Over the last two years, banks have been inundated with a range of punitive regulations, requiring them to hold capital against many aspects of the risk profile that the previous framework had neglected. Among the first set of regulatory proposals to be enforced is the revised market risk framework, which supplements the traditional VaR-based approach with Stressed VaR, Incremental Risk Charge (IRC) and Comprehensive Risk Measure (CRM). The IRC is intended to cover the omnipresent risk in the trading book of credit migrations and default, which VaR does not capture fully.

Key Findings

• Methods of obtaining transition probabilities – All banks, without exception, use external transition matrices, with S&P being the primary source. Different matrices are also specified for sovereigns and corporates / financial institutions by a number of banks. The time period of data typically spans 30 years.
• Correlation modelling – Most banks use KMV-style models for obtaining probabilities of default, and the Gaussian Copula model for correlations. At many banks, these models are based on economic capital and IDRC models, with significant enhancements to model correlations and basis risk.
• Liquidity horizon – Whilst a number of banks have chosen to adopt three and six month horizons, many banks have also assumed a one-year constant position for all products. These banks have analysed shorter liquidity horizons, but have found the capital savings to be insignificant and the added consideration of rebalancing and hedge slippage too onerous.
• Model validation and governance – At a 99.9% confidence interval, backtesting the IRC model over a year-long horizon is not possible, but one bank performs 1-day backtesting. All of the other banks perform sensitivity analysis and stress testing. Standard validation procedures for market risk models also apply to IRC, with expert judgement required mainly to determine liquidity horizons and the credit quality of sovereign bonds.
• Challenges – Although the majority of banks find the capital charge to be too high, the implementation of IRC has been relatively straightforward. Poor data quality, lack of an integrated IT infrastructure and lack of clarity on regulatory requirements were identified as the main issues.

Conclusion

Like all regulatory proposals over the last three years, the revised market risk framework has been thoroughly criticised for its cumbersome nature and high capital charges, which, for many institutions, can dwarf those in the banking book. In this framework, the IRC attracts the least controversy, being identified by the respondents as a largely sound measure that only needs to be defined in greater detail by regulatory bodies.

Elevated country risk has historically been associated with developing economies. The 2008 financial crisis has, nevertheless, exposed the vulnerability of many eurozone economies and, hence, a great deal of attention has been paid to the sovereign debt crisis in Europe. Greece, Italy, Ireland, Portugaland Spain (GIIPS) have found themselves increasingly mired in the distressing consequences of the negative global economic climate. With increasing uncertainty about the future of the periphery of the European Union, financial institutions are now looking to redesign their country risk framework by devoting increasing resources to the country risk analysis of distressed industrialised countries.

Key Findings

• Organisation of country risk operations – The allocation of responsibilities in the Country Risk department is organised along geographic lines. Four out of six interviewed banks divide the responsibility for various countries amongst analysts by categorising countries into geographical groupings and assigning analysts to each group. Only Bank 2 separates countries into developed and emerging markets.
• Review of country risk framework – Although interviewed banks are clearly directing more human resources to assess the country risk associated with distressed eurozone economies, it is unlikely that they will redesign their organisational framework in order to assign a separate group of analysts to focus solely on GIIPS.
• Limit settings – Banks have started to set lending restrictions, not only on emerging economies, but also on distressed eurozone countries. Yet, it is very unlikely that GIIPS will be downgraded to emerging market status, and banks still institute more limit settings for emerging markets than for eurozone countries.
• Regulatory reporting – The majority of banks have not invested in additional IT infrastructure to contend with the additional reporting requirements for the distressed eurozone countries.

Conclusion

The European sovereign debt crisis has brought about important changes to the country risk framework. Banks are devoting additional human resources to more closely monitor the rapidly unfolding events in both emerging and industrialised countries. Yet, it is very unlikely that distressed eurozone countries will be downgraded to emerging market status. Rather, banks are trying to reduce their exposure to the crisis inEuropeby setting additional lending restrictions to troubled eurozone economies.

There is a powerful reliance within contemporary finance on corporate IT networks and their connections with the Internet. Although these networks and their global interconnections facilitate business growth and technological innovation, they are also increasingly being attacked by individuals and groups for a variety of motives.

