Upload Login /
...

P a g e 1

by user

on
Category: Documents
>> Downloads: 6
45

views

Report

Comments

Description

Transcript

P a g e 1
Page |1
International Association of Risk and Compliance
Professionals (IARCP)
1200 G Street NW Suite 800 Washington, DC 20005-6705 USA
Tel: 202-449-9750 www.risk-compliance-association.com
Top 10 risk and compliance management related news stories
and world events that (for better or for worse) shaped the
week's agenda, and what is next
Dear Member,
It is always interesting when banks
report “key challenges to compliance”.
For a long time, banks’ information
technology (IT) and data architectures
have been inadequate to support the
broad management of financial risks.
Many banks lacked the ability to
aggregate risk exposures and identify
concentrations quickly and accurately
at the bank group level, across business
lines and between legal entities.
Some banks were unable to manage their risks properly because of weak
risk data aggregation capabilities and risk reporting practices. This had
severe consequences to the banks themselves and to the stability of the
financial system as a whole.
In response, the Basel Committee has issued supplemental Pillar 2
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
Page |2
(supervisory review process) guidance to enhance banks’ ability to identify
and manage bank-wide risks.
Today we have a very interesting paper.
Global systemically important banks (G-SIBs) have reported five key
challenges to compliance with the Principles in the area of risk data
aggregation.
1. First, consistent with the results of 2013 stocktaking, G-SIBs have a heavy
reliance on manual processes and interventions to create risk reports.
While market risk data (and to some extent, liquidity risk data) are largely
automated, manual processes are still widely used in many risk areas and
across businesses and functions.
This impedes banks in generating ad hoc data report requests in a timely
and accurate manner, especially in times of stress or crisis situations.
In this context, G-SIBs pointed out the importance of enhancing their IT
infrastructures to support daily data aggregation in situations of
stress/crisis.
Some of them also underlined the need to improve their production of risk
information and metrics (notably in domains other than market risk) on a
timely basis to meet all risk management requirements.
2. Second, G-SIBs appear unable to consistently and comprehensively
document risk data aggregation processes at the group level, including
clearly defining material risk across business lines and legal entities.
A possible solution to this issue is the implementation of formal “data
dictionaries” consistently covering all risk categories at the group level, thus
reducing the time required to generate customised reports.
The development of an End User Computing Policy (EUC) would help
capture and ensure complete documentation of all material manual
processes at the group level.
3. Third, G-SIBs reported difficulties improving their ability to aggregate
collateral-related data for derivatives transactions.
G-SIBs also noted the challenges in aggregating off-balance sheet risk data,
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
Page |3
due, in part, to the non-linearity of the measures and the lack of
harmonisation across jurisdictions.
4. Fourth, G-SIBs reported difficulties in establishing adequate automated
reconciliation processes for risk data aggregation, notably for managerial
risk data with regulatory and/or accounting data.
More broadly, throughout the reconciliation process, banks are striving to
address the key challenge of ensuring a consistent level of granularity of
information and sufficient documentation of material discrepancies across
source systems.
5. Finally, several G-SIBs highlighted that legal restrictions in some
regions/countries have hindered them in producing a granular level of
details on risk data.
Read more at Number 8 below. Welcome to the Top 10 list.
Best Regards,
George Lekatis
President of the IARCP
General Manager, Compliance LLC
1200 G Street NW Suite 800,
Washington DC 20005, USA
Tel: (202) 449-9750
Email: [email protected]
Web: www.risk-compliance-association.com
HQ: 1220 N. Market Street Suite 804,
Wilmington DE 19801, USA
Tel: (302) 342-8828
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
Page |4
Network and Information
Security in the Finance Sector
Regulatory landscape and
Industry priorities
The denomination “finance sector” describes a complex mesh of different
actors who achieve different missions and goals.
Their interaction is also complex and is better understood when adopting a
high-level view of the sector and exploring specific areas when required.
The Basel Committee's work programme for
2015 and 2016
The work programme for 2015 and 2016 is structured
around four themes:
1. Policy development;
2. Ensuring an adequate balance between
simplicity, comparability and risk sensitivity across the regulatory
framework;
3. Monitoring and assessing implementation of the Basel framework;
and
4. Improving the effectiveness of supervision.
ECB press conference - introductory statement
Introductory statement by Mr Mario Draghi, President
of the European Central Bank, Frankfurt am Main
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
Page |5
Solvency II: transitional
measures on risk-free interest rates and technical provisions
The PRA is publishing this statement to set out expectations of firms in
relation to how participations in insurance and reinsurance undertakings
are accounted for in the Solvency Capital Requirement (SCR) at solo level.
The BSP and the banking industry - weaving a
story of growth and development
Speech by Mr Amando M Tetangco, Jr, Governor of
Bangko Sentral ng Pilipinas (BSP, the central bank of the
Philippines), at the Annual Reception for the Banking
Community, Malate
Cyber resilience - a financial stability
perspective
Speech given by Mr Andrew Gracie, Executive
Director of Resolution of the Bank of England, at the
Cyber Defence and Network Security conference, London
In the finance sector, we have to contemplate the possibility that core
functions in firms, the financial market infrastructure that links them
together or the supply chains that support them, may be damaged in a cyber
attack, either through the corruption or loss of data or outright loss of
systems.
Does the Riksbank have to make a profit? Challenges for the
funding of the Riksbank
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
Page |6
Speech by Ms Kerstin af Jochnick, First Deputy
Governor of the Sveriges Riksbank, at the Swedish
House of Finance (SHoF), Stockholm, 23 January
2015.
In the long run, the largest part of the Riksbank’s
profits are paid back to the government in the form
of dividends, and over the past 25 years the
Riksbank has paid in more than SEK 210 billion to the Treasury.
Progress in adopting the principles for effective
risk data aggregation and risk reporting
The Principles for effective risk data aggregation and
risk reporting (the “Principles”) were issued by the
Basel Committee on Banking Supervision in January
2013.
The Principles aim to strengthen risk data aggregation and risk reporting
practices at banks to improve risk management practices.
Building a culture of trust in the financial
industry
Opening address by Mr Ravi Menon, Managing
Director of the Monetary Authority of Singapore, at the
Monetary Authority of Singapore-Singapore Academy
of Law Conference, Singapore, 23 January 2015.
DHS Releases 2014 Travel and Trade
Statistics
“The TSA screened more than 650 million passengers, nearly 1.8 million
each and every day, while CBP processed 31 million imports, $2.4 trillion in
trade, and 374 million travelers.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
Page |7
Network and Information
Security in the Finance Sector
Regulatory landscape and
Industry priorities
Important parts
E-communications in the Finance sector
The denomination “finance sector” describes a complex mesh of different
actors who achieve different missions and goals.
Their interaction is also complex and is better understood when adopting a
high-level view of the sector and exploring specific areas when required.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
Page |8
Sector structure
A taxonomy of relevant stakeholders was identified including associations
and regulation institutions.
This taxonomy aims to identify where information security concerns could
be of relevance.
Figure 1 – Taxonomy of stakeholders presents a high-level view of the
European Finance sector main actors, including the relevant authorities.
The resulting taxonomy considered categorises stakeholders according to
four main categories, namely:
-
Banks,
-
Service Providers,
-
Professional Associations
-
Authorities.
In the area of Financial Authorities, we can distinguish two different levels:
National Supervisory Authorities are in charge of financial
institutions supervision.
European Supervisory Authorities work to improve the functioning
of the internal market by ensuring appropriate and harmonised European
regulation.
The term Financial Service activities encompasses the “Banks” and “FI
Service Providers” categories.
These non IT/ICT activities can be considered as “core business” and
consist overall in redistributing funds other than insurance, pension
funding or compulsory social security.
The following activities are considered:
Monetary Intermediation (Central banking, other monetary
intermediation): this group includes transferable deposits (i.e. funds,
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
Page |9
obtained on a day-to-day basis not only from central banking, but from
other non-financial sources);
Holding companies: this class includes the units that hold the assets
(owning controlling-levels of equity) of a group of subsidiary corporations
which own the group; the holding companies in this class do not provide
any other service to the businesses in which the equity is held (i.e. they do
not administer or manage other units);
Trust, funds and similar financial entities: this class includes legal
entities organized to pool without managing securities or other financial
assets on behalf of shareholders or beneficiaries; the portfolios are
customised to achieve specific investment characteristics such as
diversification, risk, rate of return and price volatility.
These entities earn interest, dividends and other property income, but have
little or no employment and no revenue from the sale of services;
Other financial service activities, except insurance and pension
funding: this group includes financial service activities except those
conducted by monetary institutions.
Communications flows
The historical purpose of the finance sector is to provide three types of
services:
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 10
-
Safe storage for financial assets;
-
Financial assets movements capabilities (and transactional support);
-
Access to financial instruments (Payments, Funds, Securities, Trade).
Overall, financial institutions (e.g. Banks, Corporate and Investment
companies) act as brokers to borrowers on one side and lenders on the
other side.
They rely on several intermediaries, who provide services ranging from
depositaries to communications activities.
The key function of the finance sector is therefore the safe storage and
communications of assets (cash, gold, securities, etc.).
This implies that financial institutions must be able to:
-
Store those assets in a secure fashion;
Communicate with comparable security levels with their
counterparts, i.e. their customers, their providers, their central banks, etc.
The protection of stored assets is comparable to a medieval fortress: for
ages, banks have built vaults, safes, and those were protected by safeguards.
Nowadays, ledger books are entirely digital; physical assets are rarely
moved, but banks keep track records of each account statements and
transactions in their books.
The protection of assets in transit (i.e. transactions) require specific
dedicated protection measures to avoid crime, theft or fraud.
The usual technologies are used (cryptography, tunnels, etc.), over a variety
of infrastructures that are detailed at a later stage.
The finance sector is actually a mesh of smaller, very specific functions
which need permanent communication channels with their counterparts.
For example, Banks need to be able to communicate on request with:
-
Clearing Houses, both at National and European levels;
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 11
Settlement platforms (e.g. TARGET2, national platforms now
provide a bridge to the central bank since the adoption of the Euro).
-
Stock Markets;
-
Payments processors.
-
Etc.
Some of these smaller functions may be grouped within a larger holding
company, and therefore communications may happen internally in those
finance groups.
Indeed, over the past 30 years a consolidation of several Banks or other
financial functions through mergers and acquisitions was observed.
In such large groups, all communications happen on entirely private
networks.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 12
Banks and Payment processors need to relate themselves to National and
European reserves, and therefore use their settlement platforms when a
movement of funds is operated (after it is cleared).
Depending on their size, they either have a direct connection to these
platforms, or they may use “service providers” who can register them as
participants.
In Europe, an international dimension is present in addition to the national
dimension in many cases; high volumes of transactions are processed
cross-border.
Figure 2 below pictures information flows between Banks, Clearing Houses
and Settlement platforms (European and National).
Network infrastructures
Overall, the means for communications that financial institutions use are
numerous.
They tend to make equal use of public and private networks, for which they
can either be fully in control or be totally dependent on their providers’
security and resilience features and operations.
Infrastructure types
Four main categories of networks are used in the finance sector:
Public (i.e. telephone networks, internet, etc.), which are used mostly
for customer interaction. In this case, Resilience is managed by the ICT
provider, and Security by the financial institution.
Shared Leased / Owned (information networks e.g. Reuters and
some Trade Markets) which are used to access “business” networks.
Resilience and Security are both managed mostly by the service provider.
Leased / Owned (private) lines usually connect headquarters to local
branches or to datacentres, or to their worldwide branches. They are
provided by ICT Operators and financial institutions use those lines for all
internal connectivity (voice, data, multimedia).
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 13
Resilience is managed by the ICT provider (although financial institutions
may choose to establish redundant connectivity), and security is fully
managed by the financial institution.
Provided lines come with the subscription to a service or a platform,
and are completely out of the financial institutions’ control, except at the
moment of deciding which type of installation is contracted (e.g. SWIFT).
International Networks
Banks may often establish one to one private links with counterparts to cut
costs and avoid the fees imposed by IT service providers.
Many respondents however prefer to use IT service providers for such
purpose.
Many respondents referred to SWIFTnet as an IT service provider: SWIFT
(The Society for Worldwide Interbank Financial Telecommunication)
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 14
provides a proprietary information network enabling financial institutions
to communicate financial messages in a standardised, secure and
trustworthy environment.
SWIFT operates in 200+ countries and therefore provides an access point
to many types of international markets and counterparts.
SWIFT provides the infrastructure, the software, standardised message
formats, input validation and many associated services to their customers.
SWIFT participants have however no control on the security and resilience
measures of the software or the network; they have to trust that both their
main and backup gateways will operate and that messages flow is never
interrupted.
National and European Networks
At National and European levels, the same scenario may occur as described
above.
However, the access to Euro settlement platforms (and therefore to the
European Central Bank) is a specific service to the TARGET2 platform.
European countries have implemented national gateways to the TARGET2
SSP (Single Shared Platform), which is operated by the Central Banks of
Germany, France and Italy.
For a few years now, participants are required to interact through the SSP,
and no longer through their National Central Bank.
The SSP includes a SWIFT gateway, however “Each TARGET2 participant
has to subscribe to the relevant SWIFT service according to its own
participation profile”.
In Italy, SIANET is a private network provider, which can also route all
national interbank commercial payments (commercial payments, credit
card transactions, check truncation, etc.) according to the standards
defined for RNI (Rete Nazionale Interbancaria).
In Interbanking communications taking place through SIANET, all
messages are authenticated and depending on the use, encrypted.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 15
IT service providers
The primary function of the Finance sector is traditionally far from
information technology preoccupations, and the Finance sector’s IT Banks
and financial institutions faced major challenges in automating their
business processing.
They built entire internal IT functions to address the arising needs.
These daughter companies are often however legally separated from their
parent company, and obtain a specific status (e.g. PSF “professionels du
secteur financier” in Luxembourg) and therefore a specific regulation.
Those IT Service Providers are often fully dedicated to provide their mother
company with internal services.
In some cases, they also externalise some services to other companies.
Their status remains however the same as regards to the law as they need to
demonstrate compliance to their mother company’s regulatory
requirements by extension.
They however are usually ahead of regulations as they apply a risk-based
security governance which is driven by the security of their assets.
In some cases also, these companies have been established as
joint-ventures.
Service Gateways
Many service providers offer gateway services to SWIFTnet, and their
customers are typically smaller participants.
Communication between such players usually takes place over the Internet,
analogous to companies connecting to their banks to make payment
instructions or to retrieve account information.
Many of these providers have a European presence, but can also operate
from non-European countries.
Network and Information Security (NIS) drivers in Finance
Overall, the Industry uses three main layers for their information systems’
security governance:
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 16
External oversight describes both the impact of standards and
regulations which impact networks and information security directly or not.
Internal governance describes the strategic alignment to business
objectives, depending on which types of NIS architecture are necessary to
support the business model.
NIS operations describe the managed activities that allows the actual
security to operate on a daily basis.
According to Industry participants, international standards usually serve as
a reference, but some national standards also exist in larger European
countries which are taken into account when regulation is high-level.
About the influence of foreign regulations
The influence of international regulations and standards is significant for
several reasons.
Two influential examples are significant:
Basel III requires better liquidity provisioning; this will lead to a need
for banks to be able to reconstitute liquidity stocks at the end of day on the
Interbanking market.
Banks tend to develop such provisioning with a trusted counterpart (i.e. call
“operational intimacy).
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 17
A secure communication link is therefore critical for such type of
communications;
- SOX requires the control of the “internal control systems” (sections 302
and 404, namely “Corporate responsibility for financial reports”, and
“Management assessment of internal controls”).
Both sections do not list which internal controls are required, which lead in
the finance sector to largely adopt COSO or CoBIT as control frameworks.
As a consequence, Security is covered as voluntary measures under the
following pillars: Security policy, standards, access and authentication,
network security, monitoring, and segregation of duties, physical security.
Companies regulated under SOX which have a European presence are
therefore required to follow SOX requirements.
Standards and Supervision
International and National Standards are also often used as a mechanism to
further define some specific, non-regulatory guidance on NIS matters.
Several voluntary standards [such as the German IT- Grundschutz Manual,
the UNI CEI ISO/IEC 27001:2006 Standard and the Industrial Standard
PCI Data Security Standard (PCI DSS)] are frequently highlighted by the
involved respondents.
This approach appears to provide a double benefit: it improves security
measures’ technical adequacy (while regulations’ requirements remain at a
general/service level) and provides Supervisory Authorities with a clear and
immediate understanding of the approach adopted: Supervisory authorities
prefer to understand whether or not the operator adopted sound security
controls instead of providing evidences of a specific technical measures in
place.
The implementation of commonly recognised standards serves this
purpose.
For instance, the Industrial Standard PCI Data Security Standard (PCI
DSS) was designed by the association of several payment providers
(American Express, Discover Financial Services, JCB, MasterCard and Visa
International) in order to improve the security baselines of major payment
channels.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 18
This standard was mentioned by many respondents as a key point of
reference in the field, besides regulations, and extended beyond the
payment industry.
At Member State level, Regulations for Finance’s Technology vary widely
both in depth and scope coverage.
National central banks and National Financial Supervisory Authorities10
form the National regulatory foundation.
Banks are responsible for ensuring that their systems pass their supervision
audits, and also that they contractually provision adequate security levels
from their service providers.
Typically, supervisors analyse and challenge the security specifications and
practices (whether the implementing party will be the banks themselves or
external system and service providers).
The typical mechanisms observed therefore are:
-
Regulations define high-level obligations;
Supervisory Authorities use Standards (national or international) to
assess the application of regulation.
Beyond the international standards cited by all, Member States have
developed standards that address more specifically their own needs, e.g.:
Minimum Requirements for Risk Management (The German Federal
Financial Supervisory Authority)
The German Federal Financial Supervisory Authority (Baffin) provides a
framework for risk management for German financial institutes. It is based
on EU Directive 2004/39/EC.
This framework relates to Senior Management’s responsibilities, general
requirements for risk management and resources including personnel,
systems, technical facilities and related processes as well as contingency
plans.
It includes references to the IT-Grundschutz Catalogues of the Federal
Office for Information Security (Bundesamt für Sicherheit in der
Informationstechnik – BSI) and the ISO/ICE 27002.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 19
Banking Act (Gesetz üben das Kreditwesen): The German
Federal Financial Supervisory Authority:
The German Federal Financial Supervisory Authority (BaFin) refers to the
Banking Act (Kreditwesengetz – KWG) in banking supervision.
The Banking Act lays down rules for banks which they have to observe when
they are being established and when they are carrying on their business.
Rules are designed to enable smooth functioning of the banking system,
and it includes top-level description of very basic requirements.
For example, the Banking Act states that:
The credit institution and BaFin shall put in place state-of-the-art
measures to safeguard data protection and data security.
