In a recent audio conference, James Hicks, EVP, Treasury Management, Trade and Deposit Services, and Keith Sides, SVP, Settlement and Counterparty Risk Credit Officer, both from Regions Bank, focused on three important risk areas: settlement risk, counterparty risk, and operational risk.

Settlement risk refers to exposures arising in treasury management services including ACH/wire transactions, online banking, etc. These exposures occur when a bank disburses funds on behalf of a customer, or is obligated to do so, before the bank may even have collected funds to cover the disbursement. Should funds not be available to cover the transaction, this would result in an overdraft of a depository account and credit exposure to the account owner.

Counterparty credit exposures are often non-loan transactions with other institutions to facilitate the funding and other balance sheet and risk management needs of an institution or the needs of a customer. These counterparty exposures may be long or short term, direct or indirect, with fixed or market driven, variable values.

Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems, or external events. Operational risk can arise from a technology failure, human or technical errors in financial models and reporting, or other internal control system deficiencies.

Effective mitigation of these risks starts with a top-down, enterprise-wide risk culture. The age-old banking principle of knowing your customer brings on deeper meaning with an emphasis on knowing your customer’s customers. Hicks and Sides concluded with additional tactics for managing risks through the establishment of a well-defined credit policy, centralized underwriting, approval, and management, continuous monitoring, and quarterly reviews.

Please join us for the next audio conference in the series on June 11, The Future of Community Banking: Where Do We Go from Here?

2013 RMA-UNC Forum Chairs, Authors, and Discussants.

The RMA UNC Kenan-Flagler Business School Academic Forum was designed in 2008 as a leading securities finance/short selling research venue for global academics and business persons expert in SBL to communicate effectively during research paper development. Initially suggested and designed by Adam V. Reed, Associate Professor of Finance and Julian Price Scholar at the Kenan-Flagler Business School, UNC Chapel Hill in conjunction with the RMA Committee on Securities Lending, Professor Reed and senior executive committee members designed the day-long event to bring business experts together with global research academics from universities around the world including, University of Pennsylvania, UNC, Ohio State University, Columbia, Dartmouth, Hong Kong University, Notre Dame, Nova (Portugal) and many other research institutions.

Papers discussed are usually nearing completion for final submission to US national and global periodicals such as the Journal of Finance and The Economist, and also to support research efforts at US and global regulators. Key papers within securities lending are selected on a non-biased basis from the Social Science Research Network (SSRN) for their topic, content, and relation to the SBL business at hand. A steering committee inclusive of RMA staff, committee members, and UNC professors help select the key papers represented each year.

Discussions of these papers allow the researching academics to learn exactly how a business is executed and if that affects assumptions and theories as authors round out their research. This successful meeting of academics and business persons has allowed for four such annual forums in the past five years. 

“Future Lending Income and Security Value” by Melissa Porras Prado, Nova School of Business and Economics, Portugal

This year’s forum included discussions on the following papers: “Future Lending Income and Security Value” by Melissa Porras Prado, Nova School of Business and Economics, Portugal, which examines how institutional ownership structure gives rise to limits to arbitrage through its impact on short-sale constraints; and “Limits to Arbitrage and Expected Short Sale Constraints” by Joseph E. Engelberg (UCSD), Adam V. Reed (UNC), Matthew C. Ringgenberg (Washington Univ. – St. Louis), which explores the degree to which short sale constraints are predictable and how the risk of future short-selling constraints limits an arbitrageur. 

Operational risk management must be decision-oriented and action-oriented, said Ken Fulton, Operational Risk & Basel Advisor to Deputy Comptroller, OCC. During the Regulatory Update, Fulton, joined by Eric Caban, Supervising Examiner, Federal Reserve Bank of New York, discussed areas of importance to regulators including increased cybersecurity threats in both volume and sophistication, particularly distributed denial of service (DDoS) attacks. (Note: RMA addresses this growing concern with its Cybersecurity Audio Conference Series on April 30 and May 22). Fulton and Caban also discussed the growing trend of third party outsourcing, material change management, litigation, and the need for strong risk governance structure and stress testing. Regulators urged caution in certain areas such as delaying investments to infrastructure, increased concentration risk associated with outsourcing, and discipline around management adjustments process.

