risk update GLOBALriskrewardlimited.com/admin/pdf/Risk Update 2014 Q4.pdf · assess their business models to ensure that they remain relevant. In this the Q4 2014 edition of the GRU

riskupdateThe quarterly independent risk review for banks and financial institutions worldwide

GLOBAL

© Risk Reward Ltd UK. All rights reserved. Available by subscription only – not for sale or resale

Financial Crime Compliance:A Brief Guide for SeniorBank Management,Compliance Officers andInternal Auditors

Q4

2014

Also in this issuen HR & Risk Managementn Derivatives: Limiting MarketChange

n NEW BIS Bank CorporateGuidelines

n The Implications of ClimateChange

n Client Money: Don’t Be in aBad Place

n The Value and Managementof Intellectual Property,Intangible Assets andGoodwill

n MoneyScience InterviewsDennis Cox

Global Risk Update 2014 – Q4

Index PAGE

Financial Crime Compliance 3

Human Resources & Risk 8Management – A Risk Upskilling Case Study

Derivatives: Limiting Market Change 17

New BIS Bank Corporate Governance 20Guidelines: Insights and Analysis

The Implications of Climate Change 26

Client Money: Don’t be in a Bad Place 30

The Value and Management of 33Intellectual Property, Intangible Assets and Goodwill

MoneyScience Interviews Dennis Cox 37

Risk Reward Limited, serving the banking and financial servicessectors with risk consultancy and risk training in developed andemerging markets since 2002. Risk Reward is registered with UK

Companies House no 4346234.

©Risk Reward Ltd UK 2015. All Rights Reserved.By subscription only - not for sale or resale

Designed by mfp – [email protected]

Banking is always a complex industry to predict and with bothsignificant economic pressures combined with major regulatorychange this can never have been truer. As we write the US FederalReserve Bank has announced the end of QE or quantitative easing.What impact will this have on the financial services sector and the realeconomy and will this lead to the expected interest rate rises? WithBasel 3 (for banking) and Solvency 2 and the ORSA (for insurance)in the process of being implemented including new requirements forliquidity and capital all firms in the financial services industry need toassess their business models to ensure that they remain relevant.In this the Q4 2014 edition of the GRU you will read about how thefinancial regulators have’ turned the guns’ from risk managers and internalauditors to risk, audit and now human resources and compliance functionsas they seek to mitigate Conduct Risk. Lisette Mermod shares herexperience and insights as to what happened when risk and HR were forcedto meet at the watercooler in a failed EU regional bank. Gruesome readingbut with a happy ending.How regulators are limiting market change especially in the derivativesmarket is a question expertly discussed by Madrid-based risk specialistFlora Prieto. Julian Sampson (Client Money) and Jonathan Ledwidge(Financial Crime Compliance for Auditors) experts have each been knee-deep in AML and sanctions projects this year and share with us some keylessons. As does Kelvin King, one of the world’s leading valuations experts.His article offers practical guidance for those in risk roles struggling tovalue intangibles, good will and intellectual property. And with winter uponus in the northern hemisphere David Thompson, FCA and fund broker forNivenCapital’s energy and environment unit cautions risk managers on theimpact of Climate Change Risk on asset management, investments andlending.Finally, as the BIS has just released its latest consultative paper on BankCorporate Governance – with definitions! – I just had to share my owninsights and analysis. Yes, it is 13 principles but the real question is what’smissing and do firms need to start making changes to comply now?On behalf of all of us at the GRU Editorial team, Happy Holidays to youand yours – and in the spirit of the season, (as this publication is still freeof charge)please support your most needy charity.

Dennis Cox BSc, CFSI, FCAChief Executive Officer

PLEASE CIRCULATE TO:

n Chief Risk Officer

n Head of RiskManagement

n Head of HumanResources/LPD

n Head of Internal Audit

n Head of Operations

n Head of ALM

n Head of Treasury

TO THE EDITORDo you have risk issues inyour organisation or regionyou would like to share?

Email your thoughts to the Editor [email protected]

Global Risk Update, a regular journal coveringinsights and global risk issues of interest to thebanking, insurance and financial sectors indeveloped and emerging markets.

Available by subscription via the websitewww.riskrewardlimited.com. To unsubscribe pleaseemail to [email protected] and enterUNSUBSCRIBE in the subject field.

Gamechangers

For a very long time banking was all about the extension ofcredit in one form or another—and thus a borrower’s abilityto repay. Regulators had guidelines for both capital andliquidity but within the industry these were only ofsecondary importance to the decisions on credit.

Then came the financial crisis of 2008 which tested theresilience and sustainability of not only individual banks butthe entire financial system. The main issue here of coursewas the impact of poor credit decisions on bank capital andliquidity. Regulators have now responded to the financialcrisis by significantly increasing said capital and liquidityrequirements.

The impact of these increases has been such that they havechanged the competitive nature of the industry.Consequently, strategy within banking and thus decisionson credit, are no longer about the business you want to dobut what the regulatory capital and liquidity constraints willallow you to do.

There is no doubt that the Basel requirements on capitaland liquidity have been a regulatory

gamechanger. Just as banks havestarted to

come to grips with the Basel requirements another set ofregulations have emerged to take centre stage. They are theregulations in respect of Financial Crime and what in effectthose regulations are saying is this: it is no longer goodenough to know your sources of funding and liquidity, youalso need to know where that money originally came from.

We have another gamechanger.

The Importance of Financial Crime Compliance

Financial Crime is defined broadly into six categories:

1. Money Laundering2. Bribery & Corruption3. Terrorist Financing4. Sanctions Evasion5. Tax Evasion (Not Avoidance)6. Fraud

If there is any doubt as to the importance of Financial Crimeand Financial Crime Compliance (FCC) then one has onlyto read the financial press to see the enormous fines leviedagainst banks. Big Bank 1 (let’s call them) paid $1.9 billionwhile Big Bank 2 has paid a whopping $8.9 billion in fines.In the case of Big Bank 1 the fines were leviedfor allowing that bank

Financial Crime Compliance: A Brief Guide for Senior Bank Management,Compliance Officers and Internal AuditorsRecent events and penalties have resulted in Financial Crime moving to the forefront of financialindustry concerns and this poses particular challenges for Senior Management, ComplianceOfficers and Internal Auditors who are all struggling to come to terms with this ‘monster.’ Theauthor is currently engaged in a global AML CDD compliance project for a major bank.


3

to be used to facilitate the laundering of money by Mexicandrug cartels. Big Bank 2 on the other hand got into trouble

for facilitating paymentsto sanctioned countriesincluding Iran.

More importantly, thefines are not the end ofthe story. Big Bank 1 hasbeen placed under aDeferred ProsecutionAgreement (DPA)—meaning that criminalcharges would follow ifthe bank did notundertake and effect

significant improvements in FCC. For Big Bank 2, thelandscape is even worse. The bank had been advised thatcriminal charges will follow and that it will not be allowedto clear any dollar transactions in 2015.

Then there is the case of Big Bank 3, a bank which utilisedSwiss secrecy laws to help thousands of US citizens evade anestimated US$20 billion in taxes. The bank has since beenfined US$980 million and is now also operating under aDPA, while the former Chief Executive of its Global WealthManagement division has been charged with conspiracy todefraud the IRS and is now under house arrest awaiting trial. Another Swiss bank, Big Bank 4, was fined US$2.6 billionand also faces criminal charges for aiding and abetting taxevasion by its US customers.

On a somewhat different note, a MENA bank has been heldcriminally liable for financing terrorism by a court in theUS—because it provided bank accounts to individuals whowere members of Hamas, the Palestinian militant group. Thejudgement was granted on behalf of US citizens who werevictims of terrorist attacks for which they held Hamasresponsible.

Huge and consequential fines, possible criminal convictions(both personal and corporate) and curtailment of businessactivities coupled with very negative reputational impactsall mean that FCC is easily one of the most significantchallenges facing banks today.

The Industry Response to FCC

How have banks been responding to this immensechallenge? How should they be responding? What shouldSenior Management, Compliance Officers and InternalAudit actually be doing about this?

Here are five ways banks have been responding:

1. Reviewing & Exiting of Certain JurisdictionsThere is no question that certain jurisdictions are moresusceptible to Financial Crime than others. The FinancialAction Task Force, an inter-governmental body also knownas FATF (GAFI for some non-English speakers) regularlypublishes lists of those countries which are either non-compliant or deficient in combating Financial Crimes.

Another very useful indicator of corruption isTransparency International’s Corruption PerceptionIndex (CPI). The CPI index ranks countries inaccordance with the level of corruption on a scale of 0 to100, with 0 being extremely corrupt.

Banks are using the information provided by the likes ofFATF and Transparency International to determinejurisdictions they should be either reducing theirbusiness exposures or avoiding altogether.

2. Reviewing & Exiting Certain Industries &RelationshipsBanks are also busy identifying industries where the risksof money laundering are considered greatest because ofthe amounts of cash involved and where there is anincreased risk of disguising and integrating legal andillegal funds. Another consideration is whether or not anindustry lends itself to bribery and corruption.

Examples of the industries/categories which are nowbeing targeted by banks for either exiting relationshipsor enhancing due diligence includes:

a. Charitiesb. Jewellery, Gems, Precious Stonesc. Arms and Munitionsd. Casinose. Shell Companies f. Offshore Banking Institutionsg. Money Service Businesses (MSBs)h. Transactions Involving Bearer Sharesi. Politically Exposed Persons (PEPS)

3. Reduction in Correspondent BankingRelationshipsThere was a time when the major international banks hadas many relationships with other smaller banks in as manyjurisdictions as they possibly could. The fees earned fromcorrespondent banking were of secondary importance—the general rule was that the more correspondentbanking relationships a bank had the more it wouldattract deposits from those other banks and the greaterits importance within the global financial system.

However, having finally realised that banks that reside inpoorly regulated jurisdictions, offshore centres or thosewith less than transparent ownership structures are highlysusceptible to Financial Crimes, the major internationalbanks have been busy exiting a large number ofcorrespondent banking relationships.

4. Greatly Increased Customer Due DiligenceCustomer Due Diligence or CDD is at the heart of thenew regulatory environment. The general principle isthat the more an organisation knows about itscustomers the better it can avoid and reduce theincidents of Financial Crime. The concept of CDD goeswell beyond simply identifying the name and residenceof a customer—it actually requires an in-depthknowledge of their business including their customersand suppliers, as well as the source of their wealth andcapital.

Overcoming the Governance & Internal Audit Challenges of Financial Crime Compliance


4

... the FCC is easilyone of the mostsignificant challengesfacing banks today

The amount of resources being required for devotion toCDD, Know Your Client (KYC) and the onboarding ofcustomers is now both exhaustive and exhausting—yetmany banks feel that in light of the risks involved theysimply have no other option.

5. Increased Investment in Compliance &Financial Crime Intelligence The onerous and apparently unforgiving nature of FCCis such that it is vitally important that banks invest in boththe requisite people and systems in order to ensure thatthey manage their business within the vast and ever-changing guidelines with a focus on both detecting anddeterring Financial Crime.

In FCC, failure is simply not an option.

As such, as Financial Crime regulations are constantlybeing updated and new individuals, countries, groups andactivities are constantly being added plus watch lists formoney laundering and sanctions, the investment in ITand systems required to maintain pace is both immenseand ongoing.

What This Means for Senior Management,Compliance Officers & Internal Auditors?

In the case of Financial Crime salespersons, relationshipmanagers and others either in direct contact with customersor processing customer transactions and data represent thefirst line of defence. Financial Crime Compliance is the second line of defenceas it falls to this group to develop the knowledge, knowhowand capabilities to deter and detect Financial Crime.Internal Audit represents the third line of defence and the

independence of its role in assessing and evaluating FCC isspecifically recognised in the FATF guidelines.

Within this context there are several issues which SeniorManagement, Compliance, FCC and Internal Audit mustfocus on if banks are to reduce the very significant risks ofgetting it wrong. The most important of these issues areoutlined below.

1. The Adequacy & Effectiveness of FinancialCrime ResourcesFCC regulations and guidelines are vast given thenumber of bodies involved in developing them. Inaddition to the transnational and multilateral entities suchas the UN, EU and FATF, every single country will eachhave its own Financial Crime regulations. For banks thatoperate in several jurisdictions the task of interpreting,responding to and acting appropriately on theseregulations is thus extremely demanding.

Consequently, Senior Management has the primaryresponsibility for ensuring that FCC has all requisiteskills, systems and other resources necessary forexecuting their tasks and that these resources areconsistent with the nature of the business, thejurisdictions in which it operates, the customers it willtarget and the products which it intends to offer.In this regard, Chief Compliance Officers are responsiblefor ensuring that they develop, obtain managementapproval for and execute FCC plans that arecomprehensive, sufficient and fully reflecting of both thebusiness and regulatory environments.

Internal Audit should review and assess the adequacy,efficiency and effectiveness of the FCC strategy and



5

plans. Internal Audit should also ensure that said plansare reviewed, approved by Senior Management andwhere appropriate revised on a periodic basis—inaccordance with the demands of the operatingenvironment.

2. Establishing Standards – Policies, Procedures,DocumentationGiven the legal and regulatory requirements of FCC it isvitally important that suitable policies and procedures areestablished in order to consistently apply the appropriatestandards. Having such standards is critically important inrespect of demonstrating to regulators and if required thecourts, precisely how the institution is fulfilling itsobligations—including the determination of whether aFinancial Crime is being committed or not.

Consequently, there is a need to ensure that not only arepolicies and procedures properly documented but thatcustomer records, correspondence and employeeworkflows all fully reflect the onboarding and otherdecision making processes as they relate to FinancialCrime.

It is the responsibility of the Chief Compliance Officer,working in conjunction with FCC, to ensure thatstandards are suitably implemented and that they areconsistent with the nature of the business and the legaland regulatory environment.

In this instance the role of Internal Audit is one ofensuring that there is consistency in the application ofstandards and that that they are subject to regular reviewin accordance with changes in both the business and thelegal and regulatory environments.

3. Developing a Culture of ComplianceThe best operating standards will prove inadequate if

they are not accompanied and supported by anappropriate culture of adherence and behaviours. Theimplementation and success of a suitable Culture ofCompliance is dependent on the actions of both SeniorManagement and FCC.

Senior management has the primary responsibility forengendering a culture that both respects and exemplifiesthe Financial Crime governance framework. It canachieve this by:

A. Ensuring that the overall strategic approach, in termsof the types of jurisdictions, customers and productsbeing targeted, are consistent with stated cultural andbehavioural objectives e.g. if the target marketsinclude casinos in Macau or mining in the Congo thenthis would be sending the wrong message

B. Communicating and reinforcing very clear messagesin respect of what is considered as ‘good’ and ‘bad’behaviours supported by appropriate training (seebelow)

C. Providing Compliance and FCC in particular with thenecessary resources and operational independence tofulfil all its obligations

D. Ensuring that rewards and promotions are based onthe right (‘good’) behaviours

E. Ensuring that ‘bad’ behaviours are sanctioned andpunished

F. Ensuring that absolute remuneration levels do notnegate cultural objectives

G. Establishing an appropriate whistleblower policy

The Chief Compliance Officer in conjunction withFCC must ensure that:

H. It has properly identified the universe of FinancialCrime risks to which the institution is exposed anddevelops an appropriate strategy for addressing them



6

I. Resources notwithstanding, adequately and effectivelyimplementing the stated strategy and programmes

J. It provides consistent and proactive support to thebusiness units

K. It develops suitable risk-based programmes andapproaches to:i. CDD and the onboarding clientsii. When, where and under what circumstances

higher levels of due diligence and/or approvals arerequirediii. The active monitoring and surveillance of

customer accounts, data and transactions iv. The escalation of FCC issuesv. Reporting suspicious transactions and activitiesvi. Client reviews and exit

L. There is an active, ongoing and consultativerelationship with the relevant regulatory authorities aswell as industry professional bodies

The role of Internal Audit in this instance is to ensure that:

M.Compliance and FCC have properly documentedprogrammes in support of the above

N. Such programmes have been approved at the highestlevels

O. That said programmes have and are beingimplemented in accordance with the stated plans andbusiness strategy

P. That such programmes are regularly reviewed andapproved in accordance with the changes in thebusiness and legal and regulatory environment

Q.That any variations or alteration is programmes orprocedures are properly documented and approved

4. Financial Crime EducationAs noted above Financial Crime education is a key andintegral aspect of developing the right cultures andbehaviours—but that is only part of the story. FCC is acomplicated, ever changing and continuously expandingsubject. It is therefore vital that all members of staff areaware of and know their specific responsibilities inrespect of FCC. That awareness can only be achieved byway of a comprehensive and ongoing programme ofeducation.

In addition, given that in most jurisdictions all employeesworking in regulated sectors are responsible for beingaware of and taking the appropriate steps wherenecessary to prevent Financial Crime—from a legal

perspective it is absolutely vital that staff are made fullyaware of their specific responsibilities under the law.

Given the above, the Chief Compliance Officer inconjunction with FCC must ensure that the trainingprogramme is consistent with needs of the business andthe legal and regulatory environment. Such a programmeof education must:

A. Have the full support of Senior Management, whoshould also participate when and where relevant

B. Make all members of staff aware of their specificresponsibilities in respect of FCC

C. Consist on online learning, classroom sessions andother learning resources such as websites and regularjournals or newsletters

D. Form part of each employee’s annual review andassessment

E. Form part of the employee onboarding process

In this instance the role of Internal Audit will be to:

F. Ensure that the scope of the programme is adequateG. That the areas covered by each employee, business or

operational unit is consistent with their roles andresponsibilities

H.That the programme is run in accordance with apredetermined schedule

I. That attendances, non-attendances and test scores (ifany) are properly recorded in employee records

J. That the programme is continuous and thus reflectiveof ongoing changes

Summary

Financial Crime Compliance has moved to the forefront ofthe list of matters that financial institutions must get right asthe possible penalties, both personal and corporate, are nowso severe that failure is clearly not a good option. Seniormanagement, Compliance, FCC and Internal Audit all havea vital role to play and it is important that they all performwell.

As the third line of defence, Internal Audit is tasked withensuring that the other areas of the business and governanceframework are performing at optimum levels. This is theultimate backstop and safeguard to the business.

The author invites your comments via email to [email protected]



7

RiskRewardSearch.comMore than 12 years delivering the right GRC directors and executives plus the

right services to our clients. From high-profile retained searches on keyexecutive hires to quick risk market perception feedback, Risk Reward Searchis uniquely rooted in risk expertise to guarantee 100% client satisfaction.

