...

P a g e 1

by user

on
Category: Documents
28

views

Report

Comments

Description

Transcript

P a g e 1
Page |1
International Association of Risk and Compliance
Professionals (IARCP)
1200 G Street NW Suite 800 Washington, DC 20005-6705 USA
Tel: 202-449-9750 www.risk-compliance-association.com
Top 10 risk and compliance management related news stories
and world events that (for better or for worse) shaped the
week's agenda, and what is next
Dear Member,
We shouldn't be fatalistic. We're not doomed to
repeat the past.
Yes, the cycle is a force of human nature.
But resilience to it can be nurtured.
It will be a battle of nurture against
human nature.
This is such an interesting speech! It is
about "Nurturing resilience to the
financial cycle" by Alex Brazier, Executive
Director for Financial Stability Strategy
and Risk of the Bank of England.
Alex continued:
"The time to start it is when people
most feel like celebrating: when
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
Page |2
your market is on the up. We have to start now.
And if we're going to have any success, we - the Bank of England, you - the
industry, and us - together, need to step up and act.
So this evening I want to set out what is being done.
At the heart of it is the need to ensure finance supports you through the
whole cycle.
The need to avoid the pattern - all too familiar to you - of financing
conditions going from conservative to careless and then to completely
closed, all too rapidly."
Read more at Number 4 below. Welcome to the Top 10 list.
Best Regards,
George Lekatis
President of the IARCP
General Manager, Compliance LLC
1200 G Street NW Suite 800,
Washington DC 20005, USA
Tel: (202) 449-9750
Email: [email protected]
Web: www.risk-compliance-association.com
HQ: 1220 N. Market Street Suite 804,
Wilmington DE 19801, USA
Tel: (302) 342-8828
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
Page |3
National Cyber Security Awareness Month
Best Practices for Victim Response and Reporting of Cyber
Incidents Version 1.0
Any Internet-connected organization can fall prey to a disruptive network
intrusion or costly cyber attack.
A quick, effective response to cyber incidents can prove critical to
minimizing the resulting harm and expediting recovery.
The best time to plan such a response is now, before an incident occurs.
This “best practices” document was drafted by the Cybersecurity Unit to
assist organizations in preparing a cyber incident response plan and, more
generally, in preparing to respond to a cyber incident.
National Cyber Security Awareness
Month
Growing Global Coalition Urges
Internet Users Everywhere To STOP. THINK. CONNECT.
The 2015 National Cyber Security Awareness Month (NCSAM) is
emphasizing “Our Shared Responsibility,” the month’s official theme and
call to action for all global citizens to take basic steps to make the Internet –
a vital resource for our personal, public and professional lives – safer and
more secure.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
Page |4
Panel remarks at the Brookings Institution
William C Dudley, President and Chief Executive
Officer of the Federal Reserve Bank of New York, at
"The Fed at a crossroads: Where to go next?",
Brookings Institution, Washington DC
It is a great pleasure to be here today to participate in
this panel with John Taylor. I am going to take today's topic - "Where to go
next?" - to address the issue of how monetary policy should be conducted.
This is an issue that is getting considerable attention among policymakers
here in Washington, D.C.
To put succinctly the question I wish to tackle: Is it better for policymakers
to start with a formal rule as the default position, or for policymakers to
have a more flexible approach that considers a broader set of factors in
setting the monetary policy stance?
Nurturing resilience to the financial cycle
Alex Brazier, Executive Director for Financial
Stability Strategy and Risk of the Bank of
England, at the Property Investor's Banquet,
London
"It's clear why you are celebrating.
A crane-filled skyline to the City.
New office space completion in Central London: a ten-year high;
More than thirty schemes underway: a twenty-year high;
And transactions that are near a record high.
Half of them financed by capital attracted from overseas."
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
Page |5
EIOPA advices to set up a new asset
class for high-quality infrastructure
investments under Solvency II
The European Insurance and Occupational
Pensions Authority (EIOPA) published its Advice to the European
Commission on the identification and calibration of infrastructure
investments risk categories.
 Robust criteria have been put forward to identify eligible infrastructure
projects;
 Risk charges for investing in qualifying infrastructure projects have been
carefully calibrated to the respective risks leading to a different treatment;
 To benefit from a different treatment insurers will need to conduct
adequate due diligence as part of an effective risk management of this
complex and heterogeneous asset class.
Progress on prudential regulation and three
areas to complete
Andrew Bailey, Deputy Governor of Prudential
Regulation and Chief Executive Officer of the
Prudential Regulation Authority at the Bank of England, at the City
Banquet, Mansion House, London
"This evening I want to describe the progress we have made on prudential
regulation and then examine a number of topical issues for the PRA and the
Financial Services industry: the Senior Managers and Certification Regime;
structural reform and ring fencing; and what the PRA is doing to pursue its
secondary objective on competition.
A common theme here is getting the incentives right to support good
outcomes in relation to both prudential and conduct objectives."
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
Page |6
Game changers in financial markets regulation, innovation and cybersecurity
François Groepe, Deputy Governor of the South
African Reserve Bank, at the STRATE, PASA and GIBS Conference,
Johannesburg
"A game changer can be defined as "a newly introduced element or factor
that changes an existing situation or activity in a significant way".
Another way of thinking about game changers may be in terms of what the
well-known Austrian-born economist, Joseph Schumpeter, called "creative
destruction".
Schumpeter, writing on economic and social evolution in his work
Capitalism, socialism and democracy in 1942, wrote: The opening up of new
markets, foreign or domestic, and the organisational development from the
craft shop to such concerns as US Steel illustrate the same process of
industrial mutation - if I may use that biological term - that incessantly
revolutionises the economic structure from within, incessantly destroying
the old one, incessantly creating a new one. This process of creative
destruction is the essential fact about capitalism.
NCSA statement following report of
data breach at Experian, Exposing
T-Mobile Customer Data
Following a massive data breach at Experian, 15 million current or former
T-Mobile customers woke up this morning to unsettling news: their
sensitive personal information – names, addresses, Social Security
numbers, birthdays and unique identification numbers – is now likely in
the hands of malicious hackers.
According to news reports, this is not the first time Experian has faced a
data breach of this nature.
It’s not surprising that data brokers or credit bureaus ‒ who collect millions
of people’s most private details – are prime targets for cybercriminals, but it
is disconcerting.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
Page |7
Hearing at the Economic and Monetary
Affairs (ECON) Committee of the
European Parliament
Gabriel Bernardino, Chairman of EIOPA
"I am happy to be here just less than four months before the full
implementation of EIOPA’s top-priority project - Solvency II, which will
start on 1 January 2016.
Since the end of 2014, the strategic focus of EIOPA’s work on Solvency II
has been on supervisory convergence, with the aim to ensure the highest
consistency possible in the implementation of Solvency II across the EU.
This is a project that has delivered state-of-the-art risk-based regulation in
Europe, and which is the outcome of joint efforts by the co-legislators,
regulators, supervisors and industry and consumer representatives.
The European Parliament has played a key role in this process.
As a first step towards ensuring this consistency, in the past 12-month
period, EIOPA delivered in total 18 Implementing Technical Standards
(ITS), of which six have already been endorsed by the European
Commission (EC). "
Tips from the National Counterintelligence
Executive
Traveling Overseas with Mobile Phones,
Laptops, PDAs, and other Electronic devices
You should know :
•
In most countries you have no expectation of privacy in Internet
cafes, hotels, offices, or public places.
Hotel business centers and phone networks are regularly monitored in
many countries. In some countries, hotel rooms are often searched.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
Page |8
National Cyber Security Awareness Month
Best Practices for Victim Response and Reporting of Cyber
Incidents Version 1.0
Any Internet-connected organization can fall prey to a disruptive network
intrusion or costly cyber attack.
A quick, effective response to cyber incidents can prove critical to
minimizing the resulting harm and expediting recovery.
The best time to plan such a response is now, before an incident occurs.
This “best practices” document was drafted by the Cybersecurity Unit to
assist organizations in preparing a cyber incident response plan and, more
generally, in preparing to respond to a cyber incident.
It reflects lessons learned by federal prosecutors while handling cyber
investigations and prosecutions, including information about how cyber
criminals’ tactics and tradecraft can thwart recovery.
It also incorporates input from private sector companies that have managed
cyber incidents.
It was drafted with smaller, less well-resourced organizations in mind;
however, even larger organizations with more experience in handling cyber
incidents may benefit from it.
I. Steps to Take Before a Cyber Intrusion or Attack Occurs
Having well-established plans and procedures in place for managing and
responding to a cyber intrusion or attack is a critical first step toward
preparing an organization to weather a cyber incident.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
Page |9
Such pre-planning can help victim organizations limit damage to their
computer networks, minimize work stoppages, and maximize the ability of
law enforcement to locate and apprehend perpetrators.
Organizations should take the precautions outlined below before learning
of a cyber incident affecting their networks.
A. Identify Your “Crown Jewels”
Different organizations have different mission critical needs.
For some organizations, even a short-term disruption in their ability to
send or receive email will have a devastating impact on their operations;
others are able to rely on other means of communication to transact
business, but they may suffer significant harm if certain intellectual
property is stolen.
For others still, the ability to guarantee the integrity and security of the data
they store and process, such as customer information, is vital to their
continued operation.
The expense and resources required to protect a whole enterprise may force
an organization to prioritize its efforts and may shape its incident response
planning.
Before formulating a cyber incident response plan, an organization should
first determine which of their data, assets, and services warrants the most
protection.
Ensuring that protection of an organization’s “crown jewels” is
appropriately prioritized is an important first step to preventing a cyber
intrusion or attack from causing catastrophic harm.
The Cybersecurity Framework produced by the National Institute of
Standards and Technology (NIST) provides excellent guidance on risk
management planning and policies and merits consideration.
B. Have an Actionable Plan in Place Before an Intrusion Occurs
Organizations should have a plan in place for handling computer intrusions
before an intrusion occurs.
During an intrusion, an organization’s management and personnel should
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 10
be focused on containing the intrusion, mitigating the harm, and collecting
and preserving vital information that will help them assess the nature and
scope of the damage and the potential source of the threat.
A cyber incident is not the time to be creating emergency procedures or
considering for the first time how best to respond.
The plan should be “actionable.”
It should provide specific, concrete procedures to follow in the event of a
cyber incident.
At a minimum, the procedures should address:
-
Who has lead responsibility for different elements of an organization’s
cyber incident response, from decisions about public communications,
to information technology access, to implementation of security
measures, to resolving legal questions;
-
How to contact critical personnel at any time, day or night;
-
How to proceed if critical personnel is unreachable and who will serve
as back-up;
-
What mission critical data, networks, or services should be prioritized
for the greatest protection;
-
How to preserve data related to the intrusion in a forensically sound
manner;
-
What criteria will be used to ascertain whether data owners, customers,
or partner companies should be notified if their data or data affecting
their networks is stolen; and
-
Procedures for notifying law enforcement and/or computer
incident-reporting organization.
All personnel who have computer security responsibilities should have
access to and familiarity with the plan, particularly anyone who will play a
role in making technical, operational, or managerial decisions during an
incident.
It is important for an organization to institute rules that will ensure its
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 11
personnel have and maintain familiarity with its incident response plan.
For instance, the procedures for responding to a cyber incident under an
incident response plan can be integrated into regular personnel training.
The plan may also be ingrained through regularly conducted exercises to
ensure that it is up-to-date.
Such exercises should be designed to verify that necessary lines of
communication exist, that decision-making roles and responsibilities are
well understood, and that any technology that may be needed during an
actual incident is available and likely to be effective.
Deficiencies and gaps identified during an exercise should be noted for
speedy resolution. Incident response plans may differ depending upon an
organization’s size, structure, and nature of its business.
Similarly, decision-making under a particular incident response plan may
differ depending upon the nature of a cyber incident.
In any event, institutionalized familiarity with the organization’s
framework for addressing a cyber incident will expedite response time and
save critical minutes during an incident.
C. Have Appropriate Technology and Services in Place Before An
Intrusion
Organizations should already have in place or have ready access to the
technology and services that they will need to respond to a cyber incident.
Such equipment may include off-site data back-up, intrusion detection
capabilities, data loss prevention technologies, and devices for traffic
filtering or scrubbing.
An organization’s computer servers should also be configured to conduct
the logging necessary to identify a network security incident and to perform
routine back-ups of important information.
The requisite technology should already be installed, tested, and ready to
deploy.
Any required supporting services should either be acquired beforehand or
be identified and ready for acquisition.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 12
D. Have Appropriate Authorization in Place to Permit Network
Monitoring
Real-time monitoring of an organization’s own network is typically lawful if
prior consent for such monitoring is obtained from network users.
For this reason, before an incident takes place, an organization should
adopt the mechanisms necessary for obtaining user consent to monitoring
users’ communications so it can detect and respond to a cyber incident.
One means of accomplishing this is through network warnings or “banners”
that greet users who log onto a network and inform them of how the
organization will collect, store, and use their communications.
A banner can also be installed on the ports through which an intruder is
likely to access the organization’s system.
A banner, however, is not the only means of obtaining legally valid consent.
Computer user agreements, workplace policies, and personnel training may
also be used to obtain legally sufficient user consent to monitoring.
Organizations should obtain written acknowledgement from their
personnel of having signed such agreements or received such training.
Doing so will provide an organization with ready proof that they have met
legal requirements for conducting network monitoring.
Any means of obtaining legally sufficient consent should notify users that
their use of the system constitutes consent to the interception of their
communications and that the results of such monitoring may be disclosed
to others, including law enforcement.
If an organization is a government entity (e.g., a federal, state, or local
agency or a state university) or a private entity acting as an instrument or
agent of the government, its actions may implicate the Fourth Amendment.
Consequently, any notice on the system of such an entity or organization
should also inform users of their diminished expectation of privacy for
communications on the network.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 13
E. Ensure Your Legal Counsel is Familiar with Technology and
Cyber Incident Management to Reduce Response Time During an
Incident
Cyber incidents can raise unique legal questions.
An organization faced with decisions about how it interacts with
government agents, the types of preventative technologies it can lawfully
use, its obligation to report the loss of customer information, and its
potential liability for taking specific remedial measures (or failing to do so)
will benefit from obtaining legal guidance from attorneys who are
conversant with technology and knowledgeable about relevant laws (e.g.,
the Computer Fraud and Abuse Act (18 U.S.C. § 1030), electronic
surveillance, and communications privacy laws).
Legal counsel that is accustomed to addressing these types of issues that are
often associated with cyber incidents will be better prepared to provide a
victim organization with timely, accurate advice.
Many private organizations retain outside counsel who specialize in legal
questions associated with data breaches while others find such cyber issues
are common enough that they have their own cyber-savvy attorneys on staff
in their General Counsel’s offices.
