Risk managers are well versed in the mechanics of operational risk capital. By now, they should be equally familiar with UK authorities’ latest attempt to make bank executives accountable for the failings of their firms, known as the Senior Managers Regime. Few, though, would have placed those two elements together, one contingent on the other.
But that was what Bank of England governor Mark Carney appeared to do in a speech last November, when he suggested that misconduct by senior bankers could result in additional capital add-ons for their institutions.
Since then, operational risk managers have been trying to decode Carney’s words and establish when, and how, the UK’s financial supervisors might use the recently implemented SMR as a means of jacking up banks’ capital requirements.
“In the way the SMR was originally written and the way it was initially communicated it didn’t draw links to explicit capital charges,” says a senior risk officer at a US bank in London. “If you’re having a notable problem in risk management you are likely to have some of your Pillar 2A assumptions questioned, but I haven’t seen that link made explicitly before.”
Pillar 2A is the additional capital that local supervisors force banks to hold to take account of risks not covered under Pillar 1, or core, capital. In the case of UK banks, the Prudential Regulation Authority determines its Pillar 2A requirements for conduct risk using a principles-based, rather than rules-based approach. Instead of sticking to a set formula, the authority exercises what it terms “supervisory judgement”.
This leaves room for discretion, and some observers believe Carney’s remarks were deliberately ambiguous, designed to give the regulator ammunition when it comes to assessing an individual bank’s operational risk controls and its management’s fitness and propriety.
The Bank of England, when asked to amplify Carney’s words, commented: “There has been no change in policy on Pillar 2A capital.” It stressed that failures in firms’ governance, culture and accountability are addressed in the first instance through the SMR – prevention being better than cure (see box: The BoE on conduct risk capital).
But, it added, if the PRA assessed the governance of a firm to be particularly weak, then it may also size its buffer to cover the risks posed by those weaknesses. “This will generally be calibrated by scaling the amount of Common Equity Tier 1 required to meet Pillar 1 capital requirements, plus Pillar 2A capital requirements,” the Bank said.
This looks a lot like a capital add-on, observers point out: “Regulators have always, especially post-crisis, utilised risk management and governance scalars in Pillar 2B; it’s been almost the norm to see scalars applied. Moreover, governance is obviously all about operational risk – so the scalar is often really an op risk [capital] add-on in another name,” says Jimi Hinchliffe, regional chair of the Institute of Operational Risk and a former UK senior regulator.
Not everyone agrees this is what Carney meant, however. “I don’t read Carney’s comments as suggesting the PRA will leverage additional capital,” argues a senior bank lobbyist. “In practice, should shortcomings in SMR occur, then this will have the logical consequence of demanding more capital. He’s simply making an observation.”
Others see the debate over the catalyst for any additional capital as moot: “I was surprised at the suggestion that the SMR could be used as a trigger to add capital, but it doesn’t really matter as the home regulator already has the power to levy Pillar 2A capital. The failure to comply with the SMR could be a trigger for them to use existing powers,” says a senior op risk manager at a UK bank.
Called to account
The op risk manager is not alone in expressing surprise that the ambit of the SMR has been seemingly broadened to include punishment by extra capital burdens. This isn’t what bankers understood the SMR to be about. The thrust of the regime is about accountability for business decisions, and ensuring that banks had clear and unambiguous reporting lines so that individual managers can and will be held responsible for incompetence and unprincipled behaviour.
But though the scope of the regime is vast, its power is largely untested; with the SMR less than two years old – it entered into force in March 2016, and currently only applies to larger banks and insurers – banks are still waiting for the first enforcement actions under the regime.
No senior individual has yet been targeted by regulators for special attention, either – though these will inevitably come: “If there aren’t any prosecutions, people will get lax,” Paul Fisher, former deputy head of the PRA, told Risk.net in September.
The Staley test
An early trial of the Senior Managers Regime may come in the form of the Financial Conduct Authority’s ongoing investigation into Barclays chief executive Jes Staley, and his role in attempting to unmask an anonymous whistleblower.
Staley admitted that his actions, which came to light last year, were “a mistake”, and offered a public apology. He faces internal punishment in the form of a cut to his bonus for the 2017/18 financial year. The FCA is due to conclude its probe in the coming weeks.
Analysts suggest Staley could find himself one of the first senior executives to have his case heard by the Bank of England’s new Enforcement Decision Making Committee – the body the BoE is in the process of setting up to decide any contested enforcement cases brought by the Bank, including the PRA. The Bank says the creation of the body is a response to a 2014 review by the UK Treasury into enforcement – but it appears to presage a likely rise in challenges to judgements against individuals following the implementation of the Senior Managers Regime.
According to the minutes of the November meeting of the Bank’s court of directors, the committee as proposed will constitute a group of five members – at least two including the chair legally qualified – and in any specific case a panel of three of the five would be formed to determine it. Subject to a final consultation, the committee will be established by the court in the first quarter of this year.