Tel +44 (0)20 7638 5584 www.riskrewardsearch.comS E A R C H

People Risk has been defined asdifferent from riskmanagement – the latter withits measurements and Basel

rules – and seems to be looking for ahome within an organisation and isoften determined as ‘owned’ by theHuman Resources function in financialinstitutions. But HR and riskmanagement departments are oftenpractically unknown to each otherbeyond senior level recruitment andexit functions (and those are moreoften than not using externalExecutive Search experts and notinternal HR managers and staff.)

Therefore when the financialregulators looked to the financialinstitutions to correct or restructuretheir corporate governance and riskmanagement teams, prepare risk rolesjob descriptions and risk communitydata, the HR departments were, withfew exceptions unfamiliar with riskmanagement and unprepared toparticipate in remediation solutionsimposed by regional and nationalregulators.

This is a Case Study of one suchremediation solution.

Background

Why was this remediation required?As a consequence of the global creditcrisis and the regulatory response toprotect the public from a ‘run on thebanks’ a number of national andregional US, UK and European banksdid not meet the new capital andliquidity rules - often suffering largelyfrom massive losses due to holdingbad debts and/or financialmismanagement – and were deemed‘failed banks’.

Remediation plans to attract and injectnew capital and reduce costs(including large numbers of job layoffs) ensued. Some banks wereeffectively ‘split’ into ‘good’ and ‘bad’banks with a view to attract newcapital and investors to a ‘cleaned upgood bank’ and the sell off debts andvarious assets of relatively low valuefrom within the ‘bad bank’ to the openmarkets. In some cases the ‘bad bank’ultimately was wound down andclosed, its management and employeesdispersed.

Regulators proposed strongly worded‘recommendations’ for failed banks toinvest in the professional and technicaleducation of their management andemployees – including Boards andNon-Executive Directors andspecifically in the areas of riskmanagement. Technical assistancebudgets for the design andimplementation of large scale (oftenglobal) training programmes followedsuit, often the first of its kind beingundertaken within a financialinstitution in association with the riskmanagement function and the HRdepartment together.

How to prepare then to upskill the riskmanagement function bank wide inpreparation to keep the bank businessviable (not fail) while demonstrating topotential investors the bank’s ‘value’(its people) was a tall order to beachieved in a relatively short period oftime.

This was the challenge for thisparticular regional bank. However thefollowing Case Study offers keymessages to all banks and financialinstitutions seeking to address thestructural and operational issues of

Human Resources & RiskManagement – A RiskUpskilling Case StudyKey Messages for People/Conduct Risk Implementation inFinancial Institutions

People Risk and Conduct Risk are the latest trending terminology as financial regulators cometo review not only a bank’s capital adequacy and liquidity as vital to a bank’s viability but moreso how a bank operates as a business. People – as different from operating processes – arethe latest focus by regulators who are expanding the integrity issues to a more general reviewof how people behave, make decisions and implement those decisions into actions andapproaches that impact on the viability of the financial organisation, the financial consumerand society at large. Risk Reward Group Managing Director, Lisette Mermod shares someinsights for risk and human resource teams when preparing for implementing People/ConductRisk compliance and risk upskilling initiatives based upon her ongoing oversight of four suchprojects within the UK, two EU failed European regional banks, and a TARP-funded US regionalbank arena. (The project details are an indication of the similarities amongst the projects in anEU setting.)


8

bringing the HR and risk managementfunctions and teams together to workout a remediation, especially in light ofimpending Risk, HR and Compliance(Conduct Risk) rules and theirimplementation in all regulatedfinancial entities.

Case Study: The Risk Academy

I Risk Upskilling ProjectOverview

A large, failing regional European bankwith 10,000 employees distributedacross 8 countries and among 22 legalentities was under regulatorysupervision to ‘turnaround’ resultingultimately in a ‘good bank’ and a ‘badbank’, with wind-downs and businessspin-offs planned within a 3 yeartimetable. A foreign investor topurchase the ‘good bank’ was a goal ofthe EU Commission and nationalregulator.

One of the foremost challenges wasbringing its risk management teams upto international best practise and BaselII/III standards as quickly andeffectively as possible as the bank wasstill trading. This involved nearly 2500people dispersed among (initially)eight countrie and later double thatnumber.

With the regulators’ approval a 24-month training initiative wasconceived to cover training tocompetencies required for six

proscribed risk job roles at threedifferent knowledge levels asdetermined by the Bank. The RiskUpskilling Request for Proposal (RfP)included 45 different training coursetopics to cover for a budget of 10 daysper employee over the 24 monthperiod. There would be blocks oftraining days – 3-5 in one week - anda short 20-question examination tocover each course learning. At the endof year 2 a cumulative examinationwould be taken by delegates todemonstrate learning retention andcapacity to implement their upskilledrisk knowledge in the workplace.Result? A better bank.

The multi-million euro training tender(RfP) was issued by the Bank’s GroupProcurement team in association withthe Group Risk and Group HumanResources teams. During thetender/bid process it became clearthat the Chief Risk Officer (formerActing CEO) and his Number 2, atrained lawyer and Acting Head ofRisk Champions for this project, madeinputs into the RfP for risk trainingthroughout the bank but specialist riskconsultants were not engaged norwere the heads of the Bank’s riskdepartments, business heads (Groupand regional) or HR Heads (regional)consulted to produce the RfP. This wasthe first structural challenge to thesuccess of the risk upskilling initiative.

Further, the Group Head of HR andhis Number 2 were unfamiliar andunknown to the risk community within

the Bank and although experts inchange management and highlyrespected as corporate HRprofessionals they were already at aloss as to literally who would beincluded in the risk upskilling projectand who would not, whatcompetencies were required and howto prepare for such a risk managementproject.

The role of the contracted riskspecialist consultants and trainerswould be to ‘bridge the gap’ betweenGroup Risk and Group HR to achievethe risk upskilling goals among theBank’s employees and affiliates.

A closed RfP invitation to regionaltraining firms was sent out with aMarch 2012 due date, bidssubsequently placed, a shortlistachieved and ultimately the Tender Bidwas won by a specialist riskconsultancy and training firm to serveas the Main Risk UpskillingConsultants and Training Vendor(other training would be engaged inareas of legal and retail banking as partof the wider project).

The contracting process took fivemonths to complete which includedthe usual document preparation andsubmissions, numerous conferencecalls, several training demonstrationsat the Bank’s headquarters andextensive contract negotiations withGroup Procurement regarding projectterms and conditions, payments,invoicing, software licenses, project

Human Resources & Risk Management – A Risk Upskilling Case Study


9

management, interactive website tooldevelopment, third-party logistics andtravel management, projectmanagement workshops and whencontracts were signed a series of KickOff Workshops for local CROs andHR heads in four cities.

The RfP included an aggressivetimetable whereby the first 100keyrisk managers would be trained bythe end of the fourth quarter of 2012and 1000 of the total 2500 riskmanagers and staff would have gonethrough the first level of trainingcourses by end of Q2 2013. The entirerisk upskilling project would becompleted – all 1500 individuals wouldhave received 10 days of training,some at only one learning level andothers at Levels 201 or 301, mosttraining to be attended at workshopsin their location of employment,others travelling to the London for aRisk Study Tour with UK/EUregulators – by the end of Q2 2014.

II Key Governance Issues

The Bank’s Group HR and GroupRisk as the Risk Academy ProjectOwners

For this project the Bank broughtGroup Risk and Group HR togetheras project team leaders for a risk

upskilling training initiative – theBank’s Risk Academy - being amongthe first of its kind, driven byregulatory pressure, to do so.

Both owner groups faced difficultpressures. Group HR had to dedicatea full-time risk upskilling project teammember to act as the Board liaisonwhich impacted on his time and abilityto manage the HR Heads throughoutthe Bank once the project was rollingout. Eventually he had to ‘forcedownward’ his management role to thelocal HR Heads very early in theproject. It caused increased fees andtravel expenses incurred by the riskspecialist contractors to work directlywith the numerous regional HR heads.Group HR also did not plan or budgetfor a finance liaison for the riskupskilling project which ultimatelyresulted in a series of regular projectshut-down threats when invoicing andpayments were not ‘owned’ by acentral resource.

The Chief Risk Officer wasparticularly stressed spending most ofhis time with the national regulators.His absence as an active KeyStakeholder, Influencer and ProjectLeader for the Bank’s risk communitywas notable, especially whenleadership to manage the RiskChampions was urgently required for

decision-making from his office. HisNumber 2 was unable to manage thededicated project Risk Championswithout frequent delays, cost overrunsand acrimony among them; GroupHR, regional HR heads and businessmanagers and the risk specialistcontractors were left to fend forthemselves in a scrum.

The Bank’s Risk Champions

The role of the Risk Champions wascreated to support the Group CRO’svision, serve as a channel to achievethe risk upskilling key messagesthroughout the Bank’s risk communityacross functional lines (credit andmarket risk controllers, credit backoffice processing, rehabilitation teams,etc) and cross-border (amonggeographic business units). Theywould be influencers and enablers tothe risk upskilling project and remainas the ‘owners of the corporatememory’ for this upskilling initiative.

However much to our dismay GroupHR presaged that the Risk Championswere ‘a dangerous bunch’ and thatthey should never be brought togetheras a group, an observation which rangalarm bells to the risk specialists andwas an indicator of the ‘distance’between HR and Risk within the Bankand a real threat to the success of theproject. And this was the kick-offmeeting.

Group HR’s perception of the RiskChampions - that their inputs will notbe valued - cannot be discounted, andGroup HR’s wish to avoid having toengage with the Risk Champions wasclear. In fact the project was delayedone month while the risk specialistswere wedged between Group HR andthe Risk Champions to finalise theirinputs, make changes to the trainingprogramme, redesign the trainingdelivery schedule and begin riskupskilling training still on time. TheGroup CRO needed to ensure theRisk Champions would indeed drivethe project internally as he wasengaged with the regulator on a day today basis, so whatever changes theywished for, they had a blanket approvalfrom him. Again the problem of theincorrect risk roles and levels had notbeen addressed by the RiskChampions; they were concerned thattheir teams needed ‘practical, not risk



10

RiskAcademyProject

RiskSpecial-

ists

Suppliers

HostedLearning

ManagementSystem

HostedWebsite

SMETechnical

ProjectLeader

Content&

SMEs

PlanningLogistics, IT

&Helpdesk

ProjectManage-

ment

SeniorProject

Managers

Bank

BusinessUnits

RiskChamp-

ions

LocalProcurement

Heads

LocalHR

Heads

LocalFinanceHeads

RiskTrainers

RiskCommunity(Employees)

LocalCROs

ChiefRisk

Officer

CROTechnicalAssistant

ProjectManager

& IT

DeputyGroup

Head HR

GroupHeadHR

GroupRisk

GroupHR

GroupProcure-

ment

management training’ and as a finalpush to get the project rolling the RiskChampions not only opted out fortaking the risk competency on-linesurvey like all of their teams but hadto be negotiated with – sometimesunder heated conditions – to reviewcourse training course content andparticipate in the approvals processunder tight deadlines.

Like the Group CRO and the GroupHead of HR, the Risk Champions hadtheir pressures too, and other banksfacing similar challenges and projectswill be wise to consider the time andenergy required by these risk heads tonot only perform their own work –under constant pressure rainingdownwards from the CRO and theregulator – but also to meaningfullyparticipate in a project they were notinitially consulted on. Early stageengagement with the Risk Champions,and indeed ideally the local CROscombined with strong leadership fromthe Group CRO could have greatlyimpacted earlier successful results.

The Risk Specialists (Contractors)

As previously mentioned the riskspecialists emerged as not simplytraining contractors but were neededto ‘connect’ the Group CRO andGroup HR, project manage the bulkof the project, and to serve as subjectmatter experts and trainers. While theglobal financial regulators offeredguidance as to improvements in riskknowledge and better decision-making capacity the rules wereinterpreted by the national andregional financial regulators uniquely,not always adopting BIS guidance tothe extent required. And this Bank,like others, must find the right balancebetween regulatory compliance andmaintaining a sustainable commercialprofit-making business. Hencethe risk specialists wererequired to not

only advise on technical risk andrelated matters but also to interpretthe bank’s business lines and how bestrisk roles can perform as is requiredand adapt the training needs asexpressed by those in everyday riskroles and those of senior management,and the Board.

In response to this particular RfP forrisk upskilling through training, therisk specialists recommended theentire project ‘sit’ inside a RiskAcademy model which would allow fora variety of consultancy pre- and sub-projects to prepare for the riskupskilling and add value to its roll out,be an interactive project managementtool for accessing training materials,booking course participation, takingexaminations, report exam results,generate invoices and post projectfinancial reports by individual user,business unit and country to deliver,monitor and report the desiredoutcomes.

The Risk Academy would be a projectin its own right, with its own branding,messages and mobilisation; alsoserving as a repository for everythingrelated to the risk upskilling project –from project management to planningto financials to examinations andreports to the Board and the regulators– in one location. This would take theform of a password-protected triangleof (1) intellectual property (trainingcontent, materials) and sensitive Bankpersonnel data (names, contact details,exam results, etc), (2) an interactiveproject management website and (3) alearning management system forinteractive use by the learners andproducing reports for both the financeand examination results requirements.

The Risk Academy would be designed

to allow multiple access for Group-,Business Unit- and Learners levelswithin the Bank and its affiliate legalentities. Compensation was made inthe Risk Academy design toaccommodate US, UK, EU and nonEU multinational access and use, dataprotection laws relating to HR andexaminations and reporting protocolsaligned to national regulations.

In addition the risk specialists wouldprepare the course materials,examination questions and answers,and provide expert risk trainers toconduct most of the risk upskillingcourses in six main cities.

The Risk Academy was designed to‘pull’ the users to it, by emailmessaging, gaming, discussion andchat groups and a Risk AcademyMembership Smartcard to tracklearning progress by the riskexecutive.

As the Main Vendor to the RfP, therisk specialists were ‘responsible’ toaccommodate the learning materialsand make the examination functionsavailable to other sub vendors toensure the total risk upskilling projectwas contained within the Risk



11

Academy model. The Main vendorswould meet with the subvendors tofacilitate the transfers of data and itsmanagement (generating reports, etc)to the Bank as agreed.

III Key Project Skills,Determining Risk Roles andIdentifying the RiskCommunity

The Need for Project ManagementSkills

Within a 3-month period aftercontract signing an initial kick-offmeeting took place with additional,wider stakeholder meetings followingin London and the Bank’sheadquarters over the ensuing 6months. During the meetings itbecame clear that project managementskills were light among the variousBank’s HR teams; they were candidabout this and when the risk specialistsrecommended a project managementworkshop for the combined RiskAcademy Project Team Leaders andKey Stakeholders, it was the RiskChampions who worried that thiswould ‘slow the project down’ and thisinternal training among the top teamdid not take place. One observer later

noted that when the Bank’s keyproject manager was removed andrelocated to her home country (ratherthan at the Bank’s HQ) the handoverwas delayed and the project ground toa halt 9 months into the project - thesummer of 2013 - as the new projectmanager came on board having mademajor structural changes to the projectwithout engaging the risk specialists orthe entire project team bothhorizontally and vertically.

While this might still have occurred ifa strong PM protocol had been inplace it would have been less likely askey team members, Bank departmentheads, and the risk specialists wouldhave engaged an agreed change order,standard operating procedures (SOP)and approval procedures which wouldhave ‘corrected’ any project ‘runaway’or ‘drag’ scenarios.

The risk specialists were ultimatelyable to propose a detailed trainingprogramme, project teamsorganisational chart, pilot and trainingroll-out timetable, travel,documentation and logistic plans andoperational budgets, development anddelivery of a hosted project websiteand learning management system to

engage the delegatesduring the

actual learning, to sit exams, ratetrainer performance and offercomments. This was delivered at thesame time as the content outlines forthe original 45 risk upskilling topicspresent within the RfP and distributedto the Risk Champions across theGroup for comment/approval. As thisgroup were responsible for promotingand enabling implementation of therisk upskilling project (but haddeliberately not been consulted at thedesign stage) it is not too hard toenvision what was about to happennext. Let us come back to this a bitlater.

The Challenge of Determining RiskJobs Roles and Levels

The next major challenge arose whenit became evident that the Bank didnot have risk job descriptions,competencies and training needsmapped to each job role and level. Partof the challenge was that the Bankprepared its risk upskilling to existingrisk jobs roles and levels defined in thepast (pre Basel) and clearly not inaccordance with Basel II/III orinternational best practise. As thesepre-existing risk job roles and levelshad been pre-approved by the ChiefRisk Officer and the Bank’s Board, andan RfP had been published, it wasconsidered ‘inefficient’ to suggest theyreturn to first principles and startafresh by delineating the proper and

updated risk roles compliant to thechanging banking codes.

Hence the risk upskillingbegan with critical flawswhich led to theomission of largenumbers of people



12

in risk and whole departmentsengaged in risk managed activities andsubject to internal audit andcompliance scrutiny.

In order to earn buy-in with the RiskChampions it was agreed to schedulean interview with each of the eightRCs to allow the external riskspecialists to ‘take the brief ’ on thetraining needs as perceived by theRCs. During this interviewingprocess the risk specialists – meetingsaccompanied by the Group HRNumber 2 – it emerged that nearly450 people in treasury andoperational risk functions had beenomitted from the original projectheadcount as they were not deemedpart of the risk community. A budgetto include this group had to benegotiated internally which was notapproved as it would have hadembarrassing implications. Parts ofthe operations group were notsubsequently included into the riskupskilling. This was red-flagged tothe Risk Champion responsible forthis area and a message sent up theline internally to the Group CRO.

Another major result of the meetingsbetween the risk specialists, the RiskChampions, local CROs and businessheads was the deconstruction of the 3-5 days of training block for each riskcommunity member annually (10 daysin total) and change to a 1-,2- and 3-day training programme throughoutthe year to allow for less time awayfrom the workplace.

