR, which is an interesting development. 

This illustrates one of the key operational challenges of impact analysis: the need to keep up with the policy.

This was a selective but nonetheless in-depth reading of the impact assessment.  Have you read the impact assessment?  Did you learn any useful points from it?

Friday 27 February 2015

The Three Lines of Defence: An Enforcement Perspective

Much has been written about the three lines of defence model, including whether there are really three lines of defence (or any other number) and whether the concept is dead.  I personally regard the three lines of defence as a mechanism to clarify roles and responsibilities and underpin the risk management activities of different functions in financial services.

This week there was good evidence that the concept is alive and well.  The FCA issued a penalty to Aviva Investors for failure to manage the conflicts of interests between itself and clients, and between different clients (full paper here). 

From a risk management perspective, there were a couple of interesting lessons:   

1.  The increased size of compensation paid as part of the enforcement case relative to the size of the regulatory fine; in this case the fine was £17.6m and the compensation to eight funds was £132m. 

2.  The FCA has drawn an explicit parallel between failures of the three lines of defence model and Principle 3 which requires that an authorised firm “take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.”  

The case examines the performance of each line of defence and sets out the observed failures, which provides a useful checklist.  

1. Weaknesses in the first line of defence 
  • unclear split of responsibilities between first and second line of defence 
  • failure to implement appropriate controls  
  • lack of system to capture the relevant information 
  • weaknesses in management information produced 
  • culture focused on performance together with performance management that often overlooked the importance of risk and controls  
2.  Weaknesses in the second line of defence  
  • inadequate compliance monitoring 
  • inadequate compliance resource and capability 
3.  Weaknesses in the third line of defence  
  • unclear process to accept the risk associated with control weaknesses 
  • dependency on strategic change projects without adequate consideration of whether they address the findings and support the closure 
  • lack of testing of the closure of audit issues

Intuitively this characterisation of systems and controls around the three lines of defence is not new; in my view, rather, it is the explicit recognition in an enforcement case that is new.

This post is part of a series of posts on the practical lessons for risk management from enforcement cases.  The posts are all brought together in the page FCA enforcement.

Sunday 1 February 2015

Is It FCA Supervision or Enforcement?

One of the observations in my latest post about enforcement (here) was that fines can become a relatively small component of the cost of regulatory enforcement.  This observation was made in a context where, in addition to the fine, the firm had agreed to a number of specific measures which included replacing its executive management team and a comprehensive review of its governance structure. 

This week I came across an even better example of the blurring of the line between formal enforcement and a firm agreeing with the supervisor to a set of measures.  The Times reports that the London office of Deutsche Bank has been put on ‘enhanced supervision’ (here). 

Enhanced supervision is a new power acquired by the FCA, the use of which is articulated in a paper from June 2014 (here).  It explains that the application of enhanced supervision is not enforcement, although that may follow.  Enhanced supervision requires the firm’s Board to formally commit to remediation measures.  The paper sets out a comprehensive list of indicators of the failures that would lead to enhanced supervision:  
  • “the observation of numerous or specially significant conduct failings or repeated failings that when examined individually might not be considered serious  
  • “occurrence of failings in several business areas, as this is an indicator of wider cultural issues within the firm 
  • “a poorly functioning Board, for example failing to challenge executives or take a lead in considering conduct  
  • “evidence of control areas such as Risk, Compliance and Internal Audit being poorly managed, under-resourced or unable to make their voices heard at Board level 
  • “evidence of weak risk management (we may consider the PRA’s findings in relation to prudential risk management), or 
  • “evidence of other weaknesses in the way in which the Board and senior management influence key cultural factors, for example ‘tone from the top’, pay and incentives and their adherence to the organisation’s values.” 

There has been no formal statement from the FCA about this case. 

Perhaps the main point arising from this development is the further recognition that formal enforcement may not necessarily be the most effective tool from the point of view of meeting supervisory objectives and that fines may not be the most effective deterrent.  

This post has been added to the page FCA enforcement in this blog which links all the enforcement cases reviewed.