Post-Event Summary BBA Annual Risk Management Conference 2012
7/30/2019 Post-Event Summary BBA Annual Risk Management Conference 2012
Post event summary
www.lombardrisk.com Managing collateralised trading. Enabling regulatory compliance
Lombard Risk at the British Bankers' Association's annual risk management conference: 27th November 2012
Introduction
On November 27th 2012 the British Bankers' Association (BBA) held its annual risk management conference. The event was attended by a combination of BBA members, regulators and representatives from firms associated with the financial services industry.
Speakers included:
Jo Paisley, Director, Risk Specialists Division, Financial Services Authority - The FSA on banking in the new financial landscape
Michael McKee, DLA Piper - Legal update on risk management
Alain Stangroome, Head of Group Capital Planning, HSBC Holdings plc - Risk and bank capital
Christopher Blake, Senior Manager, Liquidity Risk Group Asset & Liability Management, HSBC Holdings plc - The relationship between liquidity and risk management
Conor MacManus, Head of Prudential Requirements, HM Treasury - Measuring the impact of Basel 3 on banks
Annemarie Durbin, Group Head, Corporate Governance, Property, Environment and Security, Standard Chartered - How can non-executive directors (NEDs) be supported in their oversight function?
"The BBA Annual Risk Management Conference highlighted the considerable changes in the regulatory landscape and the challenges ahead for risk and compliance professionals." - David Wilford
Lombard Risk at the BBA risk conference
Lombard Risk sponsored, exhibited and presented at the BBA annual risk conference.
John Wisbey - CEO, John Shield - Advisor to the CEO, Rebecca Bond - Group Marketing Director, James Phillips - Director Regulatory Strategy and Tony Glover - Business Development Manager, all of Lombard Risk, attended the risk management conference and were on hand to discuss delegates' regulatory and risk issues.
ComplianceASSESSOR
Lombard Risk announced ComplianceASSESSOR at the event, a solution that provides firms with a centralised, secure and dynamic means of assessing, evidencing and recording compliance against an unlimited library of regulations.
Lombard Risk ComplianceASSESSOR addresses regulatory risk, being the risk of non-compliance and the penalties and reputational risk that follow.
Introducing David Wilford
David Wilford, Director Compliance Product at Lombard Risk
Email: [email protected]
David Wilford has over 35 years' experience, primarily in the area of credit risk management and regulation. Over the last 10 years he has been involved in the interpretation and implementation of the Basel II/III Accord as reflected in the EU CRD and subsequently the FSA Prudential Sourcebooks. He has been advising banks on the adequacy of their risk governance frameworks to address these and other regulatory requirements and implementation issues.
David Wilford, Director of Compliance Product at Lombard Risk, presented at the event: The challenges of compliance in the new regulatory framework
The biggest challenge banks now face
Why banks remain exposed to compliance issues
A new approach to compliance?
Transcript
As you are all aware, the banking sector is currently subject to a plethora of regulations governing every aspect of an institution's business. As a result, even the smallest institution is now subject to thousands of regulations. This may appear to be an exaggeration but the FSA's GENPRU and BIPRU alone contain in excess of 5,000 regulations and guidance that banks are expected to comply with. Add to these SYSC, COBS, Internal Regulations governing KYC and TCF, not to mention the Data Protection Act, Consumer Credit Act, AML legislation and other applicable laws and regulations, and the number of regulations can soon be counted in their tens of thousands.
Cross-border organisations are further faced with European and other directives, complicated in some cases by the application of National Discretions by individual regulators, increasing substantially the number of regulations and therefore the complexity of ensuring compliance in the various jurisdictions.
It is therefore not surprising that many of the smaller institutions are now having difficulty in even keeping track of new and amended regulations, never mind ensuring adequate compliance.
Indeed, the pressure on compliance functions was borne out in a Thomson Reuters survey earlier this year when over 500 compliance professionals were surveyed. The results indicated (quote) that "the deluge of new rules, regulations and enhanced vigour of regulators coupled with a lack of additional internal resources and headcount has pushed compliance departments to the breaking point".
Unfortunately, the situation is set to deteriorate further from a compliance perspective, as the regulatory landscape is now undergoing a radical change in response to political and regulatory pressures and demands designed to restore economic and financial stability, both here and abroad.
Clearly a major challenge is the need to increase both capital and liquidity to levels deemed by the regulators to be sufficient to weather another financial crisis - no easy task given the increasing scarcity of high quality capital in a deteriorating economic climate, particularly in Europe.
