- Brenda Boultwood, Senior Vice President of Industry Solutions, MetricStream
- Rod Lowe, Senior Risk Advisor, Retail Operations and Regulated Output, Enterprise Risk Management, Vanguard
- Michael Sicsic, Chairman, Oric International & Group Risk Director, Aviva
Have the regulatory changes since the crisis changed how you interact with regulators?
Brenda Boultwood, MetricStream: There are new, more prescriptive requirements in place. Some small and mid-size banks have had to move from manual processes, where they might have had strong risk assessment and capture practices in place, towards more automated data capture, with a shorter time period to aggregate results.
Larger banks have also been affected. Rather than just risk-assessing a business unit, regulators now expect a risk assessment to be based on an end-to-end view of business process. Some banks are also being told they take too long to aggregate reports for the board. Banks might have disparate systems, with manual processes to bring information together, which, in the past, might have taken a few weeks. Now regulators say this needs to be done within a few days. Also, some non-bank financial institutions are considering de-designating as Systemically Important Financial Institutions (Sifi) in the US, to avoid increased capital requirements and regulatory oversight.
Rod Lowe, Vanguard: Vanguard is a complex institution. The increased regulation has prompted us to create better partnerships between our compliance and tax teams, enterprise risk management (ERM) and the business to ensure we understand the changes in the regulatory environment, what risks they expose our organisation to and what controls we need in place. We rely heavily on IT infrastructure to provide clarity and consistency regarding our controls. We are even more dependent on disaster recovery and contingency plans, and on communication within the organisation to know that the controls within IT are working appropriately for us to give the regulator what it requires.
Michael Sicsic, Aviva: We are seeing the same trend in insurance. There are two aspects that have an impact on our sector. One is capital, which is driven by the Solvency II rush. Solvency II will come into effect in January 2016, and people are in the last stages of preparation in terms of getting their models approved.
The second aspect is what we call conduct regulation – regulation around treating customers fairly and avoiding customer detriment. This perhaps has an even greater impact than capital because it might also affect the way you design and sell your product, which, in turn, affects your business model. This is clearly the push from the [UK] Financial Conduct Authority, but regulators in continental Europe are also pushing in this direction. This is not exclusive to insurance, because it also affects banks, but the pressure is heavy in our sector.
The amount of publicity around recent conduct risk management failures has made this a big topic for regulators. Are they demanding a more granular view of conduct within organisations?
Brenda Boultwood: With conduct risk, there is an expectation to take the end-to-end view of a business right through to the customer base, to understand whether products are having the intended effect at the client level. Some of our clients are surveying their customers as part of the risk assessment of a product, to ensure internal views coincide with the customer view.
Another area of increased focus, both in Europe and the US, is around identifying priority risks. Once these risks are understood, a bottom-up process is carried out whereby subject-matter experts come together to do robust scenario analysis, then that scenario analysis is used to formulate ideas about the stress testing that should be performed.
Rod Lowe: Previously, regulators would come in, meet our compliance team and talk about processes. They would do some level of inspection down at the process level, but they were always partnered with compliance. One thing I’ve noticed over the past few years is that regulators are directing questions directly to the people responsible for businesses, and when regulators come on site, they’re asking these people to show they understand the control environment end-to-end, and they are being asked to answer such questions without compliance support. This has raised the stakes in terms of the ability to demonstrate that the person owning a written supervisory procedure understands the process is working effectively and that any issues that come out of the process are also their responsibility. It is ensuring there is adequate risk management understanding throughout the business.
Meeting these increased regulatory requirements might require greater spending on infrastructure and staff. Could these new requirements be leveraged to improve profitability?
Michael Sicsic: I do see a lot of costs. If we are speaking about changes required to business models, there are products you might need to stop selling, or you might need to review the profit a bit differently at the board level. Regulatory pressure often starts at a board level, and the bar has been raised in terms of the level of engagement regulators want from the board. In some situations in banking we have seen people prefer to leave the board than commit to new requirements. Thinking as risk managers, we must look at how we train and support a board in this instance. Profitability is a broad matter, so I think it should be reviewed at this level.
Another, more positive, view is to take op risk not only as something to tick the regulatory boxes, but also as something that improves your processes and what a process delivers. It can be seen as quality management or improving your processes. For example, if you can treat claims management as a project to improve customer relations and improve performance, then that will manage your profitability and customer satisfaction and, at the same time, manage your operational risk.
