With many expecting the imminent meeting of the G20 group of countries to shake up the financial regulatory landscape, commentators believe that the rest of the world will follow the UK's call for broader financial services reforms.
PJ DiGiammarino of think tank JWG-IT expects that there will be a "big push" by the G20 to support the de Larosière and Lord Adair Turner (chairman of the FSA) recommendations. "A serious rework of capital adequacy, liquidity, hedge fund control, offshore oversight, remuneration and the supervisory architecture is now on the cards - starting this year," he states.
The UK financial services regulator, the FSA, has indicated that in future regulatory supervision will take the form of "making judgments on the judgments of senior management". The US is talking about the need for firms to be able to measure their counterparty exposure enterprise-wide within a matter of hours, not days or weeks. However, there are those that maintain it is about smarter regulation, not more regulation, says Charles Ilako, partner, global regulatory practice, PricewaterhouseCoopers.
Sceptics, including myself, believe that little 'meat' is likely to come out of this week's G20 meeting. Those looking for specifics are likely to be disappointed as the G20 group of countries is hardly in agreement on many matters, with countries like China and Brazil apportioning most of the blame for the current crisis on Western governments, regulators and financial service providers.
And despite utterances to the contrary, protectionism is likely to creep in as national governments and regulators look to prop up domestic institutions at the expense of foreign financial service providers.
PricewaterhouseCoopers calls for a global financial regulatory body to coordinate regulation globally, but there are many unresolved questions as to how such an arrangement could work in terms of governance and structure (will certain countries have more say or be given more weighting than others, for example).
PricewaterhouseCoopers suggests making global the European Systemic Risk Council, but regulatory supervision will still be required at the national level and the enforceability of anything a global or supra-national regulator says or recommends is questionable and likely to be at the behest of national regulatory bodies.
While the new world of financial regulation is raising the bar, all this talk of enterprise-wide risk management does not bode well for banks, which, let's face it, do not have a true enterprise-wide view of their risk or exposure, as this tends to be measured in operational silos.
"We typically find the trader doesn't have a detailed view of the stress tests, the CFO doesn't know the reliability of the reference data and nobody knows who owns the record," says DiGiammarino. "Key information needed for integrated risk management and regulatory compliance is locked in isolated silos and no single individual, or even a single operating committee, has an overall view."
Monday, March 30, 2009
Tuesday, February 17, 2009
Liquidity standards - The FSA is on the war path
It seems that the UK financial services regulator, the Financial Services Authority (FSA), much maligned by the media and the public in the wake of banking failures under its watch, is eager to restore its credibility by wielding the heavy hand of regulation in the form of its onerous requirements for strengthening standards around liquidity risk.
The FSA is the first regulator to issue a consultation paper (CP 08/22) on strengthening liquidity standards and has set the rather ambitious deadline of October this year for banks, investment banks and building societies to comply with its new liquidity risk standards, which does not leave firms much time for planning, selecting solutions, building interfaces, testing and firm-wide education, says Selwyn Blair-Ford, senior domain expert, UK & Ireland, Financial Reporting Services, FRS Global, particularly given that the FSA is not expected to finalize the new rules until April.
Reading between the lines of the Consultation Paper (CP 08/22), one can see that the FSA is eager to come down hard on those banks with business models characterised by unsustainable lending practices and a reliance on wholesale funding or funding from foreign subsidiaries rather than retail deposits.
One of the key tenets under the new liquidity risk standards is that banks will need to maintain "adequate" liquidity at all times without relying on other parts of the group. Blair-Ford says this requirement will "break up" the centralised treasury management model that most banks operate under and will require liquidity to be held locally, which is an expensive undertaking. This appears to be specifically aimed at preventing what happened in the case of Lehman Brothers, where the illiquid US operation reportedly "sucked" all the liquidity out of its European offices.
As a result of the FSA's new requirements around managing liquidity risk, the FSA anticipates that "...many institutions will need to significantly reshape their business model over the next few years as a result. Current agreements and practices will have to be reviewed and the status quo may no longer be acceptable. In line with our objectives, our regime will continue to put the responsibility of adopting a sound approach to liquidity risk management on firms and their senior management".
"There is an arms race to see who is the toughest [regulator]," says Blair-Ford of FRS Global. He anticipates that the cost of complying with the new liquidity risk standards will make banking less profitable, not exactly what the beleaguered banking sector wants to hear, but then it seems the FSA wants to change the face of banking, at least when it comes to stemming the systemic implications of liquidity risk, and if it has to claim a few scalps along the way or force further bank consolidation then so be it.
In its consultation paper, the FSA estimates that IT, reporting and training costs for the new liquidity risk standards will cost firms between £150 million and £200 million; however, industry feedback suggests that the FSA has underestimated the "true" costs to the industry.
Regardless, the FSA makes no apologies for its ambitious implementation time frame or what it terms "tough prudential standards", and while it may be tempting to think that the regulator will at worst fine firms for non-compliance with the new liquidity risk standards, according to FRS Global, the penalties are likely to be more severe and could take the form of bank directors (bank chairmen, executive and non-executive board members) being "disbarred".
It appears that the FSA is on the war path, eager to make amends for the unwanted media and public attention it has received for falling asleep at the wheel, and it will be interesting to see which firm or firms are first in the firing line. Could it be a US bank? After all, many think this is largely a US banking problem that spread to other markets, and it seems the FSA is keen to extend its regulatory tentacles beyond UK shores.
Thursday, February 12, 2009
Strengthening or weakening liquidity standards?
The UK financial services regulator, the Financial Services Authority (FSA), has been consulting with banks and financial market participants on its response to the so-called liquidity crisis.
Boasting the memorable title of CP08/22: Strengthening Liquidity Standards, the FSA consultation paper talks about "high-level" requirements for banks to maintain "adequate" liquidity at all times without relying on other parts of the group.
The consultation paper also mentions the need for adequate systems and controls for liquidity management; quantitative standards for liquidity; standards around quality and quantity of liquid assets and the requirement for a liquidity buffer of "high quality unencumbered assets"; as well as data pertaining to a "firm-specific" and "market-wide view" of liquidity risk.
It sounds reminiscent of Basel II in that the consultation paper talks about qualitative and quantitative standards. I would not be surprised if the FSA's consultation paper gives rise to a cottage industry of conferences, vendor solutions and consultants, all eager to plug their FSA-friendly liquidity risk management expertise.
While the FSA proposes that it will conduct a supervisory liquidity review of each firm, alarm bells start ringing when one reads that the FSA is still pursuing a "high-level" principles-based approach to regulation.
In light of recent market events, which clearly demonstrate that the banks themselves and the regulators got it so horribly wrong, one has to question whether a wholly principles-based approach to regulation works. The FSA also mentions that responsibility for liquidity risk lies with the banks themselves, not the central banks or regulators, but haven't we seen the devastating consequences of what happens when banks are left to their own devices?
Some risk management consultants I have spoken to have also expressed misgivings about the consultation paper (CP08/24) that the FSA published on stress and scenario testing back in December 2008.
The FSA proposes to introduce a "reverse-stress test" requirement for banks, building societies, investment firms and insurers, requiring firms to consider the scenarios most likely to cause their current business model to become "unviable".
Sounds great in theory, but as one risk management consultant pointed out to me, the banking industry and the FSA are not "up to speed" on scenario planning, unlike the oil and aerospace industries, which have 40 years of experience. So what chances do we have of the banks and the FSA, who are part of the problem, getting it right?
The consultant said the current risk management strategies banks use, such as Value at Risk (VaR), were no good at predicting extreme events. Using the example of a plastic ruler being bent, the consultant said while mathematics could calculate how much the ruler would bend, it could not predict at which point it would snap. "[The collapse of] Lehman Brothers was like the ruler snapping," he said. Yet, standard risk models failed to predict the point at which Lehman's would snap, let alone the consequences that ensued.
While placing more emphasis on stress testing and scenario planning in terms of contemplating a myriad of "what if" scenarios may help firms better anticipate the unexpected, the consultant said that the problem with the FSA's approach is that it was taking the standard risk models (how much the ruler is bending) and applying them to something that only matters when the ruler snaps.
Thursday, December 11, 2008
Risk management in your Xmas stocking
Go to a Christmas lunch these days and most people will be talking about what they are filling their Christmas stockings with or how they are looking forward to eating turkey yet again for the fourth time in a week.
While the conversation at business intelligence and analytics vendor SAS's Christmas press lunch today may have been peppered with such conversational tidbits, the subject of the lunch was for SAS to publicise its recent foray into the capital markets space.
Building on its already strong base in the retail banking sector, particularly in the areas of operational risk, credit risk, market risk and financial crime, SAS has put together a team based in the UK that is wholly focused on selling its analytics and risk management solutions to capital markets firms.
2009 is likely to see increased regulatory oversight, particularly when it comes to the overlooked areas of liquidity and counterparty risk; and, not one to miss an opportunity, SAS is eager to sell its solutions to a business that is drowning in information, but not quite sure what to do with it or how to make sense of it in order to determine risk, fraud liability etc.
It seems the poor old trader is likely to come under increasing surveillance with intelligent software algorithms monitoring their every move and looking for unusual patterns of behaviour (the ability to match seemingly unrelated events across different parts of the business). The technology is certainly there to provide such surveillance, but the cynic in me says most banks are only likely to embrace these technologies as a 'box ticking' exercise in order to comply with regulation, rather than seeing it as good business per se.
Risk management is suddenly the business to be in, but one has to wonder where was all this wonderful bells and whistles technology when things started going wrong in capital markets? And at the end of the day technology can only do so much.
If the people in charge still view "betting on the bank" as a necessary part of making money, or don't want to listen to those 'little voices' in their risk department warning them that something bad is about to happen, then no amount of technology can account for the fact that the culture within firms has to fundamentally change if risk management is to be viewed as a strategic asset and not something that is ferreted away in a back office somewhere filing reports to regulators that no one really concerns themselves with.
Interestingly, while we only get to hear about the multi-billion dollar losses racked up by rogue traders like Jerome Kerviel, there are plenty of other million dollar losses within banks, which occur on an almost daily basis (be they the result of human error or internal fraud) that we don't get to hear about.
Mark Hudson, industry consultant, Capital Markets, SAS, believes if firms can start minimising those million dollar losses we don't get to hear about via market or trader surveillance technologies then perhaps the industry will have achieved something.
Surely saving the bank a few 'mill' from combating accidental or internal fraud is going to make a CFO's ears prick up in this challenging business climate? And even if it doesn't, then Hudson believes the banks' customers and maybe even their shareholders (which, let's face it, is the government these days) may insist on more risk management oversight.
Friday, November 21, 2008
Desperately seeking an "enterprise-wide" view of risk
One of the consequences of the current economic crisis is that banks' risk management practices - or lack of them - have been exposed. Like peeling back the various layers of an onion only to find that the inner layer is rotting, the more so-called risk experts have delved into the risk management practices of banks, the less they have liked what they have seen.
Something is rotten in the state of financial risk management, and there should be no surprises that banks' siloed view of risk based on asset class or geography has played a rather significant hand in the dire predicament they now find themselves in. Not only do banks not have an enterprise-wide view of risk across asset classes and geographies, they apparently also find it difficult to stop or prioritise payment flows. Few banks, it seems, had the ability to stop payments going to ailing investment bank Lehman Brothers as it collapsed.
"How many banks have the ability to say I don't have enough cash in nostro A, but there is plenty in nostro B, so I can re-route payments?" asked an executive from complex event processing vendor Aleri during a recent webinar it hosted on liquidity risk management.
Not only are banks' risk management systems siloed, the experts say, they also do not speak to liquidity management and collateral management systems. Liquidity management was traditionally seen as the preserve of a bank's treasury department, but Bob McDowall, a research director with TowerGroup in Europe, says that has to change.
McDowall said forthcoming regulation in the wake of the current crisis meant that banks would need to develop the capability to measure and manage liquidity risk on an enterprise-wide basis. Aleri says complex event processing is one technology that can help pull together disparate sources of information without having to connect to the different silos within banks.
"At any time, banks need to be able to take a view as to what their risks and liabilities are up to the minute, not at the end of the day or periodically throughout the day," said McDowall.
He anticipates that banks will need to move from real-time to "predictive" risk management based on analysis of prices and behavioural patterns.
The national financial regulators are also going to have to pull their socks up it seems, as McDowall says that in order to monitor how well banks are managing liquidity risk, they will need to take a more "forensic" approach to risk management and build systems that enable them to share information with one another.
According to Tony White, managing director, product and R&D, Wall Street Systems, "next generation" liquidity management systems will need to provide a quick overview of everything and be tied to front office systems. They cannot be product agnostic as they will need to understand the product if banks want to combine collateral and cash. Liquidity management policies will also need to be reflected in these systems and stress testing of different scenarios will need to be done in minutes not months.
Sounds like banks are going to have their hands full over the next few months, but one wonders how many banks will actually achieve a truly enterprise-wide view of their risk, given that risk management projects have tended not to receive that much support from senior banking executives.
Tuesday, June 03, 2008
Rogue trading - not an isolated incident
With rogue trading, data leakage and malicious attacks adding to banks' litany of reputational woes, it is no surprise to learn that banks are taking a peek 'under the bonnet' to see how well their risk management and detection systems are actually performing in today's more heightened regulatory environment.
When the SocGen rogue trading incident blew up earlier this year, other banks may have breathed a collective sigh of relief that it wasn't them receiving the unwelcome publicity, but at the same time they probably secretly acknowledged that rogue trading was not isolated to a single institution.
In fact it is probably fair to say that the bonus culture within most investment banks means they are unlikely to design and implement risk management systems that wholly curtail the creative urges of their traders.
Having said that, it is interesting to hear that an increasing number of firms (85%) plan on modifying internal controls in light of recent rogue trading incidents and that 60% have created special task forces in response to high-profile rogue trading incidents, according to Actimize's Rogue Trading Peer Review.
In order to keep the regulators at bay, banks need to be seen to be doing something to address what is at best an endemic problem. According to Actimize's review findings, more than 75% of respondents anticipate another large rogue trading fraud loss, worth more than $100 million, to be uncovered at a large financial institution within the next 12 months.
An additional 50% indicated that rogue trading activities ranging from thousands to millions of dollars go unreported every year at their firms. One has to ask why these incidents are going unreported. Is it because risk management systems are not detecting them? Or is it a culture of silence fuelled by the bonus culture within investment firms that is preventing these incidents from being reported?
According to Actimize's review, 24% of respondents said they had experienced a case of trading fraud at their firms in the last 12 months, and 44% confirmed a case of employee fraud had occurred in the same period.
This confirms the increasing view that the greatest threat financial firms face is not external but internal, be it either unintentional (accidental data leakage from laptops, P2P technologies, USB sticks) or malicious (disgruntled employees, rogue traders).
When it comes to securing trading systems, Frédéric Ponzo, managing director of NET2S consultancy, says historically it has been a case of trying to make conventional security technologies (firewalls, anti-virus, anti-spyware, anti-keyloggers etc) work in a trading environment.
One of the biggest problems, he says is providing a secure infrastructure around "black box" trading terminals, some of which have email systems that do not necessarily fall within the usual security guidelines and policies of a company. These email systems remain vulnerable to attack or data leakage.
French IT security firm, SkyRecon Systems believes it has the answer in the form of its TradeShield solution, which aims to replace point-to-point security solutions in the trading environment with a "single agent, single management console" for managing system and user risk.
Designed specifically for the trading environment, TradeShield provides integrated protection including device control, data encryption, intrusion detection, firewall, network access control and centralised security policy enforcement.
Instead of having to enforce security policies and procedures for normal desktop computer use and trading applications, SkyRecon says that when a trading application is launched, for example, the computer cannot be used for anything else (for example, sending emails, personal instant messaging, peer-to-peer downloads).
The challenge for any solution in this space has to be providing the right level of control while enabling traders to have access to the tools they need (files, emails, IM) in order to trade effectively. Instead of completely "locking down" applications, SkyRecon says TradeShield allows applications to run but with the appropriate level of protection.
When the SocGen rogue trading incident blew up earlier this year, other banks may have breathed a collective sigh of relief that it wasn't them receiving the unwelcome publicity, but at the same time they probably secretly acknowledged that rogue trading was not isolated to a single institution.
In fact it is probably fair to say that the bonus culture within most investment banks means they are unlikely to design and implement risk management systems that wholly curtail the creative urges of their traders.
Having said that, it is interesting to hear that an increasing number of firms (85%) plan on modifying internal controls in light of recent rogue trading incidents and that 60% have created special task forces in response to high-profile rogue trading incidents, according to Actimize's Rogue Trading Peer Review.
In order to keep the regulators at bay, banks need to be seen to be doing something to address what is at best an endemic problem. According to Actimize's review findings, more than 75% of respondents anticipate another large rogue trading fraud loss, worth more than $100 million, to be uncovered at a large financial institution within the next 12 months.
An additional 50% indicated that rogue trading activities ranging from thousands to millions of dollars go unreported every year at their firms. One has to ask why these incidents are going unreported? Is it because risk management systems are not detecting them? Or is it a culture of silence fuelled by the bonus culture within investment firms that is preventing these incidents from being reported?
According to Actimize's review, 24% of respondents said they had experienced a case of trading fraud at their firms in the last 12 months, and 44% confirmed a case of employee fraud had occurred in the same period.
This confirms the increasing view that the greatest threat financial firms face is not external but internal, be it either unintentional (accidental data leakage from laptops, P2P technologies, USB sticks) or malicious (disgruntled employees, rogue traders).
When it comes to securing trading systems, Frédéric Ponzo, managing director of NET2S consultancy, says historically it has been a case of trying to make conventional security technologies (firewalls, anti-virus, anti-spyware, anti-keyloggers etc) work in a trading environment.
One of the biggest problems, he says, is providing a secure infrastructure around "black box" trading terminals, some of which have email systems that do not necessarily fall within the usual security guidelines and policies of a company. These email systems remain vulnerable to attack or data leakage.
French IT security firm SkyRecon Systems believes it has the answer in the form of its TradeShield solution, which aims to replace point-to-point security solutions in the trading environment with a "single agent, single management console" for managing system and user risk.
Designed specifically for the trading environment, TradeShield provides integrated protection including device control, data encryption, intrusion detection, firewall, network access control and centralised security policy enforcement.
Instead of having to enforce security policies and procedures for normal desktop computer use and trading applications, SkyRecon says that when a trading application is launched, for example, the computer cannot be used for anything else (for example, sending emails, personal instant messaging, peer-to-peer downloads).
The challenge for any solution in this space has to be providing the right level of control while enabling traders to have access to the tools they need (files, emails, IM) in order to trade effectively. Instead of completely "locking down" applications, SkyRecon says TradeShield allows applications to run but with the appropriate level of protection.
Thursday, February 21, 2008
What went wrong at SocGen?
Well, the SocGen saga continues, with the commercial and investment bank reportedly publishing a report in French detailing how the trader Jerome Kerviel managed to evade controls.
Following publication of the report, IBM, the latest vendor to jump on the What Went Wrong at SocGen bandwagon, sent out an email reiterating the question everyone has been asking: How can you manipulate tens of billions unnoticed?
As I do not read French I am going to have to rely on IBM's interpretation of SocGen's interim internal investigation report, which reportedly claims that Kerviel's "position keeping and risk systems were unable to report such a large exposure because they [failed] to capture distant forward, incomplete and modified trades, and they were known to function improperly and be prone to recurrent errors."
An IBM spokesperson expressed amazement that a sophisticated organization was not capable of managing and properly reporting such simple transactions as stock future purchases because they followed unusual trading patterns (distant forward dates, multiple modifications, cancellations and transfers).
Risk consultants from IBM Business Consulting Services outlined some of the major causes of large trading losses and stated that the "quality, coherence, and integration of position keeping systems" was crucial in counteracting some of these causes. "Effective position keeping", it said, could also address employees trying to conceal losses, and "oversight mechanisms" which integrated monitoring, governance, and compliance requirements into a "holistic, focused, and practical framework" needed to be put in place.
Arguably, however, there is only so much technology can do, and at some point a human needs to intervene or manage the process in order to prevent people who are clever enough from fooling or overriding internal risk control procedures and systems.
This is borne out by an independent report, which reportedly concluded that while risk control procedures were followed, "compliance officers rarely went beyond routine checks and did not inform managers of anomalies." According to the independent report, 75 warning signs on the activities of rogue trader Jerome Kerviel were overlooked.
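The trading patterns named in this post (distant forward dates, incomplete trades, repeated modifications, cancellations and transfers) can each be raised as a warning sign, kept in the exposure view, and counted per trader so that anomalies are escalated rather than checked one at a time. The Python below is an added example, not code from SocGen, IBM or any vendor mentioned here; the event fields, thresholds and sample events are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Thresholds are illustrative assumptions, not figures from any report.
MAX_FORWARD_DAYS = 90    # value date further out than this is "distant forward"
MAX_MODIFICATIONS = 2    # more amendments than this on one trade is unusual
ESCALATE_AT = 3          # distinct warning signs per trader before escalation


@dataclass(frozen=True)
class Event:
    day: date                    # date the event was booked
    trader: str                  # booking trader (receiving trader for TRANSFER)
    trade_id: str
    kind: str                    # NEW, MODIFY, CANCEL or TRANSFER
    notional: float              # signed notional after this event
    value_date: Optional[date]   # None models an incomplete trade


def review(events):
    """Return (gross exposure per trader, warning signs per trader, escalated)."""
    trades = {}                  # trade_id -> current state
    alerts = defaultdict(set)    # trader -> {(trade_id, reason)}

    # Stable sort: events booked on the same day keep their input order.
    for ev in sorted(events, key=lambda e: e.day):
        t = trades.setdefault(
            ev.trade_id,
            {"owner": ev.trader, "notional": 0.0, "live": True, "mods": 0})
        owner = t["owner"]
        if ev.kind in ("NEW", "MODIFY"):
            t["notional"] = ev.notional
            if ev.value_date is None:
                alerts[owner].add((ev.trade_id, "incomplete"))
            elif (ev.value_date - ev.day).days > MAX_FORWARD_DAYS:
                alerts[owner].add((ev.trade_id, "distant_forward"))
        if ev.kind == "MODIFY":
            t["mods"] += 1
            if t["mods"] > MAX_MODIFICATIONS:
                alerts[owner].add((ev.trade_id, "repeated_modification"))
        elif ev.kind == "CANCEL":
            t["live"] = False
            if t["mods"] > 0:
                alerts[owner].add((ev.trade_id, "cancelled_after_modification"))
        elif ev.kind == "TRANSFER":
            # The warning sign stays with the trader who gave the trade up.
            alerts[owner].add((ev.trade_id, "transferred_out"))
            t["owner"] = ev.trader

    # Incomplete, modified and distant-forward trades still count as exposure.
    exposure = defaultdict(float)
    for t in trades.values():
        if t["live"]:
            exposure[t["owner"]] += abs(t["notional"])

    escalated = sorted(tr for tr, a in alerts.items() if len(a) >= ESCALATE_AT)
    return dict(exposure), {k: sorted(v) for k, v in alerts.items()}, escalated


# Constructed sample events (not real trade data).
SAMPLE_EVENTS = [
    Event(date(2008, 1, 2), "T1", "A1", "NEW", 5_000_000, date(2008, 1, 4)),
    Event(date(2008, 1, 2), "T2", "B1", "NEW", 50_000_000, date(2008, 9, 30)),
    Event(date(2008, 1, 3), "T2", "B1", "MODIFY", 60_000_000, date(2008, 9, 30)),
    Event(date(2008, 1, 4), "T2", "B1", "MODIFY", 80_000_000, date(2008, 9, 30)),
    Event(date(2008, 1, 7), "T2", "B1", "MODIFY", 120_000_000, date(2008, 9, 30)),
    Event(date(2008, 1, 7), "T2", "B2", "NEW", -30_000_000, None),
    Event(date(2008, 1, 8), "T2", "B3", "NEW", 40_000_000, date(2008, 1, 10)),
    Event(date(2008, 1, 9), "T2", "B3", "MODIFY", 40_000_000, date(2008, 1, 11)),
    Event(date(2008, 1, 9), "T2", "B3", "CANCEL", 0, None),
    Event(date(2008, 1, 10), "T3", "B2", "TRANSFER", -30_000_000, None),
]

if __name__ == "__main__":
    exposure, alerts, escalated = review(SAMPLE_EVENTS)
    for trader in escalated:
        print(trader, "escalated:", alerts[trader])
    print("gross exposure:", exposure)
```

Each rule is a signal for review rather than proof of wrongdoing; the per-trader count is what turns isolated anomalies into an escalation.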
Friday, January 25, 2008
Real-time volatility
Those of you who read my "Crisis of Confidence" post will know that I have been questioning to what extent advanced risk measurement approaches and real-time data management technologies could have prevented the current crisis of confidence in the banking sector.
Could it, for example, have enabled SocGen to detect and even prevent its €5 billion of losses caused by a rogue trader dealing in European stock futures? Maybe not. But it appears that in a new post-MiFID world, with multiple MTFs springing up and all of them looking to compete with one another on speed of trading and cost, market surveillance and risk management are becoming more of an issue.
Project Turquoise, the MTF set up by a consortium of investment banks, has announced that it will incorporate a "real-time" market surveillance system combining Progress Apama's Complex Event Processing (CEP) engine and Detica's market surveillance expertise.
Turquoise's post-trade market surveillance system will capture breaches of trading rules, detect market irregularities and develop enhanced trading execution analytics. But given the risk failings that have been highlighted at individual banks recently, one has to ask how effective these technologies are.
The UK's Financial Services Authority (FSA) also worked with Progress Apama and Detica on its "next-generation market surveillance platform", called Sabre II, which also uses CEP to process and analyse real-time event streams. According to reports, the FSA's old market surveillance system only had "end-of-week" capabilities as opposed to the ability to detect market irregularities in real time.
If MTFs and the FSA are relying on CEP for market-compliance issues, is this likely to filter down to the individual bank level where risk management and detection systems are found to be wanting?
Giles Nelson, director of technology, Progress Software, says it is seeing an increasing number of organisations using technology to provide an integrated real-time view of their position and risk analytic systems, which he anticipates will only increase as electronic trading volumes increase.
"With the increasing pace of electronic trading it's vital that a real-time view is available. The volatility in markets over this last week demonstrates the need for this."
Thursday, January 24, 2008
A crisis of confidence
There is nothing like a whiff of a financial crisis to inspire technology vendors to espouse pearls of wisdom that go something along the lines of, 'Well if they had implemented such and such a piece of software, that does so many millions of risk calculations per second, then they would have been able to calculate their real risk exposure much earlier on and perhaps prevented such a crisis.'
Some grid computing and data management vendors have been having a field day with the current crisis sweeping through the global credit markets. I for one remain sceptical as to whether technology can really overcome the financial markets' overwhelming desire to not only make money, but to behave like a pack of herd animals converging on a tasty corpse.
Although risk management and Basel II may be at the top of the agenda (well at least it is at the top of regulators' agenda), does any amount of technology and advanced risk measurement approaches really make a difference, or have recent events merely provided the stimulus that tipped over an already precarious house of cards? The apple was already rotten and recent events have only served to demonstrate how rotten it actually is.
Confidence in banks, particularly those that were considered to be financial heavyweights that could survive almost anything, including a nuclear holocaust, is at an all-time low, and one has to ask: have we only seen the beginning of the unsightly chinks in the banks' armour?
Then there was today's announcement by Société Générale that it had uncovered €5 billion of losses caused by a rogue trader dealing in European stock futures. Sound familiar? Nick Leeson of Barings Bank lost approximately £800 million in 1995 in rogue trades.
Commenting on the SocGen announcement, David Dearman, a partner at accountants and business advisers PKF, had this to say:
"This fraud highlights the continuing lack of controls at some major financial institutions. The lessons of the Nick Leeson and Barings case in 1995 appear to have been forgotten by some. The scale of this clearly surpasses that fraud and is truly shocking."
According to Dearman, there was much "soul-searching" and review of procedures at financial institutions in the City of London following the Barings incident, and procedures were tightened in a number of instances.
"I can only trust that the procedures adopted in the City a decade ago are working and being regularly reviewed, but there will undoubtedly be some very nervous senior people in the industry today," Dearman continues.
Interestingly, perhaps what both incidents highlight is the ability for someone with detailed knowledge of a bank's control systems to override those very systems put in place to prevent such an incident from occurring.
It reminds me of a comment one compliance consultant made not so long ago, that banks tend to focus more on external threats as opposed to internal threats. One has to ask though, would any amount of sophisticated risk management techniques and real-time data management technologies have uncovered or even been able to prevent someone using their knowledge of a company’s security systems to conceal fraudulent positions?
Tuesday, January 15, 2008
Compliance tops the agenda
For those of you wanting to get a heads up on the post-MiFID environment, Basel II, the third Anti-Money Laundering Directive, what regulators may have in store for the hedge fund community or the next installment of 'MiFID-like' directives, Complinet is hosting its fifth annual Compliance Conference in London on 6-7 February.
The conference program features some of the European Commission's and the FSA's leading lights who can fill banks in on the latest developments surrounding the MiFID Directive Level 3 (not so good news for those that thought MiFID had come and gone). The FSA's head of risk will happily share its vision of principles-based regulation and what it means in a post-MiFID environment, and why it is imposing so many fines for Treating Customers Fairly breaches.
And if that wasn't enough to make any risk manager's head spin, there will also be sessions on how data protection laws and other regulatory requirements often result in competing and conflicting requirements (something I am particularly interested in). Do KYC requirements, for example, often conflict with firms' data protection obligations?
There will also be sessions on Basel II, the latest anti-money laundering edict handed down from on high, and leaping into the uncharted territory of principles-based regulation, which we know a number of financial service providers developed a distaste for in the run-up to MiFID's implementation.
Thursday, April 12, 2007
An 'incremental' approach to compliance
The spate of regulations banks have to comply with reads like a shopping list: MiFID, Reg NMS, Know Your Customer, anti-money laundering, Basel II, fraud detection...
And historically most banks have opted to buy separate solutions to address each regulation. Yet, given the zealousness with which the regulatory treadmill is churning out new or revised pieces of legislation, implementing separate solutions is no longer considered a viable approach. "When you deploy multiple compliance solutions, costs go up," says Stephen Epstein, vice president, head, product management, risk and compliance software provider, Mantas.
Epstein compares the scale of upfront investment required by most banks today to comply with a raft of regulations to the early days of order management system deployment. However, the difference with regulatory compliance, he says, is that the cost is not just a one-off investment; it is ongoing, because as new pieces of regulation come online, banks must source new data, documentation etc.
"The cost of supporting regulatory examinations is the real 'killer'," Epstein continues. "Banks need to have documentation readily available, the right policies and procedures in place and be able to say why an alert has been generated."
The only ones that appear to be benefiting from the overwhelming tide of regulation, corporate governance and compliance are the regulators, consultants and vendors implementing these myriad solutions. Yet, recognising that there is often overlap between different regulations in terms of the functionality and business processes required (transaction monitoring, scenario analysis, client classification, regulatory reporting), the latest industry buzzword to emerge is the GRC (Governance, Risk and Compliance) framework.
According to Mantas, GRC is about implementing a flexible framework which does not just address regulatory, governance and compliance needs 'now', but 'future proofs' the business against future changes to regulation, governance or compliance, as well as allowing firms to re-use components from previous GRC implementations to address future needs.
"GRC is about repackaging old wine into new bottles; leverage-ability and re-usability is the value proposition," says S. Ramakrishnan, CEO, Mantas and Reveleus.
Forrester Research predicts that the GRC software platform market will grow from $590 million today to $1.3 billion by 2011.
By focusing on areas that overlap between regulations and integrating components that address these areas, Mantas and Reveleus have combined elements (transaction monitoring, behaviour detection, risk, control and self-assessment) from their once separate solutions to provide a GRC framework, a single platform which aims to reduce the duplication of effort and cost associated with implementing separate risk, governance and compliance solutions.
An example of the Reveleus/Mantas GRC platform at work is in the area of regulatory compliance with MiFID, where functionality from both vendors' solutions (business execution analytics, scenario analytics, client classification, regulatory reporting) is combined to help firms address various requirements such as best execution and KYC under MiFID.
But while GRC software platforms may be in the midst of a 'hype cycle', are they destined to fall into the 'trough of disillusionment' based on challenges around implementation and integrating data across traditional product silos within banks?
Ramakrishnan of Mantas/Reveleus says they are not trying to sell a 'monstrous' strategy to banks. The idea, he says, is to implement a GRC framework in incremental steps, starting with a specific regulation such as MiFID, for example, and then re-using data and analytic components of that installation to help with compliance, governance and risk management in other areas such as KYC, AML or fraud.