The ‘new’, shorter training eventswere now ‘stand alone’ learningexperiences, not part of a week-longlearning experience, and as suchrequired complete deconstruction ofthe pre-approved course content.What began as 54 risk topics andindividual courses emerged as 80 riskand remedial level upskilling topics.The entire training programme andschedule – the mapping of job rolesand levels to competencies andtraining courses to achieve thosecompetencies, and the dates andlocations to deliver those trainings –had to be discarded and rewrittenfrom scratch, effectively doubling theoriginal ‘concept’ stage of the projectboth in budget and time. The businessheads, local CROs and RiskChampions were able to redesign the

risk upskilling to meet some of theirperceived critical learning/trainingneeds for their teams including topicssuch as Business Mathematics 101,Business English 101 andUnderstanding Balance Sheets. Theywanted more training for their teams,not simply risk management upskillingand they were able to achieve this inthe end.

Data Requirements to Identify theBank’s Risk Community

The fourth major challenge at theproject outset was that the Bank didnot have a database or means toproduce a single report of names,contacts details, job roles and levels,company ID numbers, emailaddresses, business unit ID codes fortheir deemed risk community withinthe bank and within its regulatedaffiliate legal entities. This requiredanother non-budgeted project andalthough only 2,500 individuals wasextremely labor intensive andrelatively slow to achieve (6 weeks)and in fact an on-going process asmanagers and staff were reassigned todifferent departments, were hired orleft the Bank as part of the wind downprocess.

Once the risk community wereidentified it was possible to create asnapshot of where the risk knowledgeexisted within each department, team,geographic unit and individual and toproduce an interim report to the ChiefRisk Officer, Group HR and the Board(and later, to indicate improvement,the regulators).

Working within the Bank’s owndefined six risk job roles and threelevels, a 2,500-person on-line initialranking survey was created. Five setsof 30 questions and answer banks weredesigned to measure how much of theknowledge required for each risk jobrole and three levels was actuallyknown by the employees (credit andmarket risk were blended into one setof questions). It was considered to bethe fastest, least expensive and mosteffective means to show the areas ofknowledge and gaps, and with itsresults the risk specialists would designthe techniques, skills and behaviourcourses and learning pathways toachieve competency in riskmanagement.

The key message here for banks andfinancial institutions preparing toengage their Risk and HR top teamsis that should be a strong connectionbetween the senior management riskteams and the business unit levelCROs and risk teams. This gap incommunication can manifest itself inunexpected ways during risk job rolesidentification and upskillinginitiatives.

IV Project Challenges,Successes and Key LessonsLearned

A) What were the main riskupskilling project challenges?

Uncertainty: The regulator and thebank’s Board were making decisionswhich would make a profound impactas to the budget and planning for the24 month long project which oftenhad milestones unrelated to thetraining initiative; this resulted in astop-go-stop-go scenario whichcaused delays and cancellation fees atshort notice to the project for the first12 months. There was a widespreadclimate of anxiety among the projectparticipants as daily press reportspromoted messages of massive layoffsand fear for managers and employeesall levels at the Bank.

Unfamiliarity: The Bank’s GroupHuman Resources, led by a successfulchange management expert, had arelationship with the Group ChiefRisk Officer but little knowledge of orworking relationship with the riskmanagement teams within the bankand as such was challenged to initiallyidentify risk jobs/roles from amongstthe headquarters and the numerousrelated affiliate legal entities. The riskspecialists travelled with the bank’sHR Project Leaders to various bankdivisions to help identify thoseemployees who should be ‘counted in’and become members of the RiskCommunity and budgeted to receivetraining. One benefit of this was thatan entire operational risk team ofnearly 450 employees had not initiallybeen included in the Group HR’sheadcount of the bank’s riskcommunity. Without an understandingof Basel II and Operational risk, thisvital unit was overlooked as wasoperational risk training for the creditprocessing units.



13

Data Unpreparedness: There was norisk jobs/roles database at the bank inany of its functions at any level.Names, employee ID numbers,business unit/department/functionnames were different acrossgeographic units and historicallywithin the bank’s HQ and requiredcontinuous assurance in order toproduce detailed reports to the Boardand the regulator that individualswere engaged in risk managementtraining.

Technology and systems: In theabsence of their own LearningManagement System the Bankengaged the ACCADEMIAProgramme which provided a hostedLMS for their use for this project tosave time and resources. Access to theinternet and issuing user names andpasswords required clean data from awide range of bank sources. Thesevaried widely amongst and betweenthe geographic business units and legalentities; spellings when translated intoEnglish, accent marks and symbolswere not transferable between ITsystems resulting in errors,inconsistent department codes, emailserver blocks, and general internetaccess were all addressed on a rapidresponse model to get the projectrolling. The risk specialists ProjectManager handled all theIT/Operations support and interfacewith the bank’ s IT manager and HRdepartment heads as well as the totaluser group (approximately 1500people).

Team Building/Project Buy-In: Thebank’s internal transition from GroupHR/CRO to the business unit levelHR/CROs was ‘pushed down’ to anoperational level for the training roll-out requiring the risk specialistProject Managers to travel to each ofthe six countries to work with thelocal HR teams to apprise (oftenjunior or new) HR staff of theprocedures, costs and operationallogistics of identifying, inviting andclearing employees to leave theirdesks to attend required courses. TheBank’s business unit heads werechallenged to let their teams go totraining courses and there werenumerous ‘push me-pull you’moments between HR, the RiskChampions, risk specialists at Groupand local levels.

Morale and Mobilisation: Ensuringa successful risk upskilling projectmeant the bank and its employeesneeded to feel ‘this was worth it’which was difficult when press reportsregularly appeared in national andinternational newspapers as the tobank’s crisis and talk of massive lay-offs and wind-down of departments.Group HR was challenged once againwhen the HR policy – if you join thefirm, get the benefit of ‘free’ technicaltraining and then leave the bankwithin 24 months you would beobligated to repay the bank for thetraining - resulted in forcing a‘financial burden’ on internal transfersand new hires into the risk teams. This‘burden’ was a deterrent to gettinggood risk people in the risk teams. HRhad to petition the Bank Board tochange a company policy toaccommodate the changing bankorganisational structure and the riskupskilling project in parallel. Thetraining project was ultimatelyclassified as ‘Strategic’ and as suchexempted from the Bank’s HR policy.

The Group CRO was actively engagedwith the bank Board and the Regulatoron a daily basis and was not able to bean active champion internally for therisk training project or to the riskemployees. Hence with Group HRand the risk specialists created a RiskChampions programme intended totrain the business unit level CROs toqualifications and help them lead theirrisk teams and take advantage of thetraining programmes being madeavailable to employees.

This proved to be a mixed blessing:these highly competitive young menand women were actually vying forleadership roles within the newlyreforming bank and while runningtheir divisions (credit risk,rehabilitation, credit processing, et al)only engaged with the risk academyproject ‘under duress’ to approvecourse materials and local case studiesto be presented to their teams. Theywere also not keen – and never did –take any exams themselves – nor wasthis pressed upon them.

Procurement and Finance: Group HRhad little experience with either theGroup Procurement or Financefunctions within the Bank prior to thisproject. By the end of the tender there

was also little time available inpreparing for this project to allow thebank’s finance function to work withlocal procurement and the financedepartments in each of the legalentities to disperse their trainingbudgets to a single or multiple trainingproviders and to standardise invoicingprocedures, protocols and payments.

Payment policies and documentationrequirements to process invoicesvaried widely within and outside theEuropean Union locations (e.g.taxation) and business culture (e.g.originals, faxing, use of official stamps,postal vs electronic, e-signatures, etc).This resulted in inconsistencies inproducing invoices and delays incollections often requiring ‘paymentcatch up time’ and training stoppageswhen open balances ran over sixfigures (Euros).

B)What were the main riskupskilling project successes?

Ultimately the external risk specialistswere given the authority by the Bankto take the lead in consulting,designing, promoting, operating anddelivering the training programmeworking closely with Group and thelocal HR teams. This involvedperiodic face –to- face meetings at theBank’s headquarters, regular weeklyconference calls with the Group HRProject Manager and local HR headsto work out practical matters in areasonable manner but with room toadd terms and conditions as needed tomeet new challenges as the RiskAcademy rolled out and grew withinthe entire bank and among itsaffiliates.

Once the preliminary hurdles werecleared the training roll- out changedfrom a 3-city ‘hub and spoke’ model(bringing employees from 6 countriesto 3 cities) to a localised trainingmodel. This was mainly as a result ofhigher than planned for travel costsand the lower, pre-established annualtravel budgets set for training by thebank. Addendums to the FrameworkAgreement (contract) allowed formore efficient and ‘back-to-back’training scheduling reducing travelexpenses by more than 40% andkeeping fewer employees spendingvaluable work time driving or flyingbetween training centres.



14

The project has been considered asuccess. Project Leaders and Managers– the Bank’s and the Risk Specialists’ -met a difficult fast-track timetable anddelivery schedule. Between August 1and October 31, 2012 the RiskAcademy project was conceptualised,agreed, project ‘infrastructure –human and data/IT/systems – weredeveloped and approved/tested,trainers briefed to the special needs ofthis project, language issues, travelfrom London and first pilot trainingsdelivered. Between late February andJuly 2013 nearly 2500 individuals wereexamined/surveyed as to their level ofrisk management knowledge relativeto their risk job/role, risk job roles anddescriptions written/approved, and1500 individuals attended a selectionof 100 different 1-3 day courses,previewed course materials and satonline exams in the classroom, andissued performance reviews of thetrainers using the Risk Academycustomised and hosted LearningManagement System. Of the threelevel groups, nearly all 2500 attendedthe Risk Foundations series (101) andby end of September 2014, 1500 riskmanagers completed level 201 Risk forProfessionals. Level 301 Measuringand Managing Risk workshops andseminars were scheduled for earlyNovember 2014 to complete the 100-person top risk managementspecialists employed at the bank.

Positive exam results of theemployees/delegates ran very high ingeneral, with pockets ofunderdevelopment of risk roles inspecific geographic locations.Remedial programmes were underwayin these areas to further supportlearning and skills development to taketo their daily jobs/roles.

The additional budget and the supportinternally for the Bank’s Risk Academyhas been enhanced both by a decisionto continue funding by the European,the national regulator, and by theappointment of a new Group ChiefRisk Officer appointed in September2014 and the acquisition of the ‘goodbank’ by a foreign group of investorsensuring the Bank’s viability andsustainability.

C) Key Lessons Learned

(1) Governance Preparation for

major multi-departmental changemanagement project is critical, butcircumstances may not always permit.The key to managing a successfuloutcome of a large scale project likethis have a clearly defined top team,their leadership and enabler roles andresponsibilities, professionalism, goodorganisation, good communications,clear goals and agreed methods andtechniques to measure and monitorprogress or flag when progress pathsare de-railed, and with strategies inplace to deal with de-railments quicklyand effectively.

Group Risk and Group HR needthird-party support to bring eachother together, to understand eachothers’ pressures, challenges anddrivers, and ultimately to ideallyembed one of their own into theothers’ camp in the earlier stages of anHR and Risk project. As co-promotersof a risk upskilling or People/ConductRisk initiative a solid workingrelationship must be in place at the topof the organisational chart withdependable, reliable and accessibleindividuals having leadershipcapabilities and channels throughoutthe risk and HR communities withinthe organisation.

(2) Project Definition and ProjectManagement skills are also criticaland were found oddly ill-perceived: fora risk upskilling project Group HR didnot know who were the members ofthe risk community in theirorganisation. How much does HRknow about risk management, its jobroles and levels? Shouldn’t they cometo grips with the topic initially first,then work with the CRO to create thebedrock of relationships needed tomanage the bank’s risk rolessuccessfully, not just recruitment andexiting employees? When it wasproposed to run a risk managementworkshop for HR teams and a PMworkshop at the outset the responsefrom the risk heads were ‘it will taketoo much time and distract us from thereal project’. Lesson learned here? Ifyou are in Group HR and don’t knowthe essentials of risk management orhow to design and run a major projectyour risk upskilling, people risk orconduct risk project will sufferseriously and cost you possiblepenalties, consultant fees, overrundeadlines and as in one case on this

project, loss of your position (Number2 to Group CRO).

(3) Leadership is key. Anotherlesson learned is that without topdown leadership at the highest levelwithin the bank there will be in-fighting and delays. The Bankstruggled with leadership andeventually found it easier to allow theexternal contractor ‘ to run theproject.’ In this case it was thedisconnection of the Group ChiefRisk Officer from the project at nearlyall levels. Often the Group CRO is atechnical specialist and not a credibleteam leader. This means your projectleadership may lay elsewhere. Astrong, talented and effective ProjectManager may leave the project: thesudden departure of the Bank’s GroupHR Project Manager (who wasmaternity cover transfer into theproject) whenher contractwas completedcausing a 3-month delay tothe projectwhilst the newPM executivecame up tospeed andbrought newprocedures andprocesses to ano n - g o i n gproject while in full flow. The RiskChampions had no time to act as theGroup CRO’s emissaries and whileprofessional and personable were notable to add value to the risk academyproject. The Group HR ProjectLeader was will ultimately agreed toallow the risk specialists/consultants totake the project reins, permitting for aclear, strong direction focused on thegoals and tangible objectives,including micro-matters such asmanoeuvrering the risk employeesinto the classroom with the risktrainers or cajoling the various financeheads to cooperate and work as part ofa team.

(4) Ensure Good Project TeamsAs a result of this particular projectand under these rushed and tightplanning deadlines it became clear thatgoing forward insistence should bemade to bring together Group Riskand Group HR, Group Finance andIT/Operations early on. Allowing a



15

without top downleadership at thehighest level ... therewill be in-fighting anddelays

bank’s Project Leaders to say ‘we haverun projects like this before, this/thatwill not be a problem’ just will notsuffice.

Key risk community data was notavailable within HR or the Riskfunctions in the aggregate.Recommending IT to join the projectteam was a vertical climb for the Bankto achieve with much resistance.Once the risk specialists were able toconvince the Bank that they neededto engage an IT manager for thisproject – and the risk specialists’ ITmanager engaged with theirs – thedata mining, data flows and reportpreparations went relatively smoothly.They spoke each others’ ‘language’ so

to speak andd e l i v e r e dcomplex resultseffectively andefficiently.

Ideally theGroup HRfunction shouldhave insisted onhaving finance,operations andIT attend a 1-day RiskManagemen tWorkshop forHR Profession -als for them toprepare foridentifying riskfunctions andjob roles andlevels withintheir organis -

ation and to deal with operational anddata/systems/IT issues. This is thenatural progression driving the recenttrend for HR Departments to searchfor risk specialists to join their teamsas full time technical risk specialistsand in preparation for the People Riskand Conduct Risk rulesimplementation within theirorganisations.

(5) Get Buy-In from ParticipantsInternal marketing, messaging andmobilisation were key issuesaddressed early in the planning stagesas industry reports indicate that while70% of organisations internally markettheir training courses to theiremployees via intranet or externalwebsite this method has an very low

effectiveness rate. With the benefit ofthe risk academy design expertise inthis area – earning professionalCPD/CPE points on a smart card,gaming, chat rooms and social mediachannels, prizes and performanceawards this was part of the ProjectPlan to optimise employeeparticipation.

The mid-2013 replacement of theGroup HR Project Manager had beenbrought in from the bank’s marketingdepartment, which under theturnaround plans, had managed anoutsourced 100% rebranding of theentire bank, from its trading name toits full media. Graphics and soundpackages were available to build intothe Risk Academy ProjectManagement website and LearningManagement Systems to align fully tothe re-branding.

The Bank missed opportunities toensure uptake of the training by theirinternal risk community at varioustimes. The Group HR departmenthad an awards programmethroughout the bank already in placeand was not interested in ‘duplicating’another or having ‘their’ programme‘touch’ the training programme.Hence a rewards or competition –popular among young people at thebank – was nixed.

Use of technologies amongst both thenon-EU bank legal entities was literallyfrowned upon for fear of misuse and alack of familiarity with user technologyhabits of the bank’s millennialgeneration employees. Gaming andtraining on hand held devices wasdeclined (although well established inthe banking and finance sector fortraining).

There was no plan accepted by thebank to mobilise or send ‘sign up forthe ‘free training’ messages by thebank (even once the ‘strategic policy’was in place.) The Group HR ProjectLeaders also did not perceive value inthe ‘push-pull’ mechanism of havingdelegates sign up for participation viathe project website and chose instead,to press upon their subordinate HR

teams in -country to draw up thenames of training budget approvedemployees and sent them in bulk tothe risk specialist training managers for‘signing up’ effectively overriding awebsite system they had bought andwere paying for and taking the‘participant ownership’ out of theequation.

The result was an unplanned formassive wave of data coming from 18legal entities to the single dedicatedrisk specialist training managersresulting in delays in responding todelegates as to when, where they wereattending a course which their HRmanager told them they had toattend, often on very short notice(often on a Friday afternoon for aMonday morning course start inanother city).

It was later made known to theexternal risk specialists that the fear oflosing their jobs in the turnaround wasso fierce that the HR teams took onany additional tasks they could to besure ‘they were needed’ even if itcaused problems for the project andultimately increased costs. Most ofthese were young working mothers inboth EU and non-EU locations so theanxiety was very real to them anddifficult to explain to the ‘foreign’training contractor acting as the defacto Group HR leaders.

The lesson learned here is to bewareof the ‘heavy handedness’ of top downdecision makers (both in Group HRand Group Risk functions) and dispelthe view that training is a ‘perk’ not be‘wasted’ on the younger members ofstaff (as we observed). Explore the‘mission critical’ projectcommunications and messaging toolsavailable, and avert fear by reassuringproject teams and key stakeholdersthat by doing so the project will runmore smoothly, efficiently; and ideallyto engage your project participants inways meaningful to and valued bythem.

The author invites comments or questions on their related projects via email to

[email protected]



16

beware of the‘heavy handedness’

of top downdecision makers

and dispel the viewthat training is a‘perk’ not be

‘wasted’ on theyounger members

of staff

REFERENCES: People Risk April 2012 by Richard Sargeant and Conduct Risk: Doing What is Right by Markus Krebsz, November 2013 published in Global Risk Update

Taking a long look at thefinancial industry – thechallenges it faces and thechanges being pushed

through – is a thoroughly interestingexercise, regardless of one’sperspective. Because when aparticular market experiences radicaltransformation, the urge to commentbecomes an imperative.

The Derivatives Market

The great dynamism seen in thederivatives market is positive as well asencouraging. Bypassing criticisms tosome of these products’ featuresseems to be pushing forward newdevelopments. Ethical drivers may endup creating different operatingprocesses. However, it should benoted that these are changes are beingdriven by investor demands.