They shall guarantee the confidentiality and integrity of the retrieved
and transmitted data.
This state of the art is defined by BaFin in consultation with the Federal
Office for Information Security; actual measures are not described in the
Banking Act.
-
Swiss National Bank: The National Banking Act 3/2004
The Swiss National Banking Act obliges the National Bank to oversee
systems operating clearing, settlement and other financial instruments.
The text applies also to operators that are domiciled abroad, provided that
substantial parts of the operation or leading participants are located in
Switzerland.
The Banking Act states that the National Bank may demand that minimum
security requirements are fulfilled.
The Finnish Financial Supervisory Authority: Management of
operational risk, standard 4.4b
The supervision standard establishes an obligation for operational risk
management in financial organisations.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 20
It provides detailed instructions on special subjects such as process
management, staff, information and payment systems, information
security, continuity planning, and legal risks.
Chapter 6.8 covers payment systems and payment services. There are eight
(8) controls that banks "shall adopt".
These include payment systems characterisation, means of payment,
stating principles for fund transfers in payment systems, ensuring internal
control for efficient and secure payment services.
Industry’s prospect
Often, industry perceives regulations as yet an additional constraint that
they have to comply with; this is a strong dichotomy with the original intent
of regulations and standards.
The natural step after assessing the regulatory landscape is not intended to
increase the depth or scope of such regulations, but to better understand
which mechanisms can help the sector altogether to improve their security
baseline.
The Industry’s concerns are usually orthogonal to the usual scope covered
in the Regulatory landscape.
This can be easily explained:
Mature companies already comply with regulatory requirements, and
their maturity level allows them to consider further risks;
Less mature companies are essentially driven by threats and risks
and address these in a less proactive manner.
The purpose of studying this dimension is to better understand where the
needs are, to define recommendations for future support to industry
beyond their usual compliance exercise.
Risks and Challenges
In general, large international banking groups demonstrated a good
understanding of the Risk Landscape and the available Security schemes.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 21
Many companies follow a clear Information Security Management System
(ISMS), and adopt Standards and Control frameworks as part of their
Security Governance.
Many banks have introduced further good practices especially in the area of
IT governance (e.g.: roles and responsibilities; certification to the
International Standards like ISO27001 and 22301) and demonstrate a clear
information security strategic vision.
Security related prescriptions are mostly reported in national regulations or
are defined by sector-internal strategies.
In some Member States, industry stakeholders publish high-level security
and compliance strategies and participate in exercises planned by their
Central Bank.
Medium-sized stakeholders demonstrate limited top management
involvement, limited capacity to be certified against current international
standards, and a de-prioritisation of security investments.
Such difference of situation is not new, it is also not specific to the Finance
sector.
The aim is to understand where such prospects could impair Financial
resilience altogether.
Risk Management Domains
Typical risk management practices and threats are well known and
understood by respondents.
Respondents especially mentioned that “Risk Management” was not
NIS-specific, which was later confirmed by literature review.
The finance sector manages mainly risk in “sectors”, and they make a clear
distinction between Financial, Operational and IT risks.
Figure 14 sets the Information Security risk domain in the overall
perspective; it expands broadly across all categories.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 22
Typically, NIS therefore belongs to the information risk area despite having
a potential impact on the three pillars above mentioned.
In the opinion of several respondents, NIS risk is a horizontal risk that
pertains to all the others:
-
Poor input controls may lead to fraud risks;
Insider threats were reported by many as a “hot topic” in several
member states, which could be both categorised under “Finance risk” or
“Information Security Risk”;
Payment being almost entirely digital nowadays also relates more to
an Information security risk than a purely financial risk;
-
Etc.
Security governance
At present, the Security Governance and the NIS Risk management are
therefore typically part of the Technology divisions.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 23
Interviews revealed that in many cases, top management is only formally
involved once a year, as this constitutes in many Member States a binding
prescription.
Respondents underlined that, as the CISO often reports to the CIO, both
budget lines conflict in times of ICT budget restrictions.
In particular, CISOs suggested that the Security budget (Safety, ICT
Security, and Security Continuity) should be separated from all other
budgets and be approved directly by the Board of Directors.
In addition, the Board of Directors should appoint one of its members as a
delegate for the company’s security.
In light of these considerations, this topic should possibly be further
discussed and pragmatic solutions be presented in the light of the
upcoming directives (NIS and PSD2).
Security assessments
The replies collected concerning the usual security assessment practices
were in line with the requirements usually found in international
standards.
Several statements support this observation, e.g.: «CISO defines policies,
structures and techniques …», « Vulnerability analysis is carried out every
year…»; «Risk Assessment and Business Impact Analysis at least
annually»; «all security incidents are logged, classified, analysed, and
discussed with internal audit and at the periodical management’s review
meeting».
The answers collected on the “systematic security assessments” topic
suggest that most actors operate in an adequate way fulfilling all regulatory
and standards requirements.
Other aspects of the feedback received also suggest that the approaches
implemented, the binding prescriptions, the voluntary measures /
strategies aim at enhancing information security both globally and
in-depth.
Mitigation limitations
Three dimensions of complexity
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 24
The structure of the finance sector is complex overall. Threats and potential
weaknesses vary according to the business type and the security model
adopted: for instance, Investment banks or high frequency trading (HFT)
might face difficulty in ensuring the continuous and balanced provision of
information security in their activities.
Customer-facing operators might be more exposed to risks related with the
rapidly evolving technological environment.
On the other hand, while the technological environment is rapidly
changing, the business and financial services landscape is also rapidly
evolving (e.g. new competitors, emerging market models, etc.).
The combination of these trends influence the degree of complexity of the
financial sector itself and of the information security management
requirements.
Supply chain in security measures
The key issue reported by participants during our interview process relates
to the dichotomy between the security objectives / obligations of their
company, and the fact that many aspects are totally under 3rd party
control: this remark applies both to messages / networks service providers.
Likewise this issue seems to extend to other supply areas: Banks are
responsible for instance for the protection against data leaks, but cannot
always configure entirely the devices they purchase (mobile phones, tablets,
laptops, servers, operating systems, etc.).
Another issue was reported several times and is noteworthy: the need for
including the entire supply chain as part of principle security measures.
Respondents mentioned several outsourcing contracts with major
providers (e.g. Telecom Operators, SWIFT, IBM, Microsoft, …).
They perceived that such world-class providers implement and maintain
satisfactory security levels on their services.
Smaller providers are also used, and respondents felt that these might be
more subject to breaches; such attacks might be aimed those weaker links
as a way to enter the target victim.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 25
Last but not least, when required, respondents mentioned many
international standards (ISO 27001, 31000, 22301) but none cited ISO
28000, confirming that supply chain security requires more attention.
Privacy considerations
Current technology allows both private companies and public authorities to
use personal data on an unprecedented scale in order to pursue their
activities.
Individuals increasingly make personal information available publicly and
globally.
Because of the close relation between information technology’s evolution
and economic development, personal data protection play a central role in
the Digital Agenda for Europe, and more generally in the Europe 2020
Strategy.
A “personal data breach” is defined by Directive 2002/58/EC in Article 2 as
“a breach of security leading to the accidental or unlawful destruction, loss,
alteration, unauthorized disclosure of, or access to, personal data
transmitted, stored or otherwise processed in connection with the provision
of a publicly available electronic communications service in the
Community”.
Skills shortage
Finally, although risk and security issues are very well understood among
operators, many issues still remain.
The finance sector operators manifest a positive tendency to invest in IT
security, with a growth in the amounts invested varying from +6% to +10%
in the past years.
Nevertheless, a lack of skilled and competence staffing persists in the field
of IT security in the finance sector, which leads many finance operators to
contract external experts or consultancy companies to secure their
infrastructures and communications.
Such security functions should however be considered more critical since
those experts are requested to sign non-disclosure agreements (NDAs).
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 26
Desirable features
The NIS management instruments mentioned are numerous in the sector,
and many of them expressed limited concerns related to their ability to
manage an adequate security level.
In some cases, a few of them hoped for:
-
Company cultural change to integrate more future security insights;
-
Improved corporate NIS awareness and involvement;
Consolidated standards and guidelines for implementing sustainable
security strategies;
Voluntary NIS exercises both at national or European level, with the
inclusion of their supply chain.
The first topics may be addressed by additional supervisory requirements,
in the member states where NIS governance is covered by the law.
In the others, raising the awareness on such issues may be a possible
alternative.
The two following topics (NIS guidance and cooperation) are further
detailed below:
From Compliance to Sustainable Security Objectives
The finance sector, overall, is perceived as being a “state of the art”
implementation of sustainable security measures in almost all areas (e.g.
Web Banking security, internal security procedures).
In most cases, the compliance to Supervisors’ requirements comes usually
as an addition to high-level regulations and is a compliance exercise.
However, Supervisory requirements on Information Security differ widely
from one country to another and the compliance exercise can become
extremely complex.
Unlike business areas –where finance instruments are already supervised
under the Single Supervisory Mechanism (SSM)- the supervision
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 27
convergence for network and information security is still a work in
progress.
Additionally, Financial Services that operate worldwide are also bound by
foreign legislation.
This compliance overhaul is increased when IT Infrastructures are either
outsourced or physically reside under remote legislations: the use of Cloud
Computing creates much supervisory and compliance concerns.
Many respondents also related that they are rarely fully aware of all the
implications and impact of regulatory requirements; they felt these were
scattered across several different texts, and that a single implementation
guideline would be precious.
Furthermore, current regulations were criticised for considering mostly the
prevention of “Financial Incidents”.
The risks arising from information security, data confidentiality or business
continuity could be encompassed as critical component of the financial
stability.
This reveals a demand for assessing the financial system’s resilience
globally; a combined Business/IT stress-testing was also advocated at large
scale.
Cross Sector / Cross Border Cooperation opportunity
The extra-mile to enhanced security and resilience was recommended to be
approached using self- commitment and cooperation, possibly supported
by the guidance of National IT Supervisors.
Furthermore, since Regulation should establish principles rather than
specific measures, Interviewees felt that recommendations should not lead
to strengthen regulation as a result.
Self-commitment to guidelines and standards is perceived as a practical
and pragmatic method. Such guidance would benefit greatly to smaller
institutions which do not face the same challenges as larger ones.
Global European cooperation and Good Practices sharing could allow a
better understanding of the Risks and Security challenges faced by the
Finance Sector.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 28
Any means of cooperation should include the relevant stakeholders from
regulators, banks, system and service providers, clearing houses, and other
relevant parties.
Contingency planning and exercises
A majority of respondents stressed the importance of contingency plans’
testing recurrence.
Besides being able to demonstrate that information security is managed,
and that contingency plans are established, there is a need to demonstrate
its periodical testing and update.
Respondents suggested that an optimal recurrence for such exercises would
need to follow a two-fold principle:
1.
Contingency plans testing is requested at least once a year, although
for very critical components and infrastructures it would be even most
appropriate to having it test twice a year;
2.
Contingency plans testing is necessary each time major changes
occur in the management structure or in the physical infrastructure: this
helps to ensure that the plan is consistent to the changed conditions are
eventually appropriately updated.
In a few Member States, operators are required to periodically test their
contingency plans, and also to develop scenarios in cooperation with their
partners and service providers to guarantee that the entire supply chain is
appropriately tested.
Respondents mentioned the fact that finance sector operators might be
required to comply to regulations related to critical infrastructure security.
This approach, while it improves practical security levels, demands
additional compliance efforts from finance sector operators.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 29
The Basel Committee's work
programme for 2015 and 2016
The work programme for 2015 and 2016 is
structured around four themes:
5. Policy development;
6. Ensuring an adequate balance between
simplicity, comparability and risk
sensitivity across the regulatory
framework;
7. Monitoring and assessing implementation of the Basel framework;
and
8. Improving the effectiveness of supervision.
During 2014 the Basel Committee published a number of final standards
and consultative documents.
Policy development
The Committee will continue to pursue its post-crisis reform agenda, with a
focus on restoring confidence in capital ratios.
This includes revisions to existing methods of measuring risk-weighted
assets.
For example, revisions of the standardised approaches for credit, market
and operational risk have been published for consultation.
In addition, other policy development work is well advanced.
This includes a capital floor based on standardised approaches,
consideration of simple, transparent and comparable criteria for
securitisations, the fundamental review of the trading book and interest
rate risk in the banking book.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 30
There is also ongoing work with the Financial Stability Board related to the
adequacy of loss-absorbing capacity of global systemically important banks
(G-SIBs) in resolution.
In addition to existing policy initiatives, there are three policy-related
issues which the Committee is undertaking:
1. Assessing the interaction, coherence and overall calibration of the
reform policies;
2. Reviewing the regulatory treatment of sovereign risk; and
3. Assessing the role of stress testing in the regulatory framework, in
light of national developments.
Interaction, coherence and overall calibration
Now that the major elements of the reform agenda have been agreed, the
Committee will assess the interaction, coherence and overall calibration of
the reform policies.
The aim of the Committee's work on coherence is to consider how the
various regulatory metrics interact and whether the calibration and design
of the various elements of the framework are consistent with their intended
objectives.
The regulatory framework that has emerged following the crisis is one with
multiple metrics.
Compared with the pre-crisis framework - which relied only on the
risk-weighted capital ratio - the revised regulatory framework now includes
a leverage ratio, large exposure limits, the liquidity coverage ratio, net
stable funding ratio and forthcoming loss-absorbing capacity requirements
for G-SIBs in resolution.
In addition, as described in more detail below, stress testing has played an
increasingly important role in a number of jurisdictions.
The Committee will further assess the potential interactions among these
metrics, including the extent to which the various measures bind across
different banks and drive bank behaviour.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 31
This shift to multiple metrics and greater reliance on stress testing reflects
the importance of an eclectic regulatory framework, relying on a range of
complementary regulatory measures and supervisory judgement.
Such an approach is more robust to arbitrage and erosion over time, as each
measure offsets the shortcomings and adverse incentives of the others.
For example, the leverage ratio provides an absolute cap on leverage, but,
by itself, could incentivise banks to increase their holdings of higher risk
assets.
The risk-weighted framework compensates for this as it constrains any
bank that materially increases its risk profile without any commensurate
regulatory capital to fund its balance sheet.
The LCR requires banks to maintain a prudent buffer of high quality liquid
assets.
The Committee is committed to finalising the calibration of the leverage
ratio, revising the standardised approaches and implementing a capital
floor.
As part of this work, the Committee will also consider how the interaction of
the various metrics should influence the calibration of these policy items.
Sovereign risk
The Committee has initiated a review of the existing regulatory treatment of
sovereign risk and will consider potential policy options.
The review will be conducted in a careful, holistic and gradual manner.
Stress testing
The Committee plans to further investigate current approaches to stress
testing across jurisdictions and to discuss the role of stress testing in the
Basel framework, particularly how stress testing relates to the existing
Pillar 1 (minimum requirements) regulatory framework.
This work follows the increasing importance of stress testing in many
countries, both as a supervisory tool and as a method for determining bank
capital requirements.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 32
Simplicity, comparability and risk sensitivity
Work on simplicity, comparability and risk sensitivity combines the issues
emerging from the Committee's top-down review of the framework along
with the bottom up work on risk-weighted asset variability, which were
detailed in the Committee's November 2014 report to the G20 Leaders.
The G20 report sets out the measures the Committee is taking to simplify
the regulatory framework, and to improve consistency and comparability in
bank capital ratios, thereby restoring confidence in risk-weighted capital
ratios.
The Committee is also working to improve the presentation of its web
pages, including the consolidation of the Basel framework into a single
volume.
Monitoring and assessing implementation
The Committee will continue to monitor and assess its members'
implementation of the Basel framework.
The Regulatory Consistency Assessment Programme (RCAP) is the means
by which the Committee evaluates member jurisdiction's adoption of its
standards.
The RCAP will be expanded to also cover Basel III's liquidity standards and
the frameworks for global and domestic systemically important banks.
Improving the effectiveness of supervision
The Committee will continue its work on improving the effectiveness of
supervision.
In particular, the Committee will focus on supervisory practices related to
stress testing, valuation practices and the role of Pillar 2 in the capital
framework.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 33
ECB press conference - introductory
statement
Introductory statement by Mr Mario Draghi,
President of the European Central Bank, Frankfurt
am Main
Ladies and gentlemen, the Vice-President and I are
very pleased to welcome you to our press conference.
Let me wish you all a Happy New Year. I would also like to take this
opportunity to welcome Lithuania as the nineteenth country to adopt the
euro as its currency.
Accordingly, Mr Vasiliauskas, the Chairman of the Board of Lietuvos
bankas, became a member of the Governing Council on 1 January 2015.
The accession of Lithuania to the euro area on 1 January 2015 triggered a
system under which NCB governors take turns holding voting rights on the
Governing Council.
The details on this rotation system are available on the ECB's website.
We will now report on the outcome of today's meeting of the Governing
Council, which was also attended by the Commission Vice-President, Mr
Dombrovskis.
Based on our regular economic and monetary analyses, we conducted a
thorough reassessment of the outlook for price developments and of the
monetary stimulus achieved.
As a result, the Governing Council took the following decisions:
First, it decided to launch an expanded asset purchase programme,
encompassing the existing purchase programmes for asset-backed
securities and covered bonds.
Under this expanded programme, the combined monthly purchases of
public and private sector securities will amount to €60 billion.
They are intended to be carried out until end-September 2016 and will in
any case be conducted until we see a sustained adjustment in the path of
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 34
inflation which is consistent with our aim of achieving inflation rates below,
but close to, 2% over the medium term.
In March 2015 the Eurosystem will start to purchase euro-denominated
investment-grade securities issued by euro area governments and agencies
and European institutions in the secondary market.
The purchases of securities issued by euro area governments and agencies
will be based on the Eurosystem NCBs' shares in the ECB's capital key.
Some additional eligibility criteria will be applied in the case of countries
under an EU/IMF adjustment programme.
Second, the Governing Council decided to change the pricing of the six
remaining targeted longer-term refinancing operations (TLTROs).
Accordingly, the interest rate applicable to future TLTRO operations will be
equal to the rate on the Eurosystem's main refinancing operations
prevailing at the time when each TLTRO is conducted, thereby removing
the 10 basis point spread over the MRO rate that applied to the first two
TLTROs.
Third, in line with our forward guidance, we decided to keep the key ECB
interest rates unchanged.
As regards the additional asset purchases, the Governing Council retains
control over all the design features of the programme and the ECB will
coordinate the purchases, thereby safeguarding the singleness of the
Eurosystem's monetary policy.
The Eurosystem will make use of decentralised implementation to mobilise
its resources.
With regard to the sharing of hypothetical losses, the Governing Council
decided that purchases of securities of European institutions (which will be
12% of the additional asset purchases, and which will be purchased by
NCBs) will be subject to loss sharing.
