End of an IBOR era - SIFMA

End of an IBOR era Key transition challenges for the financial services industry


After more than 40 years of the financial services industry relying on interbank offered rates (IBORs) as a reference rate for variable-rate financial instruments, the London Inter-Bank Offered Rate (LIBOR) and other IBORs are being replaced by alternate reference rates (ARR). LIBOR, which started its life in 1969 as a reference rate for a syndicated loan transaction, today underpins more than $300 trillion of financial contracts. IBORs also serve as a benchmark rate for performance measurement for investment securities and as a proxy rate for wholesale funding rates.

Since 2012, LIBOR has been mired in scandal and gained negative public attention when several global banks were accused of manipulating their IBOR submissions during the financial crisis. Since then, global regulators have taken several steps to strengthen the IBOR (often referred to as IBOR+), including appointment of a new benchmark administrator, ICE Benchmark Administration. However, IBORs are no longer deemed to be a desirable benchmark due to very low transaction volumes in the unsecured wholesale funding markets that underpin the IBOR submission. For example, 3-month USD LIBOR, the most heavily referenced LIBOR, is supported by less than $1 billion in transactions per day.

In the US, the Alternate Reference Rate Committee (ARRC), convened by the Federal Reserve, recommended the Secured Overnight Financing Rate (SOFR) as the most suitable to be used for US dollar derivatives and other financial contracts. SOFR is a broad measure of the cost of borrowing cash overnight collateralized by U.S. Treasury securities. It is a fully transaction-based rate incorporating data from transactions across three segments of the U.S. Treasury Repo market (tri-party repo, General Collateral Finance (GCF) repo and bilateral repo cleared through the Fixed Income Clearing Corporation (FICC)).

SOFR was first published on April 3, 2018, at 1.80% based on a volume of $800 billion of repo transactions as of April 2, 2018. Each business day, the Federal Reserve Bank of New York (FRBNY) publishes the SOFR at approximately 8:00 a.m.

The transition from USD LIBOR to SOFR is expected to be a significant transformation effort for financial services firms and market participants that have extensive exposure to LIBOR-linked products and contracts. In addition, IBORs are also extensively embedded within the processes, operations, models, data and technology infrastructure at financial services firms. For example, LIBOR is commonly used as a future cash flow discount factor for valuation of financial instruments.


Client outreach, repapering and negotiating contracts.

For any contract maturing beyond 2021, firms may need to renegotiate with their borrowers and counterparties to transition the base rate from USD LIBOR to SOFR. Unlike derivatives contracts, which will be addressed in bulk through updates to standard contract language (protocol), cash products for corporate and retail end users have limited contract standardization, or industry protocol. Moreover, the inventory of contracts and terms may not be easily searchable within firms’ systems. Firms will need to identify the affected contracts, digitize them, extract the relevant terms, educate counterparties as to the need for repapering and update each contract through bilateral or multilateral negotiations. In addition, for contracts maturing before 2021, firms will need to update the fallback language in the existing contracts to address the potential risk of LIBOR discontinuation before 2021.

High litigation, reputation and conduct risk.

The change in base rate from USD LIBOR to SOFR will also require renegotiating the spread due to the inherent differences between LIBOR and SOFR (i.e., credit and term premium). For example, if a bank comes up with its own approach for redefining the spread for its variable-rate instruments, its customers and counterparties may respond to unfavorable outcomes relative to the prior benchmark by initiating a legal action (value transfer). Alternatively, if several banks collaborate as an industry to set a new standard spread for variable-rate products, they may be accused of price-fixing under antitrust law. Either way, the bank may face increased legal risk with reputational impact.


EY has identified the top 10 challenges that banking and capital markets organizations and other financial market participants will face in transition to the alternate reference rates.


Market adoption and liquidity in ARR derivatives.

Based on the paced transition plan, ARRC members (dealers) are expected to put in place infrastructure for trading in SOFR futures and/or overnight index swap (OIS) trading in SOFR in the second half of 2018. In addition, CME Group Inc. has planned to launch monthly and quarterly SOFR futures on May 7, 2018. Market adoption and liquidity in SOFR derivatives will be a key success factor for the paced transition plan. As the transition timing for cash products to SOFR is uncertain, the demand for SOFR derivatives to hedge potential interest rate risk embedded in cash products will likely be missing (for example, a borrower that wants to hedge a floating interest rate loan based on SOFR), as SOFR does not currently qualify as an eligible benchmark rate for hedge accounting [1].

Differences in ARR and transition timelines across G5 currencies.

While the US market has settled on the SOFR rate, the UK will use the Sterling Overnight Index Average (SONIA), which is an unsecured rate. This movement away from an international unsecured standard (LIBOR) may result in challenges in cross-currency swap markets. Instead of using a similar rate for both legs of a foreign currency (FX) swap, trades may need different rates for each leg (e.g., USD at secured SOFR swapped for GBP at unsecured SONIA). Further, the lack of harmonization in transition timing to alternate reference rates or in the timing of publication of daily ARRs across G5 currencies may result in additional challenges for the FX swap markets.

Regulatory uncertainty.

Regulatory mandates tend to arrive with clear guidance, legal certainty and prudential incentives for rapid compliance. Yet regulators see the IBOR transition not as a mandate, but rather as a voluntary, industry-led initiative. This perspective may cause delays as the industry uncovers situations requiring regulatory guidance or legal rulings. The lack of definitive regulatory guidance on the IBOR transition may slow down progress as banks deem “wait and watch” as the prudent strategy, which may further aggravate the situation due to a buildup of more legacy contracts inventory for future transition.

Absence of ARR term rates.

IBOR rates are available for terms ranging from overnight to 1 week to 12 months, which allow corporate and retail clients to borrow using variable-rate instruments with certainty of cash flow (interest payments) throughout the term. SOFR, initially, will solely be an overnight rate, which means that term rates will likely need to be calibrated based on transactions in the SOFR futures market. The definition of term rates is scheduled for 2021, which may need to be reconsidered to facilitate the transition of cash products to ARR. Further, given the inter-relationship between the cash and derivatives markets (e.g., for hedging), the development and transition work for SOFR and term rates needs to run concurrently.


[1] The Financial Accounting Standards Board (FASB) has released an exposure draft for comment on Derivatives and Hedging (Topic 815) “Inclusion of the Overnight Index Swap (OIS) Rate Based on the Secured Overnight Financing Rate (SOFR) as a Benchmark Interest Rate for Hedge Accounting Purposes.”


Operations and technology changes.

Over the years, IBOR has been extensively embedded in business and operational processes, from low-level data structures to applications built over decades. The transition away from IBOR will require significant changes, made more difficult given the lack of certainty as to the timing and desired target state. At the very minimum, firms will need to identify every reference to an IBOR across the entire organization, and then replace it with a pointer to one of several possible reference rates, with the choice contingent on the specific situation.

Accounting considerations.

The Financial Accounting Standards Board (FASB) recently issued guidance on derivative and hedging transactions in ASC 815, and there are proposed amendments to ASC 815 that will add SOFR as a benchmark. Banks will need to ensure that, as they replace IBORs with bundles of financial instruments (which may include SOFR derivatives plus interest-rate derivatives), the bundles qualify and are recognized as eligible hedges under the accounting rules.

LIBOR may yet survive.

The announcements by the Financial Conduct Authority (FCA) regarding the future of LIBOR highlighted the risk that LIBOR may cease publication at some point after 2021. However, the most recent speech by Andrew Bailey, chief executive of the UK’s FCA, hinted at a potential use of synthetic LIBOR for existing contracts beyond 2021. In addition, most recently, the ICE Benchmark Administration has hinted at the possibility of LIBOR being kept alive for selected currencies and tenors beyond 2021, derived based on a spread over the alternate reference rates (e.g., LIBOR after 2021 = SOFR + x%). The lack of clarity on the future of LIBOR is a key hurdle in the mobilization of transition activities related to existing contracts maturing beyond 2021. Further, the survival of LIBOR beyond 2021 may result in the fragmentation of liquidity in the derivatives markets and potentially an increase in basis risk for banks.

Valuation, model and risk management.

IBORs have long been a convenient proxy for general interest rate risk used in valuation and risk modeling, and as a discount factor for prepayment schedules and other situations in financial modeling. As such, a wide range of financial and risk models will need to be redeveloped, recalibrated and revalidated using ARR. The lack of availability of historical time series data on ARR is likely to be an issue for risk modeling. Firms will need to quickly build an inventory of all pricing, valuation and risk models that have a dependency on IBORs and rank order the models based on materiality and complexity for redevelopment. Further, asymmetry in the timing of transition across different products and linked contracts may result in additional basis risk for firms.



EY contacts

Global: Roy Choudhury, Ernst & Young LLP

United States: Michael Sheptin, Ernst & Young LLP

United Kingdom: Shankar Mukherjee, Ernst & Young LLP

Europe: Philippe Vidal, Ernst & Young Advisory

Japan: Kazuto Kita, Ernst & Young ShinNihon LLC

Asia-Pacific: Sky So, Ernst & Young – Hong Kong

The extensive use of LIBOR in financial markets across a range of products, contracts and business processes will likely make the transition to alternate reference rates an enterprise-wide transformation initiative. Although 2021 may seem far away, banks need to mobilize their transition efforts urgently and elevate this topic within their organization.

Given the uncertainty, it is important to comprehensively assess the issues across the 10 areas summarized above. The assessment will allow firms to size the challenges facing their organizations and the potential resource requirements and effort to address them. This will provide the information necessary to inform executive management and the Board on the probable impact and how the firm is likely to address it.

The financial services industry has an important role to play in educating end users of financial products on the looming risks of ongoing dependency on LIBOR and guiding them through this transition process. Firms that proactively engage with their customers, and offer new products linked to ARR, are likely to be at a competitive advantage.



© 2018 Ernst & Young LLP. All Rights Reserved.


What you need to know

• The SEC staff issued guidance to help companies facing challenges in accounting for the effects of the Tax Cuts and Jobs Act in accordance with ASC 740, which requires the effects of changes in tax law to be accounted for in the period of enactment.

• The SEC staff said a company that hasn’t completed its accounting for the effects of the most significant change to US tax law since 1986 by its financial reporting deadline may report provisional amounts based on reasonable estimates for items for which the accounting is incomplete. Those amounts will be subject to adjustment during a measurement period of up to one year.

• The SEC staff said a company that cannot make a reasonable estimate for an income tax effect should not account for that effect until it can make such an estimate.

• The SEC staff guidance requires companies to disclose information about the material financial reporting effects of the Act for which the accounting under ASC 740 is incomplete.

Overview

The Securities and Exchange Commission (SEC) staff issued Staff Accounting Bulletin (SAB) 118 to provide guidance for companies that have not completed their accounting for the income tax effects of the Tax Cuts and Jobs Act in the period of enactment, which is the period that includes 22 December 2017.

No. 2018-01 4 January 2018

Technical Line

SEC staff provides guidance on accounting for the effects of US tax reform

In this issue:

• Overview
• Background
• Key considerations
• Accounting for the effects of the Act
• Measurement period
• Initial and subsequent reporting of provisional amounts
• Disclosure requirements
• Form 8-K filing requirements
• Foreign private issuers reporting under IFRS
• Investment companies affected by the Act
• Non-SEC financial statements
• Internal control considerations

EY AccountingLink | ey.com/us/accountinglink

2 | Technical Line SEC staff provides guidance on accounting for the effects of US tax reform 4 January 2018

The SEC staff acknowledged the challenges companies may face in accounting for the effects of the Act by their financial reporting deadlines and said the guidance is intended to help companies provide investors with timely, decision-useful information. The SEC staff noted that Accounting Standards Codification (ASC) 740, Income Taxes, doesn’t address these challenges and said clarification was needed to address uncertainty or diversity in views about the application of ASC 740 in the period of enactment.

“Allowing entities to take a reasonable period to measure and recognize the effects of the Act, while requiring robust disclosures to investors during that period, is a responsible step that promotes the provision of relevant, timely, and decision-useful information to investors,” SEC Chief Accountant Wesley Bricker said.

SAB 118 applies only to the application of ASC 740 in connection with the Act and should not be relied upon for other changes in tax law.

The SEC staff also issued Compliance and Disclosure Interpretation (C&DI) 110.02 to answer questions companies have raised about certain Form 8-K filing requirements.

For details on the provisions of the Act, refer to our Tax Alert, Tax Cuts & Jobs Act Conference Agreement Released. For details on accounting and financial reporting considerations related to the Act, refer to our Technical Line, Accounting for the effects of the Tax Cuts and Jobs Act.

Background

ASC 740 requires companies to account for the effects of changes in income tax rates and laws on deferred tax balances (including the effects of the Act’s one-time transition tax on certain foreign earnings) in the period in which the legislation is enacted. The financial statement effects of a change in tax law are recorded as a component of income tax expense related to continuing operations.

In issuing the guidance, the SEC staff said it was clarifying the application of ASC 740 for companies that may encounter situations where they do not have the necessary information available, prepared or analyzed (including computations) in reasonable detail to complete the accounting under ASC 740 for the reporting period in which the Act was enacted.

Key considerations

Accounting for the effects of the Act

SAB 118 provides the following guidance:

• Accounting for income tax effects is completed — When reporting the effects of the Act on the enactment date, a company must first reflect in its financial statements the income tax effects of the Act for which the accounting under ASC Topic 740 is complete. These completed amounts will not be provisional amounts.

• Accounting for income tax effects is incomplete but the company has a reasonable estimate — If a company’s accounting for certain income tax effects of the Act is incomplete but it can determine a reasonable estimate of those effects, the SEC staff said that it will not object to a company including the reasonable estimate in its financial statements. The staff said it would not be appropriate for a company to exclude a reasonable estimate from its financial statements if one had been determined. The reasonable estimate should be included in a company’s financial statements in the first reporting period in which a company is able to determine the estimate. The estimate would be reported as a provisional amount in the financial statements during a “measurement period.” Provisional amounts could include, for example, reasonable estimates that give rise to new current or deferred taxes based on certain provisions of the Act, as well as adjustments to current or deferred taxes that existed prior to the Act’s enactment date.

If a company has not completed its accounting, the SEC staff expects companies to account for each effect of the Act in the first reporting period in which a reasonable estimate can be made.

• Accounting for income tax effects is incomplete and the company doesn’t have a reasonable estimate — If a company does not have the necessary information to determine a reasonable estimate to include as a provisional amount, the SEC staff said that it would not expect a company to record provisional amounts in its financial statements for the income tax effects for which a reasonable estimate cannot be determined. In these cases, the SEC staff said a company should continue to apply ASC 740 (e.g., when recognizing and measuring current and deferred taxes) based on the provisions of the tax laws that were in effect immediately prior to the Act being enacted. That is, the staff does not believe a company should adjust its current or deferred taxes to account for the income tax effects of the Act until the first reporting period in which a reasonable estimate can be determined.

How we see it

The Act’s one-time transition tax requires companies that have deferred recognizing income taxes on certain foreign earnings and profits earned in prior periods (i.e., asserted indefinite reinvestment) to now pay income taxes on those earnings. If a company previously asserted indefinite reinvestment, we believe the company could continue to follow its existing accounting until it has the necessary information to determine a reasonable estimate for the transition tax.

Measurement period

The measurement period begins in the reporting period that includes the Act’s enactment date and ends when a company has obtained, prepared and analyzed the information needed to complete the accounting requirements under ASC 740. The measurement period should not extend beyond one year from the enactment date (i.e., the measurement period must be completed by 22 December 2018). During the measurement period, the staff said it expects companies to act in good faith to complete the accounting under ASC 740.

Initial and subsequent reporting of provisional amounts

Any provisional amounts or adjustments to provisional amounts included in a company’s financial statements during the measurement period (including the period of enactment) should be included in income from continuing operations as an adjustment to tax expense or benefit in the reporting period the amounts are determined.

During the measurement period, a company may need to reflect adjustments to its provisional amounts if it obtains, prepares or analyzes additional information about facts and circumstances that existed as of the enactment date that, if known, would have affected the income tax effects initially reported as provisional amounts. A company may also need to report additional tax effects during the measurement period that were not initially reported as provisional amounts, if it obtains, prepares or analyzes additional information about facts and circumstances that existed as of the enactment date.

Any income tax effects of events unrelated to the Act should not be reported as measurement period adjustments. Hence, companies will need to make sure they have procedures in place to distinguish between changes to provisional amounts that are related to the Act and transactions entered into after the enactment date. For example, a company may enter into a business combination after the enactment date. The tax accounting consequences of the business combination, including the effects on a company’s pre-business combination tax attributes (e.g., realizability of deferred tax assets) will need to be considered separately from any changes in provisional amounts related to the accounting for the tax consequences of the Act.

How we see it

While SAB 118 does not address interim reporting during the measurement period, we believe the effects of initially recording provisional amounts related to the enactment date effects of the Act and making adjustments to those amounts, if significant, should be recognized as discrete events similar to the accounting for tax law changes in the period of enactment. Accordingly, companies should not allocate the effect of changes in the enactment date provisional amounts to subsequent interim periods by adjusting the estimated annual effective tax rate.

SAB 118 does not specify how a company should determine whether it can make a reasonable estimate. A company will need to determine whether a reasonable estimate can be made based on its facts and circumstances. This includes the availability of records to complete the necessary calculations, technical analysis of the new tax law and finalization of its accounting analysis, including its assessment of how certain provisions of the Act may affect its outside basis differences related to foreign subsidiaries.

To help companies with their accounting during the measurement period, SAB 118 provides the following examples. Each example assumes the company has only one foreign subsidiary. A company that has more than one foreign subsidiary may reach different conclusions for each subsidiary, depending on the facts and circumstances, including the availability of information necessary to complete the analysis.

Excerpt from SAB 118

Example 1 — Analysis is incomplete and company cannot reasonably estimate provisional amounts

Prior to the reporting period in which the Act was enacted, Company X did not recognize a deferred tax liability related to unremitted foreign earnings because it overcame the presumption of the repatriation of foreign earnings.

Upon enactment, the Act imposes a tax on certain foreign earnings and profits at various tax rates. Based on Company X’s facts and circumstances, it was not able to determine a reasonable estimate of the tax liability for this item for the reporting period in which the Act was enacted by the time that it issues its financial statements for that reporting period; that is, Company X did not have the necessary information available, prepared, or analyzed to develop a reasonable estimate of the tax liability for this item (or evaluate how the Act will impact Company X’s existing accounting position to indefinitely reinvest unremitted foreign earnings).

As a result, Company X would not include a provisional amount for this item in its financial statements that include the reporting period in which the Act was enacted, but would do so in its financial statements issued for subsequent reporting periods that fall within the measurement period, beginning with the first reporting period falling within the measurement period by which the necessary information became available, prepared, or analyzed in order to develop the reasonable estimate, and ending with the first reporting period within the measurement period in which Company X was able to obtain, prepare, and analyze the necessary information to complete the accounting under ASC 740.


Excerpt from SAB 118

Example 1a — Analysis is incomplete and company can reasonably estimate provisional amounts

Assume a similar fact pattern as Example 1; however, Company Y was able to determine a reasonable estimate of the income tax effects of the Act on its unremitted foreign earnings for the reporting period in which the Act was enacted.

Company Y, therefore, reported a provisional amount for the income tax effects related to its unremitted foreign earnings in its financial statements that included the reporting period the Act was enacted. In a subsequent reporting period within the measurement period, Company Y was able to obtain, prepare and analyze the necessary information to complete the accounting under ASC 740, which resulted in an adjustment to Company Y’s initial provisional amount to recognize its tax liability.

Excerpt from SAB 118

Example 2 — Analysis is incomplete and company may need to recognize a valuation allowance

Company Z has deferred tax assets (assume Company Z was able to comply with ASC Topic 740 and re-measure its deferred tax assets based on the Act’s new tax rates) for which a valuation allowance may need to be recognized (or released) based on application of certain provisions in the Act.

If Company Z determines that a reasonable estimate cannot be made for the reporting period [in which] the Act was enacted, no amount for the recognition (or release) of a valuation allowance would be reported.

In the next reporting period (following the reporting period in which the Act was enacted), Company Z was able to obtain, prepare and analyze the necessary information in order to determine that no valuation allowance needed to be recognized (or released) in order to complete the accounting under ASC 740.

We developed the following example of another situation that might arise.

Illustration 1 — Analysis is incomplete and company can reasonably estimate provisional amounts related to the one-time transition tax but cannot reasonably estimate tax effects of remaining outside basis difference

Facts

Assume a similar fact pattern to Example 1, but assume that Company W was able to determine a reasonable estimate of the income tax effects of the Act on its unremitted foreign earnings for the reporting period in which the Act was enacted as it relates to the one-time transition tax (i.e., the tax due based on accumulated earnings and profits subsequent to 1986).

Company W did not have the necessary information available, prepared or analyzed to develop a reasonable estimate of the tax liability, if any, for its remaining outside basis difference including any deferred tax accounting that may be required due to other provisions in the Act beyond the one-time transition tax, including how that accounting may be affected by Company W’s ongoing accounting position to indefinitely reinvest unremitted foreign earnings.


Analysis

Company W reported a provisional amount for the income tax effects of the one-time transition tax in its financial statements that included the reporting period the Act was enacted. In a subsequent reporting period within the measurement period, Company W was able to obtain, prepare and analyze the necessary information to complete the accounting under ASC 740 for the one-time transition tax, and Company W adjusted the provisional amount it had previously reported to recognize its tax liability.

Company W was not able to determine a reasonable estimate of the tax liability, if any, under the Act for its remaining outside basis difference (or evaluate how the Act will affect Company W’s existing accounting position to indefinitely reinvest unremitted foreign earnings) in the reporting period in which the Act was enacted by the time that it issued its financial statements for that reporting period. As a result, Company W would not include a provisional amount for this item in its financial statements that include the reporting period in which the Act was enacted, but would do so in its financial statements issued for subsequent reporting periods that fall within the measurement period, beginning with the first reporting period falling within the measurement period by which the necessary information became available, prepared, or analyzed in order to develop the reasonable estimate, and ending with the first reporting period within the measurement period in which Company W was able to obtain, prepare, and analyze the necessary information to complete the accounting under ASC 740.

Disclosure requirements

In addition to the disclosures required by ASC 740, SAB 118 requires companies to disclose information about the material financial reporting effects of the Act for which the accounting under ASC 740 is incomplete, including:

• Qualitative information about the income tax effects of the Act for which the accounting is incomplete

• The items reported as provisional amounts

• Existing current or deferred tax amounts for which the income tax effects of the Act have not been completed

• The reason the initial accounting is incomplete

• The additional information that needs to be obtained, prepared or analyzed to complete the accounting requirements under ASC 740

• The nature and amount of any measurement period adjustments recognized during the reporting period

SAB 118 also requires companies to disclose the following information about material financial reporting effects of the Act, which companies will likely disclose in reporting periods after the period in which the Act was enacted:

• The effect of measurement period adjustments on the effective tax rate

• Disclosures of when the accounting for the income tax effects of the Act has been completed


Illustration 2 — Disclosures a calendar year-end company might make in the period of enactment about incomplete accounting

A calendar year-end company that has not yet completed its accounting might make the following disclosures in the notes to its financial statements for the period ended 31 December 2017.

This is a simple example that addresses only federal income tax effects and doesn’t reflect other disclosures required by ASC 740. Depending on its facts and circumstances, a company will need to provide more information. Disclosures should be sufficiently detailed for a reader to understand the status of a company’s accounting for the tax effects of the Act (i.e., effects for which the accounting is complete, effects for which the accounting is incomplete but a reasonable estimate can be made, and effects for which the accounting is incomplete and no provisional amounts have been recorded) and the additional information needed to complete the accounting under ASC 740.

Example disclosure:

The Tax Cuts and Jobs Act was enacted on 22 December 2017. The Act reduces the US federal corporate tax rate from 35% to 21%, requires companies to pay a one-time transition tax on earnings of certain foreign subsidiaries that were previously tax deferred and creates new taxes on certain foreign sourced earnings. At 31 December 2017, we have not completed our accounting for the tax effects of enactment of the Act; however, in certain cases, as described below, we have made a reasonable estimate of the effects on our existing deferred tax balances and the one-time transition tax. In other cases, we have not been able to make a reasonable estimate and continue to account for those items based on our existing accounting under ASC 740, Income Taxes. For the items for which we were able to determine a reasonable estimate, we recognized a provisional amount of $XXXX, which is included as a component of income tax expense from continuing operations.

Provisional amounts

Deferred tax assets and liabilities: We remeasured certain deferred tax assets and liabilities based on the rates at which they are expected to reverse in the future, which is generally 21%. However, we are still analyzing certain aspects of the Act and refining our calculations, which could potentially affect the measurement of these balances or potentially give rise to new deferred tax amounts. The provisional amount recorded related to the remeasurement of our deferred tax balance was $XXXXX.

Foreign tax effects: The one-time transition tax is based on our total post-1986 earnings and profits (E&P) that we have previously deferred from US income taxes. We recorded a provisional amount for our one-time transition tax liability for XX of our foreign subsidiaries, resulting in an increase in income tax expense of $XXX. We have not yet completed our calculation of the total post-1986 foreign E&P for these foreign subsidiaries. Further, the transition tax is based in part on the amount of those earnings held in cash and other specified assets. This amount may change when we finalize the calculation of post-1986 foreign E&P previously deferred from US federal taxation and finalize the amounts held in cash or other specified assets. No additional income taxes have been provided for any remaining undistributed foreign earnings not subject to the transition tax and any additional outside basis difference inherent in these entities as these amounts continue to be indefinitely reinvested in foreign operations. Determining the amount of unrecognized deferred tax liability related to any remaining undistributed foreign earnings not subject to the transition tax and additional outside basis difference in these entities (i.e., basis difference in excess of that subject to the one-time transition tax) is not practicable, but the related cumulative temporary difference as of 31 December 2017 was $XX.


We have not made sufficient progress on the E&P analysis for the remaining XX of our foreign subsidiaries to reasonably estimate the effects of the one-time transition tax and, therefore, have not recorded provisional amounts. We continued to apply ASC 740 based on the provisions of the tax laws that were in effect immediately prior to the Act being enacted. Because we had previously determined these amounts were indefinitely reinvested, no deferred taxes have been recorded. It is impracticable to determine unrecognized deferred tax liabilities related to these entities, but the cumulative temporary difference as of 31 December 2017 was $XX.

Form 8-K filing requirements

The SEC staff issued C&DI 110.02 in response to questions it has received from companies regarding whether the remeasurement of a deferred tax asset (DTA) to reflect the new tax rates or other provisions of the Act would trigger an obligation to file a Form 8-K under Item 2.06, Material Impairments. The C&DI states that the remeasurement of a DTA to reflect the effect of a change in tax rate or tax laws is not an impairment under ASC 740 and wouldn’t trigger the reporting requirement. However, the enactment of new tax rates or tax laws could have financial reporting implications, including whether it is more likely than not that the DTA will be realized.

In the C&DI, the SEC staff also noted that registrants employing the measurement period approach described in SAB 118 and concluding that an impairment has occurred (e.g., a valuation allowance) for the period that includes the enactment date due to changes resulting from the enactment of the Act may rely on the Instruction to Item 2.06, which exempts registrants from filing a Form 8-K if the conclusion is made in connection with the preparation, review or audit of financial statements to be included in the next periodic report to be filed. In those situations, registrants must disclose the impairment, or a provisional amount with respect to that possible impairment, in the next timely filed report.

How we see it

While the C&DI provides clarification of Item 2.06 of Form 8-K, companies should continue to discuss Form 8-K reporting requirements with their securities counsel regarding the effects the Act may have on their reporting requirements.

Foreign private issuers reporting under IFRS

The SEC staff also said it would not object to a foreign private issuer reporting under IFRS applying a measurement period solely for purposes of completing the accounting requirements for the income tax effects of the Act under International Accounting Standard 12, Income Taxes.

Investment companies affected by the Act

The SEC’s Division of Investment Management issued guidance in IM Information Update 2017-07 in which the SEC staff confirmed that investment companies can rely on SAB 118 for purposes of calculating their net asset value (NAV) and reporting measurement period adjustments. The SEC staff also reminded investment companies to make disclosures, where applicable, about any material effects of the Act on their NAV calculations and information about material provisions for which the accounting is incomplete. Such disclosures could be made in a press release, on a website or in another reasonable manner.

Non-SEC financial statements

SAB 118 applies to any financial statements filed with or furnished to the SEC. However, we believe SAB 118 clarifies the guidance in ASC 740 for a unique circumstance, and it would also be appropriate for other entities applying US GAAP⁴ to follow the SAB. We believe that an entity that is not an SEC filer that elects to follow the guidance in SAB 118 would also need to consider the disclosure requirements when preparing its financial statements in the period of enactment and during the measurement period.

Internal control considerations

Companies need to evaluate whether changes to their existing processes and controls are necessary to address the financial reporting effects of implementing both the Act and SAB 118. That is, companies need effective internal controls to make sure that the accounting implications of the transition and future tax provision calculations are accurately recorded in their financial statements.

In addition to the overall effect of the Act on the income tax accounts, key areas requiring controls include the processes for estimating and finalizing provisional amounts, calculating the one-time transition tax, tracking outside basis differences after enactment, determining the timing of the reversal of temporary differences, assessing the realizability of deferred tax assets and carryforwards, calculating any minimum taxes and making disclosures.

Additionally, companies need to evaluate whether they need any new information to account for the effects of the tax law changes and whether they will use any new information in internal control over financial reporting. If that’s the case, they also need to consider the effectiveness of controls over the completeness and accuracy of that new information.

Endnotes:

1 SAB 118, Income Tax Accounting Implications of the Tax Cuts and Jobs Act.

2 SAB 118 says, “The staff was informed, in part, by the measurement period guidance applied in certain situations when accounting for business combinations under ASC Topic 805, Business Combinations. The measurement period guidance in ASC paragraph 805-10-25-13 addresses situations where the initial accounting for a business combination is incomplete upon issuance of the financial statements that include the reporting period the business combination occurred.”

3 ASC 740-30-25-17.

4 Examples of instances in which nonpublic entities have applied SEC staff guidance include the application of the full cost method (Rule 4-10(c) of Regulation S-X) to oil and gas exploration costs, and the application of SAB 101, Revenue Recognition in Financial Statements.


© 2018 Ernst & Young LLP. All Rights Reserved.


Risk and control considerations within robotic process automation implementations

Balancing transformation with risk and control to achieve compliance


Addressing history before it repeats itself

Since the advent of technology as a vehicle to accelerate business performance within organizations, risk management has often been perceived as a foundational, yet sometimes burdensome, pillar that has frequently been sidestepped since inception. For example, during the early 1980s, spreadsheets and databases (collectively, referred to as end-user computing (EUC)) began to multiply at an astonishing pace due to their ease of use, functionality and powerful insights that could be gleaned at record speed. However, even today, this domain remains a considerable impediment for organizations because sustainable, control-focused programs were not established from the onset to govern, assess, standardize, and monitor performance and risk. Retroactively untangling the unwieldy universe of EUC is often viewed as a Herculean (and, potentially, even insurmountable) task within organizations and unfortunate headline-worthy instances have resulted, including:

• Human error

• After releasing earnings, a multinational home mortgage funding company restated its unrealized gains by $1.2 billion due to “honest mistakes made in a spreadsheet used in the implementation of a new accounting standard.” Source: Gartner

• Fraud

• A global investment bank identified a macro with intentionally inappropriate linkages utilized to create fictitious transactions and depict inaccurate growth. Source: Forrester

• Data privacy

• Forty-six percent of data privacy incidents are a result of compromised files by internal resources due to uncontrolled access to data files residing on shared drives. Source: CIO World

Organizations possess the luxury of hindsight to reflect on future improvements. EUC is a comparable example whereby an investment to harness risk and control up front may have minimized a perennial dilemma across the financial services industry. It is imperative for organizations to address the risks presented and consider the potential implications introduced relative to the vision, reputation and success of an organization (e.g., inaccurate financial reporting, operational losses and inefficiencies, fraud, reputational risk, consumer concern, regulatory sanctions and strategy growth limitations).

What will be the catalyst for organizations to harness the risks introduced by RPA to mitigate a similar dilemma within the next decade?

State of robotics

Although RPA may enhance the overall interconnectedness of business process operations, how is the risk and control landscape impacted by the introduction of such transformational automation initiatives?


More recently, the financial services industry has embraced automation as a disruptive force that challenges the current state of daily business operations, while simultaneously aligning with organizational drivers (e.g., cost, productivity and efficiency). Although the continuum of automation ranges from basic workflow through artificial intelligence (inclusive of machine learning, natural language processing and cognitive processing), organizations have begun to invest heavily in robotic process automation (RPA). This technology allows organizations to automate high-volume, deterministic, system-based tasks by introducing a virtual workforce of “robots.” The business units that comprise the first line of defense (specifically, the finance and operations departments) have been the earliest adopters of this advancement. They evaluated their existing processes to identify, prioritize, develop and, ultimately, deploy robotics that may alleviate mundane tasks and departmental pain points. Business units have capitalized on the speed and nimbleness of deploying RPA in partnership with and, at times, autonomously from IT departments.

As the appetite, quantity and complexity of robots begin to proliferate following adoption across the three lines of defense, organizations recognize the necessity to establish program governance from the onset to enforce consistency, accountability and standardization. The creation of a scalable operating model is a vital undertaking to balance strategy formalization, business enablement, technology integration, and communication and coordination. The decision whether to embrace a federated or centralized operating model construct is a function of an organization’s culture, but most traditional RPA operating models consist of the following six components.

Organizations are also instituting formal centers of excellence (COEs) that align with this broader operating model. These COEs represent dedicated groups with specialized competencies that focus on orchestrating the RPA life cycle. These organizational structures (e.g., operating models and COEs) remain governance focused, yet their primary business objectives are optimizing the connectivity of disparate processes to build “bridge” functionalities, creating efficiencies and improving productivity. As the continuum of automation progresses beyond RPA, organizations ultimately should reflect upon the lessons learned from their RPA journey to proactively institute similar COE constructs and recognize risk and control considerations.

1. Strategy and governance: defines the overall vision and standards for RPA at the enterprise level

2. Process life cycle: consists of the identification, prioritization, development and ongoing maintenance of RPA instances

3. Value measurement: defines the manner by which RPA is measured from the perspective of performance and impact

4. Alignment and change: promotes an RPA journey that is inclusive of impacted resources through awareness and training

5. Technology: enables RPA efforts by maintaining the overall platform and providing the necessary support for applications

6. Enterprise integration: leverages the existing functions and capabilities within the enterprise to enable RPA, while establishing a point of integration for key control functions

* “RPA is Transforming Business Process – Delivering Fast, Accurate Service, and Improving Customer Experience,” Everest Group, Institute for Robotic Process Automation, 2016.

Recognition of risks and controls


As the financial services industry entertains this inflection point of puzzlement, curiosity and concern surrounding RPA across organizations, the question is no longer “if,” but rather “why,” “when,” “how many,” “where” and “how fast” robotics have been deployed. Boards, executives, committees, regulators, risk management and compliance functions, and internal audit departments are receptive to leveraging technology to reduce costs and streamline processes, yet queries have arisen about the parallel degree of focus on risk, control and compliance. Instances have also been identified whereby control consciousness has been viewed as secondary to deploying RPA and realizing business returns.

Risk mitigation remains the foundation for strong business performance, and organizational trepidation has surfaced that robotic deployments may be a new vehicle that presents both traditional risks and also introduces new, unforeseen risks. Minimally, from a risk and control perspective, organizations are tackling the following representative apprehensions with their RPA journey.

• Rationalization — Although organizational direction may be communicated with regard to RPA, anxieties exist regarding the improper usage and deployment of robotics. RPA sometimes may rightly serve in a bridge capacity, but situations have occurred whereby RPA is not the appropriate technology and was solely selected due to a speed-to-market goal. As a result, the advantages of flexibility and convenience have been a curse, and led to knowingly circumventing extensive queues within development teams and cumbersome technology controls.

• Maintenance and operations — Similar to an employee, robots require guidance to perform the activities desired. Although robots are configured as of a point in time based upon defined business requirements, broader architecture and system changes can severely affect the expected performance. Modified data field mappings, orphan and dangling robots, vendor upgrades, system integrations, capacity and performance monitoring, and forward compatibility considerations require attention to preserve the original intentions of the robot and manage the perceived brittleness of the application and RPA dependencies.

• Cybersecurity and resiliency — As robotics become mainstream, these new entrants to the IT environment represent additional vectors for compromise. Abuse of privileged access, mismanaged access entitlements and disclosure of sensitive data are valid concerns. Additionally, platform security vulnerabilities, privacy implications and denial of service may yield ramifications that impact the RPA integrity, reliability and downstream business processes.

• Methodology and documentation — Granted that agile development methodologies encourage improved iterative communication and coordination between key stakeholders, adherence to documentation standards should be a staple of this approach to support the risk and control mindset. Although business functionalities may be delivered more timely and accurately, the traceability of artifacts related to RPA decisions often is absent, and even an afterthought.

[Figure: RPA risk and controls. Labels: technology enablement; business process optimization; organizational drivers (cost, productivity, efficiency); RPA benefits (reliability, scalability, retention, consistency, auditability); untapped risk coverage.]

Why are my actions related to data (e.g., extracting, aggregating and transforming) suddenly under extensive scrutiny?

[Figure: risk areas arranged around the six operating model components (1. Strategy and governance; 2. Process life cycle; 3. Value measurement; 4. Alignment and change; 5. Technology; 6. Enterprise integration). Risk areas shown: process selection and criteria; platform resiliency; conduct and culture; transparency and metrics; cybersecurity; vision; methodology; compatibility; vendor management; talent and training; benefit realization; interdependency management; risk and control integration; business continuity and disaster recovery; resource optimization; performance monitoring; system development life cycle; program risk management. Legend: critical risk, high risk, moderate risk.]


Regardless of an employee’s role within an organization, it is widely appreciated that regulatory, financial and reputational risk management are simply “good business.” Automation agendas are exciting and groundbreaking, yet they require an effective challenge from a risk management perspective to proactively protect organizations. As robots extract, aggregate, transform and upload data, risk and control considerations become paramount discussion topics.

Illustrative risks per operating model component

Proactive risk and control consciousness

To complement the prior RPA organizational structures (e.g., operating models and COEs) discussed, it is critical to identify the junctures of risk introduced by the broader RPA program. The following represent illustrative risk considerations in which a degree of control may be justified.

1. Strategy and governance

Has an organization-wide, business-driven vision and strategy been defined, inclusive of the end state and maturity tollgates (e.g., operational readiness, benefit realization and virtual workforce)?

Has an operating model (inclusive of program roles and responsibilities) been established to govern, manage, operationalize and scale the program and life cycle (e.g., centralized and federated)?

Have policies and standards been defined to promote program value and consistency (e.g., process prioritization, value measurement, development and deployment, issue management, and risks and controls)?

Has a project management office been established to foster a “seat-at-the-table” position across relevant steering committees to focus on RPA development workflow, financial planning, resource management, and control and risk management aspects?

2. Process life cycle

Has a consistent, end-to-end methodology been established to manage the RPA life cycle (e.g., identification, prioritization and development)?

Have process suitability criteria been established (e.g., deterministic, digitized and documented) and are potential candidates stored within a repository for future consideration?

Has a process prioritization model been defined to align with the business-driven program vision and the desired value (e.g., efficiency gains, cost avoidance, quality management and growth acceleration)?

Has exception handling of the processes in production been conducted to monitor performance (e.g., run-book protocols) and manage any encountered exceptions (e.g., technical or operational)?


3. Value measurement

Has a regular cadence been established to communicate the program’s progress and success to executive leadership (including progress relative to the overall strategy, vision and maturity)?

Have key performance indicators (KPIs) and key risk indicators (KRIs) been defined to proactively assess the RPA program’s health (e.g., engagement and acceptance, efficiencies gained, development pipeline and training)?

Have operational and performance metrics been defined to identify trends and anomalies regarding production concerns (e.g., capacity, downtime and exceptions)?

Has the return on investment been measured (e.g., cycle time, transactions processed and capacity gains) and socialized to challenge the speed and targets for further automation?

4. Alignment and change

Has the organization planned accordingly for the new competencies required to sustain the RPA program strategy?

Has organizational training and education been deployed (and how frequently) to provide the necessary skills uplift (e.g., awareness, foundations and development)?

Have new learning paths, job descriptions and workforce planning changes been defined to promote the program’s sustainability?

Have automation anxiety and resistance and cultural impacts been experienced organizationally?


5. Technology

Has the organization effectively collaborated with the RPA vendor to agree upon licensing, communication channels, interaction points and service-level agreements (e.g., software issues, configuration management, enhancements and defects)?

Has the organization challenged the compatibility of RPA with the underlying architecture and infrastructure (e.g., synchronization, server changes, entitlement management, business continuity and disaster recovery)?

Has a controlled, non-production innovation and test lab been established to challenge the feasibility of the integration of RPA with further emerging technologies?

Has a knowledge-management repository been established to capture relevant RPA lessons learned, accelerators, enablers and artifacts to promote organizational consistency?

6. Enterprise integration

Have RPA teams effectively integrated with organizational transformation teams to maximize synergies (e.g., business process management) and minimize duplication?

Have the three lines of defense adopted standardized risk and control frameworks that align with the RPA operating model?

Have the security implications (e.g., privileged access management, denial of service and platform vulnerabilities) and regulatory implications (e.g., privacy and across borders) of RPA been proactively considered?

Has the impact on core technology processes (e.g., change management and logical security) and system integration been evaluated and communicated as a result of introducing RPA?

How has your organization demonstrated the agility to tackle the risk and control agenda for these domains to provide enhanced visibility of the RPA program’s soundness?


Call to action

RPA has already revolutionized organizations from a people, process and technology standpoint. Although organizations are admittedly within the early stages of their automation journey, current trends have surfaced and inklings of future focus have been identified.

To avoid the introduction of a potentially systematic risk within an organization, RPA implementation teams should:

• Expect enhanced regulatory and internal audit scrutiny — articulate and document visions, approaches, rationales and recognition of process, risk and control considerations

• Create and preserve artifacts — create document repositories and connections to existing governance, risk and control (GRC) platforms that are linked to processes, risks and controls to demonstrate framework adherence and evidence traceability

• Anticipate production disruptions following deployment — establish handling procedures for timely resolution of issues identified to minimize the impacts on connected operations

• Embed risk and control involvement — entertain the inclusion of a dedicated work stream to proactively foster risk and control consciousness, including participation in a seat-at-the-table capacity during agile development working sessions (e.g., Scrum)

• Assess consistency of control process, risk and control inventories — determine overlaps and disparities with the organization’s technology risk and control inventory

• Plan accordingly for delayed deployments — recognize that stage gates (and, therefore, buffers) may need to be incorporated into timelines to manage risk and control implications during agile development efforts

• Challenge the audience and degree of progress and risk reporting — understand the desire for reporting about benefit realization, concentration risk, control adherence and resulting people risk management

• Consider synergies of the risk and control work stream — recognize that content within a process, risk and control work stream can be pivoted to serve as an internal audit work plan to evaluate the RPA implementation

• Determine the new role of people — recognize that roles and responsibilities will be altered as a result of RPA implementations, yet oversight and monitoring are critical to foster control and sustainability


The emphasis on cohesive processes, risks and controls remains a staple across the financial services industry. Although new disruptive innovations and technologies will be introduced into an organization’s environment as time elapses, we believe:

• Regulators will take considerable interest with regard to the handling of people risk management, particularly since robotics may alienate or create angst among employees and their future responsibilities and employment.

• Internal audit will focus on the logic inspections of robotics, similar to model risk management re-performance efforts, query analysis and data mapping during report validations, and configuration assessments of application controls.

• Cyber criminals will seek new entry points into organizations via robotics and, hence, an elevated focus on network security, platform resiliency and ethical attack-and-penetration efforts to proactively identify vulnerabilities within the robotics.

• Executives will desire risk profiling and health checks of individual robotics to assess if overreliance is placed on the robotics and whether their initial intended purposes have morphed, particularly where human intervention may be warranted from a decision-making perspective.

• New employment opportunities will exist that bring together automation and risk management competencies, and likely will be filled by transfers from internal innovation centers or external hires.

Top-five predictions

Next steps


To provide constructive, timely feedback and challenge regarding the risk and control considerations of an RPA implementation, it is critical to strike a balance between passive and obtrusive engagement. The majority of implementations today do not possess a dedicated risk and control work stream as part of the broader project team. The integration of this focused risk and control mindset throughout the process would serve as a dynamic preparedness health check in advance of the inevitable external review and overall stakeholder inquisitiveness.

As echoed earlier, risk and control compliance should not be sacrificed during the automation journey. These disciplines are not mutually exclusive, but rather they should coexist in harmony. As organizations continue to progress their automation agendas, the following actions should be considered:

• Assess feasibility of a “bolt-in” risk and control work stream for robotic implementations underway to retrofit artifacts, where possible

• Understand future robotic implementations to consciously align a bolt-in risk and control work stream from the start

• Evaluate degree of preparedness documentation required for external-party review (e.g., rationalization, robotic playbooks, robot inventories, flowcharts, and risk and control matrices)

• Develop templates and enablers to capture relevant risk and control documentation on an ongoing basis, including performance of a risk-based degree of design and operating effectiveness testing

• Determine necessary skills uplift (e.g., training and development) or hiring required to support risk and control work streams

Maintaining a “finger on the pulse” of RPA risk and control across an organization represents a worthwhile investment to proactively manage the changing business processes and, ultimately, protect against potentially newsworthy repercussions.

Measure and monitor your RPA risk and control profile before becoming a statistic.

Contacts

David Kahan, Financial Services, Technology Risks and [email protected]

Chris Lamberton, Financial Services, Robotic Process Automation (Europe, Middle East, India, Africa) [email protected]

Andrew Oltmanns, Financial Services, Business Risks and [email protected]

Andy Gillard, Financial Services, Robotic Process Automation (Asia-Pacific) [email protected]

George Kaczmarskyj, Financial Services, Robotic Process Automation (Americas) [email protected]

EY | Assurance | Tax | Transactions | Advisory

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

© 2018 EYGM Limited. All Rights Reserved.

EYG no. 00422-181Gbl 1712-2504420

ED 1/18

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.

Consolidated audit trail (“CAT”) — Now what?

EY’s point of view during this time of uncertainty

January 2018

CAT timeline and recent updates

[Figure: CAT timeline with two rows, “Original” and “Industry update”. Dates shown: November 15, 2016; September 1, 2017; November 15, 2017; May 15, 2018; August 15, 2018; October 15, 2018; November 15, 2018; November 15, 2019.]

Original:

• Begin customer data reporting by all industry members

• Small BDs must begin reporting to CAT processor

• Thesys publishes draft of Technical Specifications

• Final CAT NMS Plan approved and becomes effective

• Coordinated and structured testing begins of order submission

• Large BDs must begin reporting to CAT processor

• Thesys to publish Technical Specifications for submission of Customer Information

• SROs begin reporting to CAT Processor

• Thesys to publish updated Technical Specifications for submission of order data by BDs

Industry update:

• On October 16, 2017, FIF CAT Working Group provides extensive feedback on draft Industry Member specifications

• On November 13, 2017, SROs request Exemptive Relief to delay CAT reporting. Chairman Clayton releases public statement indicating that the SEC cannot support the proposed request in its current terms

• Exemptive Relief request proposes that Industry Member Specifications for customer and order data will be finalized in October 2018 with iterative drafts every two months

• On Dec 19, 2017, CAT Operating Committee holds industry update call and communicates that they are operating on timeline proposed in November 13 Exemptive Relief request even though not formally approved/sanctioned by SEC

• Exemptive Relief request indicates industry testing to begin in October 2019

• Exemptive Relief requests that large BDs begin reporting in April 2020

• Exemptive Relief requests that small BDs begin reporting in April 2021

The CAT implementation scope and timeline have been subject to significant scrutiny from Participants and Industry Members. While no official delay has been sanctioned by the Securities and Exchange Commission (“SEC”), key plan milestones have been missed. An Exemptive Relief request was filed by the CAT NMS Participants to delay all milestones. The timeline outlines some key updates/requests on the original timelines.

The complexity of CAT, lack of complete and finalized specifications, proposed timeline changes and lack of official guidance and communication from the SEC has created an environment of significant uncertainty for Industry Members.

Now What? EY’s point of view


Looking back

Going forward

• Ensuring documentation and data attribute mapping for existing non-financial regulatory reporting is current and accurate and captures inventory of all applicable use cases and events

• Remediating legacy issues with existing regulatory reports, including Order Audit Trail System (“OATS”) and Electronic Blue Sheets (“EBS”) that will be foundational for CAT reporting

• Evaluating customer reference data quality, accuracy and completeness for unique customer identifiers like SSN, TIN, LEI, etc., and remediating where required

• Consolidating and centralizing data with an eye on the future to support data flexibility and advanced capabilities, like TCA, supervision and surveillance, best execution, etc.

• Enhancing security programs to protect confidential customer and order information

• Understanding dependencies on existing vendor solutions that will impact future reporting efforts

• Developing a holistic technology strategy to support efficient future reporting, including buy, build and hybrid model decisions

• Planning and designing a sustainable operating model and controls framework to support future reporting, including periods of parallel reporting

While it will undoubtedly be challenging and costly to implement, it is widely agreed that Consolidated Audit Trail will be a useful system that will provide transparency into our financial markets in addition to useful information for regulators and broker-dealers alike. Even with unclear timelines, CAT will ultimately be required and as such firms should use this as an opportunity to enhance and improve existing reporting operations and technology which will eventually facilitate CAT reporting and provide additional benefits to firms.


Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US.

© 2018 Ernst & Young LLP. All Rights Reserved.

1801-2572905 ED None


Electronic trading

Keeping up with the risk at capital markets firms

January 2018


Contents

4 Introduction

5 Getting started

7 Sizing the risks

8 What about models?

9 Evaluating the controls

12 Testing and monitoring

13 Lines of defense

14 Conclusion

Introduction

1 See page 11 for a discussion of selected regulatory guidance.

Electronic trading is ever increasing: in volumes, in asset classes and in overall importance to market structure. This electronic trend includes the growth of automated trading, algorithmic trading, high-frequency trading and increased routing to all manner of trading platforms, as well as new types of automation, such as the application of artificial intelligence and machine learning to trading logic (collectively in this paper, e-trading).

With increased activity comes increased risk, so it is no surprise that there is growing concern among regulators and risk managers for capital markets firms of all sizes as to whether controls are able to keep pace and effectively manage e-trading risks. Rule-making and regulatory guidance have provided useful standards for control, but the question persists: are controls sufficient for the level of risk?

In analyzing e-trading risks, firms and regulators share the twin goals of preserving market integrity and avoiding catastrophic losses. Unfortunately, given the complexity of e-trading environments and the large order volumes flowing through various components, even small mistakes can have potentially catastrophic impacts – to the market in question and to the firm itself.

Instances of such losses and mini-“flash crashes” have led regulators to be more active in punishing firms that cause market disruption through e-trading errors. Recent fines have grown in size, and regulatory supervisors are actively examining e-trading environments for safety and soundness, including direct involvement by the second line of defense and application of model control standards to the embedded algorithms (algos).

Conduct risks have also extended into e-trading. Firms are expected to prevent or detect misconduct by human or machine, meaning that they must understand what algos are being programmed to do and whether those actions are consistent with applicable regulations, policies and the firm’s own disclosures to clients. Two key areas ripe for innovation are surveillance for trader misuse of electronic platforms (starting with layering and spoofing) and oversight of automated trading logic (including the “quants” and IT developers creating and tweaking the code).

Indeed, more recent regulation and industry guidance have raised the overall obligation of firms to correctly identify and mitigate all aspects of e-trading risks – from systematic limitations on outgoing orders to accurate disclosure of key functionality to customers and counterparties. It is incumbent on firms to have an end-to-end system of controls for risks that can disrupt markets, harm investors or damage confidence in the markets.¹

With all this increased focus, boards and senior management at most firms with any degree of e-trading have taken at least initial steps to assess existing risks and controls. Yet the highly specialized, rapidly evolving nature of e-trading presents unique challenges to firms in right-sizing control and oversight processes, and firms are hesitant to stifle innovation and automation given its competitive importance.

To strike this balance, we believe firms need a comprehensive control environment that includes an enterprise-level policy, clear roles across lines of defense, detailed risk assessments, proportionately designed controls of several types, and continuous re-evaluation and testing. This paper discusses each of these key components in more detail, and highlights common challenges unique to e-trading, with suggestions as to how firms can address those challenges. With the right framework, firms joining in the growth of e-trading can be more confident that their controls are keeping up with the risk.

Getting started


Figure 1: Sample e-trading flow

Risk identification

The first step is for firms to understand e-trading activities occurring across the enterprise. This may seem obvious, but it can be difficult in practice:

► Who is responsible for collecting information about e-trading (businesses, Technology, others)?

► What is in scope on the continuum from electronically-assisted human trading to fully automated decision-making and execution?

► Are there consistent standards for risk understanding and control, including shared taxonomies and control libraries, to facilitate assessment and reporting?

► How does e-trading aggregate for enterprise risk management and board-level risk tolerance?

To help solve for these challenges, we recommend that firms articulate an enterprise-level e-trading governance framework, starting with a shared definition of e-trading, defined roles and responsibilities, a structure to support the ongoing risk management program, and establishment of a firmwide e-trading policy to set high-level standards.

A key feature of the governance program is to mandate and organize collection of information about e-trading activities, using common definitions and standards for risk identification. Firms following this type of approach have been able to develop asset inventories for the business areas and markets where e-trading (as they have defined it) is already in use, and to impose vetting and approval processes regarding expansions.

Mapping the flows

A key consideration for risk identification and the asset inventory is the level of detail that will be required for in-scope activities. E-trading occurs through a series of processes that employ multiple hardware and software components to achieve a specific purpose. Each e-trading process may entail use of multiple algos, each with its own functional purpose, plus other hardware and software components and embedded controls.

As a result, ideal classification and risk identification in the e-trading environment involves mapping each end-to-end process, or “flow,” recognizing that all components and connections in the flow are relevant to evaluating the risks. Creating a detailed mapping of each flow is no small undertaking, but it provides a well-understood, easy-to-reference “place mat” for the flow, highlighting key handoffs between systems, component parts, and all significant inputs/outputs.

Having mapped the end-to-end flows in this fashion, firms can leverage classifications within the policy to identify next steps for different types of activity. For example, critical reference data inputs can be readily identified and checked for legitimacy. Similarly, algos within the flow can be isolated for consideration as potential models (see page 8).


The e-trading policy

Key aspects of the governance framework should be reflected in an enterprise-level e-trading policy, setting the foundation for ongoing oversight and aggregation of e-trading risks.

Figure 2: Key aspects – e-trading policy

► Governance structure – this generally includes assigning authority for approval of new or modified requests to engage in e-trading activity, and may also create an enterprise-level oversight body (e.g., an e-trading risk committee) that includes membership from all lines of defense and impacted businesses across the firm

► Operating model – the policy sets out the framework for ongoing risk management, including high-level roles and responsibilities across three lines of defense for control execution, assessment, monitoring/testing, and reporting

► Setting scope – typically, the activities considered in scope as e-trading are defined broadly, encompassing any automation of actions taken within trading or order processing, allowing varying levels of automation to be reflected in subsequent risk assessment activities


► Definitions – the policy defines common language for key components within the e-trading environment, such as algorithmic models, order routers and other software components

► Documentation – a fundamental tenet of the policy is to control the population of e-trading activities by defining required information capture and maintenance for an inventory of in-scope activities

► Risk/control standards – identification of the types of risks to be considered in e-trading activities, and the types of controls to be considered in assessing how well the risks are controlled

Sizing the risks


Sorting through the details

Having identified in-scope activities, firms next need to assess the level of risk and identify controls related to those activities. To do this for e-trading, firms need to assess processes at a fairly granular level – the level at which e-trading errors occur. This typically requires a “bottom up” review, since existing operational risk assessments tend to be at too high a level to evaluate differential e-trading risks and assess individual controls in operation. This detailed understanding of controls within e-trading flows also becomes important later, as monitoring and testing are employed to develop ongoing oversight.

The granular review will cut across many risk and control owners – including the business, Technology, Operations, Model Control and Compliance. Firms should consider overarching controls (such as change management) and those that are specific to individual e-trading flows (those shown on place mats).

Inherent risk is relative

A helpful starting point in evaluating e-trading controls is to establish a common understanding of the varying levels of inherent risk created by different e-trading activities. A simple scoring model can be developed using information collected in the e-trading inventory. For example, starting with the flow’s functional significance, it can be scored by its scope (products, regions, business lines), purpose (firm, client, actions taken) and basic functionality (how it achieves the purpose). Additional factors might include:

► Regulation (whether some or all of the functionality has to meet regulatory requirements)

► Complexity (the level of functional complexity and likelihood of errors occurring, absent controls)

► Impact (the use of outputs and consequences of failure, either directly or on downstream processes)

By using a consistent, clear method to determine the relative inherent risk of in-scope activities, firms can gain more comprehensive coverage, but also can prioritize a heightened focus on the riskiest e-trading activities – a key component of “right-sizing” their efforts in this space.


What about models?

Figure 3: Sample e-trading algorithm functional types

Are algorithms models?

After the financial crisis, regulatory supervisors have increasingly focused on models for activities, including risk management, valuation, investment decisions, and assessing capital adequacy. In response to formal supervisory guidance (see page 11, describing SR 11–7) and feedback from regulators in various jurisdictions, firms have undertaken broad, multiyear programs to enhance their model risk management (MRM) frameworks, including governance, model definition, model inventory, stature of MRM functions and model control standards across the model life cycle (development, validation and use).

When it comes to e-trading, regulators are expecting MRM functions to identify algorithms within e-trading flows that present model risk and confirm that they are subjected to appropriate model controls. But how can this be accomplished? MRM functions often struggle to integrate model control activities within the context of the overall e-trading flows and the existing controls operated by others, including Technology.

Identification and classification

The previously described asset identification process can be used to identify algos operating within each e-trading flow, and those algos can be further classified by function since different uses will present inherently different levels of potential model risk. Once identified, the MRM function can lead a process to capture relevant information about each algo, supporting an assessment of whether it meets the definition of a model (i.e., there is uncertainty in the output from assumptions, and a quantitative method/approach applied vs. a rule-based engine with no uncertainty in the output).

Defining model control activities

Once algos are appropriately classified, MRM functions should confirm that any algo qualified as a model is subject to controls commensurate with its complexity, impact and the level of reliance placed on its outputs. MRM functions likely will need to customize existing model control standards to address the unique nature of e-trading algos (e.g., constant calibration, programmatic parameter updates). MRM can also take into account existing controls surrounding the algos that may partially mitigate model risk (such as relevant input and output checks).

To implement model controls, MRM will need to identify how these activities fit into the overall e-trading control framework, across first and second line of defense functions (e.g., trading, quants, Compliance, Technology, Independent Risk). Focus on model risk will only increase as firms further expand the use of trading algos, including advanced approaches such as machine learning and artificial intelligence (see page 9, describing the Financial Stability Board’s recent white paper on these topics). We anticipate that the ability to successfully integrate model controls with the broader e-trading control framework will become critical to credibly managing the risks posed by these new capabilities.

Evaluating the controls

Types of controls

Most e-trading is subject to multiple layers of controls that can be categorized broadly into three types, based on the stage (before, during or after trading) within the overall process:

► Pre-trade controls occur primarily in the software development life cycle (SDLC), including turnover management, regression testing, and deployment controls for software and hardware components.

► Trading controls tend to operate on the desk or in infrastructure immediately adjacent to it – these controls will be both preventive and detective in nature, including input and output checks, trader and quant oversight, and layers of limits.

► Post-trade controls provide real-time monitoring and alerting of production incidents as they start to occur, driving responsive actions (automated or manual) while losses can still be mitigated.

Assessing in phases

Typically, we suggest firms approach e-trading control assessment in two key phases. The first is a process review covering key horizontal areas like SDLC, MRM, limit frameworks and incident management. The strength of these control frameworks operates to mitigate risks across e-trading processes.

Second, more focused reviews can be undertaken for the individual e-trading flows, identifying specific potential points of failure in the functional architecture, inbound connections, outbound connections and logic engines (algos). Here, the place mat developed for each flow during asset identification should facilitate the review and allow visualization of embedded controls, assisting in a risk-based prioritization of controls for design and operating effectiveness testing.

SDLC is key

The most fundamental “prevent” controls for e-trading are those in the SDLC. Grouped broadly under change management (see Figure 4), these controls should include standards for code development, approvals, testing and deployment protocols. Even small tweaks to automated trading or order handling logic can lead to serious issues – whether through unintended impacts to adjoining components in the flow, or by changing customer treatment or trading behavior in a way that violates conduct principles or changes the accuracy of firm disclosures.

Despite the criticality of strong SDLC, many quants and electronic trading managers bemoan the bureaucracy introduced with stronger change management controls, especially when firms include groups outside of the business or Technology into the approval chain (e.g., New Product Committees, Compliance, MRM and Risk). What’s more, as a practical matter, the volume and frequency of changes needed in a modern e-trading environment make it impractical to apply an equal standard of review to all changes.

To solve for these challenges, we see leading practice where firms have taken the following steps:

► First, evolving the e-trading architecture to include a degree of “parameterization,” which is the ability for predefined variables within the code to be changed on the fly, without a cumbersome process. Built-in limitations on how (or how much) these parameters can change serve to contain the overall risk presented by the real-time changes. In addition, periodic review processes validate that key functionality has not changed, despite the allowance of flexibility in defined areas.

► Second, requiring non-parameter changes to be assigned a risk tier by developers, based upon a defined set of risk triggers that include the potential materiality and impact of the change (e.g., to the flow, Compliance or customer interactions). The resulting risk tier corresponds to the level of pre-vetting required. Periodic look-back reviews are used to validate that risk tiering decisions are being made appropriately.

► Third, recognizing that there will be instances where an expedited process is needed, even for higher risk changes, by creating a process for “emergency turnovers,” allowing changes to proceed without aspects of the onerous pre-deployment approval process. These turnovers must be tracked and subjected to post-change challenge as to the legitimacy of invoking the exception, as well as regression testing of the resulting changes.
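The three steps above can be expressed as a small change-control gate. The sketch below is an added example, not code from the paper or from any firm; the parameter names, bounds, risk triggers, weights and approver groups are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# All names, bounds, triggers and approver groups below are constructed
# for illustration; they are assumptions, not values from the paper.

@dataclass(frozen=True)
class ParamSpec:
    lo: float            # hard floor (must be > 0 so relative steps are defined)
    hi: float            # hard ceiling
    max_step_pct: float  # largest single move, relative to the current value

# Step 1: predefined parameters that may change on the fly, within limits.
PARAM_SPECS = {
    "max_order_qty": ParamSpec(lo=1, hi=10_000, max_step_pct=0.25),
    "spread_bps": ParamSpec(lo=0.5, hi=50.0, max_step_pct=0.50),
}

# Step 2: hypothetical risk triggers (with weights) for non-parameter changes.
RISK_TRIGGERS = {
    "touches_order_routing": 3,
    "touches_limit_checks": 3,
    "changes_customer_treatment": 3,
    "changes_disclosed_behaviour": 2,
    "shared_component": 1,
}

# Pre-vetting required per tier (hypothetical approver groups).
REQUIRED_APPROVALS = {
    "low": {"dev_lead"},
    "medium": {"dev_lead", "technology"},
    "high": {"dev_lead", "technology", "compliance", "mrm"},
}

def validate_param_change(name, current, proposed):
    """Return (ok, reason) for a real-time parameter change."""
    spec = PARAM_SPECS.get(name)
    if spec is None:
        return False, "not a predefined parameter; use the code-change process"
    if not (spec.lo <= current <= spec.hi):
        return False, "current value already outside hard range"
    if not (spec.lo <= proposed <= spec.hi):
        return False, "outside hard range"
    if abs(proposed - current) / current > spec.max_step_pct:
        return False, "step too large"
    return True, "ok"

def risk_tier(triggers):
    """Map the triggers a developer declared to a tier; unknown triggers fail."""
    unknown = set(triggers) - RISK_TRIGGERS.keys()
    if unknown:
        raise ValueError(f"unknown risk triggers: {sorted(unknown)}")
    score = sum(RISK_TRIGGERS[t] for t in set(triggers))
    if score >= 5:
        return "high"
    if score >= 2:
        return "medium"
    return "low"

@dataclass
class Turnover:
    change_id: str
    tier: str
    emergency: bool = False
    justification: str = ""
    post_review_done: bool = False   # post-change challenge of the exception
    regression_passed: bool = False  # regression test of the resulting change

def may_deploy(t, approvals):
    """Step 3: emergency turnovers skip tier pre-vetting but must be justified."""
    if t.emergency:
        return bool(t.justification.strip()) and REQUIRED_APPROVALS["low"] <= set(approvals)
    return REQUIRED_APPROVALS[t.tier] <= set(approvals)

def open_emergency_items(turnovers):
    """Emergency turnovers still awaiting post-change challenge or regression."""
    return [t.change_id for t in turnovers
            if t.emergency and not (t.post_review_done and t.regression_passed)]
```

The list returned by `open_emergency_items` is the population a look-back review would work through; an emergency turnover that never leaves it is itself a control finding.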


Figure 4: Sample e-trading control types

Designed for failure

Given the frequency of turnovers and the complexities of the change process, most firm SDLC programs experience regular errors; these occurrences point to an even more important consideration in evaluating controls within an electronic trading flow – the need for intentional redundancy. In other words, firms should have multiple layers of controls, including both those reasonably designed to prevent errors from occurring and those designed to rapidly halt processes when errors nonetheless occur.

Limits as the last clear chance

The ultimate controls designed to operate when other controls have failed are perimeter limits. These coarse-grained limits are set at the outermost edge of the system architecture, designed to halt automated instructions from upstream components when management tolerances in terms of notional size, volume, various risk measures or some combination of factors are exceeded. These limits are required by regulatory directives for systematic avoidance of disruptive impacts to markets or harm to investors (see page 11). By design, perimeter limits should be activated only when other limits have failed – more fine-grained limits should be embedded at key action points within the flow, as internal kill switches and “sense checks” to stop processing upon input or output failures or notable calculation mistakes.

As applicable, the embedded and perimeter limit regimes should include sensitivity to credit risk and expected activity levels for customers trading through the firms’ infrastructure, and to market risk limit frameworks applicable to the firms’ principal flows (market making and hedging). To manage all this, firms should look to establish a limits framework and operating model that operates in real time, including real time management by appropriately segregated first-line personnel and second-line oversight (Market and Credit Risk) of potential intraday risk.
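The layering described in this section, fine-grained embedded checks backed by a coarse perimeter limit that halts the flow, can be seen in a short simulation. This is an added example, not code from the paper; the class names, thresholds and sample orders are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed example: thresholds, symbols and orders are assumptions.

@dataclass(frozen=True)
class Order:
    symbol: str
    qty: int
    price: float

class EmbeddedChecks:
    """Fine-grained 'sense checks' at an action point inside the flow."""
    def __init__(self, max_qty, collar_pct):
        self.max_qty = max_qty
        self.collar_pct = collar_pct

    def check(self, order, ref_price):
        # Input failure: no usable reference price means the check cannot run.
        if ref_price is None or ref_price <= 0:
            return "reject: no valid reference price"
        if order.qty <= 0 or order.qty > self.max_qty:
            return "reject: quantity"
        if abs(order.price - ref_price) / ref_price > self.collar_pct:
            return "reject: price collar"
        return None

class PerimeterLimit:
    """Coarse limit at the outer edge; once breached it stays halted."""
    def __init__(self, max_gross_notional, max_orders):
        self.max_gross_notional = max_gross_notional
        self.max_orders = max_orders
        self.notional = 0.0
        self.count = 0
        self.halted = False

    def admit(self, order):
        if self.halted:
            return False
        notional = order.qty * order.price
        if (self.notional + notional > self.max_gross_notional
                or self.count + 1 > self.max_orders):
            self.halted = True  # latched: no automatic resumption
            return False
        self.notional += notional
        self.count += 1
        return True

    def reset(self, authorised_by):
        # Resumption is a deliberate human action, attributed to a person.
        if not authorised_by:
            raise PermissionError("reset requires a named authoriser")
        self.notional, self.count, self.halted = 0.0, 0, False

def run_flow(orders, ref_prices, embedded, perimeter):
    results = []
    for o in orders:
        reason = embedded.check(o, ref_prices.get(o.symbol))
        if reason:
            results.append(reason)
        elif perimeter.admit(o):
            results.append("sent")
        else:
            results.append("halted at perimeter")
    return results

def demo():
    ref_prices = {"ABC": 100.0}  # constructed reference data
    orders = [
        Order("ABC", 200, 100.5),   # passes both layers
        Order("ABC", 200, 120.0),   # 20% away from reference
        Order("ABC", 5000, 100.0),  # oversized
        Order("XYZ", 10, 5.0),      # no reference price available
        Order("ABC", 400, 100.0),   # passes both layers
        Order("ABC", 400, 101.0),   # individually fine, cumulative breach
        Order("ABC", 1, 100.0),     # arrives after the halt
    ]
    perimeter = PerimeterLimit(max_gross_notional=100_000, max_orders=100)
    results = run_flow(orders, ref_prices, EmbeddedChecks(500, 0.05), perimeter)
    return results, perimeter
```

The sixth order is the case the perimeter exists for: every embedded check passes, yet the flow as a whole has exceeded tolerance, so the halt latches and even a one-share order is refused until a named person resets it.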

Key regulatory guidance for e-trading

By way of explicit rule-making, prudential supervisory guidance and contributions to published industry standards, regulators globally have articulated expectations for e-trading controls.

Figure 5: E-trading – select guidance


SEC Rule 15c3-5 – Requires firms trading securities directly on an exchange or ATS, or who provide direct market access to others, to have controls reasonably designed to systematically limit their financial exposures, and to ensure orders sent via the access comply with applicable rules. Requires:

► Preventing entry of orders above preset credit or capital limits, or erroneous or duplicative orders above price or size thresholds

► Maintaining control over market access technology (restricting access)

► Regular reviews of controls and supervision

Market Abuse Regime – EU requirements for firms to reasonably control against key conduct risks, including through automated strategies, and to avoid disruption of markets or unfair use of customer information via e-trading.

Published Standards – expectations for e-trading risk management set out in industry working group papers:

► SSG Algorithmic Trading Briefing Note

► FX Global Code of Conduct

► Treasury Markets Practices Group Automated Trading in Treasury Markets White Paper

► FSB Report on artificial intelligence and machine learning in financial services

In addition, these and other conduct standards detail types of misconduct that firms must prevent, such as front-running and misuse of customer information, that apply equally to the logic of trading algos.

SR 11–7 Letter – OCC defined models broadly and set standards for controlling model risk, considering uncertainty of inputs, complexity of processing, and materiality of outputs.

SEC Reg SCI – US requirement for key market participants (exchanges, ATSs) to strengthen market infrastructure, reducing errors and improving resiliency. Mandates policies and procedures related to capacity, integrity, resiliency, availability and security of key systems. The requirements encompass change management, stress testing, monitoring, cybersecurity, business continuity, disaster recovery and outsourcing.

MiFID II – EU rules that seek to mitigate risks of market disruption or unfair advantages from algo trading, including high-speed arbitrage. Mandates separate identification of investment decision-making and execution algos, and storing specific details about each, along with systematic limits and capacity and resiliency checks.

Testing and monitoring

Keeping up with the risk at capital markets firms | 12

Figure 6: Sample e-trading risk metrics

Staying vigilant

Another uniquely daunting feature of e-trading risk is the number of ever-changing variables involved. In addition to frequent turnovers to the firm’s code base, the activities and controls in e-trading rely upon constantly streaming data, multiple connection layers and messaging systems, and external parties such as clients and trading venues. Any of these can be the source of a change to the firm’s risk profile, so it is important to engage in continuous monitoring of the trading environment and related controls.

Many types of tests

Checks performed in real time or on a daily basis are essential, and are themselves key forms of control (for example, “heartbeat” monitors, latency monitors, execution quality surveillance). On a less frequent basis, we recommend that firms conduct walk-throughs and targeted tests to specifically confirm the continued operation of key controls (especially key limits, kill switches and alert mechanisms), and to review that the performance of other components continues to be as expected. Another form of leading-practice testing is to carry out simulations. Through a tabletop exercise the firm can challenge key controls and incident response plans through specific scenarios (such as loss of connectivity or an extreme volume spike).

An increasingly important aspect of testing for e-trading involves transparency – firms can be fined for differences between their client disclosures regarding electronic flows and the reality of how trades are processed, orders filled or information shared. Firms are advised to actively design tests of client-impacting functionality (for example, order treatment in dark pool ATSs, or “last look” on principal quotes) to check that marketing materials and disclosures remain accurate through time and after successive changes.

Available metrics

Another source of monitoring is for firms to identify a set of metrics related to the e-trading control environment. Many of these metrics may already be captured by first-line business or Technology groups, but they can be leveraged and reported more broadly as key risk and control indicators. Historical ranges or trends can be used to establish thresholds that, when breached, will indicate a potential need for re-evaluation of a particular component or control.

Indeed, since many controls are designed to catch errors, information about upstream process failures can readily be collected at the point of downstream controls activating. Ongoing analysis and reporting of the causes of errors in various flows should be a core component of the overall e-trading control framework.

Risk areas and KRI examples

Change management
• Number of deployments
• Number of emergency turnovers
• Number of change management policy breaches
• Number of post-deployment roll backs
• Number of deployments, turnovers, breaches, etc.

Incidents
• Overall number of technology ‘outages’ by component
• Number of connectivity related technology incidents
• Number of component based incidents

Capacity
• Capacity utilization
• Number of capacity threshold breaches
• Number of capacity adjustments
• Number of messages
• Number of orders

Latency
• Average latency by flow
• Latency threshold breaches

Per order controls limit utilization
• Number of restricted list violations
• Maximum open order violations
• Number of desk aggregate capital limit violations
• Number of emergency limit extensions
• Number of customer limit breaches
• Number of customer limit extensions

Trade metric trending
• Order to trade ratio
• Cancellation rates
• Transactions per second / Turnover per second

Trading control trends
• Number of orders cancelled / rejected due to stale order check
• Number of orders cancelled / rejected due to duplicate orders
• Number of orders cancelled / rejected due to maximum open orders
• Number of orders cancelled / rejected due to message volume throttles

Regulatory control violations
• NMS trade through violations
• Circuit breaker violations
• Reg SHO violations
• Sub-penny violations

Lines of defense


Everyone plays a part

A comprehensive control environment requires robust involvement from all three lines of defense. Yet in the first line, e-trading controls are typically widely distributed, since each flow will involve multiple data providers and technology process owners, in addition to the relevant trading desk. This can lead to confusion or dilution of overall first-line ownership of the firm’s e-trading risk. And in the second line, it can be challenging to source sufficiently technical skill sets – especially considering the multiple second-line disciplines that need to be involved for effective oversight (e.g., Compliance, Market, Credit and Operational Risk, and MRM). Similarly, Internal Audit can struggle to gain sufficient understanding of the flows and functionality, and to source the right skill sets to engage in robust review and challenge.

Facing these challenges, many firms have established a dedicated governance committee to take a holistic view and share information across lines of defense. This helps facilitate clear lines of responsibility and raise the awareness of all participants since the committee can include membership from all interested groups, and it plays a role in aggregating and reporting risk and control information to the firm’s executive management and board. The committee does not eliminate gaps in specific roles and/or skill sets, but it can help identify the gaps and agree how to address them – whether with third-party assistance or through targeted hiring.

Adding it up

Of course, another challenge for the second and third lines is how to aggregate and measure electronic trading risk. An efficient approach focuses on “rolling up” the information gathered in the detailed place mats and associated control assessments by mapping those risks and controls to higher level risk nodes in the firm’s enterprise risk and control taxonomies. This allows reuse of the detailed assessments in the enterprise’s risk and control self-assessment (RCSA) program, and should facilitate aggregation of key risk indicators (such as turnover metrics, outages and policy breaches) for ongoing oversight.


Conclusion

How EY can help:

Framework

► Evaluate existing policy coverage and/or design policy framework and definitions to identify and classify activities, including model policies and population of model inventories

► Draft minimum standards and types of controls relevant to electronic trading activities based on regulatory expectation and industry practices

► Map end to end electronic trading processes and apply classification criteria

Assessments and Controls

► Evaluate assessment practices and/or design risk assessment programs for electronic trading activities, including development of inherent risk scoring models

► Assess and/or design SDLC and model risk programs, including risk tiering methodologies

► Identify and document relevant controls; perform control assessments

► Summarize residual risks; develop proposed remediation plans

Testing and Monitoring

► Design assistance for monitoring approaches and incident alerting, response and management

► Develop test plans including targeted reviews, model validation approaches, and embedded coverage based on relevant testing skill sets

► Perform model validation

► Perform tests of specific algorithms and/or electronic trading components, and/or perform ongoing algorithm monitoring (including EY’s “Know Your Algo” assessment)

Governance

► Enhance enterprise risk framework and taxonomies to integrate electronic trading risks, including design of governance structures and artifacts (charters, metrics, reporting)

► Define roles and responsibilities across three lines of defense

► Enhance first line controls and operating structure for electronic trading risk management

► Assist with development and optimization of second line testing and validation approaches

Internal Audit Support

► Assist in developing audit plans and scoping for electronic trading risks, including identification of key drivers of risk, types of controls, and potential areas of weakness; assist with enterprise level reporting on audit approaches

► Develop and execute standardized audit program, and/or assist with audit reviews of electronic trading risks and controls, model risks and end to end systems

Electronic connectivity and automated trading in the capital markets, including use of algos, are not new. However, e-trading has been expanding, not only in the speed and sophistication of the computer models themselves, but also through increased volumes and expansion to new asset classes and markets. The expansion will continue, and innovations such as machine learning are sure to add further complexity in the future.

To compete in increasingly electronic markets, firms must be able to nimbly introduce and support more – and more sophisticated – automation in the trading environment while controlling for the unique risks it presents.

Existing controls and regulatory promulgation of standards are a start. But there are concrete steps that firms can take to help create a comprehensive e-trading control framework, including developing an enterprise-level policy, conducting detailed risk assessments, helping ensure the right types of controls and clear lines of defense, and monitoring/testing. Such a framework will be essential for their e-trading controls to keep up.



Contacts

Americas

Mary Lou Peters, 212 773 [email protected]

Gagan Agarwala, 212 773 [email protected]

Andrew Lese, 212 773 [email protected]

Sayak Mukherjee, 212 773 [email protected]

EMEIA

Mark Selvarajan, 44 (0)20 7951 [email protected]

Nick Le Fevre, 44 (0)79 7661 [email protected]

Kieran Mullaley, 44 (0)77 7552 [email protected]

Asia

David Scott, 65 6309 8031, [email protected]

Sameer Rege, 852 2849 9458, [email protected]

Japan

Gary Stanton, 81 70 2175 1770, [email protected]

EY | Assurance | Tax | Transactions | Advisory

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of EY Global Limited, each of which is a separate legal entity. EY Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

© 2017 EYGM Limited. All Rights Reserved.

Score No. 07226-171Gbl

ED None

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.

ey.com