And in the case of those firms deemed too big to fail, these challenges are further complicated by demands to restructure or even ring-fence their retail and investment activities whilst remaining compliant with all applicable regulations.
In addition, firms are also facing the challenge of both restoring and promoting the sector's reputation and integrity, helped in no small measure by the regulators who are demanding propriety, transparency, better risk management and, perhaps most important of all, accountable governance.
And finally, as we heard this morning, the new Prudential Regulation Authority intends to exercise a more judgemental approach to supervision aimed at promoting the safety and soundness of financial institutions, whilst the new Financial Conduct Authority intends to exercise a similar approach with regard to conduct in the financial market place. On the face of it, the application of a more judgemental approach - that will no doubt be based on empirical evidence - may be welcomed by many in the belief that such an approach provides firms with more flexibility in the interpretation of the underlying regulations. However, as many of us know from past experience, the application of such an approach can lead to differences in opinion as to the interpretation of the evidence, leading to even more challenges for firms when trying to justify their interpretation to the authorities.
And no doubt there will be even more regulations - and differing approaches - as politicians and regulators seek to further refine and tighten their control over the banking sector as a means of protecting individual economies.
In conclusion, it is clear that the situation for many compliance functions is extremely serious, especially given the lack of investment in appropriate resources that many firms have experienced.
I would therefore venture that, given the enormous task faced by compliance functions in ensuring compliance in an ever-changing and demanding regulatory environment, the biggest challenge firms now face is REGULATORY RISK, which may be defined as the risk to earnings, capital and reputation associated with a failure to comply with regulatory requirements and expectations; or, to put it more bluntly, the risk of non-compliance.
There is obviously no way to avoid these changes or the challenges they pose.
The question therefore is: how are compliance personnel - consisting of Risk, Compliance and Audit officers - going to ensure compliance with the current and future regulations that underpin these regulatory demands?
And I include Risk officers as their duty is not only to identify and mitigate risk but to ensure that the methodologies and approaches they use comply with the underlying regulations that are designed to ensure minimum standards of acceptability and integrity in the output of their deliberations and computations.
To answer this question, I believe that we first need to examine current practices and then the challenges, to understand the enormity of the problem.
If we go back approximately 20 years, the approach to auditing changed significantly from a tick-box approach to a risk-based approach, the latter identifying high risk business operations and processes and auditing them on a more frequent and comprehensive basis than low risk areas. While this approach had the benefit of utilising audit and compliance resources more efficiently, there were two consequences. First, simple, straightforward businesses and processes within the institution were effectively removed from the radar; and conversely, compliance and audit became focused on specific, high risk areas and processes, the risk being measured in terms of risk to the bottom line. And this was in the days when institutions were required to follow the spirit of the regulations and regulations could be measured in a couple of thousand rather than tens of thousands.
Jumping forward to the years leading up to and immediately after Basel II came into force, compliance with the new regulations was embedded within the implementation process so that when the projects went Business As Usual, businesses and their processes were, by default, compliant with the new regulations. Some institutions went so far as to develop tools to determine compliance with the Basel II regulations during implementation. However, most of these models were mothballed upon implementation or have subsequently become out of date. And in the case of the smaller institutions, their size and/or lack of complexity did not warrant expenditure on the development of such tools. Whether tools were employed or not, the same process of ensuring compliance with new regulations within the implementation process has persisted over the years.
The result is that even today reliance is placed upon the majority of simple business operations being inherently compliant with applicable regulations and therefore off the radar as far as a detailed examination - to determine the state of compliance - is concerned. Yet the majority of fines and settlements this year alone have been in respect of these exact same simple operations. Take for example the back office processing of payments to and from countries on the U.S. embargo list, lack of due diligence on the source of funds when processing payments, the simple processing of mortgage applications prior to securitisation or indeed the reasonable business model of selling insurance products to existing customers. All of these processes were no doubt deemed simple and straightforward and, as a consequence, only warranted the occasional cursory review, yet the financial and reputational impact on individual banks for non-compliance with the relevant regulations has been enormous.