The rest of the NCBs' additional asset purchases will not be subject to loss
sharing.
The ECB will hold 8% of the additional asset purchases.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 35
This implies that 20% of the additional asset purchases will be subject to a
regime of risk sharing.
Separate press releases with more detailed information on the expanded
asset purchase programme and the pricing of the TLTROs will be published
this afternoon at 3.30 p.m.
Today's monetary policy decision on additional asset purchases was taken
to counter two unfavourable developments.
First, inflation dynamics have continued to be weaker than expected.
While the sharp fall in oil prices over recent months remains the dominant
factor driving current headline inflation, the potential for second-round
effects on wage and price-setting has increased and could adversely affect
medium-term price developments.
This assessment is underpinned by a further fall in market-based measures
of inflation expectations over all horizons and the fact that most indicators
of actual or expected inflation stand at, or close to, their historical lows.
At the same time, economic slack in the euro area remains sizeable and
money and credit developments continue to be subdued.
Second, while the monetary policy measures adopted between June and
September last year resulted in a material improvement in terms of
financial market prices, this was not the case for the quantitative results.
As a consequence, the prevailing degree of monetary accommodation was
insufficient to adequately address heightened risks of too prolonged a
period of low inflation.
Thus, today the adoption of further balance sheet measures has become
warranted to achieve our price stability objective, given that the key ECB
interest rates have reached their lower bound.
Looking ahead, today's measures will decisively underpin the firm
anchoring of medium to long-term inflation expectations.
The sizeable increase in our balance sheet will further ease the monetary
policy stance.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 36
In particular, financing conditions for firms and households in the euro
area will continue to improve.
Moreover, today's decisions will support our forward guidance on the key
ECB interest rates and reinforce the fact that there are significant and
increasing differences in the monetary policy cycle between major advanced
economies.
Taken together, these factors should strengthen demand, increase capacity
utilisation and support money and credit growth, and thereby contribute to
a return of inflation rates towards 2%.
Let me now explain our assessment in greater detail, starting with the
economic analysis.
Real GDP in the euro area rose by 0.2%, quarter on quarter, in the third
quarter of 2014.
The latest data and survey evidence point to continued moderate growth at
the turn of the year.
Looking ahead, recent declines in oil prices have strengthened the basis for
the economic recovery to gain momentum.
Lower oil prices should support households' real disposable income and
corporate profitability.
Domestic demand should also be further supported by our monetary policy
measures, the ongoing improvements in financial conditions and the
progress made in fiscal consolidation and structural reforms.
Furthermore, demand for exports should benefit from the global recovery.
However, the euro area recovery is likely to continue to be dampened by
high unemployment, sizeable unutilised capacity, and the necessary
balance sheet adjustments in the public and private sectors.
The risks surrounding the economic outlook for the euro area remain on the
downside, but should have diminished after today's monetary policy
decisions and the continued fall in oil prices over recent weeks.
According to Eurostat, euro area annual HICP inflation was -0.2% in
December 2014, after 0.3% in November.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 37
This decline mainly reflects a sharp fall in energy price inflation and, to a
lesser extent, a decline in the annual rate of change in food prices.
On the basis of current information and prevailing futures prices for oil,
annual HICP inflation is expected to remain very low or negative in the
months ahead.
Such low inflation rates are unavoidable in the short term, given the recent
very sharp fall in oil prices and assuming that no significant correction will
take place in the next few months.
Supported by our monetary policy measures, the expected recovery in
demand and the assumption of a gradual increase in oil prices in the period
ahead, inflation rates are expected to increase gradually later in 2015 and in
2016.
The Governing Council will continue to closely monitor the risks to the
outlook for price developments over the medium term.
In this context, we will focus in particular on geopolitical developments,
exchange rate and energy price developments, and the pass-through of our
monetary policy measures.
Turning to the monetary analysis, recent data indicate a pick-up in
underlying growth in broad money (M3), although it remains at low levels.
The annual growth rate of M3 increased to 3.1% in November 2014, up from
2.5% in October and a trough of 0.8% in April 2014.
Annual growth in M3 continues to be supported by its most liquid
components, with the narrow monetary aggregate M1 growing at an annual
rate of 6.9% in November.
The annual rate of change of loans to non-financial corporations (adjusted
for loan sales and securitisation) remained weak at -1.3% in November
2014, compared with -1.6% in October, while continuing its gradual
recovery from a trough of -3.2% in February 2014.
On average over recent months, net redemptions have moderated from the
historically high levels recorded a year ago and net lending flows turned
slightly positive in November.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 38
In this respect, the January 2015 bank lending survey indicates a further
net easing of credit standards in the fourth quarter of 2014, with
cross-country disparities decreasing in parallel with an increase in net
demand for loans across all loan categories.
Banks expect that these dynamics will continue in early 2015.
Despite these improvements, lending to non-financial corporations
remains weak and continues to reflect the lagged relationship with the
business cycle, credit risk, credit supply factors and the ongoing adjustment
of financial and non-financial sector balance sheets.
The annual growth rate of loans to households (adjusted for loan sales and
securitisation) was 0.7% in November, after 0.6% in October.
Our monetary policy measures should support a further improvement in
credit flows.
To sum up, a cross-check of the outcome of the economic analysis with the
signals coming from the monetary analysis confirmed the need for further
monetary policy accommodation.
All our monetary policy measures should provide support to the euro area
recovery and bring inflation rates closer to levels below, but close to, 2%.
Monetary policy is focused on maintaining price stability over the medium
term and its accommodative stance contributes to supporting economic
activity.
However, in order to increase investment activity, boost job creation and
raise productivity growth, other policy areas need to contribute decisively.
In particular, the determined implementation of product and labour
market reforms as well as actions to improve the business environment for
firms needs to gain momentum in several countries.
It is crucial that structural reforms be implemented swiftly, credibly and
effectively as this will not only increase the future sustainable growth of the
euro area, but will also raise expectations of higher incomes and encourage
firms to increase investment today and bring forward the economic
recovery.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 39
Fiscal policies should support the economic recovery, while ensuring debt
sustainability in compliance with the Stability and Growth Pact, which
remains the anchor for confidence.
All countries should use the available scope for a more growth-friendly
composition of fiscal policies.
We are now at your disposal for questions.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 40
Solvency II: transitional
measures on risk-free
interest rates and technical provisions
1
Introduction
1.1
This supervisory statement is of interest to all UK insurance firms
within the scope of Solvency II and to the Society of Lloyd’s.
The PRA expects firms to read this statement alongside all relevant
European legislation and relevant parts of the PRA Rulebook.
1.2
The PRA is publishing this statement to set out expectations of firms
in relation to how participations in insurance and reinsurance undertakings
are accounted for in the Solvency Capital Requirement (SCR) at solo level.
The PRA regards the benefits of providing appropriate levels of
policyholder protection from exposure to the risks associated with such
participations as proportionate to compliance costs, which are not expected
to increase compared to the current approach.
1.3
The statement sets out issues that the PRA expects firms to have
considered when calibrating their internal models to ensure that they
adequately address the risks posed by those participations.
1.4
This statement expands on the PRA’s general approach as set out in
its insurance approach document.
By clearly and consistently explaining its expectations of firms in relation to
the particular areas addressed, the PRA seeks to advance its statutory
objectives of ensuring the safety and soundness of the firms it regulates,
and contributing to securing an appropriate degree of protection for
policyholders.
The PRA has considered matters to which it is required to have regard, and
it considers that this statement is compatible with the Regulatory Principles
and relevant provisions of the Legislative and Regulatory Reform Act 2006.
1.5
The PRA is publishing this statement to set out expectations of firms
in relation to how participations in insurance and reinsurance undertakings
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 41
are treated when the SCR is determined at the solo level using an approved
internal model.
The PRA expects benefits from the maintenance of the levels of
policyholder protection envisaged by Solvency II requirements, by
clarifying its expectation that capital requirements should reflect the
economic reality of exposure to the risks associated with such
participations.
Some firms may see their SCR increase compared to what they had been
expecting if they were contemplating a different approach.
The PRA does not regard these costs as incremental compared to Solvency
II requirements (which are set out below).
The PRA regards the benefits of this statement as proportionate to the
costs.
It also expects to facilitate effective competition by ensuring that firms are
held to a common standard for policyholder protection.
1.6
The proposals in this draft supervisory statement would not have any
direct or indirect discriminatory impact under existing UK law.
2
Risks posed by participations in insurance and reinsurance
undertakings
2.1
Where a firm owns a participation in an insurance or reinsurance
undertaking, this will appear as an investment on the firm’s balance sheet.
This will generally pose a risk to the firm as if the undertaking in which the
participation is held suffers a loss, this will impact the participating firm’s
balance sheet.
This risk should be reflected in the solo SCR for the participating firm.
2.2 When considering how to reflect this risk in an internal model, firms
may consider it appropriate to examine the characteristics of the assets and
liabilities of the undertaking in which the participation is held and the risks
arising from these.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 42
Firms may also consider the extent to which the risks of the assets and
liabilities of the participant might diversify with the assets and liabilities of
the participation.
2.3 Firms should also consider the risks posed by any obstacles to
covering losses with resources currently held in the form of a participation
in related undertakings.
These obstacles might arise from any barriers to moving resources between
entities, taking into account the lack of diversification under extreme
scenarios.
2.4 As well as requiring that internal models should take account of all
material risks, the Solvency II Regulations require that the assumptions
underlying the system used for measuring diversification effects should be
justified on an empirical basis.
Firms will therefore need to demonstrate that any allowance for inter-entity
diversification in the calculation of the solo SCR appropriately takes
account of restrictions on transferring resources between the participant
and the participation.
2.5 Firms’ attention is drawn to the draft European Insurance and
Occupational Pensions Authority (EIOPA) Guidelines which state that the
calculation of the solo SCR should not be replaced with a consolidated
calculation as though the participating undertaking and its related
undertaking were a Solvency II group.(2)
3
Group SCR calculation
3.1
For the avoidance of doubt, this supervisory statement does not
relate to the calculation of the group SCR.
The calculation of group own funds takes account of obstacles to
transferring resources between entities, meaning that these obstacles do
not need to be reflected in the group SCR.
3.2
This statement relates only to the calculation of the solo SCR.
Since the determination of own funds at a solo level does not consider
obstacles to transferring resources between entities, it is the PRA’s view
that any such obstacles should be reflected in the calculation of the solo
SCR.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 43
The BSP and the banking industry - weaving a
story of growth and development
Speech by Mr Amando M Tetangco, Jr, Governor of
Bangko Sentral ng Pilipinas (BSP, the central bank of
the Philippines), at the Annual Reception for the
Banking Community, Malate
On behalf of the members of the Monetary Board, your other hosts for
tonight: Finance Secretary Cesar Purisima (who is currently on official
mission abroad), Freddie Antonio, Phillip Medalla, Andy Suratos, Juan de
Zuniga and Val Araneta, I thank all of you for accepting our invitation.
This marks the 10th year that I am welcoming you to the Fort San Antonio
Abad for the BSP's Annual Reception for the Banking Community.
This is the only time in a year that the BSP hosts in one event, the
leadership of the Philippine banking industry - from the universal and
commercial banks to the thrift banks and the rural banks - in a
multi-sectoral gathering.
After all, the banking industry serves the cross section of our society. In
other words, all of us here have a stake in the banking sector, a very
important pillar of our economy.
As in the past, I will briefly review how we fared last year, discuss how we
see the operating environment for this year, and share how we can move
forward together to achieve even better results.
Review of 2014
Well, 2014 certainly turned out to be a good year for the Philippine
economy in general and for the banking sector in particular, although it did
not start this way.
About this time last year, we were faced with significant capital outflows
and as a result, the peso came under strong depreciation pressures.
In May to August, inflation spiked to levels that threatened the attainment
of the government's inflation target.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 44
In addition, losses from a series of natural disasters slowed our economy.
GDP grew 5.8% in the first three quarters last year, slower than in the
comparable period in 2013.
Even so, the Philippines still emerged as one of the fastest growing
economies in the region.
Indeed, our country's underlying story of resilience remained intact
through the challenges of 2014 with continuing economic and governance
reforms keeping us on the growth track.
On our part, the Bangko Sentral implemented preemptive and sequential
monetary and macroprudential policies that helped keep inflation
expectations in check and financial market exuberance at bay.
As a result, average inflation settled at 4.1 percent - this is the sixth year in
a row that we kept inflation within the government's target range.
The peso remained relatively stable. And while our Balance of Payments
showed a deficit due to capital outflows influenced by the Fed's decision to
end quantitative easing, our current account remained in surplus from
strong remittances and receipts from exports and BPOs.
This brought our foreign exchange reserves to nearly $80 billion, sufficient
to cover over 10 months' worth of imports of goods and payment for
services.
This provides a critical buffer against potential external shocks.
Underpinning the sustained growth of the Philippine economy is the
strong performance of our banking system.
Double-digit growth rates in lending continued to support economic
activities, as public confidence in banks sustained the rise in deposits to
record high levels.
The confidence is well deserved. For instance, even as lending continued to
grow, commercial and universal banks maintained the quality of their
loans, with NPLs as of September at 2.04% - the lowest since December
2009.
Certainly, we are seeing better governance, better management and more
investments in technology and capacity building from Philippine banks.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 45
Equally important, our stress tests indicate that our banks have enough
capital to withstand extreme shocks in credit and market risks.
Indeed, the accelerated adoption of Basel 3 capital requirements beginning
January last year is a measure not only of the strength of our banks - it is a
measure of the commitment and the readiness of our banks to help foster
overall financial stability.
Philippine banks are also becoming more financially inclusive.
We are witness to their increasing involvement in financial education, the
growing number of new deposit accounts starting with children, the greater
use of electronic money, the expanding size of the country's microfinance
portfolio and the wider coverage of our automatic teller machines or ATMs.
I am happy to share the good news that next week, the Bankers Association
of the Philippines, Bancnet and Megalink will formalize the consolidation of
the two ATM networks.
This is a milestone we have been looking forward to on the way to the
greater goal of establishing a National Retail Payment System (NRPS) that
will achieve inter-operability, efficiency, security and inclusiveness in the
way we settle financial transactions.
Indeed, the Bangko Sentral ng Pilipinas is pleased that the banking
community is fully engaged with us in the implementation of prudent and
systematic banking reforms.
I can say that today, our banking system is sound, profitable and stable; it
is responsive to the needs of the economy; it is responsible in managing the
funds entrusted to them by their customers; and it is increasingly inclusive.
Ladies and gentlemen of the Philippine banking sector, well done!
Congratulations!
Our banks are also highly rated by independent analysts. In 2014 for
instance, Philippine banks received awards and recognition for various
categories that are just too many to mention here.
In the interest of fairness therefore, I will desist from naming any such
awards.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 46
Suffice it to say, that people take note of these awards which should help
define your bank as we prepare for the opportunities and challenges that
come with ASEAN Integration.
In addition, it is a source of pride for us that when Moody's assessed 69
jurisdictions in 2014, it concluded that only the Philippine banking system
deserved a positive outlook - only one out of 69.
Outlook
Given all these, what is in store for us in 2015?
As policymakers of the National Government see it, our economy will grow
by 7-8 percent in 2015 while the inflation target is at 2 to 4 percent.
Other institutions and analysts project lower numbers for growth.
But there is one thing they have in common - the view that the Philippines
will continue to be comparatively buoyant.
However, there are risks that cloud the future.
The continuing uncertainty in the global financial markets is a concern as
geopolitical tensions go on and economic performance among major
economies remains divergent.
For instance, US economic growth continues to gain traction. With this, the
market anticipates the Fed will raise the Fed Funds target rate this year.
As a result, the US dollar has been strengthening against other currencies.
Apart from the US, however, other major economies are slowing down
weighed by debt, unemployment, weak demand and/or geopolitical
concerns.
These economies are moving toward stimulus programs or quantitative
easing.
This divergence in monetary policy between strong and weak economies
could unsettle markets.
While all of this was happening, the balance of supply and demand in the
oil market has triggered a precipitous decline in oil prices.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 47
I have been asked how a stronger dollar and cheaper oil will affect us.
Well, a stronger dollar would make our foreign exchange obligations more
expensive but, this will be countered by a smaller oil (import) bill from
lower oil prices.
The drop in oil prices will also ease inflation and benefit consumers.
Nevertheless, we need to be mindful of the risk of a sudden reversal in the
trend.
If low oil prices persist, the economies of oil-producing countries may
eventually weaken and adversely affect the global economy.
For certain, there will be pluses and minuses.
We could see sporadic market volatility in the interim.
Nevertheless, from our experience and track record, it can be said that we
are equipped to deal and handle these issues.
Let us also remember that we start 2015 with a credit rating that is two
notches into investment grade territory.
Higher state spending on infrastructure and the implementation of projects
under the public-private partnership program should also provide stimulus
for growth moving forward.
I believe, therefore, that even as episodes of stormy weather develop, the
Philippine banking community can face 2015 with confidence given its
strong balance sheet, solid capital base that exceeds global standards,
product innovations, and adherence to international standards for
governance and risk management.
Of course, we still need to continue working together on our reform agenda
to achieve a more inclusive financial system that promotes inclusive
growth, strengthen consumer protection, forestall emerging risks, and
ensure financial stability at all times.
This is the philosophy that underpins our reform program.
Together, let us craft the way forward to an even better, stronger and more
inclusive banking system.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 48
Only by doing so can we preserve the gains we have achieved so far.
And we do have a long way to go, given that 25% of Filipinos still live in
poverty.
Of course, there is so much more that our banks have empowered and
continue to support - from the cities to the countryside.
Ladies and gentlemen. I have learned in my almost 10 years as governor of
the Bangko Sentral that each year is different.
While our mandate remains the same, our operating environment is
constantly shifting and changing. Sometimes, it turns on its head.
So, how do we navigate in uncharted waters?
Well, with extreme care: we have to make sure that we are in shipshape
condition, that we are properly equipped for the journey ahead, and that we
remain watchful of possible risks. Ladies and gentlemen, I believe we are
ready to take on the challenges and opportunities that lie ahead.
Let us now offer a toast: May I request the members of the Monetary Board
to please join me on stage- To our continuing partnership in making our
banking industry a dynamic story of growth and development that benefits
our people and our country.
Cheers!... Mabuhay ang Pilipinas! Mabuhay po tayong lahat!
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 49
Cyber resilience - a financial stability
perspective
Speech given by Mr Andrew Gracie, Executive
Director of Resolution of the Bank of England, at the
Cyber Defence and Network Security conference, London
In the last few weeks in mainstream media cyber has been to the fore.
The hacking of Sony and related reports of attacks on nuclear reactors in
South Korea provide a salutary reminder of what we are up against.
The threat is there not only to steal data but to disrupt or destroy the
functions of a firm.
Detecting threats, being ready to respond to attacks and the capability to
recover all pose new challenges for firms in every sector.