Having ready access to advice from lawyers well acquainted with cyber
incident response can speed an organization’s decision making and help
ensure that a victim organization’s incident response activities remain on
firm legal footing.
F. Ensure Organization Policies Align with Your Cyber Incident
Response Plan
Some preventative and preparatory measures related to incident planning
may need to be implemented outside the context of preparing a cyber
incident response plan.
For instance, an organization should review its personnel and human
resource policies to ensure they will reasonably minimize the risk of cyber
incidents, including from “insider threats.”
Proper personnel and information technology (IT) policies may help
prevent a cyber incident in the first place.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 14
For instance, a practice of promptly revoking the network credentials of
terminated employees—particularly system administrators and
information technology staff—may prevent a subsequent cyber incident
from occurring.
Furthermore, reasonable access controls on networks may reduce the risk
of harmful computer misuse.
G. Engage with Law Enforcement Before an Incident
Organizations should attempt to establish a relationship with their local
federal law enforcement offices long before they suffer a cyber incident.
Having a point-of-contact and a pre-existing relationship with law
enforcement will facilitate any subsequent interaction that may occur if an
organization needs to enlist law enforcement’s assistance.
It will also help establish the trusted relationship that cultivates
bi-directional information sharing that is beneficial both to potential victim
organizations and to law enforcement.
The principal federal law enforcement agencies responsible for
investigating criminal violations of the federal Computer Fraud and Abuse
Act are the Federal Bureau of Investigation (FBI) and the U.S. Secret
Service.
Both agencies conduct regular outreach to private companies and other
organizations likely to be targeted for intrusions and attacks.
Such outreach occurs mostly through the FBI’s Infragard chapters and
Cyber Task Forces in each of the FBI’s 56 field offices, and through the U.S.
Secret Service’s Electronic Crimes Task Forces.
H. Establish Relationships with Cyber Information Sharing
Organizations
Defending a network at all times from every cyber threat is a daunting task.
Access to information about new or commonly exploited vulnerabilities can
assist an organization prioritize its security measures.
Information sharing organizations for every sector of the critical
infrastructure exist to provide such information.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 15
Information Sharing and Analysis Centers (ISACs) have been created in
each sector of the critical infrastructure and for key resources.
They produce analysis of cyber threat information that is shared within the
relevant sector, with other sectors, and with the government.
Depending upon the sector, they may also provide other cybersecurity
services.
The government has also encouraged the creation of new information
sharing entities called Information Sharing and Analysis Organizations
(ISAOs) to accommodate organizations that do not fit within an established
sector of the critical infrastructure or that have unique needs.
ISAOs are intended to provide such organizations with the same benefits of
obtaining cyber threat information and other supporting services that are
provided by an ISAC.
II. Responding to a Computer Intrusion: Executing Your
Incident Response Plan
An organization can fall victim to a cyber intrusion or attack even after
taking reasonable precautions.
Consequently, having a vetted, actionable cyber incident response plan is
critical.
A robust incident response plan does more than provide procedures for
handling an incident; it also provides guidance on how a victim
organization can continue to operate while managing an incident and how
to work with law enforcement and/or incident response firms as an
investigation is conducted.
An organization’s incident response plan should, at a minimum, give
serious consideration to all of the steps outlined below.
A. Step 1: Make an Initial Assessment
During a cyber incident, a victim organization should immediately make an
assessment of the nature and scope of the incident.
In particular, it is important at the outset to determine whether the incident
is a malicious act or a technological glitch.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 16
The nature of the incident will determine the type of assistance an
organization will need to address the incident and the type of damage and
remedial efforts that may be required.
Having appropriate network logging capabilities enabled can be critical to
identifying the cause of a cyber incident.
Using log information, a system administrator should attempt to identify:
 The affected computer systems;
 The apparent origin of the incident, intrusion, or attack;
 Any malware used in connection with the incident;
 Any remote servers to which data were sent (if information was
exfiltrated); and
 The identity of any other victim organizations, if such data is apparent in
logged data.
In addition, the initial assessment of the incident should document:
 Which users are currently logged on;
 What the current connections to the computer systems are;
 Which processes are running; and
 All open ports and their associated services and applications.
Any communications (in particular, threats or extortionate demands)
received by the organization that might relate to the incident should also be
preserved.
Suspicious calls, emails, or other requests for information should be
treated as part of the incident.
Evidence that an intrusion or other criminal incident has occurred will
typically include logging or file creation data indicating that someone
improperly accessed, created, modified, deleted, or copied files or logs;
changed system settings; or added or altered user accounts or permissions.
In addition, an intruder may have stored “hacker tools” or data from
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 17
another intrusion on your network.
In the case of a root-level intrusion, victims should be alert for signs that
the intruder gained access to multiple areas of the network.
The victim organization should take care to ensure that its actions do not
unintentionally or unnecessarily modify stored data in a way that could
hinder incident response or subsequent criminal investigation.
In particular, potentially relevant files should not be deleted; if at all
possible, avoid modifying data or at least keep track of how and when
information was modified.
B. Step 2: Implement Measures to Minimize Continuing Damage
After an organization has assessed the nature and scope of the incident and
determined it to be an intentional cyber intrusion or attack rather than a
technical glitch, it may need to take steps to stop ongoing damage caused by
the perpetrator.
Such steps may include rerouting network traffic, filtering or blocking a
distributed denial-of-service attack, or isolating all or parts of the
compromised network.
In the case of an intrusion, a system administrator may decide either to
block further illegal access or to watch the illegal activity to identify the
source of the attack and/or learn the scope of the compromise.
If proper preparations were made, an organization will have an existing
back-up copy of critical data and may elect to abandon the network in its
current state and to restore it to a prior state.
If an organization elects to restore a back-up version of its data, it should
first make sure that the back-up is not compromised as well.
Where a victim organization obtains information regarding the location of
exfiltrated data or the apparent origin of a cyber attack, it may choose to
contact the system administrator of that network.
Doing so may stop the attack, assist in regaining possession of stolen data,
or help determine the true origin of the malicious activity.
A victim organization may also choose to blunt the damage of an ongoing
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 18
intrusion or attack by “null routing” malicious traffic, closing the ports
being used by the intruder to gain access to the network, or otherwise
altering the configuration of a network to thwart the malicious activity.
The victim organization should keep detailed records of whatever steps are
taken to mitigate the damage and should keep stock of any associated costs
incurred.
Such information may be important for recovering damages from
responsible parties and for any subsequent criminal investigation.
C. Step 3: Record and Collect Information
1. Image the Affected Computer(s)
Ideally, a victim organization will immediately make a “forensic image” of
the affected computers, which will preserve a record of the system at the
time of the incident for later analysis and potentially for use as evidence at
trial.
This may require the assistance of law enforcement or professional incident
response experts.
In addition, the victim organization should locate any previously generated
backups, which may assist in identifying any changes an intruder made to
the network.
New or sanitized media should be used to store copies of any data that is
retrieved and stored.
Once the victim organization makes such copies, it should writeprotect the
media to safeguard it from alteration.
The victim organization should also restrict access to this media to
maintain the integrity of the copy’s authenticity, safeguard it from
unidentified malicious insiders, and establish a chain of custody.
These steps will enhance the value of any backups as evidence in any later
criminal investigations and prosecutions, internal investigations, or civil
law suits.
2. Keep Logs, Notes, Records, and Data
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 19
The victim organization should take immediate steps to preserve relevant
existing logs.
In addition, the victim organization should direct personnel participating in
the incident response to keep an ongoing, written record of all steps
undertaken.
If this is done while responding to the incident or shortly thereafter,
personnel can minimize the need to rely on their memories or the
memories of others to reconstruct the order of events.
As the investigation progresses, information that was collected by the
organization contemporaneous to the intrusion may take on unanticipated
significance.
The types of information that the victim organization should retain include:
● a description of all incident-related events, including dates and times;
● information about incident-related phone calls, emails, and other
contacts;
● the identity of persons working on tasks related to the intrusion,
including a description, the amount of time spent, and the approximate
hourly rate for those persons’ work;
● identity of the systems, accounts, services, data, and networks affected by
the incident and a description of how these network components were
affected;
● information relating to the amount and type of damage inflicted by the
incident, which can be important in civil actions by the organization and in
criminal cases;
● information regarding network topology;
● the type and version of software being run on the network; and
● any peculiarities in the organization’s network architecture, such as
proprietary hardware or software.
Ideally, a single, designated employee will retain custody of all such
records.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 20
This will help to ensure that records are properly preserved and can be
produced later on.
Proper handling of this information is often useful in rebutting claims in
subsequent legal proceedings (whether criminal or civil) that electronic
evidence has been tampered with or altered.
3. Records Related to Continuing Attacks
When an incident is ongoing (e.g., during a DDOS attack, as a worm is
propagating through the network, or while an intruder is exfiltrating data),
the victim organization should record any continuing activity.
If a victim organization has not enabled logging on an affected server, it
should do so immediately.
It should also consider increasing the default size of log files on its servers
to prevent losing data.
A victim organization may also be able to use a “sniffer” or other
network-monitoring device to record communications between the
intruder and any of its targeted servers.
Such monitoring, which implicates the Wiretap Act (18 U.S.C. §§ 2510 et
seq.) is typically lawful, provided it is done to protect the organization’s
rights or property or system users have actually or impliedly consented to
such monitoring.
An organization should consult with its legal counsel to make sure such
monitoring is conducted lawfully and consistent with the organization’s
employment agreements and privacy policies.
D. Step 4: Notify
1. People Within the Organization
Managers and other personnel within the organization should be notified
about the incident as provided for in the incident response plan and should
be given the results of any preliminary analysis.
Relevant personnel may include senior management, IT and physical
security coordinators, communications or public affairs personnel, and
legal counsel.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 21
The incident response plan should set out individual points-of-contact
within the organization and the circumstances in which they should be
contacted.
2. Law Enforcement
If an organization suspects at any point during its assessment or response
that the incident constitutes criminal activity, it should contact law
enforcement immediately.
Historically, some companies have been reticent to contact law
enforcement following a cyber incident fearing that a criminal investigation
may result in disruption of its business or reputational harm.
However, a company harboring such concerns should not hesitate to
contact law enforcement.
The FBI and U.S. Secret Service place a priority on conducting cyber
investigations that cause as little disruption as possible to a victim
organization’s normal operations and recognize the need to work
cooperatively and discreetly with victim companies.
They will use investigative measures that avoid computer downtime or
displacement of a company's employees.
When using an indispensable investigative measures likely to
inconvenience a victim organization, they will do so with the objective of
minimizing the duration and scope of any disruption.
The FBI and U.S. Secret Service will also conduct their investigations with
discretion and work with a victim company to avoid unwarranted
disclosure of information.
They will attempt to coordinate statements to the news media concerning
the incident with a victim company to ensure that information harmful to a
company’s interests is not needlessly disclosed.
Victim companies should likewise consider sharing press releases regarding
a cyber incident with investigative agents before issuing them to avoid
releasing information that might damage the ongoing investigation.
Contacting law enforcement may also prove beneficial to a victim
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 22
organization.
Law enforcement may be able to use legal authorities and tools that are
unavailable to nongovernmental entities and to enlist the assistance of
international law enforcement partners to locate stolen data or identify the
perpetrator.
These tools and relationships can greatly increase the odds of successfully
apprehending an intruder or attacker and securing lost data.
In addition, a cyber criminal who is successfully prosecuted will be
prevented from causing further damage to the victim company or to others,
and other would-be cyber criminals may be deterred by such a conviction.
In addition, as of January 2015, at least forty-seven states have passed
database breach notification laws requiring companies to notify customers
whose data is compromised by an intrusion; however, many data breach
reporting laws allow a covered organization to delay notification if law
enforcement concludes that such notice would impede an investigation.
State laws also may allow a victim company to forgo providing notice
altogether if the victim company consults with law enforcement and
thereafter determines that the breach will not likely result in harm to the
individuals whose personal information has been acquired and accessed.
Organizations should consult with counsel to determine their obligations
under state data breach notification laws.
It is also noteworthy that companies from regulated industries that
cooperate with law enforcement may be viewed more favorably by
regulators looking into a data breach.
3. The Department of Homeland Security
The Department of Homeland Security has components dedicated to
cybersecurity that not only collect and report on cyber incidents, phishing,
malware, and other vulnerabilities, but also provide certain incident
response services.
The National Cybersecurity & Communications Integration Center (NCCIC)
serves as a 24x7 centralized location for cybersecurity information sharing,
incident response, and incident coordination.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 23
By contacting the NCCIC, a victim organization can both share and receive
information about an ongoing incident that may prove beneficial to both
the victim organization and the government.
A victim organization may also obtain technical assistance capable of
mitigating an ongoing cyber incident.
4. Other Potential Victims
If a victim organization or the private incident response firm it hires
uncovers evidence of additional victims while assessing a cyber
incident—for example, in the form of another company’s data stored on the
network—the other potential victims should be promptly notified.
While the initial victim can conduct such notification directly, notifying
victims through law enforcement may be preferable.
It insulates the initial victim from potentially unnecessary exposure and
allows law enforcement to conduct further investigation, which may
uncover additional victims warranting notification.
Similarly, if a forensic examination reveals an unreported software or
hardware vulnerability, the victim organization should make immediate
notification to law enforcement or the relevant vendor.
Such notifications may prevent further damage by prompting the victims or
vendors to take remedial action immediately.
The victim organization may also reap benefits, because other victims may
be able to provide helpful information gleaned from their own experiences
managing the same cyber incident (e.g., information regarding the
perpetrator’s methods, a timeline of events, or effective mitigation
techniques that may thwart the intruder).
III. What Not to Do Following a Cyber Incident
A. Do Not Use the Compromised System to Communicate
The victim organization should avoid, to the extent reasonably possible,
using a system suspected of being compromised to communicate about an
incident or to discuss its response to the incident.
If the victim organization must use the compromised system to
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 24
communicate, it should encrypt its communications.
To avoid becoming the victim of a “social engineering” attack (i.e., attempts
by a perpetrator to convince a target to take an action through use of a ruse
or guile that will compromise the security of the system or data), employees
of the victim organization should not disclose incident-specific information
to unknown communicants inquiring about an incident without first
verifying their identity.
B. Do Not Hack Into or Damage Another Network
A victimized organization should not attempt to access, damage, or impair
another system that may appear to be involved in the intrusion or attack.
Regardless of motive, doing so is likely illegal, under U.S. and some foreign
laws, and could result in civil and/or criminal liability.
Furthermore, many intrusions and attacks are launched from compromised
systems.
Consequently, “hacking back” can damage or impair another innocent
victim’s system rather than the intruder’s.