Other Day Two speakers included Jonathan Rosenoer, SVP, Head of Operational Risk, Bank of the West, who discussed the use of big data as a new way to understand the risks associated with information technology and forecast the danger, while also providing solutions. Providing a current view of AML and BSA, Kim Rhodes, Senior Vice President and Director of AML Compliance, Sun Trust Banks, explained how today’s landscape has been affected by recent fines and consent orders. Regulators are reworking their standards and drafting guidance on new corporate governance processes, designed to ensure that senior bank executives and the board of directors are held responsible for AML lapses. Exams are likely to be much tougher on banks of all sizes.

Day Two of GCOR VII wrapped with a Chief Operational Risk Officers Panel with representatives from large and community banks. The panel was asked to define operational risk as it is today, and discuss some lessons learned. Also discussed were the benefits and challenges of using external data. Most on the panel found case studies invaluable, but challenges exist in using external data in estimation of capital.

Questions from the audience focused on guidelines for board reporting. The panel agreed on the importance of knowing your board members and keeping them informed on big ticket problems as well as emerging risks. The panel also stressed the importance of finding the balance between not enough information and information overload.

For additional coverage of GCOR VII, please look for our in-depth article in an upcoming edition of The RMA Journal.

RMA would like to thank this year’s GCOR VII sponsors and exhibitors: Wolters Kluwer, KPMG, BWise, MetricStream, Treliant, Protiviti, Thomson Reuters, and Centerprise.

We look forward to seeing you in the spring 2014 for GCOR VIII in Boston, MA.

Daniel J. Roussell, senior vice president and head of operational risk at State Street, delivered the opening address at RMA’s seventh annual Governance, Compliance, and Operational Risk conference (GCOR VII). Roussell also chairs RMA’s Operational Risk Council. He discussed the importance of managing tail risks – low frequency, high severity events – referencing the Boston Marathon tragedy and how, as a country, we have not come to grips with effectively managing tail risks such as this, while the frequency and severity of these events seem to increase. Roussell identified additional challenges facing the operational risk industry in the next three to five years – capital estimation and modeling, management engagement culture, risk assessments and changing times, and loss data collection – however, he focused instead on the challenge of creating/implementing an effective challenge program. He stated that an effective challenge process is key to achieving a company’s operational risk objectives and it hinges upon the right people coming together to talk about risk in an organization, rejecting the notion of the status quo, unless it has earned the right to be accepted, and foregoing confirmation biases.

Bill Githens, President and CEO of RMA, emphasized the importance of the operational risk discipline as an area of focus at RMA and introduced the second keynote speaker, Robert Rose, Chief Credit Officer, Brookline Bank and RMA Chair. Mr. Rose described the interplay of culture and risk appetite and the necessity of embedding risk culture to drive value for the institution. Well understood and communicated core competencies, common descriptions, and shared understandings of levels of risk taking within the organization are among the indicators of an embedded risk culture. Developing a statement of risk appetite and comprising high level guiding principles and qualitative statements is one of the most important steps in building risk culture. Reputational risk assessment and the role of the Board in communication of risk tolerance need to be factored into the process of embedding the risk culture, advised Rose.

Jodi L. Richard, EVP and Regional Head of Operational Risk and Control, HSBC North America, led an interactive and lively discussion on what constitutes strong enterprise risk management. Although subjective, strong ERM can be defined as a principle-based process, necessitating a fully integrated risk management system, an alignment to the organization’s strategy and profitability, with the importance of culture underpinning all of these elements.

The focus of product risk management is to help the organization make sound decisions and identify the potential risks associated with introducing a new product or changes to an existing product explained Kevin Slane, EVP, Enterprise & Operational Risk Management, First Horizon National Corporation. In his presentation, The Role of Risk Management in New Product Development, he stressed that success is dependent on creating an environment that focuses on a discussion between risk and the business line, working within the organization’s risk appetite and overall strategy, and determining that the proper control environment is in place.

Michael J. Stevens, ERM Analytics & Business Intelligence Manager and EVP at BB&T discussed the merits of a more business process-based approach to OR measurement and modeling, as well as a call for more open and frequent knowledge sharing amongst OR practitioners as a way to accelerate development of methodologies that enhance firm performance.

Other speakers included Robin L. Phillips, Managing Director, Head of Corporate Operational Risk, Bank of America, who discussed the effectiveness of key risk indicators in helping us understand critical exposures and how they might avoid potential disaster. Check back for Day Two highlights from GCOR VII.

Every article published in the Journal is reviewed by at least one and often several members of The RMA Journal Editorial Advisory Board. Late last year, 12 members of the board participated in a survey asking about the most serious challenges facing banks today.

Below are the top 10 concerns of Editorial Advisory Board members. Topping their list of concerns was economic uncertainty in the U.S. and globally. The opinions expressed are their own and do not necessarily reflect the positions of their institutions.

1. Economic Uncertainty both in the U.S. and Globally
“Southern Europe risks destabilizing the north and will limit its growth. Middle East instability has resulted in wasteful spending by the U.S. and other alliance supporters. The Middle East has yet to achieve its considerable potential.” 
Rona Pocker, Turnaround Risk Management

2. Regulatory Overload
 “The Dodd-Frank Act serves as a super open-ended regulatory credit card that allows, encourages, or  requires regulators to charge new regulations to us regulatees, whether we need it or not. To make matters worse, the agencies have overlapping responsibilities, and the history of the agencies playing together is not very encouraging.” 
Dev Strischek, Senior Credit Policy Officer, Credit Risk Management Division, SunTrust Banks, Inc.

3. Gridlock in Congress
“At the end of the day, it will be addressed, but at what future cost?  It seems that ‘gridlock’ has existed more often than not in the history of all living Americans.”
William L. Perotti Jr., Chief Credit Officer and Chief Risk Officer, Frost Bank

4. Net Interest Margin
“Burdensome and increased regulations are causing net interest margins to be squeezed even further. Sound judgment—holding to good underwriting—and clear minds must prevail to avoid a repeat of throwing the baby out with the bath water!”
Mary Jo Taylor, Director, Multifamily, Capital Funding, LLC

5. Loan Growth
“The seeds of the next great credit implosion are being sowed. Longer maturities, fewer controls, lower returns, and underwriting liberalization are occurring.”
William L. Perotti Jr., Chief Credit Officer and Chief Risk Officer, Frost Bank

6. Systems/ IT Risks
“The ability of systems to keep pace with demanding regulatory changes, audit requirements, and cost reduction targets is a concern.”
Tom Brown, Managing Director, Nord LB, London

7. Execution Risk in New Initiatives
“New initiatives are desperately needed.  The challenge is to explore and identify new avenues for earning profits while functioning within the confines of the legislative and administrative framework imposed on banks.”
Michael Weissman, Counsel, Levin Ginsberg, and Tales of Whoa columnist

8. Fraud
“Losses from operational risks, including fraud, are on the increase and bank management needs to devote more time and resources to this area. Cyber attacks and software glitches are included in this risk.”
Tom Brown, Managing Director, Nord LB, London

9. Regulatory Burden on Other Industries
“Not urgent, but extremely important.”
Robert Messer, EVP, CFO, American National Bank

10. Staffing Issues
“Staffing on the credit side is a challenge brought about by the industry itself. Strong credit talent takes time to develop, but the comparative financial and advancement allure offered by sales roles will cause many to commit to those avenues instead. If they don’t gravitate to sales, bankers need to believe they have an attractive future in credit within the organization, so they don’t have a reason to look outside the bank to continue their chosen career path.”
John Cassis, Vice President, Credit Management, Wells Fargo Bank, N.A.

********************************
This post is an excerpt from the RMA Journal article “Journal Editorial Advisory Board Survey: Economic Uncertainty Tops List of Risk Management Concerns”.  To read this article in its’ entirety, including all other comments from the Board, please log on to the RMA website and view the April issue: http://www.rmahq.org/thermajournal.  Find out what additional concerns the Board discussed.  

Since one of RMA’s purposes is to highlight issues and solutions, we invite you to share your own risk concerns with Journal readers. Send your comments to editor Kathie Beans (kbeans@rmahq.org), and if possible she will publish them in the Readers Forum section of an upcoming issue.

1. Increase in cybersecurity attacks – it is no longer a question of if, it’s a question of when an attack will occur and how much will it cost your organization?

2. The attackers have evolved and arise from a wide array of sources.

3. Legislation may be needed to drive the solution – we can no longer afford to be reactive.

4. The cybersecurity community needs to mature – organizations need to share information about what they are doing to protect their information and operations.

5. Cybersecurity insurance is emerging for assets and reputational risk.

6. Cybersecurity supply chain risk management (CSCRM) requires new levels of collaboration among security, IT, and supply chain managers. Global sources provide many advantages, but often create increased risk of compromised supply chains.

7. The cybersecurity community is moving to a risk management framework that will focus on high impact, high likelihood risks in order to ensure a high level of resilience.

8. Limited resources plague most organizations as global cybersecurity spending is expected to top $60 billion this year according to the Cybersecurity M&A Report by Pricewaterhouse Coopers.

9. A move toward cybersecurity intelligence is happening in which the only barriers to collaboration across devices, people, and organizations are those we choose to impose by policy, not those that are imposed on organizations or technology.

10. Meaningful reporting is essential that provides an overview of the selected enterprise-wide risks identified through the assessment process involving the survey of organizations across the enterprise. Although the proposed Cybersecurity Act of 2012 is not considered viable legislation, the necessity in developing standards in reporting and information pertaining to cybersecurity is still a national imperative.

The next audio conference in the Cybersecurity Series will provide guidance in Conducting a Cybersecurity Risk Assessment on April 30, 2013.

The series will conclude with Developing a Cybersecurity Risk Implementation Management Plan (RIMP) on May 22, 2013.

BOVESPA’s market driven CCP affiliate has become one of the largest market-based SBL exchanges in the world in terms of total equities on loan and the leading SBL exchange in Latin America. This affiliate, the BTC, enables investors to make securities available for loan and interested parties may borrow them based on the presentation of collateral. The main features of the BTC system is that the BM&FBOVESPA acts as Central Counterparty (CCP); offers guaranteed payment of corporate actions and most other operational activities, and flexibility to establish contract fees. It has been gaining increased attention on a global scale as one of the more successful market-driven CCP products.

For large asset gatherers and institutional investors currently participating in the Brazilian equity and fixed income markets, the BTC appears to offer numerous advantages:
* Free choice of terms
* No costs for the lender; only revenues
* Fees freely agreed with the borrower
* Online consultation with the borrower, 24 hours a day, through CEI (Investor Electronic Channel)
* Guaranteed reimbursement of corporate actions payments (interest dividends, etc.)

From a risk management perspective, since BM&FBOVESPA acts as CCP, it guarantees the settlement of all loan transactions, and there is no direct link between the lender and the borrower. Employing a pre-margin model, collateral requirements are calculated and collected at the level of the beneficial owner before the contract is accepted. The Equities Clearinghouse maintains records of each beneficial owner’s collateral, avoiding commingling of assets.

Acceptable collateral for the BTC CCP program is broad, yet still a bit off from U.S. and UK standards. For instance, cash provision is in Real (Brazilian currency). Non-cash provisions include BGB’s, but also include U.S. Government securities (T-bills, bonds, and notes), select ADRs, and Euroclear custodied German sovereign debt. Kunkle mentioned that it might be positive to have a U.S.-based money market investment available, but that could have some withholding issues of its own. But there is room for the BTC to continue to develop.

U.S. tax-exempt institutions such as public funds and pension plans may have the first opportunities to participate in such a transaction if custodians develop an appetite for the potential size of this market. Since currently the largest (in size) companies being lent are Petrobras and Vale, there is room for continued development. A list of approximately 50 active companies on loan was provided by the BTC during this discussion.

Although the market has numerous advantages, investors need to be mindful of the complicated and costly tax system for lenders and borrowers domiciled outside of Brazil. However, despite tax concerns and recent market declines, the outlook remains positive for the Brazilian market as more investors are entering the securities lending market.

President Obama recently issued a much-anticipated Executive Order entitled “Improving Critical Infrastructure Cybersecurity” in the wake of cyber threats aimed at a wide range of industries – including financial services, construction, energy, transportation, and information technology. RMA recently spoke with Satish Kini of Debevoise & Plimpton LLP, who shared his firm’s summary of the Executive Order. Read the complete summary here.
 
To highlight several key points, the Executive Order provides requirements for information sharing about cyber threats from the federal government to “critical infrastructure” companies. The Order calls for “one-way” information sharing and does not require the industry to share information with the government. Sixteen different industries were identified as “critical infrastructure”: chemicals, commercial facilities, communications, critical manufacturing, dams, defense, industrial base, emergency services, energy, financial services, food and agriculture, government facilities, healthcare and public health, information technology, nuclear reactors, materials and waster, transportation systems, water, and waste water systems.

The Executive Order instructs NIST, an agency within the Commerce Department, to work collaboratively with industries to develop a technology-neutral, flexible, and cost-effective cyber-security framework that incorporates existing international standards, practices, and procedures. The framework will be designed to help owners and operators of critical infrastructure assess, manage, and mitigate cyber risks.On February 26, the NIST asked for responses to 33 questions regarding risk-management, best and industry practices; the questions seek information on how organizations assess risks, what cyber-security approaches are used and what limitations exist with respect to these approaches and how approaches relate to international standards. NIST indicates that responses to these questions will help it to develop the framework. Although participation in the survey is voluntary, the resulting framework could become widely adopted and deemed best practice. Mr. Kini and his firm are currently helping institutions determine their response. You can find the NIST’s survey questions here.

The OCC has issued an information security alert due to the recent spate of denial of service (DDoS) attacks which were directed at national banks and federal savings associations (collectively, banks) by sophisticated groups. A DDoS attack seeks to deny Internet access to bank services by directing waves of Internet-based traffic from compromised computers to the bank. In some instances, sophisticated groups shift their tactics during attacks and target Internet service providers (ISP). Fraudsters also use DDoS attacks to distract bank personnel and technical resources while they gain unauthorized remote access to a customer’s account and commit fraud through Automated Clearing House (ACH) and wire transfers (account takeover). In this scenario, the DDoS can occur immediately before, during, or after the attack. DDoS attacks also have been used to deny bank customers the opportunity to report suspected fraud and to block the banks’ customer-alert communications.

Each of the groups had a different objective for conducting its attack, ranging from garnering public attention to diverting bank resources, while simultaneous online attacks were under way and intended to enable fraud or steal proprietary information.

Banks need to have a heightened sense of awareness regarding these attacks and employ appropriate resources to identify and mitigate the associated risks. Preparations may include ensuring sufficient staffing for the duration of DDoS attacks in conjunction with pre-contracted third-party servicers that can assist in managing the Internet-based traffic flow. Additionally, banks should ensure that their incident response effectively involves the appropriate personnel across multiple lines of business and external partners. Banks should also consider conducting due diligence reviews of service providers, such as ISPs and Web-hosting servicers, to ensure they have taken the necessary steps to identify and mitigate the risks stemming from potential DDoS attacks.

