<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.msdn.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Microsoft's Perspective on the Future of Risk &amp; Compliance </title><link>http://blogs.msdn.com/grc/default.aspx</link><description>Thoughts, comments, news, and reflections about Governance, Risk Management &amp; Compliance (GRC) from two risk subject matter experts representing Microsoft’s Financial Services team – Sai Sireesh, Worldwide Director for Risk Management and Compliance Strategy, and  Jeff Jinnett, U.S. GRC Industry Market Development Manager.   </description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>Federal Preemption in the Area of Data Security Breach Laws - an update from Jeff Jinnett</title><link>http://blogs.msdn.com/grc/archive/2009/10/26/federal-preemption-in-the-area-of-data-security-breach-laws.aspx</link><pubDate>Mon, 26 Oct 2009 19:10:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:9913112</guid><dc:creator>AnnaVAubry</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.msdn.com/grc/comments/9913112.aspx</comments><wfw:commentRss>http://blogs.msdn.com/grc/commentrss.aspx?PostID=9913112</wfw:commentRss><wfw:comment>http://blogs.msdn.com/grc/rsscomments.aspx?PostID=9913112</wfw:comment><description>&lt;P&gt;&lt;STRONG&gt;As we have noted in previous postings on this weblog, there appears to be an increasing trend toward the federalization of regulatory areas impacting the financial services industry. 
&lt;/STRONG&gt;Thus, the legislation to create a new &lt;A href="http://online.wsj.com/article/SB125622338671401423.html" mce_href="http://online.wsj.com/article/SB125622338671401423.html"&gt;Consumer Financial Protection Agency&lt;/A&gt; (CFPA), which passed out of the House Financial Services Committee on October 22, 2009&amp;nbsp;&lt;SPAN style="LINE-HEIGHT: 115%; FONT-FAMILY: 'Calibri','sans-serif'; FONT-SIZE: 11pt; mso-ascii-theme-font: minor-latin; mso-fareast-font-family: Calibri; mso-fareast-theme-font: minor-latin; mso-hansi-theme-font: minor-latin; mso-bidi-font-family: 'Times New Roman'; mso-bidi-theme-font: minor-bidi; mso-ansi-language: EN-US; mso-fareast-language: EN-US; mso-bidi-language: AR-SA"&gt; &lt;/SPAN&gt;includes a provision to preempt contrary state laws under certain circumstances, such as where the state laws would significantly interfere with a national bank’s ability to do business.&amp;nbsp; In the area of data security breach laws, a similar trend appears to be emerging. &lt;/P&gt;
&lt;P&gt;With respect to the obligation to make disclosures to the individuals whose personal information was not kept confidential, over 45 states have enacted data&lt;IMG style="WIDTH: 142px; HEIGHT: 140px" align=right src="http://blogs.msdn.com/photos/sai_sireesh/images/9834860/secondarythumb.aspx" width=142 height=140 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9834860/secondarythumb.aspx"&gt; security breach laws that require such a &lt;A href="http://www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/SecurityBreachNotificationLaws/tabid/13489/Default.aspx" mce_href="http://www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/SecurityBreachNotificationLaws/tabid/13489/Default.aspx"&gt;disclosure&lt;/A&gt;. &amp;nbsp;The &lt;A title="SB 1386" href="http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html" mce_href="http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html"&gt;California data security breach notification law&lt;/A&gt; (SB 1386), which was one of the first state data security breach laws, requires “a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” An important exception to the notification requirement under the California law (and various other state laws) applies if the personally identifiable information was encrypted. This is an example of how critical information technology can be to complying with a new law, or to securing an exemption from it.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;In addition to these state laws, there are a number of U.S. federal laws that impose disclosure obligations on specific types of regulated companies&lt;/STRONG&gt;. For example, public companies filing with the U.S. Securities and Exchange Commission (SEC) have an obligation under &lt;A href="http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&amp;amp;tpl=/ecfrbrowse/Title17/17cfr229_main_02.tpl." target=_blank mce_href="http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&amp;amp;tpl=/ecfrbrowse/Title17/17cfr229_main_02.tpl.  "&gt;Regulation S-K&lt;/A&gt;&amp;nbsp; to disclose information to shareholders that materially negatively impact the company, such as a material impairment to the goodwill of the company. This type of disclosure would normally be made in a Form 8-K, but could also be required to be made in the annual report on Form 10-K. For example, during the Y2K years, the SEC required public companies to describe their potential risks from the Y2K problem and their ongoing Y2K programs, if the Y2K risk was deemed to be a &lt;IMG style="WIDTH: 251px; HEIGHT: 375px" align=left src="http://blogs.msdn.com/photos/sai_sireesh/images/9854622/251x375.aspx" width=251 height=375 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9854622/251x375.aspx"&gt;material risk for the companies (&lt;SPAN style="LINE-HEIGHT: 115%; FONT-FAMILY: 'Calibri','sans-serif'; FONT-SIZE: 11pt; mso-ascii-theme-font: minor-latin; mso-fareast-font-family: Calibri; mso-fareast-theme-font: minor-latin; mso-hansi-theme-font: minor-latin; mso-bidi-font-family: 'Times New Roman'; mso-bidi-theme-font: minor-bidi; mso-ansi-language: EN-US; mso-fareast-language: EN-US; mso-bidi-language: AR-SA"&gt;See &lt;A href="https://mail.microsoft.com/OWA/redir.aspx?C=2e408ec12f904164a3b9a886ae3242a0&amp;amp;URL=http%3a%2f%2fwww.sec.gov%2finterps%2flegal%2fslbcf5.htm" target=_blank&gt;&lt;SPAN style="COLOR: 
blue"&gt;http://www.sec.gov/interps/legal/slbcf5.htm&lt;/SPAN&gt;&lt;/A&gt;).&amp;nbsp;&lt;/SPAN&gt;&amp;nbsp;The SEC also has proposed an &lt;A href="http://www.sec.gov/rules/proposed/2008/34-57427fr.pdf" target=_blank mce_href="http://www.sec.gov/rules/proposed/2008/34-57427fr.pdf"&gt;amendment&lt;/A&gt;&amp;nbsp;to &lt;A href="http://www.sec.gov/rules/final/34-42974.htm" target=_blank mce_href="http://www.sec.gov/rules/final/34-42974.htm"&gt;Regulation S-P&lt;/A&gt;&amp;nbsp; affecting companies subject to the Gramm-Leach-Bliley Act that would impose additional disclosure obligations in the case of loss of consumer private information. As interpreted by one law firm:&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;“[F]irms must establish procedures to provide prompt notice to affected individuals if a data security breach has occurred or is reasonably possible. The Commission did not provide guidance on what is meant by ‘reasonably possible’ but is seeking comment to determine if this threshold for notice is appropriate or whether there should be an alternative threshold for notice. The Commission indicated that it did not want to trigger notice ‘in every instance of unauthorized access or use, such as if an employee accidentally opened and quickly closed an electronic account record,’ because otherwise ‘individuals could receive an excessive number of data breach notifications and become desensitized to incidents that pose a real risk of identity theft.’&amp;nbsp; If a data security breach results in substantial harm or inconvenience to an individual or an unauthorized person has intentionally obtained access to or used sensitive personal information, notice must also be provided to the Commission (or, for certain broker-dealers, their designated examining authority). 