IV. After a Computer Incident
Even after a cyber incident appears to be under control, remain vigilant.
Many intruders return to attempt to regain access to networks they
previously compromised.
It is possible that, despite best efforts, a company that has addressed known
security vulnerabilities and taken all reasonable steps to eject an intruder
has nevertheless not eliminated all of the means by which the intruder
illicitly accessed the network.
Continue to monitor your system for anomalous activity.
Once the victim organization has recovered from the attack or intrusion, it
should initiate measures to prevent similar attacks.
To do so, it should conduct a post-incident review of the organization’s
response to the incident and assess the strengths and weaknesses of its
performance and incident response plan.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 25
Part of the assessment should include ascertaining whether the
organization followed each of the steps outlined above and, if not, why not.
The organization should note and discuss deficiencies and gaps in its
response and take remedial steps as needed.
Cyber Incident Preparedness Checklist
Before a Cyber Attack or Intrusion
 Identify mission critical data and assets (i.e., your “Crown Jewels”) and
institute tiered security measures to appropriately protect those assets.
 Review and adopt risk management practices found in guidance such as
the National Institute of Standards and Technology Cybersecurity
Framework.
 Create an actionable incident response plan.
o Test plan with exercises
o Keep plan up-to-date to reflect changes in personnel and structure
 Have the technology in place (or ensure that it is easily obtainable) that
will be used to address an incident.
 Have procedures in place that will permit lawful network monitoring.
 Have legal counsel that is familiar with legal issues associated with cyber
incidents
 Align other policies (e.g., human resources and personnel policies) with
your incident response plan.
 Develop proactive relationships with relevant law enforcement agencies,
outside counsel, public relations firms, and investigative and cybersecurity
firms that you may require in the event of an incident.
During a Cyber Attack or Intrusion
 Make an initial assessment of the scope and nature of the incident,
particularly whether it is a malicious act or a technological glitch.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 26
 Minimize continuing damage consistent with your cyber incident
response plan.
 Collect and preserve data related to the incident.
o “Image” the network
o Keep all logs, notes, and other records o Keep records of ongoing attacks
 Consistent with your incident response plan, notify—
o Appropriate management and personnel within the victim organization
should o Law enforcement
o Other possible victims
o Department of Homeland Security
 Do not—
o Use compromised systems to communicate.
o “Hack back” or intrude upon another network
After Recovering from a Cyber Attack or Intrusion
 Continue monitoring the network for any anomalous activity to make
sure the intruder has been expelled and you have regained control of your
network.
 Conduct a post-incident review to identify deficiencies in planning and
execution of your incident response plan.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 27
National Cyber Security
Awareness Month
Growing Global Coalition
Urges Internet Users
Everywhere To STOP. THINK. CONNECT.
The 2015 National Cyber Security Awareness Month (NCSAM) is
emphasizing “Our Shared Responsibility,” the month’s official theme and
call to action for all global citizens to take basic steps to make the Internet –
a vital resource for our personal, public and professional lives – safer and
more secure.
Led by the National Cyber Security Alliance (NCSA), the nation's leading
nonprofit, public-private partnership promoting online safety, and the U.S.
Department of Homeland Security (DHS), NCSAM marks its 12th
anniversary this October.
Launching the month with the recognition that securing the Internet is a
global imperative, the General Secretariat of the Organization of American
States (OAS) will also host an international event in Washington, D.C.
promoting a culture of cybersecurity among its member states’ 250 million
Internet users in Latin America and the Caribbean as well as other
countries around the globe.
OAS is a long-time STOP. THINK. CONNECT. partner and has championed
participation in education and awareness by a diverse group of stakeholders
in Latin America.
The theme of the month resonates with young people internationally.
According to the recently released Cyber Safety for the Digital Generation
survey by the Raytheon Company, 82 percent of young adults globally
believe that keeping the Internet safe and secure is our shared
responsibility.
They are clear on the roles everyone should play in keeping them safe and
secure online:
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 28
75 percent think they themselves should be significantly involved;
69 percent think the commercial websites they visit and use should be
significantly involved;
51 percent think the government should be significantly involved;
47 percent think the people they interact with on social networks should be
significantly involved.
“We live in a global, digital age where people, networks and devices are
increasingly interconnected, and everyone needs to be taking steps to use
the Internet safely and more securely,” said Michael Kaiser, NCSA’s
executive director.
“Practicing good cybersecurity empowers Internet users to reap the benefits
of connectivity with greater confidence. National Cyber Security Awareness
Month succeeds when we work together to build a safer, more secure and
trusted Internet. Awareness month is a must.”
NCSAM 2015 also marks the fifth anniversary of STOP. THINK.
CONNECT., the preeminent global cybersecurity education and awareness
campaign.
Driven by NCSA, the Anti-Phishing Working Group (APWG) and DHS,
which leads the federal government’s campaign, STOP. THINK. CONNECT.
continues to extend its international impact with a simple but increasingly
important message to stay safer and more secure online.
The campaign’s partners include 271 large companies, small- and
medium-sized businesses, colleges and universities, regional banks and a
collection of other organizations as official partners.
Currently, STOP. THINK. CONNECT. has official partnerships in Canada,
Australia, Panama, the European Union, India, Japan, Mexico and other
countries and regions, with its materials translated into five languages —
Spanish, French (Canadian), Portuguese (Brazilian), Japanese and Russian
— and several more translations on the way.
Check out NCSA’s new infographic, “5 Years of STC” and learn more about
how to get involved: http://ncsam.info/1JCDXlT
“While NCSA and its many partners work year round to create awareness
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 29
around the safe and secure use of the Internet, National Cyber Security
Awareness Month unites everyone in a concentrated effort to promote a
culture of cybersecurity in everything we do,” said Jacqueline Beauchere,
Chief Online Safety Officer of Microsoft and Chair of NCSA’s Board of
Directors.
“We are thrilled to see the adoption of Cybersecurity Awareness Month and
STOP. THINK. CONNECT. across the globe.
When industry, government and civil society work together, we can help
every digital citizen access and act on the information they need to be safer
and more secure online.”
Ready, Set, Get #CyberAware
Under the umbrella theme of “Our Shared Responsibility,” NCSAM 2015
will explore five weekly themes addressing a cross section of cybersecurity
issues.
They include STOP. THINK. CONNECT., cybersecurity in the workplace,
connected communities and families, our evolving digital lives/the Internet
of Things and building the next generation of cyber professionals.
Individuals and companies and organizations of all sizes can show their
support for NCSAM by becoming a Champion.
Currently there are more than 475 NCSAM Champions who will play an
active role in sharing important cybersecurity messages with their local
communities, corporations, governments and individuals internationally.
For more information on how to become a champion, visit
https://www.staysafeonline.org/ncsam/champions.
Using the new hashtag, #CyberAware, NCSAM’s Champions and
supporters are also encouraged to join the conversation by posting tips,
advice and information and participating in weekly Twitter chats occurring
every Thursday at 3:00p.m. EDT and keeping up on the latest updates on
http://www.facebook.com/staysafeonline.
To stay safer online everyone should implement these simple, actionable
steps:
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 30
Keep a clean machine: Keeping all web-connected devices ‒ including PCs,
mobile phones, smartphones, and tablets ‒ free from malware and
infections makes the Internet safer for you and more secure for everyone.
Get two steps ahead: Turn on two-step authentication ‒ also known as
two-step verification or multi-factor authentication ‒ on accounts where
available.
When in doubt, throw it out: Links in email, posts and texts are often the
ways cybercriminals try to steal your information or infect your devices.
Share with care: Before posting something online, think about how it could
be perceived now and in the future.
Check out NCSA’s tips infographic: http://ncsam.info/1VoT4X7.
About National Cyber Security Awareness Month
National Cyber Security Awareness Month (NCSAM) was created as a
collaborative effort between government and industry to ensure every
American has the resources they need to stay safer and more secure online.
Now in its 12th year, NCSAM is co-led by the Department of Homeland
Security and the National Cyber Security Alliance, the nation's leading
nonprofit public-private partnership promoting the safe and secure use of
the Internet and digital privacy.
Recognized annually in October, NCSAM involves the participation of a
multitude of industry leaders ‒ mobilizing individuals, small- and
medium-sized businesses, non-profits, academia, multinational
corporations and governments.
Encouraging digital citizen around the globe to STOP. THINK. CONNECT.,
NCSAM is harnessing the collective impact of its programs and resources to
increase awareness about today’s ever-evolving cybersecurity landscape.
Visit the NCSAM media room:
https://www.staysafeonline.org/about-us/news/media-room/
About The National Cyber Security Alliance
The National Cyber Security Alliance (NCSA) is the nation's leading
nonprofit public-private partnership promoting the safe and secure use of
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 31
the Internet and digital privacy.
Working with the Department of Homeland Security (DHS), private sector
sponsors and nonprofit collaborators to promote cybersecurity awareness,
NCSA board members include representatives from ADP, AT&T, Bank of
America, BlackBerry, Comcast Corporation, EMC Corporation, ESET,
Facebook, Google, Intel, Logical Operations, Microsoft, PayPal, PKWARE,
Raytheon, Symantec, Verizon and Visa.
Through collaboration with the government, corporate, nonprofit and
academic sectors, NCSA's mission is to educate and empower digital
citizens to use the Internet securely and safely, protect themselves and the
technology they use, and safeguard the digital assets we all share.
NCSA leads initiatives for STOP. THINK. CONNECT., a global
cybersecurity awareness campaign to help all digital citizens stay safer and
more secure online; Data Privacy Day, celebrated annually on January 28
and National Cyber Security Awareness Month, launched every October.
For more information on NCSA, please visit
staysafeonline.org/about-us/overview/.
About STOP. THINK. CONNECT.
STOP. THINK. CONNECT. is the national cybersecurity education and
awareness campaign.
The campaign was created by an unprecedented coalition of private
companies, non-profits and government organizations with leadership
provided by the National Cyber Security Alliance (NCSA) and the
Anti-Phishing Working Group (APWG).
The Department of Homeland Security leads the federal engagement in the
campaign.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 32
Panel remarks at the Brookings Institution
William C Dudley, President and Chief Executive
Officer of the Federal Reserve Bank of New York, at
"The Fed at a crossroads: Where to go next?",
Brookings Institution, Washington DC
It is a great pleasure to be here today to participate in
this panel with John Taylor. I am going to take today's topic - "Where to go
next?" - to address the issue of how monetary policy should be conducted.
This is an issue that is getting considerable attention among policymakers
here in Washington, D.C.
To put succinctly the question I wish to tackle: Is it better for policymakers
to start with a formal rule as the default position, or for policymakers to
have a more flexible approach that considers a broader set of factors in
setting the monetary policy stance?
As always, what I have to say today reflects my own views and not
necessarily those of the Federal Open Market Committee (FOMC) or the
Federal Reserve System.
To get right to the punch line, I favor a more flexible approach that
incorporates a broader set of factors into the monetary policy
decision-making process.
The world is complex and ever-changing. There are many factors that can
affect the economic outlook and the attainment of the Federal Reserve's
mandated objectives and, thereby, the appropriate stance of monetary
policy.
At the same time, I do not favor total discretion in which the monetary
policy strategy is determined in an ad hoc fashion as we go along.
For monetary policy to be most effective, market participants, households
and businesses need to be able to anticipate how the Federal Reserve is
likely to respond to evolving conditions.
That is because the transmission of monetary policy to the real economy
depends not only on what policymakers decide to do today, but also on
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 33
what the public anticipates that the FOMC is likely to do in the future as the
economic outlook changes and evolves.
Our experience at the zero lower bound in recent years underscores how
important expectations are in influencing the effectiveness of monetary
policy.
Policymakers thus need to act in a systematic and consistent manner so
that expectations are formed accurately and economic behavior can
respond consistently with those expectations. In my view, this
consideration rules out a totally discretionary monetary policy.
Before I critique the use of prescriptive rules in monetary policy-making, I'd
like to make it clear at the start that the Taylor Rule (by which I mean the
formulation based on John's 1993 and 1999 papers) has a number of
positive attributes that make it a useful reference for policymakers.
First, it has two parameters - the long-term inflation objective and the level
of potential output - that map directly to the Federal Reserve's dual
mandate objectives.
Second, the Rule has the desirable feature that when economic shocks push
the economy away from the central bank's objectives, the Taylor Rule
prescribes a policy response that can help push the economy back toward
the central bank's goals.
Third, a number of studies have shown that Taylor Rules are robust in the
sense that they generally perform quite well across a range of different
assumptions about how the economy is structured and operates.
Despite these attractive features, I don't believe that any prescriptive rule,
including the Taylor Rule, can take the place of a monetary policy
framework that incorporates the FOMC's collective assessment of the large
number of factors that impact the economic outlook.
As I see it, the Taylor Rule has several significant shortcomings that can be
detrimental to the attainment of the Federal Reserve's mandated objectives.
These shortcomings are not just theoretical; they have been very relevant to
monetary policy in recent years.
First, the Taylor Rule is not forward-looking.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 34
Its policy prescription is based on the current size of the output gap and the
deviation of current inflation from the Fed's objective, not on how these
variables are likely to evolve in the future.
So, in a rapidly changing environment, the Taylor Rule and other similar
prescriptive rules will wind up being "behind the curve."
For example, in the fall of 2008, Taylor Rule prescriptions were well above
the level of rates that was appropriate given the sharp and persistent
deterioration in the economic outlook and the sharp tightening in financial
conditions that occurred during that period.
Of course, many economists at that time recognized that such prescriptions
would have been inappropriate and suggested various ad hoc modifications
to the prescriptions - in fact, John himself suggested that modifications to
his rule were appropriate at that time.
Nonetheless, there was no consensus about the "right" modification to the
rules at that time, in part, because the circumstances were unprecedented
and the outlook so uncertain.
If the FOMC had been required to justify to Congress deviations from a
reference rule at that time, I believe that this would have slowed down how
we responded to the crisis and would have resulted in a monetary policy
that was not sufficiently accommodative.
The consequence could have been a longer financial crisis and a deeper
recession.
Second, the Taylor Rule, as typically used, assumes that a 2 percent real
short-term interest rate is consistent with a neutral monetary policy.
However, a large literature concludes that the equilibrium real short-term
rate is very unlikely to be constant, with its value affected by many factors,
including the pace of technological change, fiscal policy and the evolution of
financial conditions.
Sometimes it can be much higher than 2 percent.
Presumably, this was the case during the late 1990s as rapid technological
change lifted productivity growth. Sometimes it can be well below 2
percent.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 35
For example, when credit availability dried up during the financial crisis in
late 2008, this drove down the equilibrium real rate far below 2 percent.
More recently, the slow growth rate of the economy and the low rate of
inflation are evidence that the equilibrium real short-term rate today is well
below the 2 percent rate assumed in the Taylor Rule.