At the other end of the spectrum, compliance and audit functions still focus on high risk-to-the-bottom-line businesses and areas of operation and undertake specific audits and investigations at the coal face, usually relying upon hard copies of the regulations, manual files and Excel spreadsheets. Unfortunately, this focused approach, while serving a particular purpose, prevents senior management, auditors and compliance officers from seeing the overall state of compliance of the institution against the tens of thousands of regulations applicable to their business. It also fails to address the fundamental requirement of the regulators, and that is to comply with their regulations, irrespective of how insignificant an institution may think they are, because at the end of the day a regulation is a regulation and a breach in compliance is not acceptable.
Having said that, Mr Andrew Bailey's introduction to the joint Bank of England / FSA paper issued last month and entitled "The PRA's approach to banking supervision" stated that the PRA's approach "will be very clearly based on judgement rather than narrowly rules-based, and it will be forward looking to take into account a wide range of possible risks to our objectives". And as mentioned earlier, the paper then goes on to say that the PRA intends to focus its approach on the safety and soundness of individual firms and therefore the stability of the financial system. Clearly, safety and soundness are the new buzz words, having been repeated 52 times in this paper alone! Consequently, on the face of it, we appear to have come full circle with the PRA, and indeed the FCA, exercising judgement rather than imposing a rules-based approach.
However, there is a catch, and a rather large one at that, which can be found in Clause 69 of the paper.
This Clause states: "This requirement, for the firm and those managing its affairs to be fit and proper, is in addition to the obvious need for a firm's board and senior management, and in particular its Chair, to have regard to the need for the firm to comply with all applicable laws and regulations. These obligations are extensive and not limited to the laws and regulations enforced by the PRA. This is because other laws and regulations - for instance, conformity with tax laws - could affect a firm's fitness and properness, and the probity and reputation of its management."
Clearly, compliance and audit functions are faced with a dilemma, particularly given limited resources. Should the focus continue to be on high risk business areas and run the risk of non-compliance in what are deemed low risk areas, OR should compliance functions restructure their approach to try and address both the principles-based and rules-based regulatory requirements?
But before answering that question, consider the following.
In the not too distant past, an identified breach in compliance would have been dealt with quietly by the regulator, enabling the bank to correct the situation and contain, or at least control, any reputational damage. Unfortunately, the current climate is far more hostile and unforgiving as banks are now subject to the full glare of publicity and public opinion. This is certainly the case in the U.S. where even the slightest hint of non-compliance or impropriety - the two being indistinguishable in the eyes of the general public - attracts headline news, sizable fines or settlements and immediate reputational damage, irrespective of the validity of any accusation or the extent of any breach being known.
Whether the substantial increase in litigation in the U.S. is an attempt to be seen to be doing the right thing and/or perhaps taking advantage of the political climate for a regulator to stamp their mark within their peer group is difficult to tell. What is certain is the impression that the U.S. regulators have a tendency to litigate first and ask questions later - with serious consequences for the institution concerned in terms of retained earnings and reputation.
Fortunately, on this side of the pond, any response to wrongdoing is a measured response to identified breaches in compliance. And may this approach ever continue!
Clearly, one of the major problems, particularly in the U.S., is that many firms appear unable to evidence the fact that they have at least endeavoured to comply with what are often very complex and constantly changing regulations.
Obviously, endeavouring to comply is not the same as complying and will not prove to be a defence if a regulator really wants to punish a firm, for whatever reason. However, it may sway public opinion and help to restore confidence in the sector if the enormity of the task facing compliance officers is better understood and firms are at least seen to be doing their very best to comply with the regulations.
The answer may therefore be to adopt a more transparent, dynamic and comprehensive approach to compliance that evidences a concerted effort to comply. This may in the future enable a firm to at least evidence to a regulator that all reasonable action had been taken to comply with the regulations at the time of the apparent offence. And hopefully, this may even sway public opinion and help to restore confidence in the sector.
There is also another reason to take this type of approach. Going back to the speech this morning from the FSA, regulators are clearly going to place more and more reliance on a firm's compliance and audit functions to enforce compliance and, where necessary, justify partial or non-compliance. There is therefore a compelling argument to manage compliance more dynamically and evidentially in a centralised fashion.
Ultimately, the Board of Directors and senior management will be held responsible - possibly at a personal level - for any failures in compliance. It is therefore imperative that compliance and audit functions, senior managers and executives have the ability to clearly and easily determine the state of compliance with all relevant regulations throughout their institution, identifying any deficiencies and areas of concern for appropriate action.