Throughout this year, within theEuropean Union context, the MiFIDII Directive and the MiFIR regulationare in effect. At an industry level, theInternational Swaps and DerivativesAssociation (ISDA) has released its2014 Credit Derivatives Definitionsaimed to replace and update the 2003ones, over the final quarter of this year.The driving forces for these changescan again been found at asupranational level, in particular, theG-20 formal declarations in 2009.During its meetings in Pittsburgh andLondon the G20, in response to whatwere considered as “major factors ofcrisis”, insisted on the need for moretransparency in financial markets andthe application of risk mitigationtechniques which would allow to keep(among other things) OTC derivativesunder control. Recent changes in theregulatory frameworks of the leadingeconomies like Japan or the US withthe Dodd-Frank Act, have already setup requirements aimed to giveresponse to most of these demands,completing the picture of a market andan industry, undergoing a radicalreshape.

At the EU level, the efforts seem to beoriented towards building up strongermarkets. There is no questioning onthese products’ characteristics or theimportant financial role they play formany corporations, financialinstitutions and governmentsworldwide.

Let us address some concerns on howthe overall process is managed at thebuy and sell side, by originators andinvestors. The EU Authorities’approach has followed a very logicalsequence. First, they set up aregulatory and supervisory body, likethe European Securities and MarketsAuthority (ESMA) in 2011, followeda few months later by the passing ofthe European Markets InfrastructureRegulation (EMIR) in 2012.Supposedly, if market participants aregiven clear guidelines with a strongcommitment towards implementingthe changes, the derivatives ‘jungle’can be turned out into a friendlierworld.

Both MIFID II and MIFIR regulateaspects of the derivatives’ business.The first one is mainly focused oninvestors’ protection issues. With thispurpose, it establishes position limitsto be held by one person oncommodity derivatives as well asreporting requirements applicable alsoto emission allowances and other typesof derivatives. The information to bedisclosed should differentiate thepositions aimed to outweighcommercial activity risks from otherones. This is a relevant distinction aslimits do not apply to non-financialentities hedging their commercialexposure. Nothing has been said yeton the criteria to apply in order todifferentiate hedging from speculativetransactions. In any case, there are stillmany areas of this Directive, like thisone, which need a more detaileddevelopment. This task is expected tobe accomplished by ESMA by mid-next year through the drafting ofregulatory technical standards.

The MIFIR Regulation, on the otherhand, emphasizes the need for greatertransparency in the market byimposing disclosing requirements onvolumes and prices that would ensurea correct price’s formation. Tradingand clearing obligations for certaintypes of derivatives, portfoliocompression or non-discriminatoryaccess, are just some of the othertopics covered by this law. It reaffirmsthe supervisory role on financialmarkets of ESMA, granting it eventemporary intervention powers on thesale and distribution of financialproducts or the practice of financialactivities, if deemed necessary. Thecorresponding national authoritieswould also share some of theseresponsibilities.

The goal of transparency is achievedby imposing reporting obligations ofderivatives’ contracts to TradeRepositories (TRs) as well as centralclearing through CentralCounterparties (CCPs) for a greatnumber of them. For those, fallingout of this scope, risk mitigationtechniques should be applied. Theselast ones include daily mark-to-market, timely confirmation,

Derivatives: LimitingMarket ChangeAuthor Flora Prieto, a senior risk management specialist based in Madrid, contributed this article,aimed to reflect on the role of debt in the current economic environment.


17

2014 ISDACredit DerivativesDefinitions

Cr2014 ISDA

edit Derivatives

2014 ISDAedit Derivatives

2014 ISDAedit DerivativesDefinitions

CrDefinitions

edit DerivativesCrDefinitions

edit Derivativesedit Derivatives

portfolio reconciliation, portfoliocompression, dispute resolution andexchange of collateral. Certainexemptions may exist depending onthe nature of the transaction (e.g.intragroup) and, indirectly by thedefinition of clearing thresholds.Both financial and non-financialcounterparties may be subject to thisregulation.

The process is still ongoing and manyhave been accomplished in 2014 suchas reporting to TRs started in Februaryand the authorisation of the first CCPtook place in March.

These new rules are not aimed to actas boundaries which would close theEU market to third-country providers

wanting to participate in it as CCPs orTRs, to the extent ESMA, assupervisory authority, would recognizethem. The EU authorities’ mainconcern lies on the potential negativeimpact derived from asking themtwice to comply with the samerequirements. This open attitude mayend up playing a key role in ensuringthat derivatives continue to be a globalbusiness. Its importance may betwofold: from an institutionalstandpoint, because it can contributeto the development of emergingmarkets as these participants need toget adapted to a certain set ofrequirements; and from a marketsperspective, as mechanisms reinforcethe desired transparency which shouldprevail everywhere.

The Impact of Change

Although there are many benefitsexpected from this transformation inthe financial markets some concernsare also arising. Different ISDAresearch reports published throughout2014 have highlighted the fact of anincreasing market fragmentation alonggeographical lines as a consequence ofthe new rules being put in force by USauthorities, and in response to theglobal demands for more regulation ofthe derivatives’ business. The differentregime affecting US and non-USpersons, in terms of obligations ofwhere to trade (trading platformsshould register as SEFs or swap-execution facilities) and what to trade(the made-to-available trade or MATrule defines the products which should

be mandatorily negotiated on SEF)have affected the way the marketoperates, leading to a higherpreference for counterparties of thesame geographical area.

In other words, European dealerspreferably engage in derivatives’transactions with other Europeancounterparties while US-based onestend to do the same amongthemselves. As an example, justconsider Euro interest rate swaps:data released by ISDA shows anincrease in cleared Europeaninterdealers’ activity from 75% in May2013 to 93% one year later. European-US dealers’ transactions during thesame period fell down fromrepresenting 24% to just 6%. An ISDAInsight Survey on end-user’s opinionson these facts revealed a perceivednegative impact on firm’s riskmanagement activities as well as anincrease in costs.

There is the risk that this marketgeographical disruption would tend toconsolidate leading to the surge ofdifferentiated areas where derivativesdeals are arranged subject to specificand different conditions, regardless ofthe product type. Thus, whenreviewing the scheduledimplementation calendar applicable to2014 ISDA Definitions, it can be seenthat not all the same terms wouldapply everywhere. Well-establishedmarkets such as Europe, the US,Japan, Australia or New Zealandwould lead the change from thebeginning while emerging ones, such

Limiting Market Change


18

as EMEA or Latin America would notjoin this trend. In practice, this impliesto acknowledge the fact that marketdifferences go beyond counterparties’peculiarities and get, directlyinfluenced by the existing economicand regulatory environments. It needsto be taken into account that some ofthe most relevant changes are relatedto the consideration of new creditevents (e.g. governmental inter -vention) and widening of settlementfacilities (e.g. asset-package delivery).As these definitions would mostlyaffect credit default swaps, preventingdeveloping economies’ parties fromincorporating them, it can beunderstood like the acceptance of atwo-level industry on the basis of theircorresponding financial systems’stability. This poses a potential threatif understood as if OTC transactionswould be questioning global financialsystem’s presumptions. This hasnothing to do with the unfortunateepisodes of unethical behavior seen inthis industry whose consequences areknown to everybody.

The recent financial crisis is,undoubtedly, leaving its mark on thesechanges. It would be odd to neglectthe importance that setting stronggrounds have for the development ofany market. A clear lexicon, capable ofgiving response to the new financialproducts stream, detailed regulatorytechnical standards defining the needand conditions under which technicalprocesses such as portfoliocompression or portfolioreconciliation should be undertakenor the parties’ acceptance that, despitebeing OTC deals, they should besubject to certain enforceable termsand conditions, result necessary.

The imposed clearing obligation is acommon feature in the laws beingapproved by the different countries, inresponse to G20 demands. However,

despite all the efforts being done, theresults are evident that there wouldcontinue to be a part of non-clearedtransactions. ISDA reports estimatethat they would end up representingaround 30% of the global OTCderivatives activity.

Non-cleared transactions have beentackled by regulatory authorities from adifferent perspective which is mainlyfocusing its interest in the application ofrisk mitigation techniques and definitionof margin requirements. The overallpurpose is to reduce counterparty risk.Financial experts agree on the fact thatthis is a necessary segment of the marketwhich cannot be eliminated. The widevariety of types of existing derivatives,the need for their customization andstakeholders’ interest in ensuringcompanies apply an active riskmanagement strategy, make necessarytheir continuity. The existence ofreduced levels of liquidity as aconsequence of deal’s features (like itsunusual or long maturity periods or itsdenomination in non-frequentlynegotiated currencies,) should not implylower levels of investor’s protection orhigher sources of market instability.

All these steps being taken up to nowand the ones to follow over thecoming years, confirm the critical rolethat adequate hedging strategies havefor any company’s financial success.As it has been mentioned above, aclear distinction is drawn betweencommercial risk’s management andother risks’ management. However, itshould be kept in mind the fact thatthis is a financial alternative notsuitable for everyone. Stricter margindemands, both in the form of variationand initial requirements, do not acttaking liquidity out of the market, butrather the opposite by increasingparticipants’ confidence and keepingbasis risk at a minimum level. Thechallenge lies on the industry which

would need to find out other ways ofgiving response to customers’ needs.

The new regulations have broken upexisting prejudices by allowing thepossibility of limiting positions,defining clearing thresholds, imposingstricter margin requirements or even,temporarily ban a product. There is nodoubt that although this affects allparticipants, non-financial counter -parties are the ones seeing how theirway of doing business changes themost. The fact that the bulk of theirhedging activity may fall under thecategory of commercial risk and,therefore could benefit more fromclearing thresholds, would not preventthem from having to implementinternal monitoring tools, which wouldensure their compliance with the newrules. The consequence of this wouldbe more control on their derivatives’activities. Over the long-run, it is evenpossible to think of the surge of a newmanagerial approach, the corporateportfolio one.

Any attempt to make the derivativesworld a more manageable one shouldlead to positive results from atransaction’s perspective, because thefigures managed in this market are,simply, exorbitant. Companies andinvestors could just feel that theyneeded to be a part of it, despite nothaving at hand, all the necessary toolsfor correctly benefitting from them.From a dealer’s perspective, becausethey have to manage simultaneously -the product, the customer and theirrisk – each of them with itspeculiarities and demands, avoidingany overlaps while taking use of thecapability to supersede some of themby applying some of the mostsophisticated technical tools currentlyavailable in the market.

The author invites your comments and feedbackvia email to [email protected]

Limiting Market Change


19

REFERENCES• ESMA “Annual Report 2013”. [Online]. Available from: http://www.esma.europa.eu/system/files/esma_2013_annual_report.pdf• ESMA “Questions & Answers – Implementation of the Regulation (EU) 648/2012 on OTC Derivatives, Central Counterparties and Trade Repositories

(EMIR)”. [Online]. Available from: http://www.esma.europa.eu/content/QA-X-EMIR-Implementation• EU “EMIR – Frequently Asked Questions”. [Online].

Available from: http://ec.europa.eu/internal_market/financial-markets/docs/derivatives/emir-faqs_en.pdf• ISDA research reports are available at: http://www2.isda.org• MIFID II “Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014”. [Online].

Available from: http://ec.europa.eu/internal_market/securities/isd/mifid2/index_en.htm• MIFIR “Regulation (EU) No.600/2014 of the European Parliament and of the Council of 15 May 2014” [Online].

Available from: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32014R0600

Corporate governance has been a prime concern forregulators and stakeholders since the start of thefinancial crisis. In response we have seen a rangeof pronouncements and

revised sound practices papersseeking to change the way thatbanks operate. Now the Bank forInternational Settlements (BIS)has published new CorporateGovernance guidelines as aconsultative paper for response by9 January 2015.

There are a number of issues thatare interesting about the BIS paperin addition to the Principles thathave been set out (a lucky? 13).The first is that the paper starts witha glossary that actually definesconcepts such as Control Functions,Risk Appetite and CorporateGovernance:

Control FunctionsThe first definition that is of interest iswhat they are referring to as ControlFunctions, which are defined as follows:

“Those functions that have aresponsibility independent frommanagement to provide objective

assessment, reporting and/or assurance.This includes the risk management

function, the compliance function andthe internal audit function.”

It is perhaps interesting that they have highlighted riskmanagement and compliance and actually not mentionedinternal control or ownership of the second line of defence.Risk management and the Chief Risk Officer are generally

decision-making functions and therefore part ofmanagement so it is questionable the extent to which they

can be seen as truly independent.

Likewise does compliance really providethe objective assessment, reportingand/or assurance that is suggested here?In many cases this may not really be thecase. Clearly responsibility forcompliance lies with the first line ofdefence and it is perhaps unrealistic toexpect compliance functions to meetthis objective. Indeed they should workwith the business to find methods tocomply with rules and regulations andtherefore are unlikely to be fullyindependent.

That leaves internal audit, but theycannot really be a control function.Rather they bring periodicindependent assessment to the Boardand therefore to the Audit Committeeas a committee of the Board.

Risk AppetiteAnother definition worthy of consideration is risk appetitewhich is defined in the BIS paper as follows:

“ The aggregate level and types of risk abank is willing to assume, decided in

advance and within its risk capacity, toachieve its strategic objectives and

business plan. “

We use the following general definition:

“The level of divergence from goals and missions which are unacceptable

to the Board”

NEW BIS Bank CorporateGovernance Guidelines:Insights and Analysis Risk Reward Group CEO Dennis Cox, BSc FCA CFSI, is a global banker, Big Four charteredaccountant, risk management and bank internal audit specialist, as well as an internationallecturer and noted published author. As an official Observer to the African Development Bank,Chairman Emeritus of the Risk Forum within the Chartered Institute of Securities andInvestments (UK), former National Council Member of the ICAEW (UK) he is regularly askedto present positions and replies on behalf of financial services professional bodies to the Bankfor International Settlements (BIS). In this article he offers insights and analysis on the latestBIS consultative paper on Corporate Governance for banks.


20

However the definition provided by the BIS is clearlyworkable and the important thing here is the wording“decided in advance and within its risk capacity”. The riskcapacity is defined as “The maximum amount of risk a bankis able to assume given its capital base, risk management andcontrol measures, as well as its regulatory constraints.”Essentially this therefore links directly into the reverse stresstest and the recovery and resolution plan. Within thatcapacity risk appetite as defined here is the level of risk thatthe Board are willing to accept and this clearly has aboundary at risk capacity. It is suggested that no firm shouldhave a risk appetite that is higher than 70% of the riskcapacity as defined in these terms.

Within the paper itself there is a discussion as to what a riskappetite statement really is with the following clarification asto what it should include:

“The [statement] should:

n Include both quantitative and qualitativeconsiderations;

n Establish the individual and aggregate level and typesof risk that the bank is willing to assume in advance ofand in order to achieve its business activities withinits risk capacity;

n Define the boundaries and business considerations inaccordance with which the bank is expected tooperate when pursuing the business strategy; and

n Communicate the board’s risk appetite effectivelythroughout the bank, linking it to daily operationaldecision-making and establishing the means toraise risk issues and strategic concerns across thebank.”

Given this definition of risk appetite and capacity that hasbeen made this is seen as being potentially unhelpful becauseit brings in qualitative and quantitative measures. Ascapacity and appetite are both clearly values then it isnecessary to change all of these measures into values. Notdoing so would surely prevent appropriate risk correlationto take place. And note the alignment of risk appetiteto the strategy of the bank. Risk management is notjust about preventing losses; rather it is aboutensuring that the goals of the bank are achievedwithin stakeholder expectations.

Corporate GovernanceCorporate governance is an often discussedterm but this new BIS consultative paper seeksto provide a definition. It states that:

“Corporate governancedetermines the allocation ofauthority and responsibilitiesby which the business and

affairs of a bank are carried outby its board and senior

management, including howthey:

n Set the bank’s strategy and objectives; n Select and oversee personnel; n Operate the bank’s business on a day-to-day basis; n Protect the interests of

depositors, meet shareholderobligations, and take intoaccount the interests ofother recognisedstakeholders;

n Align corporate culture,corporate activities andbehaviour with theexpectation that the bankwill operate in a safe andsound manner, with integrityand in compliance withapplicable laws andregulations; and

n Establish control functions.”

This raises the issue of corporatebehaviour which is aligned toethical standards stated as actingwith integrity. The requirement toact in a safe and sound mannermeans operating above the minimum standards set byregulators. They remain a minimum but not a benchmarkand need to be exceeded to meet these requirements.

The New BIS Principles: Insight & Analysis

Principle 1: The Bank Board’s overall responsibilities The board has overall responsibility for the bank,including approving and overseeing the implementationof the bank’s strategic objectives, governance frameworkand corporate culture. The board is also responsible forproviding oversight of senior management.

NEW BIS Bank Corporate Governance Guidelines: Insights and Analysis


Risk management isnot just aboutpreventing losses;rather it is aboutensuring that thegoals of the bank areachieved withinstakeholderexpectations.

21

The paper discusses the duty of care and what they refer toas a duty of loyalty which they apply to the bank (of coursethis really means to relevant stakeholders.) To achieve this“Accordingly, the board should:

n Establish and monitor the bank’s business objectivesand strategy;

n Establish the bank’s corporate culture and values; n Oversee implementation of the appropriate

governance framework; n Develop, along with senior management and the

CRO, the bank’s risk appetite, taking into account thecompetitive and regulatory landscape, long-terminterests, exposure to risk and the ability to managerisk effectively;

n Monitor the bank’s adherence to the risk appetitestatement, risk policy and risk limits;

n Approve and oversee the implementation of thebank’s capital adequacy assessment process, capitaland liquidity plans, compliance policies andobligations, and the internal control system;

n Approve the selection and oversee the performanceof senior management; and

n Oversee the design and operation of the bank’scompensation system, and monitor and review thesystem to ensure that it is aligned with the bank’sdesired risk culture and risk appetite.”

Notice the level of concentration on risk appetite within thisprinciple highlighting its importance, a trend we have seenin other papers. By trying to deal with it at this level themonitoring that needs to be conducted by the Board isenhanced. Periodic internal audit is surely not sufficientlyregular to achieve this for the Board and accordingly theywill need to have a structure of reporting metrics which theyare able to monitor to achieve these goals.