The Commission believes this trigger for regulatory notice will conserve ‘administrative resources by allowing minor incidents to be addressed in a way that is commensurate with the risk they present’.”&amp;nbsp;(&lt;SPAN style="LINE-HEIGHT: 115%; FONT-FAMILY: 'Calibri','sans-serif'; FONT-SIZE: 11pt; mso-ascii-theme-font: minor-latin; mso-fareast-font-family: Calibri; mso-fareast-theme-font: minor-latin; mso-hansi-theme-font: minor-latin; mso-bidi-font-family: 'Times New Roman'; mso-bidi-theme-font: minor-bidi; mso-ansi-language: EN-US; mso-fareast-language: EN-US; mso-bidi-language: AR-SA"&gt;See &lt;A href="https://mail.microsoft.com/OWA/redir.aspx?C=2e408ec12f904164a3b9a886ae3242a0&amp;amp;URL=http%3a%2f%2fwww.bingham.com%2fMedia.aspx%3fMediaID%3d6636" target=_blank&gt;&lt;SPAN style="COLOR: blue"&gt;http://www.bingham.com/Media.aspx?MediaID=6636&lt;/SPAN&gt;&lt;/A&gt;)&lt;/SPAN&gt; &lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P&gt;There are also certain U.S. federal laws that require notification in the event of a breach of personally identifiable health information, such as under the &lt;A href="http://privacylaw.proskauer.com/2009/06/articles/medical-privacy/decrypting-hhs-guidance-on-breach-notification-and-security-under-the-hitech-act-nist-fips-and-more/" target=_blank mce_href="http://privacylaw.proskauer.com/2009/06/articles/medical-privacy/decrypting-hhs-guidance-on-breach-notification-and-security-under-the-hitech-act-nist-fips-and-more/"&gt;HITECH Act&lt;/A&gt;.&amp;nbsp; The HITECH Act’s notification requirements for breaches of unsecured protected health information (PHI) apply to entities subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), their business associates, and non-HIPAA covered vendors of personal health records (PHR). To constitute a breach, the acquisition, use, access or disclosure of the PHI must compromise the security or privacy of such information. The U.S. Department of Health and Human Services (DHHS) has issued &lt;A href="http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/guidance_breachnotice.html" target=_blank mce_href="http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/guidance_breachnotice.html"&gt;guidance&lt;/A&gt;&amp;nbsp;that lists technologies and methodologies that secure information, rendering the data unusable, unreadable, or indecipherable. If PHI is secured according to the DHHS guidance, unauthorized access to such information will not trigger the HITECH breach notification requirements. It should be noted, however, that such breaches may still be subject to state law notification mandates. &lt;/P&gt;
&lt;P&gt;Over the past few years, the U.S. Congress has considered a number of bills that would create a federal data security breach law that would preempt contrary state laws. For example, on April 30, 2009, Representative Bobby Rush (D-Ill) introduced H.R. 2221, the &lt;A href="http://thomas.loc.gov/cgi-bin/query/z?c111:H.R.2221" target=_blank mce_href="http://thomas.loc.gov/cgi-bin/query/z?c111:H.R.2221"&gt;Data Accountability and Trust Act&lt;/A&gt;. The Data Accountability and Trust Act would implement uniform federal breach notification requirements and preempt the various state laws requiring notification. &lt;/P&gt;
&lt;P&gt;&lt;EM&gt;&lt;STRONG&gt;Data security breach laws are an example of the need for regulated companies to become adept at understanding the intersection between U.S. federal and state laws and regulations and the information technologies that can help them confirm compliance and/or exemption from coverage with respect to such mandates.&lt;/STRONG&gt;&lt;/EM&gt; &lt;BR&gt;&lt;/P&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=9913112" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/grc/archive/tags/Jeff+Jinnett/default.aspx">Jeff Jinnett</category><category domain="http://blogs.msdn.com/grc/archive/tags/security+breach/default.aspx">security breach</category><category domain="http://blogs.msdn.com/grc/archive/tags/federal/default.aspx">federal</category><category domain="http://blogs.msdn.com/grc/archive/tags/data+security/default.aspx">data security</category></item><item><title>Sai Sireesh:  Australian secret sauce for managing risk sprinkled with APRA’s Meta Regulation! 