Brenda Boultwood: Some companies are looking at this as a new challenge from a quality viewpoint. The first line of defence is becoming more engaged and being asked questions directly by the regulator. It is expected that they are performing risk assessments. It is also expected now that the second line of defence will perform a strong challenge of that first line and, ultimately, form its own view. But, in that challenge process, regulators are looking to see that an organisation can evidence the challenge process with information pulled from audit findings, change management, vendor risks, IT production risks, and so on. Companies that are pulling this information together are finding that, if they manage this more collaboratively across functional groups, they can streamline the key controls they use and the control testing performed. This process can highlight a lot of redundancy. A lot of controls have existed as ‘Band-Aids’, as actions are layered on in response to audit findings, compliance requirements or regulatory issues. This is an opportunity to step back, look at it from a quality perspective and invest in what is really fundamental to managing the risks in our end-to-end business processes.
New regulation seems to be coming thick and fast, creating some uncertainty. What are the best practices for this area of regulatory risk?
Brenda Boultwood: Regulatory uncertainty is a tremendous risk. Drawing on the newspaper headlines, for example, both HSBC and Standard Chartered often raise the question of whether Hong Kong or Singapore would be better places for primary domicile. Both of those markets are highly regulated, but what is different is the degree of regulatory certainty they offer. We don’t see things fundamentally changing with the Singapore Monetary Authority, so companies see Singapore as a place where they have more certainty about the environment in which they operate, and how that affects products, customers and employees.
For large global banks that might operate in 150 different countries, the number of jurisdictions that has to be managed can be more than 500. Some banks address this large amount of potential regulatory change by saying it cannot be managed regionally and manually; it needs to be brought together. This is not just so they can understand at a corporate level the degree of change, but also so they can ensure they map those regulations correctly to their businesses, policies and the controls they operate, and know whether or not they are in compliance.
Rod Lowe: We have created a small internal taskforce made up of senior leaders in legal and compliance, as well as various divisional business teams, and they are tasked with ensuring we obtain as much information as possible about regulatory proposals. We have an opportunity to collaborate with our peers and share best practices and concerns, because the impact is the same for all of us and it is in our best interests to work together to figure out a cohesive approach to meeting the new regulatory obligations.
Michael Sicsic: Uncertainty also arises from inconsistency between regulators, and this is particularly true when you operate in more than one market. Even with Solvency II, which is a European regulation and so you would expect consistency, there is still a lot of room for interpretation between regulators. One of the major issues for an international group operating in different countries is trying to implement a complex regulation such as Solvency II when different regulators have different views.
Outside Europe, where countries have a Solvency II equivalent, there is a lot of room for interpretation around exactly what the regulation means. This is creating a burden for firms trying to understand how much latitude they have. Should there be one standard, and should that standard be set by the more demanding regulator? Or should we try to manage the differences between the local jurisdictions?
Could you give some examples of regulators expecting a faster response? Have you had to alter procedures to meet the shorter deadlines?
Brenda Boultwood: Regulators have been much more prescriptive around how quickly information must be compiled for senior management and the board. This has created a need to look at staffing, and the processes used to perform risk assessments, or collect risk event data, and other inputs to capital and scenario models.
Regulators are also looking for a rapid response when they visit. They are increasingly asking about specific desks, in specific countries, operating with specific products and which regulations they are subject to. They expect financial institutions to be able to look across the different regulators that may have jurisdiction and talk about different areas of compliance, whether market conduct, financial crime or sanctions are relevant. The first line of defence needs to be able to speak fluently about their controls and the regulations they’re subject to, which might have been topics they left for the second line of defence in a previous era.
Rod Lowe: The period of notice for these inspections and examinations is much shorter. Over the past few years we have seen a lot of surprise inspections, where we need to have our evidence packages available almost on the same day the regulators arrive. So we have worked with the business to risk-assess our process of providing information to the regulators. We’ve put better controls in place to ensure evidentiary packages are put together on a daily, weekly, monthly basis, and they’re available as soon as the regulators come. Ultimately, we understand it is our obligation to do this, and all our senior leadership supports these new processes.
Is the process of adaptation generally hardest for mid-size institutions?
Rod Lowe: Vanguard is a large, diverse firm where we have a lot of infrastructure, and we are in a position to respond more quickly to what the regulators ask for. But there are a lot of small asset management firms that struggle with pulling together this information, just because of their lack of infrastructure. It is difficult for some of the smaller, more niche, asset management firms to keep pace, but these are some of the lessons that we try to share at our conferences.
How have you seen this need for faster, deeper reporting reflected in what people have been asking the Operational Risk Consortium (Oric) to provide?
Michael Sicsic: The demand varies greatly, depending on the size or type of firm. Coming together as a consortium helps in terms of lobbying, but also in being able to provide answers. There is a key promise to make sure, particularly in op risk, that all the firms are treated fairly. We have a feeling that the number of demands – the number of models required just to prove firms don’t all follow exactly the same process – could be a potential issue. So we are trying to help in terms of ensuring that we do converge when it makes sense, and that we have a consistent approach.
Do you expect to see a withdrawal of mid-sized firms from parts of the market where compliance is most demanding?