Key Findings

• Perceptions of the cyber threat – All of the banks interviewed for this research had cyber attack defence policies in place in their institutions. Even the best-designed IT security system, however, will be undermined if banks do not educate their employees and clients of the vital need for maintaining proper IT security protocols. There is a lack of appreciation among the general public but also, frequently, among senior bank management of the necessity for IT security
• Threats and vulnerabilities – The majority of banks, with one exception, view organised crime groups as the most significant cyber attack threat source. With the growing sophistication of malware code and its availability on the Internet, cyber attacks will increase in number and technological proficiency. There is an increasing trend for highly specific spear phishing attacks on senior figures in investment banks.
• Infrastructure and software – Although banks and financial institutions commonly use open source software to build and develop their IT infrastructure, this was not an option for most of the banks interviewed for this research. They cited security and legal objections to such an approach. The security protocols used within the banks are, broadly speaking, a two-factor process with passwords, tokens and Single Sign-On being deployed in several of the banks
• Data storage and mobile computing– All of the banks maintain a minimum distance between their primary and back-up data storage sites. Some of the banks expressed reservations about potential privacy questions in terms of the different legal jurisdictions. Use of personal mobile computing devices is problematic in security terms and several banks restrict use of devices to corporate devices only although pilot schemes for use of personal devices are being tested at some of the banks.

Conclusion

The number of cyber attacks that have taken place on institutions and firms within the public and private sector has steadily increased over the past ten years. Recent high-profile cyber attacks, such as the hacking of Citibank accounts in June 2011, highlight how vulnerable IT networks and systems are to contemporary cyber criminals. Given the increasing level of sophistication on the part of cyber criminals, banks now recognise the importance of putting robust and flexible cyber defences in place.

Efficient mobile communications are increasingly driving the success of modern business as the workforce becomes more mobile and we store ever more corporate data in the cloud. Whilst this brings huge business benefits in terms of improving efficiency and productivity, the safe use of mobile devices to access corporate cyberspace requires a deeper understanding of the security risks involved. Supported by the proliferation of high-end consumer technology such as smartphones, tablets and netbooks, the adoption of personal, mobile technology in the corporate environment is increasingly common.

Key Findings

• Corporate policies – Banks are finding that Blackberries have better security than the iPhone for corporate usage and, therefore, most have them as their preferred device. Staff are issued the phones based on their role and/or seniority, and there are various tariff packages and spend guidelines in place.
• Uses – Other than for phone calls, emails and Internet browsing, mobile devices are not being used in the corporate environment as much as they are for personal use, for security reasons. There are, however, various applications that are being introduced.
• Risk and security – Technology has advanced beyond the security required to use it effectively in the corporate environment, although the latter is catching up. Banks are keen to build security so that personal and corporate usage can be combined, reducing costs.
• The future – The use of two mobile devices will become normal, with professionals using three or more devices. Capabilities to make applications, services and information available coherently across devices, including middleware, synchronisation and self-provisioning solutions are important here. Cloud computing, being considered by some, will allow more applications to be connected.

Conclusion

It is hardly surprising that this new generation of powerful, personal mobile devices has entered the enterprise space.  Employees look to them as business aids and, in some cases, as replacements for traditional computing tools such as laptops and desktop PCs. Indeed, some business leaders argue that personal devices used for corporate activity can actually lower costs for the organisation, particularly if the employees are purchasing the devices, software and accessories themselves. Compliance regulations, however, are restricting the pace of the growth of applications being used, and it is less of a business requirement than a ‘nice to have’ device to increase flexibility in the workplace.

Mandatory clearing of over the counter (OTC) derivatives, as prescribed by the G-20 nations, is scheduled to take effect from the end of 2012.  Work on developing regulations to provision this is progressing, albeit with delays, both in Europe and theUS. The APAC region, however, is lagging somewhat behind the other two regions at present. InEurope, the European Markets Infrastructure Regulation (EMIR) has passed a significant milestone. Agreement on the EMIR proposals between the European Commission, the European Parliament and the European Council means the industry is close to the end of lengthy negotiations and is commencing a process that will significantly alter the structure of OTC derivative markets.

Key Findings

• Current strategy – Each of the interviewed banks has already established a clearing strategy in Europe to ensure compliance with G20 sanctions. At four of the banks, this strategy has been finalised, inasmuch as they are able to do given the immaturity of the regulation and the limited number of available central counterparties (CCPs).
• Issues with EMIR – The lack of clear asset class-specific rules and implementation timelines for EMIR remain major concerns for market participants. After a lack of asset class specific standards in the initial discussion paper, financial institutions are still unsure which classes of derivatives European Securities Markets Authority (ESMA) will ultimately define as subject to mandatory clearing and how closely the European region will follow the lead of the US in the exemption of FX swaps and forwards.
• Client clearing as a future revenue source – The majority of the banks interviewed during the course of this research do not foresee client clearing as being a major revenue source in the future. Three of the banks expect that client clearing will simply be part of their overall product offering to provide a satisfactory and fully rounded service to their clients. Only one of the tier-1 banks expects that client clearing will be a source of revenue.