The background to the principle continues with the followingimportant statement on the role of the Board: “In order topromote a sound corporate culture, the board should takethe lead in establishing the “tone at the top” by:

n Setting and adhering to corporate values for itself,senior management and other employees that createexpectations that all business should be conducted ina legal and ethical manner;

n Promoting risk awareness within a strong risk culture,conveying the board’s expectation that it does notsupport excessive risk-taking and that all employeesare responsible for helping ensure that the bankoperates within the agreed risk appetite and risklimits;

n Ensuring that appropriate steps are taken tocommunicate throughout the bank the corporatevalues, professional standards or codes of conduct itsets, together with supporting policies; and

n Ensuring that employees, including seniormanagement, are aware that appropriate disciplinaryor other actions will follow unacceptable behavioursand transgressions. “

So the Board needs to be seen to be doing the right thingsand minimising excessive risk taking. Risk management isnot about not taking risks; it is about taking appropriate risksaligned to the risk appetite of the firm. Risk is the realcurrency of banking but imprudent risks are now clearlyunacceptable and are to be avoided.

Corporate ValuesThere is also a discussion regarding this important topic.Changing corporate culture and developing values is nevereasy and the paper proposes the following to deal with thismatter:

“The bank’s corporate values shouldrecognise the critical importance oftimely and frank discussion and

escalation of problems to higher levelswithin the organisation.



22

n Employees should be encouraged and able tocommunicate, confidentially and without the risk ofreprisal, legitimate concerns about illegal, unethical orquestionable practices. This can be facilitated througha well communicated policy and adequate proceduresand processes, consistent with national law, whichallow employees to communicate material and bonafide concerns and observations of any violations in aconfidential way (e.g. whistle blower policy). Thisincludes communicating material concerns to thebank’s supervisor.

n There should be direct or indirect communications tothe board (e.g. through an independent audit orcompliance process or through an ombudsmanindependent of the internal “chain of command”).

n The board should determine how and by whomlegitimate concerns shall be investigated andaddressed by an objective independent internal orexternal body, senior management and/or the boarditself. “

Notice this is bringing the Board directly into the processfor dealing with inappropriate conduct. The use of the termombudsman is also interesting since it suggests almost ajudicial process of independence which most likely does notexist in many firms. Clearly the goal is effective and opencommunication of key issues related to ethical standards andthis is to be encouraged.

Principle 2: Board qualifications and composition Board members should be and remain qualified,individually and collectively, for their positions. Theyshould understand their oversight and corporategovernance role and be able to exercise sound, objectivejudgment about the affairs of the bank.

This is further clarified with the following explanation:

“Board members should have a range ofknowledge and experience in relevantareas and have varied backgrounds topromote diversity of views. Relevantareas of competence include financialand capital markets, financial analysis,financial stability, strategic planning,risk management, compensation,

regulation, corporate governance andmanagement skills.”

What is clearly needed is for Boards to assess the extent towhich the skills needed to achieve these goals are met bythe existing board membership. We would, for example,recommend that a non -executive risk specialist be addedto the Board and indeed provide such people. We alsoundertake training to enhance Board skills in key areas whichalso is important.

Too often the recruitment process within banks has nottaken full account of ensuring that the necessary balance

exists on a Board. This clearly now becomes of increasingimportance.

Principle 3: The Bank Board’s own structure and practices The board should define appropriate governancestructures and practices for its own work, and put inplace the means for such practices tobe followed and periodically reviewedfor ongoing effectiveness.

The explanation discusses the periodicreview of Board performance and therole of chairs of committees, forexample. One of the key issues is therole played by the internal auditfunction. Reviewing internal governanceprocesses is clearly important yetdifficult for the internal audit function toundertake them. The risk for the internalauditors is that they may be producing what might best becalled ‘career limiting’ audit findings. Sometimes delegatedto third-party internal audits governance audits and thefindings have generally resulted in changes to structures,roles and memberships. (On one notable occasion thefindings report resulted in that the entire Board resigned.)The role is important and needs to be undertaken carefullyand with strategic outcomes planned for. This section also highlights that the financial reportingprocess is a key responsibility of the audit committee,replicating the comments in the revised BIS paper oninternal audit in banks. However in looking at the riskcommittee the following is shown:

“The risk committee of the board:

n Is required for systemically important banks. Forbanks of large size, risk profile or complexity it isstrongly advised. For other banks it remains stronglyrecommended.

n Should be distinct from the audit committee, but mayhave other related tasks, such as finance.

n Should have a chair who is an independentdirector and not the chair of the board, orany other committee.

n Should include a majority of members whoare independent.

n Should include members who haveexperience in risk management issues andpractices.

n Should discuss all risk strategies on both anaggregated basis and by type of risk andmake recommendations to the board thereon, and onthe risk appetite.

n Is required to review the bank’s risk policies at leastannually.

n Should oversee that management has in placeprocesses to ensure the bank’s adherence to theapproved risk policies. “

What is new here is the requirement for the members tomostly be independent directors and for the Chair toalso be independent. This is an extension to existingguidance and follows the logic of the internal audit



23

One of the keyissues is the roleplayed by theinternal auditfunction.

risk is thecurrency ofthe firm

committee being made up of independent members.However there is clearly a difference. The risk committeewithin its area of responsibility does look at key limits and ispart of the executive management team. It designs limits andstructures aligned to the goals and missions of the firm beingas interested in making money as preventing the firm fromlosing money. While it is agreed that some external inputcan improve the quality of the debate at such a committee,risk is the currency of the firm and therefore the majority ofthis committee should in our opinion be executive.

Principle 4: Senior management Under the direction and oversight of the board, seniormanagement should carry out and manage the bank’sactivities in a manner consistent with the businessstrategy, risk appetite, incentive compensation and otherpolicies approved by the board.

There is nothing new in this area of guidance.

Principle 5: Governance of group structures In a group structure, the board of the parent companyhas the overall responsibility for the group and forensuring that there is a clear governance frameworkappropriate to the structure, business and risks of thegroup and its entities. The board and seniormanagement should know and understand the bank’soperational structure and the risks that it poses.

Again this is hardly surprising. However there is someimportant information in the key clarification statementprovided:

“In order to fulfil its responsibilities,the board of the parent company

should:

n Establish a group structure (including the legal entityand business structure) and a governance frameworkwith clearly defined roles and responsibilities,including those at the parent company level and thoseat the subsidiary level;

n Define an appropriate subsidiary board andmanagement structure to contribute to the effectiveoversight of businesses and subsidiaries, which takesinto account the different risks to which the group,its businesses and its subsidiaries are exposed;

n Assess whether the group’s corporate governanceframework includes adequate policies, processes andcontrols and addresses risks across the business andlegal entity structures;

n Ensure the group’s corporate governance frameworkincludes appropriate processes and controls toidentify and address potential intragroup conflicts ofinterest, such as those arising from intragrouptransactions;

n Approve policies and clear strategies for establishingnew structures and legal entities, and ensure that theyare consistent with the policies and interests of thegroup;

n Assess whether there are effective systems in place tofacilitate the exchange of information among the

various entities, to manage the risks of the separateentities as well as of the group as a whole, and toensure effective supervision of the group;

n Have sufficient resources to monitor compliance ofsubsidiaries with all applicable legal, regulatory andgovernance requirements; and

n Maintain an effective relationship with both the homeregulator and, through the subsidiary board or directcontact, with the regulators of all subsidiaries. “

Nothing here is revolutionary but it certainly is evolutionary.The most important sentence here is that the Board shouldmonitor local compliance. That is quite a challenge. Theexisting structure of compliance will need to be enhanced toachieve this perhaps with internal audit also changing theirrole. However to get internal audit to understand localregulation in sufficient detail to undertake this role will alsorequire training and some changes to the nature of theirpersonnel.

Principle 6: Risk management Banks should have an effective independent riskmanagement function, under the direction of a ChiefRisk Officer (CRO), with sufficient stature,independence, resources and access to the board.

This section is a reiteration of the existing requirements.

Principle 7: Risk identification, monitoring andcontrolling Risks should be identified, monitored and controlled onan ongoing bank-wide and individual entity basis. Thesophistication of the bank’s risk management andinternal control infrastructure should keep pace withchanges to the bank’s risk profile, to the external risklandscape and in industry practice.

The important point again to notice here is the emphasis onthe entity basis. The obligations of entity Board directorsshould be enhanced to meet these requirements.

The paper does in some ways duplicate the soundpractices papers including the one on stress testing, whichis perhaps surprising. However there is little here which isactually new.

The remaining principles are as follows:

Principle 8: Risk communication An effective risk governance framework requires robustcommunication within the bank about risk, both acrossthe organisation and through reporting to the board andsenior management.

Principle 9: Compliance The bank’s board of directors is responsible foroverseeing the management of the bank’s compliancerisk. The board should approve the bank’s complianceapproach and policies, including the establishment of apermanent compliance function.

Principle 10: Internal audit The internal audit function provides independent



24

assurance to the board and supports board and seniormanagement in promoting an effective governanceprocess and the long-term soundness of the bank. Theinternal audit function should have a clear mandate, beaccountable to the board, be independent of the auditedactivities and have sufficient standing, skills, resourcesand authority within the bank.

Principle 11: Compensation The bank’s compensation structure should be effectivelyaligned with sound risk management and shouldpromote long term health of the organisation andappropriate risk-taking behaviour.

Principle 12: Disclosure and transparency The governance of the bank should be adequatelytransparent to its shareholders, depositors, otherrelevant stakeholders and market participants.

Principle 13: The role of supervisors Supervisors should provide guidance for and supervisecorporate governance at banks, including throughcomprehensive evaluations and regular interaction withboards and senior management, should requireimprovement and remedial action as necessary, andshould share information on corporate governance withother supervisors.

Again much of this actually duplicates more detailedguidance provided within existing sound practices paperswith little additional information.

What is Missing

The question perhaps is what if anything is missing. Noticethat there is a lot of focus on risk appetite and riskmanagement, together with compliance and financialreporting. What there is less focus on is the strategy andprofitability of the firm leading to long term survival. In thecurrent climate given the level of change that is currentlytaking place it is clear that Boards need to be forward lookingnot only in their risk management but also in their strategy.To an extent the paper is rather negative and this is perhapsunderstandable (if disappointing). However there are clearmessages here which any firm should take into account.

Take away message

Whilst this is a consultative or discussion BIS paper wewould not anticipate major change prior to finalisation.Hence we recommend that firms consider their governancepractices against this benchmark and begin to develop aprogramme to deal with any gaps that are perceived to exist.

The author invites comments via email [email protected]



Risk Reward Ltd, recognised as a CISI AccreditedTraining Provider, has developed training for theAccredited Risk in Financial Services qualification andoffers the most comprehensive and intensive course opento the public, banks, institutions and governmentagencies worldwide.

This 3-day programme is delivered by majorinstitution risk management professionals (riskmanagers, bankers, brokers, dealers and internalauditors) and will cover:

n Principles of Risk Management n CorporateGovernance and Risk Oversight n International RiskRegulation n Operational Risk n Credit Risk nMarket Risk n Investment Risk n Liquidity Risk nModel Risk n Enterprise Risk Management (ERM)

Who should attend? Thequalification is appropriatefor Risk Managers, InternalAuditors, ComplianceOfficers, External Auditors and Consultants and Suppliers.

The price per delegate for the 3-day programme is£1345 (+ UK VAT when applicable).Please remember to budget £350 for the Link Pack (Textbooks forDelegates personal use, 1 year Student Membership to CISI and ExamFees).

2015 Global Public Course dates – CISI

Risk in Financial Services CertificateLondon Feb 3-5 Sep 7-9Dubai Mar 16-18 Nov 9-11

Public Training CoursesPreparatory training to internationally recognised qualifications

For more information about training, to book or ask for an in-house quote pleaseemail Tony Subryan at [email protected] or telephone +44 (0)20 7638 5558.www.riskrewardlimited.com/public-course-calendar

25

Risk in FinancialServices Certificate

Save up to with in-house training.

Please contact us

for details.

60%

Whatever your views on Climate Change –natural or man-made or a bit of both - it is clearthat no business (or government) can ignorerecent extreme weather events and the

momentum that is starting to build amongst worldgovernments towards more action and regulation aimed atreducing carbon and other greenhouse gas (GHG)emissions which are thought to contribute to climatechange. Whilst much of the impact of additional regulationis likely to fall on the major emitters in the energy and powergeneration sector, there is no doubt that climate change inall its aspects will become of greater import to the widerglobal business community.

Although great efforts are being made on the global stagethrough organisations like the United Nations on the needto combat climate change by reducing the GreenhouseGases (GHGs) emissions, the lack of global action is thewrench in the wheel slowing this battle against climatechange. On September 23rd 2014 more than 120 Heads ofState attended the United Nations Climate Change Summitin New York under the mantra of catalysing action for therun up to the 21st Conference of Parties (COP) in Paris2015 and post 2020 commitments. Although this summitgenerated mass media coverage of the awareness that furtheraction must be taken to combat climate change, it yieldedlittle in the way of new commitments which only increasesthe uncertainty in the international regulatory environment.Furthermore, key political leaders in China, India, Russia,Germany and Australia emissions failed to attend thissummit in New York which sends a signal of a lack of globalconsensus leading to further uncertainty at the global level.

It is clear that ‘something’ must be done to reduce GHGemissions however, the what and the how is still a topic opento wider debate and varying opinions which have lead todivergences in the response of countries to climate change.These divergences have led to risks facing businesses due toclimate change varying from country to country.

In this article we consider the various aspects of climatechange risk facing UK businesses – all 4.9 million of them –trading domestically and internationally.

In general, for each aspect of Climate Change Risk allorganisations will have to consider:

a) The potential impact b) Timeframe involvedc) Whether or not the Risk is Direct or indirect d) The likelihood of occurrence ande) Magnitude of the impact

For the purposes of this discussion Climate Change Risk canbe categorised into 2 main areas which we will examine inturn: the impact of regulation and the impact of extremeweather events.

The Implications ofClimate Change Risk David A. Thompson, FCA is a chartered accountant and turnaround business leader based in theUK for more than 30 years. As part of a fund raising unit for technology firms seeking toexploit innovations in the global environment and energy sectors he sees climate change riskimpacts firms and their funders alike. In this article he explores how an awareness of theexistence of Climate Change Risk in all its guises is essential for all financial institutions investingin or to lending to businesses wherever located but particularly those businesses operating inparts of the world that are subject to greater climate change regulation and/or frequent extremeweather events.


26

I The Impact of Regulation

The UK is one of the 28 member countries part of EuropeanUnion Emission Trading Scheme (EU ETS) which meansthat the UK businesses with installations that meetEuropean Commission (EC) criteria1 are subject to the rulesand regulations dictated by the EC. These regulations relateto issues surrounding the Cap-and-Trade system for examplethe cap of the installation, the monitoring, reporting andverification (MRV) process, the allocation of allowanceswhich all fall under the National Allocation Plan (NAP). Inaddition to this the UK has its own country specificregulations on climate change stemming from the ClimateChange Act 2008 which set a legally binding target toreduce UK’s GHG emissions by at least 80% by 2050.

With regard to UK businesses one of the most pressingregulations is the recent introduction of mandatory carbonreporting for companies listed on the London StockExchange (LSE) to publish full details of their GHGemissions2. The idea is that creating more transparencythrough the financial statements, will allow publicperception to shape the decisions of investors andconsumers by employing the forces of public pressure. Theperceived risks to business is linked to reputational riskwhere companies with activities that damage theenvironment and inadequate steps are being taken tomitigate this, these companies will suffer from a loss ofbusiness as investors and consumers choose other cleanercompanies. At the times of this article mandatory carbonreporting only applies to companies listed on the LondonStock Exchange however there are talks of extending thisbeyond listed companies.

In July 2014 the new Sentencing Council Guidelines cameinto effect where a tariff-based approach to the sentencingof environmental offences was introduced where criminalcourts will be required to take account of the guideline whensentencing wrongdoers. Also the size of the penalties forenvironmental offences3 has increased4 for example for largeorganisations where turnover is greater than £50 million canface fines up to £3 million. Furthermore, fines in thehundreds of thousands will become more the standard ratherthan the exception. Therefore the risks of non-complianceto business are the loss of revenue and the potential ofreputational damage following the sentencing.

There are a number of issues that businesses need to beaware of to avoid the implications of climate change risk butalso benefit from the changes in regulations;

a) Changes being needed in product ranges andassociated production technology and facilities due tochanges in demand for certain items (low carbon vhigh carbon – e.g. the motor vehicle industry),

b) Product specifications needing to be reviewed to

comply with new regulation,c) Increase in the cost of R&D into low carbon productsd) Changes to the skill sets required by employeese) Changes in local government planning requirements

resulting in higher standards being set for buildingprojects leading to development projects beingdelayed or shelved.

f) Increased capital expenditure costs to meet newstandards,

g) A move towards greener energy solutions (which aregenerally more expensive),

h) Reduction in governmentsubsidies for Green energyfurther increasing the cost tobusiness

i) The introduction of carbonpricing schemes (e.g. Cap &Trade as in the EUEmissions Trading scheme,the Auctioning of CarbonAllowances or Taxation),leading to additionaladministrative burdensand costs,

j) More regulation givingrise to increasedmonitoring by theauthorities and stricterenforcement and higherpenalties for failure tocomply fully withregulations.

k) Reduced publicexpenditure on waterways, coastalmanagement and other projects intended to mitigatethe effect of Climate Change resulting in weaker flooddefences leading to increased risk to businesses andcommunities located in coastal, low lying and othervulnerable areas.

The risks and opportunities stemming from climate changepolicy are increasingly becoming more perception based,therefore companies which invest in greener technologiesand have more environmentally friendly activities canbenefit from a boost in its corporate social responsibilityimage which improves the brand status.

However, before taking any action, businesses should seekto quantify:

n The potential financial implications of the risk n The methods proposed to manage the riskn The costs associated with such proposed methods

This process is critical to mapping the extent to whichembedding a green culture within a company can benefit or

The Implications of Climate Change Risk


27

1 These include power stations, oil refineries, offshore platforms and industries that produce iron and steel, cement and lime, paper, glass, ceramics and chemicals.Also depending on the level of combustion, universities and hospitals may be included. Lastly, aviation operators flying into or from a European airport arealso covered by the EU ETS.

2 Starting in October 20133 The unlawful deposit of waste and the discharge of polluting matter into the air, freshwater or groundwater4 Subject to the nature of the offence i.e. no culpability, negligent, reckless or deliberate

cost the company which will ultimately determine the paceat which the ‘green’ pivot will happen for the UK businesses.