In the finance sector, we have to contemplate the possibility that core
functions in firms, the financial market infrastructure that links them
together or the supply chains that support them, may be damaged in a cyber
attack, either through the corruption or loss of data or outright loss of
systems.
These are issues we already think about in the context of other types of
major operational disruption.
But the risks around cyber are different. Detection of a problem may be
more difficult.
There is not the same symmetry of information that there might be in the
event of bomb, flood or fire.
And the mechanisms we have put in place to manage these risks may not
protect against a cyber attack.
Our current approach to ensure firms are able to continue to operate core
functions in a major operational disruption involves ensuring that firms
have primary and secondary sites at a safe distance from each other and the
capacity to switch operations between the two without any extended
interruption in activity.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 50
But with cyber such common systems environments between primary and
secondary sites and mirroring of data between the two could, in the event of
a successful attack, result in a complete loss of systems, disrupting a firm's
capacity to operate and leaving the timeframe and route to recovery
uncertain.
Unlike most other forms of operational disruption, we know too with cyber
that this is not a game against nature.
There are groups out there that are motivated to attack the sector.
For most, the motivation is economic; that accounts for the rise in fraud.
But there are actors out there, sometimes state-sponsored, who may be
motivated to bring systems down and cause harm to the sector.
Their capabilities vary, but it is in the nature of cyber that attack types are
constantly evolving and readily scalable.
And the threat is international.
Attacks can originate anywhere around the globe.
This all implies a different disposition for cyber defence.
We should not expect to build an impermeable perimeter that, through
technology design, will withstand attack.
Rather we should expect the cyber threat to be ever-present, ever-evolving
and networks to be penetrated.
The capability to identify where this has occurred and to respond is key.
Part of this is active engagement with threat intelligence to understand
likely adversaries, their motivations and ways of working.
For all these reasons, addressing cyber risk in the financial sector is a high
priority for the Bank of England.
It touches on most of our responsibilities - as prudential supervisor of
financial firms, as supervisor of financial market infrastructure - and
operator of financial market infrastructure (of real time gross settlement
(RTGS)) - and as UK authority responsible for financial stability.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 51
Financial stability is the unifying objective in all of these responsibilities.
It means that, in the spectrum of cyber attacks, we are much more
concerned about those that have the potential to disrupt the UK system by
damaging the operations of key firms or financial market infrastructure and
to understand how that damage could transmit through the sector, than to
deal with individual cases of cyber fraud.
Such cases of consumer detriment are for the Financial Conduct Authority
(FCA), law enforcement agencies such as the National Crime Agency, the
police and the Home Office to address.
In response to the rise in the potential threat to UK financial stability from
cyber, the Financial Policy Committee (FPC) in June 2013 recommended
that the UK authorities should work with firms at the core of the system to
test and improve cyber resilience.
I want to spend the rest of this speech outlining what we have done in
response.
The accent has been on assessing the vulnerability of the UK financial
sector to cyber attack.
We are doing that in two ways: a cross-sector review of current risk
management practices with regards to cyber and vulnerability testing via
CBEST.
Let me describe these in turn.
As a first step in diagnosing the sector's cyber resilience, the UK financial
authorities issued a questionnaire to thirty six firms that make up the "core"
of the UK financial system.
This included the largest UK and foreign banks active in London and the
key payment and settlement systems, clearing houses and exchanges that
together are critical for delivery of the financial services that the wider
economy depends on.
The questionnaire provided for a detailed self-assessment by firms of how
they organise their cyber defences.
Its purpose was to enable UK authorities to take stock of resilience across
the sector and identify best practice across firms.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 52
Part of this was to be able to play back to individual firms where they stood
relative to best practice.
But lying behind this is the objective of raising resilience in individual firms
by ensuring that the network as a whole is resilient.
And given the importance of these firms to the stability of the financial
system, this implies a level of resilience that goes beyond basic cyber
hygiene but aims instead to ensure that firms are in a position to manage
Advanced Persistent Threats (APT) that are the hallmark of some
state-sponsored attackers.
We are currently discussing the results from these questionnaires directly
with firms.
You will appreciate that I cannot go into specifics.
But overall the responses did not reveal any immediate critical
shortcomings in the cyber resilience of the firms involved.
But they did point to areas for improvement that we will be following up on
with firms.
Let me list some common themes.
1. Cyber has changed the rules: existing operational resilience
arrangements are often geared to dealing with physical threats. These still
matter. But cyber changes the game.
Cyber is a dynamic, intelligent and adaptive threat.
In the cyber arms race, costs are stacked in favour of the attacker, not the
defender.
To meet the challenge, organisations need to have policies and processes
that are dynamic, intelligent and adaptive too.
This means investment in capability to identify threats and detect cyber
attacks.
Without this situational awareness it is hard to determine and achieve
appropriate maturity levels for cyber defence and to allocate resources
effectively to meet the threat.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 53
2. Cyber is not a minority sport for technologists only: Of course the first
line of defence is critical and we still need IT specialists who understand the
technical challenges cyber presents.
But good cyber resilience is about much more than technology.
It is about culture too and this means people and processes.
When Morgan Stanley reported recently its customer information had been
breached, this wasn't due to sophisticated hackers, rather an employee who
stole data from over 350,000 customer accounts.
All parts of an organisation need to understand cyber risk and their
responsibilities towards improved cyber hygiene.
This includes Board level engagement.
Front line business areas need to understand and own the risk.
Management of cyber vulnerabilities needs to feature in strategic planning.
3. Cyber requires effective and regular testing: Of people, processes and
technology.
Industry investment in cyber is significant but testing the effectiveness of
this investment has not kept pace.
Assurance is often based on audits and control sampling which is not
sufficient, not least because of the challenge for internal audit departments
to keep pace with change in this area. And of course, given the dynamic
nature of the threat, such tests should take place on a regular basis.
This leads me onto the other element of our response to the FPC
recommendation I wanted to talk about: vulnerability testing through the
CBEST program.
CBEST is a framework that we have developed working with government,
industry and commercial providers of penetration testing and threat
intelligence.
The idea is to bring to bear the best available intelligence on potential
threats to test directly a firm's ability to protect, detect and respond to cyber
attacks.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 54
The scope of a CBEST test is tailored to the business of the firm and the
critical services it provides.
Given the scope, relevant intelligence on threats and attack types is drawn
together from threat intelligence providers, including government sources,
and is used to design a series of tests that mimic the methods that are most
likely, according to the threat intelligence, to be deployed against the firm.
The companies providing the penetration test are accredited within a
framework that has benefitted from GCHQ input and delivery of the test is
within a controlled testing process agreed between the firm, the authorities
and the test provider.
The results should provide firms - and us - with a direct read on the
robustness of their defences to more sophisticated attack types and a gaps
analysis so that firms know what steps they need to take to improve their
resilience.
This is not a regulatory requirement though we are encouraging firms to
participate. Rather it is a voluntary process.
But we think the benefits to firms of CBEST are significant.
This is why the FPC in December encouraged firms to undergo a CBEST as
"soon as practicable".
By going through this process, firms will not only understand where their
vulnerabilities lie, but also which threats should cause them most concern
and what steps they should take to combat them.
Access to direct feeds of commercial and government intelligence, via
accredited red team testing by cyber experts, ensures that the test involves
the most up-to-date threats, most relevant to their specific situation.
And we are keen for other sectors, and other jurisdictions, to benefit from
our experiences.
CBEST was officially launched in the summer with the same thirty six firms
that participated in the questionnaire.
Tests are at an advanced stage for a number of firms and we expect to
include the results when we report back to the FPC in the coming months.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 55
So this covers how we are responding to the FPC's recommendation. But
we are also looking beyond this.
I have already noted the benefit for individual firms of enhanced cyber
resilience across the sector.
To realise that, firms need to cooperate not compete in this space.
With that in mind, we are working with industry to strengthen
arrangements for information sharing, reviewing existing forums for
tactical information sharing and supplementing them where necessary with
arrangements for more strategic information sharing including on good
practice.
We are also working with the sector on how existing arrangements for
responding to a major operational disruption would work in the event of a
severe cyber attack.
We have used simulation exercises like Waking Shark II to test response
frameworks.
And, as was announced last week, a joint testing programme between US
and UK governments and authorities will start this year.
This answers to the fact that cyber knows no borders and the significant
operational interlinkages between our systems and it reflects the growing
dialogue with the US and others as to how best to manage the risk to
financial stability from cyber.
So it is clear the world has changed; cyber is an ever-present threat.
Firms need to stand ready to manage this risk.
And just as cyber has changed the world for firms, it has also changed the
landscape for authorities; we need to adapt our approach to operational
resilience of the financial sector as a whole.
Our work in response to the FPC's recommendation typifies this; but we
will continue to work with firms, government and cyber experts to learn
and evolve our approach.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 56
Does the Riksbank have to make a
profit? Challenges for the funding of
the Riksbank
Speech by Ms Kerstin af Jochnick, First
Deputy Governor of the Sveriges Riksbank, at
the Swedish House of Finance (SHoF),
Stockholm, 23 January 2015.
The Riksbank is in good form! Last year the foreign currency reserves
brought in more than SEK 30 billion.
This in turn meant that the Riksbank’s equity increased by almost the same
amount. (We will reveal the size of the reported profit at the beginning of
February.)
In the long run, the largest part of the Riksbank’s profits are paid back to
the government in the form of dividends, and over the past 25 years the
Riksbank has paid in more than SEK 210 billion to the Treasury.
Although the amounts involved here are very large, we rarely discuss the
Riksbank’s profits or equity.
This is because the Riksbank’s assignment does not concern making a
profit; it involves maintaining price stability and promoting a safe and
efficient payment system.
However, it is important to remember that if we are to perform our tasks
and ensure the Riksbank’s independence, we must have adequate financial
resources.
Carrying out our monetary policy assignment and the task of promoting a
safe and efficient payment system includes measures that are made in
various ways through the balance sheet.
All of these measures affect the size of the balance sheet, the profits and
equity.
It is therefore important that the Riksbank’s equity is of an adequate size to
retain the confidence of the financial sector.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 57
Does the Riksbank have to make a profit?
Well, a profit only becomes important when it affects the balance sheet and
thereby the Riksbank’s ability to carry out its tasks.
The Riksbank does not need to make a profit every year, but in the long run
it is important that the Riksbank does make a profit.
We need to be able to build up buffers to cover our costs so that we can
carry out our task regardless of the government and the Riksdag, the
Swedish parliament.
It is therefore important that the Riksbank is not financially dependent on
them.
Moreover, EU legislation requires that a central bank should have adequate
financial resources to carry out its tasks independently.
The main reason why I have chosen to talk about the Riksbank’s
possibilities to make a profit is that it is not self-evident that the Riksbank
will always report large profits year after year.
The coming five-year period actually looks rather gloomy from this
perspective.
The low interest rates and expectations of rising interest rates further ahead
mean that we share this situation with many other central banks.
It is linked to the way the Riksbank has prepared itself to be able to manage
its tasks in the future.
The Riksbank has deliberately altered its balance sheet in recent years, but
there are also changes in our environment that have affected the balance
sheet, leading to its current composition.
The way the balance sheet looks, combined with the developments in
interest rates and yields on the Riksbank’s assets and liabilities also have
decisive significance for the Riksbank’s capacity to make a profit.
We need to understand the Riksbank’s balance sheet to be able to
understand the connections.
How has the balance sheet developed over time?
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 58
And what do we think will happen to it in the future? How does our current
balance sheet affect the Riksbank’s possibilities to make a profit?
In conclusion, I intend to comment on the current situation with very low
international interest rates, and what will happen if (or rather when)
interest rates begin to rise.
What will this entail for the Riksbank’s possibilities of making a profit?
The Riksbank’s measures are reflected in the balance sheet
The Riksbank thus does not have the aim to make a profit, but the bank’s
possibilities to make profits are nevertheless very important.
They are connected to the Riksbank being able to conduct its monetary
policy independent of the government and parliament.
The Riksbank needs to be financially independent to do this in a credible
manner.
In plain language, this means that the bank needs to have sufficient
resources at its disposal to be able to carry out its tasks without being
governed by subventions from the government.
When the Riksbank carries out its tasks, this usually has consequences for
the Riksbank’s balance sheet.
Most of the instruments the Riksbank uses to steer the interest rate are also
items on the balance sheet.
The Riksbank currently steers the interest rate through its monopoly on
supplying a payment system for transferring money between the banks
(including the Riksbank) and above all by determining the conditions for
this.
It is mainly the conditions for the banks’ deposits and loans with the
Riksbank that are used as an instrument to steer interest rates in the
economy.
Prior to the financial crisis, the transactions in the Riksbank’s different
instruments were relatively small, but this changed during the financial
crisis.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 59
Then we used our balance sheet to supply the banks with liquidity.
Up to autumn 2008, the Riksbank’s balance sheet was around SEK 200
billion, but it increased dramatically during the crisis to at most SEK 763
billion in July 2009.
The reason the balance sheet more than tripled was that the Riksbank
began lending large amounts in US dollars and Swedish krona to the
Swedish banks from October 2008.
The dollar loans were largely funded by the Riksbank in its turn borrowing
dollars from the Federal Reserve.
The lending in krona resulted in the banks’ holdings of Swedish krona
increasing, funds which were ultimately deposited with the Riksbank.
This was reflected in the balance sheet in the form of larger monetary policy
liabilities.
The Riksbank and the banking system comprise a closed system, which
means that the money the Riksbank lends out must automatically return to
the Riksbank.
During the financial crisis, the Riksbank thus functioned as intermediary
and replaced the market funding the financial agents were no longer willing
to provide.
Instead of one bank lending to another bank, the central bank steps in and
lends money to the bank needing market funding and at the same time the
central bank offers a risk-free investment to the bank that no longer wishes
to provide market funding.
Unlike the larger central banks, the Riksbank did not buy any securities
during the financial crisis, considering the loans against collateral to be
sufficient.
This meant that the Riksbank could relatively quickly cease its
extraordinary measures when the situation improved and the loans
matured.
Many central banks’ balance sheets are still much larger than they were
prior to the financial crisis, which reflects the central role played by the
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 60
central banks, not merely during the actual crisis but also during the
recovery phase.
Monetary policy has been very expansionary to support economic
developments, with very low interest rates and continued comprehensive
central bank loans in various forms.
Although the Riksbank was able to phase out its extraordinary measures
relatively quickly, compared with other countries, the Riksbank’s balance
sheet has for various reasons changed since before the crisis. So let us go
through why the balance sheet looks the way it does.
How has the Riksbank’s balance sheet developed over the past
decade?
Let us examine (a simplified version of) the Riksbank’s balance sheet from
the year-end 2004.
Ten years ago, the balance sheet total was SEK 183 billion.
The asset side was dominated by the gold and foreign currency reserves,
which amounted to SEK 166 billion.
In addition, we had a monetary policy claim on the Swedish banks of SEK
17 billion.
At that time the Riksbank lent money to the banking system and this was
done through the monetary policy repo transaction (therefore the name
repo rate).
The assets are largely funded through the Riksbank over the year issuing
banknotes and coins to a value of SEK 109 billion.
The bank’s equity amounted to SEK 65 billion.
The small liability to the IMF is a result of Sweden’s membership of the
International Monetary Fund. I do not intend so say so much about this
item now.
Let us now compare this with how the balance sheet looks today. As you can
all see, a lot has happened over the past ten years. For instance, we can
observe that:
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 61
•
The foreign currency reserve is SEK 325 billion larger. This increase
is mainly because we have borrowed the equivalent of SEK 200 billion in
foreign currency through the Swedish National Debt Office to strengthen
the foreign currency reserve.
•
We have once again acquired a securities portfolio in Swedish krona.
The Riksbank previously had a portfolio of Swedish securities but then this
was phased out more than ten years ago.
•
The stock of notes and coins has declined, partly due to card
payments and electronic payments becoming more common.
As a consequence of this, we now have monetary policy liabilities instead of
a monetary policy claim.
This means that we are now borrowing excess liquidity from the banking
system instead of lending money to cover a liquidity deficit.
I will return to this issue later on.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 62
One thing that is immediately apparent when comparing today’s balance
sheet with the one from ten years’ ago is that the debt items the Riksbank
does not pay interest on, that is, notes and coins and equity, have gone from
comprising almost 100 per cent to hardly 40 per cent of the Riksbank’s total
funding today.
This means that the probability of the Riksbank making losses in certain
years has increased. I will return to this, but let us first look a little closer at
the changes in the Riksbank’s balance sheet.
The foreign currency reserve has strengthened
The largest change in the Riksbank’s balance sheet is the strengthening of
the foreign currency reserve.
One can say that a central bank has three reasons for holding a foreign
currency reserve.
The first is to make interventions in the foreign exchange market, the
second is to maintain a readiness to supply the financial system with
liquidity in foreign currencies and the third is to meet obligations to
international organisations.
The Riksbank’s foreign currency reserve was strengthened partly because
Sweden’s commitments to the International Monetary Fund (IMF) have
increased, but mainly because the Riksbank is to manage the task of
ensuring that the payment system in Sweden functions safely and
efficiently.
The serious situation abroad and the Swedish banks’ extensive funding in
foreign currencies mean that the risks of disruptions to the financial system
are higher than before.
The role of the Riksbank in this situation is, when necessary, to be able to
provide liquidity assistance at short notice.
With today’s Swedish banking system, it may also be necessary to provide
such assistance in foreign currencies.
We therefore asked the National Debt Office on two occasions to borrow
foreign currency on our behalf to strengthen the currency reserve.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 63
All in all, we borrowed foreign currency to a value equivalent to SEK
200 billion.
However, the foreign currency reserve has grown by SEK 325 billion, while
the strengthening by means of the National Debt Office loans amounted to
SEK 200 billion.
The difference is partly due to the krona being weak during 2014 and the
value of the foreign currency reserve, measured in krona, therefore having
increased.
The krona depreciation is also visible in the fact that the value of the foreign
currency loans, which a year ago was SEK 193 billion, now amounts to SEK
228 billion.
But the foreign currency reserve has also grown as a result of the return on
the bonds in the foreign currency reserve being reinvested in new bonds
instead of used to pay dividends to the government.
As a result of this, the Riksbank has instead had to borrow from the banks
that are its monetary policy counterparties to pay the dividends.
This has contributed to the banks’ net claims on the Riksbank having
increased by almost SEK 50 billion over the past ten years, which has
means that we have gone from having a monetary policy claim to a
monetary policy liability.
The Riksbank has reintroduced a portfolio in Swedish krona
On the asset side, we now also have a portfolio of Swedish government
bonds in Swedish krona.
Let me just comment here on why we have once again acquired a securities
portfolio in Swedish krona.
Most central banks have a securities portfolio in their own currency.