Conclusion

Banks are still unsure as to how EMIR will impact the products and the markets in which they trade, as this is very much dependent on the finalisations of EMIR and other European regulations. It is CRD IV that will have the greatest impact on the OTC market according to a majority of the banks. These banks expect that the regulatory capital requirements for OTC derivatives may be severe enough to quash the value of trading in these derivatives and, therefore, push a greater proportion of the overall portfolio onto central exchanges. It is, therefore, essential that banks focus on ensuring that their clearing strategy and technology infrastructure allow them to clear whatever contracts regulators deem eligible and in as many marketplaces as possible.

The strengthening appreciation of risk management in the last four years extends to all areas of the banks, with senior business managers increasingly being urged by regulatory authorities to be more cognisant of the implications of the decisions they take. In times such as these, where the main focus of risk managers is to implement robust processes to meet changing regulatory demands, Risk IT professionals need to be extremely responsive and knowledgeable in many different aspects of risk management.

Key Findings

• Importance of risk knowledge for IT personnel – The level of satisfaction with the risk knowledge of Risk IT personnel differed between the interviewed institutions. Tier-1 institutions find that this knowledge generally falls short of the standards that should be met, whilst the tier-2 institutions face less of an issue in this regard.
• Challenges faced – Whilst IT staff are able to meet business requirements adequately at all institutions, some difficulties do arise when IT staff move into new areas and have to acclimatise accordingly. Some banks are also trying to determine the optimum amount of risk knowledge that Risk IT should hold, as placing too much emphasis on it may come at the cost of a gradual erosion of technical expertise among staff.
• Risk training – Only one of the four interviewed institutions has a formal policy in place to test the risk knowledge of prospective IT personnel. At the other institutions, the emphasis placed on this knowledge depends on the role, with business analysts, project managers, architects, amongst a range of others being required to be highly proficient in interpreting and communicating business and risk requirements. None of the institutions, however, require Risk IT personnel to gain any qualifications in risk management for further development.

Conclusion

A greater awareness of risk is being demonstrated by stakeholders at all financial institutions. This educational development is particularly important for the Risk IT department, as it deals with quantitative methods, as well as swathes of data that need to be aggregated and analysed within a short period of time. Whilst all of the interviewed institutions have formal training programmes for Risk IT personnel, they typically cover areas broader than risk management. As organisations such as PRMIA have begun to offer widely respected qualifications in risk management for non-risk professionals, however, more opportunities are available to the industry in this regard. Nevertheless, it remains to be seen whether the industry avails itself of them.

The onslaught of new regulation and compliance requirements in recent years has meant that departments, as yet only lightly touched upon by the regulatory authorities, have been increasingly required to develop a range of new policies, measures and controls, which have, as often as not, been developed in isolation. This siloed approach often has the unfortunate outcome that departments duplicate the effort already expended by another to achieve the same end. The outcome is a waste of valuable time and resources, and the introduction of redundancy and confusion to the business.

Key Findings

• Organisational structure – Only 18% of the banks surveyed during this research consider themselves to have fully integrated Governance, Risk and Compliance functions. Half of respondents, nevertheless, stated that some GRC processes and/or teams have been integrated.
• Influence – At a little over three quarters of the responding institutions, heads of the integrated GRC teams or, indeed, those of separate Governance, Risk and Compliance teams sit on the Senior Risk Committee.
• The benefits of a specialised GRC Team – There is no particular one benefit that stands out as more widely realised than any other. Of the complete research sample, 68% have experienced greater transparency of enterprise wide risks. Tellingly, 91% of banks that have a fully integrated GRC team have experienced this particular benefit.
• Obstacles to fully integrating GRC – A lack of clarity over the responsibilities and organisational structure of a GRC function is one of the main factors hindering the harmonisation of the three functions at present. This suggests that without clearly defined policies that allow for information to be collected and distributed to relevant stakeholders, integrating the three distinct functions effectively can be a difficult task.

 Conclusion

 Banks that have fully integrated GRC teams are already realising the benefits of this structure, with the vast majority gaining a greater transparency of the risks faced, thereby, improving enterprise risk management practices. Furthermore, over half of these banks stated that an integrated GRC approach has empowered risk managers, Compliance and Governance personnel, giving them a greater say in determining risk appetite.

