Top 10 op risk losses for 2021 hog $15bn total

Despite more fraud and crypto crime, firms’ op risk losses fall in number and in volume. Data by ORX News

Nickel mining
Nickel mining in Indonesia: a nickel trading fraud was the largest op risk loss in 2021

The largest op risk losses of 2021 by sheer mass occurred in the hinterland of institutional finance – the world of cryptocurrency trading – where two mega-heists of more than $2 billion apiece topped the charts. While these losses, perpetrated on retail investors, ultimately accrue to the retail platforms themselves as the parties liable to make good their customers – and while they form part of the rolling loss tallies compiled by ORX News – they do not feature in’s main summary of the year’s largest operational losses, which focuses on institutional rather than investor losses (see box: Crypto casualties of 2021 for the year’s biggest crypto losses).

Elsewhere, the top 10 largest losses of 2021 represent a significant proportion of the year’s total losses in the field; institutional op risk losses by volume and by number actually fell from $28 billion in 2020 to $15 billion in 2021, and from 490 events to 466 in the same period.

The year’s single-largest loss featured an alleged elaborate investment fraud centred on nickel trading in Singapore. In March 2021, the Monetary Authority of Singapore sanctioned firms in the Envy Group – Envy Asset Management and Envy Global Trading – for their part in a scam, perpetrated by former director Ng Yu Zhi, that racked up debts of $1.23 billion.

Between 2017 and 2021, Ng promised investors high returns on a supposed deal involving the purchase and resale of nickel. Envy companies would buy the commodity at a discount from Australian firm Poseidon Nickel, Ng suggested, and make handsome profits through selling it on to buyers such as BNP Paribas, with the sales guaranteed through forward contracts.

But Singapore police say the BNP deals never existed, and that Ng didn’t purchase any nickel from Poseidon. Detailed forgeries of contracts were produced to fool investors, and several million Singapore dollars transferred into Ng’s personal bank accounts.

As of December 2021, Ng faces a long list of charges, including forgery and fraudulent trading.



Erste Abwicklungsanstalt (EAA), a successor of now-defunct German state bank WestLB, took the second-largest hit of 2021 to the tune of $1.17 billion. In 2012, when WestLB divided into EAA and Portigon Financial Services, EAA became responsible for the resolution of non-performing assets and Portigon took over the remaining viable services of the bank.

In September 2021, a Frankfurt court ordered EAA to pay Portigon at least €1 billion in tax debt for which Portigon had wrongly been made liable. Prosecutors found that WestLB board members engaging in cum-ex trading between 2005 and 2011 had offset capital gains tax on dividend payments against WestLB corporation tax liabilities – positions which EAA had wrongly assumed after WestLB’s closure.

ABN Amro has the dubious honour of being the only firm to feature twice in the ranking of 2021’s largest losses. The year’s third-largest loss hit the Dutch bank in April when it made a €480 million ($575 million) regulatory settlement with the Netherlands Public Prosecution Service (NPSS). The settlement consisted of a €300 million fine and a €180 million disgorgement, following investigations into the bank’s compliance with Dutch anti-money laundering (AML) laws between 2014 and 2020.

Investigations by the Netherlands Bank (DNB) found the bank repeatedly failed to conform with AML and due diligence rules. ABN did not maintain adequate customer records for thousands of private and retail banking clients, investigators said, and failed to conduct proper due diligence on new private banking clients, or adequately establish asset origins. Further, the bank was found to have assigned incorrect risk classifications to large numbers of clients without performing appropriate analysis.

Additional failures were uncovered in the bank’s assessments of client relationships, surveillance practices, including transaction-monitoring and unusual transaction-reporting, as well as event-driven reviews, terminating undesirable client relationships and more.

The NPSS said the bank had violated AML laws on a “structural” basis.

Regulators smelled something off in the year’s fourth-largest loss, a further AML case, in which NatWest was slapped with a criminal charge and a fine of £264.8 million ($363 million). The Financial Conduct Authority issued the mega-money-laundering fine in December over the bank’s failures to adequately monitor client activity – its first effort to pursue criminal proceedings over money laundering.

NatWest had allowed jeweller Fowler Oldfield to deposit large amounts of cash at bank branches between 2011 and 2016, the FCA found, despite having earlier assessed the business as a high-risk customer for which it would not handle cash. Police notified NatWest in 2016 that extensive money laundering had been uncovered at Fowler Oldfield, at which time the bank terminated its relationship.