II Risk driven by changes to the weather orclimate

There have always been extreme weather events however itdoes seem that these have been occurring with greaterfrequency. No business, wherever located, can afford todiscount the possibility and ignore the consequences of anextreme weather event. The challenges that UK businessesface stem largely from flooding and coastal erosion,increased competition for water, energy and materials; andthe disruption of transport networks and communicationlink.

In recent years we have seen searing heat waves over thesummer months with falling levels of rainfall to some of thecoldest, fiercest winters in decades and the worst flooding ina century. Changes in the frequency and intensity of rainfalland with trends indicating increasing the flooding frequency,businesses previously used to operating in relatively benignclimatic conditions, particularly those located in near riversystems or in low-lying and/or coastal areas, should considerhow to mitigate the risk of damage to infrastructure anddisruption to the business operations.

Businesses that rely largely on fixed assets especially nearmain rivers or the coast, or have complex supply chains or

rely substantially on natural assets have a particular acuterisk to changes in the climate dynamic. Although, it is likelythat the risk of operating in such extreme conditions hasbeen a major part of operating considerations for many yearsbut with climate change the frequency, duration andmagnitude of weather events have changed and businessesmust have the ability to accurately risk assess these changesto weather.

For UK business the main risks factors5 are:

n Possible decrease in output for UK businesses due toan increase in supply chain disruption as a result ofextreme events.

n Risk of increase in monetary losses as a result ofinterruption to business from flooding.

n Greater variability in the availability of water.n Potential loss of staff hours due to high internal

building temperatures (assessed as being of particularrelevance to health, education and retail sectors,which have large workforces).

Businesses that are not directly subject to the main riskfactors should be aware of the interconnectivity of thedomestic to the international economy. For exampledisruptions to the transport links can have a knock on effectsthat ripple through the economy or businesses withinternational supply chains have to be ever vigilant of howclimate change is affecting other parts of the world.


28


In planning for such extreme weather events, businessesshould consider:

a) The Impact on operating costsb) The Impact on Capital expenditure on defensive/

protective measuresc) Loss of productive capacityd) Employee welfare and safetye) The possibility of damage caused by an extreme

weather event to business infrastructure resulting inenvironmental damage/pollution due to key systemsfailures, the direct cost of rectification, compensationto local population and loss of reputation.

In the face of all these risks due to weather changes there arealso some opportunities which businesses can be leveragedfor example warmer summers in the UK can provide marketopportunities to especially the tourism and leisure industry.

Investors and Lenders

Awareness of the existence of Climate Change Risk in all itsguises is essential for all financial institutions investing in orto lending to business wherever located but particularlythose businesses operating in parts of the world that aresubject to greater climate change regulation and/or frequentextreme weather events.

An examination of Climate Change Risk and the impact ofan extreme weather event on a business, its profitability, cashflow and its ability to recover operations following such anevent i.e. the insurance policies surrounding weather damageshould be included in Due Diligence process alongside themore usual risk considerations. In high risk businesses it islikely that Investors already plan for these eventualities intheir risk assessment. In addition to this investors also needto be aware of the inter-connections between businesses andunderstand how sectoral responses to climate change maylead to changes in the risks that they have to manage6 whenconsidering where to invest their money.

Corporate Governance

With the onset of mandatory carbon reporting for UKbusinesses listed on the LSE businesses will be required toinclude carbon information within their director’s reportwhich one or more committees will need to sign offinternally. The predicted effect of this is that mandatorycarbon reporting should raise the profile andimportance of climate change to senior levelexecutive.

In addition mandatory carbon reporting willensure that the work that environmental

managers do to measure, collect and report on sustainabilitydata will gain greater recognition from a variety ofdepartments. This will largely be due to the requirement topublish this data within annual reports, rather than onlywithin standalone sustainability reports7.

Mandatory carbon reporting will improve the status andimportance of Climate Change Risk and the management ofGHG emissions as a routine item on the agenda of Boardlevel and Senior Management meetings. However, thequestion is whether mandatory carbon reporting alone willbe enough to change the climate change culture of acompany which is of course dependant on how climatechange risk can be embedded into the corporate governancestructure.

What is sure though is that businesses seeking to expandinto new geographical areas along with their funders willhave to give major consideration to the possible impact ofClimate Change Risk.

Conclusion

Climate change is upon us - whatever the cause - and theimpact is being felt now. Without action it may only worsenfor future generations for many years to come. In themeantime, all businesses and lenders must ask if theirorganisation has considered the impact of Climate Changeand the current and future Climate Change Risks that mayresult in major changes to compliance, operations andprofitability.

The author invites feedback via email [email protected]



5 HM Government UK Climate Change RiskAssessment: Government Report (January 2012)

6 Ibid7 Source: Laura Paddison - Mandatory carbonreporting: can it address climate change? (July 2013)

29

Don’t Be in a Bad Place

If your firm has Financial Conduct Authority permission tohold client money or assets you should, by the time you readthis, be well on the way to completing the changes to yourprocedures and documents in the light of the FCA’s recentrule changes.

It’s well to give this area close scrutiny. Client moneycontinues to be a hot topic for the UK regulator, with aconstant stream of fines handed out to firms for failures ofprocess. As is usual with the FCA discipline, it doesn’t haveto be the case that someone’s actually been caught with hisor her hand in the till, or that the money has gone “missing”.

It’s simply enough that your procedures were notsufficiently robust to prevent the possibility of such an event– or any other infraction – from happening.

And again with FCA discipline, there’s little value in arguingwith the FCA once they’ve made up their mind to thateffect. You may think, with good reason, that yourprocedures are sufficiently robust and point to a blemish-free track record. But if the FCA disagrees with youranalysis, you’re in a bad place.

So it’s good policy to pay close attention to the new rules inthis area. Some of them have already passed theirimplementation date, but most come into effect by the end

Client Money: Don’t Be in a Bad PlaceJulian Sampson is a Compliance expert with a respected track record as both a financialregulator, Chairman of the Chartered Institute of Securities and Investment Compliance Forumand consultant. In this article for the GRU he tackles the challenges of separating FCA ‘reality’from ‘perception’ by banks and regulated entities while confirming that the FCA latest rules arein fact meant to be taken seriously and on time – or else.


30

of 2014 or mid 2015. And the most difficult to implementwill be those which require the co-operation of partiesoutside your firm, and those which require a degree of lateraland green field thinking.

Here are some of the new rules whichmay be more than a simple challengeto overcome:

Letters

In the former camp come the new requirements for theletters to banks holding client money. These“acknowledgement of trust” letters are intended to confirmthe beneficial ownership of the funds in the account andshow their segregation from any other funds held in thebank.

Historically, this area has been rife with poor practice.When these letters did exist (and there have been significantcases where they did not) they had often been done poorly.The FCA pointed out in its Policy and Consultation papersissued in the run up to the new rules that often the mostbasic of execution formalities were not observed – letterswere not dated, signed, or even when they were it wasimpossible to tell who had signed them.

On a more substantive basis, banks had inserted wordinginto the letters that undermined the letters’ substance, andthe FCA often found cases where firms were holding clientmoney in accounts which were not covered by theprovisions of the letter.

All should be much clearer now. The new rule, andassociated guidance, gives firms a number of template lettersto complete, with specified optional text to be deleted orretained as appropriate. The guidance specifies in somedetail how the letters are to beexecuted, right down to theseemingly obvious points, such as this- don’t do it in pencil. Thus manyfirms have made a start with theirbanks in agreeing these letters.

But beware. When dealing with largebanking organisations – especiallythose headquartered overseas – therecan be a time lag. There are a numberof cases where the FCA’s new rules andtemplate letters have yet to filter down to the relevant levelin their organisation where their staff face off to theregulated firm. As such, firms are still being presented bybanks with old-style and soon-to-be-non-compliant letters.This can be immensely frustrating for the firm, but only goesto re-enforce the case that firms should be on the front footwith their banks as soon as possible.

Reconciliations

The new rules also embody a number of seemingly minorclarifications on process and procedure, for example, thoseon the central process of performing the client money

reconciliation. These rules require firms to carry out somelateral and green field thinking. Firms are still free (largely)to choose the process that best fits their business but theymust now define, for example, the frequency with whichthey carry out their reconciliations and their materialitythreshold when dealing with differences. The FCA hasstated that it expects firms to set out in their Client Moneyprocesses just how and why they do things the way they do.

For firms who have been used to a routine process oversome years, this may induce a certain amount of headscratching. Just how often should client money bereconciled? What risk is posed by the volumes oftransactions passing through the client money accounts?What is the link between the two? It’s a reasonableassumption that in the absence of detailed metrics to guidethe firm to an answer, the default position of reconciling ona daily basis will satisfy the FCA. However, for the smallerfirm, this would be likely to impose significant administrativecosts.

Material Breach

It’s the same when considering materiality and therequirement to notify the FCA of a breach. Again, theserequirements aren’t new, but firms need to consider whatthey would regard as a material breach and when they wouldreport that to the FCA. Early engagement with the firm’sauditors will assist this process, given the auditor’s own rolein reporting to the FCA on whether the firm has or has notadhered to the rules.

Diversification

Similar thinking needs to be concluded in the matter of thechoice of bank used to hold the client money. Therequirement to consider both the soundness of the bank,and the need for diversification, are neither of them new.

However both have been given addededge in the new rules. It may nolonger be sufficient for firms to puttheir money with a major UK highstreet clearer on the grounds thatthey are who they are, thinking thatif that bank fails then the FCA – andUK government – will cover therisk. This leads to a much widerproblem than just client money.

So some rationale and documentationof thinking is required. It is likely that those high-streetbanks will still be the chosen client money bank for mostUK investors. But this needs to be a considered process.It’s also likely that most firms will only have a requirementfor one client money bank, notwithstanding the FCA’scomments on the advantages of diversification. For smallerfirms, the administrative overhead of running parallelbanking systems will not be in the client’s best interests.The FCA has more or less acknowledged this, saying that itwill be monitoring the diversification in those firms classifiedas “medium” and “large” client money firms – theimplication being that smaller firms are not quite in thisspotlight.


31

Client Money: Don’t Be in a Bad Place

While no new rules have been issuedby the FCA about the following it isgood sense to ensure these areas areunder scrutiny alongside complianceto the new rules:

Governance

Beyond the detail of the rule changes – and not specificallyreferred to by the FCA – firms need to consider the overallgovernance framework within which client money rests.Governance remains a critical area for the FCA across allareas of firm’s activity, and they will want to know that theclient money operations are adequately overseen by the firm.

All firms holding client money will already have either asenior member of staff holding the “Client Assets / MoneyOversight” controlled function (CF10A) or a specifieddirector responsible for this area. Their knowledge of thefirm’s processes and controls will be critical in convincingthe FCA that this area receives adequate scrutiny.

But it can’t end there. There’s an extent to which the FCAwill assume that this person knows their job - after all, ifthey’re a CF10A they will have already been approved bythe FCA. The FCA are just as likely to question fellowdirectors/non-executives on what they know about clientmoney. For this to come off well for the firm there will needto be a regular routine of reporting from the CF10A ordirector responsible to the Board on client money matters,

and not just once a year. The Board will be expected toknow how the firm comes to hold client money, where it isheld and some details of reconciliation processes. It’sparticularly important that the Board should be fully briefedon any process failure from late reconciliations tounexplained differences on the reconciliations themselves.

Training

All firms holding client money will have already recognisedthe need to ensure that their direct client money team areproperly trained in the new rules. But consider casting thetraining net wider and giving all staff a general overview ofthe issues involved. Any FCA visit may involve interviewswith staff from all levels of the organisation, most of whomwill be remote from the day to day client money process.It’s important that they know what to do if, for example,they open a letter which includes a client cheque. It wouldbe unforgivable if they were allowed to think that they wereacting within the scope of the firm’s procedures by merelylocking such receipts, however securely, in their desk drawerovernight.

And whilst you’re looking at all of this, spare a moment tocheck on the Client Asset Resolution Pack. The rules in thisarea have not changed, but the FCA have recently carriedout a review of Resolution Packs around a sample of firms.There’s nothing inherently complex about the Pack – theinformation content should all be relatively attainable. Thedifficulty is making sure that it is up to date. Most firms willhold their Packs in electronic format, so take care to ensurethat links to relevant folders / directories are all up to dateand working properly.

Timetable

So what should firms be doing in the time still available to thembefore the implementation date? There is certainly still time toget everything in place – but that time should not be wasted.The first step should be to draw up a gap analysis setting outthe changes required to be made to the firm’s processes andpolicies. Once these have been identified, specific individuals/ groups can be identified and tasked with drawing up therevised processes.

The culmination of this exercise should be the approval bythe Board of the new processes and policies. This shouldcertainly be at the macro level, in order for the Board tograsp the strategic issues of why the firm is holding cash orassets at all, and the control environment around them.

Once that process is complete, the firm can relax - but notfor long. Central to the client money and assets regime isthat the firm reviews its relationships and processes on atleast an annual basis. The higher the volume of transactionsor level of balances the more frequent such reviews shouldbe. Such reviews will generally be conducted by or for thedirector responsible, CF10A, and will be reported to theBoard. But there is a consolation: having put so much effortinto the initial re-drafting of procedures and policies, suchsubsequent reviews should be a breeze!

Julian Sampson invites your questions via the GRU Editorial [email protected]

Client Money: Don’t Be in a Bad Place


32

Intellectual capital is recognised as themost important asset of many of theworld’s largest and most powerfulcompanies; it is the foundation for themarket dominance and continuingprofitability of leading corporations. Itis often the key objective in mergersand acquisitions and knowledgeablecompanies are increasingly usinglicensing routes to transfer these assetsto low tax jurisdictions. AccountingStandards have traditionally not beenhelpful in representing the worth ofintellectual property rights andintangible assets (IPR) in companyaccounts.

Future winners will be those who ownand effectively manage intellectualcapital which, an asset such as a brand,patent portfolio, etc. has becomepossibly the most critical successfactor. No sector has been untouchedby IPR.

It is impossible to ‘manage’ withouthaving some understanding of valueand the benefits of good IPRmanagement. Critical issues include:

n Increased returns on capitalinvested in the business,particularly capital tied up inintellectual property

n Increased shareholder valuen A thorough understanding of the

alignment of intellectual propertydevelopment or acquisitions andbusiness strategic objectives

n The ability to make informeddecisions about intellectualproperty development oracquisition

n The creation of new and diverserevenue streams from intellectualcapital and especially from

underused intellectual capitaln The ability to know the valuable

intellectual capital (perhaps withina large portfolio) and so protect itfully, and the intellectual capital ofno significant value which, mightbe sold or abandoned

n Achieving lower overall costsassociated with intellectual capitaldevelopment or acquisition,protection, and utilisation

n Creating internal awareness of theimportance of intellectual capital tosuccess

It is fair to say that the role of IPR inbusiness is often insufficientlyunderstood. It may be under-valued,

under-managed or under-exploitedand enjoying little co-ordinationbetween the different professionalsdealing with an organisation’s IPR. Itis often commonly perceived as thedomain of the legal profession, costlyand difficult to easily and readilyaccess when required. Whether part ofa C-Suite, an accountant, a corporatefinance professional, investor or aventure capitalist a thoroughunderstanding of intellectual capitalespecially IPR is required to do yourjob better. IPR are both important andcomplex.

A good start is by asking the followingquestions:

The Value and Management ofIntellectual Property, IntangibleAssets and Goodwill When a company buys another company, how does it value its brands? When an investor isassessing the value of a technology business how does it value its assets? What's a biotechasset worth? In this article valuations expert Kelvin King takes GRU readers through the legaland accounting principles that govern the valuation of intellectual property rights, intangibleassets and goodwill, a crucial problem for legal, accounting, banking and venture capitalprofessionals and the owners and managers of IP assets.


33

n What are the IPRs used in thebusiness?

n What is the value (and hence levelof risk)?

n Who owns it (could we sue orcould someone sue us)?

n How may it be better exploited(e.g. licensing in or out oftechnology)?

n At what level do we need to insurethe IPR risk?

Legal and Accounting IssuesImpacting IPR Valuation

The current big five issues for IPRvaluation include AccountingStandards, Corporate Governance, Litigation (Defence and Attack),Fairness Opinions and in -processResearch and Development.Let us review the first two here:

Accounting StandardsIFRS 3 business combination valuationallocations, IAS 38 recognition of IPRin accounts and IAS 36 valuationimpairment tests

Purchase accounting must be appliedto all acquisitions (businesscombinations are also treated asacquisitions, and there is no moremerger accounting). Many intangibleassets that would previously have beensubsumed within goodwill must beseparately identified and valued.Explicit guidance is provided for therecognition of such intangible assetsand IFRS3 includes a list of assets thatare expected to be recognisedseparately from goodwill.

The valuation of such assets is acomplex process and nearly alwaysrequire specialist IP valuation skills andfrequently an IP lawyer to undertakethe categorisation the valuer requires.Examples of intangible assets to beseparately recognised and categorisedwithin the purchase cost are set out inthe regulations and include thosemarketing related (trademarks, brands,domain names, newspapermasterheads): customer related(customer lists and contracts): artisticrelated (television programmes,photographs, films, publications):contract basis (e.g. licensing androyalty agreements, contracts fornumerous situations such asadvertising, construction and supply):technology based (patents, computer

software, databases, trade secrets etc.).

Additionally under IAS 36 valuationsneed to be independently tested forimpairment by the valuer on a regularbasis. Obviously one of the valuersfirst questions will be, with advicefrom the IP lawyer, patent ortrademark attorney; has there been anydiminution of the legal nature of theoriginally categorised IP.

Corporate GovernanceThere is developing statute and caselaw which will compel boards ofdirectors to accept that they mustundertake and lead IP decisions ratherthan leave them to management.

n Sarbanes – Oxley. The provision ofvaluation services for audit clientsis prohibited.

n Caremark International Inc. 1996imposed on directors the duty toensure adequate reporting.

n A Walt Disney case in 2003 andResearch in Motion (theBlackberry case) establish thepotential liability of directors inrespect of IP.

The Valuation Expert

For the valuer, this process ofunderstanding is not usually a problemwhen these rights have been formallyprotected through trademarks, patentsor copyright. This is not the case withintangibles such as know how, (whichcan include the talents, skill andknowledge of the workforce), trainingsystems and methods, designs,technical processes, customer lists,distribution networks etc. Theseassets are equally valuable but moredifficult to identify in terms of theearnings and profits they generate.With many intangibles a very carefulinitial due-diligence process needs tobe undertaken together with IPlawyers and in-house accountants.