The Riksbank also had such a portfolio during the 1990s and this consisted
mainly of government bonds, as well as a minor holding in treasury bills
and mortgage bonds. In
2001, the portfolio was transferred to the Swedish National Debt Office.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 64
In autumn 1999, The Riksbank’s market commitment repo facility was
transferred to the Swedish National Debt Office and the assessment was
made that a domestic securities portfolio at the Riksbank would not fulfil
any important monetary policy function.
However, the experiences of the financial crisis 2008–2009 show how
important it is to be able to quickly implement measures beyond the
ordinary measures used by a central bank to implement monetary policy.
During the crisis the Riksbank took several extraordinary measures to
improve the functioning of the financial markets and the monetary policy
transmission mechanism.
Other central banks implemented similar measures. Unlike many other
central banks, the Riksbank did not buy any government bonds or covered
bonds, but these possibilities were discussed.
One important lesson from the crisis is that new measures require
considerable preparation.
After the crisis, we therefore decided that it is a good idea to make practical
preparations for a crisis even during normal circumstances by
supplementing the Riksbank’s toolbox with a limited securities portfolio in
Swedish krona.
This ensures that necessary systems, agreements, routines and knowledge
are already in place if it becomes necessary to quickly implement
extraordinary measures.
Given that we now have a repo rate close to zero and we are discussing
which unconventional measures might be appropriate if inflation does not
rise towards two per cent, it is good that the Riksbank has created the
possibility and knowledge to manage a bond portfolio.
This means that we now can quickly and simply purchase and sell bonds,
something that would previously have taken us much longer.
So, in technical terms we are prepared to increase the size of the portfolio if
and when it should prove necessary.
The general public’s use of cash is declining
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 65
One important item on the liabilities side of the balance sheet is
outstanding banknotes and coins.
The Riksbank has the monopoly on issuing banknotes and coins in Sweden
and is responsible for supplying the country with cash.
The size of this item depends on the demand from the general public for
cash.
Previously, the stock of notes and coins used to grow over time in line with
growth in the economy, but this has not been the case in recent years.
Since 2007, the demand for notes and coins has instead declined, both in
relation to GDP and in absolute figures.
As far as I know, we are alone in the world with regard to the latter
development.
It is not entirely clear why this is so, but the fact that Sweden is in the
forefront with regard to the use of card payments and electronic payments
has probably contributed.
The value of outstanding banknotes and counts amounted to SEK 109
billion ten years ago and comprised 60 per cent of the Riksbank’s balance
sheet total.
At the end of 2014, the item had declined to just over SEK 83 billion and
now comprises only 17 per cent of the balance sheet total.
The Riksbank assesses that cash will remain a means of payment for the
foreseeable future, although it will probably decline in significance.
The replacement of the Swedish banknotes and coins that will take place
between autumn 2015 and summer 2017 increases uncertainty over how
much cash will be in circulation during the coming years.
What does it mean for the Riksbank when the amount of cash in circulation
declines? Well, when this happens the banks do not need to hold such large
stocks of cash as before.
Instead, they deposit the money in their accounts with the Riksbank.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 66
What this means for the Riksbank’s balance sheet is that when the liabilities
item banknotes and coins declines, the item monetary policy liabilities
increases by the same amount.
Over the past ten years, the item banknotes and coins has declined by SEK
25 billion, and the monetary policy liabilities item has thus increased by the
same amount.
In this way, the Riksbank misses out on interest-free funding, as the
Riksbank pays interest on the monetary policy liabilities.
Although this is not so relevant at present when the repo rate is at zero, in
the long run the Riksbank’s profits will shrink in line with the decline in the
use of cash.
I should perhaps take the opportunity to say here that the Riksbank is in
general positive towards developments on the payments market that in
many cases lead to both safer and more efficient payments.
But one cannot disregard the fact that a decline in the use of cash will also
reduce the Riksbank’s opportunities for interest-free funding.
The Riksbank borrows instead of lending
The changes in the Riksbank’s balance sheet that I have mentioned here
have led to a major change in the liquidity position of the banking system
towards the Riksbank.
Ten years ago, the banking system had a structural deficit of liquid funds
with regard to the Riksbank.
This means that the Riksbank had to regularly lend money to the banking
system.
Since 2010, the banking system has instead had a structural surplus of
liquid funds and the Riksbank now borrows these funds from the banking
system.
The most important explanations for the banking system moving from
deficit to surplus are that the dividend payments to the government have
not been taken from the assets; the Riksbank has instead borrowed money
to pay the dividends, and that the general public’s demand for cash has
declined.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 67
This change is reflected in the Riksbank’s balance sheet in that we now
carry out our monetary policy operations on the liabilities side of the
balance sheet. But it makes no difference to our ability to implement
monetary policy.
Regardless of whether the banking system has a deficit or a surplus of
liquidity in relation to the Riksbank, our monetary policy system works by
means of our determining the conditions for the banks’ deposits and loans
with the Riksbank, which determines the shortest interest rate – the
overnight rate – so that it comes closer to our policy rate, what is known as
the repo rate.
The repo rate thus states which level the Riksbank wants for the overnight
rate, which is currently zero per cent.
The overnight rate in turn affects interest rates charged to the general
public and thereby activity and prices in the economy.
The Riksbank’s need for funding is increasing
The most important fundamental consequence in the changes to the
balance sheet between 2004 and 2014 is that the Riksbank now has a larger
funding need than before. I shall explain why.
The reason is that the foreign currency reserve needs to be much larger
than before, as the banks’ funding in foreign currency has expanded so
much over the past ten years.
And this means that the traditional funding sources, equity and banknotes
and coins, are not enough.
How should the Riksbank fund its assets?
As I have already described, the Riksbank chose to borrow foreign currency
on the international capital market through the Swedish National Debt
Office when the foreign currency reserve was strengthened.
We assessed that this was the most suitable procedure at the time and it
functioned well and is still doing so.
Although the Riksbank is able to borrow euros and dollars at a low cost on
the capital market through the National Debt Office, the interest
expenditure for the currency loans is higher than the return the Riksbank
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 68
receives on the money when it is invested in safe assets with very low risk.
The difference is around 0.2 per cent.
This means that the strengthening of the foreign currency reserve of SEK
200 billion costs the Riksbank around SEK 400 million a year.
One can regard this cost as a form of insurance premium that the Riksbank
considers is worth paying to ensure a good level of preparedness for a crisis.
As the Swedish banking system is so large and important to the Swedish
economy, this cost can be considered small in relation to the costs that
might arise if the banking system ceased functioning.
The reinforcement of the foreign currency reserve thus reduces the
Riksbank’s profits by around SEK 400 million a year.
This is one of the reasons why it is has been discussed in various contexts
whether the banks should contribute to the costs of the reinforcement.
The Riksbank has previously argued that it would be reasonable if the
banks stood for the cost of the part of the foreign currency reserve needed
to manage emergency liquidity assistance5, and we will probably have
reason to return to this question in the future.
How can the Riksbank obtain funding in the future?
By going through the balance sheet in this way, we can clearly see that the
Riksbank has little opportunity to influence how it obtains funding.
We have already observed that the banknotes and coins item is declining
and that there is nothing the Riksbank can do about this – it is part of the
technological developments taking place.
With regard to foreign currency loans, I mentioned that the interest
expenditure for them exceeds the income on the assets the loans fund.
The Riksbank’s equity exceeds SEK 100 billion. This means that the
Riksbank has a good capacity to manage potential losses.
And it is important for our credibility. EU legislation prescribes that it is the
highest decision-making body in the central bank that shall decide on the
size of the bank’s equity.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 69
It is of course important that the decision is made after a preparatory
process that is transparent and predictable, with a healthy balance between
promoting on the one side the need of the Riksbank to have sufficient
equity on each occasion and on the other side the interest of the Swedish
government to minimise the Riksbank’s costs for tying up capital.
To summarise, we can note that the Riksbank currently only has one source
of funding that it determines itself, namely monetary policy liabilities. In
other words, the Riksbank can always make payments by increasing
liquidity in the banking system.
But all other forms of funding are affected in one way or another by things
beyond the bank’s control.
At present, the repo rate is at zero and this means that the Riksbank does
not have any interest expenditure for the monetary policy liabilities.
But this is temporary, and as the repo rate is raised, the bank’s interest
expenditure will increase.
This will also mean that profits decline.
The coming years – profits declining, no dividends
I have now spent some time on describing the Riksbank’s balance sheet and
discussing some of the challenges the bank is facing.
But I have not yet said anything about the largest challenge for the bank in
the short term.
By this I mean the extremely low interest rates, both here in Sweden and
abroad.
As I have already mentioned, the foreign currency reserve shall be managed
so that the Riksbank can provide emergency liquidity assistance in foreign
currency at short notice.
The assets therefore need to be easy to sell. They must also retain their
value.
Therefore, the foreign currency reserve largely consists of very safe
government bonds, mainly from the United States and Germany.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 70
The yields on US and German government bonds are currently very low. As
the Riksbank’s income largely consists of the return on the foreign currency
reserve, one must realise that the Riksbank currently has fairly limited
opportunities to earn money.
Let us look at a simple calculation, based on how things looked ten years
ago, and compare this with the current situation.
Net interest income has declined
At the end of 2004, the Riksbank had assets worth SEK 183 billion.
The interest rate then was around four per cent (measured as an average
over the currencies included in the reserve).
A rough estimate of the Riksbank’s net interest income is then SEK 7.3
billion (183 x 4%).
As the assets were financed almost completely by the banknote and coin
stock and the bank’s equity, interest rate expenditure was low.
The cost of the small IMF liability was just under SEK 300 million, so net
interest income was around SEK 7 billion.
This should be set against the Riksbank’s costs for conducting its
operations, which amounted to around SEK 750 million a year.
Net interest income was thus almost ten times higher than expenditure.
If we make the same calculation for 2014, the picture is rather different.
Based on the interest rates that applied at the turn of the year, net interest
income is around SEK 3.5 billion.
Now the bank also has sizeable interest expenditure amounting to SEK 2.4
billion (and this despite the repo rate being zero, so the bank does not pay
interest on liabilities in Swedish krona).
Net interest income is thus SEK 1.1 billion, which still covers the costs of
conducting the bank’s operations – but now with a much smaller margin
than before.
As you can all see, this is a very rough and simplified calculation.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 71
The return on a bond portfolio is not just determined by the interest rate at
a particular point in time, but also by the yield curve and how it moves over
time.
We have calculated this, too, and when we estimated the expected return on
the foreign currency reserve, we have used data from interest rate forecasts
by the National Institute of Economic Research.
From 1988 onwards, the Riksbank’s results have on average exceeded SEK
8 billion a year.
I have chosen 1988 as starting year as this was when we began to apply the
principles for how to calculate the size of the dividend, which still apply
today.
In brief, the principles entail the dividend level remaining stable, the
majority of the profit shall be paid as a dividend, and that the calculation
shall not take into account developments in the government budget.
In concrete terms, this means that 80 per cent of the average results in the
past five years (adjusted for exchange rate effects) shall be paid as dividend
to the government.
The majority of the profit has been paid to the Treasury.
The fact is that if we include the two extra dividends of SEK 20 billion each
paid at the beginning of the 2000s, the Riksbank has paid somewhat more
than its profits in dividends during this period.
The smallest dividend paid during the period is that paid in spring 2014,
SEK 3.3 billion.
Losses await
If we instead look ahead, we see that the Riksbank will probably make
losses over a couple of years.
The results for 2014 (which have not yet been established) were still
positive, but if interest rates rise in the way that the National Institute of
Economic Research forecasts, it will be some time before the Riksbank can
show a profit again.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 72
It looks as though the bank will have losses in the years 2015–2018
amounting to around SEK 5 billion a year.
This development is not unique to the Riksbank.
Many of those who have invested in bonds will face losses when interest
rates rise.
Those that are hit the hardest will be the central banks that have applied
what is known as quantitative easing in recent years, that is, they have
bought large volumes of bonds with long maturities to stimulate the
economy.
The fact that the Riksbank makes losses in turn means that the bank will
not be able to pay dividends to the government for some years.
As the dividend payment is based on the results from the past five years, it
will decline with a time lag, and the forecast at the moment is that we will
pay two further dividends before the losses take over and the dividend
payments become zero.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 73
This is of course a setback for the government’s income.
And as the dividends cannot be negative when the Riksbank makes a loss,
the bank must bear the losses, which will reduce our equity.
As we have equity of a good SEK 100 billion, we can manage this without
any infringement of our financial independence.
The Riksbank is financially strong
I have now described how the Riksbank’s balance sheet has changed over
the past ten years.
I have also tried to show how this affects the bank’s capacity to make a
profit.
Some changes are the result of active decisions by the Riksbank. Decisions
the Riksbank has made as a preventive measure to be sufficiently prepared
to manage a changed situation.
I am of course mainly thinking of the reinforcement of the foreign currency
reserve here, but also the decision to acquire a portfolio of Swedish
securities again.
Other changes, such as the decline in the use of cash and international
interest rates, are beyond the Riksbank’s control.
Changes in the Riksbank’s balance sheet will lead to the bank’s profits
slowly shrinking.
We must therefore consider more carefully than before how we can best
fund our assets.
The expected rise in interest rates has a much greater effect on the bank’s
profits in the short term, but on the other hand the effect is temporary.
Although there is no lack of challenges, the Riksbank is financially strong.
This is important to be able to perform our task in the best possible way.
The bank has substantial equity, which may well be needed if the Riksbank
is forced to adopt unconventional methods to bring up inflation.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 74
Finally: Does the Riksbank have to make a profit? Yes, it does actually.
We must be able to cover our costs. And we must be able to build up buffers.
But if our finances are stable, then our capacity to perform our tasks will
not be jeopardised because we lose money during a few years.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 75
Progress in adopting the principles for
effective risk data aggregation and risk
reporting
1. Introduction, motivation, methodology
The Principles for effective risk data aggregation
and risk reporting (the “Principles”) were issued
by the Basel Committee on Banking Supervision
in January 2013.
The Principles aim to strengthen risk data aggregation and risk reporting
practices at banks to improve risk management practices.
In addition, improving banks’ ability to rapidly provide comprehensive risk
data by legal entity and business line is expected to enhance both their
decision-making processes and their resolvability.
A complete list of the Principles can be found in Annex 2 of this report.
The Principles are initially applicable to systemically important banks
(SIBs) and apply not only at the group level but also to all material business
units or entities within the group.
National supervisors may nevertheless choose to apply the Principles to a
wider range of banks.
The Basel Committee and the Financial Stability Board (FSB) expect banks
identified as global systemically important banks (G-SIBs) to comply with
the Principles by 1 January 2016.
In addition, the Basel Committee strongly suggests that national
supervisors also apply the Principles to banks identified as domestic
systemically important banks (D-SIBs) three years after their designation
as such by their national supervisors.
The Basel Committee and national supervisors have agreed to monitor and
assess banks’ progress through the Basel Committee’s Supervision and
Implementation Group (SIG), which will share its findings with the FSB at
least annually from the end of 2013.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 76
To facilitate consistent and effective implementation of the Principles
among G-SIBs, the SIG decided to use a coordinated approach for national
supervisors to monitor and assess banks’ progress until 2016.
The first step of this coordinated approach was to implement a
“stocktaking” self-assessment questionnaire, which was completed by
G-SIBs during 2013.
Taking into consideration the results of the 2013 stocktaking exercise,
discussions with the industry, and national supervisors’ continuous
monitoring of banks, the Basel Committee agreed that it would be
appropriate to design a reduced survey and to focus on the fundamentals,
particularly:
(i) governance;
(ii) infrastructure; and
(iii) data aggregation accuracy.
This report reviews the high-level results of the self-assessment
questionnaire.
1.1 Aim of the 2014 bank questionnaire
The questionnaire was intended to establish how each G-SIB views its
current compliance status with Principles 1 through 11.
The survey enables the supervisory authorities to monitor progress towards
full compliance by the 2016 deadline and to help identify and remedy any
implementation issues.
1.2 Bank questionnaire scope
To more effectively monitor the progress made in implementing the
Principles, a condensed version of the 2013 survey was developed, focusing
on the issues considered as essential and/or critical for compliance
purposes, or that were related to requirements with weak performance in
2013.
The 2013 stocktaking survey included 87 detailed requirements; in
comparison, the 2014 survey included 35 questions.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 77
Thirty-one G-SIBs and six other large banks (ie non-G-SIBs) participated in
the self-assessment exercise.
Among the 35 questions, 11 correspond with the overall Principles, 21
correspond with specific requirements under the Principles, and three
additional questions relate to large-scale IT infrastructure projects (Annex
4).
Banks were asked to rate their level of compliance with each Principle and
requirement.
The other 21 questions were included in the 2014 survey because they were
noted as being essential for compliance with a given Principle, or had
especially weak performance based on the results of the 2013 stocktaking
questionnaire.
Finally, banks were also asked to provide the expected date of full
compliance with each Principle.
The 2014 questionnaire asked for two sets of comments on each question.
First, banks were expected to provide general comments.
Second, they were asked to describe the impact of any compliance “gap”
and potential mitigation tools to be used until they would be able to fully
comply with the Principle.
Furthermore, banks were expected to explain the potential negative impact
or consequences these gaps could have on risk data aggregation and risk
reporting capabilities, and, where relevant, what temporary measures will
be introduced to mitigate any material issues.
The WGSS compared the results from the 2013 stocktaking and the 2014
questionnaire, and set out several recommendations to ensure that banks
continue to strive to achieve full compliance by the 2016 deadline.
To assess progress, this report compares the responses of the 30 G-SIBs
that participated in the initial 2013 stocktaking with their responses to the
2014 questionnaire.
1.3 Self-assessment rating
In the 2014 questionnaire, banks were requested to rate, on a scale from 1
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 78
to 4, their current level of compliance with 11 Principles and 21 specific
requirements under the Principles.
The four ratings were defined as follows:
1. The Principle/requirement has not yet been implemented.
2. The Principle/requirement is materially non-compliant and significant
actions are needed in order to make further progress or achieve full
compliance with the Principle/requirement.
3. The Principle/requirement is largely compliant with and only minor
actions are needed to fully comply with the Principle/requirement.
4. The Principle/requirement is fully compliant with and the objective of
the Principle/requirement is fully achieved with the existing architecture
and processes.
It was expected that if compliance with any one requirement under a
Principle was rated below 4, then the general level of compliance with the
Principle would also be rated below 4.
1.4 Bank questionnaire process
National supervisors administered the questionnaire and banks rated their
current level of compliance with each Principle.
National supervisors reviewed and analysed the banks’ responses via
follow-up meetings or conference calls and provided a written assessment
of their respective banks’ responses.
During these interactions, banks and national supervisors discussed:
• Areas where national supervisors thought that ratings might not be
accurate,
• Banks’ strategy for complying with the Principles; and
• Other comments provided by the banks.