In a curious turn, the FCA found that NatWest had amended the client’s risk rating from ‘high’ to ‘low’ in 2013, and was unable to explain why. Throughout the period in question, NatWest staff repeatedly raised red flags, reporting suspicious behaviour and significant quantities of “musty” Scottish banknotes being deposited in England. At the peak of its activity, Fowler Oldfield deposited over £1.8 million per day in cash with NatWest.



In ABN Amro’s second appearance in this year’s top 10, the bank provisioned $297 million to compensate consumers for interest overcharging – the year’s fifth-highest op risk loss.

In March 2021, the Dutch Institute for Financial Disputes (Kifid) ruled that ABN Amro had not informed consumers that interest rates on credit accounts would not move in line with market rates, following complaints from account holders. Interest rates published by the DNB should be used to recalculate charges from 2010 onwards, Kifid said. As a result, ABN Amro paid out compensation between €50 and €1,750 to affected customers – around 15% of revolving credit account holders.

The sixth-highest loss stems from another case of fraud, in which Australian bank Westpac was reportedly defrauded of U$255 million (A$341 million) by the Sydney-based Forum Finance, a subsidiary of business services firm Forum Group. The fraud involved a portfolio of equipment leases, according to Westpac, in which Forum allegedly posed as legitimate clients, such as machinery and healthcare suppliers, and would forge signatures and documents to obtain loans from the bank.

Forum is also reported to have defrauded other financial firms, including Societe Generale and Sumitomo Mitsui, and its owner, Bill Papas, left Australia for Greece in July. In August 2021, Forum was put into liquidation.

Westpac identified over 100 suspicious transactions involving Forum. An employee in the bank’s financial crime department said the bank had “poor controls” for invoice verification.

The year’s seventh-largest loss was incurred by UBS. In May, the Swiss bank was fined $210 million by the European Commission (EC) for a breach of European Union antitrust rules.

Along with Bank of America, Natixis, Nomura, NatWest, UniCredit and WestLB – now Portigon and EAA – UBS was found to have participated in a trading cartel in the European government bond markets, between 2007 and 2011. Nomura and UniCredit were also hit with fines.

The EC charged a number of traders from the banks in question with operating a “closed circle” via chatrooms, through which they shared sensitive market information, including auction prices, volume data and the bidding strategies of their respective institutions ahead of issuances of euro-dominated bonds. NatWest received immunity from penalties in return for exposing the cartel to the EC.

ING Bank Netherlands incurred the eighth-largest loss, provisioning $209 million in October 2021 for overcharging on customer interest.

Mirroring ABN Amro’s provision of $297 million for overcharging holders of revolving credit accounts – spurred by a 2020 ruling from Dutch regulator Kifid that flexible credit interest should not exceed market rates – ING compensated consumer loan customers that it identified as having been overcharged since 2010. It estimates that around 10% of the customers of such products paid too much interest. The compensation scheme is ongoing, and is expected to be completed by the end of 2022.

2021’s ninth-largest loss fell to JP Morgan. In December, the US global systemically important bank was fined $200 million by the Securities and Exchange Commission and the Commodity Futures Trading Commission for failures to preserve employee communications relating to the firm’s securities, swaps and commodities business. The SEC hit JP Morgan Securities LLC with a $125 million penalty, and the CFTC fined JP Morgan Chase Bank, JP Morgan Securities LLC and JP Morgan Securities PLC a total of $75 million.

Between 2018 and 2020, the SEC said, JP Morgan employees – including senior staff – had made regular use of personal devices to discuss business matters relating to the bank’s securities activity across WhatsApp, text and email. Topics discussed included investment strategies and meetings with clients. The firm did not preserve these communications, despite requests from the regulator.

The CFTC identified the same behaviour, although it said the conduct stretched back to 2015. As was the case with the SEC, the record-keeping failures were revealed to the CFTC by a third party during the course of an investigation.

HSBC rounds out the year’s top 10. The EC found the bank had participated in a trading cartel involving other banks. Its fine was $174 million, as reported by the EC in December.

In addition to HSBC, the cartel, which focused on foreign exchange spot trading, also included Credit Suisse, RBS, Barclays and – once again – UBS. This time around, UBS escaped a fine for revealing the existence of the cartel. The EC said that it began investigating the manipulation of benchmark currency rates back in 2013, focusing on Group of 10 currencies. Some FX traders at the banks named, it continued, were found to have colluded via the exchange of sensitive market information and the creation of trading plans. Traders, it said, would “stand down” in certain instances to avoid clashing with one another.