</title><link>http://blogs.msdn.com/grc/archive/2009/10/08/sai-sireesh-australian-secret-sauce-for-managing-risk-sprinkled-with-apra-s-meta-regulation.aspx</link><pubDate>Thu, 08 Oct 2009 22:13:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:9905124</guid><dc:creator>AnnaVAubry</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.msdn.com/grc/comments/9905124.aspx</comments><wfw:commentRss>http://blogs.msdn.com/grc/commentrss.aspx?PostID=9905124</wfw:commentRss><wfw:comment>http://blogs.msdn.com/grc/rsscomments.aspx?PostID=9905124</wfw:comment><description>&lt;P&gt;&lt;IMG style="WIDTH: 290px; HEIGHT: 290px" align=left src="http://blogs.msdn.com/photos/sai_sireesh/images/9906221/original.aspx" width=290 height=290 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9906221/original.aspx"&gt;I was fortunate enough to have short work stints in Australia (both Sydney and Melbourne), a beautiful country with its free spirited fun loving sporty population. &lt;/P&gt;
&lt;P&gt;I continue to be amazed at the sophistication and depth of their financial markets. There is also a lot of cross pollination of global markets expertise, ideas and world class talent between London and Sydney. &lt;/P&gt;
&lt;P&gt;Their regulators, the RBA, ASIC, APRA and ACCC, are amongst the most proactive and knowledgeable in the world. Australia’s top 4 financial groups - Commonwealth Bank of Australia (CBA), WestPac, Macquarie and National Australia Bank (NAB) - rank amongst the top banks globally. Despite the crisis affecting banks globally, all of these Australian institutions remain profitable, well capitalized and well managed. The Australian banking sector’s profit margin is robust. At 1.3% of assets, Australian banks’ profit ratio sits in the middle-to-upper range on the international league table.&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;So what is Australia’s secret sauce? &lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;Some of the key ingredients are:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Mortgage Discipline&lt;/STRONG&gt;: Securitization in lending is an Australian practice too. But banks in Australia did not adopt the US banking mortgage business&lt;IMG style="WIDTH: 112px; HEIGHT: 140px" align=right src="http://blogs.msdn.com/photos/sai_sireesh/images/9843957/secondarythumb.aspx" width=112 height=140 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9843957/secondarythumb.aspx"&gt; model of originate-to-distribute.&amp;nbsp; They act more as intermediaries, with a balanced risk and reward equation. Also, Australian financial institutions had relatively little exposure to complex structured instruments collateralised by US sub-prime mortgages.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Too Strong to Fail &amp;amp; 4 Pillar Policy&lt;/STRONG&gt;: Australia’s small number of banks are extremely large relative to the size of its economy. A “4 pillars” legislative policy maintains the separation of the four largest banks in Australia by disallowing any merger or acquisition among them. This is both a handicap and an asset. But as a result the banks have also been able to withstand the takeover pressures that other banks around the world face. And all of these banks have adopted a fairly robust risk management culture, prompted by tight regulation. Australia was one of the first countries to adopt and achieve Basel II compliance for its banks. With higher capital adequacy norms, healthy capital buffers have also been a critical confidence factor for the banks. &lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Credit Assessment Standards for 3rd Party Loan Origination&lt;/STRONG&gt;:&amp;nbsp; For example, banks can use third party loan originators, but they must ensure that the originator applies the same credit assessment standards as the bank’s own.&amp;nbsp; Banks must also monitor and audit loans originated via third parties for on-going compliance with their lending criteria. Additionally, as a best practice, banks can include a risk-based component in the fees they pay for broker-originated loans.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Higher Capital Charges for Sub-prime Lending&lt;/STRONG&gt;:&amp;nbsp; Since 2004 there have been significantly higher capital charges for “low-documentation” loans. APRA has adopted higher capital adequacy norms than most countries. &lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;APRA’s Meta Regulation Approach:&amp;nbsp; &lt;/STRONG&gt;APRA adopts a ‘risk-based’ approach to regulation. Its focus is to empower banks and ensure that they embed sound risk management practices deeply in their organizational DNA. Some academics refer to this method as “meta-regulation”.&amp;nbsp; &lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;This is backed up by risk assessments of the bank to check internal risk management processes, and by direct intervention to secure improvements. Australia has four government agencies overseeing the financial system, namely the ACCC (Australian Competition and Consumer Commission), ASIC (Australian Securities &amp;amp; Investments Commission), APRA (Australian Prudential Regulatory Authority) and the RBA (Reserve Bank of Australia). This is a “twin peaks” model, with APRA as the prudential regulator and ASIC as the market conduct regulator.&lt;/P&gt;
&lt;P&gt;&lt;IMG style="WIDTH: 108px; HEIGHT: 140px" align=left src="http://blogs.msdn.com/photos/sai_sireesh/images/9906222/secondarythumb.aspx" width=108 height=140 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9906222/secondarythumb.aspx"&gt;&lt;/P&gt;
&lt;P&gt;Ozzie..Ozzie..Ozzie..oye..oye..oye! &lt;/P&gt;
&lt;P&gt;(a popular cheering cry in activities, sports etc.)&lt;/P&gt;
&lt;P&gt;----------------------------------------------------------------------&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Sources: My own personal experiences; APRA speeches 2009: David Lewis, GM, March 2009; John Laker, Chairman, Aug 2009; &lt;/P&gt;
&lt;P&gt;----------------------------------------------------------------------&lt;/P&gt;