If 2 percent really was consistent with a neutral monetary policy, then the
very low real rates of recent years - buttressed by our large-scale asset
purchases - should have been extraordinarily accommodative.
As a result, we should have grown much faster than the 2½ percent pace
evident over the past couple of years and seen an inflation rate much higher
than what we experienced.
This conclusion is supported by a number of more formal models.
For example, the Laubach-Williams model currently estimates that the
equilibrium real short-term rate is around zero percent.
Third, the Taylor Rule - and more broadly, any prescriptive rule for the
systematic quantitative adjustment of the policy rate to changes in
intermediate policy inputs such as real GDP or inflation - is incomplete
because it does not fully account for factors that are crucial to how
monetary policy impulses are transmitted to the real economy.
Monetary policy affects economic activity through its impact on financial
conditions - including the level of equity prices, bond yields, the foreign
exchange value of the dollar and credit conditions.
If the relationship between the federal funds rate and other indicators of
financial conditions were stable, then one could just focus on the level of
short-term rates.
But, because financial conditions vary considerably relative to short-term
rates, as we have seen in the financial crisis and its aftermath, one needs to
consider developments in financial conditions more broadly in setting
monetary policy.
In fact, at times, when short-term rates have been pinned at the zero lower
bound, the Federal Reserve has taken actions that eased financial
conditions without changing short-term interest rates.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 36
Such actions have included forward guidance that the FOMC was likely to
keep short-term rates low for a long time and large-scale asset purchases
that led to lower bond term premia.
Now, as I said at the start, just because I don't want to follow a rule
mechanically does not mean that I favor the polar opposite - that is, a fully
discretionary monetary policy in which market participants, households
and businesses cannot anticipate how monetary policy is likely to evolve as
economic and financial market conditions and the economic outlook
change.
If households and businesses do not have a good notion of how the Federal
Reserve will respond to changing economic and financial market
conditions, then this would loosen the linkage between short-term rates
and financial conditions.
This would also likely lead to greater uncertainty about the outlook and
higher risk premia, and it would make it more difficult for policymakers to
attain their objectives.
Instead, what I favor is a careful elucidation of those factors that influence
the economic outlook and how monetary policy is likely to respond to
changes in the outlook.
This includes fiscal policy, productivity growth, the international outlook
and financial conditions, as well as how much employment and inflation
deviate from the Fed's objectives.
By conducting policy in a transparent way and communicating what is
important in determining the central bank's reaction function, I think
policymakers can strike the best balance between a monetary policy that
fully incorporates the complexity of the world as it is, while, at the same
time, retaining considerable clarity about how the FOMC is likely to
respond to changing circumstances.
A formal policy rule such as the Taylor Rule misses this balance by going
too far in one direction.
What is important for attaining the Federal Reserve's mandated objectives
is not that monetary policy is described in terms of a formal prescriptive
rule, but rather that the FOMC's intentions and strategy are well
understood by the public.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 37
This argues for clear communication through the FOMC meeting
statements and minutes, the FOMC's statement concerning its longer-term
goals and monetary policy strategy, the Chair's FOMC press conferences
and testimonies before Congress, and speeches by the Chair and other
FOMC participants.
But it also is important that the strategy be the "right" reaction function.
This means a policy approach that responds appropriately to important
factors beyond the two parameters of the Taylor Rule - the output gap
estimate and the rate of inflation.
Thank you for your kind attention.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 38
Nurturing resilience to the financial cycle
Alex Brazier, Executive Director for Financial
Stability Strategy and Risk of the Bank of
England, at the Property Investor's Banquet,
London
I am grateful to Martin Arrowsmith, Oliver Burrows, Neil Crosby, Kishore
Kamath, Magda Rutkowska and Robert Sturrock for their assistance in
preparing these remarks.
My Lord Mayor, Lady Mayoress, Ladies and Gentlemen.
It is a great honour to join you this evening.
It's clear why you are celebrating.
A crane-filled skyline to the City.
New office space completion in Central London: a ten-year high;
More than thirty schemes underway: a twenty-year high;
And transactions that are near a record high.
Half of them financed by capital attracted from overseas.
Commercial property is punching well above its weight in attracting capital
to Britain. Those capital inflows are helping to sustain steady growth while
our major trading partners lag behind.
So your industry is contributing to the livelihoods of people up and down
the country.
But while that's true in the good times, it's true in the bad times too: when
commercial real estate catches a cold, the whole economy starts to shiver.
It's not just that the construction industry suffers and jobs are lost, or that
banks are injured, impairing their lending to the rest of the economy.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 39
It's that small businesses see their own property fall in value - assets that
are vital to secure their borrowing.
And if the flow of foreign capital were to dry up or even reverse, there would
be wider consequences for spending, output and exchange rates.
So your continued success is important to everyone.
And yet, as you know all too well, the UK's commercial property market
hardly has a record as a beacon of stability.
But we shouldn't be fatalistic. We're not doomed to repeat the past.
Yes, the cycle is a force of human nature.
But resilience to it can be nurtured.
It will be a battle of nurture against human nature.
The time to start it is when people most feel like celebrating: when your
market is on the up. We have to start now.
And if we're going to have any success, we - the Bank of England, you - the
industry, and us - together, need to step up and act.
So this evening I want to set out what is being done.
At the heart of it is the need to ensure finance supports you through the
whole cycle.
The need to avoid the pattern - all too familiar to you - of financing
conditions going from conservative to careless and then to completely
closed, all too rapidly.
The need to replace financing that magnifies cycles of sentiment with
financing that mutes them.
And in this, the measures I'll outline this evening constitute one aspect of a
broader post-crisis endeavour to build, and maintain, a financial system
that supports, and does not disrupt, the real economy.
It goes by the name of macroprudential policy.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 40
Banking system resilience
The first step to nurturing a resilient environment is to reduce the prospect
of a sudden crunching of credit supply from an injured banking system.
In the financial crisis, as banks were holed below the waterline and new
lending seized up, the flow of new lending to commercial property collapsed
to a third of its earlier level.
Since the crisis, the Bank of England has been building a safer banking
system.
Measured on a consistent basis, major banks hold 10 times more capital
than they did before the financial crisis1.
And through stress testing, we're making sure they're able to withstand
severe stresses. By withstand, I don't just mean survive. I mean continue to
lend, including to you.
Last year, we tested whether the banking system could withstand a snap
back of long-term interest rates, a sharp fall in residential and commercial
real estate prices, and a deep recession - all without cutting lending.
This year we're testing whether they can withstand a synchronised, sharp
slowdown in China, emerging markets and Europe, and sharp falls in asset
and commodity prices - all while increasing lending to the UK real economy
by 10%.
We showed last year that, where the tests say a bank needs more capital,
we're prepared to take action.
And where the system needs strengthening as a whole, we can change
capital requirements to put additional resilience in, either across the board
through countercyclical requirements, or to particular sectors, through
sectoral capital requirements.
We are matching the strength of the banking system to the scale of risk it
faces, so you can be more confident that credit will be there when you need
it.
Resilient underwriting standards
We have to nurture more than the resilience of the banking system.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 41
Your balance sheets have to be resilient too. Over-gearing of your industry
has been a major driver of instability in the past, making you vulnerable to
the slightest change in sentiment.
In part that's the result of lenders offering deals in the good times that
present even the most responsible investors with an impossible choice: gear
up to uncomfortable levels or be forced out of the market.
To avoid that Hobson's choice, any slipping of lenders' standards has to be
addressed. That's why we're now reviewing the standards of major lenders
regularly.
This year we found loan-to-value ratios rising and interest cover ratios
falling, but from a very conservative starting point. We'll keep watching
this, and there will be a new survey in coming months.
We know that the importance of major UK lenders in financing you has
almost halved since the crisis.
While that diversity should be welcome - it should be a source of strength it can be a source of weakness if it simply moves gearing into a shadow on
our radar screen. It's essential that our radar technology keeps up.
The Bank's Commercial Property Forum, ably chaired by Ian Marcus, helps
us minimise the shadow on the screen. But we also want systematic data.
That's why I welcome the efforts of your industry, in partnership with us, to
build a database of CRE loans: a dataset that will be run and managed for
the public good, while respecting commercial confidentiality.
It can give you, and us, the information we need to manage the risk of
loosening underwriting standards.
Long-term valuations
But still more is needed to nurture a resilient market environment. You can
become over-geared without technical slipping of underwriting standards.
We've seen in the past how a change in sentiment can drive commercial
property prices up even without the prospect of improvement in the
cashflows which the property will generate.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 42
That creates headroom for those already in the market to borrow more
without breaching their loan-to-value standards. And the use of that
headroom drives prices up further.
An ultimately pernicious spiral of sentiment and debt begins. Valuations
and debt increase sharply relative to the cashflows that support them.
When the music stops, the process goes into sudden reverse. As valuations
fall, borrowers are left struggling to service loans that are greater than the
value of the property.
Firesales begin. Sentiment deteriorates. And market valuations collapse.
In short, finance magnifies the cycle.
This is detrimental to you, to lenders, and to the rest of the economy. And to
your great credit, your industry has been in the vanguard of thinking to deal
with this.
The proposal of the cross-industry Vision for Real Estate Finance, led by
Nick Scarles of Grosvenor, was that everyone - lenders, borrowers and
regulators - should consider appropriate levels of debt not relative to
market prices but relative to cash flows capitalised at long-term,
cycle-neutral, rates.
Put simply, if prices rise because of sentiment rather than cashflow
prospects, that should result in greater reliance on equity, rather than debt,
finance.
So when the inevitable reverse in sentiment happens, it won't be magnified
by an over-indebted industry.
The industry proposal is music to our ears. If you apply it, it will stop debt
running away unsustainably in the good times. And it will cushion the bad
times.
It's countercyclical, mirroring the way capital requirements for banks will
now operate.
And it's completely in tune with the broader aim of reducing the way
finance magnifies cycles.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 43
So we want to help you make progress with it. As capitalisation rates come
down from their post-crisis highs, the need to do so is increasing.
So in a matter of months, the Bank of England will start reporting
market-wide indicators of valuations and gearing based on cashflows
capitalised at cycle-neutral rates.
It will help you to measure the risks. And risk that gets measured can get
managed, by you and by us.
These measures aren't a panacea. They can't guarantee occupancy rates or
rents for you. But had they been used to guide your decisions and our
policy, they would have made a real difference in the run-up to the crisis.
In fact, the last commercial real estate cycle could have been severely
curbed and loss rates for some banks dramatically reduced.
So your industry really does deserve great credit for taking the lead in
developing the answers. Now - when you most feel like celebrating - is the
time to start applying them.
Resilience in the future
If we continue to work together there is a real prospect of nurturing a
market that keeps up with the cycles of human nature.
But nature will fight back. The drivers of cycles will evolve. History may
rhyme, but it rarely repeats.
Just look in this cycle at the rapid inflows of finance to commercial property
from retail investors in open-ended funds. More than 6% of the stock of
commercial real estate finance is now held in these funds, and is growing
rapidly.
Now, a shift in finance, from bank debt to fund equity can be good for
stability. It's one part of the broader inflow of equity in this cycle, which is
helping to keep gearing down as prices rise.
But it's not risk free. Fund investors offered redemption at short notice can
create problems if prompted to herd to the exit.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 44
In the 2008 crisis, we saw redemptions from property funds reach more
than one half of assets under management. Many of you saw the
consequences - firesales of assets, magnifying the market downturn.
Open-ended property funds now have 80% more assets under management
than they did on the eve of the crisis.
So the growing importance of funds offering short notice redemption and
investing not just in property but in other potentially illiquid markets too, is
a focus of regulators in the UK and internationally.
The Bank of England, along with the FCA, is looking closely at the ways
these funds might contribute to broader instability.
And it's in part thanks to working closely with you that we're alert to this.
By working together, our nurturing of resilience can keep up with nature's
inevitable fight back.
We can together create an environment that gives you the best chance of
success. Whether you succeed will be down to you. But one thing is for sure.
Your success is important to everyone.
For its part, the Bank of England is committed to ensuring the financial
system serves you - the real economy.
That's why, here at Guildhall, in 23 days' time, we're hosting an Open
Forum to bring together policymakers, financial market users, academics,
and wider society.
The aim is to chart the way for financial markets so that they serve their
users and contribute to prosperity.
You can sign up on our website.
Please do. Because your industry has taken a lead in learning from the past,
in leading the changes needed and in having a sense of your responsibility
to the wider economy.
Yours is a model of engagement for others to emulate. And I look forward to
continuing to work together.
Thank you.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 45
EIOPA advices to set up a new asset
class for high-quality infrastructure
investments under Solvency II
The European Insurance and Occupational
Pensions Authority (EIOPA) published its
Advice to the European Commission on the identification and calibration of
infrastructure investments risk categories.
 Robust criteria have been put forward to identify eligible infrastructure
projects;
 Risk charges for investing in qualifying infrastructure projects have been
carefully calibrated to the respective risks leading to a different treatment;
 To benefit from a different treatment insurers will need to conduct
adequate due diligence as part of an effective risk management of this
complex and heterogeneous asset class.
EIOPA has suggested a more granular approach by advising to create a
separate asset class under Solvency II standard formula for investments in
infrastructure projects.
This new asset class seeks to capture high quality infrastructure, whilst
recognising the complex and heterogeneous nature of such investments.
The proposed approach meaningfully reduces risk charges for qualifying
infrastructure project investments in equity and debt.
At the same time EIOPA proposes robust risk management requirements
including active monitoring of exposures to infrastructure projects as well
as sound stress testing of their cash flows.
Gabriel Bernardino, Chairman of EIOPA, said: “EIOPA has made
remarkable progress in proposing a new asset class and a prudentially
sound regulatory treatment within a very short timeframe.
Investments in infrastructure could be very important for the insurance
business because, due to their long-term nature, they may be a good fit to
match long-term liabilities while also increasing portfolio diversification.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 46
However, infrastructure projects can be very complex and require specific
risk management expertise. It is very important that risks of infrastructure
investments are properly managed and monitored over time.
Under such conditions, I believe that the proposed calibrations reflect the
risk profile of high-quality infrastructure projects”.
According to the Advice, qualifying infrastructure investments will need to
satisfy conditions relating to the predictability of the cash flows to
investors, the robustness of the contractual framework, and their ability to
withstand relevant stress scenarios.
Regarding calibrations, EIOPA recommends that the spread risk charge
within the Solvency II standard formula is amended for qualifying
infrastructure debt investments according to a modified credit risk
approach (reduction of around 30% in the risk charge for BBB rated
qualifying infrastructure).
Risk charges for infrastructure equity investments are proposed to be in a
range between 30% and 39%.