Barclays, HSBC and RBS had their fines reduced for co-operating with the investigation. Credit Suisse’s reduction was just 4% of the total penalty, as it did not co-operate.

Crypto casualties of 2021

“Services will remain closed for about five working days, but users needn’t worry about their investments.” This was the assurance from popular Turkish cryptocurrency exchange Thodex to customers and press in April 2021, explaining that its platform had been temporarily shut down for maintenance.

Days later, Thodex users – numbering up to 390,000 traders – reported trouble withdrawing funds from the exchange, and were soon locked out from accounts altogether. Reports then emerged that Thodex’s founder, Fatih Faruk Özer, had fled Istanbul, alleged to have stolen $2 billion in users’ cash.

This cautionary tale of internal theft is the joint-largest crypto-related loss on ORX News’s yearly tally of the largest operational risk loss events. The 28-year-old Özer, who claimed to have left Turkey to meet with foreign investors, is still on the run. In addition to the thousands of criminal complaints filed by Thodex’s users, various Turkish authorities, including the Financial Crimes Investigation Board (MASAK) and the Istanbul public prosecutor’s office, began investigations into Özer and the firm. The latter probe has sparked 68 arrests, including two of Özer’s siblings.

On top of this, the Turkish government banned the use of cryptocurrencies as payments in 2021, citing “excessively volatile” markets and risks of “non-recoverable” losses. The value of bitcoin took a hit following the April announcement.

Tied with Thodex for the largest crypto-related loss last year is lender BitConnect. Over the course of 12 months, senior BitConnect staff siphoned $2 billion from customers, according to the US Securities and Exchange Commission, which filed a class action suit against the firm in September 2021.

The SEC alleged that founder Satish Kumbhani and so-called ‘lead promoter’ Glenn Arcaro “stole billions of dollars from retail investors” through BitConnect between 2017 and 2018. In a parallel suit, the US Department of Justice accused the men of taking part in a “massive conspiracy” to defraud investors, believed to be the “largest cryptocurrency fraud ever charged criminally”.

Large profits could be generated, BitConnect told investors, through the use of a proprietary bot that would track bitcoin/USD volatility. Returns on deposits, paid in its own BitConnect Coin, would reach heights of 40% per month, the company claimed, at no risk to investor capital. As investors piled into the programme, Kumbhani, Arcaro and associates collected large “commissions”, and operated a Ponzi scheme in which deposits by new investors were used to pay withdrawal requests. Arcaro pleaded guilty in the federal case in September 2021.

The company drew widespread attention in 2017 when early investor Carlos Matos gave an unconventionally enthused introductory speech at a BitConnect conference, held in Thailand.

The third-largest crypto-related loss was sustained by decentralised finance platform Poly Network in August. Breached by a Heidegger-quoting hacker known as Mr White Hat, the firm reported an initial loss of $610 million of crypto assets. In an unusual twist, however, the hacker began returning the funds – including digital currencies such as ether – to the platform soon after the theft, saying its actions had been motivated by a desire for “unique adventures” and to make Poly Network aware of the vulnerabilities in their systems.

Although the hacker eventually gave back the full amount taken – receiving a job offer from Poly Network into the bargain – the platform did not recoup the funds fast enough for the incident to be designated a ‘rapid recovery’ event by ORX. Nine days later, $269 million of the total remained in crypto wallets outside Poly Network’s control.

Editing by Louise Marshall

All information included in this report and held in ORX News comes from public sources only. It does not include any information from other services run by ORX, and we have not confirmed any of the information shown with any member of ORX.

While ORX endeavours to provide accurate, complete and up-to-date information, ORX makes no representation as to the accuracy, reliability or completeness of this information.

  • LinkedIn  
  • Save this article
  • Print this page  

Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.

To access these options, along with all other subscription benefits, please contact [email protected] or view our subscription options here:

You are currently unable to copy this content. Please contact [email protected] to find out more.

You need to sign in to use this feature. If you don’t have a account, please register for a trial.

Sign in
You are currently on corporate access.

To use this feature you will need an individual account. If you have one already please sign in.

Sign in.

Alternatively you can request an individual account here: