Operational risk: Hell is other people
“Hell is other people”, wrote Jean-Paul Sartre in his 1944 existentialist work No Exit, a play about eternal damnation. The same sentiments are likely being expressed by banks’ operational risk managers, given that an increasing share of this risk resides beyond the banks’ own employees and systems, with their vendors, clients and counterparties.
This operational risk is especially significant in the transaction banking business, where volumes are so high and the clients and counterparties so numerous and diverse. Furthermore, the biggest fines and worst headlines in the banking world of recent years have centred on transaction banking, with HSBC paying out $2 billion as a penalty for lax anti-money laundering controls.
“The focus of operational risk management today is to ensure connections with all of the relevant parties in the transaction chain and all the processes from front to back,” says Heike Nott, global head client and operational risk, global transaction banking, Deutsche Bank. “This gives a complete picture of risk and allows a more proactive approach to risk so that judgments can be made to mitigate, accept or avert risk. We have a diverse set of clients and a variety of products that we offer to them so it is vital that we know our clients very well.”
Banks have consequently bolstered their due diligence process for taking on new clients or helping existing clients enter new markets. “When we open an account for a client we have to understand what the client will be using it for, where that account will be based and how it will be used,” says Stephanie Wolf, head of North America financial institutions and Canada sales, global transaction services, Bank of America Merrill Lynch (BAML). “What I am looking for most from my clients is how well they know their own clients,” says Wolf. “Does the client have the sufficient risk controls and parameters that will help me to service them?”
Some industries and client types carry greater operational risk than others. BAML has identified seven areas of heightened operational risk from a payments perspective and will investigate if a client’s activity involves any of these:
- Correspondent banking – the number of heavy fines levied in this area;
- Cash products and processes – always at risk of being used illicitly;
- Private banking – non-transparent entities and complex structures;
- Political risk and corruption;
- Non-bank payment providers – debt collection agencies, casinos, payday lenders;
- Shell companies – non-transparent legal entities; and
- Wire-stripping – the omission of transaction details.
Wolf recognises that this list is liable to constant change and is more likely to grow than to shrink. For example, the next area to be identified might be ‘virtual money’, and transaction banks will have to examine exactly what this vague term means and whether it is something their clients are engaged in.
The bank then has to continue with ongoing monitoring. BAML uses a system to track the performance of its clients’ activities and to determine whether the value and volume of this activity is in line with what is expected, says Wolf. “It is a two-tail risk. It is our job to generate revenue for the bank but you also have to investigate when you get more than you expect.”
The more intensive due diligence on banks’ clients has been fuelled in part by the unfavourable headlines that have greeted other banks and the desire to avoid the same fate. It has also been helped by advances in technology, says Wolf. “Our systems are more sophisticated so it is easier to do the checking and monitoring. Much more of it is possible through the click of a button rather than through a tour of the client’s facilities.”
For custody banks, which are charged with the safeguarding of clients’ assets, there is an intrinsic aversion to any situations that would increase operational risk. “We do not outsource to providers or operate in the cloud. We are heavily dependent on Swift, which mitigates many of our operational risks,” says Goran Förs, head of custody at SEB.
However, not every one of SEB’s counterparties is connected to Swift, which is ostensibly a bank-to-bank communication network, and this creates a supply chain risk for banks. “When we communicate with other banks it is via Swift which is very safe and secure. The problem is more with our clients who are happy to use the public Web. We provide them with an interface to communicate securely with us but it is very difficult to impose specific technology processes or protocols on clients.
“Going forward we will closely examine how a client fulfils its AML and KYC obligations and its regulatory requirements in general. We will be more careful in our due diligence and ensure that the client has a viable operation but it will not be as extensive as demanding the use of specific technology.”
The operational risk from a bank’s counterparties is also increasing in the securities world where new regulations around the globe will reduce the length of settlement cycles. In Europe, under the Central Securities Depository (CSD) Regulation proposed by the European Commission, all securities transactions must be settled on a T+2 cycle by January 2015. Euroclear will introduce T+2 settlement in October 2014 and other CSDs and international CSDs are expected to follow suit in the last quarter of 2014.
For participants, moving to T+2 creates some significant operational risk, says Tony Freeman, global head of industry relations at post-trade solutions provider Omgeo. “There will be a whole day taken out of the settlement cycle so firms will have to review their entire settlement process and this is not something they can do on their own.”
The investment management clients of brokers and custodians also will have to review their processes. This is likely to put pressure on those investment managers that have not automated their post-trade processes, including the communication of trade settlement instructions, says Freeman. “For the more sophisticated firms with automated processes, it is not too challenging to issue an instruction 24 hours earlier but for the more manually reliant firms there will be some operational issues.”
For the custodians and transaction banks that have a back-office based business model, there has been sustained pressure on clients to embrace automation. For brokers, where client relationships are less sticky and front- rather than back-office activity has led strategy, this has not always been the case.
However, says Freeman, the shortening of the settlement cycle has led broker dealers to take a closer look at the operational efficiency of their clients. “The penalty for a failing trade will rise and this will make operational risk more tangible and increase pressure from brokers on manually reliant clients. There are clear signs that if a client is operationally inefficient, the back office will have more say in determining the attractiveness of that client.”
Alongside the know-your-customer requirements, Europe’s Alternative Investment Fund Managers Directive and shortened settlement cycles, there is the straightforward technology risk that comes from an increasingly connected banking environment. Here private and non-private networks co-mingle, exposing banks to greater operational risk and compelling them to take greater care in their vendor management. “There is an expectation of security from everyone in the supply chain and everyone is expected to do their part,” says Chris Pickles, head of industry initiatives, global banking and financial markets at UK-based telco BT. “Banks are realising that they have to take on vendors and service providers that meet an operating standard. Regulation does not absolve banks of this responsibility.”
Requests for proposals are more explicit about the technology risks and for the vendors it is important that they are well equipped to respond in full and in time to these questions, says Pickles. “It is also important for vendors to take a role in industry initiatives around security and operational risk. Similarly it is important that vendors are able to participate in the discussions without abusing that position and launching into a sales pitch.”
Positively, there have been a number of market-wide security exercises in the past few years that have involved banks and their service providers. In the UK, an exercise led by the Bank of England, the Financial Conduct Authority and the Treasury has been carried out every two years to examine the effectiveness of business continuity plans.
Meanwhile, in the US, more than 60 broker dealers, clearing firms and exchanges working under the umbrella of the Securities Industry and Financial Markets Association staged a mock cyber-attack on 28 June this year to test the robustness of their respective trading systems in line with the proposed Regulation SCI. The Regulation is designed to ensure that all systems involved in the US trading market meet certain IT and business continuity requirements.
Pickles believes that as cloud technology becomes more pervasive the ability of the financial industry to work together on developing security standards and creating private cloud-based communities will be key to ensuring security and availability in a financial market of greater connectivity. “The development of cloud technology will be based on the ability to plug and play and to swap between company providers and application interfaces. Standards will be key to ensuring the right level of security.”