Ensuring full compliance with every applicable prudential and non-prudential regulation is obviously an impossible task given the dynamics of any financial institution and the resources available to compliance and audit functions who, historically, have suffered from a lack of investment. The answer may therefore be to assess regulations not only in terms of the impact on the bottom line but also in terms of the regulatory consequences of non-compliance. In other words, a regulation may be deemed low risk if the institution believes that the consequences of non-compliance would be a disapproving look from the regulator, whilst non-compliance with a high risk regulation may prompt a Pillar 2 capital levy or drop in share price as a result of reputational damage. Determining what regulation is low risk and what is high is obviously subjective. However, the simple task of determining the appropriate risk may focus attention on areas of the business previously deemed to be of little concern from a compliance perspective.
Certainly, it would be inappropriate to focus simply on high risk regulations, for exactly the same reason as focusing on high risk business areas diverted attention from areas that subsequently proved to be costly when breaches in compliance were uncovered. However, combining the two approaches may assist an institution in avoiding the same mistakes made by some institutions this year.
In summary, compliance and audit functions are caught between a rock and a hard place, having responsibility for compliance with thousands of regulations but often restricted as to appropriate resources, on the grounds of cost. Indeed, it is fair to say that these functions have in the past been deemed to be a necessary evil, costing an institution money to run but with no apparent benefit. Unfortunately, it is failures in compliance that are headlined, not the success of ensuring compliance.
A new approach to compliance
Having examined the past approach to compliance, the current environment and the proposed New World, what else can be done to address the problems of compliance going forward?
As detailed in many articles recently, and in fact headlined in City AM just last week, risk, compliance and audit experts are in high demand as a direct result of the new regulatory landscape and the challenges it brings. However, I would suggest that increasing headcount cannot be considered the sole answer, for a number of reasons.
First and foremost, given the lack of investment in compliance functions in the past and therefore a lack of appropriate training in compliance and the interpretation of regulations, it must be questionable as to whether there is a sufficiently large pool of appropriately experienced personnel available to meet demand. Certainly, firms that do not have a large enough budget to recruit these experts are going to lose out, with possibly severe consequences.
Secondly, even if a firm does recruit additional risk, compliance and audit experts, are they really going to be able to ensure compliance with the tens of thousands of regulations and the interpretation and application of new regulations and approaches in supervision? Very doubtful.
Clearly, more needs to be done than just increasing headcount and hoping for the best. The answer may lie in better utilisation of existing staff by appropriate training within an enforced culture of compliance throughout the firm. Perhaps then firms may avoid the reputational and financial damage suffered as a consequence of non-compliance with even the simplest of processes, as discussed earlier. However, it is all very well increasing headcount and training front-line officers to be more vigilant in what they do. They also need the right tools to do their job.
It cannot be denied that many compliance and audit functions still operate in a very labour intensive environment with spreadsheets and hard copy files of regulations that are often in different filing cabinets or even different departments within the bank. As a consequence, one of the problems many firms face is the easy identification of applicable regulations to a particular business area or authoritative body. Considerable reliance is therefore placed on the knowledge of individuals as to which regulations are applicable.
Another major problem is that compliance and audit information relates to specific exercises and consequently senior management and executives are unable to appreciate the overall level of compliance or identify weaknesses throughout the whole firm, a serious issue given the PRA's intention to hold senior officers collectively and individually responsible for non-compliance.
It is therefore essential that compliance functions are armed with appropriate tools that can assist in addressing these issues. To address these and other issues, Lombard Risk has developed a powerful web-based compliance and audit application - ComplianceASSESSOR - that not only assists institutions to determine, manage and achieve compliance with applicable regulations but provides senior management, audit and compliance functions with comprehensive reporting and a multi-functional dashboard that identifies the state of compliance with any and all regulations at company, division and business unit levels.
To overcome decentralisation of applicable regulations, ComplianceASSESSOR accommodates an unlimited and searchable library of multi-jurisdictional prudential and non-prudential regulatory books applicable to the firm's businesses, including internal regulations. For example, the FSA Prudential Sourcebooks, European Directives, Sarbanes Oxley and even the various UK laws applicable to - in this case - the financial sector.
Once loaded and the regulations assessed for applicability, it then becomes very easy to search and identify all regulations applicable to a particular subject or business area and the state of compliance against those regulations.
But the library is not limited to regulations applicable to the business. Those appertaining to corporate governance may also be added; in other words, regulations governing the conduct of Boards of Directors, committees and specific functions within the institution. There are also two further categories of book: staff training material; and even Consultation and Discussion Papers, each category having its own security access arrangements. Staff training material may therefore be made available firm-wide whilst consultation and discussion papers may be restricted to selective officers or even made available for assessment in order to determine the degree of current compliance with potentially new regulatory requirements.