The observations, recommendations, and conclusions in this paper are
based on self-assessments completed by the participating banks.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 79
National supervisors were not asked to validate the accuracy of the ratings
or comments, nor did they assess the potential differences in the level of
rigor applied by each bank or differences in home/host supervisory
approaches.
2. Key conclusions from the 2014 Survey
2.1 General conclusions
As seen in Graph 1 below, the average ratings of Principles 1 to 11 ranged
from 2.43 to 3.33.
Overall, there were only minor improvements in average ratings.
The three Principles with the lowest reported compliance were Principle 2
(data architecture/IT infrastructure), Principle 6 (adaptability) and
Principle 3 (accuracy/integrity) as nearly half of banks reported material
non-compliance on these Principles.
The three Principles with the highest reported compliance for both 2013
and 2014 were Principle 8 (comprehensiveness), Principle 9
(clarity/usefulness), and Principle 11 (report distribution).
Compared to the 2013 results, many banks continue to encounter
difficulties in establishing strong data aggregation governance, architecture
and processes.
Banks reported that they often rely on manual workarounds.
Similar to the results of the 2013 stocktaking, many firms failed to
recognise that governance/infrastructure Principles are important
prerequisites for facilitating compliance with the other Principles.
As depicted in Graph 1, compliance with Principle 2 (data architecture/IT
infrastructure) was rated lowest while Principle 11 (report distribution) was
rated highest.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 80
2.2 Rating changes
Results showed that there were considerable rating changes among the
banks, when comparing responses from the 2013 stocktaking with those
from the 2014 questionnaire (see Graph 2).
Rating downgrades were reported in at least one Principle by 16 banks.
In particular, there were more downgrades in the areas of governance and
infrastructure and risk data aggregation capabilities, than in risk reporting.
Based on the review of the responses from the banks, there are a number of
factors that led to such results.
Some banks noted delays in initiating or implementing large-scale IT
infrastructure projects as well as the complexity of projects to ensure
compliance with the Principles.
Importantly, several institutions also noted an improved understanding of
the Principles, notably in terms of the scope to be covered (with respect to
all material risks and legal entities).
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 81
2.3 Expected date of compliance
One of the most noteworthy results of the 2014 questionnaire was that
many banks indicated that they will be unable to comply with at least one
Principle by the January 2016 deadline.
For example, as shown in Graph 3, 11 banks do not anticipate complying
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 82
with Principle 6 by the January 2016 deadline, and nine banks do not
anticipate complying with Principle 3 and Principle 5 by the deadline.
In comparison with the results of last year’s stocktaking, execution risk
appears to have increased.
Overall, 14 G-SIBs indicated that they will not fully comply with at least one
Principle by the deadline, compared with only 10 banks in the 2013
exercise.
Sixteen banks indicated that they plan to comply with the Principles by the
January 2016 deadline.
Given the complexity of ongoing, large-scale data infrastructure projects
and noted issues in complying with some of the more fundamental
Principles, it appears that banks still have considerable work ahead of
them.
On a positive note, three banks which expected in 2013 to miss the
compliance deadline have now indicated that they expect to meet the
deadline.
Two additional banks did not report any corresponding rating changes
from the 2013 stocktaking to the 2014 questionnaire.
The results of the 2014 questionnaire raise some concern that
self-assessments of compliance dates may be overly ambitious.
Several G-SIBs that rated themselves as materially non-compliant with
several Principles still expected to be compliant by the deadline.
For example, 15 G-SIBs rated themselves as materially non-compliant with
Principle 3 (data accuracy and integrity), but 10 of those G-SIBs still
expected to meet the deadline.
Regardless of how the banks rated themselves, anecdotal evidence gathered
via the questionnaire suggests that it will be difficult for a number of firms
to fully comply with the Principles by 2016.
2.4 Comparison of data aggregation and risk reporting in G-SIBs’
self-assessments
Some of the data aggregation and risk-reporting Principles are closely
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 83
aligned as complying with the former is a prerequisite for complying with
the latter.
As shown in Graph 4, Principles 3 and 7 address accuracy and integrity in
both data aggregation, and reporting.
Principles 4, 8 and 9 address completeness, comprehensiveness and
clarity/usefulness.
Principles 5 and 10 address the ability to produce reports in a timely
manner at an appropriate frequency.
However, banks generally assigned themselves higher ratings on the
risk-reporting Principles than they did on the related data aggregation
Principles.
For example, seven banks rated themselves as fully compliant on Principle
8 (comprehensiveness); nevertheless, the same banks rated themselves as
largely compliant on Principle 4 (completeness).
Those banks considered that risk management reports comprehensively
cover all material risk areas, but they indicated the need to enhance the
completeness of risk data aggregation capabilities.
Similarly, two banks rated themselves as fully compliant on Principle 10
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 84
(frequency) but rated themselves as largely compliant on Principle 5
(timeliness).
2.5 Additional issues regarding strategic IT projects
Finally, as mentioned above, the 2014 survey includes three additional
questions related to large-scale IT infrastructure projects.
These three questions were added to the survey to obtain a greater
understanding of banks’ assessment of IT projects that support compliance
with the Principles vis-à-vis other projects (see Annex 4 for more details).
Most respondents indicated that they had several IT projects that were
intended to support compliance with the Principles.
Banks that do not expect to comply with the Principles by January 2016
failed to explain whether it would be possible to ensure that IT projects
could be moved to a higher priority.
Moreover, the interdependencies associated with large-scale IT projects
would make it difficult for banks to re-assign a higher priority to them.
Most banks noted that all projects are important, and are funded according
to their normal budgeting cycle and are provided with the same level of
oversight as other high-priority projects.
2.6 Other large banks’ assessments
In addition to G-SIBs, four national supervisors invited six other large
banks (ie non-G-SIBs) to complete the questionnaire.
However, the sample in the 2014 survey had only four entities in common
with the “other large bank” sample in the 2013 exercise.
The compliance levels for non-G-SIBs were similar to those of G-SIBs.
None of the non-G-SIB banks rated themselves as non-compliant with any
of the Principles, Among the non-G-SIBs, the three Principles with the
lowest reported compliance were Principle 2 (data architecture/IT
infrastructure), Principle 3 (accuracy and integrity for risk data
aggregation) and Principle 7 (accuracy for risk reporting).
The Principles for which non G-SIBs reported the highest compliance
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 85
pertained to risk reporting practices: Principle 8 (comprehensiveness),
Principle 9 (clarity and usefulness) and Principle 11 (report distribution).
Only three banks expected to comply with all the Principles by the deadline.
2.7 Supervisory plans and recommendations
In comments provided by supervisors, they noted the need for continued
supervisory oversight of G-SIBs’ progress in closing gaps with the aim of
fully complying with the Principles.
Supervisors identified the need to meet with bank management and
internal audit monitor progress and achieve the necessary oversight.
This is deemed critical given the high level of execution risk posed by the
fact that many G-SIBs do not expect to be fully compliant prior to the
deadline.
In order to facilitate implementation, a number of recommendations have
been made, including:
(i) the need to more fully engage senior management and the board of
directors; and
(ii) having supervisors more carefully monitor progress on IT architecture
projects, the need to minimise use of manual systems, and the importance
of quality controls.
3. Governance (Principles 1 and 2)
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 86
3.1 Quantitative description
G-SIBs reported minimal progress with respect to compliance with
Principles 1 (Governance) and 2 (Data and IT infrastructure), which are
considered to be prerequisites for overall compliance with RDARR
Principles.
Consistent with 2013 results, the G-SIBs identified Principle 2 as the most
challenging, as it attracted the lowest average compliance rating, of 2.43.
Only two G-SIBs reported compliance with the Governance Principle, and
no G-SIBs fully comply with the Data Architecture and IT Infrastructure
Principle.
Of particular note, six G-SIBs downgraded their ratings for each of these
Principles as compared with their self-assessment ratings from 2013 to
2014.
The majority of G-SIBs (70%) rated themselves as “3” (materially
compliant) with the Governance Principle, while fewer than half (43%)
rated themselves materially compliant with the data architecture and IT
infrastructure Principle.
Seven G-SIBs rated themselves “2”, (materially non-compliant or needing
significant actions to meet the requirement) for the Governance Principle,
and more than half of the G-SIBs (57%) rated themselves a “2” for the data
architecture and IT infrastructure Principle.
Several G-SIBS reported that they do not expect to achieve full compliance
with these two Principles by the January 2016 deadline. \
In fact, the number of G-SIBs expected to miss the deadline for compliance
has increased since 2013.
At least nine G-SIBs do not expect to meet Principle 2 by January 2016, and
three do not expect to meet Principle 1 by January 2016 (compared to eight
and one, respectively, in 2013).
3.2 Challenges
The most common weaknesses identified by G-SIBs were:
(i) the need to continue expanding components of an enterprise-wide
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 87
governance framework and
(ii) to manage multiple large-scale projects related to RDARR. Many banks
continue to point to the need to enhance current IT architecture and data
flows to reduce complexity and manual workarounds.
Frequently, G-SIBs commented that IT infrastructure, while adequate in
normal times, was not adequate in stress or crisis situations.
While many banks have most elements of a governance framework,
particular elements (by risk type or across legal jurisdictions) were noted as
requiring additional policies, procedures and controls.
G-SIBs noted enhanced data quality standards, manual workarounds, and
appropriate governance as current processes for mitigating potential
exposures until the necessary IT architecture is fully established.
3.3 Potential strategies for compliance
In order to meet the requirements of the Governance Principle, G-SIBs
reported they will continue to define and clarify the functions and roles
required under enterprise-wide data governance.
G-SIBs noted that additional work was necessary on cross-functional
implementation initiatives involving risk, compliance, IT, finance and
internal control functions.
Further enhancements are planned to risk reports with a view to providing
metrics on limitations (eg data quality, completeness) for a better
understanding of data quality and to provide further assurance around the
underlying processes.
Escalation processes when outside tolerances also need to be implemented
at certain G-SIBs.
It was indicated that improvements to board-level reporting are a necessary
action step.
For some banks, the current limitations of risk reporting have yet to be
communicated to the board.
Increased transparency and or expanded narrative descriptions are other
planned action items.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 88
While the above actions involve reporting, it is noteworthy that governance
processes for escalation and description of current limitations are not in
place at reporting G-SIBs.
With respect to data architecture and IT infrastructure, G-SIBs report the
following needed action steps:
• Improving IT infrastructure so that more frequent data are available for
certain risk areas (credit risk and liquidity risk);
• Process improvements to infrastructure so as to reduce reliance on
manual workarounds and to automate aggregations;
• Simplifying current IT architecture and data flows across departments
and legal entities to streamline the aggregation process and to enable quick
aggregation of risk data during times of stress;
• Ensuring that consistent and integrated data taxonomies and dictionaries
exist at the group level, and throughout the organisation; and
• Identifying and defining “data owners” to improve accountability.
As depicted in Table 1, three G-SIBs do not expect to meet Principle 1, and
at least nine (possibly 10) G-SIBs do not expect to comply with Principle 2
by the January 2016 deadline.
In some cases, G-SIBs reported that appropriate communication would be
made to the board of directors on progress.
For some G-SIBs, infrastructure solutions will span multiple years beyond
the deadline.
Respondents stated that an adequate governance framework and
documentation would be in place, and would mitigate any potential
negative effects or outcomes until the infrastructure solutions are in place.
For the nine (possibly 10) G-SIBs indicating that they would not be able to
meet the deadline, none anticipated a material negative impact of
compliance gaps on risk management decisions.
To address compliance gaps with this Principle, the G-SIBs intend to:
• Rely on manual workarounds with appropriate controls and expert
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 89
judgement;
• Establish data governance frameworks including data quality standards;
and

• Prioritise high-impact risk data items in the remediation process.
4. Data aggregation (Principles 3, 4, 5 and 6)
4.1 Quantitative description
In the area of risk data aggregation, G-SIBs’ average self-assessment
compliance ratings improved from 2013 with respect to most RDARR
Principles (Table 2).
The notable exception was Principle 3 (accuracy and integrity), for which
banks’ ratings are evenly split between “materially non-compliant” and
“largely compliant”.
The overall deterioration in the average compliance rating for Principle 3 is
the result of several institutions downgrading their ratings due to delays in
certain projects as well as a greater understanding of the scope of the risks
covered in the Principle.
Such a trend is all the more noteworthy since, in the area of risk data
aggregation capabilities, a relatively large number of requirements for
Principle 3 that were considered as being “essential” for complying with the
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 90
Principle as well as requirements where performance was weak based on
the results of the 2013 stocktaking.
In this respect, the level of compliance remains particularly low, at around
2.5, for requirements 12 (there is an appropriate balance between
automated and manual systems) and 13 (proper documentation of risk data
aggregation processes).
In contrast with Principle 3, the average compliance rating for Principle 4
(completeness) improved, with nearly two thirds of the respondents
considering their practices as being “largely compliant”.
Requirement 15, an essential element for compliance under Principle 4,
states that banks should include all material risk data in banks’ data
aggregation capabilities.
The requirement registers a satisfactory average level of compliance, of 3.1.
Regarding the expected date of full compliance, the number of G-SIBs
indicating that they will not be in a position to comply by January 2016
doubled with respect to Principle 3 (accuracy and integrity), Principle 5
(timeliness) and Principle 6 (adaptability).
Slightly less than one third of all respondents expect that they will not be
compliant with Principles 3, 5 and 6 by January 2016.
4.2 Challenges
G-SIBs reported five key challenges to compliance with the Principles in the
area of risk data aggregation.
First, consistent with the results of 2013 stocktaking, G-SIBs have a heavy
reliance on manual processes and interventions to create risk reports.
While market risk data (and to some extent, liquidity risk data) are largely
automated, manual processes are still widely used in many risk areas and
across businesses and functions.
This impedes banks in generating ad hoc data report requests in a timely
and accurate manner, especially in times of stress or crisis situations.
In this context, G-SIBs pointed out the importance of enhancing their IT
infrastructures to support daily data aggregation in situations of
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 91
stress/crisis.
Some of them also underlined the need to improve their production of risk
information and metrics (notably in domains other than market risk) on a
timely basis to meet all risk management requirements.
Second, G-SIBs appear unable to consistently and comprehensively
document risk data aggregation processes at the group level, including
clearly defining material risk across business lines and legal entities.
A possible solution to this issue is the implementation of formal “data
dictionaries” consistently covering all risk categories at the group level, thus
reducing the time required to generate customised reports.
The development of an End User Computing Policy (EUC) would help
capture and ensure complete documentation of all material manual
processes at the group level.
Third, G-SIBs reported difficulties improving their ability to aggregate
collateral-related data for derivatives transactions.
G-SIBs also noted the challenges in aggregating off-balance sheet risk data,
due, in part, to the non-linearity of the measures and the lack of
harmonisation across jurisdictions.
Fourth, G-SIBs reported difficulties in establishing adequate automated
reconciliation processes for risk data aggregation, notably for managerial
risk data with regulatory and/or accounting data.
More broadly, throughout the reconciliation process, banks are striving to
address the key challenge of ensuring a consistent level of granularity of
information and sufficient documentation of material discrepancies across
source systems.
Finally, several G-SIBs highlighted that legal restrictions in some
regions/countries have hindered them in producing a granular level of
details on risk data.
4.3 Potential strategies for compliance
To address the challenges relating to the compliance with the Principles
and associated requirements in the area of risk data aggregation, reported
action items included:
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 92
• Developing IT infrastructure to aggregate a broader range of risk data
automatically and reduce reliance on manual workarounds;
• Automating data quality controls and improving reporting capabilities
associated with group-wide stress testing;
• Improving systems to monitor and enforce credit limits status across risk
types and products;
• Promoting data alignment between risk and finance, using common data
dictionaries and appropriate governance structure;
• Establishing data collection channels, processes and procedures that
encompass the development of common taxonomies and reference data so
as to facilitate data aggregation in times of stress/crisis;
• Enhancing data aggregation capabilities to consolidate data from
branches and subsidiaries operating in other jurisdictions and, more
generally, developing consolidated data stores notably for credit, market
and operational risks to expedite risk reporting and easier reconciliation of
risk data;
• Implementing programmes aimed at meeting Basel III regulatory
requirements and other international initiatives (eg Legal Entity
Identifiers); and
• Providing appropriate access to sufficient staff with expert knowledge of
risk control functions and data so they are able to process ad-hoc data
report requests.
5. Risk reporting (Principles 7, 8, 9, 10 and 11)
5.1 Quantitative description
For the Principles relating to risk reporting, the results of the 2014
questionnaire were fairly similar to the results of the 2013 stocktaking
exercise.
G-SIBs generally assigned themselves higher ratings on the risk-reporting
Principles than they did on the corresponding data aggregation Principles.
As in the 2013 survey, the average reported level of compliance for Principle
11 (distribution) on the 2014 survey is the highest among all the Principles
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 93
(Table 3).
The average compliance from 2013 to 2014 slightly increased for Principle 8
(comprehensiveness), Principle 9 (clarity and usefulness), Principle 10
(frequency), and Principle 11.
Among the Principles for risk reporting, only Principle 7 (accuracy) saw an
overall deterioration in ratings from 2013 to 2014, from 2.70 to 2.67.
At least 27 banks expect to comply with Principle 8, Principle 9 and
Principle 11 by the January 2016 deadline.
Fewer banks expect to comply with Principle 7 (23 G-SIBs) and Principle 10
(24 G-SIBs) by the deadline.
For Principles 7, 10, and 11, the number of G-SIBs indicating that they
would comply by the deadline slightly decreased in comparison with the
2013 stocktaking.
For Principles 8 and 9, the number of G-SIBs indicating they would comply
by January 2016 remained the same from 2013 to 2014.
5.2 Challenges
The primary challenges G-SIBs face in this area are similar to the
challenges in complying with other Principles.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 94
This highlights the interdependencies among the Principles, and
underscores that compliance with some of the more fundamental Principles
will facilitate compliance with the risk-reporting Principles.
For Principle 7 (accuracy), the G-SIBs first and foremost identified the
difficulty in developing consistent approaches for producing accurate
manually generated reports in cases where automated reports cannot be
produced.
The banks noted that issues related to the accuracy of reports are
exacerbated during stressful periods.
The banks also noted that the frequency of reports also suffers during
stressed or crisis situations.
Most of the respondents maintained that their risk reports cover all
material risk areas within their organisations and that the scope and depth
of the reporting are consistent with the banks’ complexity, size and risk.
The banks did not note any particularly overwhelming issues with Principle
8 (comprehensiveness) in terms of establishing appropriate internal
policies and procedures to create comprehensive reports.
The more challenging issue is in the consistent monitoring of these reports
to ensure that they remain appropriately comprehensive given changes in
reporting metrics or in ensuring that reports are available on both
single-line (legal, business, particular risks etc) and aggregate/consolidated
levels.
