International Association of Risk and Compliance Professionals (IARCP)
1200 G Street NW Suite 800 Washington, DC 20005-6705 USA
Tel: 202-449-9750 www.risk-compliance-association.com

Top 10 risk and compliance management related news stories and world events that (for better or for worse) shaped the week's agenda, and what is next

Number Four ...

It is the only number that has the same number of characters as its value in the English language. It is the smallest composite number that is equal to the sum of its prime factors. It is the smallest squared prime (p²).

Francis Bacon believed that age appears to be best in four things: old wood best to burn, old wine to drink, old friends to trust, and old authors to read.

Today, we can read that the European Systemic Risk Board (ESRB) General Board has identified four systemic risks as representing the most material threats to the stability of the EU financial sector:

1. An abrupt reversal of compressed global risk premia, amplified by low secondary market liquidity;
2. Weak profitability prospects for banks and insurers in a low nominal growth environment, amid incomplete balance sheet adjustments;
3. Rising debt sustainability concerns in the public and non-financial private sectors, amid low nominal growth;
4. Prospective stress in a rapidly growing shadow banking sector, amplified by spillover and liquidity risk.

The first systemic risk, assessed to be the most significant of the four, materialises through a change in investor preferences in the developed financial markets and, most notably, in the United States, with an increasing aversion to holding long-term fixed income securities. This induces a portfolio reallocation towards short-term instruments, causing a rise in US long-term risk-free interest rates and risk premia across all financial asset classes.
The first systemic risk acts as a trigger for the vulnerabilities related to the remaining three sources of risk. In the EU this would lead, in particular, to a weakening of domestic demand, a decline in property prices and a renewed widening of sovereign credit spreads, as well as to a sell-off by the shadow banking sector that would amplify the shocks to financial asset prices in the EU.

We can read the above in an interesting paper: “Adverse macro-financial scenario for the EBA 2016 EU-wide bank stress testing exercise”.

This is not an easy document to understand, so you will need some time to go through the details. On the bright side, it is easier to understand than the doctoral dissertation of the German philosopher Arthur Schopenhauer, “On the Fourfold Root of the Principle of Sufficient Reason / Über die vierfache Wurzel des Satzes vom zureichenden Grunde”.

Read more at Number 3 below.

Welcome to the Top 10 list.

Best Regards,

George Lekatis
President of the IARCP
General Manager, Compliance LLC
1200 G Street NW Suite 800, Washington DC 20005, USA
Tel: (202) 449-9750
Email: [email protected]
Web: www.risk-compliance-association.com
HQ: 1220 N. Market Street Suite 804, Wilmington DE 19801, USA
Tel: (302) 342-8828

Yves Mersch: Oral hearing of the Federal Constitutional Court
Introductory statement of the European Central Bank by Mr Yves Mersch, Member of the Executive Board of the European Central Bank, at the Oral hearing of the Federal Constitutional Court in the OMT proceedings, Karlsruhe

“You have once again invited the European Central Bank to provide its opinion, as an expert third party, on the decision of the Governing Council of the European Central Bank of 6 September 2012, whose compatibility with national constitutional law you are reviewing in these proceedings. This is the decision that approves the main parameters of the Eurosystem's outright monetary transactions on the secondary market for government bonds - so-called OMTs.”

European Union Agency For Network And Information Security
Big Data Threat Landscape and Good Practice Guide

The term Big Data is often used loosely to designate the palette of algorithms, technology and systems employed for collecting data of unprecedented volume and variety, and extracting value from them by massively parallel computation of advanced analytics. The sources of Big Data are many and diverse. Distributed multimedia sensors on the Internet of Things, mobile telecommunication devices and networks, distributed business processes, and Web-based applications are all candidate data providers/generators. As Big Data usage has increased over the years, the various algorithms, technologies, and systems are gradually reaching a level of development and maturity suitable for widespread adoption.
Adverse macro-financial scenario for the EBA 2016 EU-wide bank stress testing exercise

The European Banking Authority (EBA) 2016 EU-wide stress testing exercise will require banks to use the presented outcome of the adverse macro-financial scenario for variables such as GDP, inflation, unemployment, asset prices and interest rates in order to estimate the potential adverse impact on profit generation and capital. The adverse scenario covers three years, starting from the first quarter of 2016, when the shocks are assumed to materialise, and ending in 2018.

2016 EU-wide stress test: Frequently Asked Questions

The EU-wide stress test serves as a common foundation on which national authorities can base their supervisory assessment of banks’ resilience to relevant shocks, in order to identify residual areas of uncertainties, as well as appropriate mitigation actions. Moreover, the exercise strengthens market discipline, through the publication of consistent and granular data on a bank by bank level illustrating how balance sheets are affected by common shocks.

The EU-wide stress test is initiated and coordinated by the EBA and undertaken in cooperation with the Competent Authorities (the Single Supervisory Mechanism for the euro area banks), the European Central Bank (ECB), the European Systemic Risk Board (ESRB) and the European Commission (EC). The 2016 exercise covers a sample of 51 banks representing about 70% of EU banks' total assets. The EBA develops a common methodology that is applied by all the banks in the sample and checked by supervisors.
Building a sound global Islamic financial system
Opening remarks by Dr Zeti Akhtar Aziz, Governor of the Central Bank of Malaysia (Bank Negara Malaysia), at the Islamic Financial Services Board (IFSB) - Meet the Members & Industry Engagement Session, Kuala Lumpur

“It is my pleasure to welcome you to this Industry Engagement Session organised by the IFSB. Since its introduction in 2012, these sessions have drawn encouraging response from the members and the industry. Such an interface between the regulators, industry and the IFSB has become even more important in the current environment in which greater global attention is being accorded to the reform of prudential regulations.”

PCAOB Launches Redesigned Website Optimized for Mobile Devices

The Public Company Accounting Oversight Board launched a newly redesigned website at www.pcaobus.org that uses a responsive web design. The new PCAOB site scales to fit any screen: desktop, laptop, tablet, and smartphone.

In addition to the responsive design, pcaobus.org features enhanced navigation. Visitors can get to the most popular pages within the PCAOB website using the new expandable navigation – the mega menu – at the top of any page. In addition, handy footer links at the bottom of every page also provide access to the most popular and important PCAOB content.

Regulatory landscape for 2016 - positioning for a dynamic, trusted and vibrant market
Keynote address by Mr Ong Chong Tee, Deputy Managing Director (Financial Supervision) of the Monetary Authority of Singapore, at the SGX Equities Dialogue 2016, Singapore

“2016 has started on a challenging note for global stock markets.
The first trading week of this year alone saw global markets losing close to S$3 trillion, led by sharp declines in the Chinese stock market. The STI Index has fallen by more than 20% during the last 12 months to the lowest level since October 2011. Oil prices are testing lows last seen in 2004 and many other commodity prices are also under downward pressure.”

Banks and the German economy - will they continue to work hand in hand?
Speech by Dr Andreas Dombret, Member of the Executive Board of the Deutsche Bundesbank, at the 4th Regensburger Wirtschaftsgespräch, Industrie- und Handelskammer (IHK) Regensburg, Regensburg

“Mark Twain once said, "A banker is a fellow who lends you his umbrella when the sun is shining, but wants it back the minute it begins to rain." I probably don't have to point out that bankers aren't, of course, like that - well, at least most of them aren't. On the contrary, banks often play a very important role for enterprises and for the economy as a whole. They act as mediators between those who invest capital and those who need it.”

Challenges for France's economy and financial sector in 2016
Mr François Villeroy de Galhau, Governor of the Bank of France, Paris

“2016 has already been marked by volatility: weak financial markets and commodity prices, from China and the Middle East; political uncertainty in Europe, in Southern Europe, in Eastern Europe, North-Western Europe with the British referendum, and even in Central Europe with the refugee crisis.
It is our duty to be vigilant, but we must also, on the one hand, distinguish real information from background noise and real challenges - and there are no shortages of them - from the sensational and sometimes excessive statements at this start of this year; on the other hand, in the face of current volatility, we must stick to our medium-term objectives.”

Hearing at the Committee on Economic and Monetary Affairs of the European Parliament
Introductory statement by Mr Mario Draghi, President of the European Central Bank, before the Hearing at the Committee on Economic and Monetary Affairs of the European Parliament, Brussels

“In my remarks today, I will address in turn the global economic context, recent financial developments and the state of the euro area recovery. I will conclude by briefly presenting our most recent decision to disclose the Agreement on Net Financial Assets - or ANFA - as I know this topic is of concern to some of you.”

Yves Mersch: Oral hearing of the Federal Constitutional Court
Introductory statement of the European Central Bank by Mr Yves Mersch, Member of the Executive Board of the European Central Bank, at the Oral hearing of the Federal Constitutional Court in the OMT proceedings, Karlsruhe

Mr Chairman, Distinguished members of the Second Senate,

Introduction

You have once again invited the European Central Bank to provide its opinion, as an expert third party, on the decision of the Governing Council of the European Central Bank of 6 September 2012, whose compatibility with national constitutional law you are reviewing in these proceedings. This is the decision that approves the main parameters of the Eurosystem's outright monetary transactions on the secondary market for government bonds - so-called OMTs. I am happy to accept this invitation.
What has changed since the last oral hearing on 11 June 2013? The Court of Justice of the European Union has, on the basis of the facts provided by you, responded to the questions submitted to it for a preliminary ruling. The Court of Justice of the European Union, which is competent under the Treaties to interpret Union law and the validity of the acts of the Union's institutions, including the European Central Bank, found OMTs to be compatible with Union law: The European Central Bank did not exceed its monetary policy mandate either as regards the conditionality, the selectivity or the parallelism of OMTs nor as a circumvention of the limits and conditions laid down by the assistance programmes of the European Stability Mechanism - the so-called ESM.

The Court of Justice of the European Union followed the arguments put forward by the European Central Bank and confirmed that OMTs, in view of their objectives and the instruments provided for achieving them, fall within the area of monetary policy and therefore within the powers of the Eurosystem. Monetary policy measures, such as OMTs, may have indirect effects on the stability of the euro area, without this leading to monetary policy measures being treated as equivalent to economic policy measures. The fact that the European Central Bank will take an independent monetary policy decision on the implementation of OMTs also excludes the possibility that the ESM's assistance programmes were circumvented.

The Court of Justice of the European Union also confirmed that OMTs are proportional and that the European Central Bank, as regards the judicial review of these conditions, should be granted a broad discretion.
As a result the European Central Bank was entitled to take the view that the purchase of government bonds on the secondary markets, in accordance with the conditions laid down on 6 September 2012, is likely to facilitate the monetary policy transmission mechanism and to safeguard the singleness of monetary policy. These conditions were characterised by the fact that the interest rates for government bonds in the various euro area Member States were highly volatile with extreme spreads, which were not caused by macroeconomic differences but by strong distortions of the government bond markets, largely due to the unfounded concerns of investors regarding the reversibility of the euro.

OMTs do not go beyond what is required in order to achieve these objectives. They are not only strictly linked to their objectives, their volume is also - as the European Central Bank indicated in the last oral hearing - limited in several respects.

The Court of Justice of the European Union also decided that OMTs do not breach the prohibition of monetary financing. In particular, the Court emphasised that OMTs do not remove the impetus for Member States to follow a sound budgetary policy. The Governing Council of the European Central Bank's draft decision and draft guideline on OMTs, which were already available on 6 September 2012, contain adequate safeguards to ensure that the intervention of the Eurosystem does not result in an effect equivalent to that of a direct purchase of government bonds from the public authorities and bodies of the Member States.

I should like to cite a few examples. The European Central Bank's Governing Council decides on the scope, the start, the continuation and the suspension of the intervention on the secondary markets.
In addition, a minimum period is observed between the issue of a security on the primary market and its purchase on the secondary market. Furthermore, any prior announcement concerning either its decision to carry out such purchases or the volume of purchases envisaged is precluded. There is therefore no certainty that government bonds will be purchased.

What role does the European Central Bank see for itself in these oral proceedings in the light of this confirmation of its actions? The European Central Bank cannot make any statements on the compatibility of OMTs with national constitutional law as it has no competence in this regard. Nevertheless, the ECB's working assumption has always been that the Maastricht Treaty, which transferred monetary policy to the European Central Bank, has been declared as being compatible with national constitutional law.

The European Central Bank is participating in this oral hearing in order to assist in clarifying any remaining questions, insofar as they are based on the subject matter of these proceedings, i.e. OMTs are covered but not other monetary policy measures. At the same time the European Central Bank's Governing Council must be able to decide independently on future monetary policy, in order to fulfil its duty of maintaining price stability in the euro area, as the Senate has described in paragraph 32 of its order for reference.

Mr Chairman, Distinguished members of the Second Senate,

Following on from these introductory words I will focus on two points, which you identified in your communication with the European Central Bank as being significant:

First, the timeliness and modalities for the implementation of OMTs;
Second, the possible volume of OMTs and potential risks for the federal budget.
Timeliness and modalities for the implementation of OMTs

As regards the timeliness of OMTs, let me be quite clear: OMTs were developed in January 2012, to confront an extraordinary crisis situation. This crisis situation was characterised by massive distortions of the government bond market that developed their own momentum. This in turn led to a disruption of the monetary policy transmission mechanism, which posed a threat for price stability. With OMTs the Eurosystem substantiated one of the monetary policy instruments provided for under the Statute. It can be activated by the Governing Council, providing the conditions and the need for such action are present.

The European Central Bank's Governing Council may activate OMTs under the following conditions, which must be met cumulatively:

- The Governing Council of the European Central Bank must establish that the monetary policy transmission mechanism is impaired, in particular due to unfounded fears regarding the reversibility of the euro, and is leading to unwarranted spreads on the government bond markets.
- The Member State whose government bonds will be sold on the secondary market must participate in an appropriate ESM programme. Appropriate, in this context, means exclusively macroeconomic adjustment programmes or enhanced conditions credit lines, which facilitate primary market purchases on the government bonds market via a corresponding ESM facility.
- The Member State whose government bonds are being purchased on the secondary market must comply with the strict conditionality and satisfactorily implement, as verified by the Governing Council of the European Central Bank, the programme.
- The Member State whose government bonds are being purchased on the secondary market must have access, or be regaining access, to the government bonds market.
This will also be verified by the European Central Bank's Governing Council.

As regards the first condition, the impairments to the monetary policy transmission mechanism have noticeably declined, not least thanks to the monetary policy measures carried out by the European Central Bank, in particular the development of OMTs. The euro area is confronting a slow but steady recovery. Certain Member States that in 2011 and 2012 were subject to market overreactions are now seeing signs of positive growth. Irrespective of the fact that yields for government bonds have reacted in varying degrees to new economic developments, there has been a clear reduction in the yield spreads compared to the situation in 2012. It is not the aim of OMTs to harmonise interest rates regardless of the differences between Member States' macroeconomic or budgetary situation.

Concerning the second condition, two euro area Member States are currently undergoing ESM macroeconomic adjustment programmes. However, none of these programmes allow primary market purchases through the ESM to the government bonds market.

In conclusion, I can state that OMTs are in principle available as monetary policy instruments. The conditions for their crisis and location-related activation are, however, not currently met.

Possible volumes and potential risks for the federal budget

With regard to the possible volume of OMTs it remains the case that no ex ante quantitative limits are set on the size of OMTs in order to prevent market participants from adjusting to this situation and using these instruments for their own purposes to the detriment of the effectivity of the monetary policy instruments put in place. Notwithstanding this, the possible volume of OMTs is in fact quantitatively limited to one to three-year government bonds, which are suitable for OMTs.
Government bonds with a maturity of one to three years form only a small part of the entire volume of government bonds. The Court of Justice of the European Union has confirmed that it follows from this that the commitments that the European Central Bank enters into are, in fact, circumscribed and limited. In order to ensure that maturities are not significantly shortened, it is foreseen that the European Central Bank's Governing Council will closely monitor the maturity structure and the termination of new issues of government bonds in the concerned Member States. Thus the volume of OMTs is limited in a variety of ways.

In assessing the potential risks of OMTs it should be taken into account that, in principle, the use of monetary policy instruments to maintain price stability entails financial risks for the Eurosystem. This applies not only to OMTs but also to main refinancing operations, to cite just one standard monetary policy instrument as an example. The Eurosystem uses main refinancing operations to make central bank money available to banks. In principle, these bank loans could also fail, even though the risk of this occurring is slight. Therefore, the European Central Bank's Governing Council limits these risks, by requiring the provision of collateral for main refinancing operations.

The European Central Bank's Governing Council has also taken precautions with regard to OMTs in order to limit the Eurosystem's financial risk. This is done, in particular, by applying a requirement of strict conditionality and the monitoring of the satisfactory implementation of the programme.
This strict conditionality, compliance with which is to be independently assessed by the European Central Bank from the monetary policy perspective, ensures that the Member States concerned apply sufficient budgetary discipline and carry out structural reforms, to achieve a sustainable budgetary position. For the implementation of OMTs, as for other monetary policy operations of the European Central Bank, creditworthiness and risk management rules apply. In this way an excessive default risk is avoided.

It should be added that the European Central Bank will not carry out any purchases using OMTs during the review of an ESM assistance programme. This also ensures that market conditions are not directly influenced by European Central Bank purchases whilst the programme is being assessed by the Troika.

The comparison between OMTs and main refinancing operations demonstrates that the financial risks of various monetary policy instruments differ as to their degree but not as regards their principal nature. Thus the Court of Justice of the European Union held in its judgment that the precautions foreseen for OMTs are likely to reduce the risk of losses. It also recalled that a central bank, such as the European Central Bank, has a duty to take decisions that, like open market transactions, inevitably involve a risk of loss.

With regard to the necessity mentioned in the hearing outline, in connection with the potential risks of OMTs for the federal budget, for a recapitalisation of the Bundesbank, I would confirm the position of the European Central Bank that was provided in the last oral hearing. As far as I am aware, under German law there is no obligation for the federal government to recapitalise the Bundesbank, even when its losses are of such a magnitude that its equity base is threatened.
Such a "default liability" can also not be deduced as a general rule under Union law in respect of the individual Member States when the central bank's equity is drastically reduced. In accordance with the principle of financial independence as established by Article 130 of the Treaty on the Functioning of the European Union it follows that a central bank must permanently have adequate equity available to fulfil its monetary policy tasks within the Eurosystem. However, this does not mean that every loss must be immediately and fully offset by private or public shareholders or the Member States. A central bank can in the short and medium-term, even with reduced or negative equity, fulfil its Eurosystem monetary policy tasks. In this respect a reduced or negative equity does not preclude from the outset an orderly and stability-oriented monetary policy.

Only when this situation continues for too lengthy a period - the European Central Bank's last Convergence Report spoke of "a prolonged period of time" - would doubts arise as to whether the central bank can still adequately fulfil its Eurosystem monetary policy tasks. Only in such an extreme case - and exclusively in this case - would they be recapitalised, not immediately, but - again in the words of the European Central Bank's Convergence Report - "within a reasonable period of time".

Conclusion

Mr Chairman, Distinguished members of the Second Senate,

I and my colleagues are at your disposal for further questions on these and other issues.
European Union Agency For Network And Information Security
Big Data Threat Landscape and Good Practice Guide

Executive Summary

The term Big Data is often used loosely to designate the palette of algorithms, technology and systems employed for collecting data of unprecedented volume and variety, and extracting value from them by massively parallel computation of advanced analytics. The sources of Big Data are many and diverse. Distributed multimedia sensors on the Internet of Things, mobile telecommunication devices and networks, distributed business processes, and Web-based applications are all candidate data providers/generators. As Big Data usage has increased over the years, the various algorithms, technologies, and systems are gradually reaching a level of development and maturity suitable for widespread adoption.

Experience has shown that Big Data applications can provide a dramatic increase in the efficiency and effectiveness of decision-making in complex organizations and communities. It is expected that it will constitute an important part of a thriving data-driven economy, with applications ranging from science and business to military and intelligence. However, besides its benefits or in some cases because of them, Big Data also bears a number of security risks. Big Data systems are increasingly becoming attack targets by threat agents, and more and more elaborate and specialized attacks will be devised to exploit vulnerabilities and weaknesses.

This Threat Landscape and Good Practice Guide for Big Data provides an overview of the current state of security in the Big Data area.
In particular, it identifies Big Data assets, analyses exposure of these assets to threats, lists threat agents, takes into account published vulnerabilities and risks, and points to emerging good practices and new research in the field. To this aim, ongoing community-driven efforts and publicly available information have been taken into account. The study analyses threats to all identified Big Data asset classes. Highlights include:

- Big Data threats include, but are not limited to, threats to ordinary data. The high level of replication in Big Data storage and the frequency of outsourcing Big Data computations introduce new types of breach, leakage and degradation threats that are Big Data-specific.
- Big Data is having significant privacy and data protection impacts. The creation of links at data collection (a.k.a. “ingestion”) time is a key requirement for parallelization – and therefore performance – of Big Data analytics, but the additional information it creates may increase the impact of data leakages and breaches.
- The interests of different asset owners (e.g., data owners, data transformers, computation and storage service providers) in the Big Data area are not necessarily aligned and may even be in conflict. This creates a complex ecosystem where security countermeasures must be carefully planned and executed.
- As in many other areas of ICT, starting to apply basic privacy and security best practices would significantly decrease overall privacy and security risks in the Big Data area. At this still early stage of this emerging paradigm, embracing the Security-by-default principle can prove to be both highly practical and beneficial, as opposed to the cost and effort required to provide ad hoc solutions later on.
This guide finally provides a gap analysis presenting a comparison between identified Big Data threats and identified Big Data countermeasures. In this context, the lack of current Big Data countermeasures and pressing needs in the development of next-generation countermeasures are discussed. In particular, the question arises of the trend of current countermeasures of adapting existing solutions against traditional data threats to the Big Data environments, mostly focusing on the volume of the data. This practice mainly targets scalability issues and clearly does not fit the Big Data peculiarities (5V - Volume, Variety, Value...), resulting in partial and ineffective approaches.

A set of recommendations for next-generation countermeasures concludes the guide. Among these recommendations, we remark: i) to depart from current approaches for traditional data, defining Big Data-specific solutions; ii) to identify gaps and needs for current standards, planning the definition of standardization activities; iii) to focus on training of specialized professionals; iv) to define tools for security and privacy protection of Big Data environments; v) to clearly identify Big Data assets, simplifying the selection of solutions mitigating risks and threats.

Aligning to its mandate, ENISA published two more reports studying the impact of Big Data in the more specialized areas of data protection and privacy (“Privacy by design in big data”) and critical infrastructures.

1. Introduction

In this report ENISA elaborates on threats related to Big Data, a technology that has gained much traction in recent years and is expected to play a significant role affecting various aspects of our society, ranging from health, food security, climate and resource efficiency to energy, intelligent transport systems and smart cities.
The European Commission has acknowledged the potential impact of Big Data in a “thriving data-driven economy” by outlining a strategy on Big Data. According to estimates, the value of just the personal data of EU citizens has “the potential to grow to nearly €1 trillion annually by 2020” (sic). It is thus conceivable that data will continue to be a significant economic driver. Large, and nowadays Big, Data also continue to proliferate in science and research, and many agencies and institutions in Europe and around the globe have launched or are planning to launch Big Data projects to facilitate scientific data analysis and exploitation. Big Data technologies are also being used in military applications, such as fighting terrorism, assisting in combat, and gathering and analysing intelligence from heterogeneous sources, including battlefield data and open sources. In addition, many existing data-intensive environments have in recent years adopted a Big Data approach. To name just a few examples, Facebook is thought to store one of the biggest datasets worldwide, storing more than 300 petabytes of both structured and unstructured data; Twitter recently decided to tap directly into its own raw data using Big Data analytics; and the world’s telecommunications capacity was already near 65 Exabytes by 2007 (without signs of this trend declining), straining existing storage and analytic processes and technologies.

Given that Big Data approaches make use of extremely novel and high-tech ICT systems, with little time to mature against cyber-attacks, it is not surprising that attacks are showing an increasing trend in number, sophistication and impact. But because of the loose use of definitions and the unwillingness of affected organizations to disclose attack data, accurate estimates are not easy to come up with.
Additionally, as more and more businesses and organizations venture into the Big Data field, attackers will have more incentives to develop specialized attacks against Big Data. Somewhat paradoxically, Big Data approaches can also be used as a powerful tool to combat cyber threats by offering security professionals valuable insights into threats and incident management.

Being an ENISA deliverable in the area of Threat Landscape, this report constitutes a detailed threat assessment in the area of Big Data, based on input from the ENISA Threat Landscape activities. The rationale behind this piece of work is to “deepen” the generic threat assessment by taking into account the specificities of Big Data.

Policy context

Threat analysis and emerging trends in cyber security are an important topic in the Cyber Security Strategy for the EU. Moreover, the new ENISA regulation highlights the need for analysing current and emerging risks and dictates that “the Agency, in cooperation with Member States and, as appropriate, with statistical bodies and others, collects relevant information”. More specifically, it is stated that it should “enable effective responses to current and emerging network and information security risks and threats”. To this end the ENISA Work Programme 2015 included this study on “Big Data Threat Landscape and Good Practice Guide” as one of this year’s deliverables (“WPK1.1-D2: Risk Assessment on two emerging technology/application areas”, which focuses on Big Data). The report aims to identify emerging trends in cyber-threats and to provide a concise state-of-the-art analysis of the cyber threat and security issues of Big Data, consolidating existing and open literature and available information, and contributing to public and private cyber security initiatives by addressing industry concerns in the area.
1.1 Scope

This report contributes to the definition of a threat landscape by providing an overview of current and emerging threats applicable to Big Data technologies, and their associated trends. Several Big Data definitions exist in the literature and the area is constantly being shaped by advances in methods, tools and new applications, thus it is not possible to take into consideration all Big Data systems. The research done focuses on assets, threats and controls applicable to prominent, important and/or widely used Big Data systems. The goal is to deepen our understanding of the threats that affect Big Data and to provide good practices and recommendations for those threats that are considered important or emerging.

1.3 Target audience

It is expected that this report will be useful for performing detailed Risk Assessments (RA) and Risk Management (RM) by Big Data providers and operators according to their particular needs, and for Big Data consumers in drafting their SLAs. The asset and threat taxonomies presented here are to be expanded by asset owners, based on the particular Big Data system instantiation at hand, before being used as input to RA/RM and cyber threat exposure analysis. Moreover, the presented Big Data threat landscape will be of use to policy-makers for understanding the current state of threats and the respective mitigation practices and measures in the area. Further, the extensive research of relevant existing literature in Big Data security and threat research means this study will be of particular interest to researchers and institutions working in the field.

1.4 Methodology

This study and its outcome are based on desk research and review of conference papers, articles, technical blogs and a variety of other open sources of information relevant to Big Data.
This report identifies the majority of sources consulted; the details of all documentary sources consulted during this study are available on request. More than one hundred documentary sources were identified through a number of search methods, including specialist search engines for academic sources and journal articles. The sources collected are all in English.

The overall work went through a three-step process as follows: the first step, “Information collection”, was about the identification and collection of relevant information, in particular the assets and threats; the second step, “Assessment, Guidelines and Gap Analysis”, performed an analysis of the collected information to identify current and emerging trends and then elaborated countermeasures in a Big Data scenario; the third step, “Good practices definition”, was focused on findings, current practices and needs that formalized the Big Data threat landscape report. A final note: all referenced web resources were last accessed in November 2015.

1.5 Structure of this document

The structure of the document is as follows: in section 2 we define Big Data and describe an abstract architecture upon which the study is based; in section 3 we present an asset taxonomy for Big Data; in section 4 we identify threats against Big Data, based on the threat taxonomy used by ENISA in “Threat Landscape and Good Practice Guide” reports, and map these threats to Big Data assets; in section 5 we consider which threat agents are more relevant to Big Data attacks; in section 6 we present a set of recommendations and good practices for Big Data; we conclude in section 7 with a gap analysis. In addition, six annexes are provided at the end of the report. Annex A contains the Big Data asset taxonomy in full depth, including all identified asset groups, asset types, assets and asset details.
Annex B contains the detailed Big Data asset taxonomy diagram. Annex C contains the Big Data threat taxonomy in full detail, including all identified threat groups/types correlated to threat agents and affected Big Data assets. Annex D contains the detailed Big Data threat taxonomy diagram. Annex E contains a concise presentation on how Big Data analytics can assist security professionals in analysing threats and attacks and detecting intrusion and fraud cases. Annex F contains a summary of existing threat taxonomies, which were used along with ENISA’s threat taxonomy to drive this study.

2. Big Data Environments

The term Big Data describes the vast amount of data in our information-driven world. In a 2001 research report and related lectures, the META Group (now Gartner) defined the data growth challenges and opportunities as being three-dimensional, i.e. increasing Volume (amount of data), Velocity (speed of data in and out), and Variety (range of data types and sources). Gartner, and then the industry, used this "3Vs" model for describing Big Data: "Big data is high volume, high velocity, and/or high variety information assets that require new forms of processing to enable enhanced decision making, insight discovery and process optimization.” Additionally, some new Vs have been added by some organizations to further define Big Data: "Veracity" (data authenticity, since the quality of captured data can vary greatly and an accurate analysis depends on the veracity of source data), “Variability” (data meaning is often changing, and the data can show inconsistency at times, which can hamper the process of handling and managing the data effectively) and “Value” (the potential revenue of Big Data).
This being a developing field, several other alternative or complementary definitions have been proposed, in an effort to capture different nuances attributed to Big Data, such as its evolutionary nature: “datasets whose size is beyond the ability of typical database software tools to capture, store, manage, and analyze.” (sic). Given that the field is still not mature, for the purposes of this report we take into account the different ways Big Data is defined. While a great scientific opportunity exists with Big Data, this growth is outpacing the technological advances in computational power, storage, analysis and analytics. Furthermore, a real concern is arising about the security of this massive amount of digital information, the data protection and privacy issues, and the protection of the (critical) infrastructure supporting it.

2.1 Big Data architecture

The architecture is a high-level conceptual model that facilitates the discussion of security requirements in Big Data and introduces the terminology used in this report. It does not represent the system architecture of a specific Big Data system, nor is it tied to any specific vendor products, services or reference implementation; rather, it is a tool for describing some common Big Data components, i.e. the Big Data environment. In our vision the notion of Big Data architecture can be detailed into five layers: “Data sources”, “Integration process”, “Data storage”, “Analytics and computing models” and “Presentation”. The function of each layer is as follows:

The “Data sources” layer consists of disparate data sources, ranging from sensor streaming data, to structured information such as relational databases, to any sort of unstructured and semi-structured data.
The “Integration process” layer is concerned with acquiring data and integrating the datasets into a unified form with the necessary data pre-processing operations.

The “Data storage” layer consists of a pool of resources such as distributed file systems, RDF stores, NoSQL and NewSQL databases, which are suitable for the persistent storage of a large number of datasets.

The “Analytics and computing models” layer encapsulates various data tools, such as MapReduce, which run over storage resources and include the data management and the programming model.

The “Presentation” layer enables the visualisation technologies.

Cloud computing can be deployed as the infrastructure layer for Big Data systems to meet some infrastructure requirements, such as cost-effectiveness, elasticity, and the ability to scale up or down.

3. Big Data assets

Assets can be abstract assets (like processes or reputation), virtual assets (for instance, data), physical assets (cables, a piece of equipment), human resources or money. An item of our taxonomy is either a description of data itself, or describes assets that generate, process, store or transmit data chunks and, as such, is exposed to cyber-security threats. For information security considerations, this study focuses on assets that are related mainly to information and communication technology (ICT) under the scope of Big Data.

A major source of information for this study is the work done by the NIST Big Data Public Working Group (NBD-PWG), which is developing consensus on important and fundamental questions related to Big Data. They have produced two draft Volumes (Volume 1 about Definitions and Volume 2 about Taxonomy). Another source of information is the report “Big Data Taxonomy”, issued by the Cloud Security Alliance (CSA) Big Data Working Group in September 2014.
In that document, CSA proposes a six-dimensional taxonomy for Big Data, pivoted around the nature of the data to be analysed. The objective is to help “navigate the myriad choices in compute and storage infrastructures as well as data analytics techniques” and the proposed structure is mainly intended as a high-level taxonomy for decision makers. Specifically, most of the terminology used in this report for high-level asset types (Data, Infrastructure, Analytics, and Security and Privacy techniques) comes, with some small modifications, from the CSA taxonomy, where our term Infrastructure also comprises the other two CSA main categories, viz. Compute Infrastructure and Storage Infrastructure. Another high-level type, Roles, comprises human resources and other related assets, as in previous ENISA thematic studies.

3.1 Big Data asset taxonomy

The full list of identified Big Data assets is given in Annex A.

3.2 Big Data asset categories

With the following list we attempt to identify some of the known valuable Big Data assets in a hierarchical manner. The first and second level category items (asset group and asset type) can be thought of as intuitively clear, but we give a brief description of them nevertheless. The full taxonomy, with further levels such as assets and asset details, is presented in Annex A.

Data – This is the core category of the Big Data taxonomy and includes:

Metadata, i.e. schemas, indexes, data dictionaries and stream grammars’ data (which often, but not necessarily, come together with stream data).

Structured data, i.e.
database records structured according to a data model, as for example a relational or hierarchical schema; structured identification data, as for example users’ profiles and preferences; linked open data; inferences and re-linking data structured according to standard formats.

Semi-structured and unstructured data, for example logs, messages and web (un)formatted data (Web and Wiki pages, e-mail messages, SMSs, tweets, posts, blogs, etc.), files and documents (e.g. PDF files and Office suite data in Repositories and File Servers), multimedia data (photos, videos, maps, etc.), and other non-textual material besides multimedia (medical data, bio-science data and raw satellite data before radiometric/geometric processing, etc.).

Streaming data, i.e. single-medium streaming (for example in-motion sensor data) and multimedia streaming (remote sensing data streams, etc.).

Volatile data, i.e. data that are either in motion or temporarily stored, as, for example, network routing data or data in devices’ random access memory.

Infrastructure – The term infrastructure comprises software, hardware resources denoting both physical and virtualized devices, the basic computing infrastructure with its batch and streaming processes and the storage infrastructure with all sorts of database management systems, ranging from old-style relational databases to NoSQL or NewSQL, as well as Semantic Web tools. Specifically, the Infrastructure first level category includes:

Software, including operating systems, device drivers, firmware, server-side software packages (such as Web and Application Server software) and applications.
The Applications sub-category includes software implemented as back-end services and all sorts of functionalities that utilize other assets in order to fulfil a defined task, such as for example asset management tools, requirements gathering applications, billing services and tools to monitor performance and SLAs.

Hardware (physical and virtual), i.e. servers (physical devices and hardware nodes, all the virtualized hardware, including virtual Data Centres with their management consoles and virtual machines, as well as the physical hardware supporting their provisioning), clients, network devices (for example, physical switches, virtual switches and virtual distributed switches, etc.), media and storage devices (the various types of disk storage, etc.), data gathering devices (sensors, remote platforms such as airborne platforms or drones, etc.), Human Interface Devices (HID) and mobile devices.

Computing Infrastructure Models: this category includes paradigms of abstract processing architectures, based on whether the processing is done in batch mode, for example MapReduce; on real-time/near real-time streaming data, as for example Sketch or Hash-based models; or follows a unified approach supporting both, as for example Cloud Dataflow.

Storage Infrastructure Models: this category includes paradigms of abstract storage architectures, including Big Files and triples-based models.

Big Data Analytics – This category includes models which define protocols and algorithms for Big Data analysis, like procedures, models and algorithm definitions down to the source code, and analysis results. The category includes:

Data analytics algorithms and procedures, which include algorithm source code with its set-up parameters, configuration and thresholds, metrics, the model definitions, and advanced techniques that streamline the data preparation stage of the analytical process.
Analytical results, either in textual or in graphical mode (e.g. spatial layouts, abstract, interactive and real-time visualizations).

Security and Privacy techniques – This category name includes the term “techniques” to remark that the security-related assets it includes are the ones of interest to attackers and therefore more subject to unauthorized disclosure and leakage, as for example security best practice documents, cryptography algorithms and methods, information about the access control model used, etc. The category includes the following sub-categories:

Infrastructure Security, i.e. the first aspect of Big Data ecosystem security, which deals with how to secure the distributed computation systems and the data stores, with security Best Practices and policy set-ups.

Data Management, i.e. documents and techniques about how to secure Data Storage and Logs, and documentation about granular audits and data life cycle (Data provenance).

Integrity and reactive security, which deals with all the practices, techniques and documents related to End Point validation and filtering and the monitoring of real-time security, including incident handling and information forensics.

Data Privacy, i.e. all the techniques put in place to protect privacy as required by law, for example cryptographic methods and access control.

Roles – The terminology for this category was introduced by the NIST Big Data Public Working Group and includes:

Data provider, such as enterprises, organizations, public agencies, academia, network operators and end-users.

Data consumer, partly overlapping the previous category but from a different scope, and including enterprises, organizations, public agencies, academia and end-users.

Operational roles, i.e.
system orchestrators (business leaders, data scientists, architects, etc.), Big Data application providers (application and platform specialists), Big Data framework providers (Cloud provider personnel), security and privacy specialists, technical management (in-house staff, etc.).

We remark that leaving the taxonomy unbalanced (some subtrees, like those rooted in Data and Infrastructure, are deeper than others) is a deliberate choice. Indeed some leaf subcategories of our taxonomy, such as Model definitions, could be used to integrate external taxonomies designed for different reasons, such as data science ones.

Another remark is that most of the categories and sub-categories could be related to data, rather than Big Data. For example, relational databases are a very typical and common resource in every enterprise infrastructure, not necessarily storing big data volumes. Even when relational databases have a big volume size, they are often manageable through traditional hardware clusters, appliances and software tools. Another example is applications’ random-access memory (featured in the volatile data category), i.e. the data that is temporarily in memory due to processing operations. This memory is often (though not invariably, as witnessed by the success of in-memory processing systems) not large, compared to the massive data sizes of in-memory databases. Nevertheless, we included these assets in our taxonomy for completeness of information. Data stored in relational databases, often very valuable for data owners, might be used in some cases as a data source for analytics, while leakage of RAM content could compromise login credentials and cryptographic keys, paving the way to dangerous attacks on Big Data.
The presented asset taxonomy should only be considered as a snapshot of the complex range of Big Data assets and as such cannot be exhaustive.

4. Big Data threats

4.1 ENISA threat taxonomy

In this section, we introduce the major characteristics of the ENISA threat taxonomy. The ENISA taxonomy is a comprehensive one, with a special focus on cyber-security threats, i.e. threats applying to information and communication technology assets. Additional non-ICT-stemming threats have been considered to cover threats to physical assets and also both natural disasters (not directly triggered by humans) and environmental disasters directly caused by humans. The threat taxonomy has been developed by the ENISA Threat Landscape (ETL) Group and is a consolidation of threats previously considered in other thematic reports and extensive research. The taxonomy includes threats applicable to the Big Data assets and only these are depicted in figure 4-1. In the following subsection, threats specific to Big Data that were identified through an extensive literature review, and that have been assigned to the relevant categories defined in ENISA’s Threat Taxonomy, are mapped to the previously discussed Big Data Asset Taxonomy.

4.2 Mapping threats to Big Data assets

In this section, we discuss the threats that can be mapped to the Big Data asset taxonomy presented in the previous chapter.
This analysis is based on an extensive review of actual threat incidents and attacks on Big Data presented in articles, technical blogs and conference papers, as well as online surveys for gathering supplemental information. Our review was driven by the ENISA generic threat taxonomy presented in the previous section.

In general terms, threats such as network outages or malfunctions of the supporting infrastructure may heavily affect Big Data. In fact, since a Big Data system has millions of pieces of data and each piece may be located in a separate physical location, this architecture leads to a heavier reliance on the interconnections between servers. Past ENISA thematic reports have dealt in depth with threats such as outages and malfunctions, which affect network communication links. For this reason, in this report, we don’t take these threats into account. Also, we chose not to dwell on physical attacks (deliberate and intentional), natural and environmental disasters, and failures/malfunctions (e.g. malfunction of the ICT supporting infrastructure), since their effects are strongly mitigated by the intrinsic redundancy of Big Data, though Big Data owners deploying their systems in private clouds or other on-premise infrastructure should take these attacks under serious consideration.

In general, a threat is “any circumstance or event with the potential to adversely impact an asset through unauthorized access, destruction, disclosure, modification of data, and/or denial of service”. Given the definition we gave of Big Data (Volume, Velocity, Variety, Veracity, Variability and Value), a threat to a Big Data asset can be considered as any circumstance or event that affects, often simultaneously, big volumes of data and/or data in various sources and of various types and/or data of great value. We also identify two different sub-categories of threats, “Big Data Breach” and “Big Data Leak”, orthogonal to the threat taxonomy used.
A breach occurs when “a digital information asset is stolen by attackers by breaking into the ICT systems or networks where it is held/transported”. We can define “Big Data Breach” as the theft of a Big Data asset executed by breaking into the ICT infrastructure. A Big Data Leak, on the other hand, can be defined as the (total or partial) disclosure of a Big Data asset at a certain stage of its lifecycle. A Big Data Leak can happen, for example, through inadequate design, improper software adaptation or when a business process fails. In terms of the attacker model, a Big Data Breach requires pro-active hostile behaviour (the break-in), while a Big Data Leak can be exploited even by honest-but-curious attackers.

4.2.1 Threat Group: Unintentional damage / loss of information or IT assets

This group includes information leakage or sharing due to human errors, unintentional intervention or erroneous use or administration of systems (misconfiguration), and loss of devices.

Threat: Information leakage/sharing due to human error

Accidental threats are those not intentionally posed by humans. They are due to misconfiguration, skill-based slips and clerical errors (for example pressing the wrong button), misapplication of valid rules (poor patch management, use of default user names and passwords or easy-to-guess passwords), and knowledge-based mistakes (software upgrades and crashes, integration problems, procedural flaws). Information leakage due to misconfiguration can be a common problem: according to a recent study, erroneous system administration setups led to numerous weaknesses in four different Big Data technologies, viz. Redis, MongoDB, Memcache and ElasticSearch. According to the same study most of these new products “are not meant to be exposed to the Internet. [...]
These technologies' default settings tend to have no configuration for authentication, encryption, authorization or any other type of security controls that we take for granted. Some of them don't even have a built-in access control.” Furthermore, in the past, there have been reported incidents of inappropriate sharing of files containing possibly sensitive and confidential information, which affected even very popular online services like Dropbox. This is also confirmed by many surveys. The assets targeted by these threats include asset group “Data” and asset “Applications and Back-end services” (such as for example “Billing services”).

Threat: Leaks of data via Web applications (unsecure APIs)

Various sources claim that Big Data is often built with little security. New software components are usually provided with service-level authorization, but few utilities are available to protect core features and application programming interfaces (APIs). Since Big Data applications are built on web services models, APIs may be vulnerable to well-known attacks, such as those in the Open Web Application Security Project (OWASP) Top Ten list, with few facilities for countering common web threats. The security software vendor Computer Associates (CA) and other sources report data breaches due to insecure APIs in many industries, especially in social networks, mobile photo-sharing and video-sharing services such as Facebook, Yahoo and Snapchat. For example, a threat of this category may consist of injection attacks against Semantic Web technologies through SPARQL code injection. Security flaws are rather common in new Big Data languages like SPARQL, RDQL (both read-only query languages) and SPARUL (or SPARQL/Update, which has modification capabilities).
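The misconfiguration threat above names Redis among the stores whose defaults leave them reachable with no authentication. As an added example (not code from the ENISA report or the newsletter), the following Python check reads a redis.conf and reports the settings an operator would verify before exposing the service, run over a constructed insecure configuration and a constructed hardened one. The directives used (bind, protected-mode, requirepass, rename-command) are real Redis directives; the file contents and the placeholder password are constructed.

```python
from typing import Dict, List

# Constructed sample of the "exposed by default" situation the report describes:
# listening on every interface, protected mode off, no authentication at all.
EXPOSED_REDIS_CONF = """
# redis.conf (constructed sample, insecure)
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample of the same service hardened: loopback only, protected
# mode on, a password required, and a destructive command disabled.
# The password value is a placeholder, not something to deploy.
HARDENED_REDIS_CONF = """
# redis.conf (constructed sample, hardened)
bind 127.0.0.1
protected-mode yes
port 6379
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET
rename-command FLUSHALL ""
"""

# Addresses that make 'bind' listen on every interface.
ALL_INTERFACES = {"0.0.0.0", "::", "*"}


def parse_redis_conf(text: str) -> Dict[str, List[str]]:
    """Parse 'directive value ...' lines into a map of directive -> values.

    A directive may appear more than once (e.g. several rename-command lines),
    so every occurrence is kept in file order. Comments and blanks are skipped.
    """
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, _, value = line.partition(" ")
        conf.setdefault(directive.lower(), []).append(value.strip())
    return conf


def audit_redis_conf(text: str) -> List[str]:
    """Return human-readable findings; an empty list means every check passed.

    The checks mirror the report's point: no network restriction, no access
    control and no authentication are the defaults to look for.
    """
    conf = parse_redis_conf(text)
    findings: List[str] = []

    # With no 'bind' line at all Redis listens on all interfaces, and the
    # wildcard addresses do the same explicitly. 'bind' accepts several
    # space-separated addresses, so every one of them is checked.
    binds = conf.get("bind", [])
    if not binds or any(a in ALL_INTERFACES for b in binds for a in b.split()):
        findings.append("listens on all interfaces (no 'bind' restriction)")

    # The last occurrence of a directive wins in Redis, hence [-1]; an absent
    # directive is treated as the Redis default of "yes".
    if conf.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append("protected-mode disabled")

    if not conf.get("requirepass"):
        findings.append("no password ('requirepass' not set)")

    return findings


if __name__ == "__main__":
    for name, text in (("exposed", EXPOSED_REDIS_CONF), ("hardened", HARDENED_REDIS_CONF)):
        print(name, audit_redis_conf(text) or ["no findings"])
```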
The use of these new query languages introduces vulnerabilities already found in bad uses of old-style query languages, since attacks like SQL, LDAP and XPath injection are already well known and still dangerous. Libraries of these new languages provide tools to validate user input and minimize the risk. However, “main ontology query language libraries still do not provide any mechanism to avoid code injection” and, without these mechanisms, the attackers’ arsenal might get enhanced with SPARQL, RDQL and SPARUL injections. Other new Big Data software products, as for example Hive, MongoDB and CouchDB, also suffer from traditional threats such as code execution and remote SQL injection. The assets targeted by these threats belong to group “Data” and asset type “Storage Infrastructure models” (such as “Database management systems (DBS)” and “Semantic Web tools”).

Threat: Inadequate design and planning or incorrect adaptation

Techniques for improving Big Data analytics performance and the fusion of heterogeneous data sources increase the hidden redundancy of data representation, generating ill-protected copies. This challenges traditional techniques to protect confidentiality, and the effect of redundancy must be taken into account. As already stated, Big Data redundancy can be seen as a threat mitigation technique for physical attacks, disasters and outages; however, in some cases it signals a system weakness, being a risk booster for Big Data leaks. In other words, if our Big Data storage replicates data records ten times and distributes the copies to ten storage nodes for some reason (e.g., to speed up the analytics pipeline), the ten nodes may end up with different levels of security robustness (e.g., different security software versions) and this will increase the probability of data disclosure and data leaks.
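The SPARQL injection point made under the previous threat comes down to how user input reaches the query text. As an added example (not from the ENISA report), the Python below shows the vulnerable string concatenation beside a builder that encodes the input as a SPARQL string literal, and a small scanner that reads the literals back out of the query text so the two can be compared. The predicate IRIs under http://example.org/ and the sample names are constructed; no triple store is needed.

```python
from typing import Callable, List

# Constructed vocabulary used by both query builders.
NAME_IRI = "<http://example.org/name>"
EMAIL_IRI = "<http://example.org/email>"


def build_query_vulnerable(user_name: str) -> str:
    """Vulnerable pattern: the raw value is spliced straight into the query.

    A double quote inside user_name ends the literal early and whatever
    follows is read as SPARQL syntax, which is the injection the report
    describes for SPARQL, RDQL and SPARUL.
    """
    return ('SELECT ?email WHERE { ?p ' + NAME_IRI + ' "' + user_name + '" ; '
            + EMAIL_IRI + ' ?email . }')


def sparql_string_literal(value: str) -> str:
    """Encode value as a SPARQL 1.1 STRING_LITERAL2 (double-quoted literal).

    The grammar allows backslash escapes for backslash, double quote, newline,
    carriage return and tab inside such a literal, so escaping those
    characters guarantees the value cannot close the literal or add syntax.
    """
    escaped = (value.replace("\\", "\\\\")
                    .replace('"', '\\"')
                    .replace("\n", "\\n")
                    .replace("\r", "\\r")
                    .replace("\t", "\\t"))
    return '"' + escaped + '"'


def build_query_hardened(user_name: str) -> str:
    """Same query, but the input only ever appears as an encoded literal.

    Where the query library offers parameter binding, prefer that; this
    encoding is the fallback for the libraries the report says lack it.
    """
    return ('SELECT ?email WHERE { ?p ' + NAME_IRI + ' '
            + sparql_string_literal(user_name) + ' ; ' + EMAIL_IRI + ' ?email . }')


_UNESCAPE = {"\\": "\\", '"': '"', "n": "\n", "r": "\r", "t": "\t"}


def sparql_literals(query: str) -> List[str]:
    """Return the decoded contents of every double-quoted literal in query.

    This is a minimal scanner, not a SPARQL parser: it is enough to show
    whether an input survived as one literal or broke out of it. It raises
    ValueError when a literal is left open, which is exactly what an
    unescaped quote in the input causes.
    """
    values: List[str] = []
    i, n = 0, len(query)
    while i < n:
        if query[i] != '"':
            i += 1
            continue
        i += 1  # skip the opening quote
        buf: List[str] = []
        while True:
            if i >= n:
                raise ValueError("unterminated string literal")
            ch = query[i]
            if ch == "\\":
                if i + 1 >= n or query[i + 1] not in _UNESCAPE:
                    raise ValueError("unsupported escape sequence")
                buf.append(_UNESCAPE[query[i + 1]])
                i += 2
            elif ch == '"':
                i += 1
                break
            else:
                buf.append(ch)
                i += 1
        values.append("".join(buf))
    return values


def input_survives_as_literal(build: Callable[[str], str], user_name: str) -> bool:
    """True if the query produced by `build` carries user_name as one literal."""
    try:
        return sparql_literals(build(user_name)) == [user_name]
    except ValueError:
        return False


if __name__ == "__main__":
    # A plain name is fine either way; a name containing a quote (constructed
    # sample) only survives intact through the hardened builder.
    for name in ("alice", 'O"Brien'):
        print(repr(name),
              "vulnerable:", input_survives_as_literal(build_query_vulnerable, name),
              "hardened:", input_survives_as_literal(build_query_hardened, name))
```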
This can be considered a specific weakness of Big Data designs. On the other hand, we can also note that even redundancy and replication, which are necessary features to enhance Big Data functionality, are not always a failsafe against data loss. For example Hadoop, the well-known framework for Big Data processing, replicates data three times by default, since this protects against the inevitable failures of commodity hardware. However, a corrupted application could destroy all data replicas.

Also, recent studies put forward the idea that Hadoop redundancy could even be a non-linear risk booster for Big Data leakages.

Even the design of the Hadoop Distributed File System (HDFS) signals problems, as reported in the literature. HDFS is the basis of many large-scale Big Data storage systems and is used by social networks. HDFS clients perform file system metadata operations through a single server known as the Namenode, and send and retrieve file system data by communicating with a pool of nodes. The loss of a single data node should never be fatal, but the loss of the Namenode cannot be tolerated. Big social networks such as Facebook suffered this problem and took countermeasures against the threat (Hadoop as installed at Facebook includes one of the largest single HDFS clusters, with more than 100 PB of physical disk space in a single HDFS file system).

One more threat related to design is the lack of scalability of some tools. For example NIST reports that original digital rights management (DRM) techniques were not built to scale and to meet demands for the forecasted use of the data, and “DRM can fail to operate in environments with Big Data characteristics—especially velocity and aggregated volume”.
The assets that are targeted by these threats belong to asset groups “Data” and “Big Data analytics”, and to asset types “Software”, “Computing Infrastructure models” and “Storage Infrastructure models”.

4.2.2 Threat Group: Eavesdropping, Interception and Hijacking

This group includes threats that rely on alteration/manipulation of the communications between two parties. These attacks do not require installing additional tools or software on the victims’ infrastructure.

Threat: Interception of information

A common issue that affects any ICT infrastructure is when offenders can intercept communications between nodes by targeting the communication links. Various sources claim that inter-node communication with new Big Data tools is often unsecured, that it is not difficult to hijack a user session or gain unauthorized access to services in social networks such as Facebook and Twitter, and that there is evidence of flaws in communication protocols. Big Data software distributions (for example Hadoop, Cassandra, MongoDB, Couchbase) rarely have the protocols that ensure data confidentiality and integrity between communicating applications (e.g., TLS and SSL) enabled by default or configured properly (e.g., changing default passwords).

The assets targeted by this threat belong to asset groups “Data” and “Roles”, and to asset “Applications and Back-end services”.

4.2.3 Threat Group: Nefarious Activity/Abuse

This group includes threats coming from nefarious activities. Unlike the previous group, these threats (often) require the attacker to perform some actions altering the victims’ ICT infrastructure, usually with the use of specific tools and software.
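As an added example (not from the original report or from the Hadoop project) for the interception threat above: a small audit that parses a Hadoop configuration and flags the settings that leave inter-node traffic unauthenticated or in cleartext. The property names are real Hadoop settings (hadoop.security.authentication, hadoop.rpc.protection, dfs.encrypt.data.transfer, dfs.http.policy) and the defaults are what Hadoop assumes when a property is absent; the requirement that they take the hardened values, and the two sample configurations, are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

# Real Hadoop property names. Tuple is (value this audit requires, Hadoop's
# default when the property is absent). The requirement is this example's
# policy, not something stated in the original report.
POLICY = {
    "hadoop.security.authentication": ("kerberos", "simple"),
    "hadoop.rpc.protection": ("privacy", "authentication"),
    "dfs.encrypt.data.transfer": ("true", "false"),
    "dfs.http.policy": ("HTTPS_ONLY", "HTTP_ONLY"),
}

# Constructed sample: merged core-site/hdfs-site fragments of a cluster left
# close to its defaults. dfs.encrypt.data.transfer is deliberately missing.
WEAK_CONFIG = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://nn1:8020</value></property>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
  <property><name>hadoop.rpc.protection</name><value>authentication,privacy</value></property>
  <property><name>dfs.http.policy</name><value>HTTP_ONLY</value></property>
</configuration>"""

# Constructed sample: the same cluster with the weak settings corrected.
HARDENED_CONFIG = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://nn1:8020</value></property>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.rpc.protection</name><value>privacy</value></property>
  <property><name>dfs.encrypt.data.transfer</name><value>true</value></property>
  <property><name>dfs.http.policy</name><value>HTTPS_ONLY</value></property>
</configuration>"""


def parse_properties(xml_text: str) -> dict:
    """Read <property><name/><value/></property> entries into a dict."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.findall("property"):
        name = prop.findtext("name", "").strip()
        value = prop.findtext("value", "").strip()
        if name:
            props[name] = value
    return props


def audit(xml_text: str) -> list:
    """Return (property, effective value, required value) for each weak setting.

    A property that is absent is reported with the default Hadoop applies,
    because "not configured" is exactly the condition the report warns about.
    """
    props = parse_properties(xml_text)
    findings = []
    for name, (required, default) in POLICY.items():
        effective = props.get(name, default)
        # hadoop.rpc.protection may list several QOP levels; a client can then
        # negotiate the weakest one, so anything but exactly "privacy" is weak.
        if effective != required:
            shown = effective if name in props else f"{default} (unset)"
            findings.append((name, shown, required))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or "no findings")
```

The same pattern (parse the shipped configuration, compare against an explicit allow-list, treat "absent" as "default") applies to the other distributions named above; what changes is only the file format and the property names.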
Threat: Identity fraud

Big Data systems store and manage credentials for accessing personal data and financial accounts, with information such as credit card numbers and payment and billing details, which are targets for cyber criminals. Big Data systems also store profiling data that can describe user behaviour, preferences, habits, travel and media consumption at a high degree of detail, and may help attackers in more elaborate forms of impersonation fraud, creating big opportunities for identity thieves.

Since most Big Data systems are built on top of cloud infrastructure, a threat to users’ identity is, for example, when control of a system interface, in either a Big Data system based on a large public cloud or in a widely used private cloud, gets lost. A successful attack on a console grants the attacker complete power over the victim's account, including all the stored data.

The control interfaces could be initially compromised via novel signature wrapping and advanced XSS techniques; privilege escalation may then lead to identity fraud. While in traditional information systems the loss of control of a console interface could cause limited information leakage, in Big Data the effect is amplified and the impact is more severe.

Social engineering is not a new issue, but as social networking becomes important both for home users and businesses, attacks often involve social engineering. Attackers have been abusing social networks since they first came online. For example, XSS vulnerabilities on Twitter have been used to push malicious and fake tweets, while Internet malware has emerged on Facebook as a means of promoting malicious profiles.

The assets targeted by these threats are “Personal identifiable information”, “Applications and Back-end services” (such as, for example, “Billing services”) and “Servers”.
Threat: Denial of service

Big Data components can be threatened by traditional denial of service (DoS) and distributed denial of service (DDoS) attacks. For example, such attacks may remove Big Data components from the network and then exploit their vulnerabilities, or an attacker could exhaust the limited resources in a Hadoop cluster, leading to a significant decrease in system performance and causing the loss of the targeted resource to other cloud users. At the same time, countermeasures have been developed for, and using, Big Data systems. For example, administrators of Hadoop infrastructure can deploy specialised components to track DDoS attacks.

In the past this kind of attack has led to some service outages for Amazon distributed storage, through elevated levels of authenticated requests and account validation.

Furthermore, as already stated, specific attacks against social networks such as Facebook have also been mounted, exploiting some weaknesses of the Hadoop Distributed File System, for example the single Namenode server.

Assets targeted by this threat include the asset “Servers” (viz. “Virtualized Data Centre”, “Physical Machine” and “Virtual Machine”) and the asset “Network”.

Threat: Malicious code / software / activity

These very generic threats affect almost all the ICT components of an infrastructure.
Examples of these threats are:
i) exploit kits, which allow virus and malware infections;
ii) worms, which may be distributed by using the network to send copies to other nodes;
iii) Trojans, which are pieces of malware that facilitate unauthorized access to a computer system;
iv) backdoors and trapdoors, which are undocumented entry points into a computer program, generally inserted by a programmer to allow remote access to the program;
v) service spoofing, an attack in which the adversary successfully masquerades as another by falsifying data and thereby gains an illegitimate advantage;
vi) web application attacks and injection attacks through code injection (examples of exploiting these threats to mount more elaborate attacks have already been discussed).

After the deployment of the code, the attacker may manipulate infected devices. In Big Data, malware-infected nodes may send targeted commands to other servers and disturb or manipulate their operations, and worms may replicate themselves, sending copies to other nodes and affecting the behaviour of all components connected to the network.

There is always the possibility that vendors of Big Data tools, or somebody else in the software chain, may have installed firmware with backdoors or some hidden functionality to facilitate access to the devices, in particular in the context of very new technologies such as NoSQL and NewSQL.

An example of hacking Big Data through a malicious code attack is reported in the literature as faulty results of the Hadoop logging data system. System administrators use Hadoop server logs to identify potential attacks. A demo of this hack requires that a service called Flume streams logs into a SQL-based Hadoop data store (HCatalog).
In this scenario, an attacker runs a malicious script and alters the results by modifying the log data before Flume can stream them into HCatalog. The logs can be corrupted even when Hadoop services seem to be working as expected.

Malicious software can be a threat also in distributed programming frameworks, which use parallel computation and may have untrusted components. For example, the MapReduce computational framework splits the input file into multiple chunks: in the first phase a mapper reads the data, performs computation, and outputs key/value pairs. In the second phase, a reducer works on these pairs and outputs the result. A key issue is how to secure the mappers, since untrusted mappers can alter results. With large data sets, it becomes difficult to identify malicious mappers.

The assets targeted by this attack include “Database management systems (DBMS)” (such as the traditional “Relational SQL” databases, and the new Big Data tools “NoSQL” and “NewSQL”), and asset type “Computing infrastructure models”.

Threat: Generation and use of rogue certificates

Device signing and media encryption can be critically undermined by the use of rogue certificates, allowing attackers access to Big Data assets and communication links. These can then be used to access data storage and thus cause data leakage, intercept and hijack individuals’ secure Web-based communications, misuse a brand, and upload/download malware or force updates which potentially contain undesired functionality for Big Data software and hardware components. Social networks such as Facebook are affected. According to reports, in some circumstances download flaws allowed attackers to plant a malicious file on a victim’s machine that looks like it is coming from a trusted Facebook domain.
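For the untrusted-mapper problem described above, an added example (not code from the original report or from Hadoop) of one detection approach: a word-count job whose verifier re-executes a sampled fraction of map tasks on a trusted mapper and flags any worker whose output disagrees. The input chunks and the tampered mapper are constructed for the example.

```python
import random
from collections import Counter

# Constructed input, already split into chunks as MapReduce would split a file.
CHUNKS = ["error disk full", "ok ok error", "login error ok", "ok"]


def trusted_map(chunk: str):
    """Reference mapper, run on infrastructure the job owner controls."""
    return [(word, 1) for word in chunk.split()]


def tampered_map(chunk: str):
    """A malicious mapper, constructed for this example: it rewrites every
    "error" token to "ok", so the job silently under-reports failures."""
    return [("ok" if word == "error" else word, 1) for word in chunk.split()]


def reduce_pairs(pairs):
    counts = Counter()
    for key, value in pairs:
        counts[key] += value
    return dict(counts)


def run_job(chunks, mappers, verify_fraction, rng):
    """Round-robin the chunks over the mapper pool; re-execute a random sample
    of map tasks on the trusted mapper and flag any worker whose output
    differs. Returns (reduced result, set of flagged worker ids)."""
    worker_ids = sorted(mappers)
    all_pairs, flagged = [], set()
    for i, chunk in enumerate(chunks):
        worker = worker_ids[i % len(worker_ids)]
        output = list(mappers[worker](chunk))
        if rng.random() < verify_fraction:
            reference = trusted_map(chunk)
            if sorted(output) != sorted(reference):
                flagged.add(worker)
                output = reference          # discard the tampered output
        all_pairs.extend(output)
    return reduce_pairs(all_pairs), flagged


def run_demo(verify_fraction, seed=7):
    """One honest worker and one tampered worker over the constructed input."""
    pool = {"worker-1": trusted_map, "worker-2": tampered_map}
    return run_job(CHUNKS, pool, verify_fraction, random.Random(seed))


if __name__ == "__main__":
    for fraction in (0.0, 1.0):
        result, bad = run_demo(fraction)
        print(f"verify {fraction:.0%}: errors={result.get('error', 0)} flagged={sorted(bad)}")
```

With no verification the tampered worker's output is reduced as if it were genuine and the error count drops; with verification the worker is flagged and its task is recomputed. In practice the sample fraction trades verification cost against the probability that a malicious worker escapes detection across many tasks, which is why the report notes that large data sets make malicious mappers hard to identify.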
Many assets are targeted by this threat, including asset groups “Data” and “Big Data analytics”, and assets “Software” and “Hardware”.

Threat: Misuse of audit tools / Abuse of authorizations / Unauthorized activities

Audit information is necessary to ensure the security of the system and understand what went wrong; it is also necessary for compliance and regulation. The scope and the granularity of the audit might be different in a Big Data context, and the effect of the misuse of such information may be amplified. For example, key personnel at financial institutions require access to large data sets that contain personally identifiable data. Also, there can be massive breaches of privacy when employees of providers hosting social networks, using their administrative credentials, regularly access private user information. For this reason, it is important to keep security-relevant chronological records. Since the misuse and abuse of authorization can become a common issue, it is necessary to protect a large number of assets containing granular audits, documentation of the security policies, logs and cryptographic keys (e.g. all the assets included in category “Security and privacy techniques” of our asset taxonomy).

The assets targeted by these threats include “identification record data”, “Database management systems (DBS)” (for example “NoSQL” and “NewSQL”) and asset group “Security and privacy techniques”.

Threat: Failures of business process

Failures of business process, according to the ENISA taxonomy, are threats of damage and/or loss of assets due to improperly executed business processes. In Big Data, this class includes all threats related to data integrity that can be favoured by Big Data storage policies.
In particular, the highly replicated and eventually consistent nature of Big Data represents a driver towards attacks on data integrity, where data items stored in different replicas can be inconsistent. This scenario is summarised in the new concept of Big Data degradation, which represents an increasing risk for Big Data correctness.

This scenario also defines a “Big Data Leak”, a total or partial disclosure of a Big Data asset at a certain stage of its lifecycle, as opposed to a “Big Data breach” (e.g. a theft of an asset executed by breaking into the infrastructure). In our case Big Data can be unwillingly disclosed by the owner to the provider of an outsourced process, for example when computing data analytics. This disclosure of information, at a certain stage of the Big Data lifecycle, can be exploited by an honest-but-curious attacker, even without hostile intention.

Also, several cases of inadequate anonymisation of users are reported. While data collection and aggregation use anonymisation techniques, individual users can be re-identified by leveraging other Big Data datasets, often available in the public domain. This is an emergent phenomenon introduced by Big Data variety: identity can be inferred from anonymised datasets by correlating them with apparently innocuous public information. Examples related to de-identification of personally identifiable information (PII) are given by the AOL case and by NIST Big Data publications on Web log collection and analysis. For a more detailed study of deanonymisation and anonymity issues in Big Data systems see ENISA’s report “Privacy by design in big data: An overview of privacy enhancing technologies in the era of big data analytics”.

The assets targeted by this threat include asset groups “Data” and “Big Data analytics”.
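The re-identification by linkage described above, as an added example that is not from the original report: an "anonymised" release with names removed is joined to a constructed public dataset on the quasi-identifiers (ZIP code, birth year, sex), which uniquely identifies every record that sits alone in its equivalence class; generalising those attributes before release raises the k-anonymity of the set and defeats the join. All records are constructed.

```python
from collections import defaultdict

QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")

# Constructed "anonymised" release: names removed, quasi-identifiers kept.
ANONYMISED = [
    {"zip": "02138", "birth_year": 1965, "sex": "F", "diagnosis": "hypertension"},
    {"zip": "02138", "birth_year": 1965, "sex": "F", "diagnosis": "diabetes"},
    {"zip": "02139", "birth_year": 1980, "sex": "M", "diagnosis": "asthma"},
    {"zip": "02140", "birth_year": 1983, "sex": "M", "diagnosis": "influenza"},
]

# Constructed public dataset (think of a voter roll or social-network profiles).
PUBLIC = [
    {"name": "A. Smith", "zip": "02138", "birth_year": 1965, "sex": "F"},
    {"name": "B. Jones", "zip": "02138", "birth_year": 1965, "sex": "F"},
    {"name": "C. Lee", "zip": "02139", "birth_year": 1980, "sex": "M"},
    {"name": "D. Kim", "zip": "02140", "birth_year": 1983, "sex": "M"},
]


def key_of(record, quasi=QUASI_IDENTIFIERS):
    return tuple(record[q] for q in quasi)


def equivalence_classes(records, quasi=QUASI_IDENTIFIERS):
    """Group records sharing the same quasi-identifier values."""
    classes = defaultdict(list)
    for record in records:
        classes[key_of(record, quasi)].append(record)
    return classes


def k_anonymity(records, quasi=QUASI_IDENTIFIERS):
    """Size of the smallest equivalence class: k=1 means someone is unique."""
    return min(len(group) for group in equivalence_classes(records, quasi).values())


def reidentify(anonymised, public, quasi=QUASI_IDENTIFIERS):
    """Link on quasi-identifiers. A match is certain when both sides hold
    exactly one record for the key. Returns sorted (name, diagnosis) pairs."""
    anon = equivalence_classes(anonymised, quasi)
    pub = equivalence_classes(public, quasi)
    hits = []
    for key, group in anon.items():
        if len(group) == 1 and len(pub.get(key, [])) == 1:
            hits.append((pub[key][0]["name"], group[0]["diagnosis"]))
    return sorted(hits)


def generalise(record):
    """One mitigation: coarsen the quasi-identifiers (ZIP prefix, birth decade)
    before release so that no equivalence class is a singleton."""
    out = dict(record)
    out["zip"] = record["zip"][:3] + "**"
    out["birth_year"] = record["birth_year"] // 10 * 10
    return out


if __name__ == "__main__":
    print("raw release: k =", k_anonymity(ANONYMISED), reidentify(ANONYMISED, PUBLIC))
    released = [generalise(r) for r in ANONYMISED]
    print("generalised: k =", k_anonymity(released),
          reidentify(released, [generalise(r) for r in PUBLIC]))
```

The attacker needs no special access: the join runs on a public dataset and on attributes the release deliberately kept. Checking k-anonymity of the release against the quasi-identifiers an adversary can plausibly obtain is the control to apply before publication, with the caveat that k>1 still leaks when all members of a class share the sensitive value.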
4.2.4 Threat Group: Legal

This group includes threats due to the legal implications of a Big Data system, such as violation of laws or regulations, the breach of legislation, the failure to meet contractual requirements, the unauthorized use of Intellectual Property resources, the abuse of personal data, and the necessity to obey judicial decisions and court orders.

Threat: Violation of laws or regulations / Breach of legislation / Abuse of personal data

Data storage in the European Union falls under the Data Protection Directive: organizations are required to i) adhere to this compliance law throughout the life of the data, ii) remain responsible for the personal data of their customers and employees, and iii) guarantee its security even when a third party like a cloud provider processes the data on their behalf.

In the traditional data-centric model, data is stored on-premise, and every organization has control over the information. In Big Data, instead, a real concern is arising about the security of this massive amount of digital information and the protection of the critical infrastructure supporting it, as demonstrated by a vast literature about privacy risks. We should also note that the EU has stricter regulations regarding the collection of personal data than other countries, but sometimes multinationals operating in the EU are based in the United States.

In this context, the most important privacy issues are how to protect individual privacy when the data is stored in multiple sites, and how efficient the protection is.

Big Data also raises the potential issue of data residency. Data, when stored in the cloud storage of providers that offer multi-national storage solutions, may fall under different legal jurisdictions.
An example brought by the NIST Big Data Public Working Group regards the custody of pharmaceutical data beyond trial disposition, which is unclear, especially after firms merge or dissolve.

The assets targeted by this threat include asset groups “Data” (especially “identification record data”) and “Roles”.

4.2.5 Threat Group: Organisational threats

This group includes threats pertaining to the organizational sphere.

Threat: Skill shortage

The analysis of large datasets can underpin new waves of productivity growth and innovation, and unlock significant value. However, companies and policy makers must tackle significant hurdles, such as, for instance, a possible shortage of skilled data scientists and managers.

The asset targeted by this threat is asset group “Roles”.

5. Threat agents

According to the ENISA Threat Landscape 2013, a threat agent is “someone or something with decent capabilities, a clear intention to manifest a threat and a record of past activities in this regard”. For Big Data asset owners it is crucial to be aware of which threats emerge from which threat agent group. This study does not develop a new glossary on threat agents, but utilises the ENISA Threat Landscape 2013’s consolidation of several publications.

The categorization of threat agents is as follows:

Corporations: they refer to organizations/enterprises that adopt and/or are engaged in offensive tactics. In this context, corporations are considered hostile threat agents and their motivation is to build competitive advantage over competitors, who also make up their main target. Depending on their size and sector, corporations usually possess significant capabilities, ranging from technology up to human engineering intelligence, especially in their area of expertise.

Cyber criminals: they are hostile by nature.
Moreover, their motivation is usually financial gain and their skill level is nowadays quite high. Cybercriminals can be organised on a local, national or even international level.

Cyber terrorists: they have expanded their activities and also engage in cyber-attacks. Their motivation can be political or religious, and their capability varies from low to high. Preferred targets of cyber terrorists are mostly critical infrastructures (e.g. public health, energy production, telecommunications), as their failures cause severe impact on society and government. It has to be noted that in the public material analysed, the profile of cyber terrorists still seems blurred.

Script kiddies: they are unskilled individuals using scripts or programs developed by others to attack computer systems and networks, and deface websites.

Online social hackers (hacktivists): they are politically and socially motivated individuals that use computer systems to protest and promote their cause. Their typical targets are high-profile websites, corporations, intelligence agencies and military institutions.

Employees: they refer to the staff, contractors, operational staff or security guards of a company. They can have insider access to the company’s resources, and are considered both non-hostile threat agents (i.e. distracted employees) and hostile agents (i.e. disgruntled employees). This kind of threat agent possesses a significant amount of knowledge that allows them to mount effective attacks against the assets of their organization.

Nation states: they can have offensive cyber capabilities and use them against an adversary. Nation states have recently become a prominent threat agent due to the deployment of sophisticated attacks that are considered cyber weapons.
From the sophistication of this malware, it can be confirmed that nation states have a plethora of resources and a high level of skills and expertise.

All agents listed in this section may have an interest in exploiting certain vulnerabilities in Big Data for different reasons. Only some specific threats come more typically from certain agents, as, for instance, the abuse of authorization that is related to corporate employees, who can use their administrative credentials to access systems. In the following table we propose a cross-relation between threats and agents in Big Data. Annex C presents an overall mapping between assets, threat agents and threats.

6. Good practices

In this section, we provide a discussion summarising good practices to protect Big Data assets. A good practice is a method or technique that has consistently shown results superior to those achieved with other means, and that is used as a benchmark.

To this aim, different sources have been collected, reviewed, and mapped to the previously identified Big Data threats. They specify vulnerabilities, recommendations, controls, countermeasures, and good practices published by institutions or working groups, and relevant for protecting the assets and counteracting the threats in this report.

The first result of our analysis is that publicly available information on Big Data security issues mainly originates from research and is based on requirements and generic assumptions, while materials on real-life experience are not often available. This is mainly due to the fact that the development of Big Data infrastructures and their related security measures is at an early stage of maturity.
In fact, on one side, many Big Data infrastructures have been operational for a limited period of time; on the other side, Big Data security assessment is in many cases managed confidentially for reasons of competitiveness.

Generally speaking, Big Data being a collection of input channels from sensors, networks, storage and computing systems, and output to data consumers, there is shared responsibility for security and infrastructure management. Every party, such as a data provider or a data consumer, should be conscious that its own security also depends on the security of its neighbours. Countermeasures and good practices are expected to be implemented to increase the security of single parties, and of other related parties when applicable.

Different documents produced by the following bodies have been examined: ISO, COBIT, the Council on Cyber Security (CCS) and NIST. ISO terminology proposes security controls, while COBIT provides best practices that allow bridging the gap between control requirements, technical issues and business risks. The CCS is an independent and not-for-profit organization, which presents a recommended set of actions (the so-called CIS Critical Security Controls for Effective Cyber Defence). When appropriate, we provide practices suggested by the NIST Big Data use cases. During the analysis, we tried to unify the terminologies used by the above bodies, which in some cases were not homogeneous.

For controls and technologies specifically directed towards data protection see ENISA’s “Privacy by design in big data: An overview of privacy enhancing technologies in the era of big data analytics” (2015).
One more source of potential controls and technical countermeasures stems from the use of Big Data analytics as a tool for increasing system and data security, and improving intrusion detection and prevention. For completeness, a short presentation of the expected capabilities is given in Annex E: Big Data analytics for security.

7. Gap analysis

In this section, we provide a gap analysis for those cases where further research and investigation are required in the areas of Big Data threats, security, and good practice. This analysis aims to close the gaps highlighted in the previous section and is summarised as follows.

The use of cryptography may not always be sufficient, and there are obvious risks associated with administrators and security professionals with equivalent privileges. This is especially true when threats related to information leakage and/or sharing due to human errors are considered. Furthermore, leaks of data via Web applications (unsecure APIs) and inadequate design/planning or improper adaptation need an improved design of computing and storage infrastructure models, while streaming data from sensors may have confidentiality issues that cannot be mitigated by current solutions. Personal identifiable information is at risk even when best practices are widely followed, and calls for privacy-oriented defensive approaches.
Malicious code and activities pose a risk to models of computing infrastructure and storage due to the difficulties of patch management in a heterogeneous Big Data environment, while violation of laws or regulations, breach of legislation and abuse of personal data may affect final users. All these breaches require, on one side, Big Data specific countermeasures and, on the other side, the involvement of policy makers to reflect changes in the current IT environment in EU laws and legislation. Finally, a skill shortage in roles such as data scientists is foreseen.

We categorise the gaps into four groups: gaps (i) on data, (ii) on the use of cryptography, (iii) on computing and storage models and (iv) on roles (e.g. administrators, data scientists, and final users).

Gaps on data protection

Major gaps are found due to threats to privacy (e.g., the identification of personal identifiable information) and to the confidentiality of sensor data streams. As already reported in this report, several cases of identity fraud due to traffic capture and data mining have been recorded in recent years. Big Data analysis has facilitated intrusion into privacy by strengthening common techniques, and further research in this field is required. Since countermeasures discussed in the previous section, such as anonymisation, did not prove to be always effective against Big Data mining, new research efforts are being made to devise better controls. For example, a promising and actively researched topic is privacy-preserving data mining (PPDM). The basic idea of PPDM is to modify the data in such a way as to run data mining algorithms effectively without compromising the security of the sensitive information contained in the data. In addition, it is foreseeable to have streams of data from sensors certified when possible.
Since centralized cryptography systems are hard to implement when a large number of sensors is involved, the use of Trusted Computing (TC) appears to be a promising technology. Trusted Computing relies on Trusted Platform Modules (TPMs) and related hardware to prove the integrity of software, processes, and data. TPM chips are not expensive and could be fitted in sensors at build time. TPM-enabled devices could provide reliable data streams. However, on the server side (e.g., Big Data cloud-based installations), the use of this technology is more challenging, since the hardware TPM has to be adapted to virtualized environments. A researched approach is based on the notion of a virtual Trusted Platform Module (vTPM), which provides the secure storage and cryptographic functions of a TPM to applications and operating systems running in virtual machines.

Other hardware-based security technologies include the development of new processors for embedded smart sensors. These new processors include protected areas for storage of user authentication keys, as well as areas of the processor that are off-limits to unauthorized users.

Besides the above technically oriented aspects of data protection gaps, in 2015 ENISA conducted a privacy-oriented assessment of Big Data, “Privacy by design in big data”. In this work, more thorough privacy gaps have been identified and recommendations have been made. Highlights include: application of privacy by design, preservation of privacy by data analytics, and the need for coherent and efficient privacy policies for big data. It is recommended to refer to this document in order to obtain a full perspective on the security and privacy issues of Big Data.

Use of cryptography in applications and back-end services

The use of cryptography in Big Data as a mitigation countermeasure can be challenging.
Gaps related to the use of cryptography are mainly related to: i) performance and scalability, ii) protection of logical and physical fragments, such as data blocks. In fact, in Big Data, cryptography adds complexity and negatively affects performance. New dedicated products and ad hoc solutions are under development, as for example the already discussed TC and TPM technologies, while some interesting new approaches to cryptography for Big Data applications, such as the notion of “cryptography-as-a-service” in cloud environments, are emerging.

In recent years, there has been a lot of discussion around novel, but still rather esoteric, crypto-algorithms. Homomorphic encryption, honey encryption and other proposals could, at least in theory, provide end-to-end data protection and confidentiality. As an example, assuming the existence of a fully homomorphic cryptoscheme, one could use public Big Data systems to perform analytics (with the expected speed or accuracy losses) without ever revealing the data to anyone else, not even the computation and storage service provider. Research is still ongoing, but the interested reader can find a concise study of the current state of the art in ENISA’s “Privacy by design in big data: An overview of privacy enhancing technologies in the era of big data analytics”.

Gaps on computing and storage models

Computing infrastructure and storage models in Big Data face new challenges, such as the lack of standardization and portability of security controls among different open source projects (e.g., different Hadoop versions) and Big Data vendors, and the poor design of security features. Often, standards do not exist or are still under development.
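The homomorphic-analytics scenario above, as an added example that is not from the original report: a textbook Paillier scheme, which is additively homomorphic rather than fully homomorphic (it supports sums and scalar multiples of encrypted values, not arbitrary analytics), in which the storage provider adds encrypted values without ever holding the key. Toy-sized primes are used so the arithmetic stays readable; that choice and the provider-side outsourced_sum routine are this example's assumptions.

```python
from math import gcd
import secrets

# Toy-sized primes so the numbers stay readable; a real deployment uses
# primes of 1024 bits or more. Both values are well-known primes near 10**6.
P, Q = 1000003, 999983


def lcm(a, b):
    return a * b // gcd(a, b)


def keygen(p=P, q=Q):
    """Paillier key pair: public (n, g), private (lambda, mu)."""
    n = p * q
    n2 = n * n
    g = n + 1                          # standard simple choice of generator
    lam = lcm(p - 1, q - 1)
    mu = pow((pow(g, lam, n2) - 1) // n, -1, n)
    return (n, g), (lam, mu)


def encrypt(pub, m):
    """E(m) = g^m * r^n mod n^2 with a fresh random r coprime to n."""
    n, g = pub
    n2 = n * n
    assert 0 <= m < n, "plaintext must lie in Z_n"
    while True:
        r = secrets.randbelow(n - 1) + 1
        if gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c):
    """m = L(c^lambda mod n^2) * mu mod n, where L(u) = (u - 1) / n."""
    n, _ = pub
    lam, mu = priv
    n2 = n * n
    return ((pow(c, lam, n2) - 1) // n * mu) % n


def add_encrypted(pub, c1, c2):
    """E(m1) * E(m2) mod n^2 decrypts to m1 + m2: addition without the key."""
    return (c1 * c2) % (pub[0] ** 2)


def scale_encrypted(pub, c, k):
    """E(m)^k mod n^2 decrypts to k * m: multiplication by a known constant."""
    return pow(c, k, pub[0] ** 2)


def outsourced_sum(pub, ciphertexts):
    """What the untrusted provider runs: ciphertexts in, one ciphertext out.
    It learns nothing about the individual values or their total."""
    total = encrypt(pub, 0)
    for c in ciphertexts:
        total = add_encrypted(pub, total, c)
    return total


if __name__ == "__main__":
    pub, priv = keygen()
    readings = [12, 30, 5]                                 # data owner's side
    cts = [encrypt(pub, v) for v in readings]
    total_ct = outsourced_sum(pub, cts)                    # provider's side
    print("provider returned", total_ct)
    print("owner decrypts  ", decrypt(pub, priv, total_ct))
```

Each ciphertext is roughly twice the size of n and every homomorphic addition is a modular multiplication over n^2, which is the performance and scalability cost the report refers to; the sum must also stay below n or it wraps. Fully homomorphic schemes extend this to multiplication of ciphertexts at a far larger cost.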
An example of missing standards, cited by the NIST Big Data Working Group, comes from the shipping industry, which uses Big Data in the identification, transport, and handling of items in the supply chain. At the moment, however, the status of shipped items (e.g., unique identification number, GPS coordinates, sensor information, etc.) is not passed through the entire chain. A unique identification schema is under development within an ISO technical committee.

From a security perspective, we note that in a traditional data management system, such as an SQL relational database, security has evolved slowly and many new controls have been proposed over the years. The security of Big Data components has not undergone the same level of rigor or evaluation, owing to the immaturity of Big Data research and development.

Gaps on roles (administrators, data scientists, and final users)

As stated in the previous section, many roles can be critical in Big Data, in particular system administrators, data scientists, and users. Big Data administrators and other privileged users are a major concern, since they require access to corporate data systems when working on behalf of the cloud service provider; moreover, they could use their privileges to access key stores and other sensitive information. All the data scientist positions are unlikely to be filled in the near future, while users might not always be conscious of, or care about, the legal implications of data storage, which vary widely around the world.

Awareness, education, and training are the keys to closing these gaps concerning human resources. Some new online educational web sites are offering specialised courses in Big Data, for example the Big Data University sponsored by IBM, and MIT.
The Big Data University is run by a community, which includes many IBM staff members, contributing voluntarily to the development of courses and to enhancing the site; Amazon is also contributing to the initiative. Other courses are available at Massive Open Online Course (MOOC) websites like Coursera. But, as with ICT security, it will take years to fulfil industry's requirements for skilled and trained personnel.

Recommendations

The above gaps naturally result in a set of recommendations that can be classified as general recommendations, technical recommendations and recommendations on human resources.

General recommendations: these target the main Big Data stakeholders, such as owners of Big Data projects and policy makers. In particular, stakeholders should abandon the assumption that a Big Data environment is simply a traditional data environment with a large amount of data. Big Data is more than a simple scalability problem, and management tools, risk assessment, countermeasures and solutions should consider and address all five Vs characterizing a Big Data environment. This consideration is important both for policy makers specifying laws and regulations targeting the current ICT environment, and for stakeholders managing Big Data platforms and analytics. Especially for the latter, it becomes fundamental to evaluate i) the current level of security, by understanding the assets covered (and not covered) by existing security measures, and ii) the effectiveness of good practices adapted from traditional security and privacy tools and techniques. These general recommendations require a parallel standardization effort supporting the definition of proper and specific Big Data tools and legislation.

Technical recommendations: these target owners of Big Data projects and developers of the corresponding products.
Following the general recommendation of being Big Data specific, stakeholders should limit as much as possible the practice of adapting existing products to Big Data. Big Data introduces completely novel environments with new assets, threats, risks, and challenges. As a consequence, new products are needed to provide effective countermeasures and increase the trustworthiness of Big Data environments. Such products must be introduced into the Big Data life cycle only after a careful evaluation, through pilots, aimed at verifying and proving their correct behaviour. The success of these new products depends on a commitment by third-party vendors to apply security measures and keep up with updates. Moreover, developers of Big Data products should benefit from new tools providing security and privacy functionality by default. To conclude, as already specified in the general recommendations, international bodies are invited to support this shift to Big Data specific security and privacy solutions by starting a gap analysis on Big Data standards, and new standardization activities according to the identified gaps.

Recommendations on human resources: these target the people managing and using Big Data assets. As in traditional environments, human resources are one of the main sources of threats, and include users that attack a system either maliciously or accidentally. To limit these scenarios, all involved parties should focus on training specialized professionals. Big players should support education initiatives on Big Data to raise and train tomorrow's scientists, fostering information and communication technology security awareness and training programs. Private companies and governmental bodies should encourage technical staff to attend offline/online courses from respected institutes to increase their competences.
End users should learn about their rights and the threats to their privacy by attending courses and educational initiatives. Big Data administrators and other privileged users should cooperate with the international community to exchange information on threats and promote the application of good practices as mitigation measures. Finally, Big Data administrators should rely on good practices, and report on their implementation choices in terms of considered assets, threats, countermeasures, and identified gaps.

Adverse macro-financial scenario for the EBA 2016 EU-wide bank stress testing exercise

The European Banking Authority (EBA) 2016 EU-wide stress testing exercise will require banks to use the presented outcome of the adverse macro-financial scenario for variables such as GDP, inflation, unemployment, asset prices and interest rates in order to estimate the potential adverse impact on profit generation and capital. The adverse scenario covers three years, starting from the first quarter of 2016, when the shocks are assumed to materialise, and ending in 2018.

1. Main risks to stability of the EU financial sector

The narrative of the adverse scenario reflects the four systemic risks identified by the ESRB General Board as representing the most material threats to the stability of the EU financial sector:
1. An abrupt reversal of compressed global risk premia, amplified by low secondary market liquidity;
2. Weak profitability prospects for banks and insurers in a low nominal growth environment, amid incomplete balance sheet adjustments;
3. Rising debt sustainability concerns in the public and non-financial private sectors, amid low nominal growth;
4. Prospective stress in a rapidly growing shadow banking sector, amplified by spillover and liquidity risk.

In the adverse scenario, the first systemic risk, assessed to be the most significant of the four, materialises through a change in investor preferences in the developed financial markets and, most notably, in the United States, with an increasing aversion to holding long-term fixed income securities. This induces a portfolio reallocation towards short-term instruments, causing a rise in US long-term risk-free interest rates and risk premia across all financial asset classes. The increases are amplified by limited secondary market liquidity. A protracted period of global financial market uncertainty would follow, leading to a confidence-driven contraction of domestic demand in emerging markets, in line with country-specific vulnerabilities.

The first systemic risk acts as a trigger for the vulnerabilities related to the remaining three sources of risk. In the EU this would lead, in particular, to a weakening of domestic demand, a decline in property prices and a renewed widening of sovereign credit spreads, as well as to a sell-off by the shadow banking sector that would amplify the shocks to financial asset prices in the EU.

2. Macro-financial shocks driving the outcome of the adverse scenario

Specific macro-financial shocks that are assumed to materialise under each of the parts of the scenario are presented in Table 1. Concerning the calibration of the specific shocks, the yields on long-term United States Treasury securities are assumed to rise sharply, deviating by 250 basis points (bps) from the baseline by end-2016.
The increased investor risk aversion would affect the prices of European fixed income instruments, and yields on ten-year German sovereign debt would increase by about 80 basis points over the same horizon. The impact on sovereign bond yields would be lasting, so that German ten-year bond yields would remain some 53 basis points above the baseline levels in 2018 (see Table 2). In addition, sovereign credit spreads in the euro area would widen, reflecting broadly the market assessment of individual sovereigns' vulnerabilities. Overall, long-term interest rates in the EU would be higher by 71 basis points in 2016, 80 basis points in 2017 and 68 basis points in 2018.

Against the backdrop of global financial tensions, bilateral nominal exchange rates of the central and eastern European (CEE) countries against the euro would depreciate sharply, by between 8% and 24% in the course of 2016, corresponding to the historical exchange rate volatilities. Subsequently, these exchange rates would remain stable at the weaker levels for the remainder of the exercise horizon. The increase in bond yields in the CEE countries would be stronger than that observed in the euro area and western European non-euro area countries. At the same time, the Swiss franc would appreciate by 23% against the euro (see Table 3). These exchange rate movements would take place despite the implied strong fundamental misalignment of the respective currencies, which would not begin to correct before end-2018.

More generally, the global increase in risk premia has effects well beyond fixed income markets. Global equity prices would decline by 36% by the end of 2016.
As a result, and amplified by a sell-off by shadow banking entities, EU stock prices would fall, on an annual basis, by 25% in comparison with the baseline scenario in 2016, followed by a mild recovery that would reduce the average deviation from the baseline scenario to about 16% in 2018 (see Table 4). Commodity prices would also be affected, responding to financial shocks and the expected weakening of global economic growth, with oil prices falling by about 48% in 2016 compared with the baseline projection of about 54 US dollars per barrel, standing at about 44% below baseline levels in 2017 and 2018.

Money market rates (three-month interbank offered rates) in all EU countries would rise by about 33 basis points compared with the baseline scenario in 2016, reflecting a higher credit premium. This additional credit premium would decline to 23 basis points in 2017 and 6 basis points in 2018. As monetary policy is assumed to follow the expectations implied by the baseline scenario also under the adverse scenario, this increase should not be interpreted as being driven by monetary policy decisions.

Tighter financing conditions caused by a reduction in the availability of funding from shadow banking entities would contribute directly to a contraction in economic activity. It is assumed that banks would respond by tightening lending standards on loans to the private non-financial sector. This funding shock is represented by country-specific shocks to the cost of corporate credit and loans to households, via an increase in the user cost of capital and a reduction in the financial wealth of households respectively. The corresponding impact on 2018 GDP is estimated to be limited to about 0.12%.

Finally, swap rates would respond to the increase in money market rates and long-term government bond yields.
Depending on the maturity, euro swap rates would increase by between 44 and 58 basis points in 2016 compared with the baseline, and remain elevated until 2018. Detailed paths for swap rates for the US dollar and most EU currencies are presented in the annex.

The increased global uncertainty would reduce global economic growth, notably through confidence and financial spillovers to emerging market economies (EMEs), spanning all major emerging market regions (Asia, Latin America, emerging Europe). The spillovers give rise to a sudden re-assessment of growth expectations in these countries. In turn, sizeable capital outflows from EMEs lead to a reduction in emerging market asset prices, causing domestic demand in these economies to suffer from both tighter financing conditions and business and consumer confidence shocks. This would have an impact on the EU economies through trade channels, as foreign demand for EU exports would be materially reduced.

The estimated impact of the above-mentioned financial and real shocks on economic activity in the countries outside the EU would be sizeable, in particular for EMEs that are also commodity exporters (see Table 5). Cumulative GDP growth in the developed economies would be between 2.5% and 5% lower than under the baseline scenario in 2016-17. By 2018, as the impact of the shocks would begin to wear off, GDP growth rates would approach those projected under the baseline scenario. Among the main emerging economies, the impact would be particularly strong for Brazil, Russia and Turkey, while for China and India total GDP would stand about 4.5% below the baseline projections in 2018. Overall, the demand for EU exports would stand nearly 8% below the baseline projection in 2017 and 6.5% below the baseline in 2018.
The global shocks are also assumed to negatively affect confidence, resulting in country-specific reductions in private consumption and investment in all EU countries. Lower consumer confidence, together with increased risk premia, would additionally cause a slowdown in property market activity, both in the residential and commercial property segments. The exogenous shocks to house prices reflect the country-specific misalignment of house prices with regard to estimated fundamental levels and the historical volatility of house prices. These shocks, which overall drive house prices down by about 6%, are supplemented with a common shock of about 7.5% affecting all EU countries and some country-specific exogenous add-ons calibrated according to the assessment of national competent authorities. Commercial property prices are also affected by a common shock, calibrated in a uniform way for all EU countries at about 7%.

3. Results for the euro area and European Union

As a combined result of the foreign demand shocks, financial shocks and domestic demand shocks in the EU, the scenario implies a deviation of EU GDP from its baseline level by 3.1% in 2016, 6.3% in 2017 and 7.1% in 2018. The implied EU real GDP growth rates under the adverse scenario over the three years of the exercise amount to -1.2%, -1.3% and +0.7% respectively (see Table 6).
The major part of the impact on GDP is driven by domestic demand factors, namely the exogenously set reductions in consumption and investment, which collectively reduce EU real GDP by about 3.6% compared with the baseline by 2018 (see Chart 1). Assumed shocks to foreign demand contribute a further 2.7% to the total 2018 deviation of EU GDP from the baseline. The combined impact of interest rate, house price and stock price shocks is somewhat weaker. The positive contribution of lower commodity prices and weaker exchange rates to EU GDP moderates the negative deviation from the baseline by about 0.8%. In combination with substantially lower headline inflation, the impact on nominal GDP would be particularly pronounced.

In a historical perspective, the adverse scenario, leading to a total reduction in EU GDP of 1.7% in 2018 from the 2015 level, is slightly less severe than the 2008-10 period, when the EU economy contracted by about 2.0% over three years. The recession considered under the adverse scenario is longer but shallower than the 2008-10 events (see Chart 2).

The Harmonised Index of Consumer Prices (HICP) inflation rate in the EU under the adverse scenario is well below the baseline scenario, by -2.0 p.p. in 2016, -1.9 p.p. in 2017 and -2.1 p.p. in 2018 (see Table 7). Following a sharp reduction in energy and food commodity prices in early 2016, under the adverse scenario HICP inflation would reach -0.9% in 2016. Prices would fall slightly in 2017 and 2018, with annual inflation rates of -0.2% and -0.2% respectively.
The projected inflation is initially driven by much lower commodity prices, which explain a large majority of the deviation of the HICP inflation rate from the baseline scenario in 2016. Over time, the deviation is increasingly explained by the impact on prices of weaker aggregate demand, both domestic and foreign.

The adverse scenario implies a substantial increase in the EU unemployment rate, instead of the slight reduction expected under the baseline scenario. The EU unemployment rate would reach 11.6% in 2018, some 2.8 percentage points higher than the baseline (see Table 8).

Residential property prices in the EU would fall, reflecting the assumed exogenous shocks as well as their reaction to the general deterioration in the economic outlook. Overall, EU residential property prices would stand about 21.3% below the baseline levels by 2018 (see Table 9), having contracted by about 10.7% from the 2015 levels. Commercial property prices, similar to residential property prices, would deviate downwards from the levels consistent with the baseline economic projections. By 2018, prime commercial property prices would contract by about 15% from their 2015 levels, and stand about 23% below the baseline projections (see Table 10).

In comparison with the adverse scenario of the 2014 EU-wide stress testing exercise, this scenario would result at the end of the horizon in a similarly-sized deviation from baseline of the EU GDP level (-7.1% compared with -7.0% in the 2014 exercise) and a much stronger deviation of the price level (-5.8% and -2.8% respectively) from the baseline. The impact on GDP is driven primarily by more severe domestic demand shocks, as foreign demand shocks are less severe than in the 2014 scenario and lower commodity prices stimulate growth in the EU economy.
Owing to a more favourable baseline projection than in the 2014 exercise, GDP over the three-year horizon falls by 1.7% in the adverse scenario, slightly less than the 2.1% fall assumed in the 2014 exercise. Consumer prices fall by 1.3% over the horizon in the adverse scenario, while they were assumed to increase by 1.7% in the 2014 exercise. The impact of both scenarios on the EU unemployment rate and residential property prices is similar. The change in residential property prices over the horizon, however, is somewhat less adverse in this scenario (-10.7%) than in the 2014 exercise (-15.4%), again owing to a substantially more favourable baseline. As the impact of this scenario on commercial property prices is stronger than that assumed in the 2014 exercise, the change over the horizon is also more adverse (-15.0%, compared to -8.3% in 2014).

2016 EU-wide stress test: Frequently Asked Questions

Scope

1. Why does the EBA run an EU-wide stress test?

The EU-wide stress test serves as a common foundation on which national authorities can base their supervisory assessment of banks' resilience to relevant shocks, in order to identify residual areas of uncertainty, as well as appropriate mitigation actions.
Moreover, the exercise strengthens market discipline, through the publication of consistent and granular data on a bank-by-bank level illustrating how balance sheets are affected by common shocks.

2. Who is involved?

The EU-wide stress test is initiated and coordinated by the EBA and undertaken in cooperation with the Competent Authorities (the Single Supervisory Mechanism for the euro area banks), the European Central Bank (ECB), the European Systemic Risk Board (ESRB) and the European Commission (EC). The 2016 exercise covers a sample of 51 banks representing about 70% of EU banks' total assets.

3. How does it work in practice?

The EBA develops a common methodology that is applied by all the banks in the sample and checked by supervisors. The EBA also acts as a data hub for the final dissemination of the outcome of the common exercise. Competent Authorities (CAs) are responsible for the quality assurance process and the supervisory reaction function. The EBA supports the CAs' quality assurance process by providing common quality assurance guidelines and EU-wide descriptive statistics on the main risk parameters.

4. Will banks undertake an asset quality review ahead of the stress test?

In 2016, the stress test will not be preceded by a coordinated EU-wide asset quality review (AQR), as was the case in 2014. However, the assessment of asset quality is regularly undertaken by CAs as part of their supervisory work.

Process and roles

5. What is the role of the EBA?

The EBA is responsible for developing and providing CAs with a common methodology to allow them to undertake a rigorous assessment of banks' resilience under stress in a common and comparable way. The ESRB is responsible for designing a common adverse scenario on which the stress test can be run. The EC provides the baseline scenario.
The EBA also provides CAs with EU descriptive statistics on risk parameters for the purposes of consistency checks. Furthermore, the EBA acts as a data hub for the final dissemination of the common exercise, thus ensuring transparent and comparable disclosure of banks' results. Finally, the EBA plays a key role in ensuring effective communication and coordination between home and host authorities in the framework of colleges of supervisors.

6. What are the roles of national Competent Authorities (CAs) and the Single Supervisory Mechanism?

CAs, including the Single Supervisory Mechanism for the euro area banks, are responsible for ensuring that banks correctly apply the common methodology developed by the EBA. In particular, CAs and the SSM are responsible for assessing the reliability and robustness of banks' assumptions, data, estimates and results. Furthermore, CAs and the SSM are responsible for the quality assurance process as well as for the resulting supervisory actions.

7. What banks will be involved in the stress test?

The 2016 EU-wide stress test exercise will be carried out on a sample of banks covering about 70% of the EU banking sector, as expressed in terms of total consolidated assets as of end 2014. It will include 51 EU banks from 15 European countries.

8. Why has the sample shrunk compared to the 2014 EU-wide stress test and also to the 2015 EU-wide transparency exercise?

Following a wide-ranging exercise in 2014, the EBA decided to focus on a more homogeneous sample of large banks, to ensure greater comparability while ensuring a significant coverage of EU banking assets.
The 2016 EU-wide stress test exercise is carried out on a sample of 51 banks covering broadly 70% of the national banking sector in the Eurozone, each non-Eurozone EU Member State and Norway, as expressed in terms of total consolidated assets as of end 2014. To be included in the sample, banks have to have a minimum of EUR 30 bn in assets. This threshold is consistent with the criterion used for inclusion in the sample of banks reporting supervisory reporting data to the EBA, as well as with the SSM definition of a significant institution. Smaller banks not included in the 2016 EU-wide stress test will be tested by their relevant competent authorities as part of the SREP process.

Timeline and disclosure

9. What is the timeline for the stress test?

After the launch of the exercise, banks will proceed to estimate the impact of the adverse scenario on their balance sheets. Banks' results will be quality assured and challenged by the CAs. This can lead to resubmissions and possible additional iterations. The EBA expects to publish the final results of the 2016 EU-wide stress test by early Q3 2016.

10. How will data and results be published?

The most important aspect of the EBA's common EU-wide exercise is the disclosure of comparable and consistent data and results across the EU. Results will be disclosed on a bank-by-bank basis and the EBA will act as a data hub for the final dissemination of the outcome of the common exercise. The level of granularity of the data disclosed will be consistent with that of the 2014 EU-wide stress test and 2015 EU-wide transparency exercise. It will include the capital position of banks, risk exposures, and sovereign holdings. The credibility of the EU-wide stress test rests on transparency.
Market participants will be able to determine for themselves how supervisors and banks are dealing with remaining pockets of vulnerability.

Methodological aspects and scenario

11. Why have you moved from a 'pass or fail' stress test to an exercise where no specific capital hurdle is defined?

The objective of the crisis stress tests was to identify possible capital shortfalls and require immediate recapitalisation actions. As banks have now moved to a more steady-state setting, the aim of the 2016 exercise is rather to assess remaining vulnerabilities and understand the impact of hypothetical adverse market dynamics on banks. Although no hurdle rates or capital thresholds are defined for the purpose of the exercise, CAs will use stress test results as an input to the Supervisory Review and Evaluation Process (SREP). In addition, the publication of capital ratios will enable market participants to make their own assessment.

12. What are the key methodological changes compared to the previous exercise?

The building blocks of the common methodology are rather similar to those of the 2014 exercise. Some improvements have been included, both to refine the previous methodology based on prior experience and to address new relevant risks. In this regard, a methodology to estimate conduct risk-related losses is now included. Additionally, a more precise treatment of FX lending risk and hedging, together with a refinement of the net interest income (NII) methodology, were also introduced.

13. How will the EBA ensure consistency between Eurozone and non-Eurozone countries in the conduct of the exercise?

The aim of an EU-wide stress test is to assess the resilience of financial institutions across the Single Market to adverse market developments.
Consistency in the way the exercise is conducted across the EU is necessary to ensure a rigorous assessment as well as comparability of data. To this end, two elements are crucial: (1) a common methodology and consistently applied constraints, such as a static balance sheet, which will provide market participants and institutions with a common exercise to contrast and compare EU banks under adverse market conditions; (2) a common baseline and adverse macro-economic scenario. In addition, the EBA will provide comparative analysis at the end of the quality assurance process by CAs, and bank results will be discussed in the framework of colleges of supervisors involving home and host authorities, as well as the EBA.

14. What is the scope of consolidation?

The EU-wide stress test will be conducted on the highest level of consolidation (group level). Subsidiaries of banks in the European Economic Area are excluded given the Single Market perspective of the exercise.

15. How will the stress test results feed into the SREP process?

The 2016 EU-wide stress test will be one crucial piece of information in the SREP process in 2016. The results of the stress test will allow CAs to assess banks' ability to meet applicable minimum and additional own funds requirements under the stress conditions against the common scenarios and assumptions. Furthermore, the results of the stress tests will be a solid ground for a discussion with individual banks to better understand relevant management actions and how their capital planning may be affected by the stress, and to ensure that the banks will be above the applicable capital requirements.
As stated in the EBA Guidelines on common procedures and methodologies for the SREP, CAs are expected to factor the results of the EU-wide stress test, together with ICAAP and other supervisory stress tests and other assessments, into the assessment of banks’ adequacy of own funds, and in particular their ability to meet the own funds requirements over the economic cycle. Supervisors have a wide range of tools available which will be applied on a case by case basis. In order to inform the SREP process, the timeline of the exercise has been brought forward compared to 2014.

16. How will the stress test results be used for cross-border banks?

The results of the stress test, forming a vital part of information for SREP purposes, will be discussed within the framework of colleges of supervisors established for cross-border banks. Any measures affecting additional own funds requirements (Pillar 2 requirements) will be jointly agreed by the members of the colleges, as required under the legislation on joint decisions on institution-specific prudential requirements. In order to inform the SREP process and the calendar of the joint decisions in 2016, the timeline of the exercise has been brought forward compared to 2014.

Building a sound global Islamic financial system

Opening remarks by Dr Zeti Akhtar Aziz, Governor of the Central Bank of Malaysia (Bank Negara Malaysia), at the Islamic Financial Services Board (IFSB) - Meet the Members & Industry Engagement Session, Kuala Lumpur

It is my pleasure to welcome you to this Industry Engagement Session organised by the IFSB. Since its introduction in 2012, these sessions have drawn an encouraging response from the members and the industry.
Such an interface between the regulators, industry and the IFSB has become even more important in the current environment in which greater global attention is being accorded to the reform of prudential regulations. The strengthening of such an interface provides an important platform for building greater understanding of the expectations, issues and areas of concern amongst the regulators, the industry and the IFSB.

With more than a decade since the inauguration of the IFSB in November 2002, the IFSB has built a solid global reputation as a prudential standard-setting body for Islamic finance. Its achievements also include initiatives to increase international regulatory cooperation, to encourage uniformity of regulatory frameworks and efforts to enhance the monitoring of financial risks in the Islamic financial system.

The enhanced stability and resilience of the current global Islamic financial system is reinforced by its vibrant growth and its increasing internationalisation and integration into the international financial system. This is a realisation of the aspirations and vision of the IFSB Founding Members.

The IFSB has also made significant advancements in taking forward the recommendations made in the Islamic Finance and Global Financial Stability Report 2010 towards achieving financial stability in the national and the international Islamic financial system. The prudential standards, including that for liquidity management, issued by the IFSB take into account the unique characteristics of Islamic finance and are also designed to not impose any regulatory burden while upholding the financial stability agenda.

The effective implementation of the standards issued by the IFSB is key towards promoting the soundness and stability of Islamic financial institutions.
To enhance this prospect, the IFSB has strengthened its role in facilitating greater jurisdictional preparedness in the adoption of these standards through the provision of technical assistance to its members.

Malaysia is one of the jurisdictions that has adopted and operationalised the prudential standards and the guiding principles that have been issued for the industry. The implementation of these standards and guiding principles supports the regulatory framework that we now have in place in our Islamic financial system. As the industry is aware, it places emphasis on the enforcement of standards for capital adequacy, effective risk management practices, liquidity management, greater financial disclosure and governance, reinforced by a strong Shariah and legal framework.

Among the important initiatives of the IFSB is also the establishment of the International Islamic Liquidity Management Corporation (IILM) in 2010, which has changed the landscape for liquidity management in the international Islamic financial system, particularly in strengthening the cross-border liquidity arrangements among the Islamic financial institutions. A further initiative during the same year was the introduction of the Islamic Financial Stability Forum (IFSF), set up in 2010 to further solidify the global efforts in areas that will contribute towards safeguarding financial stability. Deliberations on wide-ranging issues that pertain to risks to financial stability in the Islamic financial system have taken place at this forum.

Greater awareness of issues relating to regulation and supervision of Islamic finance has also been raised at international meetings, conferences, seminars, workshops and other dialogues that have been organised by the IFSB in many countries across several continents.
The initiatives and milestones achieved by the IFSB have indeed paved the way for jurisdictions across the globe to build a solid foundation for the progressive growth of Islamic finance that is underpinned with stability.

Additionally, with its early recognition of the increasing interconnectivity in a financial system, the IFSB, unlike other prudential standard-setting bodies, has advanced its mission through the development of prudential standards with a broader coverage that includes the banking, capital market and insurance or takaful sectors. The prudential standards issued by the IFSB take into account the specificities of Islamic finance and the dynamics of the various Shariah contracts used in the wide-ranging products offered by Islamic financial institutions.

It is within this context that Islamic financial institutions are able to perform their role more effectively as financial intermediaries that are differentiated from their conventional counterparts. With greater readiness, Islamic financial institutions can strategically position themselves to further realise the true value proposition of Islamic finance, particularly as a financial regime that places emphasis on risk-sharing and that further strengthens the link of finance to the real economy. Of importance, industry players will be better positioned to ride the evolutionary waves of financial innovation that are prevalent in Islamic finance in order to enable greater offerings of risk-sharing products to customers and businesses.

In Malaysia, Islamic banks now have the potential to be better able to pursue their role as investment intermediaries through the offering of investment accounts in addition to the entrenched deposit products, in which various modes of risk-sharing contracts can be applied. This is supported by the legal recognition of investment accounts in the Islamic Financial Services Act 2013 (IFSA).
It provides a differentiation between the deposit account and the investment account, which offers a new investment avenue that caters for a wider range of investor risk-return preferences. In contrast to the deposit account, these funds are being channelled directly to finance entrepreneurship in productive activities. In promoting entrepreneurship and value-creating activities, it also contributes towards generating growth and enhances the prospects for job creation.

Additionally, the Investment Account Platform (IAP) that is currently being developed will provide a centralised multi-bank platform as a new financing option for entrepreneurs with viable projects as well as an opportunity for the investing public to finance these projects.

It is encouraging that to date, eight Islamic banks are offering investment accounts to their customers. More are expected to follow when the value proposition of such investment accounts, with their unique features and the different target market, becomes better understood. The industry-led communication by the Association of Islamic Banking Institutions Malaysia will contribute towards increasing the awareness of customers of the concept and the key features of the investment account. The recent establishment of a consortium of four Islamic banks to develop and operate the IAP, which is to be launched next month, is another initiative to advance this new offering.

In the development of the investment account, it will be essential for Islamic banks, investors and entrepreneurs to embrace the different approaches in the management of the risk and return relationships that are embedded in the variations of the Shariah contracts used in such investment accounts.
These relationships need to be well understood by the parties involved and aligned with clear contractual and operational requirements.

The IFSB has an important role in not only providing guidance but also in initiating the convergence of the different practices between IFSB members with regard to the treatment of the investment account - also referred to as profit sharing investment account (PSIA) - in the IFSB standards. More in-depth work can also be explored by the IFSB on the prudential requirements for the investment account to further ensure a conducive environment for such risk-sharing offerings.

The global Islamic financial system is now operating at a time when the international economic and financial environment has become immensely more challenging. New risks that are more complex, with more profound systemic implications, are emanating from the increasing forces of financial liberalisation, globalisation, technological advancement, intensified competition, financial innovation and the internationalisation of Islamic finance. Cumulatively, these developments necessitate greater prudential regulation and supervisory oversight to ensure a resilient and sustainable financial system.

The role of the IFSB remains instrumental and paramount as we face a time of increasing uncertainties. Continuous and stronger support for the IFSB, particularly from its members, including in actively providing feedback on its Consultative Papers and in participating in IFSB-related events, supported by the existing collaboration and cooperation among the regulators, would collectively strengthen the potential for the IFSB to manage its journey ahead.
Greater concerted efforts by members to consistently adopt and implement the prudential standards issued by the IFSB will not only contribute towards preserving financial stability but will also enhance regulatory harmonisation across jurisdictions. These efforts will indeed place us on a path to realising our quest and shared aspirations for a more resilient and sound global Islamic financial system.

It is also timely for the IFSB to elevate its level of engagement and connectivity with other international standard-setting bodies. This would enable the framework for financial stability in the context of Islamic finance to interface with the arrangements that exist for the conventional financial system, therefore avoiding any fragmentation in the global regulatory framework.

Malaysia, as the host of the IFSB, will continue to be committed to supporting its development and its potential as a prudential standard-setting body in the international financial system.

On that note, I wish you a productive session today and look forward to the constructive outcomes of this engagement.

PCAOB Launches Redesigned Website Optimized for Mobile Devices

The Public Company Accounting Oversight Board launched a newly redesigned website at www.pcaobus.org that uses a responsive web design. The new PCAOB site scales to fit any screen: desktop, laptop, tablet, and smartphone.

In addition to the responsive design, pcaobus.org features enhanced navigation. Visitors can get to the most popular pages within the PCAOB website using the new expandable navigation – the mega menu – at the top of any page.
In addition, handy footer links at the bottom of every page also provide access to the most popular and important PCAOB content. While the most visited sections of the site – Standards, for example – can be found at the same URLs, many of the main pages for program areas have been enhanced. Also, the PCAOB Careers section has been redesigned.

Regulatory landscape for 2016 - positioning for a dynamic, trusted and vibrant market

Keynote address by Mr Ong Chong Tee, Deputy Managing Director (Financial Supervision) of the Monetary Authority of Singapore, at the SGX Equities Dialogue 2016, Singapore

Ladies and Gentlemen

Good afternoon. I am delighted to join you at the inaugural SGX Equities Dialogue.

A challenging start

1. 2016 has started on a challenging note for global stock markets. The first trading week of this year alone saw global markets losing close to S$3 trillion, led by sharp declines in the Chinese stock market. The STI Index has fallen by more than 20% during the last 12 months to the lowest level since October 2011. Oil prices are testing lows last seen in 2004 and many other commodity prices are also under downward pressure.

2. The prevailing negative market sentiment reinforces the importance of various measures undertaken by both MAS and SGX together with different market stakeholders, to build a more robust and resilient financial market. These include areas relating to capital, liquidity and margin rules, infrastructure resilience and so on; all of which complement various measures on promoting high standards of professional conduct, improved corporate disclosures as well as retail investor education. We have also worked with the industry at large on regular stress tests and crisis management exercises.
The current uncertain macroeconomic and market environments underscore the importance of staying vigilant to new or growing risk areas and vulnerabilities.

3. But it is also important not to lose sight of the long-term positives. Our capital markets continue to attract a diverse range of players and activities. Besides SGX, international exchange groups such as the InterContinental Exchange (ICE) and EUREX have or will establish exchanges and clearing houses in Singapore. These will add to the vibrancy of our exchange landscape in parallel with the continued growth in our asset management industry. The last asset management survey, done for 2014, showed robust growth in total assets under management, with assets under management increasing by 30% to S$2.4 trillion. There is clearly a role for our capital markets to help match savers and users of capital and in the management of financial risks.

4. The SGX Equities Dialogue this afternoon is a good occasion for sharing, discussion and reflection on developments affecting our securities market. Allow me to use this address to share some thoughts on our market regulatory structure, and MAS' roles in market surveillance and enforcement; and I will conclude by sharing some shorter remarks on new trends and on skills development.

A sound regulatory system

5. As an international centre, Singapore's financial market is influenced by many external factors. The growth of our financial sector in part has been driven by our ability to attract international investors, traders and financial intermediaries to participate in our financial markets, and for foreign corporates to tap our markets for their funding and hedging needs. Clearly, Singapore does not and cannot operate in isolation from the rest of the world; indeed, we have become an important node in the global financial system.

6. Singapore's attraction and standing as an international financial centre must be underpinned by investor confidence in a stable business environment, with clear rule of law and a sound regulatory framework. Only when there is confidence and stability in the system would corporates, financial institutions and individuals tap our financial centre to invest, to raise capital and to manage risks.

7. As our markets develop, we must continue to safeguard this reputation of integrity, trust and resilience. Because many global financial institutions operate here, we have to also measure ourselves against international standards and expectations by incorporating international rules and best practices where appropriate. In the securities markets, the MAS has an active role in international standard-setting bodies such as the International Organisation of Securities Commissions (IOSCO); as an example, we co-chair a CPMI-IOSCO Working Group on strengthening the cyber resilience of financial market infrastructures, including dealing with cyber-threats.

8. As exchanges in Singapore are key financial market infrastructure with global participation, they are regulated to meet international standards. Many of these standards are implemented through the exchanges' own business rules to ensure fair and orderly trading.

9. This brings me to the subject of SGX as a self-regulatory organisation or SRO. Singapore's capital markets operate under a dual-level regulatory framework. The MAS is the statutory regulator, and we have the broad mandate of overseeing the proper functioning of financial markets, including exchanges like the Singapore Exchange (SGX) and newer entrants such as ICE Futures Singapore (ICE Futures) and EUREX.
The MAS, as you all know, is an integrated financial supervisor and our Capital Markets Group performs the equivalent regulatory functions to other standalone securities regulators, including the SEC in the US, the SFC in Hong Kong or ASIC in Australia; our regulatory powers encompass policy making, supervision and enforcement.

10. The exchanges, with their frontline interface with industry players, traders and investors, perform complementary and important roles in ensuring fair, orderly and transparent markets. The exchanges are accountable to MAS on how they exercise these regulatory responsibilities.

11. Questions have been raised, and quite understandably so, on whether a listed for-profit exchange can discharge its role as a regulator.

12. In Singapore, this issue has been reviewed periodically since the demutualisation and merger of the Stock Exchange of Singapore (SES) and Singapore International Monetary Exchange (SIMEX) in 1999, to form SGX. It is important to be mindful of what the SRO function entails.

13. Let me elaborate. The SRO function goes beyond listings, which has been the main area of focus. This is partly because the listings function is the more visible part of the SRO to investors and listed companies. But in fact, the SRO function is much broader. Besides functioning as a listing authority, the SGX's SRO role also encompasses a market surveillance function to uphold the integrity of the market, and a member supervision function to ensure participants' adherence to trading and clearing rules.

14. So removing the SRO function from the SGX - as some have suggested - could mean that the exchange will not need to undertake market surveillance; nor to regulate members for compliance with rules of the exchange. Others have suggested removing only the listing authority function from SGX.
But the flip side is that this risks losing the synergy of its regulatory function with its other roles pertaining to the development of a viable and credible marketplace; and creates ambiguity as to who oversees the proper conduct of listed companies - the separate listing authority or the exchange.

15. It is worth noting that SGX's SRO function is neither a new invention nor "uniquely Singapore". Exchange self-regulation has a long history in financial markets and in many established markets. Most, if not all, exchanges globally perform a varying range of SRO functions. Global exchanges - like the New York Stock Exchange (NYSE), NASDAQ, ICE and Chicago Mercantile Exchange (CME) in the US, the London Stock Exchange (LSE) in the UK, and Hong Kong Exchange (HKEx), Australian Securities Exchange (ASX) Group and the Japan Exchange (JPX) Group in Asia - are also SROs. This brings me to my next point.

16. There is no single "correct" model for the SRO. Neither is a particular model cast in stone and unchangeable. The division of regulatory responsibilities between the statutory regulator and the exchange's SRO function - or some other regulatory model - has to reflect and adapt to each jurisdiction's circumstances, market environment and other idiosyncrasies. To illustrate this diversity: In the US, the SEC has primary responsibility for reviewing IPO filings made by companies. Member supervision is undertaken by the Financial Industry Regulatory Authority (FINRA), a separate industry SRO which supervises all securities broker-dealers. US exchanges are responsible for market surveillance, although some have outsourced the duties to FINRA. In the UK, the LSE performs market surveillance and member supervision, while listings are approved by its statutory regulator, i.e. the Financial Conduct Authority.
In Asia, HKEx, JPX Group and ASX Group perform all SRO functions in the areas of listings, member supervision and market surveillance, much like in Singapore. There may also be additional structures and processes in place to supplement the SRO functions. For example, HKEx has an independent Listing Committee that makes all formal decisions on listing applications.

17. The varied practices across the globe suggest the viability of different SRO models with their attendant benefits and limitations that may be appropriate to one jurisdiction while not necessarily to others. But what is common is that the notion of exchanges as frontline regulators has not been radically changed nor dismantled.

18. In Singapore's context, when we review the role of the MAS vis-à-vis an SRO, a key consideration is who is better placed to make that assessment of risk-return tradeoffs in the strategy to support a sustained thriving marketplace. A stringent set of entry or policing criteria can limit growth and development; a loose set of criteria can undermine the long-term confidence of market participants including investors and companies. On either end, the exchange's own shareholders and other stakeholders including the investing public will be worse off. In addition, we have to consider who is in a more nimble position to manage the different types of risks posed by market participants on the exchange itself, including early detection and preliminary investigations.

19. I should emphasise that these do not mean that concerns over potential conflict of interest, especially with respect to the listing function, are unfounded. Hence the MAS regularly reviews the extent to which the SRO functions - listings, member supervision and surveillance - should reside with the exchange.
The answer is not necessarily a binary "yes" or "no" outcome each time but involves a review of whether there are sufficient safeguards and conflict-mitigants incorporated into the exchange's governance and organisation structure, including its reward and recognition system in relation to the SRO function.

20. I will highlight our recent review in the three areas of listing, member supervision and market surveillance. Much work has been done to enhance the exchange's role around listings. We believe that SGX - as the only securities exchange in Singapore - remains an appropriate listing authority. SGX has raised its admission criteria, and enhanced the governance process by setting up three new independent listings committees to complement SGX's listing and disciplinary processes. The committees comprise a diverse mix of reputable, independent and experienced individuals to represent both investor and public interest. We believe these are positive developments and we should allow these committees to carry out their respective oversight functions.

21. However, we have also determined that there is scope to recalibrate the responsibilities of the exchange vis-à-vis the MAS in the areas of member supervision and market surveillance. The impetus for such a recalibration is not because we think that there is material or potential conflict-of-interest risk. Rather, as Singapore's financial landscape features more than one exchange, it is not efficient to have each exchange carry out similar supervisory roles over common members.

Member supervision

22. Therefore, with respect to member supervision, MAS will redefine the scope of regulatory responsibilities between MAS and exchanges so that overlaps faced by intermediaries who are members of different exchanges, and at the same time regulated by MAS, are minimised.
To elaborate, exchanges typically supervise intermediaries to ensure that they comply with the exchange rules, uphold high standards of market integrity and are financially sound. MAS, on the other hand, supervises intermediaries for compliance with MAS' statutory licensing requirements pertaining to systemic and conduct risks.

23. In practice, exchange rules can and do overlap with the statutory requirements under the Securities and Futures Act. The regular dialogue and co-ordination between MAS and SGX have allowed us to manage inspection visits in a way that reduces the burden on intermediaries who are both licensed by MAS and members of SGX.

24. However, this will become more challenging when more than one exchange operates in Singapore. For example, an intermediary that is licensed by MAS can also be a member of both SGX and ICE Futures; it should not have to undergo three separate inspections a year, especially if a number of areas are duplicative.

25. In the US, which has many more exchanges, they have either set up a separate industry SRO to undertake member supervision, in the case of the securities market, or relied on an exchange to play a "lead SRO" role, in the futures market.

26. As a statutory regulator, MAS will remain primarily responsible for the supervision of intermediaries who are our licensees in the areas of capital and reserves, business conduct, anti-money laundering & counter terrorist financing (AML/CFT) and operational resilience. These are areas which have been stipulated in our regulations and notices, and are statutory obligations to be complied with. Starting from this year, MAS will no longer require exchanges to inspect their members in these areas as long as the entities are licensed by MAS. In other words, MAS will effectively be the "lead regulator" in these areas.

27. The need to form a separate SRO at this juncture for the purpose of member supervision is, in our view, not compelling. It is unlikely to be an efficient model given the size of our market. In fact, it may require greater coordination since there will be more parties involved, namely MAS, the exchanges and yet another SRO.

28. The exchanges will remain responsible for areas affecting their respective market operations, such as those relating to the priority of orders on a trading floor or risk management rules on margin requirements. In other words, these are business rules which members have to comply with, and may differ from exchange to exchange. Exchanges will need to supervise their members for compliance, in accordance with the risks these members pose to the markets or clearing houses, and undertake disciplinary proceedings for members who breach their rules.

29. Clearly, we cannot avoid all overlaps and even some differences between MAS' regulations and exchanges' rules in certain areas, such as those relating to financial resources and business conduct requirements. This is in a way inevitable as MAS' regulations have to cover all capital markets intermediaries regardless of whether they are members of exchanges or not. Exchanges, depending on the type of products that they offer, may need to impose differentiated requirements on different members depending on the assessment of product risks and creditworthiness of their members, which may or may not be regulated by MAS. Protocols on information sharing between MAS and exchanges' SRO units will hence be mapped out.

30. At a broader level, we believe this change will lead to greater supervisory efficiency and better system-wide risk management.
While exchanges will retain their regulatory responsibilities in terms of member supervision, their resources can be concentrated on the supervision of members with significant risk exposures on their respective exchanges. This can include members which are not under MAS' oversight, such as those based overseas.

Market surveillance

31. The MAS on our part will be enhancing our surveillance capabilities both within and across markets. The presence of multiple exchanges, each focused on its own markets, can give rise to blind spots as each exchange may not have the complete picture of common members' exposure and activities. There are also certain markets, such as in the OTC derivatives space, that are not under the direct surveillance of exchanges.

32. Hence MAS, as the statutory regulator, will be in a better position to aggregate and review different pools of information on the activities across exchanges and market sectors to anticipate possible risk and to investigate potential misconduct and market abuses.

33. Advancement in technology, particularly in the field of data analytics, has brought about enhanced surveillance techniques. In terms of capacity building, the MAS will enhance our analytics and thematic studies of big datasets to detect hitherto complex patterns of potential market misconduct and abuses.

34. What all these mean is that in each market, both the exchange and MAS will be looking out for potential risks, albeit based on different parameters. This will increase the robustness of the overall oversight of market activities.

Robust enforcement and market discipline

35. These enhancements to our surveillance efforts will complement, in a significant way, our enforcement actions against market misconduct.
The objective is on early detection as well as to support more expedient investigations and tough enforcement actions. This will also augment our toolkit to combat misdemeanors such as market manipulation and insider trading.

36. MAS has and will spare no effort to investigate any serious market misconduct and to take appropriate enforcement action. This is not always an easy task because investigations into market misconduct often involve complex and large-scale relationships, which will necessitate considerable investigation resources. Market misconduct is often perpetrated by multiple parties, some of whom may be outside our jurisdiction. Such cross-border investigations present additional challenges, as crucial evidence may be situated beyond the jurisdictional reach of enforcement agencies and require coordination by multiple agencies globally.

37. I am pleased to note that the joint investigations arrangement between MAS and the Commercial Affairs Department (CAD), which commenced last year for all potential market misconduct offences, has facilitated greater efficiency in the enforcement process and enabled both agencies to pursue more effective enforcement outcomes. There have been queries on the status of the investigations by MAS and CAD in the penny stocks debacle; it is still premature for me to comment, but I just want to note that this is a complex exercise that is ongoing and involves reviewing vast amounts of trade data from more than 500 trading accounts (both local and overseas), requiring our investigators to obtain and comb through more than 20,000 communication messages, many witnesses and other pieces of potential evidence. Investigations are at an advanced stage and charges are likely to be filed against the responsible parties in the course of this year.

38. Notwithstanding the complexity of current or future investigations, our enforcement agencies will be relentless in our pursuit of persons who break our securities laws. We will also seek criminal actions or higher civil penalties in appropriate cases to send the right deterrent message. I encourage you to read our Capital Markets Enforcement monograph which outlines our philosophy and approach to enforcement.

39. However, it is neither realistic nor desirable for regulators to police every single trade in our financial markets, which would require inordinate resources. Instead, the surveillance and enforcement functions of the MAS should be complemented by a culture of market discipline through greater transparency. This will allow market participants including investors and analysts to query, and to exercise their interests as stakeholders. As former Federal Reserve Chairman Alan Greenspan once said, "Transparency challenges market participants not only to provide information, but also to place that information in a context that makes it more meaningful".

A dynamic and evolving market

40. I will now move on to some broader development areas. Financial markets will evolve, in part driven by technology and as a response to regulatory requirements. Just as technology improved the operational efficiency of stock exchanges in the 1990s, from an open-outcry pit system to real-time electronic trading screens, technology will continue to transform and improve how exchanges and other financial market infrastructures work.

41. The trend of financial markets "electronification" is inevitable as more financial products are standardised and traded electronically. We are likely to see more algorithmic trading which does not require human intervention in trading decisions.
As the cost of setting up trading platforms declines, trading venues including exchanges, electronic crossing networks and multilateral trading facilities will proliferate and compete for liquidity.

42. We have seen significant investments in technology to reduce latency and design in ever-smarter algorithms to trade more efficiently. Whether such innovations have led to more efficient markets for end-users to invest and to manage their risks is still subject to some debate. Regulators worldwide have also been keeping abreast of innovative developments to understand newer forms of risks and market linkages, as well as to embrace the opportunities that these may bring. I will highlight a few examples that will be relevant to the world of exchanges.

43. I think we can expect innovations in distributed ledger technology that will be applied to the "plumbing" of financial markets, areas which we hitherto tend to take for granted. A distributed system should in theory improve resilience as it theoretically removes the risk of a single point of failure. If the clearing and settlement of equity trades can be reduced from the existing standard of 2-3 days to as little as 10 minutes, this will further reduce settlement risk. Some have said that the near instant settlement of transactions can transform the financial system and free up billions of dollars' worth of collateral that is locked up during the trade settlement period.

44. Technology can also lead to "commoditisation" of certain financial intermediation functions. Just 15 years ago, the cost of brokerage for retail investors was as much as 1%. But now our retail investors are able to access global markets at significantly lower brokerage costs. There will be no let-up on cost pressure.
We used to hear about brokerages such as E-Trade offering stock trading at a $9.99 flat commission; now we have the likes of Robinhood in the U.S. offering retail trading for free.

45. The advent of "robo advisers" also suggests that investors can access automated investment advice on their Smartphones, without the need for human interface. Some commentators believe that computer algorithms can essentially provide customised advice to investors at a fraction of the cost compared to human financial advisers.

46. The interplay of new technology, different platforms and new players inevitably suggests faster and cheaper options ahead. These can impinge on the existing job roles in our financial marketplace. Technology-driven applications may very well become alternatives to the traditional stockbroking service offering. If a consumer is already getting regular and instant updates on the markets using his Smartphone, it is only natural for him to expect higher service levels from his stockbroker beyond ad-hoc market updates and pure execution. If consumers are already comfortable with making and receiving payments instantly via internet banking, there will be calls to shorten, if not eliminate, the 2 to 3 days taken to settle and deliver their stock. So the business model of CDP as a central securities depository may need to be reviewed in future.

Upskilling the stockbroking industry

47. This leads me to the subject of skills upgrading. The Government launched the SkillsFuture initiative last year, to allow all Singaporeans to acquire a mastery of skills and to be better prepared for future jobs. This can be helpful to financial market professionals such as our trading representatives, for example.

48. The Institute of Banking and Finance (IBF) has worked with SGX to conduct a survey polling some 1,200 trading representatives last year for their feedback on their training needs and professional development. IBF has also organised extensive consultations with multiple stakeholders such as the Securities Association of Singapore (SAS) and the Society of Remisiers of Singapore (SRS), as well as arranged focus group discussions with individual remisiers and dealers.

49. As a follow-up to these consultations, IBF will be introducing a new set of competency standards to help trading representatives acquire competencies to service their clients better. IBF will also be working closely with the SGX Academy, SRS as well as the larger broking firms to have in place a wide offering of training programmes to be made available to trading representatives.

50. MAS will continue to support the various training initiatives. All learning and development programmes formally recognised by IBF will receive at least 50% funding subsidy from the Financial Sector Development Fund (FSDF). In addition, trading representatives who are prepared to undergo the IBF Standards certification programme will receive 70% funding subsidy. You might be aware that the SkillsFuture Credit has already been rolled out early this month. Trading representatives can use the $500 Credit for eligible training programmes. I encourage all trading representatives to make use of these schemes to upskill themselves.

51. MAS has also looked into some feedback from the industry that certain business conduct rules pose operational challenges to trading representatives who provide advice to customers on their trades.
Currently, trading representatives are subject to the same requirements as those imposed on financial advisory representatives, and are required to take into consideration the customer's investment objectives, financial situation and particular needs to ensure suitability of the products recommended, which can take time to do. Yet we recognise the time-sensitive nature of execution services for listed non-complex products such as SGX-listed shares. MAS will therefore look to exempt trading representatives from requirements that apply to financial advisory representatives by the middle of this year. This change will make it easier for trading representatives to provide investment advice on simple products.

Conclusion

52. Finally, let me conclude here and thank you all for your patience and attention. May I wish everyone a very energetic and prosperous year of the Monkey.

Banks and the German economy - will they continue to work hand in hand?

Speech by Dr Andreas Dombret, Member of the Executive Board of the Deutsche Bundesbank, at the 4th Regensburger Wirtschaftsgespräch, Industrie- und Handelskammer (IHK) Regensburg, Regensburg.

1. Introductory remarks

Mr Witzany, President Olschok, Ladies and gentlemen,

I am delighted to be here in Regensburg to speak to you today. Over the next hour, I would like to discuss with you whether banks and savings banks and enterprises will be able to continue working hand in hand in future to tackle the challenges of business life. I have learned that the forum provided by your first Wirtschaftsgespräch already discussed to what extent the sometimes complex rules of the Basel III framework might affect the supply of credit to small and medium-sized enterprises (SMEs) in particular. I would now like to revisit that debate and continue it in my speech.

2. Banks and enterprises: for or against each other?

Mark Twain once said, "A banker is a fellow who lends you his umbrella when the sun is shining, but wants it back the minute it begins to rain." I probably don't have to point out that bankers aren't, of course, like that - well, at least most of them aren't. On the contrary, banks often play a very important role for enterprises and for the economy as a whole. They act as mediators between those who invest capital and those who need it. They finance investments, they take on and manage risks, they settle payments and they play a supporting role for enterprises in IPOs. That means that businesses need banks, but that banks also need businesses.

As at the end of last year, German banks and savings banks had lent a total of far over €900 billion to domestic enterprises alone - that corresponds to just under 12% of their consolidated balance sheet total. Their lending business, in particular with corporate clients, is therefore a key pillar of our domestic credit institutions' business activity.

I am certainly not exaggerating when I say that this kind of cooperation between banks and savings banks and enterprises works well in Germany in the vast majority of cases. The traditional concept of the "house bank", or relationship banking, has major importance in particular for the German Mittelstand. Many enterprises work together with just a single credit institution, and, in a lot of cases, have done so for many years.

Nevertheless, the recent financial crisis has not left the relationship between credit institutions and enterprises unaffected. The banks' standing was severely damaged, a lot of trust was forfeited, and quips like that by Mark Twain started making the rounds again.
The loss of trust went so far that some enterprises made enquiries at the Bundesbank during the crisis about whether they could open an account with us, because they said that they no longer had any confidence in the commercial banks. At the same time, massive government financial rescue packages were being put together - without them it is likely that there would have been a complete collapse of the financial system with even more serious consequences for the real economy.

3. Banking regulation: we'll soon be there

The financial crisis and the ensuing global financial crisis have made it abundantly clear to us how closely interlinked the financial system and the real economy are. We have learned that institutions can be so large that they can't really be removed from the market - this is known in the debate as the "too big to fail" problem. We are also aware that credit institutions' bonus systems can get out of hand and generate destabilising effects if they are geared excessively to short-term profits and ignore long-term risks. And we now know that the banks' high degree of interconnectedness and phenomena such as herding behaviour can indeed give rise to risks for the financial system, even though each individual bank is stable when viewed in isolation.

Comprehensive reforms were and are therefore still necessary in order to create a secure financial system that reliably fulfils its actual purpose for the real economy. And that is why we have seen many new regulatory initiatives over the past few years. Today, seven and a half years after the collapse of Lehman Brothers - which for many was the beginning of the financial crisis - we are significantly closer to our goal than ever before.

In response to the financial crisis, the G20 countries have worked on improving the resilience of the individual banks.
Strengthening the individual banks as the smallest component part of the financial system strengthens the system itself. With this goal in mind, in 2010 the Basel Committee on Banking Supervision adopted a regulatory framework, called Basel III for short. The first step set out in this framework was to overhaul the capital requirements in place for credit institutions. Equity capital is key to the stability of the banks as it constitutes their main buffer for absorbing losses. Under the new rules, banks have to satisfy higher capital requirements in terms of both quantity and quality.

Since last year, these institutions have been required to hold CET1 capital equal to 4.5% of their risk-weighted assets. This was followed on 1 January by an additional 0.625% for the capital conservation buffer, which is set to rise to a total of 2.5% by 2019. From 2019, when it is possible for all instruments to be deployed in full, banks and savings banks will have to hold CET1 capital equal to at least 7% of risk-weighted assets. This is a significant increase compared with the 2% minimum ratio that applied until the end of 2013. What is more, the other new capital instruments, which include the countercyclical capital buffer and the additional buffers for the most significant institutions, also need to be backed by CET1 capital.

The new rules will help make the banking system more stable as a whole. At the same time, however, it goes without saying that the new rules also place a cost burden on the banks. This is by no means unintentional in the case of buffers for the most significant institutions: as their systemic importance puts them at an advantage in terms of funding costs, this burden levels the playing field at least in part. However, some observers fear that this is also detrimental to the real economy.
They argue that the new rules are making it more expensive for banks to lend and are therefore concerned that the institutions will be forced to reduce their lending activities in the future.

The Basel Committee was well aware of the impact that the new rules would have. It was for this reason that the Committee also established transitional periods with the aim of rendering it easier for banks and savings banks to make the necessary adjustments. These apply to both the qualitative and the quantitative aspects of the new capital requirements. For example, the capital instruments that are no longer eligible for inclusion in CET1 capital will not be excluded in one fell swoop; instead, they will be phased out over a period of several years. Furthermore, increasing requirements regarding the level of capital to be held will be introduced only gradually.

But the Basel Committee has also come in for criticism in response to these transitional periods - in the eyes of some government representatives and market observers, they appeared to constitute too great a concession to the banks. Personally, however, I believe that the Committee has served the interests of the real economy, in particular, without having to compromise in its efforts to increase the resilience of the banking system.

Of course, the development of Basel III has been and will continue to be accompanied by impact studies that assess the effects of the new rules on financial institutions and the real economy. These studies have thus far come to the conclusion that the short-term economic impact is rather low and are therefore consistent with numerous earlier findings that were able to demonstrate, for instance, that credit institutions' borrowing costs would only rise marginally if additional capital requirements were imposed.
According to these findings, increasing capital requirements by 100 basis points would, on average, cause institutions' overall capital costs to rise by less than ten basis points.

Turning our attention to the future, tighter regulation actually promotes prosperity because it lessens the likelihood of financial crises. This is a very important point! When talking about the implications of regulation, we cannot focus solely on the short-term costs that the banks are facing - we must also pay attention to the long-term benefits. Just think of the many billions of euros of public money that had to be spent in Germany alone over recent years to stabilise the banks. In some countries, taking this measure has even plunged governments themselves into significant financial difficulties. Viewed from this perspective, I think the price we are paying for stricter regulation is entirely appropriate.

Of course, the impact that reforms have on the real economy must, nevertheless, always be taken into account. Our objective, not just within the Basel Committee, is to make banks safer and thus minimise the likelihood of financial crises. At the same time, we want to ensure two things in the event of an institution running into trouble: that the taxpayer will not immediately be called upon once again to foot the bill for failings on the part of the bank's management, and that the institution can be resolved without causing any major disruptions.

Aside from this, the regulation seeks to accommodate those enterprises that rely on bank loans. Take, for instance, the Basel framework's "SME package", which was introduced under Basel II and updated under Basel III.
As part of this package, the capital that has to be held against loans to small and medium-sized enterprises is cut by as much as half depending on probability of default and collateral. As a result, capital costs for loans to small and medium-sized enterprises are significantly cheaper than those for loans to larger enterprises. It will come as no surprise to you that it was the Bundesbank that campaigned so hard for this SME-friendly regulation. Notably, the Basel framework's SME package creates significant incentives for lending to small and medium-sized enterprises. Thanks to this regulation, I believe that we have been able to sensibly exert a positive influence on the relationship between banks and enterprises.

4. Regulation calls for a sense of proportion

If we are to discuss the impact of banking regulation on small and medium-sized enterprises, I believe we must also consider the regulatory implications for small and medium-sized banks and savings banks. The global regulatory reform of the banking sector in the past few years was intended to tighten the regulation of internationally active credit institutions whilst also creating a fair and level playing field worldwide. As a result, however, almost all regulatory measures are essentially aimed at internationally active large banks. This makes absolute sense in the context of the crisis. But here and there, there is a feeling that in applying the rules we may have thrown the baby out with the bathwater; in other words, we have made the rules so complex that they are overwhelming small and medium-sized institutions. As a result, the debate about the proportionality of regulation is heating up.

Of course, tighter regulation means a considerable workload for banks and savings banks, as well as for supervisors.
But it is also very important to weigh this against the cost to society of financial crises. Size is only one of several important criteria that determine whether an institution is "systemically important". Other major factors are substitutability, interconnectedness and exposure to similar risks, which is why we cannot simply apply a less complex set of rules to small banks than to their large competitors. Instead, these institutions must be regulated in relation to the risk they pose.

At this point, I feel it is very important to emphasise that the current regulatory and supervisory frameworks are already largely proportionate. For example, at present, risk-weighted capital requirements are calculated differently under standardised approaches and internal ratings-based approaches. Furthermore, a portfolio has been introduced to help determine regulatory capital requirements in retail banking. And last but not least, small and medium-sized institutions are benefiting from greater regulatory leeway for business with corporate customers from the SME sector, which are an important client group for these banks.

So as you can see, the implications of the sometimes complex new rules of the Basel III framework affect credit institutions and enterprises in similar ways. Small and medium-sized market participants, in particular - both in the financial sector and in the real economy - are concerned about the new regulation. However, I think many of their worries are unfounded. The Basel framework creates active incentives to lend to SMEs, which play an important role in employment and economic activity - especially in Germany. In addition, the new rules will provide relief for credit institutions that are less significant in terms of their impact on financial stability.
In my opinion, Basel III will bring us a balanced framework that lays the foundations for sustainable economic growth.

5. Capital markets union will broaden the funding base

As I mentioned earlier, the cooperation between banks and enterprises is hugely important for both parties. Whilst banks provide financing to enterprises, they are themselves dependent on enterprises to generate their income. I am firmly convinced that this symbiotic relationship in Germany functions well. But the financial crisis also showed that this symbiosis can very quickly evolve into a destructive relationship, specifically when individual banks conduct business of rather limited use to the real economy, the repercussions of which cause everyone to suffer in the end. Enterprises suffer when a crisis in the financial system snowballs into an economic crisis. Taxpayers suffer when the state has to rescue ailing banks. And banks suffer when their reputations are ruined in the wake of a crisis and both enterprises and the general public lose their trust in them. Against this backdrop, it is crucial that banks remember their true role: to finance the real economy.

So how might the future relationship between banks and enterprises look? You may be familiar with the concept of the "capital markets union", which is currently the subject of much debate and which aims to bring about deeper integration of Europe's financial markets - and not just the debt markets, but also the equity capital markets. I am assuming that this will also trigger further changes to the structure of the European financial system. But we mustn't overlook the fact that much has already changed in recent years.
In 1999, bank loans still made up 22% of German enterprises' liabilities; in the third quarter of 2015, this figure fell to just over 14% - and this was despite the healthy economic situation in Germany. Following their experiences in the financial crisis, when a number of banks drastically reduced their credit supply, enterprises have started seeking alternatives to the traditional bank loan and, where possible, have increasingly turned to the capital market. The scale of capital market financing nonetheless remains low in Germany, especially when compared to the United States or the United Kingdom.

All the same, I am confident that the cooperation between banks and enterprises will still be of great importance going forward. For SMEs, in particular, the relationship with their principal bank continues to play a vital role - not least because trust is built on past experience. A principal bank thus has an information advantage over another investor, which is highly likely to benefit enterprises.

But besides market-based funding, other lenders such as insurers, other financial intermediaries or trade credits from other enterprises are also increasingly taking the place of traditional bank loans. The use of own funds has also risen, primarily among SMEs. In short, the funding options for German enterprises are becoming more varied.

At this point, one might worry that this development will have a negative impact on banks' earnings, but I would like to put something into perspective here. Diversification of funding sources can surely contribute to the stability and efficiency of the financial system - and that ultimately benefits the banks, too. There is still a great deal of potential in this respect in Germany especially, but also in other European countries, compared with the English-speaking world.
For this reason, I take a thoroughly positive view of the increased importance of bonds, securitisations and borrowers' notes, even in the SME sector. It is particularly important, however, to pay attention to the quality of these instruments, especially in such a young market segment. Thus, even SME bonds do not provide a real way out of the funding problems of weak enterprises, but instead are a suitable instrument for larger SMEs with high credit quality.

6. Conclusion

Let me sum up by saying that banks and enterprises are closely interconnected. They play a crucial role in the functioning of our economy, both individually and together. Yet to a great extent, banks and enterprises shape their relationship themselves: banks decide which enterprises to lend to at which conditions, and enterprises return this trust with their demand for loans.

I am therefore firmly convinced that credit institutions and enterprises, working hand in hand, will still be able to overcome the future challenges of business life. Even so, their relationship will certainly experience further change in the coming years and incorporate additional participants, mainly in the capital market. I consider this a positive development, as the next rainstorm is sure to come, and when it does, it will be a good thing that enterprises are able to procure their umbrellas both on the capital market and in the shape of loans.

Challenges for France's economy and financial sector in 2016

Mr François Villeroy de Galhau, Governor of the Bank of France, Paris

Ladies and gentlemen,

Thank you for coming here today to this magnificently restored Golden Gallery.
This is the first time that I am giving this address as Governor of the Banque de France, but it is an auspicious tradition that brings us together. I would like to start by extending my warmest wishes to you, your colleagues and your institutions.

2016 has already been marked by volatility: weak financial markets and commodity prices, from China and the Middle East; political uncertainty in Europe, in Southern Europe, in Eastern Europe, North-Western Europe with the British referendum, and even in Central Europe with the refugee crisis. It is our duty to be vigilant, but we must also, on the one hand, distinguish real information from background noise and real challenges - and there are no shortages of them - from the sensational and sometimes excessive statements at the start of this year; on the other hand, in the face of current volatility, we must stick to our medium-term objectives. This evening I will not discuss the Eurosystem's monetary policy as we are in the "silent period" leading up to the Governing Council meeting this Thursday. Such long-term strategies also apply to the reforms in Europe and in France.

I would like to broaden my personal wishes to three collective wishes: for our country and its economy first; for its smooth financing second; and for financial stability and the soundness of your institutions lastly.

1) Today a confirmed recovery is underway, with growth of over 1% in France in 2015, and 1.5% in the euro area. In 2016, despite the uncertainties, all indicators point to higher growth. France must now transform this modest but real recovery into strong, lasting, job-creating growth. To do this, two conditions must be met in 2016: public reforms must be pursued, and corporate investment must be stepped up.
As regards the reforms, France is currently being penalised by excessive debt levels in its public sector (differential of 25% of GDP vis-à-vis Germany, whereas both countries displayed the same level in 2010) and the deterioration in its trade balance and competitiveness. The fight for growth and against unemployment can only be won over time, with the great virtue of steadfastness.

We must therefore keep up all efforts with regard to containing government expenditure and hold firm on that which is starting to work: the Responsibility and Solidarity Pact and the Tax Credit for encouraging Competitiveness and Jobs (CICE) should enable us to catch up, between 2014 and 2017, one-third of our competitiveness lag with Germany which built up over the first years of the euro (1999-2007). Transforming the CICE into a permanent reduction in social contributions for corporations would be a very welcome development.

But more is required; the unemployed and youth cannot afford to wait. In addition to emergency plans, at least four reforms appear obvious since they have worked for our European neighbours: apprenticeships on a widespread level; simplifications, including in the area of labour law; the development of entrepreneurship; and lastly the decentralisation of social dialogue to the company level, i.e. as close as possible to the economic and human reality.

Corporate investment depends first and foremost on the willingness and the confidence of thousands of entrepreneurs, but it must naturally be promoted by financing - and therefore by you.

2) This brings me to my wish concerning the smooth financing of the economy, against the backdrop of persistently low interest rates.
Monetary policy is proving to be effective: in 18 months, since June 2014 and the announcement of non-standard policies, bank lending rates to business have fallen by around 80 basis points in the euro area, and outstanding bank loans have risen from a negative growth of 2.5% in June 2014 to positive growth of 0.9% in November 2015. According to estimates, including the decisions of 3 December 2014, non-standard policies improve the growth outlook for the euro area by 1% between 2015 and 2017, and that of inflation by 0.5 percentage point in 2016 and 0.3 percentage point in 2017.

Bank lending must therefore remain accessible. In this respect, French banks have achieved good results. Bank lending to business has risen more sharply in France than anywhere else in Europe: up 4.5% in annual terms at end-November 2015, compared with a rise of 1% in Germany, and 0% in Italy. Moreover, interest rates in France are among the lowest in Europe. Interest rates on new bank lending are currently below 2% on average, compared to 5% in 2007.

However, I would like to stress the fact that access to cash loans is more difficult for very small enterprises. Their fragile financial position may be one reason; but there is an ongoing misunderstanding with the banks that the latter must seriously address.

French households' savings must also adjust to the low interest rate environment. This is an opportunity to encourage more "risky" and more long-term investments, both in the interest of investors themselves and of our economy. Today only 31% of French households' financial investments are made up of risky assets, against 45% in the euro area. This requires taking action in two directions.
First, the decrease in interest rates should be gradually passed on to risk-free investment returns - this is why I proposed lowering the rate on the PEL, the French housing savings plan; this is also why we must resolutely continue to lower the returns on life insurance invested in euro funds. Second, new products should be developed: probably less liquid, with or without a capital protection over the long term, and possibly offering the best equity performance over time. A crucial point is to avoid any tax distortions to the detriment of these products compared to liquid and risk-free investments.

It remains all the more essential to fully inform investors about the risks involved when they invest their savings; two examples come to mind today: unit-linked contracts, and managers offering disintermediated financing.

3) My third and last collective wish for 2016 is that of financial stability and sound financial institutions.

Since the financial crisis, the regulatory framework and the supervisory and oversight architecture have been considerably strengthened. This was necessary, I believe no one here doubts it. In the banking sector, this involved implementing Basel III / CRD4-CRR, finalising the TLAC, the new anti-shock weapon, and setting up the European banking union, which now includes two effective mechanisms: the single supervisory mechanism, and - since 1 January - the single resolution mechanism.

Today, French banks are sounder: their core Tier 1 solvency ratio stood on average at 12% in September 2015, against 6% at end-2007. And contrary to the fears that have often been expressed, including by some of you, the current situation shows that these rules have not impacted lending and growth, in particular thanks to the positive effects of monetary policy.

In 2016, the projects still underway should be completed.
In particular, in order to improve the comparability of internal models - and thus improve their credibility - not to substantially increase overall capital requirements. To finalise and stabilise Basel III, not to open a new Basel IV.

The insurance sector has not been left out. The entry into force of the European regulatory reform Solvency 2, also on 1 January, marks a profound break. We all know that "Solva 2" may still be improved; but it is a significant step forward. In this respect, it is important that all institutions continue their efforts to improve governance and enhance the quality of estimates and data submitted to supervisors, in order to ensure an adequate monitoring of risks, in particular those linked to the persistence of very low interest rates.

At the international level, other challenges lie ahead, notably the definition of systemic groups - it must be similar on both sides of the Atlantic, like you I am sensitive to this - harmonised capital requirements and resolution strategies.

However, the soundness of the financial system does not depend solely on prudential regulations. It also depends on the confidence that economic players and the public, households and businesses, have in their financial system. In this respect, the efforts of financial institutions to protect their clients are essential. In 2016, what is needed is a firm implementation of the Eckert law on dormant bank accounts and unclaimed life insurance policies, and greater freedom of choice of loan insurance on real estate loans.

And, of course, more than ever, we need to step up the fight against money laundering and terrorist financing. New measures have already been taken, some are being strengthened. I expect from financial institutions - both insurers and banks - an exemplary participation in this fight.
I know that they fully agree to the principle, but they must now carry it through in their daily management; it is in your interest as compliance risk has become as vital, as strategic, as credit risk.

May your institutions be strong on both fronts; may our country be as involved in the economic battle as in the fight against terrorism, with the contribution of all of us; and may each one of you remain vigilant and active, yet as serene as possible in 2016.

Thank you for your attention.

Innovation and change
Speech by Mr François Villeroy de Galhau, Governor of the Bank of France, at the Annual Exchange Conference "Innovation and change", Paris

Ladies and gentlemen,

It gives me great pleasure to respond to Stephane Boujnah's invitation and take part in this annual conference, the subject of which is key to the French economy today. Our economy, which is at the frontier of technology, must be able to innovate continuously - and thus change - in order to improve its growth prospects. As a result, business investment, which is one of the keys to innovation, must be able to find new financing. This does not mean that traditional financing through bank loans is no longer necessary, far from it. It means that funding must become more diverse in order to meet companies' financing needs, regardless of their size, age or sector. And of course, in this area, Euronext and the entire financial community have a vital role to play.

But before addressing in more detail the financial levers of business investment, I would first like to talk about the economic levers that precede the need for financing.

I. In economic terms, how are France and the euro area currently faring, and how can we move things up a gear?

2016 has already got off to a volatile start: weakness in financial and commodity markets, originating in China and the Middle East; political uncertainty in Europe, in southern Europe, in eastern Europe, in north-western Europe with the British referendum, and even in central Europe with the refugee crisis. It is our duty to be vigilant, but we have two other imperatives: on the one hand, to separate the reality from the hype, the real challenges - and there is no shortage of them - from the sensationalist and sometimes excessive statements made early this year; on the other, to stick to our medium-term objectives in the face of the current volatility.

This evening, I will not speak of monetary policy, since we are in the silent period before the Governing Council meeting on Thursday. But this long-term strategy must apply to economic policy as a whole, including the need for reform.

a) Today a confirmed recovery is underway, with growth of over 1% in France in 2015 and 1.5% in the euro area. In 2016, despite the uncertainties, all indicators point to higher growth. Despite the weakening of large emerging countries, the French and European economies should continue to benefit from an exceptional combination of three trends: (i) the significant drop in oil and commodity prices (-45% and -31% respectively, in dollar terms, between 1 January 2015 and 14 January 2016); (ii) the downward trend in the exchange rate of the euro against the dollar (-10% over the same period); (iii) and very low interest rates (-80 basis points in bank lending rates since June 2014).

The non-standard monetary policy that we have conducted in Europe since June 2014 has done a lot for our economy.
We now have reliable and concurrent estimates of its effectiveness: it has boosted growth prospects in the euro area by about 1% for the period 2015 to 2017, and those of inflation by 0.5 percentage point in 2016 and 0.3 percentage point in 2017. All this is a lot... and in this respect our growth performance remains insufficient, lower than what should be achieved thanks to these exceptional economic stimuli, and lower than the European average.

b) We must now turn our too moderate economic recovery into strong, sustainable and job-creating growth. This shall notably be achieved by boosting business investment. The problem does not lie with the amount of French investment, since the investment rate of non-financial corporations, which stood at 22.9% in 2015, is slightly above its long-term average, i.e. 21.4% since 1980. The problem lies with its quality and productivity, which is insufficient to support growth: a large amount of construction, not enough machinery and equipment nor research and development.

Boosting productive investment is not something that can be decided from above: it depends on the decisions of thousands of entrepreneurs. But all are above all sensitive to three levers. First, growth prospects, since order books, i.e. expected demand or GDP, are the main drivers of investment. To raise medium-term growth in France, structural reforms are essential. Today we know France's handicaps: a highly indebted public sector, declining competitiveness, unwieldy procedures. We also know the solutions: they have worked in other European countries, Sweden in the 1990s, Germany in the 2000s, Spain in the 2010s. The second lever is confidence. Uncertainty is the enemy of investment. To reduce uncertainty, rules should be simplified, stabilised and made more visible. Finally, the third lever is profitability.
This factor has a more direct effect for many SMEs which are sensitive to the volume of their self-financing.

II. However, while firms' investment decisions are mainly influenced by economic levers, financial levers also have an important role to play.

a) Today, companies need more appropriate financing: our challenge concerns equity financing more than debt financing. In order to steer investments increasingly towards innovation, making them de facto more and more risky, financing has to evolve. Innovative investments call for new modes of financing. European companies therefore need loans that are less secured, but also, for business start-ups and growing businesses, more equity capital. Indeed, equity capital has two advantages: it gives the entrepreneur access to long-term funds while also offering investors strong upside potential to reward the risk incurred.

A catching-up economy - like Europe until the 1980s, and many emerging countries today - can finance its growth through debt. An economy at the technological frontier, which carries greater risk, must rely more on equity financing. However, in the euro area, companies' financing structure remains predominantly based on debt rather than equity. By comparison, the net equity of non-financial corporations represents 123% of GDP in the United States, against 52% in the euro area. This transatlantic divide, which is hardly ever mentioned, is even larger than the gap in rates of debt disintermediation: the well-known figure of 20% of capital market financing in Europe compared with 75% in the United States.

b) With regard to debt, France's situation currently appears on the whole satisfactory. Bank financing remains easily accessible.
Indeed, in terms of volume, outstanding bank loans to businesses are rising at a faster pace in France than anywhere else in Europe, posting growth of 4.5% year-on-year at end-November 2015, compared with +2.1% in the United Kingdom, +1.0% in Germany, 0.0% in Italy and an average of +0.9% for the euro area. Interest rates in France are also among the lowest in Europe: the average nominal rate on new bank loans is currently less than 2% compared with 5% in 2007. Lastly, SMEs generally have little difficulty obtaining investment loans: according to the Banque de France's survey, in the third quarter of 2015, 92% of loan applications were accepted (i.e. at least 75% of the amount requested was granted), although there is still room for improvement in the case of VSEs.

At the same time, bond financing is increasing. The trend towards the diversification of debt financing appears to be more marked in France than in neighbouring European countries, with companies increasingly turning to capital markets to meet their funding needs. The disintermediation rate, that is the share of bond financing in overall corporate debt, has risen from 24.2% in 2008 to 38.6% in 2015, compared with respective rates of 14.1% and 13.5% for Germany and Italy. Nonetheless, in France, market financing is mainly the preserve of large corporations, accounting for some 70% of their total financial debt, compared with 25% for mid-caps and less than 5% for SMEs. Yet forcing them to switch to disintermediated financing would make little sense: this diversification of funding has to remain optional, driven by demand from companies themselves, rather than being imposed according to a set timetable and pre-defined objectives.

c) The priority of increasing equity funding can be achieved via several channels.
With regard to "internal" equity, that is self-financing, the outlook is improving. For SMEs in particular, self-financing is crucial as it is still the method of choice for financing investment, even when companies have access to debt. The decline in French corporate profit margins since 2008 is a source of concern in this respect. However, the issue has been clearly identified and steps have been taken to tackle it, with the Tax Credit for Competitiveness and Employment or CICE, and the Responsibility and Solidarity Pact. These reforms are expected to boost the average corporate profit share from 29.5% in 2014 to over 32% in 2017.

In terms of "external" equity, of course, here at Euronext you're at the heart of the action. As the leading pan-European stock exchange, you have a central role to play in enabling firms to access capital market financing, in the form of debt, of course, but above all in the form of equity. In this respect, I'd like to acknowledge Euronext's efforts - under the supervision of the AMF with which the Banque de France has an excellent working relationship - to draw investors back to the bourse, and to encourage firms of all sizes and all sectors to tap capital markets. In the first three quarters of 2015, Euronext helped 38 companies carry out an initial public offering, raising a total of EUR 82.9 billion of equity and debt capital in both primary and secondary markets. Its subsidiary EnterNext, which is dedicated to the financing and promotion of small and mid-caps, in turn enabled 26 companies to carry out IPOs, raising EUR 6 billion over the period.

You are thus helping to bring about two important reconciliations: between the worlds of business and finance, and between France and its appetite for risk. What's more you are achieving this with a European dimension.
I can't stress this enough: having a strong position in market infrastructure is vital for the French economy.

I would like to look beyond Euronext now, and focus on two more general avenues for promoting equity financing.

First, the French public needs to adapt its savings behaviour to the current low interest rate environment. This is a chance to encourage a "riskier" and more long-term approach to investment, in the interest both of savers and our economy. Today, only 31% of households' financial investments are made up of risky assets, compared with 45% in the euro area. This means taking action in two areas: first, the decrease in interest rates should be gradually passed on to risk-free investment returns - which is why I proposed lowering the rate on the PEL, the French housing savings plan, and why we must continue to lower the returns on life insurance savings invested in euro funds; second, we need to develop new products: less liquid, and with or without a long-term capital guarantee, and which allow savers to benefit from the higher returns offered by equities over the long term. A crucial point is to avoid any tax distortions that might mean these products are penalised more than liquid and risk-free investments. This level playing field in terms of taxation should also apply to the companies that are financed: in other words we need to avoid making debt financing more attractive than equity financing - and we know we have a long way to go on this.

The second avenue for fostering equity financing is to boost cross-border capital flows within the euro area.
One of the great paradoxes of the single currency bloc is that investment is too low while savings are generally in plentiful supply: the region has a high current account surplus, of more than EUR 300 billion per year, or over 3% of GDP for the 12 months up to end-September 2015. The problem is that these savings cannot circulate freely between member states due to financial fragmentation. This situation has serious consequences. It generates a growth lag, as excess savings in core countries are unable to satisfy the demand for investment in the periphery. It also makes the euro area more fragile, as national shocks cannot be smoothed by fiscal transfers - due to the lack of a fiscal union - or by stable, long-term private sector capital flows. By way of comparison, in the United States, 39% of shocks are absorbed by capital flows between federal states and only 13% by government transfers. These are flows of equity, not of credit: the former are much more effective at absorbing shocks as they are a genuine means of cross-border risk sharing.

A large part of the solution lies at European level, with the European Commission's plan for a Capital Markets Union (CMU). However, the goals and ambition of this project need to be more clearly defined if it is to be a success. I prefer to talk instead about a Financing and Investment Union, for two reasons: first, because capital markets are merely a tool - the main objective is the sound financing of investment; second, because our channels of funding need to remain diverse - capital markets must coexist alongside bank lending, as well as private equity funding from insurers and asset managers. This Financing and Investment Union should be a consolidation and synthesis of the CMU, the Banking Union and the Juncker Plan.
It would allow us to foster even greater cross-border capital flows, and share the burden of risk through innovative mechanisms, such as European venture capital schemes.

Let me conclude with a more general remark. It's tempting sometimes to be fatalistic: to say our growth depends on China, and that innovation can only come from the United States. Admittedly, the international environment does play an important role; but our economic destiny depends primarily on us, on our ability to innovate and to reform. Financing is merely a part of our current transformation, one that lends support to the economy and to our businesses. But it is a vital part of that transformation, and I am pleased that this conference is giving it the consideration it deserves.

Thank you for your attention.

Hearing at the Committee on Economic and Monetary Affairs of the European Parliament
Introductory statement by Mr Mario Draghi, President of the European Central Bank, before the Hearing at the Committee on Economic and Monetary Affairs of the European Parliament, Brussels

Mr Chairman, Honourable Members of the Economic and Monetary Affairs Committee, Ladies and Gentlemen,

The first weeks of this year have shown that the euro area and the Union at large face significant challenges. A strong effort by all policy makers will be needed in the months ahead to overcome them. I am therefore grateful to be back before your committee to discuss these challenges and how the ECB can contribute to tackling them.

In my remarks today, I will address in turn the global economic context, recent financial developments and the state of the euro area recovery. I will conclude by briefly presenting our most recent decision to disclose the Agreement on Net Financial Assets - or ANFA - as I know this topic is of concern to some of you.
The state of the global economy

Let me start with the state of the global economy. In recent weeks, we have witnessed increasing concerns about the prospects for the global economy. Activity and trade data have been weaker than expected, turbulence in financial markets has intensified and commodity prices have declined further. Slowing growth in emerging market economies is a focal point for this uncertainty.

In the early years of this century, many emerging economies expanded at a rapid pace. They benefited from increasing integration with the global economy and the tailwinds of buoyant financial markets. As these factors diminish, many countries have to adjust to a new reality. In several economies the slowdown has revealed and exacerbated structural problems which are increasingly restraining growth. A continuation of the rebalancing process is needed to secure sustainable growth over the medium term. This could imply some headwinds in the short term, which will require close monitoring of the related risks.

One consequence of this adjustment is the divergence of economic cycles. While the recovery in advanced economies is gradually proceeding, the growth momentum in emerging market economies has weakened. Weaker global demand has also contributed to the recent fall in the price of oil and other commodities, which in turn may have aggravated fiscal and financial fragilities in some commodity-exporting economies. Countries that have suffered worsening terms of trade have seen a sharp decline in activity, while investment in their energy sectors has contracted.

Recent financial developments

Since early December, a general deterioration in market sentiment has taken root and has gathered pace over the last week.
This initially appeared closely linked to concerns regarding weakening economic activity around the globe - notably in emerging markets - and to potential adverse signals from falling commodity prices. Over time however, market sentiment has become more volatile and susceptible to rapid change. In this environment, stock prices significantly declined and bank equity prices were particularly hit, both globally and in Europe.

The sharp fall in bank equity prices reflected the sector's higher sensitivity to a weaker-than-expected economic outlook; it also reflected fears that some parts of the banking sector were exposed to the higher risks in commodity-producing sectors. The bulk of euro area listed banks, although they have relatively limited exposure to emerging markets and commodity producing countries, are currently trading well below their book values. The fall in bank equity prices was amplified by perceptions that banks may have to do more to adjust their business models to the lower growth/lower interest rate environment and to the strengthened international regulatory framework that has been put in place since the crisis.

However, we have to acknowledge that the regulatory overhaul since the start of the crisis has laid the foundations for durably increasing the resilience not only of individual institutions but also of the financial system as a whole. Banks have built higher and better-quality capital buffers, have reduced leverage and improved their funding profiles. Moreover, the Basel Committee on Banking Supervision noted that substantial progress has been made towards finalising post-crisis reforms and that the remaining elements of the regulatory reform agenda for global banks are being finalised. The clarification of these elements will provide regulatory certainty on the stability of the future framework.
This will support the banking sector's ability to make long term sustainable business plans into the future. In fact, central bank governors and heads of supervision indicated that they are committed to not significantly increase overall capital requirements across the banking sector.

In the euro area, the situation in the banking sector now is very different from what it was in 2012. Perhaps most importantly, euro area banks have significantly strengthened their capital positions over the past few years, notably as a consequence of the Comprehensive Assessment conducted in 2014. For significant institutions, the CET1 ratio has increased from around 9 to 13%, making them more resilient to adverse shocks. In addition, the quality of the banks' capital has also been substantially improved.

With the 2015 Supervisory Review and Evaluation Process (SREP), the ECB has outlined the steady-state Pillar 2 supervisory capital requirements. This means that, all things equal, capital requirements will not be increased further. Hence, the banking sector can now conduct much better capital planning. Moreover, in 2015, the banks under ECB supervision further increased profits relative to 2014. This allows banks to have appropriate distribution policies while still meeting regulatory capital requirements and buffers, and to support lending to the economy. In addition, the ECB's monetary policy actions continue to support banks' financing conditions and, more broadly, economic activity.

Clearly, some parts of the banking sector in the euro area still face a number of challenges. These range from uncertainty about litigation and restructuring costs in a number of banks to working through a stock of legacy assets, particularly in the countries most affected by the financial crisis.
There is a subset of banks with elevated levels of non-performing loans (NPLs). However, these NPLs were identified during the Comprehensive Assessment, using for the first time a common definition, and have since been adequately provisioned for. Therefore, we are in a good position to bring down NPLs in an orderly manner over the next few years. For this purpose, the ECB's supervisory arm is working closely with the relevant national authorities to ensure that our NPL policies are complemented by the necessary national measures.

The state of the euro area recovery and the role of economic policies

Against the background of downward risks emanating from global economic and financial developments, let me now turn to the economic situation in the euro area. The recovery is progressing at a moderate pace, supported mainly by our monetary policy measures and their favourable impact on financial conditions as well as the low price of energy. Investment remains weak, as heightened uncertainties regarding the global economy and broader geopolitical risks are weighing on investor sentiment. Moreover, the construction sector has so far not recovered.

In order to make the euro area more resilient, contributions from all policy areas are needed. The ECB is ready to do its part. As we announced at the end of our last monetary policy meeting in January, the Governing Council will review and possibly reconsider the monetary policy stance in early March. The focus of our deliberations will be twofold. First, we will examine the strength of the pass-through of low imported inflation to domestic wage and price formation and to inflation expectations. This will depend on the size and the persistence of the fall in oil and commodity prices and the incidence of second-round effects on domestic wages and prices.
Second, in the light of the recent financial turmoil, we will analyse the state of transmission of our monetary impulses by the financial system and in particular by banks. If either of these two factors entails downward risks to price stability, we will not hesitate to act.

In parallel, other policies should help to put the euro area economy on firmer ground. It is becoming clearer and clearer that fiscal policies should support the economic recovery through public investment and lower taxation. In addition, the ongoing cyclical recovery should be supported by effective structural policies. In particular, actions to improve the business environment, including the provision of adequate public infrastructure, are vital to increase productive investment, boost job creation and raise productivity. Compliance with the rules of the Stability and Growth Pact remains essential to maintain confidence in the fiscal framework.

The Agreement on Net Financial Assets

Let me conclude by turning briefly to the recent decision to publish the Agreement on Net Financial Assets, also known as ANFA. This is another step to live up to our commitment to be accountable and transparent, both towards you as Parliament and towards the public at large.

The ANFA is an agreement between the ECB and the euro area National Central Banks - the NCBs. It ensures that monetary policy is unaffected by NCB operations related to their national, non-monetary policy tasks. The right to perform such tasks dates back to the start of Economic and Monetary Union. At that time, the founding member states decided to centralise only central bank functions and tasks that are necessary to conduct a single monetary policy. All other tasks remained with the NCBs.
Such national, non-monetary policy tasks include managing the NCBs' remaining foreign reserves - including gold - after the transfer of foreign reserves to the ECB, managing some non-monetary policy portfolios including those related to pension funds for their employees, or providing payment services to national governments.

When the NCBs hold portfolios not related to monetary policy as part of their national tasks, these portfolios are financed either by central bank money provided by the NCBs or by non-monetary liabilities. This does not interfere with monetary policy as long as it is limited to less than the amount of banknotes needed by the public. This limit ensures that banks still have to borrow from the Eurosystem at the monetary policy rate set by the Governing Council.

Here is where the ANFA comes in. Its purpose is to limit the size of the NCBs' non-monetary policy portfolios, net of the related liabilities, and thus to ensure that the Eurosystem can effectively implement the single monetary policy. Of course, when performing national tasks, the NCBs must comply with the Treaty, including the prohibition of monetary financing. Moreover, if these tasks were to interfere with monetary policy in any other way, they can be prohibited, limited or have conditions placed on them by the Governing Council.

The publication of the previously confidential ANFA text was a unanimous decision of the ECB and the NCBs in the Eurosystem to live up to our commitment to be transparent. This publication should resolve misunderstandings about ANFA. In particular, it clarifies that the sole purpose of ANFA is to set limits for non-monetary policy operations related to national tasks of the NCBs, which they are allowed to conduct according to the Treaty. Nothing more and nothing less.
These limits ensure that the NCBs' operations do not interfere with the objectives and tasks of the Eurosystem and, in particular, with the single monetary policy.

Finally, complementing the information on ANFA, the ECB also published data on the Eurosystem's aggregate net financial assets. The NCBs will follow suit and disclose their respective net financial assets when publishing their annual financial accounts. These data provide factual information to the public as to which part of central bank money demand is provided by non-monetary policy operations.

Thank you for your attention, and I look forward to your questions.

Disclaimer

The Association tries to enhance public access to information about risk and compliance management. Our goal is to keep this information timely and accurate. If errors are brought to our attention, we will try to correct them.
This information:

- is of a general nature only and is not intended to address the specific circumstances of any particular individual or entity;
- should not be relied on in the particular context of enforcement or similar regulatory action;
- is not necessarily comprehensive, complete, or up to date;
- is sometimes linked to external sites over which the Association has no control and for which the Association assumes no responsibility;
- is not professional or legal advice (if you need specific advice, you should always consult a suitably qualified professional);
- is in no way constitutive of an interpretative document;
- does not prejudge the position that the relevant authorities might decide to take on the same matters if developments, including Court rulings, were to lead them to revise some of the views expressed here;
- does not prejudge the interpretation that the Courts might place on the matters at issue.

Please note that it cannot be guaranteed that this information and these documents exactly reproduce officially adopted texts.

It is our goal to minimize disruption caused by technical errors. However, some data or information may have been created or structured in files or formats that are not error-free, and we cannot guarantee that our service will not be interrupted or otherwise affected by such problems. The Association accepts no responsibility with regard to such problems incurred as a result of using this site or any linked external sites.

The International Association of Risk and Compliance Professionals (IARCP)

You can explore what we offer to our members:

1. Membership – Become a standard, premium or lifetime member.
You may visit: www.risk-compliance-association.com/How_to_become_member.htm

If you plan to continue to work as a risk and compliance management expert, officer or director throughout the rest of your career, it makes perfect sense to become a Life Member of the Association, and to continue your journey without interruption and without renewal worries. You will get a lifetime of benefits as well.

You can check the benefits at: www.risk-compliance-association.com/Lifetime_Membership.htm

2. Weekly Updates - Subscribe to receive every Monday the Top 10 risk and compliance management related news stories and world events that (for better or for worse) shaped the week's agenda, and what is next: http://forms.aweber.com/form/02/1254213302.htm

3. Training and Certification - Become a Certified Risk and Compliance Management Professional (CRCMP) or a Certified Information Systems Risk and Compliance Professional (CISRCP).

The Certified Risk and Compliance Management Professional (CRCMP) training and certification program has become one of the most recognized programs in risk management and compliance. There are CRCMPs in 32 countries around the world. Companies and organizations like IBM, Accenture, American Express, USAA etc. consider the CRCMP a preferred certificate.

You can find more about the demand for CRCMPs at: www.risk-compliance-association.com/CRCMP_Jobs_Careers.pdf

You can find more information about the CRCMP program at: www.risk-compliance-association.com/CRCMP_1.pdf (It is better to save it and open it as an Adobe Acrobat document).

For the distance learning programs you may visit: www.risk-compliance-association.com/Distance_Learning_and_Certification.htm

For instructor-led training, you may contact us. We can tailor all programs to specific needs.
We tailor presentations, awareness and training programs for supervisors, boards of directors, service providers and consultants.

4. IARCP Authorized Certified Trainer (IARCP-ACT) Program - Become a Certified Risk and Compliance Management Professional Trainer (CRCMPT) or Certified Information Systems Risk and Compliance Professional Trainer (CISRCPT).

This is an additional advantage on your resume, serving as a third-party endorsement of your knowledge and experience. Certificates are important when being considered for a promotion or other career opportunities. You give the necessary assurance that you have the knowledge and skills to accept more responsibility.

To learn more you may visit: www.risk-compliance-association.com/IARCP_ACT.html

5. Approved Training and Certification Centers (IARCP-ATCCs) - In response to the increasing demand for CRCMP training, the International Association of Risk and Compliance Professionals is developing a world-wide network of Approved Training and Certification Centers (IARCP-ATCCs). This will give risk and compliance managers, officers and consultants the opportunity to have access to instructor-led CRCMP and CISRCP training at convenient locations that meet international standards. ATCCs use IARCP approved course materials and have access to IARCP Authorized Certified Trainers (IARCP-ACTs).

To learn more: www.risk-compliance-association.com/Approved_Centers.html