In terms of risk management, insurers should in particular conduct
adequate due diligence prior to the investment; establish written
procedures to monitor the performance of their exposures and regularly
perform stress tests on the cash flows and collateral values supporting the
infrastructure project.
The Advice: https://goo.gl/JaK1x2
Note
The European Insurance and Occupational Pensions Authority (EIOPA)
was established on 1 January 2011 as a result of the reforms to the structure
of supervision of the financial sector in the European Union.
EIOPA is part of the European System of Financial Supervision consisting
of three European Supervisory Authorities, the National Supervisory
Authorities and the European Systemic Risk Board.
It is an independent advisory body to the European Commission, the
European Parliament and the Council of the European Union.
EIOPA’s core responsibilities are to support the stability of the financial
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 47
system, transparency of markets and financial products as well as the
protection of insurance policyholders, pension scheme members and
beneficiaries.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 48
Progress on prudential regulation and
three areas to complete
Andrew Bailey, Deputy Governor of Prudential
Regulation and Chief Executive Officer of the
Prudential Regulation Authority at the Bank of
England, at the City Banquet, Mansion House,
London
My Lord Mayor, Ladies and Gentlemen - it is a great pleasure to be here
again at the regulators dinner, and it is very good of you to entice so many
people here tonight with the prospect of an evening with regulators.
I won't speculate on how this ranks on the scale of evenings spent in our
cosmopolitan capital city. It is also a great pleasure to be speaking here
tonight with Tracey.
This evening I want to describe the progress we have made on prudential
regulation and then examine a number of topical issues for the PRA and the
Financial Services industry: the Senior Managers and Certification Regime;
structural reform and ring fencing; and what the PRA is doing to pursue its
secondary objective on competition.
A common theme here is getting the incentives right to support good
outcomes in relation to both prudential and conduct objectives.
Progress
It is over eight years now since the financial crisis began in this country.
And to continue Tracey's theme for a moment, it is possibly salutary to
recall that amidst the many bad events of Autumn 2007, England reached
the Final of the Rugby World Cup. I didn't expect to say "those were the
days" about 2007.
It was natural that the first response to the financial crisis in terms of
reforms was focused on the bedrock prudential issues of capital and
liquidity in banks.
This has been supplemented by the drive both internationally and
domestically to solve the too big to fail problem through a combination of
resolution measures at the centre of which is agreement on total loss
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 49
absorbing capacity for those banks which require such a bulwark to ensure
orderly resolution in the event of failure.
This is crucial to break the dependence of failing banks on injections of
public money and likewise to break the impact of solvency problems in
banks on the public finances.
This is an international as well as domestic agenda of reforms aimed at
fixing the fault lines that caused the financial crisis, building a more
resilient and open global financial system, and deepening and building
trust across jurisdictions.
I have said before, but I think it justifies repeating, that we are unwavering
supporters of an open global financial system which finances the
investment and trade necessary to support strong, sustainable and
balanced growth.
As we see and seek to deal with new risks to the world economy and to
global financial stability it is always important to remember that free trade
and free capital flows are the foundation of a successful world economy
with all the benefits that brings for the welfare of people.
So, it should be no surprise that our focus is on three things: first, full,
consistent and prompt implementation of the already agreed reforms
across the financial system, and here I would note that the largest single
activity for the PRA this year is to complete the implementation of Solvency
2 for insurers for the end of this year, something I believe we are on course
to do; secondly, finalising the design of the remaining post-crisis reforms
and thus providing the much needed clarity around the future regulatory
system; and thirdly, scanning the horizon for new risks and vulnerabilities
that appear on our landscape, ones such as the risk of cyber disruption.
I think there is solid evidence of progress in all of these three areas.
Internationally, there is plenty of evidence of shared objectives and effective
co-operation among national authorities to solve common problems and
"own" and thus implement the resulting reforms.
An example over the last year has been the building of strong working
relations between the PRA and our colleagues at the Single Supervisory
Mechanism of the ECB.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 50
This can only be for the good, and represents the much needed close
working of people who are on the front line supervising the system.
We also want to encourage sound market-based finance and we are, for
example, strong supporters of the EU initiative on simple, transparent and
standardised securitisation.
Finalising design
When I look at the remaining agenda of post-crisis reforms to be agreed, it
is striking that they are not about capital levels in the same way that we saw
immediately post-crisis.
True, there is work in Basel but that is much more about refining the
framework than a step change in capital requirements.
As part of this there is work to agree and implement the leverage ratio
internationally, and to improve the use of models to estimate capital
requirements so that they are used only for asset classes that lend
themselves to modelling of this sort and we have an acceptable degree of
consistency across banks.
There are two important points I want to draw out which are by no means
uncontroversial.
First, it is sometimes said that the banking system still needs markedly
more capital, and that a focus on other issues is a distraction from tackling a
system that is still over-leveraged.
The second, closely-related, point is that we should focus much more
exclusively on non-risk based measures of capital requirements.
I don't agree with either of these positions, and nor would I say do most
supervisors I know.
I have been and remain a strong supporter of the reforms to date and the
higher levels of capital put in place, and I am a strong supporter of having
the leverage ratio in our toolkit and that for some assets it is the "biting"
approach and therefore it is not just a backstop.
But I disagree with those who want to go much further, for reasons which
are at the heart of what we are doing.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 51
First, because to argue for much higher capital on top of what has been
done since the crisis is to argue that what is being done on resolution and
loss absorbency is of little use.
This misses the point that resolution is about being able to stabilise and
then where necessary close or restructure failing banks. In other words,
resolution is a much more extensive approach, and in my view very
necessary.
The design of international policy measures to end too big to fail is now
largely complete for banks, but substantial work remains to put these into
effect in terms of resolution plans.
Second, understanding how banks take and manage risk, the controls they
have and the quality of risk management, is at the heart of the job of a
prudential supervisor.
That's what we do every day, and the standards of this work have been
raised extensively since the crisis, which was very necessary.
Now, it is possible I suppose to argue that a focus on oversight of risk
management should be pursued alongside a sole focus on a non-risk based
capital measure like the leverage ratio.
But in my view that is a flawed argument because the prevailing capital
regime has a strong influence on how firms take and manage risk, in other
words it creates the incentives.
And, if we only used a non-risk based system, we would incentivise firms to
disregard the amount of risk per unit of assets on their balance sheet.
The leverage ratio is firmly in the camp of necessary but not sufficient, as is
the risk-based approach.
The third reason why I disagree with the much more capital school of
thought is because there are more important things for us to do, which
revolve around getting the incentives for behaviour right in firms.
This is why as supervisors, both prudential and conduct, we spend so much
time on governance in firms and on getting the incentives aligned for
individuals through our approach to remuneration and to the responsibility
of individuals.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 52
We have achieved much progress towards strengthening the resilience of
the global banking system, with stronger capital ratios, and this has
demonstrated in my view the important principle that appropriately strong
capital positions support rather than deter lending by banks.
Jobs still to finish: three topical issues
The Senior Managers Regime
The Senior Managers and Certification regime for banks is a product of the
Parliamentary Commission on Banking Standards chaired by Andrew
Tyrie, put into legislation and to be implemented by the PRA and FCA by
next March, so not long to go now.
The current approved persons regime has not delivered effective incentives
and thus behaviour.
As part of last week's announcement on the Bank of England and Financial
Services Bill, the Government put forward an important change to the
senior managers regime for banks, by removing the "presumption of
responsibility" and replacing it with a "duty of responsibility".
I can tell you from my postbox in all its many forms, that the "presumption"
is the most controversial element of the new regime.
On its own that is not a good reason for change. I want therefore to explain
why the change does make sense, and why the new regime should create the
right incentives.
In the current Approved Persons regime, the PRA and FCA can take formal
action for misconduct against an approved person either if that person has
failed to comply with the statements of principle (which will become in the
new regime common rules of professional conduct) or they have been
knowingly concerned in a breach of a regulatory requirement by the firm.
The burden of proof in an enforcement action falls on the regulator.
The Banking Reform Act adds a third reason to take enforcement action
against senior managers (not others) in these firms if: the firm (and I
emphasise here the firm - going beyond the individual) has breached
regulatory requirements; and the senior manager is responsible for the area
of the firm in which the breach occurred.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 53
The Act goes on to say that the person would not be guilty of misconduct if
they satisfy the Regulator that they have taken such steps a person in that
position could reasonably be expected to take to prevent the breach.
For the first two limbs the burden of proof would fall on the Regulator in
the same way as the continuing provisions I mentioned earlier.
But, crucially, it would be for the senior manager to satisfy the Regulator on
the question of reasonableness - thus the presumption is created until it is
rebutted.
The change that the Government has announced to create "the duty of
responsibility" will, if Parliament approves it, replace the presumption with
a statutory duty on senior managers to take reasonable steps to prevent
breaches of regulatory requirements by their firms from occurring.
Thus it will be for the Regulator to show that the senior manager did not
take such steps as it was reasonable for a person in that position to take to
prevent the breach of regulatory requirements.
In my view this does not represent a watering down of the requirement.
Why?
Well the "duty of responsibility" creates a positive duty on senior managers
to take reasonable steps to prevent regulatory breaches occurring.
This will be on a statutory footing, which hardwires the concept in the very
fabric of the regulatory regime, rightly reflecting the importance which
society places on this issue.
Let me be very clear, substituting "duty" for "presumption" changes the
mechanism of enforcement not the substance of the requirement on senior
managers, and I would not support changing the latter.
There has been a lot of noise around the new regime in recent months, and I
have asked people involved whether their problem was with the
"presumption", or with the regime more broadly.
The universal answer has been that the difficulty was with the
"presumption" not the regime which appears to have broad support.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 54
So, if Parliament is in agreement, and I do not presume to take that for
granted, I expect that the new regime will be put into effect in the spirit with
which it is intended, and that the focus will shift to that spirit and away
from finding ways to circumvent the "presumption".
To be blunt, I hope that those within firms and their advisors will respect
the will of Parliament on this crucial point.
The new regime matters hugely for getting the right incentives for people
running firms.
The important word is not "presumption" or "duty but rather
"responsibility", it's about holding people more personally to account.
If there are people who wish to argue that they should not take on the
responsibilities of the job they do, then I believe they have no place in the
industry, it's that simple.
We all want well-run firms where senior people lead and take
responsibility.
And I know that this is how the vast majority of people do behave, because I
observe it.
The senior managers and certified persons regime is also not purely, or in
my view even primarily, a tool of enforcement.
Our job is always to apply forward-looking judgement to prevent problems
occurring; and the new regime will ensure that the incentives on senior
managers in the roles that they perform align with that approach.
But, just as Parliament has recognised that it is not the PRA's role to ensure
that no firm fails, likewise we should not expect the Regulators to prevent
all failures, or misconduct, by individuals.
The PRA's enforcement powers are a necessary part of its toolkit, and we
will use those tools when the circumstances warrant it. But they are not our
primary mode of operating.
Also, the Government announced last week that - subject to agreement by
Parliament - it plans to extend the Senior Managers regime to other firms
across the industry. This is a further step in the right direction.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 55
There is no doubt that one regime will be better than many.
Lastly on the senior managers regime, there is one other very important
broad reason for putting it into place.
On and off I have been involved in regulation for over twenty five years.
During that time a few regimes have come and gone, and there have been
debates about self-regulation versus a regime more purely in the hands of
public authorities.
This debate strikes me as a gross over-simplification. Self-regulation
doesn't work if there is no clear and consistent allocation of responsibility
for the public interest objectives of financial regulation to public bodies that
are answerable to the government and to parliament.
But likewise, public bodies cannot seek to take on the responsibility of
managing within firms, something that has to be the responsibility of
boards and management.
The senior managers and certification regime is vital here because it creates
the framework to establish effective responsibility within firms, while
maintaining the role of the public authorities, the PRA and FCA, for
supervising and enforcing the public interest.
A very good example of how this should work can be seen in the
recommendations of the Fair and Effective Markets Review, which provide
a means to establish and maintain high conduct standards in financial
markets.
Structural reform
I want now to turn to structural reform and ring fencing.
This is a subject in its own right, but I can assure you that I intend to be
brief on this one tonight. We are now well into implementation.
Last week we issued our second consultation paper on implementing the
regime, and we plan one more such paper which will be more in the form of
a wrap up of points raised and a few outstanding actions.
Any structural reform measure involves complex implementation, the devil
is always in the detail, and we need to get that right. I read from time to
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 56
time that we are apparently watering the regime down via the
implementation.
I can assure you that we are not doing so, and we should not because that
would go against the will of Parliament.
But, sensibly, the regime sensibly allows for a degree of flexibility in how
the requirements are implemented, recognising the differences in business
models, legal structure and strategy of various firms.
That was essential and sensible because a rigid definition of the fence would
not work well for all firms.
To ensure balance, I should say that I also get the opposite commentary,
that the implementation is too rigid.
One particular form of this commentary is that our rules on the governance
of the ring fenced bank within a group mean that it will be independent in
all respects, and that, proverbially, it will be able to stick two fingers up at
its parent. No. The ring fenced bank will have to observe the law in respect
of the requirements of ring fencing, not more than that.
This is not really different from the position for banks that have
subsidiaries operating in other countries, they have to respect the laws of
the country in which they operate.
But, let me be clear what it does not mean: it does not mean that the ring
fenced bank can set its own strategy and thereby ignore the group to which
it belongs; it does not mean that it can set its risk appetite in isolation of the
group to which is belongs; it does not mean that it can refuse to pay a
dividend to its parent if it is adequately capitalised both now and looking
forwards using stress tests (in other words, it does not have a reason to trap
excess capital); and it does not mean that its CEO can ignore the Group
CEO. But, and this is crucial, the group cannot require the ring fenced bank
to break the rules of ring fencing. I hope this is clear.
If you think we have watered down the regime, please let me know.
Competition
I want to finish on an equally important subject, namely competition in the
banking industry, which is of course topical today in view of the CMA's
report.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 57
The PRA has been given by Parliament a so-called secondary objective
which I think is best described as requiring us to act in respect of the
competitive implications of our own actions and inactions but only to the
extent that we are not undermining our primary objective for banks of
safety and soundness.
We have been working to embed the secondary objective in the PRA, and to
date our most publicised actions have been in the area of new bank
authorisations.
The PRA has authorised ten banks in the last two years, and currently we
have a substantial pipeline of interested parties.
We are thinking about competition in our domestic work, but also about
how we approach international policy issues.
For instance, this week our response to the European Commission's
consultation on the impact of the new capital regime has been published.
It is quite often said that aspects of the capital regime discriminate against
smaller banks and building societies that use the so-called standardised
capital approach versus larger banks that use their own models.
The consequence of this is that smaller banks and building societies cannot
compete effectively in lower risk asset markets such as prime mortgages
because the capital requirements are too far apart and in favour of large
banks.