In addition, the overarching issue of developing appropriately
comprehensive reports during stressed or crisis situations was raised.
For Principle 9, (clarity and usefulness), the banks noted a number of
challenges in establishing a common terminology within reports for
management.
The banks cited non-existent or incomplete data dictionaries, inconsistent
metadata fields, and non-integrated data taxonomies as barriers to
complying with Principle 9.
The respondents cited a number of issues regarding the development of
appropriately frequent reports (Principle 10) to board and senior
management given the nature of the risk or situation.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 95
In general, respondents noted that there is often a trade-off between speed
and accuracy/comprehensiveness in reporting, particularly for manually
created reports.
The banks noted that existing information technology infrastructure cannot
create daily aggregation reports, as some financial data are not available on
a daily basis.
As stated previously with Principle 7, manually generated reports also
present challenges in complying with Principle 10.
More specifically, resource-intensive manual processes make it difficult to
quickly provide senior management with various risk reports, particularly
those on liquidity, wholesale credit risk, and other critical credit positions
and exposures.
In terms of distributing risk management reports (Principle 11) the banks
did not greatly elaborate on the challenges and issues because many already
have procedures in place for distributing reports to senior management and
the board of directors, as appropriate, while adhering to the information
security and confidentiality Principles.
However, banks stated that some challenges exist in complying with this
Principle and ensuring a sufficiently robust reporting distribution,
particularly during stress and crisis situations.
5.3 Potential strategies for compliance
Most banks indicated that existing risk management report processes cover
material risk areas and that the scope and depth of reporting is consistent
with their complexity, size and risk profile.
In addition, banks noted that they have procedures in place for report
distribution with appropriate security practices.
Nevertheless, the G-SIBs identified a number of possible action items to
help move towards compliance with the risk reporting Principles.
In terms of improving report accuracy (Principle 7), some G-SIBs noted the
importance of:
• Developing procedures, policies, and controls to produce documents and
ensure their accuracy and clarity for both regular and crisis reporting along
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 96
with implementing reasonableness checks and identification of errors or
weaknesses.
• Improving board and senior management communication of data errors
and weaknesses in risk reporting.
To address the challenges in developing clear and useful reports (Principle
9) a number of institutions noted the need to continue developing standard
terms, glossaries or data dictionaries, focusing on concepts such as
taxonomy, data classification, and metadata as a part of the authorised data
source structure.
G-SIBs also noted the significance of periodically reviewing reports to
verify data quality so that they meet the needs of senior management.
To improve the frequency of risk data reporting (Principle 10), a number of
G-SIBs are in the process of making large-scale IT improvements such as
data warehouses, which will allow for faster capital markets risk reporting
and facilitate the reconciliation of finance and risk data.
Such IT improvements are typically developed at the consolidated or
holding company level to support the automated aggregation of credit risk
and liquidity risk data.
Moreover, the development of IT infrastructure at the
consolidated/aggregate level will typically enhance firms’ ability to
systematically aggregate exposure across disparate systems.
Other high-level initiatives that firms are undertaking to improve the
frequency of risk data reporting include establishing data management
offices and improving data interfaces/databases in the course of completing
large-scale IT projects.
Most of the firms noted that risk management reports are distributed
(Principle 11) to the relevant recipients with the appropriate controls over
security and confidentiality.
Several firms noted the need to:
• Develop or enhance the governance and documentation of distribution
procedures and data confidentiality arrangements;
• Implement additional report access controls across risk types with regards
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 97
to report viewing and distribution; and
• Create information security policies for the distribution of management
reports, which includes the use of secured media such as collaborative
workspaces and encrypted e-mails.
6. Self-assessments by other large banks
As in 2013, Basel Committee member jurisdictions were invited to include
other large banks (ie non-G-SIBs) in the exercise.
In 2014, this sample included six other large banks from four countries.
Taking into account the limited sample, these six banks may not be
representative of all other large banks.
In addition the sample is not the same as in the 2013 exercise (having only
four banks in common) and it is therefore difficult to assess year-by-year
progress towards full compliance by 2016 in this section.
As seen in Graph 5, no bank rated itself as non-compliant with any of the
Principles.
The three Principles with the lowest reported compliance were Principle 2
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 98
(data architecture/IT infrastructure), Principle 3 (accuracy and integrity for
risk data aggregation) and P7 (accuracy for risk reporting). Half of the
banks rated themselves as materially non-compliant on Principles 2 and 7.
The Principles for which banks reported the highest compliance pertained
to reporting: Principles 8 (comprehensiveness), 9 (clarity and usefulness)
and 11 (report distribution).
Only three banks expected to comply with the all the Principles by January
2016 or before.
7. Discussions with industry
In a similar exercise after the 2013 stocktaking, the WGSS engaged in an
industry discussion regarding the some of the preliminary results of the
2014 survey.
The industry provided a number of explanations regarding the number of
ratings changes, both upgrades and downgrades, from 2013.
They mentioned that despite the numerous quantitative ratings
downgrades, there has been progress in complying with the RDARR
Principles.
Industry representative stated that their boards of directors and senior
management are acutely aware of the importance of RDARR, and that there
is generally a higher level of understanding of the Principles.
They also maintain that effective RDARR is an ongoing process and that
there is much work to be done to comply with the Principles by the January
2016 and beyond.
In terms of the challenges that banks face in attempting to comply with the
Principles, the industry panel indicated that the completion of large-scale
IT infrastructure projects will aid in complying with the Principles.
However, large scale IT projects are dependent on many smaller dependent
IT projects, which increases execution risk.
Also contributing to execution risk is the lack of subject matter experts to
improve RDARR processes.
Moreover they indicated the changing regulatory landscape, and
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 99
consequent required reporting, further complicates the execution of IT
projects.
Industry members noted that the completion of these projects will improve
business-as-usual RDARR, which will improve, but not completely resolve,
challenges in risk reporting during periods of stress.
Among the greatest challenges in risk reporting during periods of stress is
the over-reliance of manually-created reports and developing processes and
procedures for developing such reports when automated reports cannot be
developed.
8. Supervisory assessment
Based on their knowledge of participating G-SIBs, supervisors indicated
that the questionnaire results broadly reflect the current state of
implementation.
They also found the ratings to be generally credible, and consistent with
their understanding of the G-SIBs’ data aggregation and reporting
capabilities.
Nevertheless, outcomes in this paper are based on self-assessments by
banks that were conducted on a best-efforts basis.
Moreover, the ratings assigned as part of the self-assessment process may
have been interpreted inconsistently across banks.
In addition, although national supervisors reviewed responses and
discussed them with banks in their jurisdictions much more thoroughly in
2014 than in the 2013 stocktaking, they were not asked to validate the
accuracy of the ratings or comments, nor did they assess the potential
differences in the level of rigour applied by each bank or the differences in
home/host supervisory approaches.
Through their responses, the banks demonstrated that they understand the
importance of the Principles and are committed to enhancing their risk
data aggregation and risk-reporting capabilities.
In comparison with the 2013 stocktaking, the G-SIBs noted a number of
ratings increases and decreases for most of the Principles in the 2014
survey.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 100
It is possible that the number of downgrades that banks reported for
various Principles highlighted the banks’ growing understanding of the
Principles and the challenges that remain in complying with them.
Based on the review of the qualitative responses to many of the 2014 survey
questions, it appears the G-SIBs have extensive work to do before they can
comply with some of the RDARR Principles, principally those covering
governance and data aggregation.
Regarding the compliance date, the results of the 2014 questionnaire raise
some concerns that banks intending to comply by the January 2016
deadline may be overly ambitious.
For instance, several G-SIBs have rated themselves as materially
non-compliant with several Principles, yet expect to comply by the January
2016 deadline.
More specifically, 15 G-SIBs rated themselves as materially non-compliant
with Principle 3; however, 10 of those G-SIBs expect to meet the deadline.
Given the complexity of large-scale IT infrastructure projects, it may be
difficult for some banks to achieve compliance by 2016.
Regardless of how the banks rated themselves in the 2014 questionnaire
(materially non-compliant or otherwise), it would appear that a number of
firms will find it difficult to fully comply with the Principles by 2016,
judging from a review of the work that remains to be done.
G-SIBs generally assigned themselves higher ratings for the Principles
relating to risk reporting than they did on those relating to data aggregation
or governance.
While the banks may have adequate processes and procedures in place for
report distribution, they may be overstating their level of compliance.
This is particularly true given their continued reliance on manually
produced reports, particularly in stressed or crisis situations, as well as for
assessing emerging risks.
It is still questionable how reliable and useful these banks risk reports can
be when the data within these reports and the procedures and processes to
produce them are in need of improvements.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 101
Results showed that there remain some significant common challenges to
full compliance with the Principles:
• Banks’ dependence on manual processes;
• The need to develop common data dictionaries and data taxonomies; and
• The inability to create accurate and timely risk data reports during
stressed or crisis situations.
Notwithstanding this, many G-SIBs stated that they do not anticipate any
material negative impact from compliance gaps, or they maintain that their
manual processes are adequate stop-gaps.
9. Conclusion: supervisory plans and recommendations
Supervisory authorities have indicated that they have a variety of
supervisory tools ranging from information-gathering powers to the
enforcement of penalties and capital add-ons if their regulated G-SIBs or
D-SIBs fail to comply with the Principles.
However, a number of supervisory authorities indicated that the
application of specific tools depends on the nature of the issue and its
impact on supervisory objectives.
There is no uniform strategy among authorities for applying any specific
tool, and their responses indicated that they are likely to follow a risk-based
assessment of compliance with the Principles to determine the most
appropriate supervisory tools to apply.
Based on the results noted above, the WGSS has six recommendations for
supervisors to support the timely implementation of the Principles.
Furthermore, it is suggested that these recommendations be published as
part of the public report (Annex 2).
1. Supervisory authorities which have not yet introduced any changes to the
broader supervisory framework to implement the Principles should
consider the feasibility of introducing such changes.
Those supervisory authorities who share a common regulatory framework
with regional supranational authorities should introduce common
guidance.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 102
2. Supervisory authorities regulating D-SIBs which have not yet engaged
with their D-SIBs should enter into initial discussions to assess how their
D-SIBs will implement the Principles within the three-year time frame after
they are designated as D-SIBs.
3. Supervisory authorities should ensure that the banks’ senior
management and boards of directors are directly involved in assessing
progress in implementation, as well as in identifying and enabling timely
resolution of any obstacles to full implementation by 2016.
4. Supervisory authorities should leverage the self-assessment
questionnaire, as well as the results and other information provided by the
WGSS, to enhance their oversight of progress in implementation.
This could involve, among other things, conducting their own assessments
of progress, using the WGSS survey questions as a template.
Likewise, supervisors could use the results to benchmark progress or
conduct peer comparisons.
5. The results of the banks’ self-assessments have not been validated by
supervisors.
However, supervisory authorities should not wait until the implementation
deadline to review the results, build assessments of their validity into
supervisory programmes, and take action as needed to enable timely
implementation.
Supervisory authorities should review the results of the bank
self-assessment survey in developing strategies to assess progress, in
particular, large year-over-year changes for individual banks.
Finally, given the results of the self-assessment and discussions with
industry, the following three topics should be discussed in depth:
(a) Timely implementation of IT architecture, as well as banks’ tactical
mitigants while longer-term strategic solutions are being developed;
(b) The desired balance between automated and manual systems; and
(c) Quality controls in place.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 103
6. Finally, supervisory authorities should continue to actively exchange
information on how they intend to facilitate compliance, or remedy
non-compliance.
Annex 1: 31 G-SIBs participating in the 2014 survey
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 104
Annex 2: List of 11 Principles and 35 requirements in 2014 survey
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 105
Building a culture of trust in the financial
industry
Opening address by Mr Ravi Menon, Managing
Director of the Monetary Authority of Singapore, at the
Monetary Authority of Singapore-Singapore Academy
of Law Conference, Singapore, 23 January 2015.
Chief Justice Sundaresh Menon, Justice Steven Chong, Mr Timothy
Massad, Chairman, US Commodity Futures Trading Commission,
Distinguished guests, colleagues, ladies and gentlemen,
Bad behaviour in finance
Six years ago, the Global Financial Crisis tipped national economies into
recession and brought to their knees some of the most hallowed names in
the financial industry.
But the biggest casualty of the Crisis could well be trust:
-
trust between regulators and financial institutions;
-
trust among financial institutions; and
-
trust that the public places in the financial industry - that their bankers
are honest and their financial advisors are acting in the best interest of
their clients.
And six years after the Crisis broke, the global industry continues to be
dogged by shocking revelations of financial malfeasance, mis-selling, and
dishonesty.
-
In the US, large banks are paying billions of dollars to settle charges
against them for mis-selling mortgage-backed securities which led to
massive losses for their buyers.
-
In the UK, over 13 million complaints have been made against retail
banks for the aggressive mis-selling of so-called Payment Protection
Insurance (PPI).
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 106
-
We read of traders in banks circumventing internal rules to make
outsized market bets that subsequently resulted in large losses for these
banks.
-
And in financial centres across the world, including Singapore,
regulators have uncovered attempts by traders at several major global
banks to manipulate key financial benchmarks used to set rates for
loans and foreign exchange contracts.
Little wonder that global surveys show that levels of trust in the financial
industry are lower than ever.
-
According to Edelman, a public relations firm, banking and financial
services ranked last among 15 industries that the public trusted "to do
what is right".
-
In countries most affected by the financial crisis and its aftermath,
levels of trust are lower still - barely 30% of the public in Europe trust
their banks.
Why trust is critical to finance
Financial products and transactions can be quite complex and information
asymmetries often place financial institutions in a more advantageous
position compared to their customers.
-
Trust that the bank is sound is critical for savers to keep their monies in
bank accounts and for borrowers to make long term investment
decisions.
-
Trust that financial advisers and insurance agents are dealing fairly is
important for consumers committing large portions of their savings for
a long period of time.
-
Trust that asset managers and investment brokers are acting in the
clients' interest and not front-running them is key to the investment
process.
The licensing and regulation of financial institutions confers a degree of
legitimacy on them. But being a bank, an insurance company or a capital
markets intermediary is not just about holding an official stamp to collect
and manage funds.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 107
-
As Mark Carney puts it, financial institutions also need a social licence
to operate. 2
-
They earn this social licence through a track record of exemplary
conduct and a reputation for integrity and prudence.
-
Their obligations towards their customers and counterparties must be
based on not just a contractual obligation but a moral one as well.
Getting the culture right
What accounts for the repeated cases of misconduct in the global financial
industry?
Weaknesses in governance, risk management, and operational controls
have allowed unbridled risk-taking and encouraged some individuals to
push, and in several cases, break the bounds of what is permissible.
Since the financial crisis, the international regulatory community has
issued directions and guidance to tighten financial institutions' governance
standards and curb excessive risk-taking.
But weaknesses in governance and control, grave as they were in some
financial institutions, cannot fully account for the spate of misconduct.
There are deeper issues of trust, ethics and culture in the financial industry
that we need to confront.
First, finance is at risk becoming more "de-personalised".
Long-term relationships with customers are being replaced by more
transient transactions with counterparties.
-
Raghuram Rajan observes how increasing product complexity and
reliance on technology has created a detachment from the customer.
-
It ultimately leads to a reductionist view of finance where "money is the
measure of all worth", a state that is hardly conducive for ethical
conduct.
Second, compensation structures tend to over-emphasise profits as
performance measures.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 108
Excessive focus on sales targets and commissions has incentivised a
"trading mentality" which is often associated with too much risk taking or
scant regard for client interests or the sustainability of relationships.
Third, and more fundamentally, departures from ethical conduct are too
easily tolerated as the norm.
-
-
In a global survey of financial sector executives by the Economist
Intelligence Unit, more than half the respondents felt that their career
progression would be difficult without being "flexible on ethical
standards".
If you look at the email and chat room messages between traders
involved in the rigging of financial benchmarks, they betray a lack of
any sense of guilt or wrong-doing.
-
In fact, traders were congratulating and complimenting each other on
their manipulation.
-
And when subsequently questioned by their superiors or regulators,
they offered an array of self-justifications, chief of which is "everybody
does it".
But everybody does not do it.
I believe the vast majority of people working in the financial industry are
committed to serving their clients or customers fairly and with integrity.
But the unethical actions of a few have undermined trust and created
instability.
Reform of the financial industry will not be complete until this issue of trust
and ethics is addressed.
This requires "getting the culture right".
And by culture, I mean the shared values, attitudes and norms that guide
actions.
There is increasing international regulatory guidance to improve risk
governance and align compensation schemes with long-term sustainability
and customer interests.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 109
This is necessary but not sufficient. There are limits to what externally
imposed rules can do to promote the right values in financial firms.
-
Because culture develops from within a firm, it invites a certain
resonance from the members of that firm - in a way that will be difficult
for an externally imposed set of rules to achieve.
-
For the same reason, the behavioural norms that a firm's culture and
value system promotes are more amenable to internal governance and
self-policing than rules that rely on external enforcement.
In short, rules tell us what we can do, but values tell us what we should do.
A mechanistic compliance with rules cannot be an adequate substitute for
an internalised sense of responsibility and basic morality that a finance
professional owes to his client or counterparty.
How can we build a culture of trust and strong values in the financial
industry?
We need an ecosystem to do so - with a role for regulators, the industry, and
most important, the firm itself.
What can regulators do?
First, the role of regulators.
The international regulatory community has been intensifying efforts to
ensure that financial institutions foster a sound risk culture and conduct
themselves in a prudent and socially responsible manner.
But instituting a good risk culture is not merely about slapping on more
rules or adopting a perfunctory, checkbox approach to compliance.
MAS therefore takes an intensive supervisory approach to risk governance
and culture in financial institutions.
We prefer this to an overly prescriptive regulatory approach based on
one-size-fits-all rules that may be less effective in addressing idiosyncratic
risks.
Financial firms differ widely in goals, activities, and culture.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 110
Instead, close supervision - consisting of both onsite inspections and offsite
reviews - provides MAS with a good view of a firm's risk governance and
culture and practices on the ground.
This allows us to assist the board and management in identifying emerging
areas of vulnerabilities and to take pre-emptive corrective actions where
necessary.
Let me cite two areas we focus on: compensation and fair dealing.
Compensation is an important mechanism to shape incentives and
behaviours.
Compensation structures must motivate not only high performance but also
high ethical standards.
-
Some jurisdictions have placed restrictions on bonus payments - how
much can be paid or over how long a period.
MAS has put in place rules and guidelines that are consistent with the
Financial Stability Board's principles for sound compensation practices.
They require the compensation of a bank executive to be aligned with not
only the risks that the bank undertakes, but the time horizon of those risks.
But we have chosen not to cap bonus payments or be overly prescriptive in
our rules.
Such measures may have unintended consequences or could be easily
circumvented.
Instead, MAS has stepped up its supervisory intensity of financial
institutions' overall compensation policies and practices.
