Fines and Financial Misdemeanors
Principal, Financial Services, Finance & Risk group at Oliver Wyman
Over the past year, regulators in the United States, United Kingdom and the European Union have hit banks with more than $9 billion in fines for having rigged the London Interbank Offered Rate, better known as Libor. Libor—a critically important interest rate upon which trillions of dollars in financial contracts rest—is used by banks as the benchmark for setting rates on consumer and corporate loans. In April, Deutsche Bank alone was fined $2.1 billion by U.S. financial watchdogs and $348 million by the Financial Conduct Authority in the UK to settle charges that it allegedly participated in manipulating Libor, while the other banks involved in the scheme each paid more than a billion dollars in fines.
But the Libor case is only one in what seems to be a spate of financial misdemeanors. In a separate action, BNP Paribas agreed in June 2014 to pay nearly $9 billion and plead guilty for having violated U.S. sanctions rules against Cuba, Iran and Sudan. In November 2013, JPMorgan Chase paid $13 billion to settle various charges concerning mortgage securities that it had sold prior to the financial crisis, the largest fine ever paid by a U.S. corporation. Before that, HSBC was fined $1.9 billion in December 2012 following a U.S. Senate investigation into the role it played in laundering money of drug dealers and “rogue nations.”
Multibillion-dollar fines for alleged or committed financial crimes have become a new material financial risk for financial firms. In just five years, such fines have grown from being so minuscule in relation to banking industry profits that they were treated effectively as being nil, to totalling almost $58 billion in 2014. The average fine has increased seventy-fold in the past six years, rocketing from $22 million in 2008 to nearly $1.6 billion in 2014.
But the true cost of an adverse finding from legal or banking authorities goes far beyond the specific fine imposed. The real harm lies in the almost incalculable damage that has been done to the bank’s reputation. Banks face the risk that customers and counterparties will lose confidence in the bank’s sustainable performance, pushing up the cost of capital. And investors fear that the fines are actually harbingers of bad news to come and that the bank is likely to suffer future unexpected losses, thus adding to negative market reactions.
Many commentators attribute these larger fines to deteriorating ethics among bankers. But the real change, in fact, has not come from bankers. Instead, the true transformation can be traced to those whose role it is to regulate the financial services industry. Until recently, bankers were subject to little scrutiny. For all we know, it may be that bankers in the 1970s were just as inclined to misrepresent risks and conspire to manipulate market prices. Certainly, offshore banking and account secrecy, which have recently been condemned for facilitating tax evasion and money laundering, are nothing new.
By contrast, regulators have clearly responded to the widespread criticism and perception that the financial crisis was a failure of banking supervision by becoming much tougher on the banks they supervise. They are demanding unprecedented levels of disclosure and are applying massive fines when wrongdoing is discovered. The notion of wrongdoing has even been extended to include poor risk management. When JPMorgan Chase lost $6 billion in the London derivatives market, the bank’s woes were compounded by fines imposed by U.S. and UK authorities of about $1 billion for poor risk oversight.
Managing the Shift from Victim to Alleged Perpetrator
In this new environment of intense scrutiny and massive fines, banks must take a more rigorous approach to managing the risk of financial crime—not the risk of being a victim of crime, but the risk of being a perpetrator or accomplice.
To date, managing financial crime risk has often been treated as a simple matter of mechanically complying with “know-your-customer” and anti‑money laundering regulations. The inadequacy of this approach is now clear. Apart from the HSBC scandal, the big fines of recent years have concerned conduct outside the scope of these regulations.
Besides money laundering, senior bankers must make sure their institutions are not involved in tax evasion, bribery, corruption or terrorism financing. They must also be sure that they abide by sanctions and embargoes and not participate in market abuse. Moreover, banks must not only be law-abiding, they must also be virtuous, given the extension under the UK’s Financial Conduct Authority of the regulator’s power to evaluate a bank’s “culture” and impose penalties on it.
Clearly, part of the answer to putting an end to the banks’ misdemeanors lies in fostering a cultural change. Banks must use recruitment, promotion, training and financial incentives to encourage a high standard of business ethics. Not only will such measures reduce the chances of wrongdoing, but they are also likely to reduce the severity of penalties when such offenses occur. The standard management response to a scandal—that the malfeasance was a “rogue event” and not symptomatic of a corrupt culture—will be more believable if banks take these measures.
Effective Cultural Change
Such cultural change programs are already underway at many banks. To gain greater traction, however, those efforts must be backed by stronger internal scrutiny of staff and client conduct. This self-imposed scrutiny does more than just discipline staff. It helps to ensure that senior managers are ahead of the media and their regulators and that they are initiating action. If a senior manager is surprised by what external investigations uncover, that can only confirm suspicions that he has lost control.
The first step to achieving effective cultural change is figuring out where to look for problems. For this purpose, banking supervisors often recruit ex-bankers to help them understand how bankers behave. In a variation on this “poacher-turned-gamekeeper” tactic, banks are now recruiting ex-supervisors to help locate the behaviors that concern the authorities.
Banks must then be able to detect misconduct by their staff or clients. To this end, banks are moving beyond traditional risk management and into the kind of techniques more commonly associated with spy agencies such as the CIA and MI5. They are using advanced analysis of transaction patterns, communications and social networks to identify potentially criminal or unethical behavior. And they are being more vigilant about analyzing geopolitical risks and the individuals with whom the bank is associated. If the bank’s chief executive officer is going to have lunch with a political or business bigwig, then the bank needs to know who that person really is and what risks he or she may carry with him or her.
Banks are also increasing their financial crime risk-fighting resources. In 2009, they spent roughly $4 billion on relevant externally‑supplied software and services. In 2014, that figure jumped 60 percent, to $6.5 billion. While that may be a significant increase, it is not nearly as great as the 3,000 percent increase in the fines for financial crime incurred over the same period. (See Exhibit 1.)
Virtue is its own reward, according to Cicero. That may well be true. But even if it isn’t, when the public, the press, politicians and supervisors assume that banks are up to no good and are keen to punish them, virtue has another important bonus: It enables banks to remain in business. If the banks hope to be profitable, they had better learn to also be good.
This piece appears in the Oliver Wyman Risk Journal vol. 5.