“It looks to me as if his case is going to be the first job for the new process, and seems weird to me to do it any other way,” says Dan Davies, senior adviser at Frontline Analysts, “but I suppose they might decide to get it done and let the new committee start with a clean slate.”
Barclays did not respond to a request for comment by time of publication.
In the absence of examples of enforcement, the industry has no concrete indicator of the types of “persistent failings” that Mark Carney suggested might incur the imposition of an additional capital burden.
“Carney is clearly talking about the incentives to encourage good behaviour,” says Edward Sankey, risk consultant and former chair of the Institute of Operational Risk. “There is a carrot and stick approach.”
Hinchliffe says banks have in the past been slow to adapt to regulatory change, only introducing the required processes and systems just in time, but the possibility of capital add-ons will smarten up their act. “It’s a useful mechanism. It’s the one thing that’s guaranteed to get profile in the boardroom and get senior management attention,” he adds
That doesn’t stop the banks wondering, privately, how the PRA would make the required calculations if it deemed a capital add-on was called for. Modelling for conduct risk is notoriously difficult, and a lot of banks have lost faith in it. The data points are too few and the correlation between them virtually nonexistent.
“Conduct risk modelling is very difficult: you have got lots of relatively small pieces of data. We try to combine them, but often they have nothing in common – you can’t combine risks that are not homogenous. I can’t imagine anyone has done it with a great deal of confidence,” says the chief risk officer. This led to view that the AMA, or advanced measurement approach to calculating op risk capital, won’t work for conduct risk under a loss distribution approach, he adds.
Governance is obviously all about operational risk – so the [PRA’s Pillar 2B] scalar is often really an op risk capital add-on in another name
Jimi Hinchliffe, regional chair of the Institute of Operational Risk
One of the reasons conduct risk is so hard to model, say risk officers, is that the fines imposed on banks since the financial crisis (some $320 billion and counting) appear to have been calculated unscientifically and are based upon satisfying a political audience rather than anything else.
“Multi-billion dollar fines come out of perfect political storms and they don’t fit any model. Regulators pick a number they feel comfortable with when asking firms to factor this into capital,” says one.
So what criteria would the PRA use when adjudging capital additions if it deemed them necessary? The answer is not clear. “The SMR is about business accountability and, secondly, effective governance. How might one explicitly include that to include Pillar 2 calculation? There are risks you can model, using scenarios, but I’m not sure how you would use that approach unless the regulators are a little more prescriptive in terms of what they want,” says the UK bank’s op risk manager.
A prescriptive stance, though, would not chime with the PRA’s self-professed “supervisory judgement” approach.
‘Janet and John’
Deficiencies in modelling are no excuse for banks not embracing the principles underpinning the SMR now, and the avoidance of possible capital additions is not difficult, say operational risk consultants. “Where firms don’t have the basics in place, it’s right and proper that they are hit by capital add-ons. The SMR can be seen as a ‘Janet and John’ guide to management and if you can’t even get to that level, then you can’t complain when you’re hit in Pillar 2,” says Hinchliffe.
As Sankey observes: “On the one hand, banks’ concern that they might be hit with capital is justified as there are no precedents and guidelines. But on the other hand, the SMR should be regarded by firms not as the operating standard they are being told to attain but as the minimum accepted standard.”
That is to say, if firms attain the principles and structure outlined by the SMR then they have no need to worry about capital add-ons. Instead, banks should be looking to achieve a quality of performance over and above the precepts of the SMR.
As Colin Lawrence, consultant and former strategic risk director at the PRA, says: “Bank shareholders should be encouraged by what Carney says, but accountable senior executives should be alarmed if they’re not transparent, if they’re not vigilant to what is going on at desk level and haven’t implemented a robust governance structure of identifying, managing and reporting critical risks with a robust control framework.”
In brief: SMR
The Senior Managers Regime is part of a wider suite of regulations introduced by the Bank of England to tighten up conduct in financial firms. Known collectively as the SM&CR, the regime’s three elements are:
• The SMR, which requires firms to formalise responsibility for 17 management functions among FCA-approved individuals.
• The Certification Regime, which covers individuals who aren’t senior managers, but whose jobs have an impact on clients, markets or the firm. The competence of these individuals is monitored internally.
• The Conduct Rules, which apply to almost all those working in financial services, codifying standards of behaviour.
That has not stopped some firms from exploring ways of following the letter of the law if not the spirit. Industry insiders cite anecdotal evidence that some banks have ‘juniorised’ some roles to avoid responsibility, and also that the PRA has on occasion been obliged to bring interviews with senior managers to a premature halt because the bankers have been so inadequately prepared.
Senior risk bankers refute these suggestions. They stress that the SMR has entailed extensive remapping of procedures and reporting lines, particularly within global banks that operate across jurisdictions and where local managers of local businesses can report to product heads in a different time zone.
Amongst international banks, US firms based in the UK – the largest banking subsidiaries of which are directly supervised by the PRA – are said to have experienced more difficulties adapting to the SMR than their UK or European counterparts. This is partly due to their familiarity with a more prescriptive regulatory system rather than a principles-based system.