This forces them into riskier assets and undermines their position.
This is an area where the leverage ratio acts to counterbalance the
difference, a point that is not well enough understood.
But in our response to the European Commission we said that while the
financial stability benefits from regulation of large, internationally-active
banks mean these firms should meet global standards, a differentiated
approach for smaller firms would recognise the high costs and smaller
benefits of applying global standards to them, and should enable us to find
ways to create a regime which is more simple and which reduces their
reporting burden.
This would help to foster competition and would be good for the European
Single Market.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 58
This is an important issue, and one that matters if we are to have growing
challenger banks.
We want to put such a regime into effect, and thus demonstrate that at the
PRA we are very serious about our competition objective. I hope the
European authorities will likewise pursue this important change.
We will also be arguing in Basel and in the EU to narrow the gap between
standardised and internally modelled capital requirements for prime
mortgages including by having more risk sensitivity in the standardised
approach.
And, we have also tightened the standard for models.
I also want to be clear that we welcome internal model applications by
smaller banks and we will do what we can to help them meet the required
prudential standards, which are largely set out in the EU legislation.
Lord Mayor, a year in your office is never dull, and likewise our world is
certainly full of interest.
I have ranged quite widely this evening to give a report on a number of our
key areas of activity.
There are however some very important core principles at the heart of our
work, getting the incentives right for firms and individuals, and establishing
the importance of personal responsibility within an appropriate setting.
I have been blunt on one or two points and this may provoke debate.
This is a good thing, and we will have the opportunity to return to the
debate on these issues at The Open Forum being organised at the Guildhall
on November 11th.
I know you will be there, as will Tracey and I. Please, will everyone
participate, and to find out more consult the Bank of England website.
Thank you.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 59
Game changers in financial markets regulation, innovation and cybersecurity
François Groepe, Deputy Governor of the South
African Reserve Bank, at the STRATE, PASA and
GIBS Conference, Johannesburg
Introduction
Good day, ladies and gentlemen.
I would like to thank the organisers of the STRATE, PASA and GIBS
Conference for inviting me to give this keynote address.
I look forward to sharing my views on the developments that can be
considered game changers that may affect financial markets and shall focus
primarily on regulation, innovation and cybersecurity in this context.
A game changer can be defined as "a newly introduced element or factor
that changes an existing situation or activity in a significant way".
Another way of thinking about game changers may be in terms of what the
well-known Austrian-born economist, Joseph Schumpeter, called "creative
destruction".
Schumpeter, writing on economic and social evolution in his work
Capitalism, socialism and democracy in 1942, wrote:
The opening up of new markets, foreign or domestic, and the organisational
development from the craft shop to such concerns as US Steel illustrate the
same process of industrial mutation - if I may use that biological term - that
incessantly revolutionises the economic structure from within, incessantly
destroying the old one, incessantly creating a new one. This process of
creative destruction is the essential fact about capitalism.
Inventive economists have since adopted this term to describe the
disorderly manner in which the free market delivers progress.
The disruptive nature of innovation is essential for both progress and
prosperity, and the theory of "creative destruction" gives us some insights
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 60
into understanding this phenomenon and the evolutionary changes that
follow in its aftermath.
Disruptive innovation brings opportunity in the form of productivity gains,
for example, but it also brings challenges such as increased cyber-threats
and vulnerabilities stemming from the greater degree of
interconnectedness and, in the latter case, increased risks of contagion.
Regulation, by necessity, has to keep pace and respond to the changing
environment.
Unfortunately, regulators often play catch-up due to the speed of
technological change and innovation as well as their lagging ability to fully
understand the technology and the risks that it may give rise to.
Despite this, regulators should promote an environment that is conducive
to technological change and at the very least not become a hindrance or
frustrate innovation as it supports economic development and growth.
In this regard, the OECD opines:
One of the important lessons of the past two decades has been the pivotal
role of innovation in economic development.
The build-up of innovation capacities has played a central role in the
growth dynamics of successful developing countries.
These countries have recognised that innovation is not just about
high-technology products and that innovation capacity has to be built early
in the development process in order to possess the learning capacities that
will allow "catch-up" to happen - Ultimately a successful development
strategy has to build extensive innovation capacities to foster growth.
1. Regulatory developments affecting financial markets
The most recent global financial crisis has impacted negatively on the
global economy and financial markets, and has revealed significant
deficiencies in the policy frameworks of many countries.
In an attempt to address these deficiencies, the G-20 has called for financial
markets and regulation to be reformed, with the objective of making
financial systems more resilient.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 61
This initiative has accelerated the rate of reform, with governments putting
increasing pressure on regulatory authorities to adhere to and implement
international best practice and standards.
Activities offered by financial service providers in the financial system are
highly interconnected, and these services are inseparably integrated into
both the domestic and the international economy, which means that
regulatory authorities had to take note of the way in which these markets
are developing and the role they play within the broader global context.
The magnitude of the financial system and regulatory reform has been
unprecedented. The reforms have focused mainly on the banking,
insurance and financial markets and providers of financial services, as well
as on the infrastructure supporting these sectors.
As regulatory frameworks develop and reforms are implemented, new
aspects to financial regulation come to the fore.
Previously, regulators were mainly concerned with the supervision of banks
and the oversight of payment systems.
Now they have to contend with a much broader universe (which includes
non-bank participants in the financial markets) and consider
shadow-banking, how it affects the financial system and financial stability,
and how to regulate these activities.
The focus, however, is no longer narrowly on prudential regulation.
In this age where we are confronted with a society that is well informed and
digitally connected, that proactively engages in consumer activism and that
places great emphasis on values such as fairness, the spotlight shines
brightly on issues such as market conduct, transparency and calls to "level
the playing fields".
It is indeed so that regulation and liberalisation happen in cycles, and
periods of deregulation are often followed by periods of re-regulation.
Given the devastating effects of the most recent global financial crisis, the
astronomical social costs resulting from it, and the perceptions around the
role that financial engineering and technology alongside deficient
supervision and regulation played in the run-up to the crisis, we have
inevitably been catapulted into an epoch of re-regulation.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 62
Regulators and economic agents alike face a number of challenges at this
point in time.
These include:
1. International standards have been developed - for markets, regulators
and participants - to assist with the management of risks and even
behaviour.
Whether they are encapsulated in the new Basel III requirements for capital
or liquidity, or in the Principles for financial market infrastructures, or in
the codes of conduct, these standards are introducing requirements that
require adherence.
Non-compliance with these standards is likely to lead to hefty penalties.
There is a strong demand for participants to be accountable and
responsible, and to incur liability if they are not playing by the rules.
This has resulted in numerous large financial-sector firms being slapped
with fines running into billions of dollars.
2. Standards are inextricably linked to the next point, which is governance
arrangements and remuneration.
Governance arrangements have been a focal point for some time now, and
recent events in international markets have highlighted the importance of
good governance and of ethical behaviour from all stakeholders.
The global financial crisis has also refocused the attention of regulators on
the remuneration structures of management and other individuals
participating in financial markets and systems.
This, in some ways, can be related to what economist describe as the
"agency problem" and which under certain conditions may result in
risk-shifting.
This is a key area of focus of reform in attempts to promote the soundness
of the financial sector in particular, hence governance arrangements and
remuneration continue to be intensely discussed at various international
regulatory forums.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 63
3. "Shadow-banking" and "new (non-bank) participants" have come into
sharp focus since the global financial crisis due to their role in the run-up to
the global financial crisis and in financial regulatory arbitrage.
Efforts to regulate these entities will intensify. This is likely to draw
criticism from certain quarters but is entirely justifiable.
The reason is that shadow-banking has the potential to transform the
financial environment, to open up markets, to promote financial inclusion,
to reduce frictional costs, and so forth.
Hence, the further development of shadow-banking should be encouraged,
simultaneously mitigating any risks that these entities may pose to the
financial system and ensuring that the playing fields are level.
4. Financial market infrastructures (or FMIs), resolution and cross-border
issues constitute a further challenge. Central banks have traditionally
fulfilled the role of lender of last resort to commercial banks.
The global financial crisis has shown that central banks may need to
reconsider this function and consider the role of FMIs.
Financial markets are interconnected and integrated internationally,
creating a further challenge for central banks as they need to consider the
position and cross-border transactions of global FMIs.
5. Conduct has already been raised in terms of standards, codes and
governance.
As much as financial market participants must come to terms with the fact
that there are now a multitude of regulators to contend with, regulators
need to consider the mandates of other regulators and agree on
arrangements or memorandums of understanding to work with one
another to create an enabling environment for a safer financial sector.
It is also vitally important that regulators do not merely regulate because
that is their mandate.
It is vital that the impact of regulation is properly assessed ex ante and that
careful consideration is lent to the possible unintended consequences and
the economic costs of unnecessary regulation or so-called "red tape".
Regulators should strive towards smart and effective regulation as opposed
to simply issuing more regulations.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 64
2. Innovation and financial markets
Regulators should not inhibit innovation. However, as custodians of
financial stability, central banks in particular are tasked with the safety and
efficiency of financial systems, and should act appropriately to address any
risks that may emerge.
Electronic trading in South African bonds
During 2012, the Bond Market Development Committee, under the
auspices of the Financial Markets Liaison Group, embarked on an initiative
to enhance liquidity in the South African bond market.
The Bond Market Development Committee, chaired by National Treasury,
and in consultation with the World Bank and bond market stakeholders,
has made considerable progress and is currently at an advanced stage of the
development of an electronic trading platform; it is envisaged that the
platform will be introduced before the end of this year.
The initial phase will, however, include only government bonds; it will be
expanded to corporate bonds at a later stage.
Initially in the electronic trading platform, primary dealers will be the only
"price makers" while the rest of the market will be "price takers" but with
full access to trading and pricing information.
In addition to the general benefits of enhanced market transparency, credit
risk management and trading, the electronic trading platform also aims to
improve liquidity by expanding this platform to include other market
participants complying with the requirements as market makers, in
addition to the primary dealers. Competition among market makers is
paramount to supporting liquidity at an instrument level and to minimising
transaction cost.
The introduction of the electronic trading platform will enable National
Treasury and the South African Reserve Bank to monitor market-making
activities in the secondary bond market, which could result in the enhanced
monitoring of liquidity conditions.
Enhancements to over-the-counter trading
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 65
In response to the recommendations of the G-20 and the subsequent
Principles for financial market infrastructures, the South African Central
Securities Depository, known as STRATE, is in the process of addressing
the lack of transparency and risk management in over-the-counter (or OTC)
instruments.
To address these concerns, the Financial Markets Act was promulgated and
regulation was passed to include the clearing through a central counter
party and to record all the financial transactions of OTC derivatives
contracts in a Trade Repository.
Collateral optimisation
In collateral markets, "collateral optimisation" has become a key objective.
Not only do banks invest in systems that optimise the way in which their
collateral can be utilised, but vendors and central securities depositories
now also provide these services to their clients.
These smart systems have built-in intelligence which optimises the way in
which the collateral is applied and will substitute assets if required.
An example is the Clearstream collateral management system, which is
gaining momentum globally.
The speed of transactions
The need for faster services, trading, transactions and payments is
stimulated by a generation demanding access and speed, accommodated by
the proliferation of new technologies, growing familiarity with technology,
and expectations of real-time satisfaction if not gratification - not only in
financial market transactions and payments, but also in communication,
services, social media and entertainment.
Participants in financial markets have created systems which enable the
"trawling" of financial markets to detect opportunities within markets and
then to transact on these opportunities within milliseconds - also termed
"high-frequency trading".
Not only do these transactions take place within seconds; the system
development and innovation within financial markets makes it possible to
transact from anywhere in the world 24 hours a day, seven days a week.
Blockchain technology
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 66
Blockchain technology, another example of the recently trending
phraseology, enables the ordering (grouping) of various transactions in an
inexpensive decentralised manner by making use of a number of servers.
These transactions are not only limited to near-real-time payments but can
also include financial market transactions and information relating to the
settlement thereof.
Blockchain has the ability to reduce transaction costs, as it takes away the
requirement for intermediaries and is completely decentralised.
Blockchain is still in its infancy and while regulators and markets are still
trying to get to grips with the concept of Bitcoin, newer or more innovative
technologies are already on our doorstep.
3. Cybersecurity
The developments in cyberspace are a cause of concern for regulators,
financial market participants, business and informed consumers.
With the interconnectedness of systems and the ease of Internet access,
regulators need to understand the cyber-threats that the financial system is
exposed to.
Nearly every week one reads about the latest victim of a cyberattack, and
the targets range from banking systems through consumer information
held by retailers to social media facilitators and even governments.
The rapid developments in technology and the cyber-world have opened the
doors to a new and uncharted frontier.
Companies and countries alike are trying to get to grips with this latest
threat and to find ways in which to mitigate the risk while protecting their
information and reputation at the same time.
Governments, central banks, financial service providers and companies are
expanding their cyber-protection capabilities.
This means there is a growing demand for the limited technical skills
available in this environment. The focus is, however, not only on
prevention.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 67
In responding to security breaches, one has to respond with agility and
speed while trying to limit the damage done and importantly to ensure
continuity of service.
Conclusion
In conclusion, I would like to revisit the idea of a "game changer". A game
changer can be the discovery of something as small as a molecule or the
invention of something that transforms the way in which we communicate,
like mobile telephony.
The way in which one looks at game-changing innovations will alter the way
in which one sees the world and will affect one's strategies and business
plans.
Game changers can be perceived as opportunities or threats, and both the
number and the frequency are likely to increase in the future.
No country can afford to have a myopic view and narrow national focus
when it considers the game changers in financial market developments.
Equally, regulators cannot afford to be left behind and only react to the
changes in financial markets.
Regulators must work alongside all stakeholders and not only the
incumbents to try to understand the disruptive innovations and the policy
implications thereof.
It is important to emphasise the point of incumbents, as Rajan and Zingales
eloquently set out the role that incumbent coalitions play in financial
system developments but also underline how such coalitions may hold back
financial sector development.
Lastly, regulators need to be agile and forward thinkers and appreciate that
their role extends beyond simply regulating. Their role is to help facilitate
progress with the ultimate objective of improving the quality of peoples'
lives.
Thank you.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 68
NCSA statement following report of
data breach at Experian, Exposing
T-Mobile Customer Data
Following a massive data breach at Experian, 15 million current or former
T-Mobile customers woke up this morning to unsettling news: their
sensitive personal information – names, addresses, Social Security
numbers, birthdays and unique identification numbers – is now likely in
the hands of malicious hackers.
According to news reports, this is not the first time Experian has faced a
data breach of this nature.
It’s not surprising that data brokers or credit bureaus ‒ who collect millions
of people’s most private details – are prime targets for cybercriminals, but it
is disconcerting.