Brenda Boultwood: The number of start-up financial institutions is shrinking, while the amount of acquisition activity is increasing among the medium-sized entities. This could be driven by regulators trying to create a more protected position for assets by requiring similar-sized firms to merge, or the fact that the companies themselves think the cost of compliance is too high.
We’re also seeing privatisation of what were previously bank assets. For example, half of the assets that were regulated under GE Capital before it spun off a lot of its business were sold to Blackstone, the other half to Wells Fargo. As a bank, Wells Fargo will maintain visibility under its regulatory regime, but the assets bought by Blackstone are being taken out of sight and out of traditional banking regulation. Think of all the situations where large banks are selling off portfolios because the capital costs are too high. How much of that is being privatised, going to private equity or other non-public firms that do not have the same regulatory oversight?
Regulatory change is going to put a lot more emphasis on improving efficiency. Where can the big operational efficiency savings be found?
Brenda Boultwood: Often, when controls are linked to risks, policies and compliance requirements, it is surprising how many controls cannot be linked to a high-rated risk, or a compliance requirement or a policy. We visit institutions and talk about ‘orphan controls’. Things are happening, people are doing things, but we are not able to link that to any particular reason. Perhaps that control has been replaced by a more automated control and we can now allow that control to be stopped. When companies look at operational risk as an opportunity to address quality and operational efficiency, they’re finding opportunities to rationalise activities. That could lead to savings, but it takes a lot of detailed work to inventory controls, and map them to compliance requirements, risks and policies.
Rod Lowe: It is about embedding operational risk management into your strategic planning objective. When establishing the short-, medium- and long-term goals, ensure there is a risk lens on those goals and that resources are focused in the right places. There will be an element of rationalisation associated with that. There will also be an element of simply needing to build a better control, whether leveraging an IT or manual process. But it needs to be part of an organisation’s mission and vision. Then there is an opportunity to continue to build on the momentum that risk management has already begun to enjoy.
Looking at the increased responsibility for the first line of defence – how do you motivate them, and improve their level of knowledge and risk awareness?
Brenda Boultwood: When performing risk assessments or responding to regulatory requests, we create actions that need to be completed. And we track those actions: which businesses or people are complying; who was on time; where we were able to provide a response; where are we still looking for answers. Tracking of actions can be a motivator to creating compliance.
Some companies are embedding ERM into their strategic planning process and looking at risk appetite, talking about which risks they are comfortable with, and where they are comfortable from a compliance perspective. They do this before they get to the business plan, and then they cast that business plan within the boundaries of comfort, ensuring they have the investments, controls, policies and people they need to maximise their returns. You could see incredible focus and profitability created in this environment.
Rod Lowe: It is about building sustainable metrics with the new organisation. If an organisation is serious about risk management, it establishes actionable objectives at all levels of the organisation, because they all need to be involved in the overall risk management process – whether it is dealing with findings in a timely manner, preparedness for a regulatory exam, or the status of the risk assessments for high-risk processes, all of these are measures that can be tracked on a dashboard. It is important to see that, because then you really know the organisation has bought into the process.
What is the impact of this increased regulation going to be on vendor leasing firms, captive credit providers, and so on?
Brenda Boultwood: Some captive finance companies are deciding to exit the lending business. But we also see some diving in deeper, while trying to grow a deposit base to create stable sources of capital. Some see consolidation in the mid-market and smaller banks as opportunities to acquire. Others are saying this is just not an overhead they want to manage and maintain.
In terms of the overall interaction with regulators, what is proving the most difficult to deal with?
Rod Lowe: One problem is trying to forecast changes in regulations, and the impact they will have on our business model. It boils down to a lot of different scenario tests; what business and sales practice changes we have to make to prepare our workforce to perform at their highest levels. The internal task force I mentioned earlier is our leader on that front, and keeps us informed throughout the organisation.
Michael Sicsic: An issue that is very important is the lack of guidance or clarity about how to interpret regulation. I’m not asking for more regulation, but for more guidance. In insurance, there are fewer forums where regulators come together to issue common guidance at an international level. We don’t have the equivalent of the Basel Committee covering operational risk matters. So it is good if insurers can come together to establish common rules or achieve convergence on certain topics. One matter is capital – we do not want to let regulators alone decide what is good for them to regulate. So we are putting a lot of effort towards bringing insurers together to define best practice, to be in the best position to influence a regulator where we think it makes sense.
Brenda Boultwood: As the role of the regulator has become more prominent for a financial institution, how do we ensure there is enough experienced expertise among the regulators to ensure they are able to provide the type of guidance we need? Many of the rules recently created leave a lot to interpretation. We could go to five different law firms and ask for their guidance, but it might be more effective if we could get that guidance directly from our regulator. This becomes more of a struggle given the volume of regulation.
Copyright Infopro Digital Limited. All rights reserved.