The US bank’s senior risk officer disagrees, saying that the CCAR stress-testing regime, which a number of banks in the US have failed, are predicated on similar principles to the regulatory regime across the Atlantic. The officer adds that although the US does not have an equivalent senior managers regime at the moment, it is rumoured that regulators are interested in the concept and have been studying the UK model.
The real test of the SMR and whether, indeed, shortcomings uncovered by the regime will lead to capital additions, will come over the next year or two. Whether banks have made changes, and what sort of punishments the regulator will hand out for what sort of breaches, will become clear only during the period of supervision and enforcement.
Conduct risk modelling is very difficult: you have got lots of relatively small pieces of data, [and] you can’t combine risks that are not homogenous
Senior UK op risk banker
The FCA must first recruit enough senior and experienced supervisors to be “able to see through the presentations made by the banks”, in the words of Edward Sankey, but also it must show the determination to impose punishments in the face of any legal challenges to its judgements.
The paradox, as Paul Fisher points out, is that the more enforcement actions the authorities impose under the SMR, the greater the evidence of the regime’s failure.
Another possible influence on the enactment of the SMR may come in the form of Brexit. Analysts suggest the FCA may seek to differentiate itself from European regulators in an effort to keep banks in the UK. “It is perhaps more likely that the FCA and the PRA will be more relaxed as they want banks to stay. The impression I have is that post-Brexit, regulators in the UK might look again at the bonus system possibly with a view to making it more relaxed,” says Ian Mason, a legal director at DLA Piper and former enforcement head at the FSA.
Some senior risk officers argue this new era of greater transparency and punitive consequences for failures of good governance is all to the good. Others also suggest that banks can hardly be either surprised or outraged by every new demonstration of the iron fist of regulation.
“I think maybe I am an outlier, but I don’t have a problem with regulation as firms have demonstrated time and time again that they are unable to self-regulate. You reap what you sow,” says the UK chief risk officer.
Additional reporting by Tom Osborn
The BoE on conduct risk capital
In his November speech, Mark Carney appeared to draw an explicit link between the Senior Managers Regime and banks’ required levels of operational risk capital for the first time.
“For supervisors – us and the FCA – the [SMR] is helping identify weaknesses in governance and accountability. It’s helping us assess the fitness and propriety of senior managers and others in positions of responsibility – and [assess] whether a firm has the appropriate culture and is encouraging the necessary changes. If that isn’t the case, in the first instance, widespread or consistent shortcomings would have consequences for the compensation of individuals. More persistent failings could increase the capital that is set aside for operational risk – so it would have consequences for the firm itself. And in the extreme, it could influence our judgements regarding the fitness and propriety of senior managers.”
In light of Carney’s comments, Risk.net asked the Bank of England to clarify its stance on the mechanism by which failings under the SMR could translate into capital add-ons. Its response was as follows:
“The PRA’s current policy on operational risk Pillar 2A is unaltered. This policy is described in our Pillar 2 statement of policy (SoP). As the governor pointed out, failures in firms’ governance, culture and accountability are addressed in the first instance through the Senior Managers Regime (SMR). These failures are usually not addressed through operational risk capital but rather through another element of the capital stack: the Risk Management and Governance (RM&G) scalar.
The SoP states:
Where the PRA assesses a firm’s RM&G to be significantly weak, it may also set the PRA buffer to cover the risks posed by those weaknesses until they are addressed. This will generally be calibrated by scaling the amount of CET1 required to meet Pillar 1 capital requirements plus Pillar 2A capital requirements. To ensure consistency, RM&G decisions are subject to a supervisory peer review process. As with other risks identified, supervisors will discuss RM&G weaknesses with firms.
The SoP also states:
If an overall RM&G scalar is applied, RM&G weaknesses identified in specific risk categories should not be reflected separately in Pillar 2A capital requirements for those categories.
There are two ways, however, in which failures in governance and culture could indirectly impact the Pillar 2A operational risk capital:
i) If these failures lead to conduct fines, these would be reflected in future years in the conduct part of the operational risk Pillar 2A capital add-on. As stated in the SoP:
Pillar 2A capital for conduct risk is informed by: supervisory knowledge of a firm’s exposure to conduct risk; a firm’s largest conduct losses over the past five years; the level of expected annual loss for conduct risk; and conduct-related scenarios where potential exposures over a shorter time horizon (e.g. five years) are considered.
ii) These failures might influence supervisors’ judgement on Pillar 2A non-conduct operational risk capital. As stated in the SoP:
Supervisory judgement is used to determine the operational risk add-on, taking into account considerations such as: the quality of the firm’s own Pillar 2A assessment; the capital range generated by C1, C2 and C3 for non-conduct risk; confidence in the firm’s scenario analysis process and internal loss data; the quality of the firm’s operational risk management and measurement framework; and peer group comparisons.”
The week on Risk.net, March 10-16 2018Receive this by email