More than 80 percent of data breach victims firmly place the responsibility
of protecting their information on data brokers, according to a new victim
impact survey by the Identity Theft Resource Center.
Following a string of recent attacks on Experian and others, it is clear that
data brokers need to do more to meet consumers’ expectations.
“When consumers entrust companies with their personal information, they
expect their data to be stored as safely and securely as possible and their
privacy protected,” said Michael Kaiser, executive director of the National
Cyber Security Alliance.
“Learning that this trust has been broken – through no fault of their own –
can be highly distressing.
As much as we have come to rely on technology, we must do so with the
understanding that it is not risk-free.
We urge anyone impacted by this incident to take actionable steps to better
protect their digital data, such as by turning on two-factor authentication
on email and financial accounts, not clicking on suspicious links, and using
public WiFi wisely.”
This breach occurs at the National Cyber Security Awareness Month, co-led
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 69
by the Department of Homeland Security and the National Cyber Security
Alliance, and serves as a reminder of the need for everyone to take steps to
be safer and more secure online.
It is a good time to remind consumers impacted by this breach – and
everyone else – to take the following proactive steps to better secure their
digital lives:
1. Get two steps ahead and protect core accounts ‒ such as email, financial
services, and social networks ‒ with multifactor authentication.
Multifactor authentication requires a second step, such as a text message to
a phone or the swipe of a finger to be used in addition to a password to log
on to an account.
This second step makes it significantly harder for accounts to be accessed
by others.
Email accounts in particular are extremely important to protect as once
breached, hackers can use them to reset passwords and credentials for
other accounts.
For more information visit
www.stopthinkconnect.org/2stepsahead
2. Clean and keep clean all machines.
Immediately update all software on every Internet-connected device.
All critical software including PCs and mobile operating systems, security
software and other frequently used software and apps should be running
the most current versions.
3. Monitor activity on your financial and credit cards accounts.
If appropriate, implement a fraud alert or credit freeze with one of the three
credit bureaus (this is free and may be included if credit monitoring is
provided post breach).
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 70
For more information, visit the Federal Trade Commission website:
www.identitytheft.gov.
4. Change passwords on accounts that don’t offer multifactor
authentication.
Change and make better passwords. Passwords should be strong and easy
to remember.
It is always better if they are longer and consist of combinations of
passphrases, numbers and symbols. Important accounts should have
unique passwords not used to access any other accounts.
5. When in doubt, throw it out.
Scammers and others have been known to use data breaches and other
incidents to send out emails and posts related to the incident to lure people
into providing their information.
Delete any suspicious emails or posts and get information only from
legitimate sources.
Data breaches have become more commonplace, and everyone should take
these simple, actionable steps to protect themselves online.
It is also important to respond quickly in the wake of hearing or suspecting
that personal information has been lost or stolen.
Other helpful resources include:
www.stopthinkconnect.org (general online safety and security information)
www.identitytheft.gov (the Federal Trade Commission’s website to guide
consumers after your information is lost
www.bbb.org (resources for small and medium businesses and information
about consumer scams and fraud)
www.idtheftcenter.org (for help with identity theft)
If you believe you have been the victim of a cybercrime you can report it to:
The Internet Crime Complaint Center at www.Ic3.gov
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 71
Hearing at the Economic and Monetary
Affairs (ECON) Committee of the
European Parliament
Gabriel Bernardino, Chairman of EIOPA
Mr Chairman,
Honourable members of the Committee on Economic and Monetary
Affairs, Thank you for inviting me to our regular exchange of views which
plays a fundamental role in honouring our accountability towards the
European Parliament.
This hearing provides me with the opportunity to report to you on how we
are achieving our objectives and delivering on the tasks assigned to us
during the last year and to highlight some of the challenges that we are
facing going forward.
Supervisory convergence
I am happy to be here just less than four months before the full
implementation of EIOPA’s top-priority project - Solvency II, which will
start on 1 January 2016.
Since the end of 2014, the strategic focus of EIOPA’s work on Solvency II
has been on supervisory convergence, with the aim to ensure the highest
consistency possible in the implementation of Solvency II across the EU.
This is a project that has delivered state-of-the-art risk-based regulation in
Europe, and which is the outcome of joint efforts by the co-legislators,
regulators, supervisors and industry and consumer representatives.
The European Parliament has played a key role in this process.
As a first step towards ensuring this consistency, in the past 12-month
period, EIOPA delivered in total 18 Implementing Technical Standards
(ITS), of which six have already been endorsed by the European
Commission (EC).
We also delivered two sets of Guidelines that cover the most relevant areas
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 72
and elements of the Solvency II framework.
Some of these Guidelines concern the basic alignment of supervisory
processes, while others provide clarity to firms on supervisors’
expectations, while reducing the risk of divergent interpretations by
national supervisors.
While regulatory stability is paramount in the run up to the Solvency II
implementation date, EIOPA quickly responded to a request to take a more
granular look at the treatment of infrastructure projects.
During the first half of this year EIOPA published a discussion paper;
consulted representatives of public authorities, insurance and
infrastructure industries, asset managers and academics; and finally
launched a public consultation in early July.
In the consultation paper we propose new definitions and criteria for
identifying qualifying infrastructure debt and equity investments, which
may warrant more specific treatment in the standard formula capital
calculation.
We made some proposals for a better calibration of the treatment for these
qualifying infrastructure investments and additional risk management
requirements.
Currently we are considering the feedback received during the public
consultation and our final advice will be submitted to the European
Commission by the end of September.
One thing is clear to me: calibrations need always to be based on evidence,
and we should stand firm against privileging or incentivising specific asset
classes.
A regime that creates incentives that are not properly aligned with risks will
see the emergence of price distortions and vulnerabilities.
Knowing that new legislation is always more burdensome for smaller
companies, we have made the proportionality principle a cornerstone of our
work.
EIOPA’s goal in this regard is to make sure that Solvency II is implemented
in a manner which would be proportionate to the nature, scale and
complexity of companies’ risk profiles.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 73
Proportionality is embedded for example in the Solvency II regulatory
templates, a significant area of potential costs.
So, we have ensured that companies with simple business models, few
business lines and simple investment strategies will see their reporting
requirements significantly diminished.
SMEs will see reduced frequency in reporting, with quarterly reporting
concerning only some core elements.
Furthermore EIOPA worked very closely with the European Central Bank
(ECB) to align the new ECB statistical reporting requirements with the
Solvency II reporting requirements.
The result is that a large part of the ECB requirements will be met by the
Solvency II data and the additional reporting in the form of ECB add-ons
will be provided within the same reporting framework.
This avoids, to the maximum extent possible, any unnecessary burden on
the industry.
In order to support SMEs even further, in summer 2015 EIOPA published
the Tool for Undertakings (T4U) related to XBRL reporting under Solvency
II.
With this tool we assist SMEs in creating, editing and validating XBRL
reporting documents.
The Tool is offered for free and will help firms without knowledge and
resources to implement Solvency II harmonized quantitative reporting.
Estimations show that approximately 1,200 undertakings will make use of
the T4U.
The Tool is also widely used for quality assurance purposes both at SME
and NCA level.
The availability of relevant Technical Information is also of great
importance for the industry and supervisors during the preparations for full
implementation of Solvency II.
Since February 2015 – well ahead of the actual implementation date - we
have therefore been publishing the relevant risk free interest rate term
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 74
structures and related components.
This information is a key input for the assessment of the (re)insurance
companies’ solvency and financial positions.
The use of harmonised relevant risk free interest rate term structures will
ensure the consistent calculation of technical provisions by (re)insurance
companies throughout the European Union.
EIOPA also adds value to Solvency II implementation by strengthening the
oversight of cross-border groups, and in general upgrading the quality and
consistency of overall supervisory processes in the EU.
Our oversight activities are structured in 3 main areas: Colleges of
Supervisors, the Centre of Expertise in Internal Models and Supervisory
Oversight.
Colleges of supervisors across the EU have been fundamental in increasing
the exchange of information between supervisors, moving towards a more
common analysis and measurement of risks.
EIOPA’s actions ensured consistent processes at college level and are now
focused on more substantial aspects of supervision and supervisory
decisions, for instance closely following the discussions around internal
model approval.
Created two years ago, our Centre of Expertise in Internal Models proved to
be very instrumental in developing new tools and practices in the area of
internal models.
In December 2014, we published the Common Application Package, which
supported insurers in understanding the granularity of documentation and
evidence that is required for the formal internal model application process.
In April 2015, EIOPA issued a supervisory Opinion on Internal Models
covering some key areas where we found inconsistencies in approaches, for
example risks related to Sovereign Exposures and the absence of formal
decisions on equivalence.
We provided relevant guidance to NCAs and plan to engage with them in a
follow-up exercise.
Currently the Centre focuses on the development and testing of sound
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 75
on-going appropriateness indicators and benchmarking for internal
models.
In 2014, we created a Supervisory Oversight Team to continue building our
relations with NCAs on a basis of mutual trust, while providing NCAs also
with a chance for independent and challenging feedback on supervisory
practices.
In the period under reference this team already conducted 18 bilateral visits
to the national supervisory authorities.
As part of its oversight role, EIOPA has in particular been engaged with the
national competent authority in strengthening supervision in Romania.
EIOPA contributed to a balance sheet review and stress test of insurance
companies representing more than 80% of the Romanian market.
Both exercises were completed in July 2015, and in full transparency a
report was published that identified a need for significant adjustments to
the balance sheets and corresponding prudential ratios of a number of
insurance undertakings, followed by a number of supervisory measures.
This was a credible exercise that proved fundamental for enhancing
consumer protection and confidence in the Romanian insurance sector.
Underpinning all the supervisory convergence agenda, EIOPA is also
developing a Supervisory Handbook.
The objective is to build an array of good supervisory practices on the
different areas of Solvency II.
EIOPA expects and encourages NSA’s to adequately implement these good
practices in their supervisory processes.
Finally a reference to the important work performed by EIOPA on the
development of international standards in insurance.
EIOPA’s presence in the IAIS has been a catalyst for a stronger and more
aligned representation of EU supervisors.
Consumer protection
Consumer protection is since day one an integral part of EIOPA’s DNA and
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 76
continues to guide our priorities.
EIOPA pursued works simultaneously on different issues that are crucial
for consumer protection: transparency, conflicts of interest and conduct
risks.
Preparing the future implementation of the new Insurance Distribution
Directive EIOPA developed work on product oversight and governance by
insurance undertakings.
Insurers need to implement proper processes to deal with product design,
development and marketing as well as to identify and manage consumer
risks.
Furthermore, EIOPA started to develop a comprehensive risk-based and
preventive framework for conduct of business supervision on a European
level.
Failures in business conduct can pose a serious threat to the stability of the
financial sector, while mis-selling on a mass scale can lead to serious
detriment to individual consumers.
This can result in significant reputational damage for companies and for
consumers in a material loss of confidence in the financial market.
To address these concerns, EIOPA is developing a framework which
anticipates emerging consumer detriment, rather than just reacting to
problems after they have occurred.
This entails putting in place systematic monitoring to identify conduct risks
as these develop, and proportionate processes for assessing those situations
in which additional supervisory measures should be considered, including
the use of thematic reviews, for instance to „deep-dive“ into specific market
segments.
Monitoring should be developed on the basis of appropriate risk-based
indicators.
On the pensions side EIOPA worked on the response to the Call for Advice
from the European Commission on the development of an EU-wide
framework for personal pension products.
In July 2015, we launched a public consultation where we suggested the
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 77
creation of a simple, trustworthy, standardised and fully transparent
pan-European personal pension product, the PEPP.
Creating a truly single market for personal pensions in the EU can reduce
costs and provide better returns to consumers by increasing economies of
scale.
It can also help the provision of long-term stable funding to the EU
economy and be a catalyst of the Capital Markets Union. Ultimately it can
reinforce the trust and confidence of EU citizens in the EU project.
After the public consultation is completed, we intend to submit our final
advice to the Commission in the beginning of 2016.
Financial Stability
In line with its mandate, EIOPA continued to initiate and coordinate
EU-wide stress tests with the purpose to assess the resilience of financial
institutions to adverse market developments.
In November 2014, we completed an EU-wide stress test for insurance
companies based on the upcoming Solvency II regime.
We tested a range of credible adverse market scenarios, developed in
conjunction with the ESRB, complemented by a set of independent
insurance-specific shocks covering mortality, longevity, insufficient
reserves and catastrophe shocks.
An additional stress test module addressed the impact of a low yield
environment.
The EIOPA insurance stress test has provided EU supervisors with an
updated picture of undertakings’ preparedness to comply with the
upcoming Solvency II capital requirements.
By applying a set of rigorous and severe stresses we were able to identify the
areas where companies are most vulnerable, in a coordinated and
consistent way across the entire EU.
EIOPA’s stress test results showed that the insurance sector is vulnerable to
a “double hit” scenario that combines a readjustment of risk “premia” with
decreases in asset values due to a continued lower risk free rate.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 78
In the current market situation, action is clearly needed from the industry
to deal with the vulnerabilities of “in-force” business and to restructure
product mixes.
Especially within the context of the low interest rate environment, it is
important that firms use the time given under Solvency II transitional
measures to take the necessary steps to restructure their business models.
As a follow up to the stress test EIOPA issued a set of Recommendations to
NCAs. Our recommendations ensured that identified vulnerabilities are
addressed by NCAs in a coordinated and consistent way.
Supervisors must continue to monitor the situation very closely and
challenge the industry on the sustainability of their business models.
In May 2015, EIOPA launched a stress test for occupational pensions.
In cooperation with the ESRB, we designed a stress test that considers the
key vulnerabilities of pension funds.
We highlight as two adverse market scenarios the effects of a prolonged
low-interest rate environment together with an independent fall in asset
prices.
Moreover, we have included a stress scenario analysing further increases in
life expectancy.
The objective of the exercise is to test the resilience of Defined Benefit (DB)
and hybrid pension schemes to adverse scenarios as well as to identify
potential vulnerabilities for Defined Contribution (DC) schemes.
The results of the stress test analysis will be disclosed in December 2015.
As part of our work on the solvency of pension funds, we are collecting
quantitative information on the impact of different supervisory approaches.
We aim to finalize our own initiative work in the first quarter of 2016 with
an EIOPA Opinion on a possible framework to access the sustainability of
pension promises.
Both the stress test and quantitative assessment were launched
simultaneously and have the same reporting template.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 79
This was done on purpose in order to limit the burden on IORPs and
supervisors and to avoid the duplication of calculations.
Way Forward
Looking back over the last 12 months, I can proudly state that EIOPA has
been instrumental in progressing the EU regulatory agenda in insurance as
well as occupational and personal pensions.