&lt;P mce_keep="true"&gt;&lt;IMG style="WIDTH: 58px; HEIGHT: 87px" title=Sai alt=Sai align=left src="http://blogs.msdn.com/photos/sai_sireesh/images/9692768/thumb.aspx" width=58 height=87 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9692768/thumb.aspx"&gt;Sai Sireesh is Director of Risk Management &amp;amp; Compliance Strategy &amp;amp; Solutions, Worldwide Financial Services for the Microsoft Corporation.&amp;nbsp; Mr. Sireesh has over 18 years of global experience across Risk and Compliance Consulting, Financial sector Strategy and blueprints execution.&amp;nbsp; He has worked in North America, Australia, Singapore, Malaysia, Philippines, Thailand, Indonesia and India,&amp;nbsp;is a regular contributor to the Journal of Regulation &amp;amp; Risk, and has authored several global research studies and articles. &lt;/P&gt;
&lt;P mce_keep="true"&gt;&amp;nbsp;&lt;/P&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=9905124" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/grc/archive/tags/Risk+/default.aspx">Risk </category><category domain="http://blogs.msdn.com/grc/archive/tags/Regulation/default.aspx">Regulation</category><category domain="http://blogs.msdn.com/grc/archive/tags/Basel+II+Accord/default.aspx">Basel II Accord</category><category domain="http://blogs.msdn.com/grc/archive/tags/mortgages/default.aspx">mortgages</category><category domain="http://blogs.msdn.com/grc/archive/tags/sub-prime/default.aspx">sub-prime</category><category domain="http://blogs.msdn.com/grc/archive/tags/risk+management/default.aspx">risk management</category><category domain="http://blogs.msdn.com/grc/archive/tags/Australia/default.aspx">Australia</category><category domain="http://blogs.msdn.com/grc/archive/tags/APRA/default.aspx">APRA</category><category domain="http://blogs.msdn.com/grc/archive/tags/Australian+Prudential+and+Regulatory+Authority/default.aspx">Australian Prudential and Regulatory Authority</category><category domain="http://blogs.msdn.com/grc/archive/tags/Sai+Sireesh/default.aspx">Sai Sireesh</category><category domain="http://blogs.msdn.com/grc/archive/tags/banking/default.aspx">banking</category><category domain="http://blogs.msdn.com/grc/archive/tags/loans/default.aspx">loans</category><category domain="http://blogs.msdn.com/grc/archive/tags/banks/default.aspx">banks</category><category domain="http://blogs.msdn.com/grc/archive/tags/securitization/default.aspx">securitization</category><category domain="http://blogs.msdn.com/grc/archive/tags/Meta+Regulation/default.aspx">Meta Regulation</category><category domain="http://blogs.msdn.com/grc/archive/tags/financial+markets/default.aspx">financial markets</category><category domain="http://blogs.msdn.com/grc/archive/tags/global+markets/default.aspx">global markets</category><category 
domain="http://blogs.msdn.com/grc/archive/tags/RBA/default.aspx">RBA</category><category domain="http://blogs.msdn.com/grc/archive/tags/ASIC/default.aspx">ASIC</category><category domain="http://blogs.msdn.com/grc/archive/tags/Australian+Securities+_2600_amp_3B00_+Investments+Commission/default.aspx">Australian Securities &amp;amp; Investments Commission</category><category domain="http://blogs.msdn.com/grc/archive/tags/ACCC/default.aspx">ACCC</category><category domain="http://blogs.msdn.com/grc/archive/tags/Australian+Competition+and+Consumer+Commissiion/default.aspx">Australian Competition and Consumer Commissiion</category><category domain="http://blogs.msdn.com/grc/archive/tags/Commonwealth+Bank+of+Australia/default.aspx">Commonwealth Bank of Australia</category><category domain="http://blogs.msdn.com/grc/archive/tags/WestPac/default.aspx">WestPac</category><category domain="http://blogs.msdn.com/grc/archive/tags/CBA/default.aspx">CBA</category><category domain="http://blogs.msdn.com/grc/archive/tags/Macquarie/default.aspx">Macquarie</category><category domain="http://blogs.msdn.com/grc/archive/tags/National+Australia+Bank/default.aspx">National Australia Bank</category><category domain="http://blogs.msdn.com/grc/archive/tags/NAB/default.aspx">NAB</category><category domain="http://blogs.msdn.com/grc/archive/tags/mortgage+discipline/default.aspx">mortgage discipline</category><category domain="http://blogs.msdn.com/grc/archive/tags/too+strong+to+fail/default.aspx">too strong to fail</category><category domain="http://blogs.msdn.com/grc/archive/tags/4+pillar+policy/default.aspx">4 pillar policy</category><category domain="http://blogs.msdn.com/grc/archive/tags/credit+assessment+standards/default.aspx">credit assessment standards</category><category domain="http://blogs.msdn.com/grc/archive/tags/3rd+party+loan+originator/default.aspx">3rd party loan originator</category><category 
domain="http://blogs.msdn.com/grc/archive/tags/risk-based/default.aspx">risk-based</category><category domain="http://blogs.msdn.com/grc/archive/tags/meta-regulation/default.aspx">meta-regulation</category></item><item><title>Jeff Jinnett:  The Nimble Approach to Compliance: Multi-Purpose IT Solutions and “Nexialist” Compliance Attorneys</title><link>http://blogs.msdn.com/grc/archive/2009/10/04/the-nimble-approach-to-compliance-multi-purpose-it-solutions-and-nexialist-compliance-attorneys.aspx</link><pubDate>Sun, 04 Oct 2009 21:58:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:9902969</guid><dc:creator>AnnaVAubry</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.msdn.com/grc/comments/9902969.aspx</comments><wfw:commentRss>http://blogs.msdn.com/grc/commentrss.aspx?PostID=9902969</wfw:commentRss><wfw:comment>http://blogs.msdn.com/grc/rsscomments.aspx?PostID=9902969</wfw:comment><description>&lt;P&gt;Regulatory compliance has become an increasingly costly burden. For example, SIFMA has estimated that the U.S. securities industry in 2004 spent $23.2 billion on compliance-related activities(1). In addition, regulatory mandates have become more intrusive in their application to how business is conducted. In response to corporate scandals such as Enron, the mandates have shifted from regulating the final &lt;EM&gt;&lt;STRONG&gt;work product&lt;/STRONG&gt;&lt;/EM&gt; to be produced for regulatory review, such as the enterprise’s financial statements, to also regulating the &lt;EM&gt;&lt;STRONG&gt;process&lt;/STRONG&gt;&lt;/EM&gt; by which the final work product is produced. This principle is clearly evident in Section 404 of the Sarbanes-Oxley Act (“SOX”)(2). Section 404 requires corporate management to prepare a report on their internal controls and disclosure and their analysis as to the effectiveness of the internal controls in producing reliable financial statements for the corporation. 