Drafted in response to the 2008 financial crisis, the Dodd-Frank Wall Street Reform and Consumer Protection Act (the Dodd Frank Act) aims to promote the financial stability of theUnited Statesby improving accountability and transparency in the financial system. Being over 2,300 pages long, it touches every corner of the financial services sector. Its implementation will affect not only every financial institution that operates in theUnited States, but the global economy as a whole.

Key Findings

• Tackling the uncertainty – Two divergent approaches to managing the Dodd-Frank Act’s under-defined rules have emerged; one pragmatic and the other precautionary. Whilst some may feel it best to delay internal operational redesign, due to concerns that early investment will be wasted if the finalised regulatory detail does not pan out as anticipated, others aim to be ahead of regulators by starting implementation before the final rules are defined.
• Major technological/compliance challenges – The focus of concern is mainly centred on three aspects of Dodd-Frank: the Volcker Rule, Title VII (OTC derivatives) and the regulatory reporting requirements that derive from the Volcker Rule and Title VII. Some of the strategies banks are putting in place include creating an enterprise-wide data repository, investing in server capacity and new management/client information systems and integrating disparate derivatives trading platforms into one single manageable system.
• Overly complex regulations – There are clearly areas where unnecessary complexity, introduced by the Dodd-Frank Act, may have serious unintended economic consequences. Furthermore, it is anticipated by some that Compliance departments may have to work for over 15 years to meet all aspects of this emerging regulatory framework.

Conclusion

The 2008 financial crisis forcibly demonstrated the necessity for greater transparency and accountability in the financial services industry, and the Dodd-Frank Act is an important step forward in this respect. Given the breadth and scope of the law, however, it is unrealistic to expect that financial institutions will be fully able to comply with all required reforms in such a short timeframe. It is imperative that domestic and international regulators improve communication with all stakeholders in order to create a consistent international regulatory framework.

London Seminar – 8^th May 2012

On

“OIS, CVA, DVA, What’s Next?”

In excess of 189 people attended this seminar.

The seminar took place from 18:00 – 19:30 followed by a drinks reception.

The panel  included:

Alan Baxter – Executive Director, CVA Trading Desk – UBS

Andrew Green – Head of Quantative Research, CVA – Lloyds Banking

Jeremy Johnson – Group Treasurer – Hitachi Capital (UK) Plc

Paul Lawton – Former CVA Risk Manager – Major European Bank

Robert McWilliam – MD, Global Head of CVA Desk and Collateral – ING

Areas covered included:

• How should banks determine whether or not to calculate and charge CVA?
• How can banks resolve the challenges posed by lack of sufficient data to obtain reliable estimates of CVA?
• Where are buy-side and sell-side firms today in the implementation of CVA?
• What are the biggest challenges firms are facing with regard to CVA and what measures are being taken to resolve them?

For more information and to register for this seminar please

email Karen.connelly@lepus.com

As a result of regulatory proposals, such as Basel III, there has been much discussion around liquidity risk management. It is of no surprise that banks are now seeking to factor liquidity into the pricing structure of new products, positions and transactions. Whereas liquidity risk was once seen as a secondary factor when analysing market and credit risks, it is now expected that all banks have established specialised teams to ensure that liquidity risk is being managed effectively.

Key Findings

• Current practices – For the banks where liquidity management was not a priority, new teams will have had to be created, and for banks that were already monitoring liquidity issues closely, existing teams may have increased in size and have a broader remit.
• Response to recent regulatory proposals – All of the banks are heavily engaging with regulators, as well as peer banks, to formulate the ideal reforms. Although all of the interviewees are in agreement that changes to the liquidity framework are logical, they do not think that the measurements are calibrated accurately enough as yet.
• Issues with current proposals – There is a unanimous belief amongst the banks interviewed that measures in the regulatory proposals are not yet suitably calibrated; scenarios are too severe and definitions are too vague.
• Liquidity risk systems – The interviewees concur that the latest liquidity proposals will require their bank to upgrade its systems. Each of the banks is either currently undertaking initiatives to upgrade current systems, or is currently waiting for finalisations to regulatory proposals before committing to a re-engineering programme.

Conclusion

As is to be expected, liquidity risk management is now a major focus area for investment banks and regulators alike. At the majority of banks, liquidity has been closely managed for a number of years, even before the crisis, but events since 2008 have given banks further impetus to strengthen liquidity management practices. Each of the interviewed banks has either a dedicated group, or a team of people across the bank, that is responsible for dealing with the new rules and regulations.