Clearly, it is essential that new and amended regulations are assessed in a timely manner, especially given the current climate. ComplianceASSESSOR therefore highlights these for review and/or possible assessment, thereby avoiding inadvertent breaches in compliance.
Conversely, a change to a policy or procedure also poses a threat as the change may inadvertently result in a breach in compliance. One of the features of ComplianceASSESSOR is the ability to map policies, procedures or indeed any documents to the relevant regulations in order to evidence compliance with the relevant regulations, on the assumption that policies and procedures are adhered to in practice. Providing that the institution maintains strict version control over such documents, any changes to the mapping are identified and the relevant regulations highlighted for review and possible re-assessment.
At the heart of the system is the assessment process where not only are policies and procedures mapped to the relevant regulations but action plans may be established to address deficiencies in compliance, each action plan being documented where appropriate. The requirement to review assessments before approval by an independent officer not only enforces the four-eyes requirement but also enables the application of the three lines of defence adopted by the larger institutions.
But perhaps the most important feature is the ability to code the regulations in terms of the consequences of non-compliance, as mentioned previously. While the concept is relatively simple, it enables the application to highlight issues previously overlooked by audit and compliance functions. More importantly, assessments relating to high risk regulations must not only be approved by an independent officer but must also be signed off by an appropriate executive or senior manager who should take overall responsibility, especially where full compliance is not possible and partial compliance is accepted. As can be appreciated, this should prove a useful tool given the PRA's intended approach to executive responsibility.
This Risk Severity Indicator is also used extensively in the dashboard to highlight, for example, action plans associated with the assessment of high risk regulations that exceed their anticipated completion date or where confidence in achieving compliance moves to red on a RAG code. As one would expect, all of this information and much more is captured and displayed, focusing attention on compliance issues and enabling senior management to monitor and manage compliance more efficiently throughout the organisation.
As one would expect, all of this information relating to the assessment of applicable regulations, including all supporting documentation and reports, is immediately identifiable and retrievable, saving considerable time and expense when responding to a query or demand. Unfortunately, it appears that the frequency of such requests and demands is most likely to increase in the months and years ahead.
Finally, ComplianceASSESSOR provides the means of viewing all regulations, assessments, reviews and approvals, AND all policies & procedures and even old audit reports within the organisation on an iPad, which must be a first!
In summary, compliance functions have a major challenge ahead but perhaps, with additional headcount, a more instilled compliance culture and of course ComplianceASSESSOR, life may be easier going forward.
Lombard Risk ComplianceASSESSOR
ComplianceASSESSOR is a powerful web-based compliance and audit application accommodating an unlimited library of multi-jurisdictional prudential and non-prudential regulations mapped to internal policies & procedures. Assessments, action plans, reviews and independent approval together with dashboards, heat maps, alerts and reports ensure that appropriate action is taken to determine, achieve and maintain compliance.
Off the shelf, plug & play facilitates same day set-up, yet can be tailored to accommodate specific requirements
Ability to load multi-jurisdictional regulations to address cross-border requirements
Searchable, centralised library provides one stop shopping when seeking applicable regulations
New and amended regulations and amended policies and procedures identified for review, thereby ensuring that new regulations and changes are not overlooked
Policies & procedures mapped to individual regulations to evidence compliance and instantly retrievable together with assessment data in response to regulatory demands and enquiries
Identified compliance deficiencies addressed through action plans supported by appropriate documentation
Independent review and approval of assessments enforces the four-eyes approach to compliance and accommodates the three lines of defence
Executive sign off required for high risk regulations in terms of repercussion of non-compliance
Comprehensive dashboard provides an overview at company, division and business unit level while a heat map identifies deficiencies in compliance and the degree of impact
Email alerts and reminders ensure the timely processing of assessments, action plans and approvals
Compliance reports and tailor-made audit reports against individual assessments produced effortlessly
All actions fully audited and archived to further evidence and support compliance
View and assess proposed regulations in CP and DP papers to determine state of compliance and identify deficiencies
Auditors and Compliance officers can view all regulations, assessments, reviews and approvals, policies & procedures and even old audit reports, even on an iPad!
For more information visit www.lombardrisk.com and/or email [email protected]