As part of the Section 404 requirement, management must identify the internal controls framework on which the internal controls are based (e.g., the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework). Management also must obtain an attestation from an independent auditor as to the&lt;IMG style="WIDTH: 152px; HEIGHT: 140px" align=right src="http://blogs.msdn.com/photos/sai_sireesh/images/9834868/secondarythumb.aspx" width=152 height=140 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9834868/secondarythumb.aspx"&gt; sufficiency of their internal controls.&lt;/P&gt;
&lt;P&gt;Additional requirements in the areas of compliance training and oversight, stretching from the worker's desktop to the boardroom, have led to the realization that an effective compliance program must be enterprise-wide. For example, Section 301 of SOX requires the Audit Committee of the board to oversee the "Internal Control Report" prepared by management pursuant to Section 404, and to establish procedures to accept complaints regarding internal controls and auditing issues from employees on an anonymous basis. In an attempt to institutionalize a more rigorous and open approach to financial documentation, disclosure, reporting and compliance, Section 406 of SOX requires issuers to adopt a "Code of Ethics" for their senior financial officers.&lt;/P&gt;
&lt;P&gt;Adding to the regulatory pressure, the frequency with which important mandates are issued has grown over the past few years. Further, reporting deadlines also have been shortened. For example, under Section 409 of SOX, issuers must publicly disclose "on a rapid and current basis" any "additional information concerning material changes in the financial condition or operations" of the company. In order to implement this SOX provision, the U.S. Securities and Exchange Commission shortened the period within which a Form 8-K “Current Report” must be filed to four business days. Four-day reporting periods can pose a serious problem for companies whose data is spread across a multitude of repositories supported by multiple IT platforms. This environment can create a time-consuming need to conform data before consolidating it into one master data set for reporting purposes.&lt;/P&gt;
&lt;P&gt;&lt;IMG style="WIDTH: 146px; HEIGHT: 140px" align=left src="http://blogs.msdn.com/photos/sai_sireesh/images/9834863/secondarythumb.aspx" width=146 height=140 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9834863/secondarythumb.aspx"&gt;One consulting study estimated that a likely allocation of industry compliance budgets is as follows: (a) 55% for staffing, (b) 15% for IT, (c) 12% for training, (d) 10% for external counsel, and (e) 8% for auditing and monitoring. The study’s formula makes it clear that the majority of compliance cost (67%) results from training and staffing, rather than from IT and other costs. This suggests that enterprise-wide standardization on multipurpose, reusable IT solutions requiring less training and smaller staffs to implement and maintain could help to improve compliance personnel collaboration and reduce total compliance costs. It could also help companies more effectively accomplish the goal of establishing an enterprise-wide compliance program that can (a) identify and apply controls to the business processes resulting in regulated work output and (b) meet shortened reporting deadlines. &lt;/P&gt;
&lt;P&gt;Technology alone, however, cannot accomplish these goals. Success will depend also on compliance attorneys becoming more IT-savvy and less dependent on compliance “point solutions”. Compliance traditionally has been of concern to attorneys who tended to be specialists in fields of law, such as healthcare, banking and securities law. Accordingly, the compliance teams formed on a law-by-law basis would have healthcare lawyers on the HIPAA team, banking lawyers on the Basel II team and securities lawyers on the SEC Rule 17a-4 team. Since the healthcare lawyers on the HIPAA compliance team would not consider themselves to be experts on banking or securities laws, they typically would not communicate with the Basel II and SEC Rule 17a-4 teams. This law-by-law approach naturally leads to a "silo" approach to compliance, where each team would work with its own budget and team members to identify their own unique compliance solutions. They also would maintain their own compliance documents, produce their own unique&lt;IMG style="WIDTH: 137px; HEIGHT: 140px" align=right src="http://blogs.msdn.com/photos/sai_sireesh/images/9902983/secondarythumb.aspx" width=137 height=140 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9902983/secondarythumb.aspx"&gt; compliance reports and would report separately to top management and the board on their individual compliance efforts. &lt;/P&gt;
&lt;P&gt;This legal compliance regime will need to change in order for large corporate enterprises to move toward a more nimble, “holistic” approach to compliance utilizing multi-purpose IT compliance solutions.&amp;nbsp; In the classic science fiction novel &lt;U&gt;The Voyage of the Space Beagle&lt;/U&gt;(3), the author A.E. Van Vogt described a scientist called a “&lt;EM&gt;&lt;STRONG&gt;Nexialist&lt;/STRONG&gt;&lt;/EM&gt;”. The Nexialist was trained to understand all of the fields of science – chemistry, physics, biology, etc., and to find solutions to problems based on connections between scientific fields. The common definition of a “Nexialist” is “one skilled in the science of joining together in an orderly fashion the knowledge of one field of learning with that of other fields". Compliance attorneys need to become legal “Nexialists” in order to help develop multi-purpose IT solutions, by recognizing the commonalities that run through seemingly disparate legal mandates. For example, instead of developing or buying twenty different encryption tools for a variety of privacy and security mandates applicable to the enterprise’s banking, healthcare, securities and insurance businesses, the “Nexialist” compliance attorney could help identify a smaller set of encryption tools that can be multi-purpose and reusable across multiple regulatory mandates. &lt;BR&gt;____________________________________________&lt;/P&gt;
