International Association of Risk and Compliance
Professionals (IARCP)
1200 G Street NW Suite 800 Washington, DC 20005-6705 USA
Tel: 202-449-9750 www.risk-compliance-association.com
Top 10 risk and compliance management related news stories
and world events that (for better or for worse) shaped the
week's agenda, and what is next
Dear Member,
I will ask you 3 questions:
1. What is the difference between
information leakage and data breach?
Information leakage relates to a set of
threats that emerge due to unintentional
or maliciously triggered revelation of
valuable information (personal data,
credentials, security related information,
etc.) to an unauthorised party.
Information leakage is different from
data breach, in that it mainly concerns exploitation of technical and
organisational weaknesses to obtain information that is then fed to other
attacks.
2. Is cyber espionage a technical or a tactical approach?
With the term cyber espionage we refer mainly to APTs (Advanced
Persistent Threats) and Targeted Attacks, initiated by threat agents with
very high capabilities, resources and motivation.
Cyber espionage consists of a combination of threats. It combines tools and
tactics. It is rather a tactical approach than technical.
The reconnaissance phases may persist over a very long time period, while
attribution is very difficult, especially in case of state sponsored espionage.
We have an increase in focus, sophistication and persistence.
3. What is ransomware / scareware?
Ransomware belongs to the family of malware threats. It is gaining
importance as a malicious tool, in particular for mobile devices.
Advancements in functionality of ransomware have shown up after the
announcement of a Trojan encryption tool for sale in underground market
for Android. The first mobile malware embracing this functionality has
already been detected.
All ransom attempts have used social engineering techniques to exert
pressure on the victims.
It is interesting to observe how protective functions of mobile devices have
been misused to block phones and require a ransom: by attacking the Apple
ID on iOS devices, adversaries managed to completely block the device and
ask for money to unlock the device.
The ransomware threat can create damage, especially to businesses, while
it is highly profitable for cyber-criminals.
Research has shown that ca. 3% of victims pay a ransom.
Interesting developments…
All these issues are discussed at the ENISA Threat Landscape 2014. Learn
more at Number 3 below.
We rely on a stable, safe, and resilient cyberspace. We rely on this vast array
of networks to communicate and travel, power our homes, run our
economy, and provide government services.
Yet cyber intrusions and attacks have increased dramatically over the last
decade, exposing sensitive personal and business information, disrupting
critical operations, and imposing high costs on the economy.
You must download (no cost, no registration) and read a very interesting
book that covers cybersecurity and “The Digital Revolution in Banking”
(The Group of Thirty, Gail Kelly):
“A loss of trust in a player in the financial system usually results in the rapid
withdrawal of customer deposits, a rapid rise in counterparty collateral
levels, and a refusal to deal.
Digital technologies potentially exacerbate the impact of a loss of trust.
It is already conceivable, for example, that a “run” on a bank might
originate on social media and occur on mobile phones.
In a digital environment, such a “run” could occur at any time and spread
with astonishing speed.
With real-time settlement processes in place, enormous shifts of funds will
be able to be effected in virtually no time.
Flows of cash in and out of individual institutions can already happen
quickly.
They will be able to happen much more rapidly in a digital environment.
This is likely to encourage more precipitate behaviors by market
participants seeking to manage counterparty risk and, consequently, the
capacity for even more rapid intervention, when required, by market
regulators.
Given the importance of community trust in the safety of the banking
system, even the most technically complex of these issues should not be left
for technical specialists alone to solve.
Bank executives, policy makers, and regulators will all need to be satisfied
that customer data are adequately protected and that commerce that relies
on electronic exchange can be safely conducted.
A high level of engagement and collaboration, locally and globally, is likely
to be required to develop enduring solutions.
Trust is a fundamental feature of the financial system and a precondition
for its successful operation.
As it has developed so far, the digital world offers very different trust
propositions.
As the two worlds collide, we need to be very sure that the central elements
of the financial system that create trust are not compromised.”
What? Have you seen the “as the two worlds collide”? It is like a James
Bond movie, but is also part of our job.
“Skyfall is where we start
a thousand miles and poles apart
where worlds collide and days are dark.”
To make it worse, what do they mean when they say “A thousand miles and
poles apart”?
Hint: The distance from Berlin to Moscow is 999.31 miles and the Poles live
between the cities. Spooky!
Read more at Number 5 below. Welcome to the Top 10 list.
Best Regards,
George Lekatis
President of the IARCP
General Manager, Compliance LLC
1200 G Street NW Suite 800,
Washington DC 20005, USA
Tel: (202) 449-9750
Email: [email protected]
Web: www.risk-compliance-association.com
HQ: 1220 N. Market Street Suite 804,
Wilmington DE 19801, USA
Tel: (302) 342-8828
United States – European Union
Financial Markets Regulatory
Dialogue Joint Statement
Participants in the U.S.-EU Financial Markets
Regulatory Dialogue (FMRD) met on January 12,
2015 to exchange information on regulatory developments as part of their
ongoing dialogue, and discuss their strong cooperation and shared interests
in continuing to implement and enforce robust standards, including those
on the G-20 financial regulatory agenda.
Advancing macroprudential policy objectives
Speech by Mr Daniel K Tarullo, Member of the Board
of Governors of the Federal Reserve System, at the
Office of Financial Research and Financial Stability
Oversight Council's 4th Annual Conference on
"Evaluating Macroprudential Tools:
Complementarities and Conflicts", Arlington, Virginia
ENISA Threat Landscape 2014
Interesting parts
No previous threat landscape document published by ENISA has shown
such a wide range of change as the one of the year 2014.
We were able to see impressive changes in top threats, increased complexity
of attacks, successful internationally coordinated operations of law
enforcement and security vendors, but also successful attacks on vital
security functions of the internet.
“SSL and TLS, the core security protocols of the internet have been under
massive stress, after a number of incidents have unveiled significant flaws
in their implementation.”
The role of national supervisors in European
banking supervision
Speech by Dr Andreas Dombret, Member of the
Executive Board of the Deutsche Bundesbank, at
Chatham House, London
“The topic of my speech today is European banking
supervision, but the underlying theme, of course, is integration.
Since the Treaties of Rome were signed in 1957, the history of Europe has
been characterised by ever-deepening integration.”
The Group of Thirty
The Digital Revolution in Banking
Gail Kelly
“For the last two decades, cybersecurity in banks has been based on two
central ideas—the creation of strong perimeter defenses (firewalls and
similar mechanisms) and the encryption of data in transit outside the
perimeter walls.
More recently, increasing effort has also gone into monitoring system
traffic and activity to identify anomalous events that might indicate fraud or
attack.”
The Russian economic situation and Bank of
Russia's forecast
Statement by Ms Elvira Nabiullina, Governor of the
Bank of Russia, in follow-up of Board of Directors
meeting, Moscow
“According to our estimates, annual inflation will approximate 10% in 2014.
The acceleration of inflation results from both the impact of the external
trade restrictions and specific factors in the food market (which will add
about 2.3 pp to the total inflation at year-end), and considerable ruble
depreciation (that will contribute 2.6 pp).”
Independence of monetary policy and the
banking union
Speech by Mr Erkki Liikanen, Governor of the
Bank of Finland, at the Lamfalussy Lecture
Conference, organised by Magyar Nemzeti Bank
(the central bank of Hungary), Budapest,
“One of the lasting lessons we have learned from the monetary policy
experience of the last decades is the value of the independence of central
banks.”
EIOPA Opinion on sales via the Internet of
insurance and pension products
As established in Article 29(1)(a) of the
Regulation, EIOPA shall play an active role in building a common Union
supervisory culture and consistent supervisory practices, as well as in
ensuring uniform procedures and consistent approaches throughout the
Union.
Statement at the SEC Open Meeting on the
PCAOB 2015 Budget
James R. Doty, PCAOB Chairman
SEC Open Meeting
Washington, DC
“I am here to present for your consideration the PCAOB's 2015 Budget of
$250.9 million.”
The growing relationship between China and
Barbados
“They say that the world's centre of gravity has shifted to the east, suddenly
and dramatically.
Even someone like myself, with more than a passing knowledge of Chinese
history, culture and policy, has been astounded by the transformation.
The images I see on TV daily are of an utterly different country to the one I
visited in 1980.”
United States – European Union
Financial Markets Regulatory Dialogue
Joint Statement
Participants in the U.S.-EU Financial
Markets Regulatory Dialogue (FMRD) met
on January 12, 2015 to exchange information
on regulatory developments as part of their
ongoing dialogue, and discuss their strong cooperation and shared interests
in continuing to implement and enforce robust standards, including those
on the G-20 financial regulatory agenda.
Recognizing the continued importance of U.S. and EU markets for the
growth and stability of the international economy, participants welcomed
the progress made by U.S. and EU authorities since the crisis to bolster the
resilience of financial markets and reiterated their unswerving commitment
to work together to advance financial regulatory reform in a consistent and
convergent manner.
EU participants included representatives of the European Commission
(EC) and the European Securities and Markets Authority (ESMA).
U.S. participants included staff of the Treasury and independent regulatory
agencies, including the Board of Governors of the Federal Reserve System
(Federal Reserve), the Commodity Futures Trading Commission (CFTC),
the Federal Deposit Insurance Corporation (FDIC), and the Securities and
Exchange Commission (SEC), as well as the Public Company Accounting
Oversight Board (PCAOB).
Each U.S. participant discussed, and expressed positions on, those issues in
their respective areas of responsibility.
EU and U.S. participants held productive discussions on an extensive
agenda, including topics related to those commitments made by the G-20
Leaders: implementation of Basel III capital, leverage, and liquidity rules;
implementation of over-the-counter (OTC) derivatives reforms (including a
discussion of cross-border issues); and recent policy developments on
cross-border resolution.
Participants also exchanged views on bank structural measures,
securitization, money market funds, alternative investment fund managers,
benchmarks, information sharing for supervisory and enforcement
purposes, the implementation of UCITS reforms, and audit cooperation
and macro-prudential oversight.
Capital Markets Union (CMU)
EU participants presented the broad outlines of the EU’s new efforts to
facilitate access to market-based finance through the creation of a CMU,
which Treasury highlighted as a welcome step towards the development of a
more resilient and integrated Single Market.
Derivatives
Participants reiterated the need for all G-20 jurisdictions to continue to
address and implement OTC derivatives reforms in a timely manner.
Participants also reaffirmed that jurisdictions and regulators should be able
to defer to each other, consistent with the St. Petersburg Declaration.
Participants highlighted EU and U.S. efforts to implement OTC derivatives
reforms and their continued efforts to settle remaining issues related to
cross-border market participants, transactions, and infrastructures.
Both sides welcomed the extension of the transitional period for capital
requirements for exposures to central counterparties (CCPs).
The extension allows the EU to continue to engage with CFTC and SEC
staffs to move forward on equivalence decisions for U.S. CCPs.
EC and CFTC staffs committed to resolving soon issues related to
equivalence for U.S.-based CCPs under the European Markets and
Infrastructure Regulation (EMIR) on the basis of an effective system of
substituted compliance for dually-registered CCPs.
The EU and U.S. participants discussed the importance of minimizing
divergences with regard to margin for uncleared swaps, to the extent
possible.
Securitization
Participants discussed securitization, including the Basel Committee for
Banking Supervision (BCBS) and International Organization of Securities
Commission (IOSCO) consultation paper on criteria for identifying simple,
transparent, and comparable securitizations, and EU plans to develop “high
quality securitization” (HQS) as a means to increase sources of funding for
the EU economy.
Banking
EU and U.S. participants recognized the major strides made globally
through the Basel Committee and in their markets to strengthen bank
capital, leverage, and liquidity, while noting critical work has to be carried
out to implement outstanding elements of the robust banking regulatory
framework globally.
U.S. participants welcomed the launch of the Single Supervisory
Mechanism (SSM), a major component of the Banking Union in the EU.
Participants committed to continue cooperation on regulatory standards
for internationally active banks, and exchanged views about the
implications of the recent report in the framework of the BCBS’s Regulatory
Consistency Assessment Programme (RCAP).
Participants also discussed the Federal Reserve’s existing proposals for
enhanced capital rules and the rule for supplementary leverage for the
largest U.S. banks, and its forward agenda, as well as recent legislative
developments on bank structural reform related to measures on both sides
of the Atlantic.
EU participants noted the extension of the conformance period under
Volcker rule for legacy covered funds to July 2016. EU participants raised
concerns about the effect of the Volcker Rule on foreign funds.
Resolution
Participants noted the considerable progress made this year on
cross-border resolution and reaffirmed the deep cooperation between the
EC, EBA, FDIC, and Federal Reserve on technical aspects of resolution.
The U.S. banking agencies, Treasury, and the EU welcomed the Financial
Stability Board’s (FSB) proposal for an international minimum standard on
total loss absorbing capacity (TLAC) and urged that it be finalized in time
for the G-20 Leaders Summit later this year following the conclusion of the
FSB’s public consultation and quantitative impact study.
The U.S. banking agencies, Treasury, and the EU also welcomed the
International Swaps and Derivatives Association (ISDA) Resolution Stay
Protocol and the adherence of 18 major global banks to the Protocol.
They discussed the next steps involved in promoting widespread adoption
of the Protocol. U.S. and EU participants emphasized the importance of
clear, credible, and well-designed CCP recovery and resolution strategies.
Benchmarks
Participants discussed the ongoing international review of benchmarks and
the standards for determining outcomes-based equivalence in draft
legislation currently under negotiation in the EU.
Participants reiterated support for the IOSCO principles for administrators
of interest rate, foreign exchange and other financial benchmarks and
reiterated their commitment to fight market abuse, including benchmark
manipulation, through appropriate means.
Insurance
Participants noted progress in the work to date toward a covered agreement
and reiterated the commitment to engage all stakeholders in a transparent
manner.
Participants pressed for continued progress through the processes defined
by each jurisdiction’s relevant law, with the objective of initiating
negotiations on a covered agreement in the second quarter of 2015 and
agreed to provide an update on progress at the next FMRD in July 2015.
Accounting
Participants discussed recent developments regarding the use of IFRS and
U.S. GAAP. Participants reiterated their commitment to convergence on
high quality accounting standards and committed to continue their efforts
regarding consistency in the application of accounting standards in
practice.
Audit
PCAOB and EC participants committed to continue building a stable
framework for transatlantic cooperation between regulators on audits to
protect investors on both EU and US markets in a manner that maximizes
all regulatory resources to increase market confidence and transparency to
investors.
Participants looked forward to further reports on the outcomes of the
informal working group established between the PCAOB, EU Member
States audit regulators and the European Commission.
The PCAOB and EU participants agreed on the effectiveness of a
cooperative framework designed to protect investors including, inter alia,
joint inspections conducted under the terms of Statements of Protocol and
consistent with their respective legal and regulatory regimes and a robust
dialogue and exchange of views regarding risk assessment for the greatest
regulatory impact as well as the possibility of appropriate levels of reliance
on the quality control work of other regulators to the extent justified.
The next FMRD meeting will take place in Brussels, Belgium in July 2015.
Advancing macroprudential policy
objectives
Speech by Mr Daniel K Tarullo, Member of the
Board of Governors of the Federal Reserve
System, at the Office of Financial Research and
Financial Stability Oversight Council's 4th
Annual Conference on "Evaluating
Macroprudential Tools: Complementarities and
Conflicts", Arlington, Virginia
Standing in front of this audience I feel secure in observing that we are all
macroprudentialists now.
The imperative of fashioning a regulatory regime that focuses on the
financial system as a whole, and not just the well-being of individual firms,
is now quite broadly accepted.
Indeed, the two entities co-sponsoring this conference were themselves
created by the Dodd-Frank Wall Street Reform and Consumer Protection
Act, which reoriented financial regulation toward safeguarding financial
stability by containing systemic risk - an aim that may not define all of
macroprudential policy, but surely rests at its center.
But beneath the high-level consensus for a macroprudential orientation
lies a broad range of substantive views, as well as a host of analytic and
practical questions, which form the subject of this conference and many like
it.
Experience with macroprudential policy measures in various countries is
not extensive and may, in any case, have only limited applicability
elsewhere because of differences in economic conditions, the relative
importance of capital market and traditional bank intermediation, and
many other factors.
And there is sometimes a tendency to overlook the significance of
institutional and legal considerations in fashioning and comparing
macroprudential policies.
If macroprudential policy is to be more than a catchphrase, policymakers
must confront these considerations in specifying how a macroprudential
perspective will inform financial regulation.
Today I would like to suggest some specific macroprudential objectives
that I regard as both realistic and important to incorporate into a near- to
medium-term policy agenda:
First, continuing the task of ensuring that very large, complex financial
institutions do not threaten financial stability;
Second, developing policies to deal with leverage risks and susceptibility to
runs in financial markets that are not fully contained within the universe of
prudentially regulated firms; and
Third, dealing with the vulnerabilities associated with the growing
importance of central counterparties.
Before discussing these specifics, I will begin with some brief observations
on macroprudential tools and, in particular, the special difficulties
associated with time-varying macroprudential policies.
The varieties of macroprudential tools
In mapping out the range of macroprudential policies, analysts have
developed various taxonomies.
Common to most is the distinction between tools designed to prevent
systemic risk from building by "leaning against the wind" and tools
designed to increase the resiliency of the financial system should systemic
risk nonetheless build and lead to broad-based stress.
While some tools may straddle this distinction, it seems useful as a starting
point for evaluating the utility of different measures.
As I have explained elsewhere, I think a distinction of equal - if not greater -
importance is between structural or "through the cycle" tools, on the one
hand, and time-varying tools, on the other.
Structural macroprudential tools are put in place as a part of the ongoing
regulatory structure, but they are designed specifically from a systemic, as
opposed to a firm- or asset-specific, perspective.
Many proponents of macroprudential policy seem particularly attracted to
time-varying measures for both resiliency and lean-against-wind measures.
The aim is to regulate in an explicitly countercyclical fashion through
measures that attempt to restrain rapid, unsustainable increases in credit
extension or asset prices - either directly or through shifts in incentives -
and to relax those measures as economic conditions deteriorate.
One can readily understand the conceptual appeal of this approach, but it
raises a fair number of significant issues - analytic, practical, institutional,
and legal.
These include the reliability of measures of excess or systemic risk, the
appropriate officials to be making macroprudential decisions, the speed
with which measures might realistically be implemented and take effect,
and the right calibration of measures that will be efficacious in damping
excesses while not unnecessarily reducing well-underwritten credit flows in
the economy.
Even if these issues could be addressed and a time-varying
macroprudential measure developed and applied, there is some reason to
believe that regulatory relaxation of such a requirement may not have much
effect on the downside of an economic or financial cycle.
Market discipline, which may have been lax in boom years, tends to become
very strict when conditions deteriorate rapidly.
At that point, counterparties and investors may look unfavorably at a
reduction in capital levels or margins or other protective measures, despite
their formal elimination by regulators and despite the potential benefits for
the economy as a whole.
None of this is to say that analysis of possible time-varying
macroprudential tools should not continue.
Indeed, some are clearly appropriate for near-term use.
For example, since good prudential supervision must always be
time-varying, we should continue to adapt oversight with a view to
changing conditions.
And we will be working with the other banking regulators to build out the
Basel III countercyclical capital buffer regime, which takes effect in the
United States next year.
But as a realistic matter, the role of time-varying macroprudential tools is
probably limited for the immediate future.
At the same time, there is both considerable need and potential for
completing or developing in the near- to medium-term what I have termed
structural macroprudential measures.
Of course, there are intellectual and practical challenges here as well,
including the need to assess the impact of the measures on economic and
financial activity in non-stress times.
But unlike time-varying measures, which often must be adopted swiftly to
be effective, structural measures can be developed through a full and
careful process, including normal administrative law notice and comment
procedures.
Additionally, where appropriate, the development of such measures can
readily involve multiple regulatory authorities. Let me turn now to what I
regard as three priority areas for the application of macroprudential tools.
Large financial institutions
By definition, too-big-to-fail problems implicate systemic risk
considerations and must be addressed in any regulatory system that seeks
to preserve financial stability.
More generally, the dynamics observed during the financial crisis -
including correlated asset holdings, common risks and exposures, and
contagion among the largest firms - suggest that the well-being of any one
of these firms cannot be isolated from the well-being of the banking system
as a whole.
Much of the post-crisis reform agenda has been centered on these
institutions.
Various regulatory measures informed to a greater or lesser extent by
macroprudential considerations have been developed and are now at
various stages of implementation.
I will mention three of the most important.
First is a set of strengthened capital standards, which fit squarely within the
objective of increasing the resiliency of systemically important institutions.
Basel III fortified the microprudential requirements for both the quality
and quantity of capital for all internationally active institutions.
But, both internationally and in the United States, the post-crisis reform
agenda includes capital requirements derived in whole or in part from
macroprudential aims.
These include capital surcharges for systemically important firms and
stress testing.
Stress testing, unlike conventional capital requirements, provides a
forward-looking assessment of losses that would be suffered under adverse
economic scenarios.
Moreover, the related capital planning process helps ensure that the
banking system would continue to have adequate capital to provide viable
financial intermediation even in the face of adverse conditions.
The simultaneous testing of the largest firms using a supervisory model
provides a perspective on a large part of the banking system and facilitates
identification of correlated exposures and other common risks.
The supervisory construction of adverse scenarios each year allows us to
incorporate changes in financial practices, vulnerabilities, and conditions
into a dynamic capital standard.
For example, in recent tests, the Federal Reserve has assessed potential
interest rate risk by analyzing how sensitive deposits will be to rate rises,
whether banks might have to raise deposit rates more than expected to
retain deposits, and whether banks that are hedging interest rate risk are all
dealing with the same few counterparties.
The system of risk-weighted capital surcharges adopted by the Basel
Committee on Banking Supervision is a regulatory innovation designed to
reduce the chances of distress or failure of "G-SIBs" (global systemically
important institutions) to a greater degree than at other firms, in
recognition of the fact that the resulting negative consequences for the
financial system would likely be substantially more significant.
These surcharges are an important example of the principle, embodied in
section 165(a) of the Dodd-Frank Act, that prudential requirements should
increase in stringency with the systemic importance of regulated firms.
The surcharge applicable to institutions varies based on the relative
systemic importance of a firm.
As you are doubtless aware, the Federal Reserve has proposed for domestic
implementation a range of surcharges higher, and somewhat differently
calibrated, than the Basel framework.
The approach to calibration we developed in cooperation with other Basel
Committee members was to determine the additional capital necessary to
equalize the probable systemic impact from the failure of a systemically
important bank, as compared to the probable systemic impact from the
failure of a large, but not systemically important, bank.
However, the surcharge levels ultimately agreed to by the Basel Committee
were toward the low end of the range suggested by this analysis.
The levels included in the proposed rule are more in the middle of that
range and thus higher than the Basel surcharges.
As suggested in an economic impact analysis undertaken by Basel
Committee members, this higher level of surcharges should provide
substantial net economic benefits by reducing the risks of destabilizing
failures of very large banking organizations.
The proposed rule would also take into account a firm's relative dependence
on short-term wholesale funding, a source of systemic vulnerability to
which I will return a bit later in these remarks.
During the transition period for implementation of the G-SIB surcharges
(as modified following the notice and comment process), the affected firms
will presumably be considering whether they wish to reduce or alter the
range, amount, or types of their activities so as to place themselves in a
lower "risk bucket," with a concomitantly lower capital surcharge.
A second kind of post-crisis regulatory reform with a macroprudential
influence is the new set of quantitative liquidity requirements, including the
now-adopted liquidity coverage ratio (LCR) and the internationally
agreed-upon net stable funding ratio (NSFR) soon to be considered for
adoption by U.S. banking regulators.
Having just recently given an entire speech on the subject, I will note here
only that both the LCR and the NSFR - along with the Federal Reserve's
annual Comprehensive Liquidity Assessment and Review - were motivated
by the systemic liquidity squeeze experienced during the crisis.
Even though the LCR, for example, is principally microprudential in design,
it still reflects macroprudential concerns, as in its exclusion of deposits with
other banks from the set of assets that qualify as highly liquid.
And, as in the requirements applicable to matched books of large firms that
are important providers of liquidity to financial markets, some overtly
macroprudential provisions have been incorporated in the NSFR.
A third set of regulatory measures of relevance to systemic risks from large
financial institutions concerns the potential failure of these institutions.
These include, among others, the orderly liquidation authority given the
Federal Deposit Insurance Corporation (FDIC) under title II of the
Dodd-Frank Act and proposals to assure the availability of debt that is
convertible into equity should a firm fail, thereby providing for absorption
of losses and possible recapitalization without need for the injection of
public capital.
I suspect these and similar measures do not appear on many lists of
macroprudential tools.
And it may be hard to decide whether to classify them as resiliency tools or
as structural measures designed to retard the build-up of systemic risk.
Yet, with their purposes of ensuring that even the largest firms can fail and
be wound down in an orderly fashion, and of countering too-big-to-fail
perceptions associated with systemically important financial institutions,
they belong on those lists.
One such tool that has gotten more attention in the past year is the
resolution planning process established by section 165(d) of the
Dodd-Frank Act.
The Federal Reserve and the FDIC have identified substantial shortcomings
in many of the plans submitted to date.
In the next round of submissions, due this summer, these firms will need to
produce plans that show they could be resolved in bankruptcy in an orderly
fashion.
Meeting this requirement will entail significant changes in some
combination of corporate structure, inter-corporate relationships, the mix
and extent of activities, and the legal locus of certain bank activities.
Developing a new form of market regulation
As I have just described, measures to promote the macroprudential
objectives associated with the regulation of large financial institutions have
already been developed.
They need variously to be finalized or implemented.
And all will probably need to be adjusted as time passes and circumstances
change.
But the tools themselves have been identified, selected, and elaborated
upon.
When it comes to much financial activity taking place outside prudentially
regulated institutions, however, there is still a need to develop, analyze, and
consider tools that should be used for achieving macroprudential aims.
Given the breadth and diversity of activities that can be encompassed, for
example, in the term "shadow banking," it is also necessary for
policymakers to identify some priority areas within which to focus work on
developing an appropriate set of regulations informed by macroprudential
considerations.
I would suggest that priority should be given to activities that pose
significant risks of rapid investor flight during stress periods, with the
attendant risks of firesales and other negative effects on funding and asset
markets more generally.
Specifically, it seems sensible to prioritize two areas: short-term wholesale
funding and the liquidity and redemption risks that may be present in asset
management activities.
These areas may, of course, overlap in some circumstances.
I have on past occasions described at some length my concerns with
short-term wholesale funding - especially, though not exclusively, funding
associated with assets thought to be cash equivalents.
We are, of course, addressing these risks within prudentially regulated
firms through various types of liquidity regulation and supervision, as well
as changes in practice by the firms that clear tri-party repo transactions.
But, as demonstrated in the years preceding the crisis, short-term
wholesale funding can support a form of shadow banking outside the
regulatory perimeter.
Indeed, one might expect that as regulatory and supervisory practice forces
the internalization by regulated firms of the systemic costs of excessive
dependence on runnable short-term funding, there will be increasing
incentives for more leveraged credit intermediation to migrate outside the
regulatory perimeter.
One policy response that the Federal Reserve has advocated and that has
now been proposed by the Financial Stability Board (FSB), is for minimum
margins to be required for certain forms of securities financing transactions
(SFTs) that involve extensions of credit to parties that are not prudentially
regulated financial institutions.
This system of margins is intended to serve the macroprudential aim of
moderating the build-up of leverage in the use of these securities in less
regulated parts of the financial system and to mitigate the risk of procyclical
margin calls by preventing their decline to unsustainable levels during
credit booms.
Given the ease with which such transactions may move across borders, it is
particularly important that the FSB has proposed a framework that could
be applicable in all major financial markets.
We will welcome comments on this proposal when, as I expect, the Federal
Reserve issues a notice of proposed rulemaking to implement it
domestically, probably by using the Federal Reserve's authority under the
Securities Exchange Act of 1934 to supplement our prudential regulatory
authorities.
But it is also important to continue analysis of other macroprudential policy
options that would address the risks associated with short-term wholesale
funding.
Indeed, even the FSB proposal does not extend to SFTs backed by
government collateral, a very important source of short-term wholesale
funds.
Asset management activities have commanded considerable attention
lately, both internationally at the FSB and domestically at the Financial
Stability Oversight Council (FSOC).
The asset management industry has grown rapidly since the financial crisis,
both in terms of the dollar amount of assets under management and in the
concentration of assets managed by the largest firms.
These trends may well continue as stricter prudential regulation makes
investment in certain forms of assets more costly for banks.
To the extent that asset management vehicles hold relatively less liquid
assets but provide investors the right to redeem their interests on short
notice, there is a risk that in periods of stress, investor redemptions could
exhaust available liquidity.
Under some circumstances, a fund might respond by rapidly selling assets,
with resulting contagion effects on other holders of similar assets and, to
the degree they had not already been subject to redemption pressures,
other asset management vehicles holding those assets.
The use of leverage by investment funds, including through derivatives
transactions, could create interconnectedness risks between funds and key
market intermediaries and amplify the risk of such firesales.
Considerable work is needed, first, to develop better data on assets under
management, liquidity, and leverage, in order to fill the information gaps
that have concerned so many academics and policy analysts.
Then there is more work to be done in assessing the magnitude of liquidity
and redemption risks, including the degree to which those risks vary with
the type of assets and fund structure.
And finally, we will need tools that will be efficient and effective responses
to the risks identified.
Both the short-term wholesale funding and asset management examples
point to the broader objective for macroprudential policy of developing
what we might term "prudential market regulation" - that is, a policy
framework that builds on the traditional investor protection and market
functioning aims of securities regulation by incorporating a system-wide
perspective.
Like the reforms to banking regulation that followed the crisis, this new
form of regulation might start by strengthening some of the firm- or
fund-specific measures associated with those traditional regulatory aims,
but then move forward to take into account such considerations as
system-wide demands on liquidity during stress periods and correlated
risks among asset managers that could exacerbate liquidity, redemption,
and firesale pressures.
The specific policies associated with prudential market regulation might be
transaction-specific, or apply to certain kinds of business models.
In her important speech last month, Securities and Exchange Commission
(SEC) Chair Mary Jo White provided a roadmap for beginning to develop
just such a regulatory approach for the asset management industry.
In thinking about short-term wholesale funding and some forms of asset
management, we encounter a background circumstance that complicates
the task of developing effective macroprudential tools.
Demand for safe short-term assets is both real and substantial, emanating
from multiple sources, including sovereign nations that wish to self-insure
against exchange rate pressures; non-financial corporations that have
increased their cash holdings in the wake of the market disruptions
associated with defaults by Enron and other companies; and institutional
investors protecting themselves against redemption demands or other
unexpected cash needs.
While it is important to adopt measures that protect against runs and that
counteract the illusion that cash equivalents are actually cash, it is equally
important to realize that the demand for relatively safe, short-term assets
will not disappear.
Indeed, there is some risk that, as regulation makes some forms of such
assets more costly, this demand will simply turn elsewhere.
Thus the ultimate effectiveness of what I have termed prudential market
regulation will depend on policymakers taking into account in their
regulatory approaches the sources of, and motivation for, demand for
short-term, liquid, and relatively safe assets beyond the debt of very
creditworthy sovereigns.
Central counterparties
My third policy objective with a macroprudential component relates to
central counterparties (CCPs).
A key regulatory aim following the crisis, both in the United States and
internationally, has been to encourage more derivatives and other financial
transactions to be cleared through CCPs.
There are important financial stability benefits to be gained from the
progress that has been made toward this aim - including multilateral
netting, standardized initial and variation margin requirements, and
greater transparency.
However, as has been frequently observed, if the financial system is to reap
these benefits, the central counterparties to which transactions are moving
must themselves be sound and stable.
Extreme but plausible events, such as the failure of clearing members or a
rapid change in the value of instruments traded by a CCP, could expose it to
financial distress.
If the CCP has insufficient resources to deal with such stress, it may look to
its clearing members to provide support.
But if the problems arise during a period of generalized financial stress, the
clearing members may themselves already have been weakened or, even if
they remain sound, the diversion of their available liquidity to the CCP may
prevent customers of the clearing members from accessing needed funding.
If the CCP fails, the adverse effects on the financial system could be
significant, including the prospect that the CCP's default on its obligations
could amplify the stress on other important financial institutions.
Considerable work to ensure the safety of CCPs has been done internationally by the Committee on Payments and Market Infrastructures
(CPMI) at the Bank for International Settlements and by the International
Organization of Securities Commissions (IOSCO), and domestically by the
SEC, the Commodity Futures Trading Commission, and the Federal
Reserve.
The 2012 CPMI-IOSCO Principles for Financial Market Infrastructures
(PFMIs) updated and strengthened regulatory standards for, among other
financial market utilities, significant CCPs.
These principles, once fully implemented by all relevant U.S. agencies, will
provide a strong and consistent basis for heightened oversight of the CCPs
designated as systemically important by the FSOC.
These heightened standards must continue to be supported by robust
supervisory efforts that should continue to evolve as supervisors gain
experience assessing firms against new regulations and consider new and
changing risks faced by CCPs.
Notwithstanding the advances in CCP regulation, questions have been
raised in international fora, in discussions among domestic financial and
regulatory officials, and by some market participants over whether more
needs to be done.
To me, at least, some of the most important questions implicate
macroprudential concerns.
One discrete example is the possibility that CCP margining practices may
have a significantly procyclical character that could be problematic in
deteriorating financial conditions.
More fundamentally, systemically important CCPs are now generally
required to have funds sufficient to cover defaults by their two largest
members ("cover 2").
Perhaps this is the right standard when contemplating the well-being of a
CCP in isolation.
But it seems worth considering whether this standard is adequate when
hypothesizing stress throughout the financial system, since the default of
two large counterparties would almost surely be accompanied by significant
market disruption.
At the least, it is important to ensure a consistent, robust implementation of
the cover 2 standard that has already been agreed.
While the question of what constitutes the optimal default fund standard
needs more analysis and debate, I think there is little question that more
attention must be paid to strengthening stress testing, recovery strategies,
and resolution plans for significant CCPs.
The typical CCP recovery strategy does not take a system-wide perspective
and is premised on imposing losses on, or drawing liquidity from, CCP
members during what may be a period of systemic stress.
Many of these members are themselves systemically important firms,
which will likely be suffering losses and facing liquidity demands of their
own in anything but an idiosyncratic stress scenario at a CCP.
Moreover, in at least some cases, uncertainty is increased by the difficulty of
estimating with any precision the extent of potential liability of members to
the CCP, thereby complicating both their recovery planning and efforts by
the official sector to assess system-wide capital and liquidity availability in
adverse scenarios.
These and other questions will be discussed in the coming months at the
CPMI, the FSB, and other international fora, as well as among U.S.
regulators.
Researchers with a macroprudential perspective can contribute to these
discussions with analyses of system-wide liquidity demands and knock-on
effects of defaults by CCP members, as well as policy suggestions to address
vulnerabilities that emerge from these analyses.
Conclusion
In a basic sense, the imperative of a macroprudential policy perspective
means taking account of system-wide effects as financial regulation is
developed and implemented.
But as is the case with traditional microprudential policy, agreement at this
high level does not necessarily assure agreement on the priorities for
regulatory attention, much less the specific regulations that should be
adopted.
Nor can even the best-conceived macroprudential policies compensate
totally for the risks created by key macroeconomic or financial conditions.
It should, however, force us all to think about issues like arbitrage,
correlated risks and responses, and externalities in a more explicit and
regular fashion than was evident in pre-crisis practice.
And even as policymakers try to move forward with a practical agenda to
incorporate macroprudential concerns in their programs, it is important
that the academics and policy researchers represented by this audience
continue to advance this still fledgling sub-discipline through both
theoretical and empirical work.
ENISA Threat Landscape 2014
Interesting parts
Executive summary
No previous threat landscape document published by ENISA has shown
such a wide range of change as the one of the year 2014.
We were able to see impressive changes in top threats, increased complexity
of attacks, successful internationally coordinated operations of law
enforcement and security vendors, but also successful attacks on vital
security functions of the internet.
Many of the changes in the top threats can be attributed to successful law
enforcement operations and mobilisation of the cyber-security community:
• The take down of GameOver Zeus botnet has almost immediately
stopped infection campaigns and Command and Control communication
with infected machines.
• Last year’s arrest of the developers of Blackhole has shown its effect
in 2014 when use of the exploit kit has been massively reduced.
• NTP-based reflection within DDoS attacks is declining as a result of
a reduction of infected servers. This in turn was due to awareness raising
efforts within the security community.
• SQL injection, one of the main tools used to compromise web sites, is
on the decline due to a broader understanding of the issue in the web
development community.
• Taking off-line Silk Road 2 and another 400 hidden services in the
dark net has created a shock in the TOR community, at both the attackers'
and the TOR users' ends.
But there is a dark side of the threat landscape of 2014:
• SSL and TLS, the core security protocols of the internet, have been
under massive stress, after a number of incidents have unveiled significant
flaws in their implementation.
• 2014 can be called the year of data breach. The massive data breaches
that have been identified demonstrate how effectively cyber threat agents
abuse security weaknesses of businesses and governments.
• A vulnerability found in the BASH shell may have a long term impact
on a large number of components using older versions, often implemented
as embedded software.
• Privacy violations, revealed through media reports on surveillance
practices, have weakened the trust of users in the internet and e-services in
general.
• Increased sophistication and advances in targeted campaigns have
demonstrated new qualities of attacks, thus increasing efficiency and
evasion through security defences.
In the ETL 2014, details of these developments are consolidated by means
of top cyber threats and emerging threat trends in various technological
and application areas.
References to over 400 relevant sources on threats will help decision
makers, security experts and interested individuals to navigate through the
threat landscape.
Lessons learned and conclusions may be useful for all stakeholders involved
in the reduction of exposure to cyber threats.
Opportunities and issues in the areas of policy/business and technology
have been identified to strengthen collectively coordinated actions towards
this goal.
In the next year, ENISA will try to capitalize on these conclusions by
bringing together expertise to improve information collection capabilities
and to apply lessons learned to various areas of cyber security.
The figure below summarizes the top 15 assessed current cyber-threats and
threat trends for emerging technology areas.
More details on the threats, emerging technology areas, threat agents and
attack methods can be found in this report.
Introduction
This ENISA Threat Landscape report for 2014 (ETL 2014) is the result of
threat information collection and analysis of the last 12 months (December
2013 – December 2014), referred to in this document as the reporting
period.
The ETL 2014 is a continuation of the reports produced in 2012 and 2013: it
follows similar approaches for the collection, collation and analysis of
publicly available information to produce the cyber-threat assessment.
The report contains a description of the methodology followed, together
with some details on use-cases of cyber-threat intelligence.
The main contribution of the ETL 2014 lies in the identification of top cyber
threats within the reporting period.
Together with the emerging threat landscape, it makes up the main
contribution towards identification of cyber-threats.
As in previous years, the ETL 2014 is based on publicly available material,
the availability of which has grown substantially in the reporting period.
Starting from ca. 150 references in 2012, we identified ca. 250 in 2013.
In 2014, we identified over 400 sources containing information on cyber
threats, whereas in all years we assume that our information collection
detects ca. 60-70% of available material.
This makes the ETL 2014 a unique comprehensive collection of information
regarding cyber-security threats.
ENISA has performed information collection by means of internet searches,
by using the information provided by the CERT-EU and by using the web
platform of Welund Horizon Ltd through free access granted to ENISA in
the reporting period.
As is explained later in this report, the ETL 2014 has been expanded to
include information on attack vectors, that is schematic representations on
the course of attacks, indicating targeted assets and exploited
weaknesses/vulnerabilities.
Another new component in the ETL 2014 is the elaboration of use-cases of
threat intelligence: by showing the various activities of threat analysis, we
demonstrate how the information produced can be used within various
phases of security management.
Another novelty of the ETL 2014 process is the involvement of stakeholders
in the identification of issues as well as knowledge transfer and information
sharing.
In 2014, ENISA has established an ETL stakeholder group consisting of 13
experts from CERTs, vendors, Member States and users.
This group has provided advice on various issues of threat analysis,
including stakeholder requirements and state-of-the-art developments in
the area of threat intelligence.
Lessons learned and conclusions summarize the highlights of this year’s
threat assessment exercise and provide concluding remarks that are
relevant for policy makers, businesses and cyber-security experts.
Policy Context
The policy context of the ETL 2014 with regard to relevant EU-regulations
is identical to that of 2013 ETL.
The Cyber Security Strategy of the EU stresses the importance of threat
analysis and emerging trends in cyber security.
The ENISA Threat Landscape is an activity contributing towards the
achievement of objectives formulated in this strategy, in particular by
contributing to the identification of emerging trends in cyber-threats and
understanding the evolution of cyber-crime.
Moreover, the new ENISA regulation mentions the need to analyse current
and emerging risks (and their components), stating: “the Agency, in
cooperation with Member States and, as appropriate, with statistical bodies
and others, collects relevant information”.
In particular, under Art. 3, Tasks, d), iii), the new ENISA regulation states
that ENISA should “enable effective responses to current and emerging
network and information security risks and threats”.
The ENISA Threat Landscape aims to make a significant contribution to the
implementation of the EU Cyber Security Strategy by streamlining and
consolidating available information on cyber-threats and their evolution.
Insider threat
As an aftermath of the Snowden revelations, in this reporting period a
significant effort has been invested in the analysis of the insider threat.
Reports on the insider threat have been issued, mainly on the initiative of or
commissioned by governmental organisations or organisations enrolled in
national security and military defence.
Although these reports mainly focus on malicious insider user activities,
analysis of incidents indicates that a significant amount of insider threats
stem from unintentional user errors/mistakes, unintentional displacement
of information and loss/theft.
Whatever the grounds for insider threat materialisation might be, usually,
they lead to significant impact for the organisation.
This explains significant CISO concerns assessed: more than half of
organisations believe that they are vulnerable to this threat.
On the other hand, more than half of security professionals consider insider
threats as being difficult to prevent.
Admittedly, the insider threat is not mainly a technical issue.
Together with the high impact of such attacks, it is evident that this threat is
a significant concern, both for technical experts and executives.
In the reporting period we have assessed that:
• The insider threat is being primarily noticed by means of technical
controls (e.g. via analytics regarding printer logs, intranet logs,
unauthorised access attempts, outbound web traffic to mistrusted sites,
etc.).
But technology is just one part of the problem. Being a part of the
organisation, measures that go beyond technological solutions need to
be sought.
Technological solutions need to go hand in hand with HR, awareness and
employee guidance processes.
• Materialised insider threats need particularly high efforts to contain.
While average containment of cyber-attacks is ca. 30 days, insider attacks
need on average ca. 60 days.
• Insider attacks often bypass existing security controls due to
access rights but also due to available knowledge of the insider regarding
existing protection.
In addition, they are aware of weaknesses/vulnerabilities of the
organisation that can be misused in order to successfully place an attack.
Often, the best way to recognise an insider adversary is to keep an eye on
people’s behaviour to detect patterns of dissatisfaction.
• A considerable amount of insider incidents in organisations is a
result of user error.
Given the assessed fact that over 50% of data breaches are due to user
sloppiness, one can argue that significant damage is caused due to
ignorance.
Hence, a better remediation of insider threat might be achieved by better
user training.
Over 48% of organisations participating in a survey on insider threat have
not provided any security training to their employees.
Among the most frequent user errors are misdelivery, that is, sending
information (paper or digital) to wrong recipients.
Misdelivery is followed by publishing error, disposal error,
misconfiguration and malfunction.
• Information types that have been breached by insiders are:
intellectual property (63%), customer data (50%), unknown (24%) and
financial records (22%).
Top 5 activities of insider misuse assessed are: privilege abuse (88%),
non-approved hardware (18%), bribery (16%), e-mail misuse and data
mishandling (11%).
• A very thorough risk assessment of the insider threat has
impressively demonstrated that no operator of critical systems can afford
having the required level of protection to properly mitigate insider threats.
This report underlines also the potential for the combination of insider
threat with guidance from external threat agents, an issue that is often
underestimated by organisations.
All in all, this report penetrates the issue of insider threat at a considerable
depth.
• It seems that there is a gap between perception and reality about
insider threat.
Analysis of real incidents shows that insider threats are in second position
as cause of all incidents, but are far fewer than outsider threats, which are in
first position (insider threat only 8% of all incidents).
Observed current trend for this threat: stable/ slight increase
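The first finding in this section names printer logs, intranet logs, unauthorised access attempts and outbound web traffic as the technical controls through which insider activity is noticed. The following Python is an added example, not taken from the ENISA report: it correlates those sources per user and queues a user for human review only when at least two independent signals fire on the same day. The log format, field names, thresholds, user names and hosts are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample events (not real logs): "<date> <source> user=<u> key=value ..."
SAMPLE_LOG = """\
2014-11-03 printer user=alice pages=12
2014-11-03 printer user=bob pages=410
2014-11-03 intranet user=bob resource=/hr/payroll status=403
2014-11-03 intranet user=bob resource=/rd/designs status=403
2014-11-03 intranet user=bob resource=/finance/q4 status=403
2014-11-03 intranet user=alice resource=/wiki/home status=200
2014-11-03 intranet user=carol resource=/hr/payroll status=403
2014-11-03 proxy user=bob host=files.example.net bytes_out=73400320
2014-11-03 proxy user=carol host=files.example.net bytes_out=2048
2014-11-03 proxy user=alice host=intranet.corp.example bytes_out=900000
garbage line that does not parse
"""

# Assumed tuning values; a real deployment derives them from its own baselines.
PRINT_BASELINE = {"alice": 15, "bob": 20, "carol": 10}  # typical pages per day
DEFAULT_BASELINE = 10             # used for users without a recorded baseline
PRINT_FACTOR = 5                  # flag a day above baseline * factor
DENIED_RESOURCES = 3              # distinct denied resources per user per day
TRUSTED_SUFFIXES = (".corp.example",)  # leading dot: "evilcorp.example" does not match
UPLOAD_BYTES = 10 * 1024 * 1024   # outbound volume to untrusted hosts per day

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (printer|intranet|proxy) (.+)$")


def _to_int(value):
    """Parse a counter field; malformed values count as 0 instead of aborting."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return 0


def parse(text):
    """Yield (date, source, fields) for well-formed lines that name a user."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
        if "user" in fields:
            yield m.group(1), m.group(2), fields


def collect_signals(text):
    """Return {(date, user): {signal, ...}} for every rule that fired."""
    pages, uploads, denied = defaultdict(int), defaultdict(int), defaultdict(set)
    for date, source, f in parse(text):
        key = (date, f["user"])
        if source == "printer":
            pages[key] += _to_int(f.get("pages"))
        elif source == "intranet" and f.get("status") in ("401", "403"):
            denied[key].add(f.get("resource", "?"))
        elif source == "proxy" and not f.get("host", "").endswith(TRUSTED_SUFFIXES):
            uploads[key] += _to_int(f.get("bytes_out"))

    signals = defaultdict(set)
    for key, total in pages.items():
        if total > PRINT_BASELINE.get(key[1], DEFAULT_BASELINE) * PRINT_FACTOR:
            signals[key].add("print_volume")
    for key, resources in denied.items():
        if len(resources) >= DENIED_RESOURCES:
            signals[key].add("denied_access")
    for key, total in uploads.items():
        if total > UPLOAD_BYTES:
            signals[key].add("untrusted_upload")
    return dict(signals)


def review_queue(text, min_signals=2):
    """Users with several independent signals on one day, for human follow-up."""
    return sorted(
        (date, user, sorted(names))
        for (date, user), names in collect_signals(text).items()
        if len(names) >= min_signals
    )


if __name__ == "__main__":
    for date, user, names in review_queue(SAMPLE_LOG):
        print(date, user, ", ".join(names))
```

A single signal, such as one denied request or one large print job, stays out of the queue, which keeps ordinary user error from being treated as an attack; the output is a prompt for the HR and awareness processes the section calls for, not a verdict.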
Information leakage
Information leakage relates to a set of threats that emerge due to
unintentional or maliciously triggered revelation of valuable information
(personal data, credentials, security related information, etc.) to an
unauthorised party.
Such information is then abused as is, or within other threats and attacks.
Information leakage is different from data breach, in that it mainly
concerns exploitation of technical and organisational weaknesses to obtain
information that is then fed to other attacks.
Data breach, on the other hand, is the threat of compromising of
confidentiality of massively stored business information.
In the reporting period we have experienced leakage incidents, one of which
– Heartbleed – has been classified by the security community as “one of the
most serious to affect the Internet”.
However, some months later, another leakage vulnerability of SSL has been
found.
Concluding one can say that increased complexity of internet architectures
(i.e. web and application services) as well as decentralisation and
virtualisation of processing, open doors to information left- overs during
processing.
This information is targeted by this threat.
In this reporting period we have assessed that:
• Heartbleed was a serious blow to OpenSSL, one of the basic
components of secure communication in the internet.
Though good guidance was given to remove the vulnerability, delays,
update errors and even non-corrections of the used SSL version have been
observed.
Yet, this incident has demonstrated the complexity of losing trust in a basic
security component: certificates need to be re-issued and dependencies of
existing software need to be analysed and fixed.
It is expected that this incident will continue bothering security experts for
some time.
A second leakage incident related to SSL is indicative of the continuous
attempt to challenge the security of trust functions of the internet.
• Among application vulnerabilities (XSS, Information leakage,
Session Management, etc.), none has demonstrated an increase similar to
information leakage, which has nearly doubled in comparison to 2012.
It is assumed that this was due to accidental leakage of sensitive
information through data transmission error messages.
Others argue that, due to increased complexity and a low level of awareness
of good error handling, information storage and application architecture
issues, information leakage will increase.
In the reporting period, information leakage weaknesses have been
assessed to be within the top three in application vulnerabilities.
• Social media remain a major channel for information leakage that
can be used in other (e.g. targeted) attacks.
Creating awareness with regard to social media/networking applications
can be considered as a “work in progress” area.
Important personal information can be found in social media such as:
copies of driver licenses, ID cards, passports, registration cards, school ID
cards or credit cards.
• Due to the need to transfer information among servers, mobile
applications, cloud servers, etc., it is necessary to introduce/use security
controls to avoid data exfiltration for data that are on the move or reside in
end-devices that are not properly managed, at least security-wise.
Such controls need to be positioned at all components interacting by means
of application scenarios, both within and outside the organisation.
• A relevant study shows that over 50% of tested applications exhibit
weaknesses regarding information leakage related to the application, its
implementation, user data, etc.
Moreover, over 30% of applications are prone to information leakage due to
poor error handling.
This fact opens windows for abuse through the information leakage threat.
This indicates an increased need for secure application development
practices.
• Among the most common leaks found in applications are:
information found in comments (e.g. filename), cookie retrieval, internal IP
addresses and server versions.
Observed current trend for this threat: increasing
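The leak categories listed above (filenames in comments, cookies, internal IP addresses, server versions, and verbose output from poor error handling) can be checked for in an application's own HTTP responses. The following Python check is an added example, not part of the report; the sample response is constructed, and reading "cookie retrieval" as cookies set without the HttpOnly/Secure attributes is an assumption.

```python
import ipaddress
import re

# Constructed sample (not from the report): an error response from a
# hypothetical application that leaks in each of the ways listed above.
SAMPLE_HEADERS = [
    ("Server", "Apache/2.4.7 (Ubuntu)"),
    ("X-Powered-By", "PHP/5.5.9"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/; HttpOnly; Secure"),
]
SAMPLE_BODY = """<html><body>
<!-- TODO: remove before release, see /var/www/app/config/db_settings.php -->
<h1>Internal Server Error</h1>
<pre>Traceback (most recent call last):
  File "/srv/app/views.py", line 42, in checkout
    conn = connect("10.20.30.40", 5432)
ConnectionError: could not reach 10.20.30.40
</pre>
<p>Upstream resolver 8.8.8.8 is reachable.</p>
</body></html>"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
FILENAME_RE = re.compile(
    r"[\w./\\-]+\.(?:php|py|jsp|aspx?|inc|bak|sql|conf|ya?ml|xml)\b", re.I)
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
ERROR_MARKERS = ("Traceback (most recent call last)", "Exception in thread",
                 "Stack trace:", "SQLSTATE[", "ORA-")


def internal_ips(text):
    """Return the RFC 1918 (internal) IPv4 addresses that appear in text."""
    found = set()
    for candidate in IPV4_RE.findall(text):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:  # not a valid address, e.g. 999.1.1.1
            continue
        if any(addr in net for net in RFC1918):
            found.add(candidate)
    return sorted(found)


def find_leaks(headers, body):
    """Return (category, detail) findings for one HTTP response."""
    findings = []
    for name, value in headers:
        lname = name.lower()
        # Server versions: a banner header that carries a version number.
        if lname in VERSION_HEADERS and re.search(r"\d", value):
            findings.append(("server_version", f"{name}: {value}"))
        # Cookies: flag any cookie set without HttpOnly or Secure.
        if lname == "set-cookie":
            attrs = {p.strip().split("=")[0].lower()
                     for p in value.split(";")[1:]}
            missing = [f for f in ("httponly", "secure") if f not in attrs]
            if missing:
                cookie = value.split("=", 1)[0].strip()
                findings.append(
                    ("cookie_flags", f"{cookie} missing {', '.join(missing)}"))
    # Comments: file names or paths left in HTML comments.
    for comment in COMMENT_RE.findall(body):
        for path in FILENAME_RE.findall(comment):
            findings.append(("comment_filename", path))
    # Internal IP addresses anywhere in the body.
    for ip in internal_ips(body):
        findings.append(("internal_ip", ip))
    # Poor error handling: stack traces or database errors shown to the client.
    for marker in ERROR_MARKERS:
        if marker in body:
            findings.append(("verbose_error", marker))
            break
    return findings


if __name__ == "__main__":
    for category, detail in find_leaks(SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"{category:18} {detail}")
```

A response that sends a generic error page with a reference id, a bare `Server` banner and cookies carrying both attributes produces no findings.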
Cyber espionage
This threat has been introduced in the top threats due to the significant
number of incidents attributed to nation states and corporations.
With this cyber threat we would like to refer mainly to APT (Advanced
Persistent Threat) and to Targeted Attacks, knowing that the latter kind of
attack is not only deployed within espionage campaigns.
Moreover, from assessed material it becomes clear that APT is nothing
more than a targeted attack that is being initiated by a threat agent with
very high capabilities and resources.
It is also clear, that cyber espionage consists of a combination of threats
mentioned in this chapter.
Hence, just as other threats in the present chapter, the cyber espionage
threat is not overlap-free with other threats mentioned.
To this extent, this threat refers rather to certain tools and tactics that
match the profile of espionage threat agents: cyber espionage is a
tactical approach rather than a technical one.
As is the case with some reports found, cyber espionage is worth
classifying according to campaigns encountered.
Whatever the classification of this threat might be, it assumes a high level
of capability and corresponding motivation.
Moreover, this kind of attack and especially the reconnaissance phases may
persist over a very long time period, while attribution is very difficult,
especially in case of state sponsored espionage.
In the reporting period we have seen cyber espionage on the rise: reports
about incidents state a growth that is close to 3% compared to last year.
In this reporting period we have assessed that:
• Quite a few targeted attack campaigns have demonstrated an
increase in focus, sophistication and persistence.
We have seen attacks more narrowly tailored, addressing a reduced number
of recipients and organisations but increasing significantly in frequency.
Spear phishing and Strategic Web Compromise (SWC, aka Watering Hole)
are important tools used for initial phases of the attack (i.e. reconnaissance,
weaponisation and delivery).
Spyware Trojans, Bootkits and remote access trojans (RAT) are malware
often used in the exploitation and persistence phases.
• Statistics show important trends observed in the reporting period:
there is an increase in industry sectors targeted (11%) (i.e. wider
campaigns), while the number of recipients targeted has decreased (62%) (i.e. more
targeted campaigns).
Average duration of targeted attacks increased (105%) (i.e. more persistent
campaigns); and number of detected campaigns increased significantly
(472%).
• The observed cascade of sophistication, complexity and capability
levels starts with advanced persistent threat, goes over to targeted attacks and
ends at cyber-criminals.
With the advancement of attacks, technology used today within APT and
targeted attacks will be adopted over time by cyber-criminals.
• New attack methods that can be used in targeted and advanced
persistent threat attacks emerge in the area of research.
It can be assumed that advancements in new methods will arise in the
military and national security sectors.
• The volume of attacks by industry sector shows that the most popular
targets of targeted attacks are: governments (80%), computer/IT (4%),
followed by Aerospace, Industrial, Electrical, Telecommunications and
Military (3% each).
This fact clearly manifests the areas of interest and motives behind
cyber-espionage, being collection of intelligence regarding political,
strategic, technological and industrial developments.
• Primarily within APTs but also targeted attacks, the adversaries involved
have demonstrated the ability to evade existing controls, at least automated
ones.
It is therefore advisable to consider strengthening defences at the level of
human-based controls, such as training regarding phishing and spam and
awareness raising measures in general.
Observed current trend for this threat: increasing
Ransomware/Rogueware/Scareware
Although ransomware belongs to the family of malware threats, it has been
considered as an individual threat due to its assessed dynamics.
In the reporting period we have seen ransomware gaining importance as a
malicious tool.
Though some reduction of this threat was expected after the law
enforcement success of last year (Police Virus, Zeus-Botnet), a significant
revival of this threat has been assessed, in particular for mobile devices.
Equally significant is the fact that ransom shows growth potential due to
updates performed in corresponding malicious tools, especially regarding
distribution, encryption and payment methods used.
It seems that ransomware has gone through improvements adopted from
malware.
Moreover, it seems reasonable to speculate on the potential entrance of a
ransomware development kit in the cyber-crime market.
Although ransom decreased in the reporting period, the inclusion of mobile
devices and the new features mentioned above create the impression that
this threat will increase in the future.
In this reporting period we have assessed that:
• Advancements in functionality of ransomware have shown up after
the announcement of a Trojan encryption tool for sale in the underground
market for Android.
Right after this announcement, the first mobile malware embracing this
functionality was detected.
By the end of the second quarter of 2014, some 47 versions of the Trojan had
been detected.
All ransom attempts have used social engineering techniques to exert
pressure on the victims.
• For the communication with the C&C server, one version of the
Trojan has used the TOR network.
Although the use of the anonymity network is seen as an advancement,
researchers argue that this increases detectability both of the malware and
the underlying botnet.
It remains to be observed how TOR functionality usage within malware will
evolve over time.
• It is interesting to observe how protective functions of mobile devices
have been misused to block phones and require a ransom: by attacking the
Apple ID on iOS devices, adversaries managed to completely block the
device and ask for money to unlock the device.
• The ransomware threat can create damage, especially to businesses,
while it is highly profitable for cyber-criminals.
As opposed to the past, available anonymous payment schemes such as
MoneyPack and QIWI VISA Wallet facilitate cash flow to the
cyber-criminals.
The encryption used is impossible to break (RSA 2048 encryption used
within Cryptolocker and its evolution Ransomcrypt).
Research has shown that ca. 3% of victims pay a ransom.
• In the reporting period Fake Antivirus has bothered security experts,
in particular in the mobile area.
It is remarkable that a fake antivirus named “Virus Shield” has been
downloaded over 10.000 times, thus getting into the top paid list in the first
week of appearance.
Cyber-opportunity makes the thief
Opportunity was long ago recognised as a basic element of practical
crime theory.
These approaches build on the old saying “opportunity makes the thief.”
In cyber-crime the situation is not much different.
In the reporting period we have seen cyber threat agents looking for
opportunities to better target their attacks and more easily fool their
victims.
The examples speak for themselves: international sport events, specially crafted
phishing attacks based on personal profiles/habits, targeted campaigns to
find weak links, etc.
Considering the opportunity factor in cyber-crime might be an important
tool for defenders in order to understand motivation and techniques that
are likely to be used.
By taking into account the issue of opportunities in cyber-crime, it can be
concluded that:
• Cyber-crime opportunities often have location and time relevance: It
is typical that, like ordinary criminals, cyber criminals seek to abuse
collective mind-sets that are formed within big events.
Moreover, events with international political impact are main triggers for
cyber-crime, especially hacktivism, cyber-fighters and state sponsored
espionage.
• Cyber-crime tries to increase opportunity specificity: cyber-crime
seeks specific opportunities that increase success rates.
In the reporting period we have experienced a shift towards more targeted
attacks on sets of opportunities that are concentrated on exploiting specific
weaknesses.
Hence, instead of looking for victims in the wild, cyber attackers
concentrate their attacks on sets of users, e.g. by abusing breached
information.
• Cyber-crime produces opportunities for cyber-crime: The emergence
of underground markets for hacking tools and hacked information (i.e.
cyber-crime as a service) shows clearly that cyber-crime leads to
cyber-crime.
Cyber-crime underground forums, cyber-crime market places and offerings
are a clear indication of this.
• Social and technological changes create cyber-crime opportunities:
Building the basis of cyber-crime for years now, social and technical
changes are THE opportunity abused, especially in phases of growth, mass
deployment/marketing and end of support.
Knowing that, the introduction of social and technical changes should be
“secure by design”.
In the reporting period we have seen some EU-Member States introducing
security in early stages of technology adoption in order to effectively reduce
the window of this opportunity.
Although not always feasible or obvious, with some awareness these
opportunities could be recognised by defenders, thus contributing to
situational prevention.
In cyber-space this might mean adapting defences, level of preparedness
and expectations.
Looking at ways to better understand the methods used for opportunity
emergence and opportunity exploitation might lead to a better
cyber-defence.
It is considered appropriate to more systematically analyse this field and
capitalise on existing experience from the area of criminology.
The role of national supervisors in European
banking supervision
Speech by Dr Andreas Dombret, Member of the
Executive Board of the Deutsche Bundesbank, at
Chatham House, London
1. Introduction
Ladies and gentlemen
Thank you for this opportunity to speak at Chatham House today. It is an
honour for me to speak at such a distinguished institution and to share my
thoughts with you.
The topic of my speech today is European banking supervision, but the
underlying theme, of course, is integration.
Since the Treaties of Rome were signed in 1957, the history of Europe has
been characterised by ever-deepening integration.
Once it had been set in motion, European integration proved to be a steady
process marked by a number of leaps.
One such leap was taken in 1999. In that year, 11 European countries
adopted the euro as their common currency.
Today, the euro is shared by 19 countries and more than 300 million
people.
However, as you know, the sun does not always shine in the euro area.
In the wake of the global financial crisis of 2008, the euro area slid into a
crisis of its own.
In 2010, Greece stumbled into a sovereign debt crisis.
This led to a rapid loss of confidence in other countries at the periphery of
the euro area and eventually brought the euro area to the brink of collapse.
Extensive rescue packages provided by the member states of the euro area
as well as non-standard measures taken by the ECB helped to calm the
markets and prevented the crisis from escalating.
To some, the present situation might look familiar.
Greece is again capturing the headlines, since last week's elections put into
power a party which is set to derail the train of reform.
And just three days before the Greek elections, the ECB again decided to
take non-standard measures in order to address the risks of too prolonged a
period of low inflation - as you know, the Bundesbank takes a rather critical
view of these measures.
But even though some might be reminded of 2010, it is obvious that the
situation has improved over the past five years.
And at some point, the focus should shift from managing the current crisis
to preventing future crises.
With regard to the European banking sector, the focus shifted in mid-2013
and, once again, the response was a leap in integration.
2. The idea behind European banking supervision
About a year later, on 4 November 2014, the first pillar of a European
banking union was erected.
On that date, the ECB assumed responsibility for supervising the 120
largest banks in the euro area - with the accession of Lithuania, the number
of supervised banks has risen to 123.
These 123 banks account for more than 85% of the aggregate balance sheet
of the euro area's banking sector, making the ECB one of the biggest
banking supervisors in the world.
The idea of European banking supervision was undoubtedly born out of the
crisis.
The crisis lent new urgency to something that had already been obvious
before: in banking and finance, national borders are far less relevant than
in other areas of life.
Such an integrated financial system is certainly desirable for all the
well-known reasons, including efficiency gains and risk-sharing.
However, that which distributes gains among all of us in good times, forces
us all to share the pain in bad times.
In an integrated financial system, problems in one country can quickly
spread to others.
This is what happened during the recent crisis and it made us realise that
banking supervision had to adapt - with international banks that operate
across borders, isolated supervision was not so "splendid" after all.
To quote the IMF, the European banking union is the "logical conclusion of
the idea that integrated banking systems require integrated prudential
oversight".
To be sure, there was a certain amount of cooperation in supervisory
matters before the crisis.
There was an exchange between home and host supervisors of
internationally active banks.
And there were supervisory colleges in which supervisors of global banks
convened and shared their insights.
However, this was not enough.
An integrated financial system cannot be supervised through cooperation, it
requires an integrated approach.
Taking banking supervision from the national level to the European level
has three specific benefits.
First, European banking supervision makes it possible for banks in the
entire euro area to be supervised to the same, high standards.
These standards will emerge from sharing insights and empirical findings
internationally and taking the best from each national approach to banking
supervision.
Germany, for instance, could benefit from a more quantitative-oriented
approach, which has already been adopted by other countries.
Second, European banking supervision makes it possible to effectively
identify and manage cross-border problems.
This is essential, because, as I have mentioned, large banks are usually
active in more than one country.
The failure of the Franco-Belgian bank Dexia in 2011 is a classic example of
a case where banking supervision with a cross-border focus could have
improved crisis management.
Another example is German Hypo Real Estate, which failed in 2009.
Third, taking banking supervision from the national to the European level
will add a layer of separation between supervisors and the banks they
supervise.
This will prevent supervisors from treating their banks with kid-gloves out
of national interest.
You see that we have come to expect a lot from European banking
supervision.
But even though I am extremely optimistic, we have to bear one thing in
mind: European banking supervision is an immensely complex operation
that has been put together in a very short space of time.
We should not expect everything to run smoothly from day one.
It will certainly take some time before every detail is sorted out deep down
in the engine room of actual banking supervision.
Let us take a tour down into that engine room and see how European
banking supervision is organised and what that entails for the national
supervisors.
3. The role of national supervisors
A question I often heard during the run-up to European banking
supervision was: "Aren't national supervisors digging their own grave?
Now that supervision has been transferred to the European level, where will
that leave you as national supervisors?"
First of all, we should certainly not succumb to the illusion that
European-level supervision is going to spell the end of national supervision.
In the entire euro area there are about 3,400 banks, of which only 123 are
directly supervised by the ECB - the rest remain the responsibility of
national supervisors.
In Germany, for instance, about 1,800 credit institutions are still being
supervised by the Bundesbank and BaFin.
Nevertheless, the ECB will certainly play a part in harmonising the
supervisory approaches to all banks in the euro area.
Consequently, national supervisors will have to take a more European
perspective in supervising those banks which remain within their direct
sphere of responsibility.
But what about those banks which are directly supervised by the ECB?
Are national supervisors being pushed to the sidelines in these cases?
Well, let us consider the facts.
The ECB has to supervise 123, mostly very large and complex banking
groups, which are located in 19 different countries.
To do so, the ECB has a staff of 1,000, most of whom are located in
Frankfurt.
There is no other option for European banking supervision than to rely on
national supervisors.
The role of national supervisors builds on their expertise and experience,
as well as their resources and their presence on the ground.
The Bundesbank, for instance, has decades of experience in banking
supervision, has nine regional offices and about 1,300 supervisors.
Consequently, the ongoing banking supervision lies with "joint supervisory
teams".
These teams are headed by ECB staff, but are comprised mainly of national
supervisors.
The Bundesbank is represented in all the joint supervisory teams for
German banks and also in some teams for foreign banks.
Altogether, about 300 supervisors from the Bundesbank work in the
context of European banking supervision.
And here, I am just talking about ongoing supervision.
In addition to that, all the national supervisory authorities are represented
on the Supervisory Board, the decision-making body of European banking
supervision.
For the Bundesbank that means we are ceding, in whole or in part,
responsibility for supervising 21 German institutions, but becoming
involved in the supervision of 102 foreign institutions.
You can imagine that all this requires national supervisors to adjust - not
only from an organisational point of view but also from a personal
standpoint.
Supervisors who, for years, were responsible for national banks are
suddenly being pushed into an international working environment.
This is exciting and challenging at the same time, and it will be some time
before everyone has adjusted to the new circumstances.
Experience of the first few weeks is rather encouraging, though.
From an organisational perspective, the Bundesbank has already adapted.
We have changed our structure to allow us to play an efficient and effective
role in European banking supervision: we have set up a new Secretariat to
prepare the meetings of the Supervisory Board, we have set up a new
department to analyse the foreign banks which fall under European
banking supervision, and we have set up a staff unit to coordinate those
colleagues from the Bundesbank who work in the joint supervisory teams.
All this requires great effort and represents a formidable challenge.
However, the real challenge does not lie in organising day-to-day
supervision in the new system.
In my view, the real challenge lies in the decision-making processes.
Since the ECB is responsible for European banking supervision, the
Governing Council is the highest decision-making body not only for
monetary policy issues but also for matters of banking supervision.
These two responsibilities converge on the banks.
Banks are a crucial element in the transmission process of monetary policy,
while, at the same time, being the object of banking supervision.
This, of course, gives rise to conflicts of interest, as it creates a banking
supervisor with access to central bank liquidity.
To minimise such conflicts of interest, a governance structure has been
created that limits the Governing Council's involvement in supervisory
decisions.
Time will tell whether this structure truly helps to avoid conflicts of interest
between monetary policy and banking supervision or whether it might have
been better to create an independent banking supervisor.
4. Conclusion
Ladies and gentlemen
European banking supervision certainly represents the biggest step
towards financial integration in Europe since the launch of the euro.
And, to me, it is the most logical step to take.
Single monetary policy requires integrated financial markets - which
includes, without doubt, European-level banking supervision.
And for anyone who has gained the impression that we have transferred
responsibility for banking supervision to an institution with no previous
experience of supervising banks, rest assured: that is not the case.
National supervisors will continue to play an important role in supervision
within the new system.
For us, as national supervisors, this is an extremely exciting challenge.
Since colleagues from the Bundesbank began taking part in the joint
supervisory teams, our tasks and perspectives have been broadened
substantially.
I am sure that our national supervision will also benefit from the experience
we gain by working in the joint European teams.
And I firmly believe that European banking supervision will benefit from
the involvement of national supervisors.
The Group of Thirty
The Digital Revolution in Banking
Gail Kelly
Bank Security
For the last two decades, cybersecurity in banks has been based on two
central ideas—the creation of strong perimeter defenses (firewalls and
similar mechanisms) and the encryption of data in transit outside the
perimeter walls.
More recently, increasing effort has also gone into monitoring system
traffic and activity to identify anomalous events that might indicate fraud or
attack.
While these strategies have worked well thus far, they will come under
increasing and considerable pressure.
For example, attacks on perimeter security have become increasingly
sophisticated, and there are an increasing number of recorded instances of
breach.
In addition, banks will need to increase their ability to monitor the “enemy
within”—a number of recent breaches of credit card data appear to have
been enabled by the malicious actions of staff or contractors with privileged
systems access.
As perimeter security is increased, it is likely that attempts will increase to
access protected data, insert malicious hardware or software, or disrupt
environments from the inside.
The secure transmission of data, which is now a central feature of the
financial system, has relied on cryptographic techniques using
computationally intractable functions.
These techniques are so “intractable” that they are widely regarded as being
well beyond the capacity of even the largest assemblies of conventional
computers to unscramble.
This is still the assessment of experts in the field.
However, computing capabilities continue to develop rapidly.
Very recently, what is claimed to be the first commercially available
quantum computer was released in Canada, and Google has just made a
major investment in this field.
While it is still the clear assessment of experts that our current
cryptographic standards remain secure, close attention to developments is
important.
These three issues—increasing risk of perimeter compromise, greater
“enemy within” attacks, and the risk of cryptographic defeat of data in
transit—mean that the current approaches to, and standards for, bank
security will need to be fundamentally reappraised over the next five to 10
years.
Security Beyond Banks
However, security of the financial system extends beyond the security of
individual banks.
As banking activity increasingly extends beyond banks, so must questions
of adequate security for the banking system.
Businesses beginning to engage in banking-like activities as a result of the
digital revolution regularly use, or depend upon, public or hybrid clouds for
data storage and often deploy security measures that fall below what is
regarded as appropriate in major banks.
As the digitization of banking continues, it is unclear that security
arrangements in individual banks, however strong, will provide adequate
security for the system as a whole.
In the complex web of 23 businesses that provide e-commerce, failures in
one part of the system may lead to a loss of confidence in the system as a
whole.
While no part of the financial system would be complacent about
cybersecurity, it may well be that the greatest risks to security lie outside
the areas of greatest focus.
A Loss of Confidence
A loss of trust in a player in the financial system usually results in the rapid
withdrawal of customer deposits, a rapid rise in counterparty collateral
levels, and a refusal to deal.
Digital technologies potentially exacerbate the impact of a loss of trust.
It is already conceivable, for example, that a “run” on a bank might
originate on social media and occur on mobile phones.
In a digital environment, such a “run” could occur at any time and spread
with astonishing speed.
With real-time settlement processes in place, enormous shifts of funds will
be able to be effected in virtually no time.
Flows of cash in and out of individual institutions can already happen
quickly.
They will be able to happen much more rapidly in a digital environment.
This is likely to encourage more precipitate behaviors by market
participants seeking to manage counterparty risk and, consequently, the
capacity for even more rapid intervention, when required, by market
regulators.
Given the importance of community trust in the safety of the banking
system, even the most technically complex of these issues should not be left
for technical specialists alone to solve.
Bank executives, policy makers, and regulators will all need to be satisfied
that customer data are adequately protected and that commerce that relies
on electronic exchange can be safely conducted.
A high level of engagement and collaboration, locally and globally, is likely
to be required to develop enduring solutions.
Trust is a fundamental feature of the financial system and a precondition
for its successful operation.
As it has developed so far, the digital world offers very different trust
propositions.
As the two worlds collide, we need to be very sure that the central elements
of the financial system that create trust are not compromised.
The Changing Profile of Systemic Risk
Overall, the advent of digital financial services is likely to change the profile
of risks across the financial system.
Almost certainly it will raise new risks; it may also arguably make others
easier to manage.
Traditional credit risk, for example, has the potential to become more
accurately managed as the amount and timeliness of data available to credit
providers increase considerably.
Key credit functions such as property valuation may become more accurate
and more objectively based.
Credit decision making is likely to become more automated and more
consistent as a result.
Advanced analytic techniques may allow patterns in credit and market data
to be observed earlier and with greater clarity, allowing swifter and more
accurate response to emerging imbalances and other issues.
Some aspects of operational risk may also decline, as greater automation is
introduced.
Against this, systems reliability is likely to become a more important risk
consideration, as the ability to “step back” to manual systems in the event of
failure becomes increasingly difficult.
Greater redundancy and higher levels of assurance will be required, not just
in major banks but in a growing number of new entrants.
In addition, cybersecurity risks will certainly increase, and new approaches
and techniques will be required to address and mitigate them.
These changes, together with the wider spread of financial services in the
economy, more complex webs of service delivery, and high levels of
innovation, are likely to shift the overall profile of systemic risk.
The net impact of all these will not be easily assessed.
Policy makers will need to think deeply about systemic risk, including about
the potential role of digital financial services in the creation and
transmission of future financial crises.
To read the paper:
http://group30.org/images/PDF/OP89.pdf
The Russian economic situation and Bank
of Russia's forecast
Statement by Ms Elvira Nabiullina, Governor of
the Bank of Russia, in follow-up of Board of
Directors meeting, Moscow
Good afternoon! Today the Bank of Russia Board
of Directors has decided to raise the key rate to
10.5% per annum.
In the recent months, domestic inflation accelerated significantly and
inflation expectations increased.
According to our estimates, annual inflation will approximate 10% in 2014.
The acceleration of inflation results from both the impact of the external
trade restrictions and specific factors in the food market (which will add
about 2.3 pp to the total inflation at year-end), and considerable ruble
depreciation (that will contribute 2.6 pp).
According to the Bank of Russia estimates, the impact of these factors will
persist in 2015 Q1 resulting in stable increased inflation expectations and
spreading inflationary pressure to the markets of goods and services not
directly related to imports and sanctions.
Meanwhile, the direct impact of ruble depreciation is time-limited and,
according to our estimates, may be largely exhausted during the next
six-month period.
Tighter monetary policy of the Bank of Russia will contribute to limiting
secondary effects, cooling inflation expectations and slowing price growth.
Should inflation risks aggravate, the Bank of Russia is ready to further raise
the key rate in order to prevent acceleration of inflation and loss of control
over it.
Monetary policy easing can be considered when inflation and inflation
expectations show a stable downward trend.
Before moving to the forecast our decision is based on, I would like to touch
upon the current situation.
Russian economic situation
The recent months saw considerable changes in the global economy,
primarily in the global commodity market, which have a direct impact on
the Russian economy.
Urals crude price fell by over 40% as against the highest price in June.
Some other Russian export commodities have also experienced price
decrease.
Oil price dynamics have become one of the main reasons of ruble
depreciation.
Discussions of multiple interconnections between the foreign exchange
rate and oil prices have currently become a popular trend which should not
be taken literally.
There should be understanding that it is not the only factor of exchange rate
fluctuations.
They are also caused by the situation in the Russian and global economy,
domestic and foreign financial markets, and by the expectations of the
economic agents.
In particular, the ruble exchange rate was affected by the restricted access
of Russian companies and banks to external markets raising concerns
regarding the upcoming external debt payments.
However, the impact of the external factors on the economic situation
should not be considered unidirectional.
External trade restrictions and ruble exchange rate dynamics have
enhanced the competitiveness of Russian exports and boosted import
substitution.
The recent months see accelerated annual growth rates of industrial
production (almost two-fold in September-October as against 1.5% in the
first six months of the year) and improved sentiment of manufacturers.
Net export contribution to GDP growth increased.
Nevertheless, amid high uncertainty this output growth is not yet
accompanied with investment increase.
Consumer demand also weakens due to the slowdown in annual growth of
real income of households which has contracted to 0.5%.
As a result, procurement manager sentiment index in the service sector
deteriorates.
The situation in the labour market remains unchanged, seasonally adjusted
unemployment rate stayed at 5.2% in October.
Broad set of labour market indicators, including the number of working
hours, number and length of unpaid vacations, and others do not bear
evidence of considerable concealed unemployment.
According to our estimates the labour productivity growth slowed down to
0.7% in January-October this year with persistent gap between the growth
of wages and labour productivity signaling of slow pace of economic
restructuring.
These factors affected GDP dynamics. Our estimate of the GDP growth in
2014 has been slightly raised to 0.6%.
Due to the transition to the floating exchange rate, the foreign exchange
market absorbs external shocks preserving relative stability of other
segments of the financial market.
For comparison, during the global crisis of 2008, the volatility of the money
market rates exceeded the current values ten-fold.
The banking sector continues stable servicing and funding of the economy.
During the previous 11 months, loans to non-financial organisations grew
by 12% and loans to households by 12.7% (adjusted for currency
revaluation).
The financial system gradually adjusts to inflation targeting and floating
exchange rate.
Time lag of the reaction of the banking sector to the change of the Bank of
Russia key rate remains large though, according to our estimates, gradually
shrinking.
This refers to deposit rates as well. As lags shrink, the effectiveness of the
interest rate channel of the Bank of Russia monetary transmission
mechanism will improve.
As for the foreign exchange transmission channel, its impact is complicated
due to the high volatility in the foreign exchange market which resulted,
inter alia, from the restricted access of Russian banks and companies to
external markets.
In order to normalise the situation with foreign exchange liquidity, the
Bank of Russia has introduced reverse transactions to provide it.
Interest rates on these transactions have been decreased to the level of
LIBOR rates plus 0.5 pp.
The volume of foreign exchange liquidity provision is determined by the
demand estimates based on the balance of payments forecast.
The next one-year repo auction of 15 December will accept Eurobonds and
provide for the possibility of early deal termination by borrowers.
In the near future the Bank of Russia also intends to consider the
introduction of foreign exchange lending secured by non-marketable assets.
Foreign exchange loans, extended by banks to companies with stable
income in foreign currency, are supposed to be eligible as collateral.
Bank of Russia forecast
The current situation requires updating the forecasts and adjusting the
policy to ensure financial and price stability enabling the economy to adjust
to the new conditions and start developing as quickly as possible.
The "Guidelines for the Single State Monetary Policy in 2015 and for 2016
and 2017" stipulate that the removal of sanctions and trade restrictions
results in certain inflation decrease and moderate acceleration of economic
growth.
We take this possibility into account but base our policy decisions on the
forecasts providing for long-term sanctions.
The baseline forecast the Bank of Russia currently applies in the
decision-making approximates scenario IIIb published in the
aforementioned document.
We expect average oil prices to be $80 per barrel during the next three
years. This average price results from consensus forecast of the leading
analysts.
In the scenario under consideration the current account surplus remains
on the acceptable level of $56 billion in 2015. In 2016 and 2017, no
significant changes in the current account balance are expected either.
The development of import substitution will boost domestic production.
The service sector will see similar trend.
Conditions for diversification of the economy will be established.
Contribution of net exports to GDP will be positive.
According to the Bank of Russia estimates, in these conditions economic
growth rates will remain close to zero in 2015-2016, however in 2017, when
import substitution and increase in non-commodity exports become more
apparent, we expect GDP to grow up to 1-1.2%.
Higher growth rates in the next three years require structural reforms,
primarily measures aimed at real improvement of business climate and
higher labour productivity.
The inflation level is currently affected by the actual ruble depreciation and
the imposed import restrictions but, according to our estimates, these
factors will contribute to inflation increase only till late 2015 Q1,
afterwards, the inflation will start declining.
By late 2015, inflation will fall to 8%.
Inflation is forecast to slow down to the target of 4% by late 2017.
These dynamics are largely connected with the increased inflation
expectations.
In this regard, the Bank of Russia intends to conduct its monetary policy to
prevent further aggravation of inflation and inflation expectations.
As I have mentioned, under the baseline forecast the current account
surplus will amount to $56 billion in 2015 which is below the possible
capital outflow we estimate to reach up to $120 billion next year.
Next year the volume of external debt payments will also approximate to
$120 billion, of which banking sector debt payments will amount to $42
billion, including interest payments.
Non-financial sector debt payments are estimated to be $77 billion,
including interest payments.
We have made special calculations based on the reporting data received
from banks and the survey of 40 largest companies.
According to our estimates based on these data, more than 10% of these
payments refer to intergroup transactions.
Another 20% can be refunded in the international markets.
At least 15% can be redeemed through the partial use of cushion of liquid
foreign exchange assets accumulated by banks and state-owned companies.
The remaining 55% of debts subject to redemption which make about $65
billion can be covered from the current account balance and reduction of
international reserves.
According to our calculations, operations to close the gap of the balance of
payments will require about $70 billion next year.
The Bank of Russia will carry out transactions aimed at maintaining
stability of the balance of payments, i.e. the financial stability, in the
stipulated volumes.
We believe that the international reserves are sufficient to carry out foreign
exchange transactions in such volume.
Meanwhile, in the next three years, the reserves level will be significantly
above the generally accepted adequacy indicators.
There definitely will be no deficit of foreign exchange liquidity given these
parameters of the balance of payments and the volume of our operations.
We intend to conduct the aforementioned FX repos, extend foreign
currency loans and carry out occasional direct FX buy/sell transactions,
inter alia, to accumulate and use Government reserve funds.
It should be noted that under this scenario the ruble should appreciate
considerably next year due to both the compensation of the currently
observed exchange rate overshoot or, in other words, excessive
depreciation, and the oil price growth stipulated by the scenario.
Let me remind you that according to the scenario oil price will be $80.
This is our baseline scenario.
At the same time we are aware of the pessimistic sentiments in the market
due to the dynamics of oil contract quotations observed over the last
months.
Therefore, alongside with the baseline forecast, we have worked out an
alternative scenario which we consider to be unlikely to develop and which
provides for oil price fall to $60 per barrel from early 2015 and during the
whole three-year period.
In this case Russian economy will require more profound adjustment to
the new conditions in 2015-2016.
In this scenario, the current account surplus will amount to approximately
$40 billion in 2015.
It will further increase due to the slight rise of non-oil and gas exports and
decline of imports.
Economic growth rates will depend on the pace of import substitution.
Slow development of import-substituting production in 2015-2016 may
result in "mild" recession.
Nevertheless, output and employment decrease will be considerably less
than in 2008-2009. In this scenario we expect economic recovery growth to
over 5% in 2017.
Under this scenario, in 2015, inflation acceleration may be higher than in
the baseline scenario due to the lower ruble appreciation during the year
which is also expected due to the compensation of the exchange rate
overshoot.
During the following two years, due to the deeper output gap inflation will
decrease even faster than stipulated in the baseline scenario reaching the
target of 4% before late 2017.
Meanwhile, the monetary policy will be aimed at stabilisation of inflation
expectations, prevention of inflation spiral and its gradual decrease due to
the prospects of economic growth. It is also possible that under this
scenario we will be able to ease our policy even earlier.
As the capital outflow during this period will mainly result from external
debt payments, in this scenario we estimate the total capital outflow to be at
the same level as in the baseline scenario.
Under this scenario we are ready to allocate about $85 billion for FX
transactions in order to stabilise the balance of payments that is also
acceptable from the foreign exchange reserve adequacy point of view.
It should be noted that the reserve level will be restored following the
economy adjustment to the new conditions as we intend to conduct mainly
reverse transactions.
The Bank of Russia will undertake operations in the foreign exchange
market based on the balance of payments forecast and the estimation of
balances of banks and companies taking into account the structure, terms
and nature of corporate debt.
I would like to emphasise that we carry out these transactions in order to
prevent situations when excessive exchange rate volatility and its
considerable deviation from fundamental levels create financial stability
risks and result in higher depreciation and inflation expectations.
In particular, now that risks arising from the ruble exchange rate dynamics
have aggravated, the Bank of Russia came up with interventions in the
foreign exchange market.
Of course, we will also consider the impact of operations in the foreign
exchange market on the ruble liquidity and ease the negative effect of
growing structural deficit on the credit institutions' balance sheets. Besides,
we are especially concerned about the collateral adequacy and will take
further measures to decrease pressure on market-traded bonds through
providing liquidity against other types of assets.
Amid the increased volatility of the foreign exchange market, the Bank of
Russia will stick to the conservative approach to the assessment of banking
sector demand for liquidity.
Meanwhile, the volume of ruble liquidity provision will be sufficient for the
banking system to function properly and the money market rates to remain
within the interest rate corridor bounds.
The Bank of Russia will also continue to permanently monitor the situation
in all the segments of the financial market and is ready to take the required
measures to ensure its stable functioning.
It is crucial for normal functioning of the economy and successful
implementation of all macroeconomic policy measures.
Currently the Russian economy faces both external and internal
challenges.
The uncertainty over further developments is really high and the sensitivity
of the economy and especially the financial markets to various
developments increases, at some point the reaction can be excessive.
In these conditions the Bank of Russia is ready to be flexible and take
unconventional decisions in meeting strategic objectives of ensuring
financial and price stability.
Independence of monetary policy and
the banking union
Speech by Mr Erkki Liikanen, Governor of the
Bank of Finland, at the Lamfalussy Lecture
Conference, organised by Magyar Nemzeti
Bank (the central bank of Hungary), Budapest,
One of the lasting lessons we have learned from the monetary policy
experience of the last decades is the value of the independence of central
banks.
What does this independence mean today?
Why should we have it?
What are the current problems involved?
The modern idea of central bank independence was born from the lessons
learned in the fight against the high inflation of the 1970s and the 1980s.
The Bundesbank became the role model which has not been forgotten.
The supporting theory was later developed by the great economists of the
day: Stanley Fischer, Kenneth Rogoff, Carl Walsh and others.
The fight against inflation was successful and the lessons learned from this
fight inspired great reforms in the central banks.
In Europe, those lessons inspired the writing of the statutes of the ECB.
Securing central bank independence and preserving the hard-won price
stability were key ingredients.
Today's monetary problems are very different.
In some respects they are almost a mirror image of the problems of the
great inflation era.
But I am convinced that central bank independence is equally important in
today's environment.
Still, it is interesting to think once more what exactly this independence
means and what it requires in today's different context.
In research, it is usual to distinguish two types of central bank
independence: goal independence and instrument independence.
Just a few comments on goal independence.
Goal independence would mean the ability of the central bank to formulate
the ultimate objectives of its policy.
In democratic systems, goal independence is typically quite limited, and the
objectives of central bank are given by elected bodies.
This is how it should be.
It gives the central bank's activities the necessary democratic legitimacy.
The ECB has been given price stability as its primary objective.
The treaty left to the Governing Council to give an operational definition of
what price stability means.
As you know, the current definition, unchanged since 2003, is that inflation
should be "below but close to two percent over the medium term".
The words "close to" were added to the ECB's definition of price stability in
2003, after a serious and thorough consideration.
These words have now gained increasing weight, as inflation in the euro
area has been clearly below 2 per cent for quite some time.
We have been forced to think carefully what the expressions "close to" and
"over the medium term" mean.
The Governing Council has remained committed to the definition of 2003,
and with a good reason.
The definition of price stability in the medium term must provide a credible
anchor to expectations.
So we must follow it to the letter.
Now on the other level of central bank independence, the instrument
independence, before I return to price stability.
Instrument independence means that the central bank has a great deal of
freedom to use its monetary policy instruments in order to achieve its policy
goals.
Without such freedom, the ability of monetary policy to achieve its
objectives would not be credible and the policy itself could become
ineffective.
Modern central banks have a very high degree of instrument independence
since the 1990s.
This was taken for granted, and remained so, as long as the main
instrument was the interest rate.
Now, after the central bank interest rates have reached their lower bound - close to zero - monetary policy has had to turn to other means.
This is by now a global phenomenon in the advanced countries.
The use of "unconventional monetary policy tools" such as large-scale bond
purchases has restarted the discussion of instrument independence.
What can the central bank do under its instrument independence?
For example, there have been some, however not many, critics claiming
that the ECB's bond purchase programmes could go beyond the definition
of monetary policy.
The ECB's case for the legality of its various bond purchase programmes
has been argued elsewhere and I will not go into that here.
I just want to reiterate that in the Governing Council, we all agreed that the
Extended Asset Purchases Program decided on 22 January is a monetary
policy tool.
But instrument independence is not only about what the law allows the
central bank to do.
Independence also requires that the environment where monetary policy
operates is such that a successful monetary policy is possible and viable.
And this is where it becomes really interesting and where the present very
low inflation environment makes a difference.
We usually distinguish two such threats to independence. They are called
"fiscal dominance", and "financial dominance".
Fiscal dominance is the older concept of the two.
Fiscal dominance would arise if the government financing constraint would
become an overriding influence on monetary policy.
The idea that tight monetary policy may become impossible without
accompanying fiscal adjustment was well understood when the blueprints
for the EMU were being prepared.
This is why the Maastricht treaty had its fiscal policy clauses and also why
the Stability and Growth Pact was concluded.
Also the famous prohibition of direct central bank credit to the government,
and the institutional independence of the central banks, are in effect
protections against fiscal dominance.
Now we know that the fiscal framework as put in place before the start of
the EMU was not strong enough to prevent fiscal problems from emerging.
Some have been worried that fiscal dominance has taken hold when the
central banks have used government bond purchases, both to stabilize the
markets and to produce additional monetary stimulus with "Quantitative
Easing" when the interest rate instrument has already been used to the
maximum.
The Extended Asset Purchase Programme of the ECB announced in the
week before last is an example.
As to the euro area, there is no evidence of fiscal dominance.
The acid test for fiscal dominance is: does monetary policy break its price
stability objective for the sake of maintaining the solvency of the
government sector.
This is not the case.
The price stability objective has not been and will not be abandoned.
The bond purchases of the Eurosystem are directed to make monetary
policy more effective, not less.
In particular, we want to move closer to our definition of price stability, and
the bond purchases are contributing to that end.
We have had well known fiscal problems in some of the euro area
countries.
Still, the traditional symptom of fiscal dominance, accelerating inflation, has
not materialized, nor have inflation expectations risen.
Inflation expectations remained well in line with the price stability
objective until last summer, when they started to show signs of declining,
not increasing.
Does this mean that the risk of fiscal dominance has become obsolete?
Certainly not.
The idea that monetary policy should be able to concentrate on its primary
objective is relevant also now. But it manifests itself in a slightly different
way than in a high inflation environment.
Solvency of governments is a self-evident condition for sustainable
policies.
But striving for our definition of price stability now requires very
accommodative monetary policy, which includes exceptionally low interest
rates, and also bond purchases.
There have been worries that such a policy could make it too easy for
governments to engage in excessive deficits and fiscal irresponsibility. Is
the ECB, for its part, making life too easy for governments which should
continue their consolidation efforts?
It may well be that the financing of government deficits is made easier by
an accommodative monetary policy.
But the primary goal of monetary policy is price stability, which includes
avoiding the threat of deflation.
The responsibility for fiscal discipline is with the governments, and in the
EU also with the Council and the Commission in their particular roles.
Prudent fiscal policy and abiding by the fiscal rules is essential, but we
cannot have a trade-off between fiscal discipline and price stability.
We can and must have both.
The division of responsibilities between the ECB and the governments is
clear, and each must do their part.
We should beware of the danger that problems which are fundamentally
political could be pushed to central banks to solve.
A division of responsibilities between appointed officials and elected
politicians should be preserved.
That division of responsibilities is one of the forms that the central bank's
instrument independence takes today.
Monetary policy can neither micromanage the needed structural
transformation in the real sector of the economy nor solve excessive deficit
problems of governments.
In the euro area, the countries which have their public finances in order
will benefit more from the accommodative policies of the ECB.
The experience of the last years shows clearly that if there is any doubt
about the long run solvency of a government, monetary policy will not be
transmitted fully to that country's private sector either.
Let me turn next to consider the other potential threat to the independence
of monetary policy, the threat of financial dominance.
Financial dominance means the possibility that the condition of the
banking system could become a constraint, or dominant influence, on
monetary policy.
The idea is that a weak banking sector could force the central bank to
pursue second- or third-best monetary policies in order to prevent a
banking crisis.
In theory it is easy to see how this could happen.
One can imagine a central bank which would have to tighten its monetary
policy for price stability reasons, but is prevented from doing so for the fear
that the value of the assets of the banking system would decrease and a
financial crisis could ensue.
Episodes which fit that kind of financial dominance have been observed, in
the past, especially in the emerging economies.
And in my own country, the severe crisis in the banking system was one of
the main reasons which forced a devaluation of the currency in 1991.
But looking at the more recent experience, this has not really been the case
in the advanced economies.
The bust in 2008 of the last credit boom did not lead monetary policy to
tolerate a higher-than-mandated rate of inflation.
Instead, in the large advanced economies at least, the bursting of the bubble
coincided with a contraction of private demand and a deep recession.
The negative effect of the crisis on economic activity actually reduced
inflationary pressures.
The main problem has since then been how to prevent the deleveraging
process from starting a deflationary spiral.
In such conditions, monetary policy which eases the strain on the banking
sector has at the same time supported price stability.
Now, almost five years later, do we have a trade-off between price stability
and financial stability?
By conducting a monetary policy of extremely low interest rates, combined
with exceptional measures such as bond purchases, are we stoking asset
price bubbles and encouraging too risky lending practices by banks?
Very low interest rates may encourage risk taking by the investors.
This is actually one of the objectives. Our economies need more productive
investments.
The low interest rate environment will also affect bank lending.
This is also desirable, and it is hoped that business lending to job-creating
SMEs will be stimulated.
However, we hear worries that the incentives could be too strong.
This is based on the fear that banks will finance investments which are too
risky, or the stimulus could be unduly concentrated on, say, the real estate
sector.
Of course, successful monetary policy requires a stable financial system. If
stability is not there, the transmission of monetary policy can hardly work
smoothly.
This is one of the lessons of the financial crisis.
Here we see how the problem of possible financial dominance is
manifested in today's economic environment.
Now it is not the question can the banking system endure a hard,
disinflationary monetary policy.
We must pose the question in another way: how can we make sure that the
banking system is able to operate prudently under a monetary policy that
seeks to maintain price stability "from below", with an accommodative,
even expansionary stance?
There was a famous discussion on how monetary policy should relate to
credit booms and asset prices in the Jackson Hole conference of 2007.
At that time, the prevalent thinking in central banking circles was that it is
better for monetary policy only to "clean" (up after the bursting of the
possible bubbles) than to "lean" (against the wind).
The strategy of the ECB includes the so-called second pillar of monetary
analysis, which focuses on signals from money supply and credit creation.
This means we are committed to consider the sustainability of the
developments in the banking sector and their compatibility with price
stability.
After the hard lessons we learned over the last five years, the case for
benign neglect of asset booms and only picking up the pieces afterwards is
not very attractive.
The crisis experience supports rather the idea that financial excesses are
better prevented as they happen than only managed after they have caused
a recession.
One option is leaning against the wind.
That would mean taking the price stability objective in a more flexible way
and paying more attention to asset prices in monetary policy formulation.
But there are difficulties with that:
One difficulty is the problem of detecting the credit cycle in time, and
correctly timing the monetary policy response.
Another problem is that price stability might get too little attention.
If the price stability objective had to be compromised because of the
developments in the banks and in the financial markets, we would actually
have a case of financial dominance.
How can this be avoided?
Naturally, it is the quality of commercial bank management and the
internal incentives built into the banks' management systems that are the
first line of defence.
But we have also learned that prudent management practices need to be
supported by good and effective regulation.
This leads to my other main point today.
In today's environment, the effective independence of monetary policy
requires good regulation which ensures that the banking system as a whole
remains stable and solid through the interest rate cycle, not only in times of
tight monetary policy but also in times of very accommodative monetary
policy.
Like the fiscal discipline of governments, which protects monetary policy
from forms of fiscal dominance, effective banking regulation protects
monetary policy from financial dominance.
We can see how these prerequisites for independent monetary policy are as
important for today's accommodative monetary policy as they were for a
disinflationary monetary policy when the concept of independence was
developed.
Fortunately, major progress has been achieved in the field of banking
regulation, not least in the euro area with the banking union.
There are three aspects of the developing banking regulation that I want to
mention in this connection.
First, the prudential regulation of banks is now stronger and more uniform
than before.
Banks' capital ratios have been strengthened a lot since the crisis, and the
responsibility for supervision has been centralized at the ECB. This has
already made banks more resilient in the face of any future shocks.
The new bank recovery and resolution framework is also part of the
banking union.
Its purpose is to reduce the moral hazard problems which are linked to the
problems of explicit or implicit government guarantees and the
too-big-to-fail.
It strengthens the incentives for prudent risk management and the correct
pricing of risks.
It will make banks more resistant to the temptations which the low interest
rate environment may entail.
Second, the EU and the member states are now implementing new
macro-prudential instruments which are designed to improve the stability
of the financial system as a whole.
Macro-prudential policies are very closely related to the problem of
ensuring the independence of monetary policy from financial dominance.
Especially interesting are those macro-prudential tools which can be
adjusted according to the situation in the asset markets and the credit
markets.
Such instruments include, in particular, the countercyclical capital
requirements, as well as the adjustable restrictions on Loan-to-Value ratios.
The connection between macro-prudential policy and monetary policy is so
intimate that central banks must be closely involved in macro-prudential
analysis and decision making.
In the banking union, macro-prudential policy is a shared competence
between the member state authorities and the ECB.
Member states can react to national developments with national measures,
and the ECB has an option to require additional restrictive measures where
it deems that necessary.
The national component is important and valuable since especially the real
estate markets behave often differently in different countries.
Third, while macro-prudential policy is important, it would benefit from
the kinds of structural reforms which would make the banking system more
resilient, and - I emphasise - less prone to unstable behaviour.
By separating the most risky securities and derivative activities from
deposit banking, the spillovers from deposit protection to speculative risk
taking in the securities markets would be prevented.
This would reduce any distorted incentives to expand trading activities in
the universal banking groups.
Several European countries have already implemented legislation which
seeks to separate some parts of the securities business from deposit
banking.
The EU level proposals are under discussion between the Council and the
European Parliament.
I hope that a solution will emerge which ensures as level a playing field
within the EU banking market as possible, while contributing to the
resilience and stability of the financial system.
EIOPA Opinion on sales via the Internet of insurance and pension products
1. Legal basis
1.1. This Opinion is issued under the provisions of Article 29(1)(a) of
Regulation (EU) No. 1094/2010 of the European Parliament and of the
Council of 24 November 2010 (hereafter the "Regulation").
As established in Article 29(1)(a) of the Regulation, EIOPA shall play an
active role in building a common Union supervisory culture and consistent
supervisory practices, as well as in ensuring uniform procedures and
consistent approaches throughout the Union.
1.2. This Opinion is being issued in fulfilment of EIOPA's responsibilities to
"monitor new and existing financial activities" under Article 9(2) of the
Regulation.
Furthermore, EIOPA takes a "leading role in promoting transparency,
simplicity and fairness in the market for consumer financial products or
services across the internal market" under Article 9(1) of the Regulation.
1.3. To this end, EIOPA has provided this Opinion concerning consumer
protection issues related to product sales via the Internet.
This Opinion is issued without prejudice to relevant existing and future
instruments of EIOPA, which may apply to sales and distribution channels
that include sales via the Internet, even where such sales are not explicitly
referred to.
2. Context and scope
2.1. Within its remit, EIOPA wants to ensure that consumers’ interests are
adequately protected when purchasing insurance and pension products
online.
EIOPA has found that a substantial percentage of customers already use
digital and remote channels.
In addition, more and more customers are willing to use these digital and
remote channels where they are available.
It is expected that due to market developments, in this area consumer
detriment may become an increasing issue for financial supervisory
authorities; this Opinion is aimed at preventing potential consumer
detriment and enhancing awareness.
2.2. As further substantiated below, the digital insurance market of the
future may create specific consumer detriment or increase, due to the
nature of the Internet, the scale of difficulties that exist already in offline
distribution.
At the same time, consumers may derive benefits from online distribution.
Therefore, EIOPA acknowledges the growing importance of the Internet for
the distribution of insurance and pension products, and calls for increased
awareness of its impact.
2.3. This Opinion is addressed to the National Competent Authorities
(NCAs) represented in EIOPA’s Board of Supervisors.
NCAs are invited to increase their level of awareness of and monitoring of
the market with regard to the use of the Internet as a distribution channel.
As such, EIOPA, within its remit, would like to remind NCAs that the fact
that distributors carry out online distribution should not affect their ability
to comply with existing and future requirements applicable in the European
Union as well as national legislation in force in Member States for the
provision of services to consumers.
3. Types of Consumer Protection issues
3.1. EIOPA has found consumer protection issues in a number of Member
States, with regard to online distribution.
With reference to its legislative remit, EIOPA has conducted a fact-finding
exercise among its Member and Observer authorities.
The aim of the fact-finding exercise was to map how insurance and pension
products are sold via the Internet.
3.2. It is worth noting that consumers can find an abundance of
information online.
Digital research can help to empower consumers making an informed
choice.
This may help mitigate general information asymmetries that exist between
consumers on the one hand, and insurance distributors and insurance
undertakings on the other.
The surfeit of information online, and different ways this can be filtered or
presented, can also present challenges for consumers.
Behavioural economics has found that in general most people do not
conduct sufficient searches for information, even in a context of
information abundance, and instead rely on rules of thumb that can be
subject to biases and distortions.
EIOPA fact-finding has indicated that customers might be less inclined to
read standard disclosure documents outlining the details of products when
buying online, and rather focus only on the price of the product or service
(see also 4.5).
3.3. Furthermore, EIOPA found issues where advice is required to be
provided by national law or when so promoted, and the way insurance
intermediaries or undertakings comply with their consequent duties when
sales are conducted online.
In this respect, distributors sometimes do not provide sufficient advice
when distributing their products, or the information displayed is not fair
enough.
This may lead consumers to buy products that insufficiently meet their
needs and requirements.
3.4. Consumers wishing to research premiums via the Internet may not be
fully aware that they may inadvertently enter into unsolicited contracts.
This can be particularly the case given the various options and fields to
'tick-off', also taking into account that sometimes such fields are ticked-off
as default options by the distributor.
Such inadvertent and unsolicited contracts may be caused by a lack of
comprehension of the online purchasing process.
3.5. Furthermore, supervisors may face today and, increasingly so in the
future, challenges with gathering the necessary information to fulfil their
supervisory task at the national level.
For customers buying by the Internet it can become less relevant where the
distributor is located physically.
On the one hand, this helps cross-border trade and thus the integration of
the internal market.
On the other hand, it increases the challenge of fully capturing the potential
for consumer detriment arising from sales via the Internet.
3.6. Additionally, the potentially transient nature of online information
increases the challenge.
Undoubtedly, it is difficult to monitor emerging digital distribution
channels or distribution by email.
Supervisors may also face challenges due to the existence of different
supervisory tools for online sales supervision, like a monitoring tool only
for advertising and websites of supervised entities.
3.7. If not remedied, these issues could lead to a number of undesirable
outcomes.
Consumers might buy insurance that is unsuitable, they risk concluding an
invalid or unsolicited contract or fail to conclude a contract, i.e. their needs
and demands would not be met.
Consumers may choose an insurance policy based solely on the price
offered, where material differences in quality should also be considered.
They may not seek or receive other information important for the
decision-making process, such as disclosure documents, information on the
distributor’s customer services, and the level of any guarantees provided.
4. Existing requirements applicable in the European Union
4.1. Existing EU legislation and transposed national legislation address
high-level concerns relating to sales via the Internet of insurance and
pension products.
4.2. Directive 2002/65/EC concerning the distance marketing of consumer
financial services lays down fundamental rights for consumers.
For example, the Directive establishes: an obligation to provide consumers
with comprehensive information on the provider, the financial service, the
distant contract and means of redress, before a contract is concluded; the
consumer's right to withdraw from the contract during a cooling-off period;
a ban on abusive marketing practices seeking to oblige consumers to buy a
service they have not solicited ("inertia selling"); and rules to restrict other
practices such as unsolicited phone calls and e-mails ("cold-calling" and
"spamming").
Nevertheless, a cooling-off period would not necessarily address all issues
with unsolicited contracts identified in this Opinion.
4.3. Directive 2002/92/EC on insurance mediation (the IMD) specifies
requirements, which are applicable to online and offline distribution.
Especially Article 12(3) IMD is relevant, whereas “prior to the conclusion of
any specific contract, the insurance intermediary shall at least specify, in
particular on the basis of information provided by the customer, the
demands and the needs of that customer as well as the underlying reasons
for any advice given to the customer on a given insurance product”.
This information has to be clear and accurate, and comprehensible to the
customer.
4.4. It should be noted that this Opinion does not take a view on whether
advice should be provided or not, but aims to place supervised entities,
when they are required to provide advice or when sales are promoted ‘with
advice’, in a position to comply with requirements set out in Article 12 IMD.
4.5. EIOPA’s Consumer Trends Report in 2013 found several issues with
the disclosure of information, new channels for sales and marketing of
products and services, especially via the internet, including social networks.
In 2014, EIOPA issued a Report on Good Practices on Comparison
Websites.
The Report found that consumers tend to over-rely on the price of products,
rather than the underlying terms and conditions.
Misleading information may be provided to consumers due to conflicts of
interest stemming from close commercial links between insurers and
commercial comparison websites.
Comparison websites may not necessarily be suitable for certain types of
insurance products.
4.6. Future requirements applicable in the European Union for the
provision of services to consumers will include inter alia better information
to consumers.
In this respect, Regulation 1286/2014 of the European Parliament and of
the Council on key information documents for packaged retail and
insurance-based investment products (PRIIPs) introduces a common
standard for key information documents.
It can improve the transparency of PRIIPs offered to retail investors,
irrespective of the distribution channel used.
4.7. The on-going revision of the IMD might introduce new rules for the
distribution of insurance and reinsurance products, to make sure that the
same level of protection applies regardless of the sales channel.
Finally, EIOPA acknowledges that other EU and national legal
requirements address sales in general and may apply to all sales and
distribution channels, even if not explicitly referred to.
5. Taking the above into consideration, EIOPA recommends the following
5.1. EIOPA reminds NCAs that the fact that distributors carry out online
distribution should not affect their ability to comply with existing and
future requirements applicable in the European Union for the provision of
such services to consumers.
5.2. With this in mind, EIOPA recommends that NCAs take the necessary
and proportionate supervisory actions to ensure that:
5.2.1. Online distributors comply with a duty of advice, if such a duty exists
in national law or when sales are so promoted; and
5.2.2. Customers are provided with appropriate information on the selling
process of the online distributor with a view to avoiding unsolicited, or
mistakenly concluded, contracts.
5.3. EIOPA recommends that NCAs, where relevant, prevent consumer
detriment by taking a more proactive approach to how they:
5.3.1. Collect information on online distribution activities used by
distributors; and
5.3.2. Identify challenges and address issues with newly established online
distribution channels at national level.
6. Within six months of the publication of this Opinion, NCAs are requested
to provide feedback and, where investigations or regulatory/supervisory
actions are undertaken in view of the recommendations, provide details of
those investigations/actions.
Statement at the SEC Open Meeting on the PCAOB 2015 Budget
James R. Doty, PCAOB Chairman
SEC Open Meeting
Washington, DC
Good morning Chair White and Commissioners Aguilar, Gallagher, Stein
and Piwowar. Thank you for inviting me here today.
I am here to present for your consideration the PCAOB's 2015 Budget of
$250.9 million.
In my view the budget before you today strengthens our ability to protect
investors and build the trust that enables essential capital formation.
The budget aligns with our strategic plan, invests in vital programs,
economic analysis, improved audit oversight and essential technology, all in
a cost-effective way.
It will help us identify and implement ways to advance new standards more
efficiently, as well as address unacceptably high rates of noncompliance
with existing standards.
The budget enables the PCAOB to continue to be the essential oversight
body that Congress envisioned.
And our request reflects our continuing commitment to core values that
investors expect and deserve in audits: independence, integrity, accuracy,
accountability and transparency.
Before I go further, I would like to thank the Chief Accountant (Jim
Schnurr) and his staff as well as the Commission's Chief Financial Officer
(Ken Johnson) and his staff, for their support and counsel as we developed
this budget.
Now let me go deeper into how the 2015 Budget will empower us to act on
behalf of investors and promote capital formation by building market
confidence in the audit.
This budget will allow us to conduct 300 inspections of registered firms,
including 75 inspections of firms that audit broker-dealers.
We will also work closely with firms whose past inspections revealed quality
control problems, to evaluate the firms' measures to improve quality.
The first cycle of inspections of broker-dealer audits under the
Commission's new broker-dealer rule and our audit standards is
underway.
We have coordinated with Commission staff in monitoring implementation
of the new rule and PCAOB standards, including our new auditor
attestation standards.
To this end, last June we released staff guidance, largely directed to
auditors of brokers and dealers who were new to PCAOB standards.
In August, we issued our third annual inspection report on broker-dealer
audits.
And last week, we issued a supplemental report to assist auditors in
preparing for the upcoming busy season.
Sixty of our inspections will be conducted in 26 jurisdictions outside the
United States.
Based on protocols we have established over many years, we will conduct
many of these non-U.S. inspections jointly with local authorities.
We will also continue to pursue protocols with the shrinking number of
jurisdictions where we can't inspect, of which China is a significant
example.
We are in regular communication with all of these remaining jurisdictions.
And we engage in active dialogue with Chinese authorities as we pursue an
agreement on access.
Our enforcement program continues to focus on holding auditors
accountable for audit failures.
During 2014, we made public a record 24 settled disciplinary proceedings,
imposing sanctions including censures, monetary penalties, revocations of
firm registration and bars on individuals' association with registered firms.
In 2014, we stepped up international enforcement activity.
In 2015, we foresee an increase in the need to address potential audit
failures in cross-jurisdictional audits, and the budget reflects that need.
We have several pending investigations and proceedings involving work by
foreign registered accounting firms.
I expect more of our resources than in years past will have to be targeted to
international enforcement activity.
In all of this work, we coordinate closely with the Commission's Division of
Enforcement, including in our mutual efforts to leverage data and analysis
to allocate enforcement resources efficiently.
While we monitor and enforce compliance with existing standards, we also
are continuing to develop new standards and audit practice alerts as
needed.
I have been meeting with the Commission's Chief Accountant Jim Schnurr,
and we are exploring potential ways to make the standard setting process
more efficient.
It is a rulemaking process. There are a lot of perspectives, interests and
effects that have to be considered.
But I agree that the process can be improved.
Our Chief Auditor and I are committed to seeking ways to make it more
efficient.
The 2015 Budget funds a review of our standard-setting agenda, with a view
to identifying ways to advance standard-setting initiatives more efficiently.
I am working closely with Jim Schnurr in this effort, and I know we are
both committed to achieving a result that will benefit the PCAOB, the
Commission and the public.
At the same time, we want to gather as much relevant information as we
can, through outreach and economic analysis, to come to appropriate and
cost-effective approaches to solve problems in audit practices.
In May 2014, we released staff guidance on the use of economic analysis in
standard-setting, modeled after the Commission's own staff guidance and
developed through close coordination with Commission staff.
From this foundation, we have advanced all the projects on our
standard-setting agenda and, in particular, have made significant progress
in developing new performance standards in several areas.
The 2015 Budget will allow us to further those efforts.
To mention a few:
In June 2014, we adopted a new standard to strengthen auditor
performance requirements in three critical areas of the audit: related party
transactions, significant unusual transactions, and a company's financial
relationships and transactions with its executive officers.
In July 2014, the PCAOB staff sought comment on potential changes to the
auditing standards on accounting estimates and fair value measurements.
This led to a day-long, special meeting of our Standing Advisory Group to
hear from several panels of experts in the field.
Robust and valuable public comment is now informing formulation of a
revised new standard.
We are discussing the key issues emanating from these comments with
Commission staff, and we're actively planning next steps.
Also, during 2014, the staff drafted proposed auditing standards for the
Board's consideration on the supervision of other auditors in multi-location
audits and on the use of specialists.
To advance these projects expeditiously and with consensus, we have
bifurcated them.
We should be in a position to seek public comment on both shortly.
We also continue to issue Staff Audit Practice Alerts, a timely and
cost-effective vehicle to improve audit quality, often in areas where our
inspections identify significant audit deficiencies.
For example, in 2014, we released an alert on auditing revenue, one of the
most critical aspects of almost every audit and where our inspectors
frequently find deficient audit work.
The 2015 Budget will also allow the PCAOB to continue to integrate
economic analysis into our programs, by continuing to develop our Center
for Economic Analysis.
The Center is not a high-cost component of the budget, but it is high
impact, high yield. I appreciate your support as we develop it.
We have begun to staff the Center and have several important initiatives
underway.
In addition to the Center's permanent staff, we have recently welcomed our
first three economic research fellows.
To support their work, the Center developed a research environment that
can be used for fellows' projects, as well as to develop baseline analyses to
inform standard-setting.
Center staff now work closely with standard-setting personnel on scoping
and planning data analyses.
We have also established an Inspections Fellowship Program to give
economists the benefit of the insights and knowledge of our experienced
inspectors.
In conjunction with the Journal of Accounting Research, we held our first
annual Conference on Auditing and Capital Markets.
Six papers were selected from more than 80 submissions, based on a
double-blind review conducted with a panel of editors of the Journal and
other academic experts.
The Conference has already provided foundational insights for standard
setting.
The Center has also been developing the groundwork for a
post-implementation review program to evaluate the effectiveness of new
auditing standards and is planning to conduct the first such review this
year.
This 2015 Budget represents a $7.5 million decrease from last year's
budget.
The reduction reflects an appropriate reassessment of assumptions relating
to personnel and other costs.
We project approximately 850 staff by the end of 2015.
This projection is based on a more conservative assessment of our ability to
hire in today's fairly competitive market for experienced professionals.
But it will still allow us to achieve the objectives we've set out.
In closing, I just want to reiterate that by allocating resources efficiently,
the budget strengthens our ability to protect investors and inspire trust.
The investment will enable capital formation and build upon initiatives that
improve audit quality and sustain robust inspection, enforcement and
standard-setting programs.
The budget supports our strategic plan.
Also of note, the 2015 Budget includes funds to continue the strategic
transformations of our Offices of Information Technology and
Administration.
The 2015 Budget also takes into account the fact that audit and audit
oversight challenges remain.
Our inspections continue to find far too many audit deficiencies, and too
many related shortcomings in firms' quality control policies and
procedures, which must be addressed.
I believe that the continued work of the PCAOB is critical to economic
growth and job creation in the United States.
High quality, reliable audits are good for investors, good for companies, and
good for our markets.
This 2015 Budget request will help us continue that vital service.
I appreciate your time and attention, and I would be happy to answer any
questions you may have.
The growing relationship between China and Barbados
Welcome remarks by Dr DeLisle Worrell,
Governor of the Central Bank of Barbados, at the Press Launch of the Fish
and Dragon Festival, Bridgetown
Ambassador Wang Ke of the Embassy of the People's Republic of China in
Barbados, other representatives of the Embassy of the People's Republic of
China in Barbados, Mr. David Bulbulia, Deputy Permanent Secretary,
Ministry of Foreign Affairs, Mr. Kirk Ottley, President of the BCFA and
other representatives, Festival Director, Ms. Tonika Sealy, ladies and
gentlemen, members of the media and press, good morning.
They say that the world's centre of gravity has shifted to the east, suddenly
and dramatically.
Even someone like myself, with more than a passing knowledge of Chinese
history, culture and policy, has been astounded by the transformation.
The images I see on TV daily are of an utterly different country to the one I
visited in 1980.
The very fact that CCTV America is available in Barbados, and that its
global coverage is among the most dispassionate, informative and
sympathetic to my sensibilities, of any international broadcaster, is
something that was inconceivable back then.
Most Barbadians are only dimly aware of the magnitude of the change that
the emergence of China implies, and the myriad ways our lives might be
touched by that change.
We do know of Chinese interest in direct investment in the Caribbean; it is
substantial, and it is to be welcomed, because it benefits both sides.
Barbados and the Caribbean benefit from the increase of our capacity to
produce goods and services, and the associated employment.
China, for its part, is in search of opportunities to diversify foreign
investment portfolios.
I have only recently been sensitized to the extent of online commerce with
China, and the in-built features that facilitate this commerce.
The Chinese embassy, the ANNU Institute, the Barbados-China Friendship
Association and other groups and individuals have provided us with
glimpses into China's rich, ancient, and modernizing culture. We see more
of it on CCTV.
The Confucius Institute is about to get going.
We see reports of missions to China, and articles on the experiences of
Barbadians living there.
What all this makes us realise is that a whole new world has emerged, with
China as its hub, and we are feeling the swells reaching us, at this far
distance.
This has whetted the appetite of many, and there is growing interest and
curiosity about the possibilities for networking, exchanges, travel, culture,
entertainment, sports, commerce, conferences and all the many ways our
societies might interact.
The Barbados-China Friendship Association (BCFA) intends to provide a
central node for a multifaceted network covering all areas that might be of
interest to members and the general public.
There is an opportunity for all those who might have an interest in the
China-Barbados relationship to join the association and help us shape its
agenda.
The BCFA is a sponsor with the Chinese Embassy and the Central Bank of
the Fish and Dragon Festival, which we are introducing to the public today.
The association will have a booth at the festival, with information on
membership, the association's actual and future activities, information on
resources for Mandarin language training, information on training and
travel opportunities.
If you already have an interest in interacting with China and the Chinese we
need to hear from you.
And if you are merely curious there will be plenty to pique your interest and
give ideas and inspiration for a deepening of your involvement with the
BCFA and with China.
We invite you to visit and like the Festival's Facebook Page entitled Fish &
Dragon Festival.
We plan an exciting, entertaining and informational festival, which is sure
to be enjoyed by all.
And after the festival the BCFA will keep things going, with the assistance
and engagement of all those who share our passion for an intensification of
the China-Barbados relationship.
Disclaimer
The Association tries to enhance public access to information about risk and
compliance management.
Our goal is to keep this information timely and accurate. If errors are brought to
our attention, we will try to correct them.
This information:
- is of a general nature only and is not intended to address the specific
circumstances of any particular individual or entity;
- should not be relied on in the particular context of enforcement or similar
regulatory action;
- is not necessarily comprehensive, complete, or up to date;
- is sometimes linked to external sites over which the Association has no
control and for which the Association assumes no responsibility;
- is not professional or legal advice (if you need specific advice, you should
always consult a suitably qualified professional);
- is in no way constitutive of an interpretative document;
- does not prejudge the position that the relevant authorities might decide to
take on the same matters if developments, including Court rulings, were to lead it
to revise some of the views expressed here;
- does not prejudge the interpretation that the Courts might place on the
matters at issue.
Please note that it cannot be guaranteed that this information and these
documents exactly reproduce officially adopted texts.
It is our goal to minimize disruption caused by technical errors.
However, some data or information may have been created or structured in files or
formats that are not error-free and we cannot guarantee that our service will not
be interrupted or otherwise affected by such problems.
The Association accepts no responsibility with regard to such problems incurred
as a result of using this site or any linked external sites.
The International Association of Risk and Compliance
Professionals (IARCP)
You can explore what we offer to our members:
1. Membership – Become a standard, premium or lifetime member.
You may visit:
www.risk-compliance-association.com/How_to_become_member.htm
If you plan to continue to work as a risk and compliance management
expert, officer or director throughout the rest of your career, it makes
perfect sense to become a Life Member of the Association, and to continue
your journey without interruption and without renewal worries.
You will get a lifetime of benefits as well.
You can check the benefits at:
www.risk-compliance-association.com/Lifetime_Membership.htm
2. Weekly Updates - Subscribe to receive every Monday the Top 10 risk
and compliance management related news stories and world events that
(for better or for worse) shaped the week's agenda, and what is next:
http://forms.aweber.com/form/02/1254213302.htm
3. Training and Certification - Become a Certified Risk and Compliance
Management Professional (CRCMP) or a Certified Information Systems Risk and
Compliance Professional (CISRCP).
The Certified Risk and Compliance Management Professional (CRCMP)
training and certification program has become one of the most recognized
programs in risk management and compliance.
There are CRCMPs in 32 countries around the world.
Companies and organizations like IBM, Accenture, American Express,
USAA etc. consider the CRCMP a preferred certificate.
You can find more about the demand for CRCMPs at:
www.risk-compliance-association.com/CRCMP_Jobs_Careers.pdf
You can find more information about the CRCMP program at:
www.risk-compliance-association.com/CRCMP_1.pdf
(It is better to save it and open it as an Adobe Acrobat document).
For the distance learning programs you may visit:
www.risk-compliance-association.com/Distance_Learning_and_Certification.htm
For instructor-led training, you may contact us. We can tailor all programs
to specific needs. We tailor presentations, awareness and training programs
for supervisors, boards of directors, service providers and consultants.
4. IARCP Authorized Certified Trainer (IARCP-ACT) Program - Become a
Certified Risk and Compliance Management Professional Trainer (CRCMPT) or
Certified Information Systems Risk and Compliance Professional Trainer
(CISRCPT).
This is an additional advantage on your resume, serving as a third-party
endorsement to your knowledge and experience.
Certificates are important when being considered for a promotion or other
career opportunities. You give the necessary assurance that you have the
knowledge and skills to accept more responsibility.
To learn more you may visit:
www.risk-compliance-association.com/IARCP_ACT.html
5. Approved Training and Certification Centers (IARCP-ATCCs) - In response
to the increasing demand for CRCMP training, the International Association
of Risk and Compliance Professionals is developing a world-wide network of
Approved Training and Certification Centers (IARCP-ATCCs).
This will give the opportunity to risk and compliance managers, officers and
consultants to have access to instructor-led CRCMP and CISRCP training at
convenient locations that meet international standards.
ATCCs use IARCP approved course materials and have access to IARCP
Authorized Certified Trainers (IARCP-ACTs).
To learn more:
www.risk-compliance-association.com/Approved_Centers.html