Monday June 4 2012 - Top 10 risk and compliance management related news stories and world events that (for better or for worse) shaped the week's agenda, and what is next


International Association of Risk and Compliance Professionals (IARCP)

www.risk-compliance-association.com

International Association of Risk and Compliance Professionals (IARCP)

1200 G Street NW, Suite 800, Washington, DC 20005-6705, USA
Tel: 202-449-9750
www.risk-compliance-association.com

Top 10 risk and compliance management related news stories and world events that (for better or for worse) shaped the week's agenda, and what is next

George Lekatis, President of the IARCP

Dear Member,

Today we can start from No. 10 of the list, where we discuss cyber-attacks.

According to Mark G. Clancy, Managing Director and Corporate Information Security Officer, The Depository Trust & Clearing Corporation:

“Cyber-attacks on the financial services sector represent a significant risk not just to industry participants but to the stability and integrity of the global financial system itself.”

“The global financial system is an enormous, interconnected system of systems. In other words, while individual institutions operate different parts of the critical infrastructure, the financial system itself is a product of the interactions of all these discrete actions.”

It is an interesting speech; you must read it.

Welcome to the Top 10 list.


The Relevance of Audits and the Needs of Investors
May 31, 2012
James R. Doty, Chairman, 31st Annual SEC and Financial Reporting Institute Conference, Pasadena, CA

May 30, 2012

The Federal Reserve Board announced the approval of a final rule outlining the procedures for securities holding companies (SHCs) to elect to be supervised by the Federal Reserve.

An SHC is a nonbank company that owns at least one registered broker or dealer.

Last year, the UK financial services industry faced regulatory change on a sweeping scale.

At the national level the last UK government introduced the Financial Services Act 2010, which resulted in a number of changes.

Interview with Gabriel Bernardino, Chairman of EIOPA, conducted by Jan Wagner, Versicherungsmagazin (Germany)


Hearing on the ESRB before the Committee on Economic and Monetary Affairs of the European Parliament

Introductory statement by Mario Draghi, Chair of the ESRB, Brussels, 31 May 2012

Meeting of the Financial Stability Board in Hong Kong on 29-30 May

At its meeting in Hong Kong, the Financial Stability Board (FSB) discussed vulnerabilities currently affecting the global financial system and the progress in authorities’ ongoing work to strengthen global financial regulation.

Publication of the first regulatory technical standards on credit rating agencies (CRAs) - 30/05/2012

Four European Commission Delegated Regulations establishing regulatory technical standards for credit rating agencies have been published in the Official Journal of the European Union.


Commodity Futures Trading Commission (CFTC) “Smart Regulatory Reform and the Perils of High-Frequency Regulation” – Remarks by Commissioner Scott D. O’Malia May 31, 2012

Commodity Futures Trading Commission (CFTC) Statement Regarding Public Roundtable to Discuss the Proposed Volcker Rule, Chairman Gary Gensler, May 31, 2012

Hearing entitled “Cyber Threats to Capital Markets and Corporate Accounts”
Friday, June 1, 2012
House Committee on Financial Services, Subcommittee on Capital Markets and Government Sponsored Enterprises
Mark G. Clancy, Managing Director and Corporate Information Security Officer, The Depository Trust & Clearing Corporation


NUMBER 1

The Relevance of Audits and the Needs of Investors
May 31, 2012
James R. Doty, Chairman, 31st Annual SEC and Financial Reporting Institute Conference, Pasadena, CA

Good Afternoon,

I am pleased to be back this year to join you in this conference again. I must tell you that the views I express today are my own and do not necessarily reflect the views of the Board, any other Board member, or the staff of the PCAOB.

This is a special year in many respects. We have our own concerns at home. But those of us who find our work on financial terrain have our sights trained east, toward Europe, and west, toward China, more than in past years. In the broader population, there is new apprehension for effects we don't know but must nevertheless judge.

Will European states muster a defense to the behavioral contagion of financial panic? Will they find a way to use their inter-dependence to make Europe financially stronger? Or will they find that too many divergent interests must agree to save the European experiment?


How will the U.S. be affected?

Looking toward China, many say that that nation's economic growth cannot continue without structural changes. Can China instill its new, investing middle-class with confidence that financial markets will provide for its future? From our larger companies to our smaller entrepreneurs, we are doing business in China. Can we have confidence that China isn't the latest iteration of — pick your era — the Tulip Scandal, the silver-mine frauds of the Old West, the S&L bust? And how should we deal with these risks in a global economy?

These are questions that require that admirable quality we often call vision. When we speak of vision, we speak of visionaries. That is, people who have stepped out from the crowd and revealed something that the rest of us could not see. There are false visionaries, who inspire us to act based on what we or they wish might be. But the true ones give us honesty, and invaluable leadership.

I. Ken Leventhal Exemplified the Expertise and Integrity that is Needed to Make Accounting and Auditing Relevant to the 21st Century

Earlier this month, the University of Southern California, the accounting profession and the public more generally lost a true visionary. I refer to the passing from our scene of Kenneth Leventhal earlier this month, at the age of 90.

Ken Leventhal, throughout his career, gave us clear ideas about how the practice of accounting can and should give society the tools necessary to reduce complicated circumstances to simple, actionable facts.


And he was a good Trojan. Although a graduate of UCLA, he became an active and generous USC supporter after UCLA ended its accounting major. He believed in the future of the accounting profession. He wanted to train the new generation of accountants to use the tools he had developed in practice to help the profession thrive as a vital force for social good. He helped build and maintain a first-rate accounting program at USC, which among other things brings the faculty, policy-makers in accounting, auditing and securities regulation, as well as leaders in the profession together each year at this first-rate conference.

Beyond his work here at USC, his professional life leaves a great legacy and, if we heed his lessons, perhaps a chance to see our confusing financial world with his clarity.

He was born in 1921. As he told his own story, he got the idea for his career when he was a paper boy for the Herald-Express newspaper. His boss was planning to take a correspondence accounting course and go into business for himself, because — as many faculty members will likely recall Mr. Leventhal recounting — "all it took to get started in accounting was a pencil." Mr. Leventhal said that "for a nickel," he figured he could be his own boss, and he never changed his mind.

Mr. Leventhal's plan was interrupted in 1939, after high school, by WWII. When he returned from the war, he enrolled at UCLA on the GI Bill.


That is where he met his wife and future business partner, Elaine Otter Leventhal. After they finished school in 1949, they started the accounting firm Kenneth Leventhal & Co. in Los Angeles. They focused on real estate accounting, and grew the firm into the premier real estate specialty firm in the country, at one point the ninth largest firm in the country. Their clients included the top real estate developers in the post-war period — Ray Watt, Trammell Crow, Donald Trump, and Donald Bren to name a few.

Mr. Leventhal made his mark guiding those clients "through times of expansion and financial distress." To give you a sense of that mark, let me read a passage from a Washington Post article in 1990. It said, "When Donald J. Trump, the flamboyant real estate tycoon, found his business empire in disarray, he could have called on any of Wall Street's top investment bankers to help him out of his troubles. Instead, he turned to an accountant in Los Angeles," Kenneth Leventhal.

The Post called him "no run-of-the-mill" accountant. Rather, it reported, "[a]t a time when the world of accountants and their firms is undergoing wrenching changes, besieged by government lawsuits and cutthroat competition for clients" — sound familiar? — "the 70-year-old Leventhal is running ahead of the pack and, so far, ahead of his profession's problems."

The Post went on to explain the source of his worth: his skill and integrity. As one person put it at the time, "If Trump said his properties were worth such and such, the bankers might not believe him. But if Ken Leventhal says they were worth it, nobody would challenge his word."

For decades, the firm had enjoyed high regard in accounting and real estate circles. Forbes magazine noted in a 1979 article on the firm that, through its expertise, "Leventhal . . . made a name for itself by helping over a score of troubled real estate companies keep out of the courts."


The Leventhal firm specialized and trained its professionals in being able to discern, in simple terms, the economics of transactions. In putting together a debt-restructuring plan, for example, the firm "first had to cut through what Leventhal call[ed] ‘the accounting hogwash.'" As a long-time partner explained it: "What we do is analyze the underlying real estate in terms of a range of values, under different economic circumstances. And we look at the probable streams of cash flow."

In other words, he eschewed over-reliance on manuals and complex programs that tried to anticipate everything, but, in the end, could be used to excuse a failure to find the proverbial needle in a haystack. This is not to say that the global audit firm can do without structure and manuals, or that our economy can dispense with the global audit firm. But Mr. Leventhal's career exemplifies confidence in a guiding principle — one that encourages staff to simplify, to understand the economics of a transaction before attempting to apply the accounting requirements. Doing so requires a deep understanding of the prevailing circumstances, awareness of trends, acute sensitivity to the fact that even the best managements have an inherent bias toward self-protection. As he said, it can be done with a pencil, and the will to be skeptical of false visions. That is, the will to get it right.

The approach an accountant chooses makes an enormous difference, to the investors that rely on his work, to his firm's integrity and reputation, and even his own career. One of the most exciting things about a career in the accounting profession is that, no matter where you are in the country, your work — and your choices in how to perform that work — can make an immense difference to an enormous number of people. That's also, of course, a daunting responsibility.


II. An Audit Establishes Its Relevance on a Foundation of Skeptical Inquiry

An audit that is merely confirmatory, that supports management's vision without sufficiently testing it, promotes commoditization of the audit, and it does worse.

From the halls of the great marble buildings in Washington, from the skyscrapers of Manhattan, from the sunny gardens here in Pasadena, one hears the same refrain: the complexity of financial reporting makes it difficult for management to report, auditors to audit, and investors to understand the economic substance of a transaction or event. This tropism — our inexorable tendency toward the complex — threatens to crush auditor, preparer and investor alike. But the truth is that, by their conduct, auditors may encourage complexity by failing to simplify transactions to their economics, by approaching their task as steps in a corroboration, by failing to speak to the realities and relying on the formalities.

Leventhal's accountants saw this first hand in a classic instance of Mr. Leventhal's so-called "hogwash." This example started out in a little known savings and loan association in Irvine, California, which was acquired by a hungry and ambitious real estate investor in Phoenix. It burst onto the public stage when the Leventhal firm's work was pitted against the work of three major accounting firms.

Leventhal had been engaged by the federal government to examine transactions in which thrift regulators paid certain bankers to take on ailing institutions in exchange for more than $50 billion in federal subsidies. The firm helped the government determine which transactions should have been reopened or renegotiated to win better terms for taxpayers.


In July 1989, the firm produced a report for the Federal Home Loan Bank Board of San Francisco on Irvine-based Lincoln Savings and Loan Association. The Leventhal report studied 15 transactions undertaken by Lincoln in 1986 and 1987. The report stated that —

The transactions . . . analyzed were accounting-driven "deals" created for the appearance of profits. In economic reality the transactions provided no profit, but instead exposed the Association to huge economic losses from other linked transactions or side deals, which the Association entered into for no apparent reason other than to induce purchases of its real estate at prices far in excess of appraised value.

The report concluded, ''Lincoln was manufacturing profits by giving its money away.''

The report ignited a political and public firestorm. It was the basis for federal regulators' decision to put Lincoln into receivership in August 1989, costing taxpayers more than $2 billion — still a large sum today. It was also submitted to the House Banking Committee, which had commenced an investigation of Lincoln, its parent American Continental, and Charles Keating, who headed them.

At the Banking Committee's hearing on the matter, representatives from one of the three national accounting firms that had audited and signed off on Lincoln's accounts in recent years challenged the conclusions of the Leventhal report —

These matters were complex, and judgmental decisions were sometimes necessary to determine which accounting rules applied and how to apply them. We strongly disagree with Kenneth Leventhal's sweeping generalization that we elevated form over substance. In its review of just 15 Lincoln and American Continental transactions, out of hundreds of transactions, Kenneth Leventhal has made some serious mistakes.

The Leventhal representative responded that "by properly reversing [the fifteen transactions they studied], over half of Lincoln's reported profits since Mr. Keating acquired the association disappeared."

Many of the deals included related party transactions, in which Lincoln or its parent, American Continental, provided the needed cash down payment to purchasers of Lincoln real estate either through a circuitous loan or by buying other real estate from the purchaser. The arrangements allowed Lincoln to report taxable income that exceeded the consolidated taxable income of the parent, allowing Lincoln to make cash payments to the parent, American Continental, in the guise of the subsidiary's portion of American Continental's tax obligation. To keep all this going, Keating exerted extreme pressure on Lincoln's and American Continental's auditors, the banking regulators, and even the Congress, which produced its own scandal in the Keating Five. Meanwhile, Lincoln, the regulated savings and loan, was drained.

Contrast the paradigm offered by the Lincoln auditor — complexities and the need for "judgmental decisions" — with the Leventhal approach: relevance achieved not by accepting complexity but by pursuing clarity, for its unwillingness to accept form over substance. The Leventhal approach made accountants' work useful for clients, pertinent to the economic environment, and beneficial to the public.


Based on what the Leventhal firm had uncovered, in 1989 the Chairman of the FDIC said that the government should have moved three years sooner to take disciplinary action against Lincoln.

III. Indications of Future Challenges and a Path Forward

Until his death, Ken Leventhal exhorted the profession to excel in quality, integrity and expertise. He believed those are the ingredients that, if championed, will make the profession vibrant and successful in the 21st century. In 2010, after the most recent financial crisis, he said, "The thing that bothers me nowadays is reading about all these accounting problems and ‘irregularities.' I'm worried about the standards of our profession that would allow all these ‘irregularities' to occur. I think we need to teach accounting students and younger staff a greater obligation to integrity."

A. Inspections Continue to Reveal an Unacceptable Number of Deficiencies

Ken Leventhal was right to recognize that, notwithstanding his optimism for the new generation of accountants and his belief in the importance of accountants' work to the success of our capital markets, there is unfinished business to resolve the contradiction between the audit as a confirming exercise and the audit as an inquiry to arrive at the truth — the contradiction between the corporate client the auditor sees (and whose view may determine the success of the individual's career) and the investor client (whose view determines the success and continued relevance of the profession as a whole).

The PCAOB has conducted annual inspections of the largest firms for the last nine years. We also conduct inspections at least once every three years of other firms that audit, or play a substantial role in auditing, companies that are considered issuers in the United States.


This includes some very large non-U.S. firms that are affiliated with the large U.S. firms, as well as many smaller firms, both U.S. and non-U.S. Each year, we have deepened our understanding of the firms' issuer audit practices.

From the beginning, inspectors have identified numerous deficiencies. These are situations where inspectors believe, after considerable dialogue with the firm to agree on the facts, that the firm has failed to obtain sufficient audit evidence to provide a basis for an audit opinion. In such cases, the financial statements may well be fairly presented in conformity with GAAP, but the audit work was not sufficient to obtain reasonable assurance that they are.

I believe the rigor of inspections has improved the quality of auditing. Our inspectors have noted some significant improvements, such as more care in certain areas and clearer thought-processes as reflected in audit plans and audit conclusion memos. Yet, in recent years, we have seen an equally significant spike in deficiencies.

Year in, year out, inspectors find deference to management in key reporting areas. For example, in the critical area of fair value reporting of financial instruments, instead of skeptically testing the reasonableness of managements' assumptions and resulting assertions, one firm's method involved obtaining valuations from a number of external parties and picking the one that is "closest to the pin" — the pin being management's claimed value. The work and expense to obtain the various outside valuations may have created an appearance of rigor.


But the explicit acknowledgement that the test was designed to support management's number — the "pin" — calls into question whether the auditor approached the audit with appropriate skepticism. What about evaluating management's estimate in light of the environment and prevailing trends? What about looking for the value that is probable in light of those trends?

It is the rare case in which an auditor knowingly acknowledges or documents the conflict between maintaining objectivity and maintaining a good client relationship. Indeed, the auditors who explicitly aimed for the number closest to management's claimed value may not have consciously sought to obscure valuation errors. Nor am I suggesting that Lincoln's auditors colluded with management to mislead. But they did allow themselves to be mere corroborators of a story that became thinner with each transaction.

Lincoln stands as a vivid reminder that auditors who merely confirm managements' estimates and don't challenge them with the basic tools at their disposal may have squandered a chance to avert later investor ruin: they run the risk that the company's estimate was unreasonable when made.

Auditors have clients to keep and practices to grow. Recall the pitches some auditors have made to win audit clients. For example, commitments by the engagement team to "support the desired outcome" when matters need to be vetted with the firm's National Office. Or to offer "a reduced footprint in the organization, lessening audit fatigue."

Recall, also, the troubling notes in some auditors' personnel files, in which the reviewed auditors claim to have advanced cross-selling of non-audit services, raising the question whether firms' cultures still impliedly encourage auditors to sell services to their audit clients and, if so, legal or illegal, whether such goals undermine the appropriate state of mind for auditors.

This is the unfinished business that occupies the PCAOB, and occupies audit regulators around the world who have also identified a gap between the purpose of the audit and its fulfillment. These concerns have been expressed by regulators in Canada, Germany, the U.K., the Netherlands, Australia and elsewhere. The gap threatens the future relevance of the profession's work, as well as public confidence in its credibility.

B. The PCAOB's Initiatives Aim to Help the Profession Realize Its Potential by Enhancing the Relevance, Credibility and Transparency of the Audit for the Sake of Investor Protection

The PCAOB is deeply engaged in examining ways to enhance the relevance, credibility and transparency of the audit to better serve investors. Our projects include improvements in basic auditing areas, such as what to look for in transactions involving related parties, including corporate executives.

The PCAOB proposed a new auditing standard on related party transactions on February 28. Comments are requested by today. This standard describes basic tools that good auditors have used for years to identify financial reporting risks. Among other things, it requires auditors to understand management's compensation as a way to understand management's motivations. Indeed, changes in performance metrics may well be an important clue to understand areas where management's story is weak. They offer the auditor insights that may not be gleaned otherwise.


The PCAOB has also recently proposed, for a second exposure, a new auditing standard on what the auditor should communicate to audit committees in order to protect the public's interest in keeping audit committees informed of important audit matters. In addition to receiving written comment, the Board has held a productive public roundtable discussion on auditors' responsibilities to audit committees. I expect the Board soon to adopt a final standard that reflects the public advice and comment.

The PCAOB standards-setting work also includes more broad-ranging projects, commenced not with concrete proposals but with concept releases, to examine ways to enhance the relevance, reliability and independence of audits in today's world, and in light of lessons both auditors and investors have learned in the recent financial crisis, not to mention past crises that like Banquo's ghost haunt us still. These projects involve consideration of changes to the form and content of the standard audit report, as well as a deep examination of the behavioral patterns that the current audit model imposes.

I am not here today to tell you where the PCAOB should come out on the question of what is the most relevant information auditors should provide the investing public. But I do believe that the investing public can and should benefit from the wisdom of auditors like Ken Leventhal. I am interested in a better, more transparent reporting model, that will align auditors with investors, that will make the audit more relevant, de-commoditized, and that will function to more consistently require auditors to demonstrate the requisite skepticism and provide true insight.

The project on independence invites discussion on ways to relieve auditors of the pressure both to foster and maintain a long-term relationship with the audit client when making tough decisions on an audit — to relieve auditors of the tie between their engagements and their careers.


In this regard, as with the revisions of the auditor's reporting model, the focus of the European Union and its member states becomes a factor in our own process. There, the perception grows that something is likely to change. The EU and its member states are engaged in a process that, I suspect, will take them through 2013 and into 2014. What we are learning through roundtables and public meetings on our concept releases is highly relevant to their process. How we internalize, how we digest, what we hear in our debate, will inform the debate and process of policy development in Europe. This is not an easy subject. Some form of term limits may or may not provide more independence: but I believe we must explore the possibility that they would help and the feasibility of the range of approaches available to free the auditor to think and act more independently.

C. The Global Nature of Auditing Today Requires Enhanced Attention to Address Risks to Investor Protection.

I could not close a discussion on the future of auditing without reflecting on some other aspects of the international dimension. All of the challenges and initiatives I have described must be understood against the backdrop that auditing today is a global endeavor. Firms large and small have chased, and then fled, the plethora of potential Chinese and other non-U.S. clients seeking to draw from the wellspring of U.S. capital markets. There are lessons that could be learned, that should have been learned, from the S&L crisis and the internet bubble. Auditors' choices are the same, but the outcome could be even worse.


In the S&L crisis, the U.S. government turned to the profession to sort out the facts and provide reliable valuations of assets. Who will be the Ken Leventhals of today? Last week, faced with a similar task, the Spanish government announced that it had chosen a different path. It has eschewed the work of auditors in favor of a different kind of analyst. The financial statements the government questioned were audited. Is the auditor's work not relevant today? The only thing worse for the profession than being involved in the next banking crisis may be not being involved in it.

Through their networks, audit firms reach everywhere. Local environments and trends are within their long reach. Engagement partners supervise audits that span continents and oceans. But the reader of an audit report may not know how much of the actual work was done by the firm signing the report. Participating audit firms practice in markets that exhibit markedly different business cultures, with divergent patterns of transparency. Small U.S. firms around the country are also engaged in audits of foreign private issuers, or U.S. companies that operate, in Asia, Latin America, Africa and elsewhere. The PCAOB is focusing on the effect of these various business models on the protection of investors. In any given week, PCAOB inspectors are working in numerous countries, often side-by-side with local audit oversight authorities in joint inspections.


We are drawing as broad and as clear a picture as we can about how auditors meet the challenges of understanding different environments and coordinating with other auditors to obtain a full grasp of a company's true results and financial position. We have identified a number of deficiencies in multi-national engagements. Some of the auditing issues have been related to particular areas such as revenue and fair value. Others seem to be attributed to a failure to adhere to the instructions provided by the principal auditor. The director of our inspection force is here today to discuss them.

I am also concerned that the public knows little about how audits are conducted. In this regard, the PCAOB proposed last fall new requirements to disclose to investors how a multi-firm audit was accomplished. I expect to ask the Board to act on it in the near future. With sunlight on how the audits are done, they may improve in coordination and quality as well. If darkness persists, I fear some auditors will find themselves on the wrong side of the debate when the lights go on and they are called to account for how a fraud could have eluded a vast network of soldiers in what is supposed to be a fight for truth. These are choices we make today, but will need to explain tomorrow.

* * *

I want to thank the Leventhal School for inviting me again. The educational opportunities you provide to students, and the conferences like this one that you provide professionals, will make a difference as to the choices your progeny make.


NUMBER 2

May 30, 2012

The Federal Reserve Board on Wednesday announced the approval of a final rule outlining the procedures for securities holding companies (SHCs) to elect to be supervised by the Federal Reserve.

An SHC is a nonbank company that owns at least one registered broker or dealer.

The Dodd-Frank Wall Street Reform and Consumer Protection Act eliminated the previous supervision framework that applied to SHCs under the Securities and Exchange Commission and permitted SHCs to be supervised by the Federal Reserve.

An SHC may seek supervision by the Federal Reserve to meet requirements by a regulator in another country that the firm be subject to comprehensive, consolidated supervision in the United States in order to operate in the country.


The final rule specifies the information that an SHC will need to provide to the Board as part of registration for supervision, including information related to organizational structure, capital, and financial condition.

Under the final rule, an SHC's registration becomes effective no later than 45 days from the date the Board receives all required information.

The final rule provides that upon an effective registration, an SHC would be supervised and regulated as if it were a bank holding company.

However, consistent with the Dodd-Frank Act, the restrictions on nonbanking activities in the Bank Holding Company Act would not apply to a supervised SHC.

FEDERAL RESERVE SYSTEM

12 CFR Part 241

Regulation OO; Docket No. R-1430

RIN 7100-AD 81

Supervised Securities Holding Company Registration

AGENCY: Board of Governors of the Federal Reserve System ("Board").

ACTION: Final Rule

SUMMARY: The Board is adopting this final rule to implement section 618 of the Dodd-Frank Wall Street Reform and Consumer Protection Act ("Dodd-Frank Act" or "Act"), which permits nonbank companies that own at least one registered securities broker or dealer, and that are required by a foreign regulator or provision of foreign law to be subject to comprehensive consolidated supervision, to register with the Board and subject themselves to supervision by the Board. The final rule outlines the requirements that a securities holding company must satisfy to make an effective election, including filing the appropriate form with the responsible Reserve Bank, providing all additional required information, and satisfying the statutory waiting period of 45 days or such shorter period the Board determines appropriate.


DATES: The rule is effective [30 days after date of publication in the Federal Register].

Important parts

SUPPLEMENTARY INFORMATION:

I. Background

Section 618 of the Dodd-Frank Act permits a company that owns at least one registered securities broker or dealer (a "nonbank securities company"), and that is required by a foreign regulator or provision of foreign law to be subject to comprehensive consolidated supervision, to register with the Board as a securities holding company and become subject to supervision and regulation by the Board. A securities holding company that registers with the Board under section 618 is subject to the full examination, supervision, and enforcement regime applicable to a registered bank holding company, including capital requirements set by the Board (although the statute allows the Board to modify its capital rules to account for differences in activities and structure of securities holding companies and bank holding companies). The primary difference in regulatory frameworks between securities holding companies and bank holding companies is that the restrictions on nonbanking activities that apply to bank holding companies do not apply to securities holding companies.

Under section 618 of the Act, a securities holding company that elects to be subject to supervision by the Board must submit a registration form that includes all such information and documents the Board, by regulation, deems necessary or appropriate. The statute also specifies that registration as a supervised securities holding company becomes effective 45 days after the date the Board receives all required information, or within such shorter period as the Board, by rule or order, may determine.


Section 618 makes a registered securities holding company subject to all of the provisions of the Bank Holding Company Act of 1956 (12 U.S.C. 1841 et seq.) (“BHC Act”) in the same manner as a bank holding company, other than the restrictions on nonbanking activities contained in section 4 of the BHC Act. Consistent with the Dodd-Frank Act, the Board anticipates applying the same supervisory program, including examination procedures, reporting requirements, supervisory guidance, and capital standards, to supervised securities holding companies that the Board currently applies to bank holding companies. However, the Board may, based on experience gained during the supervision of supervised securities holding companies, modify these requirements as appropriate and consistent with section 618.

II. Notice of Proposed Rulemaking: Summary of Comments.

On September 2, 2011, the Board invited public comment on a proposed rule implementing the registration requirements and procedures for securities holding companies pursuant to section 618 of the Act. The Board received three comments, none of which addressed any substantive aspect of the proposed rule. One commenter expressed the view that firms should not elect to be supervised by the Federal Reserve because of a “lack of leadership at the FED Districts.” Another commenter included the phrase “supervised securities holding companies registration” in the subject line of the comment letter but provided no comment. The third commenter mistakenly believed that section 618 of the Dodd-Frank Act and the Board’s proposed Regulation OO apply to foreign companies that own national banks in the United States.


This commenter argued that such foreign companies should be subject to supervision by the Board as supervised securities holding companies if they wish to operate in the United States by owning national banks. The Board is finalizing the rule with only technical modifications.

III. Description of Final Rule.

The final rule permits securities holding companies to elect to become supervised securities holding companies by registering with the Board. The final rule outlines the requirements that a securities holding company must satisfy to make an effective registration, including filing the appropriate form with the responsible Reserve Bank, providing all additional information requested by the Board, and satisfying the statutory waiting period of 45 days or such shorter period the Board determines appropriate.

Section 241.1 of the final rule outlines the authority under which the Board is issuing the rule.

Section 241.2 of the final rule changes the proposed definition of the term "securities holding company" in order to more closely reflect the statutory language. The revised definition contains additional language, which makes clear that to become a securities holding company, a company must, among other things, be "required by a foreign regulator or a provision of foreign law to be subject to comprehensive consolidated supervision."

Under the Dodd-Frank Act and final rule, a company that is currently subject to comprehensive consolidated supervision by a foreign regulator, a nonbank financial company supervised by the Board, a bank holding company, a savings and loan holding company, an insured bank, a savings association, or a foreign banking organization with U.S. banking operations would not qualify for registration as a supervised securities holding company.


Under the final rule, terms such as "affiliate," "bank," "bank holding company," "control," and "subsidiary" are defined to have the same meaning as in section 225.2 of the Board's Regulation Y.

Section 241.3 of the final rule requires a securities holding company that elects to register to become a supervised securities holding company to file the proper form with the responsible Reserve Bank. The Board is creating a new form for this purpose. The form, which is similar to the Board's current form Application for a Foreign Organization to Acquire a U.S. Bank or Bank Holding Company (FR Y-3F; OMB No. 7100-0119), used by a company registering to become a bank holding company, includes a number of questions relating to the organizational structure of the securities holding company, its capital structure, and its financial condition. Specifically, the form requires a securities holding company electing to be supervised to submit:

1. An organization chart for the securities holding company showing all subsidiaries.

2. The name, asset size, general activities, place of incorporation, and ownership share held by the securities holding company for each of the securities holding company's direct and indirect subsidiaries that comprise 1 percent or more of the securities holding company's worldwide consolidated assets.

3. A list of all persons (natural as well as legal) in the upstream chain of ownership of the securities holding company who, directly or indirectly, own 5 percent or more of the voting shares of the securities holding company. In addition, the Board would request information concerning any voting agreements or other mechanisms that exist among shareholders for the exercise of control over the securities holding company.

4. For the senior officers and directors with decision-making authority for the securities holding company, the biographical information requested in the Interagency Biographical and Financial Report FR 2081c (the Financial Report need not be provided).

5. Copies of the most recent quarterly and annual reports prepared for shareholders, if any, for the securities holding company and certain subsidiaries.

6. Income statements, balance sheets, and audited GAAP statements, as well as any other financial statements submitted to the securities holding company's current consolidated supervisor, if any, each on a parent-only and consolidated basis, showing separately each principal source of revenue and expense, through the end of the most recent fiscal quarter and for the past two (2) fiscal years.

7. A description of the methods used by the securities holding company to monitor and control its operations, including those of its domestic and foreign subsidiaries and offices (e.g., through internal reports and internal audits).

8. A description of the bank regulatory system that exists in the home country of any of the securities holding company's foreign bank subsidiaries. The description also should include a discussion of each of the following:
   a. The scope and frequency of on-site examinations by the home country supervisor;
   b. Off-site monitoring by the home country supervisor;
   c. The role of external auditors;
   d. Transactions with affiliates;
   e. Other applicable prudential requirements;
   f. Remedial authority of the home country supervisor;
   g. Prior approval requirements; and,
   h. Any applicable regulatory capital framework.

9. A description of any other regulatory capital framework to which the securities holding company is subject.

The final rule further provides that the Board may at any time request additional information that it believes is necessary to complete the registration. Under the rule, the registration is considered filed when all information required by the Board is received.

Section 241.3 of the final rule also states that a registration filed by a securities holding company becomes effective and supervision by the Board begins on the 45th calendar day after the date that a complete filing is received. Under the final rule, the Board also reserves the right to shorten the 45-day waiting period and begin consolidated supervision at such earlier date as the Board specifies to the securities holding company in writing.

The final rule provides that, upon an effective registration, a supervised securities holding company would be supervised and regulated as if it were a bank holding company, and that the nonbanking restrictions contained in section 4 of the BHC Act will not apply to a supervised securities holding company. This treatment will generally mean that supervised securities holding companies will, among other things, be required to submit the same reports and be subject to the same examination procedures, supervisory guidance, and capital standards that currently apply to bank holding companies.


The final rule provides the Board with flexibility to adjust these requirements as appropriate to ensure that securities holding companies operate in a manner that is consistent with safety and soundness and that addresses the risks they pose to financial stability.

IV. Administrative Law Matters

A. Paperwork Reduction Act Analysis

In accordance with the requirements of the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.) (“PRA”), the Board may not conduct or sponsor, and the respondent is not required to respond to, an information collection unless it displays a currently valid Office of Management and Budget (OMB) control number. The OMB control numbers for the existing information collections are provided below. The OMB control number will be assigned for the new information collection related to registrations described below. The Board reviewed the final rule under the authority delegated to the Board by OMB.

Title of Existing Information Collections:

The Annual Report of Bank Holding Companies (FR Y-6),

The Report of Foreign Banking Organizations (FR Y-7),

The Consolidated Financial Statements for Bank Holding Companies (FR Y-9C),

The Parent Company Only Financial Statements for Large Bank Holding Companies (FR Y-9LP),

The Parent Company Only Financial Statements for Small Bank Holding Companies (FR Y-9SP),

The Financial Statements for Employee Stock Ownership Plan Bank Holding Companies (FR Y-9ES),


The Supplement to the Consolidated Financial Statements for Bank Holding Companies (FR Y-9CS),

The Financial Statements of U.S. Nonbank Subsidiaries of U.S. Bank Holding Companies (FR Y-11 and FR Y-11S),

The Financial Statements of Foreign Subsidiaries of U.S. Banking Organizations (FR 2314 and FR 2314S),

The Bank Holding Company Report of Insured Depository Institutions' Section 23A Transactions with Affiliates (FR Y-8),

The Consolidated Bank Holding Company Report of Equity Investments in Nonfinancial Companies (FR Y-12) and the Annual Report of Merchant Banking Investments Held for an Extended Period (FR Y-12A), and

The Capital and Asset Report of Foreign Banking Organizations (FR Y-7Q), and the Financial Statements of U.S. Nonbank Subsidiaries Held by Foreign Banking Organizations (FR Y-7N and FR Y-7NS).

Frequency of Response: Annually, semi-annually, quarterly, event-generated.

Affected Public: Nonbank companies.


NUMBER 3

Introduction

Last year, the UK financial services industry faced regulatory change on a sweeping scale. At the national level the last UK government introduced the Financial Services Act 2010, which resulted in a number of changes to our objectives, powers and duties, in particular giving us a new financial stability objective and additional enforcement powers. In June 2010, the current UK coalition government announced that the FSA will be split up. The prudential supervision of banks and insurers will be moved to a new operationally independent subsidiary of the Bank of England: the Prudential Regulation Authority (PRA). The FSA will be renamed the Financial Conduct Authority (FCA) and will focus on consumer protection and markets oversight. The government also established a new committee of the Bank of England with responsibility for delivering financial stability: the Financial Policy Committee (FPC).


The European Union (EU), meanwhile, created three pan-European agencies to address the risk of regulatory arbitrage and improve the quality of national supervision of banks, securities markets and the insurance industry. The EU also created a new advisory body, the European Systemic Risk Board (ESRB), to identify systemic risks and make recommendations for mitigating them. Europe’s new regulatory architecture became operational in January 2011 and will fundamentally change the way in which national supervisory authorities operate. A significant majority of regulatory requirements will be determined solely at the EU level and national supervisors will play a key role in negotiating and agreeing these, but their role as decision makers will centre on their function as supervisors of firms and markets.

The Financial Services Act 2010

The Financial Services Act 2010 (the Act), which received royal assent on 8 April 2010, resulted in a number of changes:

Consumer protection

The Act removed the FSA's public awareness objective and required us to set up an independent body to take forward consumer education work. The Act also provides for more funding to be made available for consumer education work. The Act gave us additional powers for the FSA to require consumer redress. This allows us to make sure that consumers receive redress in cases involving large-scale consumer mis-selling or other failures.

Financial stability


The Act gave us a new financial stability objective to contribute to protecting and enhancing UK financial stability. We are required to cooperate appropriately with the Treasury, the Bank of England and other relevant bodies in pursuing this objective. The Act requires us to have and keep under review a financial stability strategy. It enables us to gather information from entities, including unregulated entities for financial stability purposes. It also requires us to consider the impact that international events and circumstances could have on financial stability in the UK.

Enhanced powers

The Act extends the scope of our key regulatory powers to make rules and to alter authorised firms' regulatory permissions, so we may use the powers in pursuit of any of our regulatory objectives, including the new financial stability objective. We have new rule-making powers for:

• Remuneration: we now have the power to specify that remuneration agreements in breach of our rules are void;
• Recovery and resolution plans;
• Short selling; and
• Consumer redress schemes.

We have new enforcement powers to:

• restrict or suspend the carrying on of regulated activities for up to 12 months;
• suspend or impose restrictions on an approved person for up to two years;
• impose a financial penalty at the same time as cancelling a firm's permission;
• penalise any person who performs a controlled function without approval; and
• issue a warning notice against an individual three years from the time we first became aware of the misconduct (increased from two years).

Financial Services Compensation Scheme (FSCS)

The Act contains provisions that will enable the FSCS to act as a single point of contact and to pay redress to consumers where redress is due to them under other schemes, such as schemes established outside the UK.

UK regulatory reform

Over the past nine months, the FSA has begun the process of aligning the organisation to ensure it is ready to cut over to the new regulatory structure. As a result, we incurred approximately £1m of direct costs last financial year:

• Programme management support £0.33m;
• Regulatory design £0.10m;
• IT design £0.33m; and
• Other (e.g. HR and other central functions) £0.24m.

Shortly after the end of our financial year in April 2011, we replaced our Risk and Supervision business units with two new ones: the Conduct Business Unit, which broadly aligns with the regulatory activities to be undertaken by the FCA, other than enforcement; and the Prudential Business Unit, which broadly aligns with the regulatory activities of the PRA, other than enforcement. Central services will continue for the lifetime of the FSA to be structured on a unitary basis. We are confident that our programme remains on track and further progress will be made during 2011/12.

A new European supervisory structure

European Supervisory Authorities (ESAs) and the European Systemic Risk Board (ESRB)

The creation of the ESRB and the three new ESAs marks a significant change to the way in which financial services regulation will be developed and delivered across Europe. The ESRB will undertake macro-prudential analysis at EU level to identify risks to EU financial stability and will make recommendations to address these risks.

European Supervisory Authorities (ESAs)

The ESAs became operational in January 2011. They are:
• The European Banking Authority (EBA);
• The European Insurance and Occupational Pensions Authority (EIOPA); and
• The European Securities and Markets Authority (ESMA).

They replace:
• The Committee of European Banking Supervisors (CEBS);
• The Committee of European Insurance and Occupational Pensions Supervisors (CEIOPS); and
• The Committee of European Securities Regulators (CESR).

The ESAs are responsible for developing a large proportion of the rules that apply to the financial services sector in the UK. These will be issued as EU regulations, so will be directly applicable across the EU. As well as developing binding rules, the ESAs have powers to:
• impose a temporary ban on financial activities;
• investigate alleged breaches of EU rules;
• take binding decisions in emergencies;
• arbitrate in disputes between national supervisors;
• play a coordinating role within colleges of supervisors;
• undertake peer review;
• directly supervise credit rating agencies (ESMA only); and
• require information to be passed to them that is necessary for discharging their responsibilities.

In 2010/11, we devoted significant resource during the negotiation of the ESA legislation to ensure that the ESA package as a whole secured the key objectives of:
• protecting the single market;
• addressing the risks arising from regulatory arbitrage;
• raising standards of supervision among national supervisors; while
• retaining responsibility for day-to-day supervision at the national level.

Once the ESA legislative package was agreed in the Autumn of 2010, our focus shifted to preparing for the new European order. During 2010/11, we:
• influenced the ESAs’ regulatory framework and operating model;
• adapted our operating model to work effectively with the ESAs;
• enhanced our secondments strategy and identified training requirements; and
• developed systems to handle ESA data requests.

Financial stability

Introduction

During 2010/11 the FSA’s mandate was significantly extended. From April 2010, we were given a new statutory objective, which made more explicit the responsibilities for promoting financial stability that we had been exercising under the ‘market confidence’ objective mandated under FSMA. At the same time, our supervisory approach continued to progress toward intensive supervision and proactive challenge, laying the groundwork for the preventative interaction framework that will guide the PRA. We continued to embed the organisational and cultural change needed to implement intensive supervision, moving our regulatory approach from retrospective intervention to proactive challenge. Our supervisors made judgements on firms’ business models, intervening early if they anticipated any risks that might arise from firms’ business strategies and approaches to funding and capital.

This approach has demanded quality staff, industry knowledge and the will to challenge the industry robustly where potential threats were identified. We contributed significantly to the development of a robust policy reform programme, driven by the initiatives and issues identified in The Turner Review and the wider policy agenda mandated by the EU. And the FSA continued to play a leading role in influencing regulatory reform on the global stage, while ensuring that the UK arrangements on, for example, key issues of capital and liquidity were consistent with the direction of international standards. This section describes the work we accomplished in these areas, under these headings:
• The Financial Services Act – our new financial stability objective;
• FSA supervision – a major intensification of approach;
• Progress on reforming the international and European regulatory framework – policy and practice; and
• Specific measures to strengthen firms’ resilience.

We also include the principal metrics we use to assess our supervisory effectiveness in relation to our financial stability objective and to gauge financial stability generally. These are:

Supervisory effectiveness
• Chart 1: Supervisory issues closed
• Chart 2: Firm feedback on the quality of FSA supervisory risk assessments

Measures of financial stability
• Chart 3: Cost of credit
• Chart 4: FSA firm cancellations
• Chart 5: Major UK banks – CDS spreads, five-year senior debt

A central tool in supervision is identifying the risk mitigation actions firms must take. Looking at the quantity identified and the speed with which these are closed gives a perspective on the intensity and effectiveness of our supervision. The number of issues closed in Q4 2010/11 is 439 (from 303 in Q3 2010/11); this represents 17% (12% in Q3 2010/11) of the population of open issues. This shows an absolute and proportional increase in the number of issues closed compared with what was previously reported.

The proportion of high-risk issues closed was slightly higher than other issues at 18%, reflecting us prioritising issues with the most risk. Also, about 40% of the issues (recorded and closed) were in respect of high-impact firms, reflecting the enhanced focus of our risk assessment and mitigation work on these firms.

From our regulated firms’ perspective, the quality of our risk assessment in the last six months has reduced slightly from 5.2 down to 4.9, with the most significant reductions in our Major Retail Groups Division and Retail Division. Risk mitigation is scored more positively at 5.3, but again this represents a fall against the 5.6 recorded for the six months to June. However, scores remain positive in the context of a 1-7 scoring system, where 4 is neutral. The deterioration may have been driven by the amount and pace of regulatory change, which has continued to put pressure on both sides of the firm-supervisory relationship.

The current cost of interbank borrowing (measured by the Libor-OIS spread) – in a context and relative to the extremes of 2008 – is not excessive. However, spreads have recently entered a slightly more volatile period, driven by movement in the OIS swap rate. In part, this reflects uncertainty about the short-term outlook for the bank rate, amid persistent above target inflation and variable information about the performance of the economy.

This chart shows the number of authorised firms this year that have cancelled their authorisation with the FSA. Not all cancellations are necessarily failures and not all failures are regulatory failures. Nevertheless, this chart gives some indication of the level of distress in the system. During 2010/11, there was a significant reduction in the cancellation rate among significant impact firms.

UK banks’ credit default swaps (CDS) spreads are a measure of how investors perceive the default risk posed by these firms. UK banks’ CDS spreads rose in November, as the Irish sovereign crisis pushed up CDS spreads for Eurozone sovereigns. Spreads for some of the banks fell back after the EU and IMF bailout was announced. HSBC and Standard Chartered have seen swap rates rise in early 2011 due to concerns in the aftermath of the Japanese earthquake. Nevertheless, using absolute CDS as an indicator, they remain the banks with the lowest perceived credit risk, driven in part by their strength in emerging market economies.

Solvency II

As we said in our Business Plan for 2010/11, Solvency II is a fundamental change of the prudential regime for the European insurance industry. It aims to establish a revised set of EU-wide risk management standards and capital requirements that will replace and harmonise the current arrangements. Policy in this area continues to be developed in Europe. There have been delays to the timeline that have affected our own consultation and shortened the window for implementation. As a result, we are looking for ways to manage this uncertainty. At the same time, we have continued to contribute to the development of the Directive, such as through our involvement in the work of the European Insurance and Occupational Pensions Authority (EIOPA). We continue to lead some of the working groups, and Hector Sants was appointed to the EIOPA Management Board in January 2011.

Our work with the UK industry

We have maintained close contact with the UK insurance industry on both policy and implementation issues. We continued in 2010 to engage with firms to understand how the developing requirements affect them and inform our contributions to EIOPA. We also had ongoing discussions with firms about how prepared they are for the new regime. The fifth quantitative impact study (QIS5) helped us increase our dialogue with firms on both fronts.

We gave briefings and ran workshops to educate firms about the importance of taking part in QIS5. We encouraged firms of all sizes and types to participate in the exercise to provide a robust evidence base to inform the ongoing development of the Solvency II landscape. During the exercise, we answered over 600 queries, and the UK report to EIOPA was compiled with submissions from 267 solo firms and 35 groups, representing over 70% of the market. We also had discussions with firms about the practical implications for them and we will continue to do so in the run up to implementation.

We have continued to make progress with the internal model approval process (IMAP). We published an update in April 2010 setting out the pre-application process for firms, and the findings of the thematic review in February 2011. At the end of March 2011, we started the next phase of IMAP as we endeavour to give as many firms as possible a decision on their model for day one. We further detailed our approach at our Solvency II Conference in April 2011 – more information about this is available on the dedicated Solvency II pages of the FSA website.

As stated above, we had started to prepare our consultations; however, the publication of the Omnibus II proposals to amend the Solvency II Directive to bring it in line with the new European regulatory structure and allow for transitional provisions has meant that our consultation timetable has been affected. Our consultation process will relate to the transposition of the level 1 text of the Directive and consequential changes to the Handbook. We expect to publish the first Consultation Paper later this year.

We will review the European policy timelines regularly, and publish our own consultation timeline on our website in due course. Internally, we developed and delivered technical training for supervisors and other specialists working on Solvency II. At the end of March, we had trained over 450 people. To deliver Solvency II we have increased our resources significantly, with recruitment ongoing to provide the skills and processes to support and deliver the implementation of the Directive.

Most recently, we shared our current thinking on the policy issues and implementation approach with approximately 550 people from the UK insurance industry at our Solvency II Conference on 18 April 2011.
• We outlined our two-tier approach to the way we would allocate resources to firms in the pre-application phase of IMAP.
• We discussed the main policy uncertainties, which we also set out in the accompanying conference document Delivering Solvency II, April 2011.
• We outlined the key dates, including our assumptions that full implementation will be on 1 January 2013, and that we would be open to receive applications on the provisions of the Directive that require our approval.
• We underlined the importance of the UK industry’s continued involvement in developing the approach to implementation in Europe and the UK. We will do this through a number of different fora, including the existing Insurance Standing Group and its sub-groups, which have over 100 people registered to receive information. We will also create new ones as needed.

We published an overall update on Solvency II in June 2010 on all pillars of the Directive to inform and motivate firms to take action as needed. We have tailored our information for smaller insurers through our events and our website, including things for firms to consider when creating their implementation plans. We also gave briefings to market analysts and ratings agencies (February 2011), and to non-executive directors of insurance and reinsurance firms (January and April 2011) as part of our educational programme. 2011/12 is critical in our preparations for implementing Solvency II, in Europe and the UK. We are confident that our implementation approach will help us deliver our Solvency II programme and carry out our obligations fully.

NUMBER 4

Interview with Gabriel Bernardino, Chairman of EIOPA, conducted by Jan Wagner, Versicherungsmagazin (Germany)

The EU’s new regulatory regime for insurers, known as Solvency II, will take effect from 2014. Although hailed by EU regulators as an innovation, the regime has come under sharp criticism from smaller insurers, including several in Germany. They complain that the scheme favors bigger insurers who have the resources to easily adjust to the new regime. Wrong, says Gabriel Bernardino, who as chairman of the EU insurance and pension regulator EIOPA will be Solvency II’s chief enforcer. Versicherungsmagazin spoke to him at length.

Why is Solvency II needed? Has not Solvency I ensured a well-functioning insurance industry? I know of no cases in Germany where the insured lost their money when an insurer went under.

The idea was never that Solvency II would fix the market because Solvency I failed, or because insurers needed more capital. The idea was rather a move toward a risk-based system. The problem is that there is misallocation of capital among companies. Some have more capital than they need, and some have less.

This has negative consequences for protection and pricing. To illustrate this, let us take two insurance firms with the same liabilities but two different investment strategies. One is based on shares and the other is based on bonds. From a market perspective, you would conclude that the firm with a share driven strategy would need to hold more capital than the one with a bond driven one. But the current regime doesn’t require this! The risks on the asset side are not taken into account, and that’s what Solvency II aims to resolve.

Are European insurers prepared for the transition to Solvency II?

When Solvency II begins in 2014, there will be no ‘Big Bang.’ That’s because some of its elements are already in the system. In Germany for example, incentives for better risk management and governance are embedded in MaRisk, which is already in force. The objective is not to force insurers to have more capital. It is rather to have capital better aligned with the risks. You will have companies that have more capital than they need under a risk-based system and others that do have less than they need. For those who have less, it’s fair to ask them to raise more capital. But even in the latter situation, Solvency II is accommodating. You don’t need to apply it immediately from 2014, so you have time to raise the capital you need. Another example is the life business where a transition period applies to calculations of the liabilities according to Solvency II.

Isn’t it true though that big listed insurers have an advantage over mutuals, as they will be able to raise the capital they need under Solvency II more easily?

If you look at mutuals around Europe, they collectively have much more capital than public companies. I therefore don’t think Solvency II will be a big burden for them. Moreover: If they can demonstrate to the regulator that they effectively manage the risks on their investments, they may deviate from the standard model with its set of risk charges and use an internal one which is more flexible.

So smaller insurers have nothing to fear from Solvency II?

I’m not saying that the introduction of Solvency II will have no effect on the market. Something like this always does. One possible consequence of Solvency II is that there will be some concentration in certain markets. But we’re seeing this already!

Some insurers complain that Solvency II will compel them to invest in safe, but low yielding instruments like bonds, as they carry no risk charge.

Clearly that’s not what we have seen and that’s not what we will see. The US asset manager Black Rock did a survey some months ago in which it asked European insurers what asset classes they would target even under Solvency II. They replied that they would invest more in alternative investments like hedge funds, venture capital and project finance. And why?

In a low interest rate environment insurers have to find ways of boosting returns. No one is saying that with Solvency II you have to invest more in this or that asset class. We’re merely saying that if you have more risk, you should have more capital.

Given the European debt crisis, does it still make sense to require no risk charge for sovereign bonds? Greek bonds can hardly be considered safe instruments…

Although there is a zero risk charge for sovereign bonds, Solvency II deals with the specificity of the various asset classes in that market valuations are used. This is different than in the banking sector. If sovereign debt in the portfolios of insurers were to be assessed under Solvency II, it would need to be rated according to the risk that the markets perceive nowadays. And that perception has definitely changed with the debt crisis, no question. So if say German Bunds decrease in value, this is immediately reflected on the portfolios of the insurers, and this is the figure you take into account in order to calculate the difference between your assets and liabilities. If therefore an insurer has a 100 percent solvency requirement, but the markets penalize some bonds on the portfolio, then the assets diminish value and your solvency diminishes. So you see, Solvency II does take the risk associated with sovereign bonds into account.

For assets which are more volatile like shares and real estate, a further risk charge applies.

Will the reporting requirements under Solvency II be a burden for smaller insurers?

The requirements are harmonized around Europe, so this makes things easier for cross border companies. But this is also good for medium sized ones with business in two or three countries. Having one system of reporting provides a huge cost benefit for all insurers doing cross border business. The idea is to bring more commonality to supervision. Secondly, we’ve got the principle of proportionality applied to the ultimate extent. There will be of course more complexity for those insurers who are invested in say structured products or use derivatives. But if you don’t invest in these kinds of instruments your reporting will be less complex. There will be annual reporting, which is more comprehensive, as well as quarterly reporting on the most important elements. But for smaller companies whose risk profile doesn’t really change, the regulators have the option of waiving the quarterly reporting requirement.

Will Solvency II be applied to pension funds?

As I have always said, this is not a copy-paste exercise.

There are elements of Solvency II that make lots of sense for pension funds, such as governance, transparency and risk management. These are known as the second and third pillars of Solvency II. In terms of the capital requirements, or the first pillar of the regime, we concluded that there is great diversity among pension plans in Europe. There are plans that are basically insurance type contracts, and in those you should have a regime like Solvency II. But there are also employer sponsored plans where the risk is not transferred to the insured. This is a different type of system than the insurance type, and it makes little sense to apply exactly the same capital requirements.

NUMBER 5

Hearing on the ESRB before the Committee on Economic and Monetary Affairs of the European Parliament

Introductory statement by Mario Draghi, Chair of the ESRB Brussels, 31 May 2012

Dear Madam Chair, Dear Honourable Members,

I am very pleased to appear before this Committee today to present the first annual report on the activities of the European Systemic Risk Board (ESRB) – of which you have all received a copy and which is being published as I speak. In my remarks today, I will refrain from repeating the content of the report and will instead focus on three key areas of the ESRB’s work over the past year, which will also keep us busy for the foreseeable future. These are:
i) The assessment of systemic risks;
ii) The establishment of a sound macro-prudential framework in the EU; and
iii) Medium-term structural developments in the EU financial system.

I will then be at your disposal for questions.

1. Assessment of systemic risks in the EU financial system

It is less than a year since the ESRB cautioned that the risks to the EU financial system had become systemic.

After a period of stabilisation on the back of actions by central banks and other institutions earlier this year, more recently there have been renewed bouts of volatility and uncertainty, although not at the same levels reached in November 2011. Fundamental challenges persist. In my view, these include:
i) Limiting contagion between Member States across the EU; and
ii) Promoting a macroeconomic strategy that, together with fiscal consolidation, supports growth and furthers the competitiveness adjustments needed to tackle the economic imbalances within the EU.

Addressing these challenges in a decisive and sustainable manner is a prerequisite for the success of measures to ensure a more resilient financial system capable of supplying, on a sustainable basis, the financial services necessary to support economic activity. From a macro-prudential point of view, such measures include:
i) Implementing credible mechanisms for the recapitalisation and restructuring of banks, where needed; and
ii) Improving banking supervision and resolution at the European level.

In the past, the ESRB has underlined the need for all national and European authorities to act, and to do so in unison, with speed, ambition and a total commitment to safeguard financial stability. Today, I reiterate this call, while acknowledging the efforts undertaken so far.

Within the broader economic and financial context, the financial system continues to face the challenge of adjustment in order to address imbalances accumulated in the past. For banks, progress has already been made on some fronts, but more is needed. For other financial sectors, it is important that international and EU reforms, designed to improve their resilience, are fully implemented and adhered to – an issue that I will return to later.

The ESRB is concerned with two aspects of banks’ adjustment. First, it should be carried out in an orderly way to support economic growth to the full extent necessary, without exacerbating market fragility and the positions of others in the financial system. Second, the degree of adjustment planned by the EU banking sector over the coming years must be sufficient to restore confidence in the strength of banks’ balance sheets.

With regard to the first point, official data and surveys from many countries across the EU indicate some overall stabilisation in financial conditions in the early part of this year. However, the recent turbulence highlights the uncertainty surrounding the outlook for these financial conditions, given their link to the soundness of EU banks’ balance sheets and, in turn, the direct or indirect connections between those balance sheets and sovereign vulnerabilities.

Concerning the second point, close monitoring and a systemic assessment of the feasibility and nature of the adjustment by banks, as well as within the financial system more broadly, is crucial. In this regard, the ESRB has called upon its partners within the European System of Financial Supervision – supervisory authorities at the national and EU level – to regularly collect detailed, ex ante information from banks and other key players in the system, and report it to the ESRB. The General Board will review the latest developments – and their implications – at its meeting in June.

2. A sound macro-prudential framework for the EU

Let me now turn to the work undertaken to establish a framework capable of addressing the deficiencies of the pre-crisis framework in preventing and mitigating systemic risks in the EU.

While the launch of the ESRB was a first, and necessary, step in this respect, it is vital to develop a sound and comprehensive macro-prudential framework for both the EU as a whole and the individual Member States. As indicated in the Annual Report, this has been one of the ESRB’s priorities since its inception. First, in order to create a solid foundation for pre-emptive action against systemic risks, it is essential to develop macro-prudential mandates and tools. In its recommendation published in January, the ESRB highlighted the need for well-defined macro-prudential mandates for national authorities to act either on their own initiative, or in response to the ESRB’s advice. In accordance with the ESRB’s duty to follow up on its recommendations, the first reports from the Member States outlining their progress thus far are expected by the end of June under the ESRB’s “comply or explain” mechanism. A key lesson from the past is that financial or systemic stability mandates must be accompanied by the means to act. Macro-prudential authorities will need to be equipped with effective policy tools to respond, in a pre-emptive way, to the complex and ever-changing variety of systemic risks. The ESRB is currently working on identifying the minimum set of tools necessary for conducting macro-prudential policies throughout the EU. Second, it is crucial to ensure that macro-prudential issues are taken into consideration when developing EU legislation for the financial sector, given the impact that such regulations could have on incentives within the financial system. In this regard, I would like to touch on a number of important pieces of EU legislation that the ESRB has been following:

i) A draft directive and regulation on capital requirements for credit institutions (the “CRD/CRR”);

ii) The proposal for a regulation on OTC derivatives, central counterparties and trade repositories (“EMIR”); and

iii) The part of the proposal for the Omnibus II directive that concerns the regulation of the insurance sector.

With regard to the CRD/CRR, I very much welcome the recent progress made by this Committee, as well as by the EU Council, on advancing the proposals put forth by the Commission less than a year ago. Your work together with the Council provides a promising basis for the establishment of important macro-prudential instruments for addressing systemic risks in the banking sector. To assist you, and the Council, in your work on the CRD/CRR, the ESRB wrote to you in March outlining a number of macro-prudential principles. I urge you to consider these principles in order to ensure that macro-prudential authorities, at both the EU and national level, are fully equipped with a flexible set of policy tools and sufficient scope to act early and effectively to prevent the build-up of systemic risks in the future. Obviously, discretion to pursue macro-prudential policies requires efficient coordination as a safeguard against potential negative externalities or unintended consequences. The ESRB is ready to play a central role in this respect, and work is under way to establish a general framework for the coordination of national macro-prudential policies by the ESRB, where such policies give rise to material spillovers across borders. The agreement on EMIR was also an important step forward in implementing lessons from the crisis, and it includes a number of useful elements to safeguard financial stability in the EU.

The ESRB has started preparations for performing the tasks assigned to it under EMIR. From a macro-prudential perspective, however, I should point out that, in the view of the ESRB, EMIR does not address the issues raised by the possible pro-cyclical effects of either easing or tightening of collateral eligibility and of requirements for transactions subject to central counterparty clearing. In accordance with its responsibilities, the ESRB continues to examine whether and how collateral requirements could be applied as a macro-prudential tool at a later stage. The new regulatory framework for insurance activities is currently being finalised. Some important aspects of this framework – such as those related to the treatment of long-term guarantees – are being discussed over the next few days as part of the “Omnibus II trialogue” discussions, in which this Committee is actively involved. The ESRB is aware that several of the issues at stake are potentially relevant from a macro-prudential point of view. In particular, the new regulatory framework (Solvency II) may amplify the procyclicality of insurers’ balance sheets and, in particular, capital levels. This has been recognised by the legislator, which is designing several policy instruments (including some of a macro-prudential nature) to mitigate procyclicality and other factors. It is crucial that such instruments are designed to deliver a clear and credible objective and that their interaction is duly considered to ensure that the use of these instruments has the intended effect.

3. Structural developments in the EU financial system

Finally, I would like to highlight some medium-term, structural developments that the ESRB is currently looking at, with a view to gaining a better understanding of their implications for systemic risk and to identifying appropriate policy responses for delivering a more resilient financial system. The ESRB is devoting particular attention to structural aspects of both the traditional banking sector and the shadow banking sector. Before commenting on developments in these sectors, I would like to briefly say a few words on the whole financial system, which is currently undergoing a regulatory reform in all its segments. An important goal of such reforms is to ensure a sustainable supply of financial services from the system to the rest of the economy. In Europe, the financial sector has traditionally been centred around banks. However, some activities may shift to other – maybe less regulated – parts of the system in the years to come, perhaps as a direct consequence of the current crisis or as a result of the overhaul of standards for regulated activities and entities. While such developments can, in principle, be of benefit to the system, they must be monitored closely in order to limit the emergence of new vulnerabilities, for example those stemming from shifts driven by regulatory arbitrage. Turning to the banking sector, the onset of the financial crisis revealed significant shortcomings in banks’ funding structures – part of the necessary adjustment I referred to earlier involves a transition to more sustainable funding structures. However, banks’ ability to manage this adjustment is being hampered by conditions in European interbank and unsecured credit markets. As a result, there has been a rise in banks’ recourse to secured funding markets and innovative funding instruments.

The ESRB is analysing these shifts in funding behaviour carefully from a macro-prudential perspective, to ensure that unintended consequences or new systemic vulnerabilities associated with such behaviour do not go undetected. The increased reliance on secured funding raises concerns about the extent to which banks’ assets become encumbered. If taken too far, insufficient amounts of unencumbered bank assets in the future could reduce the stability of funding within the system and, in a self-fulfilling manner, reinforce the lack of access to private unsecured markets today. Furthermore, innovative sources of private funding for banks – such as liquidity swaps between banks and other parts of the financial system – could have implications for the level of interconnectedness in the system, as well as the durability of funding during future downturns or stress periods. Turning to the shadow banking sector, the instabilities that can arise from a highly interconnected system were exposed by the financial crisis. Shadow banking activities were a major contributor to that interconnectedness, in particular given the interlinkages between the regular banking sector and the complex, and opaque chains of financial intermediation that emerged within the system. They also, directly and indirectly, helped to facilitate the substantial rises in leverage in some economies. As indicated in the Annual Report, the ESRB has already begun work in this area. This has involved, for example, identifying and assessing potential systemic risks associated with European money market funds, on which a report is soon to be published as an ESRB Occasional Paper.

The ESRB is also finalising its reply to the consultation launched by the European Commission through its Green Paper on Shadow Banking, which was published earlier this year. Looking ahead, from a policy perspective, measures to tackle systemic risks associated with the shadow banking system will need to be tailored to the specific risks stemming from the different activities conducted under the shadow banking umbrella. It is important that horizontal focus be placed on the economic nature of financial activities, i.e. on ensuring that activities carried out within the system, and which involve maturity and liquidity mismatches, leverage and/or incomplete risk transfer, fulfil the appropriate prudential requirements, irrespective of where they are carried out or by whom. Finally, it will be important to ensure global consistency and therefore the full and consistent transposition in the EU of policy initiatives agreed at the international level, notably those due to be announced by the Financial Stability Board. In this regard, the ESRB stands ready to work together with the relevant international and EU institutions and bodies.

***

Let me now conclude by stressing that all the ESRB activities that I have presented here today have been carried out with the full involvement and support of all ESRB member institutions and bodies – notably the Advisory Scientific Committee and Advisory Technical Committee – and in close cooperation with the three European Supervisory Authorities. For this we are grateful and look forward to a continued fruitful cooperation in the future. Thank you very much for your attention. I am now at your disposal for questions.

NUMBER 6

30 May 2012

Meeting of the Financial Stability Board in Hong Kong on 29-30 May

At its meeting in Hong Kong, the Financial Stability Board (FSB) discussed vulnerabilities currently affecting the global financial system and the progress in authorities’ ongoing work to strengthen global financial regulation.

Vulnerabilities in the financial system

After a period of calm in financial markets earlier this year, tensions have increased more recently and risk aversion has returned to elevated levels. In the euro area, the adverse feedback loop between sovereign debt strains, weak economic growth and fragile banking systems has intensified. There has been a pull-back in cross-border financial activity. Against this background, risks of adverse spillovers to global financial markets and economies have increased. The FSB supports the work of European and national authorities to lower short-term risks and foster lasting confidence and stability, including completing the repair and restructuring of some banks as required. In addition, authorities agreed to work together to minimise the downside risks from the ongoing process of bank deleveraging. All FSB members remain committed to strong cooperation to support market functioning.

Central banks, supervisors and treasuries are maintaining close dialogue and cooperation during this period of heightened uncertainty.

Addressing systemically important financial institutions (SIFIs)

The FSB reviewed the ongoing work to develop further the SIFI framework, including extending it to domestic systemically important banks and establishing a process to ensure consistent implementation of the policy measures, in particular for resolvability, that apply to global SIFIs (G-SIFIs). The FSB endorsed the International Association of Insurance Supervisors (IAIS) consultation paper that sets out a proposed methodology for assessing the global systemic importance of insurance companies. The paper will be published ahead of the Los Cabos G20 Summit. The FSB evaluated progress in implementing its Key Attributes of Effective Resolution Regimes for Financial Institutions. Authorities are in the process of putting in place recovery and resolution plans, resolvability assessments and institution-specific cross-border cooperation agreements for G-SIFIs, and home authorities of G-SIFIs will prioritise the development of high-level resolution strategies to guide these processes. FSB members reaffirmed the need for further work to establish international guidance on common terms for information sharing and on the handling of client assets in resolution. FSB members will begin in July the first of an iterative series of peer reviews on the implementation of the Key Attributes. The FSB also welcomed progress of its Data Gaps Initiative, which will collect and share among authorities information on the common exposures and financial interlinkages of global systemically important banks.

It supported operational preparations in close interaction with the banks to implement the initial phase of the project from March 2013.

Over-the-counter (OTC) derivatives

The FSB reviewed the steps being taken to implement OTC derivatives reforms, on which it will shortly issue its third progress report. Members noted that encouraging progress has been made in setting international standards, in advancing legislation and regulation by a number of jurisdictions and in practical implementation of reforms to market infrastructure and activities. They recognised, however, that the current momentum must be maintained as much work remains to be done to complete the reforms by the end-2012 deadline agreed by the G20. The FSB noted in particular the substantial progress that has been made in the four safeguards for a resilient and efficient global framework for central clearing. In addition, the Committee for Payment and Settlement Systems and the International Organization of Securities Commissions published in April the Principles for Financial Market Infrastructures. These actions will ensure the robustness of financial market infrastructures and allow national authorities to decide on the appropriate form of CCPs to meet the G20 commitment to centrally clear all standardised OTC derivatives by the end of 2012. In the coming weeks, standard setters will issue consultation papers on margining requirements for bilaterally-cleared derivatives transactions and on resolution of central counterparties (CCPs) and other financial market infrastructures.

Shadow banking

Members reviewed the ongoing workstreams to strengthen the oversight and regulation of shadow banking. Members looked forward to policy recommendations by IOSCO by the autumn on potential measures that would mitigate the susceptibility of money market funds to runs and other systemic risks. The FSB will publish by end-2012 an initial integrated set of policy recommendations to strengthen regulation of shadow banking. The FSB also launched its second annual monitoring exercise of the global shadow banking system, which includes all FSB member jurisdictions. The FSB will report its findings to the G20 Finance Ministers and Central Bank Governors in November.

Legal entity identifier (LEI)

The FSB approved recommendations to support the establishment of a global LEI system that will provide a unique global identifier for parties to financial transactions, as requested at the Cannes Summit. The recommendations will be submitted to the Los Cabos Summit. The proposals set out a governance framework to protect the public interest, while promoting active coordination between the global regulatory community and the private sector in the implementation of the system. The proposals for the initial reference data and LEI code are in line with the ISO 17442:2012 standard published today. The recommended implementation plan targets launch of the global LEI system on a self-standing basis by March 2013.

FSB capacity, resources and governance

FSB members welcomed the draft report of the High-Level Group that it set up in response to a call by the G20 Leaders at the Cannes Summit to strengthen the FSB’s capacity, resources and governance. They agreed to submit, for endorsement at the G20 Los Cabos Summit, the recommendations set out in the report to place the FSB on an enduring organisational footing with institutional standing, legal personality and greater financial autonomy, while maintaining the existing strong links with the Bank for International Settlements.

Implementation monitoring and adherence to standards

As the global financial reform process has progressed, the focus of the FSB and its members is increasingly turning from global policy development to timely and consistent implementation. The FSB reviewed progress in the implementation of G20 reforms under its Coordination Framework for Implementation Monitoring, on which it will report to the Los Cabos Summit. In addition to the progress report on OTC derivatives market reforms, members approved progress reports in two other priority areas: Basel III and compensation practices. These reports will be published around the time of the Los Cabos Summit.

Basel III. The interim report prepared by the Basel Committee on Banking Supervision (BCBS) will describe the progress made and issues identified in implementing the Basel III framework (including Basel II and II.5). The BCBS, in coordination with the FSB, will continue to closely monitor and promote the full, consistent and timely implementation of Basel III.

Compensation practices. The report will describe the progress made by FSB member jurisdictions and firms in implementing the FSB Principles and Standards for Sound Compensation Practices since the FSB’s October 2011 thematic peer review. The FSB will continue its ongoing monitoring of actions taken and identification of remaining gaps and impediments to full implementation. The Bilateral Complaint Handling Process launched in April will be an important input to this process. Members agreed to publish on the FSB’s website summary information on their actions to meet their commitments to undergo and publish the results of assessments under the IMF/World Bank Financial Sector Assessment Programme and FSB peer reviews under the FSB Framework for Strengthening Adherence to International Standards.

Study on the effects of agreed regulatory reforms on emerging market and developing economies (EMDEs)

The FSB reviewed a study, which has been prepared in coordination with the IMF and the World Bank, identifying the extent to which agreed regulatory reforms may have unintended consequences for EMDEs. The study will be submitted to the Los Cabos Summit.

Regional consultative groups

In 2011 the FSB established six regional consultative groups (RCGs) to expand upon and formalise its outreach. The six RCGs include 112 institutions from 65 jurisdictions beyond the FSB’s membership. Members heard reports from the co-chairs of each of the RCGs on their meetings in the first half of 2012.

Notes to editors

The FSB has been established to coordinate at the international level the work of national financial authorities and international standard setting bodies and to develop and promote the implementation of effective regulatory, supervisory and other financial sector policies in the interest of financial stability. It brings together national authorities responsible for financial stability in 24 countries and jurisdictions, international financial institutions, sector-specific international groupings of regulators and supervisors, and committees of central bank experts. The FSB is chaired by Mark Carney, Governor of the Bank of Canada. Its Secretariat is located in Basel, Switzerland, and hosted by the Bank for International Settlements.

NUMBER 7

Publication of the first regulatory technical standards on credit rating agencies (CRAs) - 30/05/2012

Today, four European Commission Delegated Regulations establishing regulatory technical standards for credit rating agencies have been published in the Official Journal of the European Union. These technical standards set out:

1. The information to be provided by a credit rating agency in its application for registration to the European Securities and Markets Authority (ESMA);

2. The presentation of the information to be disclosed by credit rating agencies in a central repository (CEREP) so investors can compare the performance of different CRAs in different rating segments;

3. How ESMA will assess rating methodologies; and

4. The information CRAs have to submit to ESMA and at what time intervals in order to supervise compliance.

The four standards, which complement the current European regulatory framework for credit rating agencies, were developed by the European Securities and Markets Authority (ESMA) and endorsed by the European Commission on 21 March. The regulatory technical standards will ensure a level playing field, transparency and adequate protection of investors across the Union and contribute to the creation of a single rulebook for financial services.

The first 3 regulations will come into force 20 days after their publication today, on 20 June 2012, while the fourth RTS will come into force 6 months after its publication in the Official Journal, on 30 November 2012.

NUMBER 8

Commodity Futures Trading Commission (CFTC)

“Smart Regulatory Reform and the Perils of High-Frequency Regulation” - Remarks by Commissioner Scott D. O’Malia, May 31, 2012

Good afternoon and thank you Armins for the warm introduction and for the opportunity to speak at MarkitSERV’s 2012 Outlook for OTC Markets event. In light of the significant regulatory reform efforts that are currently underway at the Commodity Futures Trading Commission (the “CFTC” or the “Commission”) and elsewhere, events like this one are essential for market participants seeking clarity and guidance in navigating the array of new financial regulations that are coming down the pike while continuing to grow and innovate. As a technology company, MarkitSERV provides critical solutions to its customers in connection with their over-the-counter (“OTC”) derivative transactions in order to streamline workflows and simplify tasks. Technology has always been near and dear to my heart, and I understand the challenges of integrating the newest and best products without having to put the brakes on. As chairman of the Commission’s Technology Advisory Committee (“TAC”), I similarly have pushed the Commission to upgrade its technology infrastructure for the purpose of automating and expanding the Commission’s market surveillance and oversight of both the futures and swaps markets while fostering innovation.

I also have utilized the TAC to inform the Commission as to the costs and impacts of its regulatory and policy decisions, as well as to provide a context for future choices. Most recently, I established the TAC Subcommittee on Automated and High Frequency Trading. This subcommittee’s only focus is developing consensus regarding the definition of high-frequency trading (“HFT”) in the context of the larger universe of automated trading. The definition of HFT will serve as an initial step towards assessing the impact of HFT in the CFTC’s regulated markets. We will use this definition in considering appropriate regulatory responses. While it is tempting to rush to regulate automated trading and HFT—especially in light of its proliferation in our markets and the reality of events like the Flash Crash of 2010—I realized at the outset that there is currently no consensus among market regulators or even market participants as to the definition of HFT. Every debate begins by clearly defining the issue, and that is what I am doing right now. Today, my remarks cover what I call “smart regulatory reform” and the benefits of avoiding that temptation to engage in rapid regulatory leaps before clearly defining the issues and, more importantly, the objectives. I will focus on three topics. First, I plan to discuss the process by which the Commission is implementing its final rules. The pace has been frenetic. We have not spent enough time thinking through all of the potential issues.

The Commission is engaged in its version of “high-frequency regulation.” Similar to high-frequency trading, the market is unfamiliar with the exact goals and objectives of the Commission’s rulemaking and can only react. Without a schedule of rules and clear compliance dates, the market is left guessing as to whom the rules apply, when they must comply and what venue they must connect. Second, I plan to discuss the extraterritorial application of the Dodd-Frank Act and our rules. Defining our own jurisdiction should have been one of our first steps down this regulatory rabbit hole. It is now almost two years since the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank Act”) passed and I have not even seen or reviewed our draft guidance. Third and finally, I want to provide a general update on the Commission’s upcoming rules, customer reforms and technology. Before touching on the three topics of my speech, I would like to start today by providing a little background and context.

Financial Markets in Crisis

As you all know, the 2008-2009 global financial crisis resulted in the collapse of large financial institutions and significant government intervention in the form of bailouts.

In response, Congress passed the Dodd-Frank Act, which was directed at reducing risk, increasing transparency and promoting market integrity.

In particular, Title VII of the Dodd-Frank Act significantly transformed the Commodity Exchange Act (the “CEA”) and required the Commission to prescribe over 50 final rules within 360 days after the date of enactment of the Dodd-Frank Act.


The Perils of High-Frequency Regulation

For those of you who are unfamiliar with the typical Washington rulemaking process, it is generally a long and all-consuming one. Before the enactment of the Dodd-Frank Act, the Commission issued three or four rules a year at best.

My friend and former Commissioner Mike Dunn would always say that most of the Commission’s rules normally take anywhere from 15 to 18 months to finalize.

In order to complete the Herculean task of finalizing over 50 rules, the Commission also has established over 30 multi-disciplinary, rule-writing teams.

Essentially, we are engaging in what amounts to high-frequency regulation.

Notwithstanding the Commission’s tighter timeframes and staff restructuring, the Commission is charged with understanding and overseeing markets with which it does not have prior expertise. Swaps and futures markets are different.

I believe that the Commission must spend an appropriate amount of time understanding swaps markets and the ramifications of these rules, including the cost and benefits of each and every rule before they are finalized, not after.

Some of you may know that I have been very critical of the Commission’s cost-benefit analyses.

The Commission previously minimized the role of performing complete cost-benefit analyses by turning the process into an administrative, check-the-box exercise.

The good news is the Commission has reversed course and the chairman recently signed a Memorandum of Understanding with the Office of Information and Regulatory Affairs (“OIRA”) within the White House to provide technical expertise in order to develop a more thorough process for conducting the Commission’s cost-benefit analyses during the implementation of the Dodd-Frank Act.

In my view, there are three critical areas where the Commission can and must improve its cost-benefit analysis.

First, the Commission should develop a realistic and status quo ante baseline.

Second, the Commission should develop replicable quantitative analysis, which will allow it to make informed decisions about the market.

Finally, the Commission should develop a range of policy alternatives for consideration. All three of these standards are best practices recommended in the Office of Management and Budget Circular A-4, Regulatory Analysis.

As a result of our high-frequency regulatory approach, several of our final rules have created significant regulatory uncertainty and unnecessary angst; much like the uncertainty and angst surrounding the HFT activity during the Flash Crash of 2010.

As you peel back the layers of some of these final rules, the problems of our high-frequency regulatory approach become apparent.

I will briefly highlight several examples.

The poster-child for high-frequency regulation is the recently finalized swap dealer definition rule.

This final rule includes an overly complex definition that would require several commercial firms and cooperative banks to register as swap dealers if it were not for a generous and temporary de minimis threshold for swap dealing activities set at $8 billion.


Due to the complexity of this 600+ page final rule, some commercial firms will be confused as to whether they will be considered a swap dealer or not.

The final rule also adds two new definitions of the term “bona fide hedging” to our existing two definitions (Regulation 1.3(z) and Position Limits Rule).

As a result, the Commission is now up to four separate definitions and counting.

Another example of high-frequency regulation can be seen in the inconsistencies among the Commission’s various reporting rulemakings.

For instance, since final passage of the large trader reporting rules, the Commission has been forced to delay implementation and issue a 160+ page guidebook on compliance reporting.

The license approval process for swap data repositories (“SDRs”) and swap execution facilities (“SEFs”) has also been problematic.

Thus far, the Commission has received four SDR applications, but has approved none.

Since no two SDRs will be the same, the Commission is challenged with approving different models within the same regulatory framework.

This problem will only be compounded when we receive dozens of SEF applications.

Due to the compressed schedule, we do not have the luxury of delaying license approvals to make sure that they meet a one-size-fits-all standard.

The delayed license approval process makes a strong case for preserving the principles-based regulation the Commission was known for versus the more specific rule-based regulation the Commission has adopted since the passage of the Dodd-Frank Act.

The Elements of Smart Regulatory Reform

To avoid the perils of high-frequency regulation, the Commission needs to engage in what I call “smart regulatory reform.”

Right now, you may be asking yourself, “What does he mean by ‘smart regulatory reform?’”

In my view, smart regulatory reform consists of three key elements.

First, smart regulatory reform is based on facts that are uncovered through comprehensive research and robust and frequent discussions with industry.

Second, smart regulatory reform reflects thorough economic analysis.

Put differently, the Commission cannot ignore the importance of its cost-benefit analyses when prescribing regulations.

Finally, smart regulatory reform should provide market participants and other affected persons with regulatory certainty.

Our rules should not be unnecessarily complex, confusing, and in some cases redundant.

The Commission’s primary objective in implementing the Dodd-Frank Act should be to encourage compliance—not to increase its enforcement docket.

Firms utilizing swaps and futures markets to mitigate and manage commercial risks should be focused on just that and not on the risk that they will take a misstep into a regulatory trap.


Ultimately, I believe that smart regulatory reform will reduce systemic and counterparty risk, encourage liquidity formation, promote price discovery, and enhance market efficiency and competition in our financial markets.

Enforcement is one of the Commission’s many functions. It is not the Commission’s only function.

The Swaps Market Is Global

In September 2010, the G-20 leaders met in Pittsburgh, Pennsylvania and agreed to implement comprehensive financial reform and the clearing of OTC derivative contracts by no later than 2012.

Based on the work completed thus far, I believe it is possible for the Commission to implement clearing in the fourth quarter of 2012 for major banks. I believe that the Commission will not require managed money and end users to clear until early-to-mid 2013.

What I cannot predict is when Europe will require their registrants and market participants to meet a similar deadline. I am not confident based on recent press accounts that European OTC derivatives rules will be ready until sometime next year.

Although the futures and swaps markets developed as parallel markets, the swaps market is a more globalized market.

It is very typical that swaps market participants are domiciled inside and outside of the United States and engage in a variety of cross-border swap activities such as marketing to foreign customers and making OTC markets in foreign jurisdictions.

These activities could be subject to both U.S. and non-U.S. regulatory oversight.

J.P. Morgan’s recent trading loss highlights the global nature of this business and the importance of a coordinated global regulatory approach.


The Commission’s Cross-Border Proposed Interpretative Guidance

When I accepted this speaking engagement, I expected the Commission would have released guidance on the extraterritorial application of the Dodd-Frank Act and its rules.

That has not happened and I have not even reviewed a draft.

However, let me share with you what I expect to see and the principles that I hope will be included in the guidance.

I expect the Commission will propose:

(1) Which foreign persons will have to register as swap dealers and major swap participants (“MSPs”);

(2) What Dodd-Frank Act requirements will apply to those swap dealers and MSPs;

(3) When the Commission will defer to comparable foreign regulatory regimes and permit swap dealers and MSPs to satisfy their requirements under the Dodd-Frank Act through substituted compliance; and

(4) How the clearing mandate, trade execution, and certain reporting provisions will apply to cross-border swap transactions involving non-swap dealer and non-MSP counterparties.

The Commission’s cross-border guidance will turn on a small provision that quietly made its way into the CEA through the Dodd-Frank Act—new Section 2(i) of the CEA.

Many people are unfamiliar with new Section 2(i).

This section contains only 101 words—enough words that could fit into a Twitter feed.


Specifically, Section 2(i) provides that the Commission’s swap authority shall not apply to foreign activities unless those activities “have a direct and significant connection with activities in, or effect on, commerce of the United States . . . .”

The important thing for you all to remember is that this language gives the Commission broad authority over the swaps market that goes well beyond other areas of law.

For that reason, I believe that the Commission’s cross-border guidance, once issued, should take into account the following four principles and considerations.

First, the CFTC’s cross-border guidance should be based on principles of international comity.

In other words, the guidance should not overreach or step on the toes of sovereign nations.

We would not want these nations to retaliate by re-characterizing as foreign, market participants who we typically think of as “U.S. persons.”

Second, and in some way related to the first point, the CFTC’s guidance should be based on principles of international harmonization.

That is, the CFTC needs to coordinate its efforts with the Securities and Exchange Commission (the “SEC”), as well as the efforts of foreign regulators.

As far as I am aware, the CFTC and SEC will release separate extraterritorial guidance, which can only create inconsistency and added compliance challenges and costs.

Additionally, our cross-border guidance needs an appropriate phase-in to match global regulatory efforts relating to swaps.


Third, I believe that the Commission’s guidance should in some way demonstrate the costs and benefits of setting its jurisdiction too broadly.

The CEA only requires the Commission to consider the costs and benefits of its regulations and orders.

It does not require that the Commission consider the costs and benefits of interpretative guidance, which the Commission will propose.

In my view, however, the Commission should do the right thing and conduct a thorough analysis of the costs and benefits of its guidance.

That way, the Commission will be able to adequately understand the implications of its guidance and make an informed decision regarding policy alternatives.

Finally, the Commission should ensure that its registrants and registered entities remain competitive in global financial markets. Understandably, U.S. registrants and registered entities would be subject to all of the provisions of the Dodd-Frank Act.

Nevertheless, the Commission’s policies should not put them at a disadvantage vis-à-vis their foreign competitors.

Current Outlook

Without a doubt, the Commission will be busy this summer. I estimate that the next handful of Commission rules and guidance to be issued will include:

(1) The definition of “swap;”

(2) The Commission’s cross-border guidance;

(3) Mandatory clearing determinations; and

(4) The Commission’s final implementation timetable for clearing.


In July, I believe that the Commission will vote on rules regarding trade execution, including the final rules for SEFs, as well as Core Principle 9 for Designated Contract Markets.

These are my best guesses.

There are also a number of significant developments at the Commission on the customer protection front.

These developments are very important to me.

The failure of MF Global exposed material gaps in our regulatory oversight.

Our reporting methods and disclosure timetables enabled MF Global to move customer money without detection.

On Tuesday of this week, the National Futures Association (“NFA”)—working with the Commission—made several important rule changes to improve transparency and promote further protections for customer funds.

Another action taken by NFA in coordination with the Commission has been dubbed the “Corzine Rule.”

This rule will require CEOs and CFOs to sign-off before a futures commission merchant (“FCM”) can transfer or otherwise move customer funds.

I support this rule as well as other rule improvements in FCM transparency—something I call “know-your-FCM rules.”

The Commission and the NFA plan to work together on the know-your-FCM rules this summer.

These rules will help customers make informed decisions about the safety and security of their FCM.


Our challenge is to improve FCM disclosures in such a way to make them useful and relevant.

Broadly, deterrence, transparency, and technology are the three key elements to improving the Commission’s oversight over not only FCMs, but over all CFTC registrants and registered entities. Deterrence speaks for itself.

Transparency offers market participants and regulators a window into business transactions and operations, in addition to exposing possible risks.

Lastly, technology provides the Commission with the ability to catch risks and nefarious behavior before it is too late.

Brave New World of Technology: Swaps Market Infrastructure

When I became a commissioner two-and-a-half years ago, I was aware of the modern trading and matching engines used to trade equities and futures and the explosion in trade volumes across the globe.

However, I was amazed by the lack of sophistication of the Commission’s surveillance and automation capabilities. In my view, the Commission was not organized to appropriately oversee the futures and swaps markets.

I have made correcting this problem among my top priorities while at the Commission.

The good news is that we have addressed this problem by creating a new office of data and technology.

This new office is deploying state-of-the-art technologies to expand the Commission’s oversight functionality.


Conclusion

I appreciate the opportunity to speak with you all today and hope that you have found my insights to be useful.

The Commission’s reform efforts must not only provide the needed guidance to ensure that swaps markets are transparent and promote integrity.

Our regulatory reform efforts must also be smart, make sense in terms of their sequencing and implementation, and most importantly not employ a high-frequency regulatory approach.

Again, I would like to thank you all for your participation today. I would also like to thank MarkitSERV for organizing such a timely and constructive event.


NUMBER 9

Commodity Futures Trading Commission (CFTC)

Statement Regarding Public Roundtable to Discuss the Proposed Volcker Rule, Chairman Gary Gensler, May 31, 2012

Welcome to the Commodity Futures Trading Commission (CFTC) roundtable on the proposed Volcker Rule. Thank you, Dan, for that introduction, and thank you for working with the rest of the team, particularly Steven Seitz from your office and Steve Kane from the Office of the Chief Economist, to put together this important roundtable.

I’d like to thank the Treasury Department staff and the staff of the financial regulators tasked with implementing the Volcker Rule for joining us for this roundtable and for your efforts in coordinating with the CFTC on the rule. I’d also like to thank Sheila Bair, the former Chair of the Federal Deposit Insurance Corporation, for participating today. Former Federal Reserve Chairman Paul Volcker was unfortunately on international travel today, but I’d like to acknowledge his many years of public service.

In 2008, the financial system and the financial regulatory system failed. The crisis – caused in part by the unregulated swaps market – plunged the United States into the worst recession since the Great Depression with eight million Americans losing their jobs, millions of families losing their homes and thousands of small businesses closing their doors. The financial storms continue to reverberate with the debt crisis in Europe affecting the economic prospects of people around the globe.

In 2010, Congress and the President came together to pass the historic Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act), to promote transparency in the markets and to lower risk to the public from large, complex financial institutions. Amongst these protections is the Volcker Rule, which prohibits banking entities from proprietary trading, an activity that may put taxpayers at risk.

This is the CFTC’s 17th roundtable on important topics related to Dodd-Frank reforms. These roundtables are an additional opportunity – beyond the 30,000 comments we’ve received and 1,600 meetings with the public we’ve held – for dialogue and helpful input from market participants and the public. Our 18th roundtable related to promoting the price discovery function on designated contract markets and related issues of swap execution facilities will be on June 5.

In adopting the Volcker rule, Congress prohibited banking entities from proprietary trading while at the same time permitting banking entities to engage in certain activities, such as market making and risk mitigating hedging. One of the challenges in finalizing this rule is achieving these multiple objectives. I’m looking forward to a lively discussion. I’d like to highlight three main issues that I’m particularly interested in getting feedback on today.


First, as prescribed by Congress, the Volcker rule prohibits proprietary trading while permitting risk-mitigating hedging. These two provisions are consistent with each other in that they are both meant to lower the risks of banking entities to the broader public. The question is how we as regulators achieve both of these risk-lowering provisions in a balanced way. Some commenters have said if we’re too prohibitive in one area, we may limit banking entities’ ability to engage in risk-mitigating hedging. On the other hand, if we follow comments of some of the banking entities, then the rule’s allowance for permitted hedging might swallow up Congress’ intent to limit the risk of proprietary trading.

Specifically, under the statute, banking entities may engage in “risk-mitigating hedging activities in connection with and related to individual or aggregated positions, contracts, or other holdings.” To qualify as hedging, these activities must be “designed to reduce the specific risks to the banking entity in connection with and related to such positions, contracts, or other holdings.”

The criteria for the hedging exemption as included in the proposed Volcker Rule are the following: hedges must mitigate one or more specific risks on either individual positions or aggregated positions, they cannot generate significant new exposures, they must be subject to continuous monitoring and management, compensation for hedging cannot reward proprietary trading, and the hedges must be reasonably correlated to the specific risks of the positions.

A further question about hedging activity that was asked by the agencies (question 109 of the CFTC’s proposal) is whether “certain hedging strategies or techniques that involve hedging the risk of aggregated positions (e.g. portfolio hedging) create the potential for abuse of the hedging exemption.”


A related question on which it would be helpful to hear from the panel: is it possible, and if so how, for a separate trading desk with its own profit and loss statement to engage in risk-mitigating hedges? The further removed hedging activities are from the specific positions the banking entity intends to hedge, is it not more likely that such trading activity is prone to express something other than hedging?

As Dan will explain in a moment, we’re not going to be speaking about the specifics of the credit derivative product trading of JPMorgan Chase’s Chief Investment Office. I do think, though, it may be instructive for regulators as we finalize key reforms.

Second, in addition to hedging, Dodd-Frank permits market making, which is important to well-functioning markets as well as to the economy. The question for regulators once again is finding a balance, but this time between prohibiting proprietary trading and permitting market making. The agencies ask in the proposal (question 89 in the CFTC’s proposal): “Is the proposed exemption overly broad or narrow? For example, would it encompass activity that should be considered proprietary trading under the proposed rule?”

The criteria for market making in the proposed rule included seven requirements. A number of commenters suggested that these requirements may be more applicable to the listed securities markets than to the swaps market. During the second panel today, we are looking for your input on this issue. If some of these requirements are not appropriate, what would be more appropriate with regard to market making in swaps?


Third, I’m particularly interested in hearing about how the prohibition on proprietary trading should best be applied to banking entities transacting in futures and swaps. The CFTC’s role with regard to the Volcker Rule and banking entities is primarily with regard to these derivatives traded by swap dealers and futures commission merchants within the banking entity. In particular, banking entities’ market making in swaps is likely to leave them with significant open positions for many years in customized swaps. When would a banking entity’s decision not to hedge or to only partially hedge open swaps positions be considered prohibited proprietary trading?

We at the CFTC will benefit from your input on how the Volcker Rule can best protect the public against risk in the swaps and futures markets. Thank you again for coming, and I’ll turn it back to Dan.


NUMBER 10

Hearing entitled “Cyber Threats to Capital Markets and Corporate Accounts”
Friday, June 1, 2012, 9:30 AM in 2128 Rayburn HOB
Subcommittee on Capital Markets and Government Sponsored Enterprises

House Committee on Financial Services, Subcommittee on Capital Markets and Government Sponsored Enterprises, Hearing on “Cyber Threats to Capital Markets and Corporate Accounts”
Mark G. Clancy, Managing Director and Corporate Information Security Officer, The Depository Trust & Clearing Corporation, June 1, 2012

Important Parts

Chairman Garrett and Ranking Member Waters,

Thank you for scheduling today’s hearing on the important issue of cyber security and the U.S. capital markets. The Committee’s strong leadership on this issue has been critical in helping to raise awareness of the serious threats posed by cyber-attacks on the financial system and fostering dialogue among the private and public sectors on effective strategies to minimize these risks.

My name is Mark Clancy, and I am the Corporate Information Security Officer at The Depository Trust & Clearing Corporation (“DTCC”).


DTCC is a participant-owned and governed cooperative that serves as the critical infrastructure for the U.S. capital markets as well as financial markets globally. Through its subsidiaries and affiliates, DTCC provides clearing, settlement and information services for virtually all U.S. transactions in equities, corporate and municipal bonds, U.S. government securities and mortgage-backed securities and money market instruments, mutual funds and annuities. DTCC also provides services for a significant portion of the global over-the-counter (“OTC”) derivatives market.

To provide insight into the criticality of DTCC’s role in the safe and efficient operation of the U.S. capital markets, in 2010, the Depository Trust Company (“DTC”) settled more than $1.66 quadrillion in securities transactions.

Furthermore, three DTCC subsidiaries last month received notifications from the Financial Stability Oversight Council (“FSOC”) of proposed determinations to designate them as systemically important financial market utilities. The subsidiaries are National Securities Clearing Corporation (“NSCC”), the clearing and settlement subsidiary for equities and corporate and municipal fixed income securities, Fixed Income Clearing Corporation (“FICC”), the clearing and settlement subsidiary for U.S. Treasury, Agency and Government-Sponsored Enterprise mortgage-backed securities, and DTC, the depository subsidiary. DTCC itself, as the parent and holding company of these subsidiaries, did not receive a letter, and it does not expect one.

As the primary infrastructure responsible for the clearance and settlement of nearly all securities traded in the U.S. cash markets, these DTCC subsidiaries play critical roles in mitigating risk and ensuring the safe and seamless operation of the U.S. capital markets.

I am going to focus my testimony today on providing an overview of DTCC’s approach to managing the cyber risk environment. Then I will highlight the nature of the cyber-threats DTCC faces as an organization, how DTCC and the industry plan for and respond to these potential attacks on the infrastructure and opportunities for the private sector and government to work collaboratively to enhance cooperation and information-sharing to protect the safety and soundness of the capital markets.

Understanding the Risk Environment

Due to DTCC’s unique role standing at the center of the financial services industry, the organization brings a dual perspective to its view of the risk environment. First, DTCC must examine and plan for cyber-attacks that could impact its ability to perform clearance and settlement and other critical post-trade processes that underpin the global financial marketplace. While these operational risks have long defined the risk landscape for DTCC, in recent years the organization has expanded its focal point to also include liquidity and market risks related to cyber-threats. Second, because of the interconnectedness of the financial system, DTCC must also take into account the broader systemic risks that could result from a cyber-attack on its systems. To understand the nature and extent of the threats faced by DTCC, the organization regularly conducts enterprise-wide risk assessments, including a thorough analysis of business functions and the facilities, systems, applications, business processes and people that perform them. Next, vulnerabilities that might exist within those assets and the controls in place to mitigate them are examined. Finally, the threats that exist to those assets are analyzed.

The combinations of those factors determine the level of residual risk in the organization – that is, the risk that remains despite efforts at mitigating it. Armed with this data, DTCC assesses whether the residual risk is above, below or consistent with the level of risk that DTCC considers acceptable (known as risk tolerance). This data informs the organization’s business planning and helps guide decision-making on the need for additional investments to further reduce risk or a readjustment of risk tolerance. As these questions are considered, DTCC must also weigh the cost of achieving a tighter risk tolerance against the risk of not acting at all. Risk assessment is a dynamic process, but certain aspects of it are more dynamic than others – and the area that is most volatile is changes in threats and vulnerabilities. On a practical level, virtually no organization has the capability to reduce threats on a daily basis. Rather, organizations must focus their efforts on mitigation of vulnerabilities and/or strengthening of controls. Vulnerabilities take many forms, and while some can be addressed relatively quickly and easily, others require complex and lengthy solutions. DTCC has numerous systems and processes in place to identify new vulnerabilities that could threaten the infrastructure, but the reality is that the organization does not control the timing of their discovery. Indeed, the only variable DTCC, or for that matter, any corporation, fundamentally controls is the tempo at which those vulnerabilities are mitigated. Through continuous analysis and review, DTCC makes decisions on investment levels in response to this rapidly-changing risk environment.

The Systemic Impact of Cyber Attacks on DTCC

The global financial system is an enormous, interconnected “system of systems.” In other words, while individual institutions operate different parts of the critical infrastructure, the financial system itself is a product of the interactions of all these discrete actions. Because DTCC is connected to thousands of different market participants spanning the entire financial services industry globally, the organization must look beyond how a cyber-attack could harm its own operations to the systemic impact on its members and the broader financial community. As mentioned earlier, DTCC serves as the critical infrastructure for global financial markets and, in this capacity, DTCC acts as an integration point that connects a wide range of industry participants. If DTCC is unable to complete clearance and settlement due to systems disruptions or outages, buyers and sellers of securities would not know if their trades had completed and, therefore, what securities they own or how much capital they have. DTCC’s financial risk and operational assessments must take into account these essential functions and determine how non-performance would impact the markets it serves as well as the firms that utilize its products and services, the investing public and the U.S. economy. In other words, if a cyber-attack directed at DTCC rendered its systems non-operational, what would that do to the overall functioning of the financial system? If the financial markets could not operate, how would that affect liquidity and access to capital? This systemic view of cyber risk has driven DTCC to broaden its perspective to include consideration of ways to mitigate low frequency but potentially high-impact scenarios that a monoplane risk assessment would have ignored.

Threat Actors: Criminals, Hacktivists, Espionage and War (CHEW)

It is easy to overgeneralize the threat actors who engage in cyber-crimes as identity thieves who infiltrate computer systems to steal personal data or cyber terrorists who want to declare “war” on a particular nation or the world by disrupting the efficient operation of the financial system. Richard Clarke, the counter-terrorism expert who worked as an adviser to Presidents George W. Bush and Bill Clinton, developed a simple way to classify the different “threat actors” into four distinct categories – Crime, Hacktivism, Espionage and War (CHEW). In some cases, I have modified Clarke’s definitions to reflect my own views on and experiences with these subjects.

Crime

The motivation of this group is financial gain and, according to the U.S. Treasury, they have been successful. A study by the agency found that cyber-crime accounts for more revenue than international cartel drug income, running into the hundreds of billions of dollars annually. The threat intensity of this group varies based on two factors: the capabilities of the actors and the vulnerabilities of the targets. While organizations are continually assessing and addressing potential weak links in their systems, criminals are just as quickly acquiring new technical skills and capabilities through a sophisticated cyber black market.

Hacktivism

The term hacktivism is applied to groups or individuals who use computer intrusion or “hacking” techniques to promote and publicize an often radical political point of view. The most prominent example of hacktivism is the group Anonymous, which supports efforts of the website WikiLeaks to publish private, confidential information of governments and corporations to expose what it believes are injustices or other perceived wrongs. When members of the U.S. financial sector stopped accepting payment transactions for merchant accounts from WikiLeaks, Anonymous lashed out by initiating denial of service attacks (attacks designed to make a system or network unavailable for use) against a number of those financial firms, including MasterCard, Visa and PayPal. This group, like virtually all hacktivists, is not motivated by financial gain – it wants to make a high-profile political statement. The capabilities of hacktivists vary greatly, although it is common to find a few highly-skilled individuals operating in loose confederation with lesser-skilled but highly-motivated actors. The attacks from hacktivists are more difficult to predict because their target selection is often done by consensus online and sometimes in real time.

Espionage

The term cyber espionage was coined to reflect the “spy vs. spy” activity that has occurred between nations for millennia. However, cyber espionage has expanded in recent years beyond attempts to steal national secrets to now include cyber theft of proprietary information from corporations in an effort to gain an economic and competitive advantage over the commercial interests of that country.

The U.S. Office of the National Counterintelligence Executive released a report to Congress in 2011 highlighting the nature of the problem. “In 2010, the FBI prosecuted more Chinese espionage cases than at any time in our nation's history. Although cyber intrusions linked to China have received considerable media attention, some of the most damaging transfers of U.S. technologies to foreign entities have been conducted by insiders. For example, a DuPont chemist in October 2010 pled guilty to stealing research from the company on organic light-emitting diodes, which the chemist intended to commercialize in China with financial help from the Chinese Government. Similarly, the unmasking of the network of 10 Russian "illegals" implanted on American soil indicated that these spies had been tasked to collect on economic as well as political and military issues. China and Russia are not the only perpetrators of espionage against sensitive US economic information and technology. Some US allies abuse the access they have been granted to try to clandestinely collect critical information that they can use for their own economic or political advantage.”

War

This is the cyber age equivalent of Carl von Clausewitz’s 19th century definition that “war is the continuation of politics by other means.” In this regard, war generally refers to the launch of a cyber-missile or some other cyber weapon of mass destruction to devastate the capabilities of a government or corporation by causing a physical system to fail or to gain control over that system. Today, as many as 30 countries have cyber war units to protect and defend against such an attack, according to Secretary of Defense Leon Panetta, who also oversees a cyber-command center comprised of Army, Navy, and Air Force personnel. There is another aspect of war thinking that attempts to undermine the integrity of and reduce confidence in the capabilities of a particular technology system(s) to the point that it is rendered too unreliable or error prone to be used for mission critical functions. An example would be cyber criminals tampering with the system(s) of an electronic exchange to the extent that investors lacked confidence in its ability to provide accurate prices or efficient matching of buyers and sellers.

Cyber Threats to the Capital Markets

The universe of threat actors, regardless of which category they fall into, poses a significant and growing number of dangers to the U.S. capital markets, ranging from the theft of confidential data to preventing the critical infrastructure from performing key market functions to damaging the integrity of market data and information. Let’s look at each of those in more detail.

Loss of Confidentiality of Data

The loss of confidentiality of personally-identifiable information, whether the result of neglect by employees of a firm or by malicious acts of external individuals, has the potential to put the investing public in harm’s way for fraud and identity theft. If these cyber-crimes occur regularly, it could erode investor confidence in the capital markets. The theft of a customer’s access credentials via malicious software installed on the individual’s computer is particularly dangerous because that customer faces the potential loss of his or her funds. When this type of theft occurs on a grander scale involving thousands, tens of thousands or even millions of individual account holders, cyber criminals have the power to engage in market manipulation via “pump & dump” scams. In this example, the thieves can run up the price of a thinly-traded security they own by creating buy and sell orders in the accounts they have taken over. Their goal is to move the market in that stock by bidding against themselves and anyone else they can lure into the scam. More sophisticated criminal groups sometimes target high-value victims, including institutional clients and prime brokerage accounts, which tend to hold larger balances and normally transact with international locations, for the same purposes. The international nature of these crimes makes detection difficult. Finally, DTCC has seen in recent years attacks using highly sophisticated social engineering techniques that target corporate deal-making information, particularly in the commodities and mergers and acquisition spaces. While this information cannot be easily converted into cash, the crimes are indicative of economic espionage and attempts to give foreign corporations or nations an advantage in competitive negotiations, such as those related to winning bids for natural resources or beating the offering price for an acquisition of a company.
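The account-takeover “pump & dump” pattern described above leaves a recognizable footprint on a broker’s own tape: a small cluster of accounts trading a thinly traded name against itself while the price steps upward. The following surveillance heuristic is an added example, not part of the testimony or of DTCC’s tooling; the fill records, account ids and thresholds are constructed for illustration.

```python
"""Added example (not part of the testimony): a wash-trade / pump-and-dump
surveillance heuristic of the kind a broker's trade-surveillance team might
run over its fill log.  All data below is constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Fill:
    ts: int          # seconds since session open
    symbol: str
    buyer: str       # account id on the buy side
    seller: str      # account id on the sell side
    price: float
    qty: int


# Constructed sample fills.  XYZ is the thinly traded name being walked up by
# acct-101..acct-104 (the taken-over accounts); ABC shows ordinary two-sided
# trading among unrelated accounts.  acct-777 is an outside buyer lured in.
SAMPLE_FILLS = [
    Fill(10, "XYZ", "acct-101", "acct-102", 1.00, 500),
    Fill(70, "XYZ", "acct-103", "acct-101", 1.05, 400),
    Fill(130, "XYZ", "acct-102", "acct-104", 1.12, 600),
    Fill(190, "XYZ", "acct-104", "acct-103", 1.20, 500),
    Fill(250, "XYZ", "acct-101", "acct-104", 1.31, 700),
    Fill(310, "XYZ", "acct-777", "acct-102", 1.45, 300),
    Fill(15, "ABC", "acct-201", "acct-305", 20.10, 100),
    Fill(60, "ABC", "acct-222", "acct-201", 20.05, 200),
    Fill(120, "ABC", "acct-309", "acct-410", 20.12, 150),
    Fill(180, "ABC", "acct-505", "acct-222", 20.08, 100),
    Fill(240, "ABC", "acct-410", "acct-618", 20.11, 120),
]


def score_symbol(fills):
    """Return (closed_loop_share, rising_share, distinct_accounts) for one symbol.

    closed_loop_share: fraction of traded quantity where BOTH counterparties
        are accounts that appear on both sides of the tape, i.e. the cluster
        "bidding against themselves".
    rising_share: fraction of consecutive fills whose price moved up.
    """
    fills = sorted(fills, key=lambda f: f.ts)
    buyers = {f.buyer for f in fills}
    sellers = {f.seller for f in fills}
    two_sided = buyers & sellers                 # accounts seen on both sides
    total_qty = sum(f.qty for f in fills)
    loop_qty = sum(f.qty for f in fills
                   if f.buyer in two_sided and f.seller in two_sided)
    ups = sum(1 for a, b in zip(fills, fills[1:]) if b.price > a.price)
    rising_share = ups / (len(fills) - 1) if len(fills) > 1 else 0.0
    return loop_qty / total_qty, rising_share, len(buyers | sellers)


def flag_suspicious(fills, min_fills=5, max_accounts=8,
                    loop_threshold=0.6, rising_threshold=0.8):
    """Group fills by symbol and return {symbol: metrics} for symbols matching
    the thinly-traded, self-dealing, rising-price profile.  Thresholds are
    illustrative; a real desk tunes them against its own false-positive rate."""
    by_symbol = defaultdict(list)
    for f in fills:
        by_symbol[f.symbol].append(f)
    flagged = {}
    for sym, sym_fills in by_symbol.items():
        if len(sym_fills) < min_fills:           # too little activity to judge
            continue
        loop, rising, n_accts = score_symbol(sym_fills)
        if (n_accts <= max_accounts and loop >= loop_threshold
                and rising >= rising_threshold):
            flagged[sym] = {"closed_loop_share": round(loop, 2),
                            "rising_share": round(rising, 2),
                            "accounts": n_accts}
    return flagged


if __name__ == "__main__":
    # Expected: only XYZ is flagged (90% closed-loop volume, every fill higher)
    for sym, metrics in flag_suspicious(SAMPLE_FILLS).items():
        print(f"{sym}: review for coordinated self-trading {metrics}")
```

A hit from this heuristic is a lead for the surveillance team to correlate with login anomalies on the involved accounts, not a determination on its own.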

Loss of Ability to Perform Market Functions

The National Market System (NMS) in the United States, which allows for the structured electronic transmission of securities transactions in real-time, is a prime target for threat actors who want to disrupt the orderly and efficient operation of the capital markets. While there are no public reports of the NMS being directly impacted by a cyber-attack that compromised the availability of key market services in the U.S., there have been instances of such crimes overseas.

For example, in August 2011 the Hong Kong Stock Exchange had to suspend trading in certain securities following a denial of service attack that made corporate filing information unavailable. As a result, the securities effectively became illiquid after trading was halted, which negatively impacted both individual and institutional investors in that market. In 2012, hacktivist groups perpetrated a series of denial of service attacks directed against the public web sites of several U.S.-based stock exchanges. These attacks, while successful in blocking the availability of these online resources for brief periods of time, did not impact the operation of the NMS, but they reinforced the determination of hacktivists to shock the public and disrupt market activity. If an attack on the NMS were to occur, particularly one that targets critical market infrastructure(s), it could pose serious consequences for the U.S. capital markets and the broader U.S. economy. The systems in the U.S. that perform these core processing functions are largely attached to private, interconnected networks. Although the Internet is not a core component of the NMS, it is commonly used to connect market participants to various systems as a back-up to dedicated telecommunications lines or as a direct connection for smaller market participants. While this minimizes the likelihood of such an attack, mainly because it would need to be conducted from inside the infrastructure or the private networks of market participants, the issue is serious enough that it remains a primary area of concern for the financial services industry.

Loss of Integrity of Information

Maintaining the integrity of financial data is a top priority of the industry because most financial assets in today’s capital markets exist overwhelmingly in digital form.

The transition from a paper-based environment to an electronic one was the result of a multi-year initiative to “dematerialize” securities or “immobilize” them in centralized depositories such as DTC. Today, for example, roughly 90% of the $36.5 trillion in securities held at DTC exist only in digital form. Similarly, at the beneficial ownership level, a significant percentage of broker/dealers have digital records detailing which retail and institutional customers own which securities while custodian banks maintain that information for other institutional clients, such as pensions and mutual funds. Financial firms take extreme precautions to guard against three main types of incidences that could impact the integrity of this data. The first incidence is loss of integrity due to accident. The digital nature of the books and records of the financial system makes it critical that this information is secure. As a result, the industry has developed an elaborate set of checks and balances when changes are made to these records to protect the accuracy of data and minimize occurrences of accidental errors. The second incidence is loss of integrity due to malicious acts. In March 2011, for example, a service provider used by both the London Stock Exchange and Italian Borsa was hosting malicious banner ads on the public web sites of these exchanges. While this was not a compromise of the exchanges’ trading systems, it represented vulnerabilities in the supplier processes for vetting paid advertisement content. The implication of this attack is that customers who normally interact with these exchanges could have been targeted in what would have otherwise appeared to have been a normal valid business request to the web site. Another example worth mentioning occurred in January 2011, when the European market for carbon credit trading was temporarily shut down by cyber criminals who changed the ownership information of individual carbon credit owners. According to public reports, this scheme resulted in the theft of 30 million euros worth of credits from the Czech Republic, Austria, Greece, Estonia and Poland emissions market and the closure of the EU Emissions Trading System for more than a week. The third incidence I’d like to mention is loss of integrity due to conflict between nations, terrorists and/or proxies. This type of cyber-crime involves threat actors infiltrating and maintaining access inside a system or systems of a government or corporation for the purposes of launching an attack at an undetermined point in the future. While it is somewhat difficult for a corporation to assess the likelihood of such an attack given the uncertainty in motivation of the threat actors, this has the potential to be the most catastrophic attack of the three I’ve mentioned today and the number of incidences has risen sharply in recent years. It is interesting to note that the more highly-skilled groups or individuals who could plan and execute such an attack tend to be more heavily invested in the orderly operation of the U.S. capital markets and, therefore, unlikely to engage in this activity. However, those with less technical skills, most of whom are not as invested in the U.S. capital markets, are more likely to launch this type of attack and are working diligently to acquire the necessary capabilities.

DTCC’s Approach to Protecting Against Cyber Threats

DTCC maintains an elaborate and sophisticated information security program to protect against the types of cyber-attacks mentioned above. While DTCC corporate policy calls for maintaining strict confidentiality of this information to prevent cyber criminals from knowing the full range of resources and capabilities we possess, we can share certain general information and protocols with the Committee as a way to provide insight into how DTCC safeguards its systems and the data we hold on behalf of customers and the financial services industry. DTCC has established robust policies and procedures that provide the framework for information security within the organization. These policies cover both physical and logical security, are standards based (ISO 27001 and ISO 27002) and are routinely refreshed to ensure the highest degree of protection against cyber-attack. DTCC’s Information Security team carries out a series of processes, including preventative controls such as firewalls and appropriate encryption technology and authentication methods as well as vulnerability scanning to identify high risks, to protect the organization and its members in the most cost-effective and comprehensive manner possible.

Public and Private Sector Collaboration Helps Protect Against Cyber Threats

The financial services industry is engaged in a variety of public-private partnerships with the federal government to protect against cyber threats and safeguard the nation’s critical market infrastructure. A prime example of this collaborative relationship is the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security (FSSCC).

The FSSCC was established in 2002 in response to the September 11, 2001, terrorist attacks and at the request of the U.S. Treasury Department in harmony with Presidential Decision Directive 63 (PDD63) of 1998. PDD63 required sector-specific federal departments and agencies to identify, prioritize and protect United States critical infrastructure and key resources and to establish partnerships with the private sector. The FSSCC has 52 member associations and financial institutions representing clearinghouses, commercial banks, credit rating agencies, exchanges/electronic communication networks, financial advisory services, insurance companies, financial utilities, government sponsored enterprises, investment banks, merchants, retail banks and electronic payment firms. FSSCC members dedicate a significant amount of time and resources to this partnership for critical infrastructure protection and homeland security. The FSSCC does not collect dues and its success as a volunteer organization relies heavily on the time members contribute and to the expertise and leadership roles members play within their respective financial institutions and associations. The FSSCC is charged with “strengthen[ing] the resiliency of the financial services sector against attacks and other threats to the nation’s critical infrastructure by proactively identifying threats and promoting protection, driving preparedness, collaborating with the U. S. Federal government, and coordinating crisis response – for the benefit of the Financial Services sector (the "Sector"), consumers and the U.S.A.” The FSSCC has achieved a number of successes at overseeing cyber security efforts within the sector and has played a vital role in helping to identify strategic issues and coordinate a response with federal counterparts.

One particular effort was the launch of a “threat and vulnerability matrix” to gather detailed information to perform an assessment at the sector-wide level, with the goal of identifying areas of common concern. In addition, the FSSCC has served as the coordinating entity in the private sector, working with the U.S. Department of Homeland Security (DHS), U.S. Treasury and other federal agencies, in getting cleared sector personnel briefed at the classified level on contextual information about cyber and physical threats. DTCC has been actively involved with FSSCC since its inception. From May 2004 to June 2006, DTCC’s current President and Chief Executive Officer, Donald F. Donahue, served under an appointment by the U.S. Secretary of the Treasury as Sector Coordinator; he later served as Chair of FSSCC from April 2005 to April 2006. Currently, DTCC officials serve on various FSSCC committees, sub-committees and working groups, including the Executive Committee, Policy Committee and Sector Wide Activities Committee.

Financial Services–Information Sharing and Analysis Center and Information Sharing

The Financial Services–Information Sharing and Analysis Center (FS-ISAC) is the primary group for information sharing between the federal government and the financial sector. It was created in 1999 in response to the 1998 PDD63, which called for the public and private sector to work together to address cyber threats to the nation’s critical infrastructures. After the terrorist attacks of 9/11, and in response to Homeland Security Presidential Directive 7 (HSPD7) and the Homeland Security Act, the FS-ISAC expanded its role to include physical threats to the financial sector.

The FS-ISAC is a 501(c)6 non-profit organization and is funded entirely by its member firms and sponsors. In 2004, there were only 68 members of the FS-ISAC, mostly larger financial services firms. Since that time, the membership has expanded to over 4,200 organizations, including commercial banks and credit unions of all sizes, brokerage firms, insurance companies, payments processors and over 30 trade associations representing the majority of the U.S. financial services sector. The FS-ISAC has implemented a number of programs in partnership with the Department of Homeland Security (DHS) and other government agencies to encourage and expand information sharing. In 2011, for example, the FS-ISAC, in partnership with DHS, became the third ISAC to participate in the National Cyber Security Communications Integration Center (NCCIC) watch floor. FS-ISAC representatives, cleared at the Top Secret/Sensitive Compartmented Information (TS/SCI) level, attend the daily briefs and other NCCIC meetings to share information on threats, vulnerabilities, incidents and potential or known impacts to the financial services sector. This program has been extremely beneficial in providing situational awareness to the financial sector while also allowing the industry to provide feedback on threats to DHS. DTCC was a founding member of the FS-ISAC in 1999 and continues to participate in the group’s information-sharing mission. I currently serve on the Board of Directors for the FS-ISAC and as a member of the Threat Intelligence Committee (TIC). Team members are also active in the TIC, the Security Automation Working Group, Products & Services Committee, Audit and Compliance Working Group, Clearing House and Exchange Forum (CHEF) and Crisis Management team.

FSSCC & FS-ISAC: A Partnership to Combat Cyber-Threats

While the FSSCC operates at a strategy and policy level, the FS-ISAC engages with its members on operational issues. Together, the two bodies work in partnership to bring a more comprehensive approach to cyber security. For example, the FSSCC and the FS-ISAC have been successful in partnering with DHS and the United States Treasury to obtain security clearances for over 250 individuals in the financial sector who support critical infrastructure protection. The FS-ISAC serves as the hub of activity to coordinate information sharing on threats between financial institutions and the federal government, law enforcement and other critical infrastructure organizations. A sub-community within the FS-ISAC, CHEF was established in 2011. This sub-group played a critical role coordinating information sharing in response to a series of denial of service attacks on the public websites of U.S. stock exchanges. CHEF pooled intelligence, aggregated information about the characteristics of the attacks and shared strategies and techniques to mitigate them in near real-time. This information was shared with CHEF members and, more broadly, within the FS-ISAC and by the FS-ISAC with other ISACs, law enforcement and DHS. In addition, FS-ISAC members provided the CHEF with information about their approaches to mitigating attacks of this kind, which traditionally have not centered on the capital markets infrastructure.

The key to success in managing these denial of service attacks was the level of trust that accompanied the information sharing between financial institutions themselves and these institutions and the federal government. The FS-ISAC provides a host of additional resources for its members, including access to a library of threat information and alerts on new cyber threats and attacks. This enables the industry to more effectively monitor its own systems to determine if similar activity is occurring in their networks or to better align defenses to counter an attack before it occurs. Using the internationally recognized traffic light protocol (TLP), the FS-ISAC designates the sensitivity of unclassified information as green (can be shared with the widest audience), yellow (a somewhat narrower audience) and red (the most restricted audience) to ensure the widest but also most secure distribution of data.

The Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT)

There are two programs I’d like to highlight today because they are excellent examples of the enormous benefits that can be derived through a collaborative approach to information sharing between the federal government and the financial sector. The United States Computer Emergency Readiness Team (US-CERT) leads the federal government’s efforts to “improve the nation’s cyber security posture, coordinate cyber information sharing, and proactively manage cyber risks…while protecting the constitutional rights of Americans.” The US-CERT, using the traffic light protocol, provides alerts to the financial sector on observable data and indicator information, including tactics, techniques or procedures used by cyber criminals or details about the threat actors.
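The traffic-light markings that both the FS-ISAC and US-CERT passages above rely on are only useful if the receiving firm enforces them when it re-shares. The following is an added example written for this page, not code from DTCC, the FS-ISAC or US-CERT. It encodes the standard TLP handling rules (RED: only the recipients the originator addressed; AMBER, which the testimony calls yellow: the recipient's own organization; GREEN: the recipient's sharing community, never the public; WHITE: unrestricted) and derives the marking of a report compiled from several sources, which must inherit the most restrictive one. The parties, organizations and report titles are constructed for the example.

```python
"""Traffic Light Protocol (TLP) dissemination checks.

Added example, not code from DTCC, the FS-ISAC or US-CERT. It encodes the
standard TLP handling rules (the testimony's "yellow" is TLP AMBER):
  RED   - may only go to the recipients the originator addressed
  AMBER - recipient may share within its own organization
  GREEN - recipient may share within its sharing community, never publicly
  WHITE - no restriction
All parties and reports below are constructed for the example.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Optional


class TLP(IntEnum):
    # ordered so that max() yields the most restrictive marking
    WHITE = 0
    GREEN = 1
    AMBER = 2
    RED = 3


@dataclass(frozen=True)
class Party:
    name: str
    org: str
    community: Optional[str] = None  # e.g. "FS-ISAC"; None = outside any sharing community


@dataclass
class Report:
    title: str
    tlp: TLP
    recipients: frozenset  # names the originator addressed directly
    sources: List["Report"] = field(default_factory=list)


def may_forward(report: Report, holder: Party, target: Party) -> bool:
    """Return True if `holder`, a direct recipient, may pass `report` to `target`."""
    if holder.name not in report.recipients:
        return False  # holder never legitimately received it, whatever the marking
    if report.tlp is TLP.RED:
        return target.name in report.recipients  # nobody outside the original list
    if report.tlp is TLP.AMBER:
        return target.org == holder.org
    if report.tlp is TLP.GREEN:
        return target.community is not None and target.community == holder.community
    return True  # WHITE


def releasable_to(reports, holder, target):
    """Titles from `reports` that `holder` may pass to `target`, in input order."""
    return [r.title for r in reports if may_forward(r, holder, target)]


def derive_marking(sources) -> TLP:
    """A report compiled from other reports inherits the most restrictive source marking."""
    return max((s.tlp for s in sources), default=TLP.WHITE)


# Constructed parties: two analysts at one member firm, one at a peer member, a reporter
ANALYST = Party("analyst-a", org="bank-a", community="FS-ISAC")
COLLEAGUE = Party("analyst-b", org="bank-a", community="FS-ISAC")
PEER = Party("analyst-c", org="bank-c", community="FS-ISAC")
PRESS = Party("reporter", org="newspaper")

# Constructed reports, all addressed to analyst-a; the RED one also to analyst-c
RED_REPORT = Report("ddos-mitigation-notes", TLP.RED, frozenset({"analyst-a", "analyst-c"}))
AMBER_REPORT = Report("c2-indicators", TLP.AMBER, frozenset({"analyst-a"}))
GREEN_REPORT = Report("phishing-campaign", TLP.GREEN, frozenset({"analyst-a"}))
WHITE_REPORT = Report("patch-advisory", TLP.WHITE, frozenset({"analyst-a"}))
ALL_REPORTS = [RED_REPORT, AMBER_REPORT, GREEN_REPORT, WHITE_REPORT]


if __name__ == "__main__":
    for target in (COLLEAGUE, PEER, PRESS):
        print(target.name, "<-", releasable_to(ALL_REPORTS, ANALYST, target))
    digest = Report("weekly-digest", derive_marking([GREEN_REPORT, AMBER_REPORT]),
                    frozenset({"analyst-a"}), sources=[GREEN_REPORT, AMBER_REPORT])
    print(digest.title, "is", digest.tlp.name)
```

Two details carry most of the value. A holder who is not on the original recipient list is refused regardless of marking, so a leaked RED report does not become shareable by passing through a second hand; and a digest assembled from GREEN and AMBER sources comes out AMBER, which is the rule an automated "weekly roll-up" most often gets wrong.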

The two most effective reports the industry receives are the Cyber Information Sharing and Collaboration Program (CISCP) alerts, which combine a range of sources and provide normalized post-analysis reporting on threat intelligence, and the Early Warning and Indicator Notice (EWIN), which provides less refined but timelier information. The quality and quantity of information the financial sector receives from DHS’s National Cyber Security Division (NCSD) and US-CERT has been greatly improved in the last three years and has been essential in helping to protect the nation’s critical infrastructure at a time of increased threats. The financial services sector also has the ability to leverage other federal capabilities provided by DHS and/or National Institute of Standards and Technology (NIST), including the National Vulnerability Database (NVD), which holds information on over 50,000 software vulnerabilities in commercial and open source software products. Additionally, the financial sector has increasingly adopted use of the NIST Security Content Automation Protocol (SCAP) suite, which includes the Common Platform Enumeration (CPE) to identify types of systems and software in use and the Open Vulnerability Assertion Language (OVAL) to describe the technical characteristics of a system to determine if a specific software vulnerability is present. DTCC employs SCAP to automate internal processes for the identification and eradication of known vulnerabilities within its IT infrastructure. This offers the organization a cost effective and proven way to efficiently manage vulnerabilities. To further enhance information sharing, DTCC and FS-ISAC are collaborating with DHS and other groups to develop a protocol to automate the machine-to-machine sharing of threat reporting information to reduce inefficiencies and latency.
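An added example of the kind of automated check the SCAP paragraph above describes, written for this page rather than taken from DTCC or NIST: it parses CPE 2.2 URIs (the naming scheme NVD entries carried at the time) and matches a software inventory against the vulnerable-software lists of vulnerability records. The hosts, inventory and vulnerability records are constructed, and the record ids are placeholders rather than CVE numbers. A real deployment would take the inventory from SCAP-validated scanners and the vulnerable-software lists from NVD, and would rely on OVAL (the Open Vulnerability and Assessment Language) definitions wherever the check is more than a name comparison, such as a version range or a configuration state.

```python
"""CPE name matching: software inventory vs. vulnerability records.

Added example, not DTCC's or NIST's code. It uses the CPE 2.2 URI binding
that NVD feeds carried at the time:
    cpe:/part:vendor:product:version:update:edition:language
Trailing components may be omitted and an empty component means "any".
The inventory and vulnerability records below are constructed; the
vulnerability ids are placeholders, not real CVE identifiers.
"""
from urllib.parse import unquote

COMPONENTS = ("part", "vendor", "product", "version", "update", "edition", "language")
ANY = None  # wildcard: an omitted or empty component


def parse_cpe22(uri: str) -> tuple:
    """Parse a CPE 2.2 URI into a 7-tuple; omitted/empty components become ANY."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    fields = uri[len("cpe:/"):].split(":")
    if fields[0] not in ("a", "h", "o") or len(fields) > len(COMPONENTS):
        raise ValueError(f"malformed CPE 2.2 URI: {uri!r}")
    fields += [""] * (len(COMPONENTS) - len(fields))
    # percent-decode and case-fold the non-empty components
    return tuple(ANY if f == "" else unquote(f).lower() for f in fields)


def match(pattern: tuple, name: tuple) -> str:
    """Three-valued match of a vulnerable-software pattern against an inventory name.

    YES     every specified pattern component equals the inventory component
    NO      some specified component differs
    UNKNOWN the inventory is coarser than the pattern (e.g. no version recorded),
            so the host must be checked by hand rather than silently passed
    """
    undetermined = False
    for p, n in zip(pattern, name):
        if p is ANY:
            continue
        if n is ANY:
            undetermined = True
        elif p != n:
            return "NO"
    return "UNKNOWN" if undetermined else "YES"


def assess(inventory: dict, vulns: list) -> dict:
    """Map each vulnerability id to the hosts affected (YES) or undetermined (UNKNOWN)."""
    findings = {}
    for vuln in vulns:
        patterns = [parse_cpe22(u) for u in vuln["vulnerable_software"]]
        for host, uris in inventory.items():
            verdicts = {match(p, parse_cpe22(u)) for u in uris for p in patterns}
            verdict = "YES" if "YES" in verdicts else "UNKNOWN" if "UNKNOWN" in verdicts else None
            if verdict:
                findings.setdefault(vuln["id"], {}).setdefault(verdict, set()).add(host)
    return findings


# Constructed inventory: host -> CPE names of the OS and applications found on it
INVENTORY = {
    "web-01": ["cpe:/o:example:exampleos:6.2", "cpe:/a:example:webserver:2.2.22"],
    "web-02": ["cpe:/o:example:exampleos:6.2", "cpe:/a:example:webserver:2.4.1"],
    "jump-01": ["cpe:/o:example:exampleos:5", "cpe:/a:example:webserver"],  # version not recorded
}

# Constructed vulnerability records in the shape of an NVD entry's vulnerable-software list
VULNS = [
    {"id": "EXAMPLE-VULN-1",
     "vulnerable_software": ["cpe:/a:example:webserver:2.2.21", "cpe:/a:example:webserver:2.2.22"]},
    {"id": "EXAMPLE-VULN-2",
     "vulnerable_software": ["cpe:/o:example:exampleos:6.2:"]},  # trailing ':' = any update level
]


if __name__ == "__main__":
    for vuln_id, hosts in assess(INVENTORY, VULNS).items():
        print(vuln_id, {k: sorted(v) for k, v in hosts.items()})
```

The third verdict is the practical point: an inventory entry that records a product without its version cannot clear a host, and treating that case as a non-match is exactly how a known-vulnerable system stays off the remediation list.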

Opportunities to Enhance Public-Private Cyber Security Collaboration

In May 2010, FS-ISAC and federal agencies took an important step forward in partnering to counter suspected state-sponsored acts of cyber espionage by creating a pilot program, known as the Government Information Sharing Framework (GISF). This pilot program allowed for the sharing of advanced threat and attack data between the federal government and about a dozen financial services firms that were deemed capable of protecting highly sensitive information. The program operated successfully from May 2010 through December 2011 and was expanded to include the sharing of classified technical and analytical data on threat identification and mitigation techniques. Unfortunately, the program was effectively terminated by the Department of Defense (DoD) in December 2011 for reasons that were unclear to pilot participants. However, while information sharing was expected to continue through DHS, this, too, was ceased in December 2011, eliminating an important source of threat data and analysis for the financial sector. Since the termination of GISF, more than 5 organizations in the financial sector have experienced threat assessment by FS-ISAC indicates that these threats will continue to increase in the years ahead.

There were four primary benefits and insights that DTCC and the other pilot participants gained from GISF:

1. The receipt of actionable information in a format that allowed industry participants to search for similar threat activity in their own networks.

2. The receipt of contextual information on that actionable information to better understand the risk implications of observing that threat activity.

3. The ability to adjust assessments of cyber espionage using quantifiable information on the level of malicious activity being observed, which was previously invisible to members of the financial sector. This information greatly increased the collective assessment on threats that were present from these actors and resulted in the FS-ISAC substantially escalating its level of commitment and engagement with government and other partners to identify and mitigate these potential cyber-crimes.

4. An enhanced understanding that previous threat management processes, teams and tools had insufficient capacity to consume threat data due to its raw state and the level of inefficiencies in how this information was communicated. Today, the financial sector and DHS are actively collaborating on the development of standards to support the automation of sharing and consuming threat data.

GISF was responsible for driving innovative new programs in the industry to reshape the sector’s approach to assessing the multitude of risks associated with cyber espionage. This prompted many of the pilot firms, including DTCC, to revise their views on best practices for managing threat information, to expand existing information sharing activities with peers and with the FS-ISAC and to make significant additional investments in threat mitigation and detection capabilities that otherwise could not have been easily justified due to the lack of understanding of the risk to the sector.

Limitations of Classified Information to Protect Against Cyber-Threats

While DHS has been able to offer security clearance to more than 250 financial sector personnel for the purposes of giving them access to classified briefings, this is not sufficient on a practicable level because the data cannot be shared broadly due to its classified nature.

Furthermore, the financial industry lacks the infrastructure and processing capabilities to handle such information, which typically provides additional context on non-financially motivated threat actors and their capabilities.

Next Steps: Expanding Information Sharing Between the Public and Private Sectors

Information sharing like that which occurred under the GISF program represents the most critical line of defense in managing and mitigating cyber security risk today because it:

• Provides actionable information for the industry to protect itself from cyber criminals;
• Drives innovation and improvement in defense strategies and programs; and
• Provides a vehicle for making risk-based decisions on investments and priorities.

While GISF was successful in many aspects, its reach and impact were limited because it did not scale to the depth and breadth of the sector. As a result, it is impossible to gauge the broader benefits of the program because only 16 financial institutions served as pilot participants. However, what is abundantly clear is that information sharing today occurs at “human” speed while cyber-threats occur at warp speed. Now more than ever, an investment in standards, protocols and methods for the industry to rapidly share and consume threat and observable data is needed. In addition, information sharing is most valuable when there is a high degree of trust among and between the financial sector and federal agencies.

The more trust that exists between these institutions, the more information sharing occurs – and the better equipped each organization is to mitigate the risk of cyber-attack and safeguard its systems and data from threats. Also, there is a need for government to invest in additional staffing, tools and repositories to strengthen the nation’s defenses against cyber-attack. Based on DTCC’s experience and the increased need for collaboration between industry and government in this capacity, DTCC strongly supports restarting GISF, removing its pilot status and expanding its reach within the financial sector and to other members of the Critical Infrastructure and Key Resources (CIKR) community who face these types of threats. This program, in combination with supporting enhancement for standards and normalization (with an eye toward automation), will greatly improve the efficiency of threat detection. A potential remedy that I’d like to share regarding the lack of classified processing capability within the financial industry is to enable the critical infrastructure community to engage service providers to provide the necessary capabilities. For example, telecommunications providers could filter the critical infrastructure firm’s in-bound network circuits to remove threats in real-time based upon classified threat data that could not otherwise be processed at the firm. In addition, the federal government could allow the critical infrastructure firm to build and procure needed capabilities in their own infrastructure by allowing the accreditation of classified facilities to occur for non-government contractors. Much of the depth of the U.S. government’s understanding of cyber security threats is highly classified, and the CIKR community outside of the defense arena has limited personnel with the necessary security clearances.

DHS has, at present, very limited ability to “hold” clearances for CIKR personnel. For example, recently-hired veterans at DTCC who held TS/SCI clearance from their military service saw those credentials lapse when they came to the private sector.

As the sophistication and technological means of threat actors increases, the financial sector and government need to move from a static one-size-fits-all framework to a risk-based one that incorporates the dynamic nature of the cyber security threat landscape, the individual firms in the financial sector and the global nature of the capital markets.

Cyber-attacks on the financial services sector represent a significant risk not just to industry participants but to the stability and integrity of the global financial system itself. There is no shortage of threat actors who, for a variety of financial and political reasons, dedicate themselves to wreaking havoc on the systems that underpin the U.S. and global economies. While the public and private sectors have taken important steps forward in recent years to enhance collaboration, a greater degree of trust and information sharing is needed to ensure that all resources are working in concert to protect and defend the financial sector from cyber-attack. There is much progress to build on in the years ahead in these areas.

DTCC stands ready to work in partnership with this Committee, the Congress, the Administration and federal agencies to harden the sector’s defenses against cyber-crimes. On behalf of DTCC, I would like to thank you again for holding today’s hearing to raise awareness of these issues and for allowing us to testify this morning. I would be happy to answer any questions you may have.

Certified Risk and Compliance Management Professional (CRCMP) Distance learning and online certification program. Companies like IBM, Accenture, etc. consider the CRCMP a preferred certificate. You may find more if you search (CRCMP preferred certificate) using any search engine. The all-inclusive cost is $297. What is included in the price:

A. The official presentations we use in our instructor-led classes (3285 slides). The 2309 slides are needed for the exam, as all the questions are based on these slides. The remaining 976 slides are for reference. You can find the course synopsis at: www.risk-compliance-association.com/Certified_Risk_Compliance_Training.htm

B. Up to 3 Online Exams. You have to pass one exam. If you fail, you must study the official presentations and try again, but you do not need to spend money. Up to 3 exams are included in the price. To learn more you may visit: www.risk-compliance-association.com/Questions_About_The_Certification_And_The_Exams_1.pdf www.risk-compliance-association.com/CRCMP_Certification_Steps_1.pdf

C. Personalized Certificate printed in full color. Processing, printing, packing and posting to your office or home.

D. The Dodd Frank Act and the new Risk Management Standards (976 slides, included in the 3285 slides). The US Dodd-Frank Wall Street Reform and Consumer Protection Act is the most significant piece of legislation concerning the financial services industry in about 80 years. What does it mean for risk and compliance management professionals? It means new challenges, new jobs, new careers, and new opportunities. The bill establishes new risk management and corporate governance principles, sets up an early warning system to protect the economy from future threats, and brings more transparency and accountability. It also amends important sections of the Sarbanes Oxley Act. For example, it significantly expands whistleblower protections under the Sarbanes Oxley Act and creates additional anti-retaliation requirements. You will find more information at: www.risk-compliance-association.com/Distance_Learning_and_Certification.htm

Visit our Risk and Compliance Management Speakers Bureau. The International Association of Risk and Compliance Professionals (IARCP) has established the Speakers Bureau for firms and organizations that want to access the expertise of Certified Risk and Compliance Management Professionals (CRCMPs) and Certified Information Systems Risk and Compliance Professionals (CISRCPs). The IARCP will be the liaison between our certified professionals and these organizations, at no cost. We strongly believe that this can be a great opportunity for both our certified professionals and the organizers. To learn more: www.risk-compliance-association.com/Risk_Management_Compliance_Speakers_Bureau.html