We have reinforced our oversight activities for the sake of stronger
supervisory convergence.
We have taken fundamental steps towards enhancing consumer protection
for the future.
Our stress tests serve as a very important supervisory and risk management
tool not only for competent authorities but also for the insurance and
pensions industry.
And finally such work streams as the treatment of infrastructure
investments and a pan European personal pension product contribute to
one of the Europe’s priority goals – the Capital Markets Union.
Taken together, our work of the last year and the coming period shows our
continued commitment to preserve financial stability in the EU and
enhance the protection of European consumers.
Looking forward, I would like to focus on two main challenges:
1. The post-evaluation of regulation
EIOPA will be very attentive to any material loopholes or unintended
consequences of the implementation of Solvency II, especially if they have a
negative impact on consumers.
Areas like the investment behaviour of insurers and product availability
and suitability for consumers will receive special attention.
In a period of low interest rates it is of course rational to engage in a
“search for yield” but this can create additional risks for insurers, in
particular if they invest in unfamiliar asset categories or increase
concentrations in certain specific assets.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 80
Furthermore, insurers will need to adapt their product design in a
sustainable way, pricing correctly the different guarantees and options
included in the contracts.
In order to be prepared to perform this evaluation EIOPA needs to ensure
the collection and processing of relevant data from the supervisory
reporting system being developed for Solvency II.
Appropriate market evidence will also need to be collected.
2. The convergence of supervisory practices
In spite of the significant progress that we already made in building up a
common European supervisory culture, the way towards supervisory
convergence remains a tremendous challenge.
Convergence is a journey and often implies change and movement for each
party from their status quo.
But the benefits of convergence are clear.
Our oversight work is starting to prove its vital importance by helping to
improve the quality and consistency of supervision in the EU.
As we are in an internal market, the quality of national supervision is not
only a local issue; it is an EU issue.
The EU supervisory system is only as strong as its weakest link.
Stronger and more coordinated supervision at the EU level is therefore
needed.
Credible and independent supervision is also key for improving the
confidence of consumers and investors.
It is in all stakeholders’ interest that EIOPA has sufficient human and
financial resources to ensure that NSA’s apply proper and convergent
risk-based supervision.
EIOPA’s drive towards convergence and dialogue amongst NCAs, is
essential for avoiding a “mechanistic” and “tick the box” approach to
supervision, detrimental both to consumers and the industry.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 81
Indeed, the very success of Solvency II depends on a systematic move away
from just such mechanistic supervision, and I believe EIOPA has a crucial
role in driving forward this change in practice.
Our work on these two challenges will be central, I think, to the coming
years.
Finally, allow me to use this opportunity to thank the European Parliament
for its continuous support to EIOPA.
I sincerely hope that we can continue to carry on our efforts in the spirit of
fruitful discussions and cooperation.
I look forward to answering your questions.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 82
Tips from the National
Counterintelligence Executive
Traveling Overseas with Mobile Phones,
Laptops, PDAs, and other Electronic
devices
You should know :
•
In most countries you have no expectation of privacy in Internet
cafes, hotels, offices, or public places.
Hotel business centers and phone networks are regularly monitored in
many countries.
In some countries, hotel rooms are often searched.
•
All information you send electronically – by fax machine, personal
digital assistant (PDA), computer, or telephone – can be intercepted.
Wireless devices are especially vulnerable.
•
Security services and criminals can track your movements using
your mobile phone or PDA and can turn on the microphone in your device
even when you think it’s off.
To prevent this, remove the battery.
•
Security services and criminals can also insert malicious software
into your device through any connection they control.
They can also do it wirelessly if your device is enabled for wireless.
When you connect to your home server, the“malware” can migrate to your
business, agency, or home system, can inventory your system, and can send
information back to the security service or potential malicious actor.
•
Malware can also be transferred to your device through thumb
drives (USB sticks), computer disks, and other “gifts.”
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 83
•
Transmitting sensitive government, personal, or proprietary
information from abroad is therefore risky.
•
Corporate and government officials are most at risk, but don’t
assume you’re too insignificant to be targeted.
•
Foreign security services and criminals are adept at “phishing” –
that is, pretending to be someone you trust in order to obtain personal or
sensitive information.
•
If a customs official demands to examine your device, or if your hotel
room is searched while the device is in the room and you’re not, you should
assume the device’s hard drive has been copied.
BEFORE YOU TRAVEL
•
If you can do without the device, don’t take it.
•
Don’t take information you don’t need, including sensitive contact
information.
Consider the consequences if your information were stolen by a foreign
government or competitor.
•
Back up all information you take; leave the backed-up data at home.
•
If feasible, use a different mobile phone or PDA from your usual one
and remove the battery when not in use.
In any case, have the device examined by your agency or company when you
return.
•
Seek official cyber security alerts from:
www.onguardonline.gov and www.us-cert.gov/cas/tips
Prepare your device:
•
Create a strong password (numbers, upper and lower case letters,
special characters – at least 8 characters long).
Never store passwords, phone numbers, or sign-on sequences on any device
or in its case.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 84
•
Change passwords at regular intervals (and as soon as you return).
•
Download current, up-to-date antivirus protection, spyware
protection, OS security patches, and a personal firewall.
•
Encrypt all sensitive information on the device.
(But be warned: In some countries, customs officials may not permit you to
enter with encrypted information.)
•
Update your web browser with strict security settings.
•
Disable infrared ports and features you don’t need.
WHILE YOU’RE AWAY
•
Avoid transporting devices in checked baggage.
•
Use digital signature and encryption capabilities when possible.
•
Don’t leave electronic devices unattended.
If you have to stow them, remove the battery and SIM card and keep them
with you.
•
Don’t use thumb drives given to you – they may be compromised.
Don’t use your own thumb drive in a foreign computer for the same reason.
If you’re required to do it anyway, assume you’ve been compromised; have
your device cleaned as soon as you can.
•
Shield passwords from view.
Don’t use the “remember me” feature on many websites; re type the
password every time.
•
Be aware of who’s looking at your screen, especially in public areas.
•
Terminate connections when you’re not using them.
•
Clear your browser after each use: delete history files, caches,
cookies, URL, and temporary internet files.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 85
•
Don’t open emails or attachments from unknown sources.
Don’t click on links in emails.
Empty your “trash” and “recent” folders after every use.
•
Avoid Wi-Fi networks if you can.
In some countries they’re controlled by security services; in all cases they’re
insecure.
•
If your device or information is stolen, report it immediately to your
home organization and the local US embassy or consulate.
WHEN YOU RETURN
•
Change your password.
•
Have your company or agency examine the device for the presence
of malicious software.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 86
Disclaimer
The Association tries to enhance public access to information about risk and
compliance management.
Our goal is to keep this information timely and accurate. If errors are brought to
our attention, we will try to correct them.
This information:
is of a general nature only and is not intended to address the specific
circumstances of any particular individual or entity;
should not be relied on in the particular context of enforcement or similar
regulatory action;
-
is not necessarily comprehensive, complete, or up to date;
is sometimes linked to external sites over which the Association has no
control and for which the Association assumes no responsibility;
is not professional or legal advice (if you need specific advice, you should
always consult a suitably qualified professional);
-
is in no way constitutive of an interpretative document;
does not prejudge the position that the relevant authorities might decide to
take on the same matters if developments, including Court rulings, were to lead it
to revise some of the views expressed here;
does not prejudge the interpretation that the Courts might place on the
matters at issue.
Please note that it cannot be guaranteed that these information and documents
exactly reproduce officially adopted texts.
It is our goal to minimize disruption caused by technical errors.
However some data or information may have been created or structured in files or
formats that are not error-free and we cannot guarantee that our service will not
be interrupted or otherwise affected by such problems.
The Association accepts no responsibility with regard to such problems incurred
as a result of using this site or any linked external sites.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 87
The International Association of Risk and Compliance
Professionals (IARCP)
You can explore what we offer to our members:
1. Membership – Become a standard, premium or lifetime member.
You may visit:
www.risk-compliance-association.com/How_to_become_member.htm
If you plan to continue to work as a risk and compliance management
expert, officer or director throughout the rest of your career, it makes
perfect sense to become a Life Member of the Association, and to continue
your journey without interruption and without renewal worries.
You will get a lifetime of benefits as well.
You can check the benefits at:
www.risk-compliance-association.com/Lifetime_Membership.htm
2. Weekly Updates - Subscribe to receive every Monday the Top 10 risk
and compliance management related news stories and world events that
(for better or for worse) shaped the week's agenda, and what is next:
http://forms.aweber.com/form/02/1254213302.htm
3. Training and Certification - Become
a Certified Risk and Compliance
Management Professional (CRCMP) or a
Certified Information Systems Risk and
Compliance Professional (CISRSP).
The Certified Risk and Compliance
Management Professional (CRCMP)
training and certification program has
become one of the most recognized
programs in risk management and compliance.
There are CRCMPs in 32 countries around the world.
Companies and organizations like IBM, Accenture, American Express,
USAA etc. consider the CRCMP a preferred certificate.
You can find more about the demand for CRCMPs at:
www.risk-compliance-association.com/CRCMP_Jobs_Careers.pdf
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 88
You can find more information about the CRCMP program at:
www.risk-compliance-association.com/CRCMP_1.pdf
(It is better to save it and open it as an Adobe Acrobat document).
For the distance learning programs you may visit:
www.risk-compliance-association.com/Distance_Learning_and_Certificat
ion.htm
For instructor-led training, you may contact us. We can tailor all programs
to specific needs. We tailor presentations, awareness and training programs
for supervisors, boards of directors, service providers and consultants.
4. IARCP Authorized Certified Trainer
(IARCP-ACT) Program - Become a Certified Risk
and Compliance Management Professional Trainer
(CRCMPT) or Certified Information Systems Risk
and Compliance Professional Trainer (CISRCPT).
This is an additional advantage on your resume,
serving as a third-party endorsement to your knowledge and experience.
Certificates are important when being considered for a promotion or other
career opportunities. You give the necessary assurance that you have the
knowledge and skills to accept more responsibility.
To learn more you may visit:
www.risk-compliance-association.com/IARCP_ACT.html
5. Approved Training and Certification Centers
(IARCP-ATCCs) - In response to the increasing
demand for CRCMP training, the International
Association of Risk and Compliance Professionals is
developing a world-wide network of Approved Training
and Certification Centers (IARCP-ATCCs).
This will give the opportunity to risk and compliance managers, officers and
consultants to have access to instructor-led CRCMP and CISRCP training at
convenient locations that meet international standards.
ATCCs use IARCP approved course materials and have access to IARCP
Authorized Certified Trainers (IARCP-ACTs).
To learn more:
www.risk-compliance-association.com/Approved_Centers.html
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 89
RiskMinds International is the world’s
largest and most prestigious risk
management conference and is fully
established as the most senior gathering
of the global risk management
community. 600+ CROs, global
supervisors, renowned academics and
expert industry practitioners will gather together this December to discuss
strategic risk management, capital allocation and practical risk modelling.
I will be providing information about the CRCMP training course during
the event. I am pleased to be able to offer you a special 15% discount off the
booking fee for RiskMinds International. Just quote the discount VIP Code:
FKN2436IARCPE to claim your discount.
The latest agenda can be found on the website here, as well as the speaker
line-up to date. For more information or to register for the 22nd annual
RiskMinds, please contact the ICBI team on: Tel: +44 (0) 20 7017 7200
Fax: + 44 (0) 20 7017 7806 Email: [email protected] Web:
http://www.riskmindsinternational.com/FKN2436IARCPE
I look forward to meeting those of you attending this conference.
Best Regards,
George Lekatis
President of the IARCP
1200 G Street NW Suite 800,
Washington DC 20005, USA
Tel: (202) 449-9750
Email: [email protected]
Web: www.risk-compliance-association.com
HQ: 1220 N. Market Street Suite 804,
Wilmington DE 19801, USA
Tel: (302) 342-8828
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 90
CISRCP and Cybersecurity
courses in Europe and Asia
Dear Member,
We are pleased to announce our
upcoming instructor-led training
courses commencing in Doha, Qatar during November.
Further to our recent and highly successful Cyber Security training course
for a leading government entity in Qatar, we are pleased to announce
details of two Cyber Security public training courses being held in Doha on
November 22-24 and November 25 at Hilton Doha.
Certified Information Systems Risk and Compliance Professional
(CISRCP), November 22-24, 2015
The first is a three-day comprehensive training course which focusses on an
enterprise-wide approach to Cyber Security incorporating the latest
developments in International Standards, Principles and Best Practices in
IT Risk Management, Information Technology, Information Security,
Cyber Security, Risk Management, Corporate Governance and Compliance
(full details attached).
The course comprises of 12 main subject areas including:
 Information Technology and Information Security
 Critical Infrastructure Protection: International Standards,
Principles and Best Practices
 Risk Management and Compliance
 The Frameworks: COSO, COSO ERM, COBIT
 National Institute of Standards and Technology - Special Publication
800-39
 Assessing Security and Privacy Controls
 CERTs (Computer Emergency Response Teams) and Security
Incident Response
 The Sarbanes Oxley Act: New International Standards
 Basel II and Basel III Amendment
 Designing and Implementing an Enterprise-wide Risk and
Compliance Program
 Threat Landscape and Good Practice Guide for Smart Home and
Converged Media
The Cyber Security elements Include:
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
P a g e | 91
 The Critical Infrastructure Protection Principles in the USA, EU and
comparison with Qatar
 The National Institute of Standards and Technology Cybersecurity
Framework
 The Cybersecurity Strategy of the European Union
 The Presidential Policy Directive (PPD) 21 - Critical Infrastructure
Security and Resilience
 Executive Orders 13587, 13636
______________________________________________
The target is the bank: From hacking to cybercrime to
cyberespionage, November 25, 2015
The second course is a 1 day interactive training course with hands-on
problem-solving exercises, role-plays and present day case studies to
ensure organisations maintain a cyber-environment that encourages
efficiency, innovation, and economic prosperity while promoting safety,
security, business confidentiality and privacy.
______________________________________________
Upcoming Schedule
Qatar – November 22-24 and November 25, 2015
Bahrain – November 29 – December 1 and December 2, 2015
Dubai – January 24-26 and January 27, 2016
London – February 1-3 and February 4, 2016
Amsterdam – February 22-24 and February 25, 2016
Kuala Lumpur – March 14-16 and March 17, 2016
Hong Kong – March 21-23 and March 24, 2016
IARCP Member Discount
Members of International Association of Risk and Compliance
Professionals (IARCP) are entitled to a 20% discount using IARCP20 when
registering online through our training partner Regulatory Intellect.
For more information and to register you may visit:
http://www.regulatoryintellect.com/view_instances.php?CourseID=11
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
Fly UP