The OCC expects that as part of their contingency planning process, banks should be prepared to provide timely and accurate communication to their customers regarding Web site problems, risks to customers, precautions customers can take, and alternate delivery channels that will meet their banking needs. Banks should consider the recent DDoS attacks and concurrent fraud against customer accounts as part of their ongoing risk management program. Consideration should extend throughout the banks’ risk management process and encompass risk assessment, risk mitigation techniques, response plans, related policies and procedures, testing, training, and customer education.

Implications for Your Institution
RMA encourages its members in critical infrastructure industries to review the President’s Executive Order and the OCC Alert and update cybersecurity policies and practices, as well as contact trade organizations for guidance in responding to the NIST framework survey.

Due to the increasing frequency and severity of cyber attacks against financial institutions , RMA also strongly recommends attending our upcoming Cybersecurity Audio Conference Series for in-depth analysis on timely cybersecurity topics including Denial of Service (DDoS) attacks, cybersecurity risk assessments, and cybersecurity risk implementation management plans.

Delivery system changes will bring increased linkage between performance (outcomes, costs) and payments/incentives; increased integration of physicians, hospitals, and long-term care providers; increased access to health services by under-served populations; and increased alignment of coverage with evidence.

Insurance system changes will include the elimination of pre-existing conditions and lifetime and annual limits for insurance plans; required coverage of preventive health services without co-payments; creation of health insurance exchanges in each state to facilitate access to affordable insurance and manage subsidized purchases by individuals and employers; and federal-state regulation of insurance plan coverage, premiums, and medical expenditures.

As we move to this new “normal”, Mr. Weixel advised awareness of several key themes: compliance amidst tight regulation across sectors; necessity for radical cost reduction across the system for managing people, processes, and technologies; consolidation and collaboration – scale matters – go big or get out; and the transformation of patients into consumers.

For more insight into the ongoing health care reform debate, attend RMA’s Health Care Lending Forum, June 6-7 in Philadelphia.

Please join us for the next audio conference in the series on April 16, 2013 – Understanding and Managing Credit Risk in Non-Lending Products.

The “new regulatory paradigm” consists of a barrage of rules, regulations and guidance from every angle.  And according to Greg Lyons, Partner, Debevoise & Plimpton, LLP, and Paget Dare Bryan, Partner, Clifford Chance, the regulatory reform process is far from over.

Day Two of the 10^th Annual PASLA/RMA Conference on Asian Securities Lending highlighted some of the proposed regulatory developments and their possible effects on the Asia/Pacific region. 

Lyons kicked off the discussion highlighting how capital would be affected through the proposed Dodd-Frank Rule 165, and Basel III.  There is a particular focus on counterparty activities, like securities finance and derivatives that could put the US banks at a competitive disadvantage.  According to Bryan capital requirements are substantially increased under Basel III.  Even though Basel III implementation is still a work in progress, some organizations in Asia (Hong Kong, Singapore) have already begun adopting its methodology.    

Next the discussion turned to the FSB work stream on shadow banking.  The proposed regulation would include: increased transparency through the use of trade repositories, higher margin haircuts, and limitations on collateral reinvestment. 

The panel then focused on the European Union Financial Transaction Tax. This tax could be detrimental to trade profitability in many European countries b/c it taxes each transaction. 

While all of these actions are specific, their implementation remains in flux. For ex., Dodd Frank is only ¼ implemented as of this conference (a rule that was supposed to be implemented in July 2012). 
________________________
Thank you
Thank you to the PASLA and RMA teams, as well as this year’s Conference sponsors, exhibitors, and attendees, with special thanks to the staff at the JW Marriott Hong Kong, for making the 10th Annual PASLA/RMA Conference on Asian Securities Lending a success! 

See you next year for the 11th Annual PASLA/RMA Conference on Asian Securities Lending in Tokyo, 4-6 March 2014