&lt;P&gt;(1) See &lt;A href="http://www.sifma.org/research/surveys/pdf/CostofComplianceSurveyReport.pdf" mce_href="http://www.sifma.org/research/surveys/pdf/CostofComplianceSurveyReport.pdf"&gt;http://www.sifma.org/research/surveys/pdf/CostofComplianceSurveyReport.pdf&lt;/A&gt; &lt;BR&gt;(2) See &lt;A href="http://www.sec.gov/about/laws/soa2002.pdf" mce_href="http://www.sec.gov/about/laws/soa2002.pdf"&gt;http://www.sec.gov/about/laws/soa2002.pdf&lt;/A&gt;&lt;BR&gt;(3) See, e.g., &lt;A href="http://www.amazon.com/VOYAGE-SPACE-BEAGLE-Vogt-vogt/dp/0020259905" mce_href="http://www.amazon.com/VOYAGE-SPACE-BEAGLE-Vogt-vogt/dp/0020259905"&gt;http://www.amazon.com/VOYAGE-SPACE-BEAGLE-Vogt-vogt/dp/0020259905&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;____________________________________________&lt;/P&gt;
&lt;P mce_keep="true"&gt;&lt;IMG style="WIDTH: 100px; HEIGHT: 75px" align=left src="http://blogs.msdn.com/photos/sai_sireesh/images/9692787/thumb.aspx" width=100 height=75 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9692787/thumb.aspx"&gt;Jeff Jinnett is Governance, Risk Management &amp;amp; Compliance Industry Market Development Manager, US Financial Services Group, for Microsoft Corporation.&amp;nbsp; Mr. Jinnett is a former partner of the international law firm of LeBoeuf, Lamb, Greene &amp;amp; MacRae, LLP (now Dewey &amp;amp; LeBoeuf) and has experience in advising Fortune 500 companieis in the financial services industry on the use of technology to support corporate governance, risk management and compliance programs.&amp;nbsp; Mr. Jinnett has testified as an expert before committees of the US Senate on issues relating to the intersectiion of law and technology.&amp;nbsp; He is a member of ARMA (a records and information management professional association) and the Society of Corporate Compliance &amp;amp; Ethics (SSCE).&lt;/P&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=9902969" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/grc/archive/tags/Compliance+/default.aspx">Compliance </category><category domain="http://blogs.msdn.com/grc/archive/tags/SEC+17a-4/default.aspx">SEC 17a-4</category><category domain="http://blogs.msdn.com/grc/archive/tags/Basel+II+Accord/default.aspx">Basel II Accord</category><category domain="http://blogs.msdn.com/grc/archive/tags/Sarbanes-Oxley/default.aspx">Sarbanes-Oxley</category><category domain="http://blogs.msdn.com/grc/archive/tags/HIPAA/default.aspx">HIPAA</category><category domain="http://blogs.msdn.com/grc/archive/tags/regulatory/default.aspx">regulatory</category><category domain="http://blogs.msdn.com/grc/archive/tags/audit/default.aspx">audit</category><category domain="http://blogs.msdn.com/grc/archive/tags/IT+solutions/default.aspx">IT 
solutions</category><category domain="http://blogs.msdn.com/grc/archive/tags/Health+Insurance+Portability+and+Accountability+Act/default.aspx">Health Insurance Portability and Accountability Act</category><category domain="http://blogs.msdn.com/grc/archive/tags/SEC/default.aspx">SEC</category><category domain="http://blogs.msdn.com/grc/archive/tags/Securities+and+Exchange+Commission/default.aspx">Securities and Exchange Commission</category><category domain="http://blogs.msdn.com/grc/archive/tags/IT/default.aspx">IT</category><category domain="http://blogs.msdn.com/grc/archive/tags/Jeff+Jinnett/default.aspx">Jeff Jinnett</category><category domain="http://blogs.msdn.com/grc/archive/tags/Sectiion+409/default.aspx">Sectiion 409</category><category domain="http://blogs.msdn.com/grc/archive/tags/Form+8-K/default.aspx">Form 8-K</category><category domain="http://blogs.msdn.com/grc/archive/tags/SIFMA/default.aspx">SIFMA</category><category domain="http://blogs.msdn.com/grc/archive/tags/Enron/default.aspx">Enron</category><category domain="http://blogs.msdn.com/grc/archive/tags/Section+404/default.aspx">Section 404</category><category domain="http://blogs.msdn.com/grc/archive/tags/SOX/default.aspx">SOX</category><category domain="http://blogs.msdn.com/grc/archive/tags/financial+statements/default.aspx">financial statements</category><category domain="http://blogs.msdn.com/grc/archive/tags/Committee+of+Sponsoring+Organizations+of+the+Treadway+Commission/default.aspx">Committee of Sponsoring Organizations of the Treadway Commission</category><category domain="http://blogs.msdn.com/grc/archive/tags/COSCO/default.aspx">COSCO</category><category domain="http://blogs.msdn.com/grc/archive/tags/Section+301/default.aspx">Section 301</category><category domain="http://blogs.msdn.com/grc/archive/tags/documentation/default.aspx">documentation</category><category domain="http://blogs.msdn.com/grc/archive/tags/Code+of+Ethics/default.aspx">Code of Ethics</category><category 
domain="http://blogs.msdn.com/grc/archive/tags/Section+406/default.aspx">Section 406</category><category domain="http://blogs.msdn.com/grc/archive/tags/attorneys/default.aspx">attorneys</category><category domain="http://blogs.msdn.com/grc/archive/tags/Rule+17a-4/default.aspx">Rule 17a-4</category><category domain="http://blogs.msdn.com/grc/archive/tags/The+Voyage+of+the+Space+Beagle/default.aspx">The Voyage of the Space Beagle</category><category domain="http://blogs.msdn.com/grc/archive/tags/A.+E.