Overall risk affects valuation analysis,corporate valuation must reflect riskand most importantly risk assessmentshould reflect IPR value.

One of the key factors affecting acompany’s success or failure is thedegree to which it effectively exploitsintellectual capital and values risk.

Management obviously need to knowthe value of the IPR and those risks forthe same reason that they need to knowthe underlying value of their tangibleassets; because business managers needto know, or should know, the value ofall assets and liabilities under theirstewardship and control, to make surethat values are maintained. Markets(restricted or otherwise), institutionsand shareholders need to be educated.Exploitation can take many forms,ranging from outright sale of an asset, ajoint venture or a licensing agreement.Inevitably, exploitation increases therisk assessment.

The Valuation Procedure

Valuation procedure is, essentially, abringing together of the economicconcept of value and the legal conceptof property. The presence of an assetis a function of its ability to generate areturn and the discount rate applied tothat return. The cardinal rule ofcommercial valuation is: the value ofsomething cannot be stated in theabstract; all that can be stated is thevalue of a thing in a particular place, ata particular time, in particularcircumstances. The questions ‘towhom?’ and ‘for what purpose?’ mustalways be asked before a valuation canbe carried out. This rule is particularlysignificant as far as the valuation ofintellectual property rights isconcerned. More often than not,there will only be one or twointerested parties, and the value toeach of them will depend upon theircircumstances. Failure to take thesecircumstances and those of the owner,into account will result in ameaningless valuation.

Value Concepts

There are four main value concepts,namely, owner value, market value, taxvalue and fair value. Owner valueoften determines the price innegotiated deals and is often led by aproprietor’s view of value if he weredeprived of the property. The basis ofmarket value is the assumption that ifcomparable property has fetched acertain price, then the subjectproperty will realise a price somethingnear to it. The fair value concept, in itsessence, is the desire to be equitableto both parties. It recognises that thetransaction is not in the open market

The Value and Management of Intellectual Property, Intangible Assets and Goodwill


34

and that vendor and purchaser havebeen brought together in a legallybinding manner. Tax valuation hasbeen the subject of case law worldwidesince the turn of the century and is anesoteric practice. There are quasi-concepts of value which impinge uponeach of these main areas, namely,investment value, liquidation value,and going concern value.

Methods for the Valuation ofIPR

Acceptable methods of the valuationof identifiable intangible assets andintellectual property fall into threebroad categories. They are eithermarket based, cost based, or based onestimates of future economic benefits.In an ideal situation, an independentexpert will always prefer to determinea market value by reference tocomparable market transactions. Thisis difficult enough when valuing assetssuch as bricks and mortar because it isnever possible to find a transactionthat is exactly comparable. In valuingan item of intellectual property, thesearch for a comparable markettransaction becomes almost futile.This is not only due to lack ofcompatibility, but also becauseintellectual property is generally notdeveloped to be sold and many salesare usually only a small part of a largertransaction and details are keptextremely confidential. There areother impediments that limit theusefulness of this method, namely,special purchasers, differentnegotiating skills, and the distortingeffects of the peaks and troughs ofeconomic cycles. In a nutshell, thissummarises my objection to suchstatements as ‘this is rule of thumb inthe sector’.

n Cost based methodologies,such as the cost to create or thecost to replace, assume that thereis some relationship between costand value and the approach hasvery little to commend itself otherthan ease of use. The methodignores changes in the time value ofmoney and ignores maintenance.

n The method of valuationflowing from an estimate ofpast and future economicbenefits can be broken down tofour limbs; 1) capitalisation of

historic profits, 2) gross profitdifferential methods, 3) excessprofits methods, and 4) the relieffrom royalty method.

Discounted cash flow (“DCF”)analysis sits across the last threemethodologies. DCF mathematicalmodelling allows for the fact that 1Euro in your pocket today is worthmore than 1 Euro next year or 1Euro the year after. The account ofthe time value of money iscalculated by adjusting expectedfuture returns to today’s monetaryvalues using a discount rate. Thediscount rate is used to calculateeconomic value and includescompensation for risk and forexpected rates of inflation.

The capitalisation of historic profitsarrives at the value of IPR’s bymultiplying the maintainablehistoric profitability of the asset bya multiple that has been assessedafter scoring the relative strengthof the IPR. For example a multipleis arrived at after assessing a brandin the light of factors such asleadership, stability, market share,internationality, trend ofprofitability, marketing andadvertising support and protection.While this capitalisation processrecognises some of the factorswhich should be considered, it hasmajor shortcomings, mostlyassociated with historic earningcapability. The method pays littleregard to the future.

n Gross profitd i f f e r e n t i a lmethods are oftenassociated withtrade mark andbrand valuation.These methodsadopt

the differences in sale prices,adjusted for differences inmarketing costs. That is thedifference between the margin ofthe branded and/or patentedproduct and an unbranded orgeneric product.sophie Thisformula is used to drive outcashflows and calculate value.Finding generic equivalents for apatent and identifiable pricedifferences is far more difficult thanfor a retail brand.

n The excess profits methodlooks at the current value of the nettangible assets employed as thebenchmark for an estimated rate ofreturn to calculate the profits thatare required in order to induceinvestors to invest into those nettangible assets. Any return overand above those profits required inorder to induce investment isconsidered to be the excess returnattributable to the IPR’s and whiletheoretically relying upon futureeconomic benefits from the use ofthe asset; the method has difficultyin adjusting to alternative uses ofthe asset.

n Relief from royalty considerswhat the purchaser could afford, orwould be willing to pay, for thelicence. The royalty stream is thencapitalised reflecting the risk and



35

return relationship of investing inthe asset.

n Discounted cash flowanalysis is probably the mostcomprehensive of appraisaltechniques. Potential profits andcash flows need to be assessedcarefully and then restated topresent value through use of adiscount rate, or rates. With theasset you are considering, thevaluer will need to consider theoperating environment of the assetto determine the potential formarket revenue growth. Theprojection of market revenues willbe a critical step in the valuation.The potential will need to beassessed by reference to theenduring nature of the asset, and itsmarketability, and this mustsubsume consideration of expensestogether with an estimate ofresidual value or terminal value, ifany. This method recognisesmarket conditions, likelyperformance and potential, and thetime value of money. It isillustrative, demonstrating the cashflow potential, ‘or not’, of theproperty and is highly regarded andwidely accepted in the financialcommunity.

The discount rate to be applied tothe cashflows can be derived from anumber of different models,including common sense, build-upmethod, dividend growth modelsand the Capital Asset PricingModel utilising a weighted averagecost of capital. This appraisaltechnique will probably be thepreferred option.

These processes lead one nowhereunless due diligence and the valuationprocess quantifies remaining usefullife and decay rates. This willquantify the shortest of such as thefollowing lives: physical, functional,technological, economic and legal.This process is necessary because justlike any other asset IPR has a varyingability to generate economic returnsdependant upon these main lives. Forexample in the discounted cashflowmodel it would not be correct todrive out cashflows for the entirelegal length of copyright protection,which may be 100 plus years, when avaluation concerns computer

software with only a short economiclife span of 1 to 2 years. Howeverpatent legal protection of 20 yearscan prevent infringement situationswhich may be important as oftenillustrated in the pharmaceuticalsector with generic competitorsentering the marketplace at speed todilute a monopoly position whenprotection ceases. The message isthat when undertaking thediscounted cashflow modelling neverproject longer than what is realisticby testing against these major lives.

It must also be acknowledged that inmany situations after examining theselives carefully, to produce cashflowforecasts, it is often not credible toforecast beyond say 4 to 5 years. Themathematical modelling allows for thisin that at the end of the period whenforecasting becomes futile, but clearlythe cashflows will not fall ‘off of a cliff’,by a terminal value that is calculatedusing a modest growth rate, (sayinflation) at the steady state year butalso discounting this forecast to thevaluation date.

Valuation is an art more than a scienceand is an interdisciplinary studydrawing upon law, economics,finance, accounting, and investment.It is rash to attempt any valuationadopting so-called industry/sectornorms in ignorance of thefundamental theoretical framework ofvaluation.

Conclusion

As mentioned earlier, IPR valuation ismore of an art than a science, andwhile important it is clearly complex.The following general principlesconcerning the management andvaluation of intellectual property allowfor making some sense of it all to boththe practitioner and the newlyinducted.

n Principle 1 - Make intellectualcapital a part of the businessstrategic thinking and planning.For example risk control,maximising value, being aware ofemerging technologies, seekappropriate legal protection etc.

n Principle 2 - Understanding therole of intellectual capital. Involvesassessing the importance of

intellectual capital now and in thefuture to the market position andfuture success of your business.Part of this is the challenge toidentify the intellectual property ofothers and avoid infringing theassociated legal rights.

n Principle 3 - Be aware ofcompeting intellectual capital.

n Principle 4 - Know your ownintellectual capital. Imply rigorousprocesses to identify and evaluatethe existing intellectual capital inthe business, creating acomprehensive record of resultsand developing a process foridentifying future IPR beingdeveloped. Positive due-diligence.Successes or not is dependent upona management process to do justthe aforementioned.

n Principle 5 - Identify requiredintellectual capital which s aprocess of forecasting future needs.

n Principle 6 - Acquire anyrequired intellectual capital.

n Principle 7 - Think tax andbalance sheet.

n Principle 8 - Be ready to protectyour rights.

n Principle 9 - Measureimprovements as an essential partof good intellectual capitalmanagement to develop measuresof success of the management andevaluation of IPR.

n Principle 10 - Spread themessage because just as importantas measuring improvements iscommunicating a strategy andprocess, not least via financial PRetc.

n Principle 11 - Know the cost andvalue of your intellectual capital.

Kelvin King invites feedback and questions viaemail [email protected]



36

Jacob Bettany: Perhaps you could begin bytelling us a little bit about your background andhow you became interested in this particulartopic.

Dennis Cox: I’m a chartered accountant with amathematics degree and I got involved in the bankingindustry with one of the Big Six accountancy firms in thelate 1970s early 1980s. I had an interest in forensic work andthat leads quite closely into money laundering deterrence.When I joined the banking industry itself, initially withMidland Bank and later on with HSBC and Prudential,financial crime was very much one of those key risks thatany financial institution has to try to avoid. Trying tomitigate that risk to the maximum extent possible clearlybecomes quite a major issue, and it was a major concern forus working within the risk and audit areas so I clearly had aninterest.

JB: You’ve previously written about RiskManagement from the more mathematical side,is that right?

DC: Yes, I’ve written a book with Wiley Finance on TheMathematics of Banking and Finance, with the intention oftrying to get people to understand the limitations of themathematical techniques as this was one of the problems ofthe financial crisis - but I also did a book with Wiley Financeand the CISI An Introduction to Money Laundering whichhas been out now for a few years and is a good introductorybook for non-specialists with quite a relaxed non-technicalstyle of writing. This book is slightly more technical, thoughI’ve tried as far as I can to maintain a relaxed style so it isactually readable.

JB: Why did you feelthis latest anti-moneylaundering handbook wasnecessary, and what distinguishes it fromother titles in the subject literature?

DC: It’s the level of depth and the style of approach whichI think differentiates this book. It takes up to date rules andregulations from the various regulators including theFinancial Actions Task Force, the Wolfsberg Group and theEU and puts them into a single context, which I don’t thinkanyone’s really tried to do before. It then looks across to theindividual countries and details the things that are differentin the way they have implemented the rules and regulations– because even with all this standardised recommendationsincluding the recent papers for example from the Bank forInternational Settlements - there are differences betweencountries in the way they’ve done it. Clearly theIntroduction to book, is very good for the person who justwants to get an overview for generalists, but the Handbookis a very in-depth work for people already working in thatindustry.

JB: So the book is targeted at financialpractitioners?

DC: Yes, people that are either Money LaunderingReporting Officers or advising those officers or heads of lawor compliance; people that really need to know a reasonableamount about the issues and rules. This is not a book forsomeone who just has a passing interest in financial crime,it’s for someone who is really trying to deter it. Perhaps youare a director in the retail banking or wealth managementand you’re wondering how to apply these rules somewhere

MoneyScience’s Jacob Bettany Interviews Dennis Cox on Anti-money Laundering DeterrenceRules and Practises from Albania to Vietnam

On the occasion of the publication of his latest book, theInternational AML Handbook (Wiley Finance) Dennis Cox shareshis 30 years of financial forensic experience and expertise in thisfirst book of its kind. a compendium of more than 37 globalfinancial markets – featuring the New Markets - their AMLregulations, deterrence rules and practises for the practitioner.Eagerly awaited during its 24 month development and September2014 publication the Handbook has been ranked among the topten books on Google’s Legal rankings. In this interview Coxtouches on some of the key challenging specialists - such asMLROs, Nominated Officers, senior bank management throughto Business Analysts - are faced with in everyday clienttransactions and offers insights and practical wayfinding forthose active in anti-money laundering and deterrence roles.


37

like the Cayman Islands for example, then that will actuallybe included here and you’ll be able to think about the keyissues, think about the nature of the controls and for peoplewho are at that level of seniority. The Business Analysts whoare designing products and trying to think throughapproaches and controls will also be interested in this text.Also, as a tool it’s affordable and it’s designed to be a flexiblewith online text available in individual sections so you canaccess them only as you need.

JB: How did you choose which countries tocover?

DC: Those selected are the major financial centres,countries which banks are most likely to be dealing with. It’salso the ones which produce the best information. In Europeyou don’t get massive differences between countries as youdo in other areas that don’t have the same commonality. I’veincluded the major African financial centres which are alsosome of the ones which have the most interesting rules andregulations or the ones that other countries would looktowards as a source of information. We can’t cover everysingle country in the United Nations – the book would beenormous and it’s pretty large as it is! It was even harder totry to finish it because the challenge is to try to be as up- to-date as we possibly can at the point of publication so there’sa mixture of things that come into choosing but we coverthe most important major financial centres.

Trying to find examples where there have been prosecutionsin countries which we could discuss – that means completedprosecutions not open ones where there is still potentialcourt action – was quite difficult. There aren’t as manypublic cases available once you look towards the developingworld as compared to countries like the UK or the USA. Itwas a challenge finding completed public cases that we wereable to refer to without any risk. Some cases had not beenwell publicised so we were looking at newspaper reports andregulatory reports.

JB: How did you tackle the ever-changingregulation when writing?

DC: Slowly and carefully I think is the answer! It wascertainly a challenge when suddenly a major change wouldcome through just before publication. Actually there was achange between the first and second edits which was quitesignificant and required us to redraft while sections. TheFinancial Action Task Force to replaced theirrecommendations unexpectedly for example and that causedobviously change to come through that then rippledthrough the rest of the book. So the change of regulation isa key issue and trying to keep ahead of it and keep it as freshas you possibly can, with the number of regulations we aredealing with in a single text, was a pretty daunting challenge.

JB: How much innovation, shall we say, is thereto keep up with in financial crime?

DC: Well, financial crime itself is clearly a growth industry.Any techniques used by money launderers tend to stay onestep ahead of the regulators. I would draw a distinctionbetween professional and amateur money laundering.

Regulations in countries are very good at picking up amateurmoney laundering but the connected transactions trail of aprofessional money launderer is much harder for theorganised agencies to try to find their way through. Doesthe approach of the money launderer change? They arealways seeking to exploit a weakness within the bankingsector in an identification process or a payment service andwill go to the area where they think they can most easilydisguise the source of funds. At the end of the day they wantthe funds to be in a legitimate market. As you can see fromthe cases covered in this book, it tends to be errors or greedthat results in the money launderer being found out. Thedifficulty for the financial institution is particularly whereyou have illegitimate and legitimate funds mixed into thesame account so that when they start to ask their enquiriesthey find about the legitimate but they can’t thendifferentiate between the legitimate and the illegitimate.Those kind of areas are very difficult to financial institutionsand it’s always about really trying to understand your clients.Areas where the client is not understood so well and thereis more distance become the kind of areas which moneylaunderers can start to exploit and target. The regulation andthe rules and the guidance are all trying to reduce as muchas possible the amount of risk but it can never eliminate it,that’s just not plausible. As long as there’s crime there aregoing to be money launderers.

JB: Could you give us a brief overview of thetopics that the book covers?

DC: The first section covers the process of moneylaundering and the layering process from the initial fundscoming in from the drug trafficker or thief or extortionspecialist, and then coming in towards the actual processwhich will be layered to try and disguise the initial source ofthe funds and then placed back in the market. The bookthen talks about regulation, whether that comes from theFinancial Action Task Force, or the EU or the UN and thenthe change and the depth of the UK regulator with the JointMoney Laundering Steering Group having produced someof the most detailed rules in the world. Even for countrieswhich are not having to comply with UK regulations theinformation is quite important and we highlight the key partsof it in about 20-odd pages.

Then we go into the Wolfsberg Principles which are anotherset of high level principles before we move to look at theUS regulatory framework which is a nonstandard framework.The way they have organised things in the US at present isquite different to any other country. We then cover thesanctions regime and that is also quite different because it isnot risk based and if someone is on the sanctions regimethen you must not deal with them and that’s it.

We focus on each of the main areas that would exist in afinancial crime deterrent regime. That is in know yourcustomer, the training, or the identification of retail orcorporate customers or whatever, and lead each of thoseareas through to how you should investigate a suspicion.One of the difficulties that many of the banks have is thatutilisation of software means you get quite a lot of falsepositives, transactions that would be reported to theinvestigational agency within the firm which could be money

MoneyScience’s Jacob Bettany Interviews Dennis Cox on Anti-money Laundering Deterrence Rules and Practises fromAlbania to Vietnam


38

laundering but when you actually do the investigation youfind that they’re not, so the investigation process and howyou would go about swamping the reporting bodies with awhole load of information which is no use to themwhatsoever, is being included.

We go into areas regulators are most concerned about likecorresponding banking where there’s been a lot ofpublication and we think about that ending up talking aboutsoftware. Then we go through 37 different countries interms of how money laundering has happened and beendealt with. We cover countries from Albania to Vietnam, andyou’re probably wondering why Albania; it’s the nature ofthe country and its positioning at the edge of Europe thatmade it important. We’ve got a mixture there of biginternational financial centres through to smaller institutionsperhaps used for tax minimisation strategies, together withsome interesting ones that people might be surprised webothered to look at. In places like South America youimmediately go and look at somewhere like Brazil, which isthe driver there, and in Africa you want to look atsomewhere like Nigeria and Kenya and South Africa, wetried to hit those main markets but of course you can’t doabsolutely everything.