-
We assess the effectiveness of the firm's compensation system, its
relationship with the firm's governance framework, and its impact on
risk-taking behaviour.
-
We intend to conduct deeper-dive reviews, to examine how a firm
makes compensation decisions in practice, as well as the extent to which
the firm's board and management deal with issues relating to
compensation and risk culture.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 111
A second area of focus is fair dealing: are firms dealing fairly with
customers?
MAS has issued guidance on fair dealing principles and outcomes that
financial firms should achieve.
-
We assess whether the board and management have put in place
initiatives to foster a corporate culture of fair dealing.
-
We evaluate the processes in place to ensure that clients and customers
are offered products and services that suit their needs.
-
We monitor the volume of customer complaints of mis-selling and
examine how complaints are dealt with.
What can industry do?
But even the most intrusive supervision can only go so far in promoting a
culture of ethics.
The industry must itself take collective responsibility to promote higher
ethical standards.
It is better that industry develops codes of good conduct that take into
account operational realities that they know best and that holds firms
accountable to their peers, than wait for the regulator to set rules that may
be impractical or too onerous.
The industry has already begun to do so.
-
In the UK, high street banks have set up the Banking Standards Review
Council (BSRC), which aims to work with the industry to improve
banking practices in three broad areas: culture, competence and
customer outcomes. Participating banks will be required to commit to a
programme of improvement and report to the BSRC on their
performance every year.
-
In the Netherlands, the Dutch Banking Association is exploring plans
for a disciplinary system for ethics violations, similar to what the
medical profession is subject to.
I am pleased to note that in Singapore, our industry associations have not
lagged behind.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 112
The Association of Banks in Singapore (ABS) has published guidance for its
member banks and minimum service standards that customers can expect
from their banks.
-
The Code of Consumer Banking Practice commits member banks to
treat their customers "fairly and reasonably".
-
A separate Private Banking Code of Conduct sets out standards for
financial advisors, not only for professional competency but ethical
conduct as well.
The Singapore Foreign Exchange Market Committee (SFEMC), an industry
association of major foreign exchange market participants, has published a
guide to conduct and market practices for treasury activities.
More commonly known as the Blue Book, the guide has recently been
updated with instructions on the governance, requirements on professional
conduct and best practices for participants in benchmark rate settings.
The industry could consider going further in promoting and reinforcing
ethical standards and good practices:
-
Industry may want to consider a mechanism or process by which firms
could be benchmarked against and held accountable to industry
standards on ethical behaviour and professional conduct.
-
Industry may also want to conduct periodic surveys on stakeholders'
views on risk culture, governance, and market conduct, to help identify
potential blind spots and emerging areas of risk.
What can firms do?
But ultimately it is the financial institution that must bear responsibility for
getting the culture right.
This requires setting the right moral tone from the top.
Many financial firms have issued values statements and codes of conduct
espousing principles, norms and behaviours that apply universally across
the firm.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 113
It is important to have such a tangible point of reference for standards of
conduct, but setting the right tone requires more than lofty exhortations for
good behaviour.
First, lead by example. Management must take time and effort to clearly
articulate the firm's core values and purpose.
They have to demonstrate commitment and credibility by "walking the talk"
with concrete policies, processes and actions.
The firm's leaders must themselves be seen to be guided by those same
qualities they want their staff to emulate.
And programmes to build a culture of trust and ethics cannot be a one-off
exercise to fend off bad publicity or to placate the regulator.
Shaping culture demands a sustained effort.
Second, create a safe environment for whistle-blowing. This means
providing the necessary mechanisms to challenge, question, and report
ethical breaches.
-
A number of banks in Singapore have put in place new channels for
whistleblowing and enhanced the escalation and investigation processes
to facilitate staff reporting.
Third, align human resource policies to a culture of trust and ethics.
I have already mentioned compensation as being an important way to
create incentives for the right behaviour.
But the incentives for ethical conduct must go beyond compensation and
encompass all HR policies: recruitment, on-boarding, appraisal, training
and coaching, promotion, and career development.
-
An organisation's HR policies and practices are the clearest
demonstration of its value system, the qualities it regards as important.
-
In financial firms, it is important that these policies and practices dispel
the perception of good ethics as a constraint on profitability or hurdle to
career advancement.
We are beginning to see some progress.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 114
-
Performance appraisals in some banks now take into account how an
employee's conduct is consistent with the banks' avowed principles and
values.
-
Others have developed balanced scorecards for remuneration that go
beyond traditional measures of financial performance to include
indicators relating to culture and controls.
-
Yet others take into account a business unit's record on compliance,
customer experience, internal audit findings and other relevant
considerations to underscore the organisation's behavioural
expectations of staff.
Conclusion
Let me conclude.
The global financial industry's standing with the public is at an inflection
point.
It could continue a downward spiral of mistrust with yet more egregious
misconduct, or it could seize this opportunity to restore high ethical
standards.
Thankfully, we are in a better place in Singapore.
The financial industry here is generally well regarded and trusted.
But we have not been immune to some of the egregious practices in global
finance, for example, attempts to manipulate financial benchmarks and the
mis-selling of financial products.
We must be on our guard, and work to further strengthen ethical standards
and a culture of trust in the industry.
-
We must foster a culture in the industry that looks beyond the question
"is this legal?" to the larger question "is this right?".
-
For without sound ethics, there can be no trust. Without trust, there can
be no confidence. And without confidence, there can be neither growth
nor stability.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 115
We are gathered here to discuss the future of financial market regulation.
May I suggest that restoring a culture of trust based on strong ethical
standards is imperative to securing a bright future for a purposeful financial
industry.
Thank you and I wish you all fruitful deliberations.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 116
DHS Releases 2014 Travel and
Trade Statistics
DHS released its 2014 year-end comprehensive travel and trade-related
statistics from the Transportation Security Administration (TSA) and U.S.
Customs and Border Protection (CBP).
“DHS employees stand on the front lines protecting our nation from
dangerous contraband and people, while ensuring the free flow of lawful
trade and commerce—just two aspects of our mission,” said Secretary Jeh
C. Johnson.
“This is critically important work, and our employees’ achievements are
self-evident: in 2014, the TSA screened more than 650 million passengers,
nearly 1.8 million each and every day, while CBP processed 31 million
imports, $2.4 trillion in trade, and 374 million travelers.
I salute our employees’ efforts that have led to these important successes.”
TSA Record-Breaking Year
TSA continues to enhance its layered security approach through
state-of-the-art technologies, improved passenger identification
techniques, and best practices to strengthen transportation security across
all modes of transportation.
TSA continued to expand TSA Pre✓®, its expedited screening program
that allows low-risk travelers to leave on their shoes, light outerwear and
belt, keep their laptop in its case and their 3-1-1 compliant liquids and gels
in their carry-on in select screening lanes.
Through risk-based initiatives such as TSA Pre✓®, TSA provides effective
security while gaining efficiencies and improving the travel experience for
millions of passengers each week.
This past year, 120 new TSA Pre✓® lanes were added and TSA Pre✓®
operations began at 11 new airports. Today, TSA Pre✓® has more than 600
lanes at 125 U.S. airports.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 117
TSA had a busy year in 2014, screening 653,487,270 passengers (nearly 1.8
million per day), which is 14,781,480 more passengers than 2013.
TSA screened more than 443 million checked bags and nearly 1.7 billion
carry-on bags.
Nationwide, fewer than one percent (0.32) of passengers waited in a line
longer than 20 minutes.
The TSA Pre✓® application program, which began in December 2013,
enrolled over 800,000 travelers in 2014.
In addition to these enrollments, CBP trusted travelers — those enrolled in
other trusted traveler programs such as Global Entry, NEXUS and SENTRI
— are also automatically eligible for TSA Pre✓®.
Over 40 percent of passengers screened received some form of expedited
screening in 2014.
Protecting the Public: Firearm Seizures
TSA officers continue their vigilance in protecting our nation’s
transportation systems, including catching unusual and dangerous items at
the checkpoints, including firearms.
In 2014, 2,212 firearms were discovered in carry-on bags at checkpoints
across the country, averaging over six firearms per day. Of those detected,
83 percent were loaded.
There was a 22 percent increase in firearm discoveries from 2013’s total of
1,813.
In the same period, more than 1,400 firearm components, replica firearms,
stun guns, and other similar dangerous objects were discovered by TSA in
carry-on luggage.
The top five airports for firearm discoveries in 2014 were:
Dallas/Fort Worth International: 120
Hartsfield-Jackson Atlanta International Airport: 109
Phoenix Sky Harbor International Airport: 78
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 118
Houston George Bush Intercontinental Airport: 77
Denver International Airport: 70
Travel Facilitation Supporting Economic Prosperity
CBP has supported President Obama’s National Travel and Tourism
Strategy to expand the nation’s ability to attract and welcome international
visitors while maintaining the highest standards of security.
CBP officers processed more than 374 million travelers at air, land, and sea
ports of entry in 2014, an increase of four percent from the previous year.
More than 107 million international travelers arrived at U.S. airports, an
increase of 4.7 percent from the previous year.
Despite the continued increase in international air travelers, average wait
times were down 13 percent at the top 10 airports.
At John F. Kennedy International Airport, the airport with the most
passenger volume in the United States, the average wait time in 2014 was
down 28 percent from 2013.
Utilizing Technology to Improve the Passenger Experience
CBP officers are responsible for carrying out the complex and demanding
mission of securing and expediting international trade and travel at all
ports of entry.
CBP’s Resource Optimization Strategy is transforming the way CBP does
business in land, air, and sea environments.
As a result, the agency continues to implement advancements in technology
and automation at ports of entry.
In 2014:
CBP installed Automated Passport Control kiosks in 22 locations to
streamline the traveler inspection process, reduce wait times, and enhance
security.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 119
At some Automated Passport Control locations, wait times decreased by as
much as 25 to 40 percent.
CBP also launched Mobile Passport Control, the first CBP smartphone app
that expedites the entry process for U.S. citizens and Canadian visitors by
providing an automated process through the CBP Primary Inspection area.
The app, which is part of a pilot program, is free for travelers arriving at
Hartsfield-Jackson Atlanta International Airport and is expected to expand
to more airports later this year.
CBP announced additional partnerships to promote trade and travel.
In July, CBP announced initial selections for 16 new reimbursable services
agreements under Section 559 of the Consolidated Appropriations Act of
2014.
Reimbursable services under Section 559 include customs, agricultural
processing, border security services, and immigration inspection-related
services at ports of entry.
Additionally, CBP’s five partnerships established under Section 560,
Dallas-Fort Worth International Airport, the City of El Paso, the South
Texas Assets Consortium, the Houston Airport System, and the
Miami-Dade County in Florida will provide new or enhanced port
processing services on a reimbursable basis.
A decrease in the average wait times at these locations is directly
attributable to these partnerships with wait times decreasing by 15 percent
at Miami International Airport, 24 percent at Houston George Bush
Intercontinental Airport, and 40 percent at Dallas-Fort Worth
International Airport.
The automation of the I-94 Arrival/Departure Record has greatly improved
the traveler experience while saving the U.S. government an estimated
$34.5 million over the past two years.
Trusted Traveler Programs
CBP’s Trusted Traveler Programs, which provide expedited travel for
pre-approved, low risk travelers through dedicated lanes and kiosks,
reached record enrollments in 2014.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 120
An additional 1.25 million people enrolled in the agency’s Trusted Traveler
Programs (Global Entry, SENTRI, NEXUS and FAST) in 2014 to bring total
enrollment to more than 3.3 million members.
Global Entry, the agency’s largest program with more than 1.7 million
members, is operational at 42 U.S. airports and 12 Preclearance locations;
these locations serve 99 percent of incoming travelers to the United States.
CBP added nine Global Entry kiosk locations in 2014 and enrolled its one
millionth member in NEXUS, a program providing expedited travel
between the U.S. and Canada.
Preclearance Expansion
Through Preclearance, the same immigration, customs, and agriculture
inspections of international air passengers performed on arrival in the
United States can instead be completed before departure at foreign
airports.
This not only reduces wait times, but allows the United States and our
international partners to jointly identify and address threats at the earliest
possible point, before arriving in the United States.
In January 2014, CBP expanded Preclearance operations to a 15th location,
Abu Dhabi International Airport.
More than 16 million travelers went through one of CBP’s Preclearance
locations in Canada, Ireland, the Caribbean, and the United Arab Emirates
in 2014, accounting for 15 percent of total international air travel that year.
Trade Facilitation
In 2014, CBP processed more than $2.4 trillion in trade, an increase of
more than four percent from 2013, while enforcing U.S. trade laws that
protect the nation’s economy and the health and safety of the American
public. CBP also processed more than 31 million imports.
China, Canada and Mexico remain the top three U.S. import trading
partners. Special programs and Free Trade Agreements represented
approximately 30 percent of total U.S. imports, with the North American
Free Trade Agreement (NAFTA) and the recently enacted South Korean
Free Trade Agreement leading the way.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 121
Duty collection remains a CBP priority and the agency collected more than
$34 billion in duties in 2014, an increase of two percent from 2013.
In addition, CBP processed more than $1.6 trillion worth of U.S. exported
goods, an increase of four percent from 2013.
In 2014, CBP processed more than 25.7 million cargo containers through
the nation's ports of entry, up 4.5 percent from 2013.
In 2014, CBP conducted more than 23,000 seizures of goods that violated
intellectual property rights, with a total retail value of $1.2 billion.
For example, CBP seized more than $10 million in counterfeit Beats by Dre
headphones, more than $1 million in counterfeit Gibson, Les Paul, Paul
Reed Smith and Martin guitars, and more than $1 million in counterfeit
soccer apparel with fake Arsenal, Barcelona, Celtic, Chelsea, and Real
Madrid trademarks.
Modernizing Trade Systems
The importation of goods into the United States is generally a two-part
process consisting of
1) filing the cargo release documents necessary to determine whether
merchandise may be released from CBP custody, and
2) filing the entry summary documents that pertain to merchandise
classification, duty, taxes, and fees.
CBP has made several enhancements to its import and export processing
system, the Automated Commercial Environment (ACE).
CBP continues to move from paper and legacy system requirements to
faster, modernized and more cost-effective electronic submissions.
This past year:
CBP launched new cargo release and entry summary functionality for its
users, and incorporated the processing of export shipments into the ACE
system.
The new entry summary functionality included enhanced system
validations that increase the accuracy of trade-submitted data.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 122
This implementation has helped increase the number of entry summaries
filed in ACE, rather than the legacy system, to over 40 percent.
Incorporating export processing into ACE also resulted in the processing of
imports and exports in the same, modernized system.
This created a single processing system for export data, which has improved
the ability of CBP to facilitate the flow of goods out of the country.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 123
Disclaimer
The Association tries to enhance public access to information about risk and
compliance management.
Our goal is to keep this information timely and accurate. If errors are brought to
our attention, we will try to correct them.
This information:
is of a general nature only and is not intended to address the specific
circumstances of any particular individual or entity;
should not be relied on in the particular context of enforcement or similar
regulatory action;
-
is not necessarily comprehensive, complete, or up to date;
is sometimes linked to external sites over which the Association has no
control and for which the Association assumes no responsibility;
is not professional or legal advice (if you need specific advice, you should
always consult a suitably qualified professional);
-
is in no way constitutive of an interpretative document;
does not prejudge the position that the relevant authorities might decide to
take on the same matters if developments, including Court rulings, were to lead it
to revise some of the views expressed here;
does not prejudge the interpretation that the Courts might place on the
matters at issue.
Please note that it cannot be guaranteed that these information and documents
exactly reproduce officially adopted texts.
It is our goal to minimize disruption caused by technical errors.
However some data or information may have been created or structured in files or
formats that are not error-free and we cannot guarantee that our service will not
be interrupted or otherwise affected by such problems.
The Association accepts no responsibility with regard to such problems incurred
as a result of using this site or any linked external sites.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 124
The International Association of Risk and Compliance
Professionals (IARCP)
You can explore what we offer to our members:
1. Membership – Become a standard, premium or lifetime member.
You may visit:
www.risk-compliance-association.com/How_to_become_member.htm
If you plan to continue to work as a risk and compliance management
expert, officer or director throughout the rest of your career, it makes
perfect sense to become a Life Member of the Association, and to continue
your journey without interruption and without renewal worries.
You will get a lifetime of benefits as well.
You can check the benefits at:
www.risk-compliance-association.com/Lifetime_Membership.htm
2. Weekly Updates - Subscribe to receive every Monday the Top 10 risk
and compliance management related news stories and world events that
(for better or for worse) shaped the week's agenda, and what is next:
http://forms.aweber.com/form/02/1254213302.htm
3. Training and Certification - Become
a Certified Risk and Compliance
Management Professional (CRCMP) or a
Certified Information Systems Risk and
Compliance Professional (CISRSP).
The Certified Risk and Compliance
Management Professional (CRCMP)
training and certification program has
become one of the most recognized
programs in risk management and compliance.
There are CRCMPs in 32 countries around the world.
Companies and organizations like IBM, Accenture, American Express,
USAA etc. consider the CRCMP a preferred certificate.
You can find more about the demand for CRCMPs at:
www.risk-compliance-association.com/CRCMP_Jobs_Careers.pdf
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 125
You can find more information about the CRCMP program at:
www.risk-compliance-association.com/CRCMP_1.pdf
(It is better to save it and open it as an Adobe Acrobat document).
For the distance learning programs you may visit:
www.risk-compliance-association.com/Distance_Learning_and_Certificat
ion.htm
For instructor-led training, you may contact us. We can tailor all programs
to specific needs. We tailor presentations, awareness and training programs
for supervisors, boards of directors, service providers and consultants.
4. IARCP Authorized Certified Trainer
(IARCP-ACT) Program - Become a Certified Risk
and Compliance Management Professional Trainer
(CRCMPT) or Certified Information Systems Risk
and Compliance Professional Trainer (CISRCPT).
This is an additional advantage on your resume,
serving as a third-party endorsement to your knowledge and experience.
Certificates are important when being considered for a promotion or other
career opportunities. You give the necessary assurance that you have the
knowledge and skills to accept more responsibility.
To learn more you may visit:
www.risk-compliance-association.com/IARCP_ACT.html
5. Approved Training and Certification Centers
(IARCP-ATCCs) - In response to the increasing
demand for CRCMP training, the International
Association of Risk and Compliance Professionals is
developing a world-wide network of Approved Training
and Certification Centers (IARCP-ATCCs).
This will give the opportunity to risk and compliance managers, officers and
consultants to have access to instructor-led CRCMP and CISRCP training at
convenient locations that meet international standards.
ATCCs use IARCP approved course materials and have access to IARCP
Authorized Certified Trainers (IARCP-ACTs).
To learn more:
www.risk-compliance-association.com/Approved_Centers.html
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
Fly UP