+Van+Vogt/default.aspx">A. E. Van Vogt</category><category domain="http://blogs.msdn.com/grc/archive/tags/Nexialist/default.aspx">Nexialist</category></item><item><title>Susan Hauser, VP of Microsoft Financial Services, on New Challenges in Risk Management and Compliance</title><link>http://blogs.msdn.com/grc/archive/2009/09/26/new-challenges-in-risk-management-and-compliance-as-the-global-economic-crisis-rumbles-on-financial-firms-of-all-kinds-anticipate-an-overhaul-of.aspx</link><pubDate>Sun, 27 Sep 2009 00:17:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:9898672</guid><dc:creator>AnnaVAubry</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.msdn.com/grc/comments/9898672.aspx</comments><wfw:commentRss>http://blogs.msdn.com/grc/commentrss.aspx?PostID=9898672</wfw:commentRss><wfw:comment>http://blogs.msdn.com/grc/rsscomments.aspx?PostID=9898672</wfw:comment><description>&lt;P&gt;As the global economic crisis rumbles on, financial firms of all kinds anticipate an overhaul of risk management and regulatory frameworks. I asked Microsoft’s global head of Financial Services, Susan Hauser, for her views:&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Sai:&lt;/STRONG&gt; &lt;EM&gt;Susan, as the global head of Microsoft Financial Services, what has the past year meant for financial firms in terms of risk management and compliance?&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Susan:&lt;/STRONG&gt; Over the past 12-18 months, we’ve seen major changes in the organisational structure of many financial institutions, as well as the products they offer. Mergers and government bailouts are only part of the story. As banks try to ensure their survival, we’ve seen a more cautious attitude to lending and measures – such as interest rate cuts – aimed at stimulating the credit markets. Through all of this, banks are both recognising past failures and facing new challenges in governance, risk management and compliance.&lt;/P&gt;
&lt;P&gt;It remains to be seen how the regulatory landscape will develop – will it go to a more light-touch, supervisory mode, or a heavier-touch, regulation-driven model? While there are some trends towards the latter, the picture is not yet clear. However, one thing is obvious: risk management is more crucial than ever to financial organisations, and failing to deal with it is not an option.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Sai:&lt;/STRONG&gt; &lt;EM&gt;In your interactions with financial firms around the world, what are you hearing from clients about their expectations and concerns in this area?&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Susan:&lt;/STRONG&gt; Many financial firms are trying to understand how they can enhance their risk management capabilities, keep up with all the regulatory changes, and review proposed new changes, while at the same time ensuring their survival in the aftermath of the current financial crisis. In such an uncertain situation, nobody can say that this will be easy – a fact that is reflected in the predictions of analysts like Tower Group that despite pressure on budgets, risk management will be a key area for IT spending among financial firms this year. However, while the issues might demand some investment, there are steps that businesses can take to minimise the cost and complexity of their risk management environment while maximising its effectiveness.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Sai:&lt;/STRONG&gt; &lt;EM&gt;What advice would you give to firms considering a risk management and compliance project?&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Susan:&lt;/STRONG&gt; In risk management, context is key – it might take somebody who works with certain tools on a day-to-day basis to recognise that something is amiss, while a manager looking at a set of figures might see nothing out of the ordinary. That gives all the more reason to take a holistic and inclusive approach to risk management and compliance, rather than boxing it off as a separate function – risk affects every part of the business, so risk management should be intrinsic to every function.&lt;/P&gt;
&lt;P&gt;For this reason it’s a good idea to take a step back and look at how risk management and compliance practices need to work across the organisation, as part of everyday operations. This in turn can lead to a realisation of how your existing technologies can be used to address risk management and compliance issues – a practice that can help to minimise complexity, as well as IT spend.&lt;/P&gt;
&lt;P&gt;Microsoft’s focus is to help its customers enhance and execute their vision for an integrated risk management and compliance culture and environment. By adopting a people-ready business approach based on five principles, which are: to simplify and automate the adoption for employees to be more productive; embed risk management best practices in everyday activities; enhance the risk analytics and computing and unlock data; manage risk across structured and unstructured business information; and define long-term sustainable risk management and compliance blueprints, it helps financial institutions execute their long-term risk management and compliance vision and blueprints.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Sai:&lt;/STRONG&gt; &lt;EM&gt;How do you see firms making the best use of existing technologies in this area? &lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Susan:&lt;/STRONG&gt; By using service-oriented architecture (SOA) based technologies that are familiar to users, financial firms can go a long way to ensuring a solid risk management and compliance environment. New risks and regulations are bound to emerge, but basing the system on SOA will enable it to be continuously updated with new applications as regulatory and business demands evolve. We have seen an increasing adoption of Microsoft Office SharePoint Server 2007 (MOSS) for enterprise and operational risk management frameworks. We see this increasing with the risk and compliance capabilities in the 2010 wave offerings, which include Exchange 2010, Office 2010, SharePoint 2010, System Center and Windows 7.&lt;/P&gt;