JB: What is it about the US regime that is sodifferent to the rest of the world?

DC: Essentially many of the laws they have predate theFinancial Actions Task Force guidelines – the Bank SecrecyAct 1970 is effectively an older act which has been amended,so they come from a different source when trying to comeup with a regime. The rules are also broken up in a numberof places between different Acts so it’s just a different wayof doing things.

JB: Are there grey areas in money launderingwhere people can get tripped up without evenrealising?

DC: I think that if someone is moving money from acriminal source that is very clearly money laundering. Butthen you have to ask the question what is a crime? Comingfrom the United Kingdom, if you fail to pay your TV licencein principle that is a crime with proceeds which inprinciple is money laundering. Clearly thatis not what we are seeking to identify.

Another would be tax avoidanceand tax evasion. Tax avoidance isclearly seen as a typical thingthat companies do althoughthat’s been challenged byexploitive tax avoidanceperhaps on one or twojurisdictions. Tax evasion isclearly illegal. If you’relooking at someone thatmay be paid in cash like aplumber or taxi driver, isit plausible that theymight not disclose all oftheir income to the tax

authorities? Well if they fail do so that is criminal activityand therefore those funds are potentially going to belaundered but of course they are comingled with thelegitimate funds, so that’s quite difficult. The difficulty withterrorist financing is identifying who is actually a terrorist?How do you decide where a freedom fighter stops and aterrorist starts? So there are those kinds of grey areas.

Another problem is the definition of a politically exposedperson. I try and encourage firms to go beyond the rules ofthe country and always say the rules of the country are thereto make sure you are not committing criminal activity butthat may not be sufficient to fully protect the firm fromreputational risk. When you end up with a headline on thenewspaper it doesn’t tend to say “oh and by the way, theycomplied with the laws of the country”. So there are somegrey areas particularly in the area of how a crime is defined.

JB: You used the term layering, could you explainwhat that means in this context?

DC: Well a layering process would be for example, whenthere is a theft at your house and someone now has all ofyour electrical goods. They now want to turn those into cashand will do that probably by selling it at a market and turningit into physical cash. But for them to spend that moneypotentially they want to try to get it into a legitimate-looking bank account if they are doing this as a volumeactivity. The banking market gets touched when theproceeds are turned into physical cash, though it will notend up there, particularly if it’s organised crime when thelayering process will be used. It is similar to putting layers ofveneer onto a piece of wood, it tries to disguise the originalasset by moving it from place to place from asset class toasset class and then at some stage it is going to end up inthe place the criminal is going to try to extract the moneyfrom. At that stage it will go into an apparently legitimatelooking bank account but there could be 15-20 differentpaths it goes through before that.

We’re not going to stop crime by stopping moneylaundering but what we can do is make it more difficult forthe criminal to extract their funds.



39

JB: Typically money laundering is associated withorganised crime, but cases cover a much widerspectrum.

DC: Yes, organised crime is the area agencies are concernedwith most because that tends to have the greatest publicimpact. These are large networks. Tax authorities pick uptax evasion cases. You have to think about the amount ofterrorist activity that’s going on around the world. There area lot of arms being purchased for terrorists and that allcomes through this same set of rules and regulations and theterrorist financing part is a separate section. Clearly it isvery bad news when a firm is involved in that. Again, it’s notthat the terrorist phones up the arms manufacturer and sayslook, I’m a terrorist working in a certain country and I needa couple of tanks please! Much more likely there is anintermediary approaching the manufacturer who will bepretending to represent a country. The level of plausibilityis really the thing that enables money laundering or terroristfinancing to be successful. Much more interesting for theinvestigators to find something that really makes a difference– drug trafficking, child pornography, those kinds of areasare really high risk in terms of the impact on the public.

JB: How big a problem is money laundering in theUK?

DC: It is a big problem everywhere including in the UK.Money laundering and terrorist financing grows as crime andterrorism themselves grow. When someone wants to acquirearmaments they have to get across to the legitimateeconomy in some way with those funds. That’s obviouslyreally an unpleasant for a bank to be involved in and,everyone does what they can to avoid being involved withit. In the case of inappropriate pornography, or countrieswhere all pornography is inappropriate, that again is clearlyunacceptable activity. Child trafficking, slavery, extortion,those heinous crimes are of course the things people try

most to prevent, however, all the stats are showing us asareas of activity they are certainly not declining. We’ve seenquite recently the UK GDP figure changed for someactivities which might be considered as inappropriate nowadded into the figures and money laundering is, of course,one of those.

JB: Is it possible then that all banks are involvedto some extent?

DC: You have to be realistic – there is crime, and criminalshave bank accounts. People do say that the fear of crimeexceeds the probability of crime, but you see these things inthe press all the time. A person may open a bank accountand be doing perfectly legitimate activity at the time andthen at some stage they start doing something or get paid todo something criminal – perhaps they lost their job and theirneeds changed, they can be pressured into getting involvedwith something – the bank is not easily going to spot this.In some countries there are secrecy regulations whichactually get in the way of this. You are only really allowed tohold data for the purpose which it was originally intendedand this is going beyond that. In some countries you are noteven allowed to really link the customer with their spouse ortheir parents, you have got to look at them as an island andhow are you ever going to know as a bank the people thatsomeone is really dealing with and who they know – youdon’t get that data. The banks can only look at theinformation that they have and they are ever only part of thestory. Do they have people that they would rather not dealwith inside their client box? I’m sure the answer is going tobe yes. The question is what they knew when taking on thecustomer – are there things they ought to have done. That’swhere the rules come in, to try to encourage them to thinkthrough and really understand. They offer to do things likecheck the source of funds, but if you turn around and sayokay you’ve put a thousand pounds into a bank accountwhere do these funds come from? You’ll look at me and saywell it’s sort of leftover money really from my job. What amI supposed to do with this? If you say, I’ve sold a car, do

you expect me to go and check who you sold it to? Itstarts to become unrealistic and that’s one of thedifficulties. Often a bank is recording so they cangive the trail to the FIUs and they are questioningunder the risk-based approach if they have gonefar enough and really understand their customer.It is quite different if someone is depositing toif someone is borrowing – if you are borrowingI want to know a lot about you because I wantmy money back but depositing, it’s yourmoney. There’s a level I can ask for and that’sperhaps not quite what the public mightexpect.

JB: How effectively have approachesto dealing with money launderingbeen in the past in the UK?

DC: Approaches have changed. Initially whenthe anti-crime rules came through it was tickboxes, trying to come up with checklists. TheJoint Money Laundering Steering Groupproduced a series of coloured books. The



40

change that’s come through now is to move towards a morerisk- based approach so that you really try to understandyour client and the likelihood that they might be a moneylaunderer. It’s more investigative and it’s trying to place thebalance where it will add most value. If for example a wealthybusinessman comes to you with a legitimate business to banksome funds with you, you shouldn’t have to kill yourselftrying to find out information about them unless you thinkthey may be taking bribes or something of that sort whichof course is criminal activity. On the other hand if someonecomes in with a large sum of money and perhaps they’re amid-level government employee and that kind of sum is notcommensurate with the income I would expect this personto have then you start to ask questions under the risk-basedapproach. It’s now about trying to think a bit more. Therehas also been better use of technologies and betterinvestigative techniques encouraged by the regulations.

JB: So does Big Data make it easier for banks toidentify anomalous behaviour?

DC: The larger banks systems will parameterise thecustomer and then identify a transaction that is notconsistent with the expected behaviour for that type ofcustomer. That happens a lot on cards, and as someone whois travelling quite a lot around the world it can be quiteannoying to find my card is not working and that I then haveto speak to a nice card company on the phone! I have beendefrauded on my card before – once someone tried to buya painting, and somebody else tried to buy a whole load ofiron ore in Brazil. Now that was picked up by me finding mylimit had gone and asking questions and on those particularoccasions the card company didn’t find it, which I was a bitshocked by – I haven’t bought a museum quality paintingbefore and I certainly haven’t bought any iron ore or beento Brazil! So the advent of Big Data and the data miningtechniques that are available do facilitate better work. Thedata helps you find out quicker if you have been the subjectof attempted money laundering and what they do to reduceit is to reject suspicious transactions when they comethrough. It’s never going to be fool proof.

JB: How optimistic are you that currentapproaches will be effective, or is it a constantbattle?

DC: It is a constant battle and there is always a limit to howfar you can go. As a customer wanting to use the bank thereis a limit to how much intrusive questioning you’re going tobe willing to put up with and that is the key balancing issuebecause I don’t have to go to a bank to deposit my funds, Icould go and buy another asset. I could use electronicsystems like PayPal or I could just go to an antiques marketor something and pay cash for an item, sell it for cash and sayI have sold an antique. It doesn’t have to go through thebank. So many things can be the subject of moneylaundering it just depends on the mind-set of the moneylaunderer and how patient they are going to be and howmuch money they are willing to spend on the costs oflayering. The area of terrorist financing is one where I thinkwe can probably have a more successful approach. Crime issuch a broad term and organised crime is very difficult toprosecute. The complexity of it means that trying to put it

through an ordinary criminal court is always going to bequite difficult.

JB: So processes in banks are activated by asuspicion?

DC: Yes and it leads to a report being given to the organisedagencies because you are just one among many institutionsand if there is a complex money laundering scheme a lot ofother institutions will be involved and you won’t see thewhole story. Once you’ve made that report the MoneyLaundering Reporting Officer in pretty much everyjurisdiction gets it. That overrides bank secrecy rules anddata confidentiality and you have that protection as a MoneyLaundering Reporting Officer to enable you to do this. It isnot easy to put the story together, some cases are verycomplex. The obligation on the firm is to do what they canto assist the investigating agencies to do their workeffectively. A lot of our work within money launderingdeterrent is to try to identify information that needs to bereported. Also you don’t want some of the headlines thatwe’ve seen in newspapers. You don’t want your brandassociated with the word money laundering – or terroristfunding, or sanctions busting. So you do what you can toreduce as much as possible the probability that that’s goingto occur. Can I eliminate it totally? I can’t. I remember oneinvestigation we were involved in where we were looking fora particular person and there was a political thing, there’dbeen a problem and we were asked to do the investigationand I think we found $12,000 USD worth which was notsignificant in the great scheme of things but we were still inthe list and we still got the adverse publicity. Life isn’t alwaysfair and you do the best you can in this field and the peoplethat know financial crime deterrents well and know their wayaround the systems and controls are very valuable people tothe financial institutions in that they will reduce theincidence and likelihood of them being found guilty. Ofcourse you also have a defence and a story because you’vedone what a reasonable bank ought to have done to try andmake sure that you’re not caught by money launderingterrorist financer.

JB: Do you have a view on the emergingcryptocurrencies such as Bitcoin and whether weare equipped to deal with any potential threatsthey may pose?

DC:Well, if you take internet banking, when you open up acredit card or bank account and you’re not seeing the bank,there’s not a lot of point in me having your photograph nowis there? I’m never going to see you so what you look likeisn’t relevant to me and I’m going to have to think of a wayof being more analytic in trying to understand you as anindividual. I’m probably going to have to call up moreindependent reports than before and change the way that Iwork. Clearly anything that separates the customer from thebank and creates barriers is going to increase the probabilitythat it’s going to be exploited by a money launderer, sointernet banking becomes a preferred route of action. Wehave rules for non-face-to-face customers and a mixture ofthings that you must do and things you might like to do.The thing about Bitcoin is the lack of registration that is theconcern and it does make various things quite difficult such



41

as for a government to know the true money supply and howyour economy is moving so that is not a great thing. If I’vegot some Bitcoins, where do they come from? They are notregistered anywhere. Well if you think about the poundcoins in your pocket, they’re not registered anywhere eitherare they. It’s another set of thought processes you just needto go through and think about what additional challenges itpresents to you. Quite a high percentage of the coins in yourpocket are probably forged – I’ve heard various percentages.It’s about one in ten. You can tell by the weight and quality.

Of course if you spend that money, then you’ve launderedit. The Bitcoin is just another anonymous information sourcewith the difficulty that it is international. We’ve always beenworried about the payment services cross-border andBureau de Change, those kind of areas. There are rules andregulations about that already, it’s just another one of thoseI’m afraid.

JB: Mr Cox, thank you very much for talking tous.



42

Every criminal act that involves obtaining money illegally producesfunds which need to be laundered. The IMF estimates that 2- 5%of global GDP is laundered every year. Globally, regulations havecome in which affect certain businesses, especially banks andother financial institutions. These businesses have been requiredto put in place specific arrangements to prevent and detect moneylaundering and the criminal activity that underlies it.

The Handbook of Anti-Money Laundering by Dennis Cox, astrategy and risk consultant for the financial services industry,contains the most up-to-date information on all the latestregulations in the industry, including details of the recentlyupdated FATF (Financial Action Task Force) guidance. Writtenfrom an international perspective the book examines moneylaundering and money laundering deterrence, internationalstandards and rules, certain country-specific rules and regulations.The book, which provides practical advice and guidance, will bean invaluable source of information for anti-money launderingofficers, board directors, internal and external auditors and bankemployees, all of whom are required to undertake AML training.

ORDER ONLINE NOWOrder on-line http://eu.wiley.com £80.00 / €96.00

www.amazon.co.uk £68.07E-book also available at: http://eu.wiley.com £64.99 / €76.99

ISBN: 978-0-470-06574-7752 pages • Hardback

HANDBOOK OF ANTI MONEY LAUNDERINGDENNIS COX, CEO RISK REWARD LTD

GRUSubscriberssave 30%by entering entering promo codeMON30 at the Wiley website checkout.

NotesDennis Cox is CEO of Risk Reward Limited (link to http://www.riskrewardlimited.com), a specialist risk consultancy, training and recruitment firm servingthe global banking and financial services industry, and thought leaders in the world of risk management, audit, governance and compliance. He is a wellknown international expert in financial services risk management and has held senior management positions at top banking and accountancy firms, includingHSBC and Prudential. Dennis has authored several publications, including Banking, Audit and Accounting (Butterworths 1993), The Mathematics ofBanking and Finance (Wiley 2011), An Introduction to Money Laundering (CISI, Wiley) and The Frontiers of Risk Management. The Handbook of Anti-Money Laundering is his fifth book. GRU subscribers can access a sample chapter here (link http://media.wiley.com/product_data/excerpt/45/04700657/0470065745-1.pdf).GRU Subscribers can save 30% by entering entering promo code MON30 at the Wiley website checkout.

43

For more information about training to all our accredited qualifications (ACAMS, CII,CISI, ICAEW and IIA) or to book or ask for an in-house quote please email TonySubryan at [email protected] or telephone +44 (0)20 7638 5558.www.riskrewardlimited.com/public-course-calendar

Chartered Institute for Securities& Investment (CISI)

The CISI is the UK’s largest and most widely respectedprofessional body for the Securities and Investmentindustry. CISI Certificates are included in the UK’sFinancial Services Skills Council’s list of AppropriateExaminations and are recognised for all major activities.

More and more regulators, banks, stock exchanges, andbrokerage houses are increasingly seeking to respond tostresses and pressures to maintain high levels ofprofessionalism, integrity and competence especiallywhen interacting with retail consumers. Training tointernationally recognised and respected standards isamong those responses, whether seasoned

professionals, recent market entrants or new graduates.

Risk Reward Ltd has beendelivering successful trainingsolutions to CISI certificates in theUK/Europe, Africa and the MiddleEast since 2009. Known for ourhigh-quality, 20+ years industryexperienced trainers, our trainingcourses focus on learning,comprehension and application toroles, jobs and functions currentlyin demand in the real-world.

Combating Financial Crime CertificateLondon May 11-13 Oct 5-7Dubai Jun 8-10 Nov 2-4

Corporate Finance Strategy and Advice (Unit 2) DiplomaLondon Apr 20-23 Oct 5-8

Corporate Finance Techniques and Theory (Unit 1) DiplomaLondon May 12-15 Nov 24-27

Financial Derivatives DiplomaLondon Feb 16-19 Sep 7-10

Fund Management DiplomaLondon Mar 2-5 Oct 19-22

Financial Markets DiplomaLondon Feb 23-26 Sep 14-17

UK Financial Regulations CertificateLondon Feb 10-12 Nov 3-5Dubai Jan 20-22 Nov 23-25

Global Finance Compliance CertificateLondon May 18-20 Nov 2-4Dubai Apr 14-16 Oct 19-21

Global Operations Management DiplomaLondon Mar 16-19 Nov 9-12

Global Securities CertificateLondon Jan 27-29 Sep 14-16Dubai Mar 23-25 Oct 26-28

International Investment Management CertificateLondon Jun 22-24 Oct 12-14Dubai Apr 21-23 Dec 7-9

Investment Management CertificateLondon May 18-20 Nov 2-4Dubai Mar 23-25 Sep 28-30

Islamic Finance Qualification (IFQ) CertificateLondon Feb 9-11 Nov 16-18Dubai May 19-21 Oct 6-8

Operational Risk CertificateLondon Apr 27-29 Sep 23-25Dubai Jun 8-10 Oct 5-7

Private Client Investment Advice and Management DiplomaLondon Mar 9-12 Oct 5-7

Risk in Financial Services CertificateLondon Feb 3-5 Sep 7-9Dubai Mar 16-18 Nov 9-11

In-house training For an in-house training option, alternative datesand locations are available.We are happy to add additional content to theprogramme to meet additional requirementsfrom your company. Pleasecontact us for furtherinformation. We suggest acall with one of ourexperienced trainers tounderstand your specificrequirements so that we cancombine this with the CISIcourse as required.

2015 Global Public Course dates – CISI

Save up to with in-house training.

Please contact us

for details.

60%

Public Training CoursesPreparatory training to internationally recognised qualifications

designed by [email protected]

Risk Reward Limitedpart of Risk Reward Group of Companies

Global Headquarters

Risk Reward Ltd60 Moorgate, 1st Floor, London EC2R 6ELUnited Kingdom

Office hours: London (GMT)09.00 – 18.00 Monday – Friday

tel: +44 (0)20 7638 5558fax: +44 (0)20 7638 5571

Risk Reward Americas

Office hours: (EST)09.00 – 18.00 Monday – Friday

tel: +1 (917) 310-1334 New York+1 (305) 831-4913 Miami

email:[email protected]

www.riskrewardlimited.com

Documents

risk update GLOBALriskrewardlimited.com/admin/pdf/Risk Update 2014 Q4.pdf · assess their business models to ensure that they remain relevant. In this the Q4 2014 edition of the GRU