&lt;P&gt;For Bank of America, one of the world’s leading financial institutions, compliance with international financial regulations is of vital importance and the recent global Basel II Accord regulation, required for implementation by US banks by 2011, resulted in the bank’s creation of a portal solution based on MOSS this past year. Developed and deployed in just four months, the risk and control self-assessment solution collects data associated with operational risk from employees and compiles it so as to accurately measure operational risk at an enterprise level. Some 1,500 Bank of America employees across 200 organisational units use the portal solution to access data on 1,800 key operational risks. About 800 of those risks are reported as part of the bank’s enterprise risk and control assessment, as required by the Basel II Accord.&amp;nbsp; The bank has enjoyed significant benefits from the solution, which include efficient development and deployment; a powerful way of assessing trends; and an easier approach to risk mitigation.&lt;/P&gt;
&lt;P&gt;Microsoft works with a wide array of partners across the world, many of them financial sector specialists. These partners deliver solutions that take advantage of strong infrastructure and reusable business components while using enterprise-ready technologies. I am also happy to see that our team, comprised of leading experts like Jeff Jinnett and you, Sai, is driving efforts to embed more risk management and compliance related functions and capabilities in our technology offerings and customer blueprints. For example, our recently released IT Compliance Management Guide and IT Compliance Management Resources Workbook can help companies view their compliance obligations in the context of authority documents such as Sarbanes-Oxley, enabling them to assess their risk management and compliance needs and address them by implementing controls within their Microsoft infrastructure.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Sai:&lt;/STRONG&gt; &lt;EM&gt;Thanks for your thoughts, Susan. I am also excited to announce that we have commissioned a global study on the Future State of Risk Management, with Professional Risk Managers International Association (&lt;A href="http://prmia.org/"&gt;http://prmia.org/&lt;/A&gt;). The study will be released in November 2009.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Note:&lt;/STRONG&gt; The IT Compliance Management Guide is free to download at: &lt;A href="http://www.microsoft.com/solutionaccelerators"&gt;www.microsoft.com/solutionaccelerators&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;- - - - - - - - - - - - - - - - - - - - - &lt;/P&gt;
&lt;P&gt;&lt;IMG style="WIDTH: 63px; HEIGHT: 88px" align=left src="http://blogs.msdn.com/photos/sai_sireesh/images/9898681/secondarythumb.aspx" width=100 height=140 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9898681/secondarythumb.aspx"&gt;Susan Hauser is Vice President, Worldwide Financial Services group at Microsoft.&lt;/P&gt;
&lt;P&gt;Susan began working for Microsoft in 1997, focusing on banks in New York City and was responsible for wins where retail bank branch platforms deployed on Windows NT and thus established Microsoft as a key player/provider within financial services.&amp;nbsp; In 2000, she assumed the role of financial services director for the East Region in the US, where she managed strategy, operations, and key relationships with strategic financial services customers across all financial services firms in the region.&lt;/P&gt;
&lt;P mce_keep="true"&gt;&lt;IMG style="WIDTH: 58px; HEIGHT: 87px" title=Sai alt=Sai align=left src="http://blogs.msdn.com/photos/sai_sireesh/images/9692768/thumb.aspx" width=58 height=87 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9692768/thumb.aspx"&gt;Sai Sireesh is Director of Risk Management &amp;amp; Compliance Strategy &amp;amp; Solutions, Worldwide Financial Services for the Microsoft Corporation.&amp;nbsp; Mr. Sireesh has over 18 years of global experience across Risk and Compliance Consulting, Financial sector Strategy and blueprints execution.&amp;nbsp; He has worked in North America, Australia, Singapore, Malaysia, Philippines, Thailand, Indonesia and India,&amp;nbsp;is a regular contributor to the Journal of Regulation &amp;amp; Risk, and has authored several global research studies and articles. &lt;/P&gt;
&lt;P mce_keep="true"&gt;&amp;nbsp;&lt;/P&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=9898672" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/grc/archive/tags/Risk+/default.aspx">Risk </category><category domain="http://blogs.msdn.com/grc/archive/tags/Compliance+/default.aspx">Compliance </category><category domain="http://blogs.msdn.com/grc/archive/tags/Technology/default.aspx">Technology</category><category domain="http://blogs.msdn.com/grc/archive/tags/people-ready/default.aspx">people-ready</category><category domain="http://blogs.msdn.com/grc/archive/tags/Basel+II+Accord/default.aspx">Basel II Accord</category><category domain="http://blogs.msdn.com/grc/archive/tags/Sarbanes-Oxley/default.aspx">Sarbanes-Oxley</category><category domain="http://blogs.msdn.com/grc/archive/tags/regulatory/default.aspx">regulatory</category><category domain="http://blogs.msdn.com/grc/archive/tags/SharePoint+Server/default.aspx">SharePoint Server</category><category domain="http://blogs.msdn.com/grc/archive/tags/Microsoft/default.aspx">Microsoft</category><category domain="http://blogs.msdn.com/grc/archive/tags/Office/default.aspx">Office</category><category domain="http://blogs.msdn.com/grc/archive/tags/MOSS/default.aspx">MOSS</category><category domain="http://blogs.msdn.com/grc/archive/tags/Governance/default.aspx">Governance</category><category domain="http://blogs.msdn.com/grc/archive/tags/risk+management/default.aspx">risk management</category><category domain="http://blogs.msdn.com/grc/archive/tags/IT/default.aspx">IT</category><category domain="http://blogs.msdn.com/grc/archive/tags/Sai+Sireesh/default.aspx">Sai Sireesh</category><category domain="http://blogs.msdn.com/grc/archive/tags/Jeff+Jinnett/default.aspx">Jeff Jinnett</category><category domain="http://blogs.msdn.com/grc/archive/tags/best+practices/default.aspx">best practices</category><category 
domain="http://blogs.msdn.com/grc/archive/tags/data/default.aspx">data</category><category domain="http://blogs.msdn.com/grc/archive/tags/risk+mitigation+plan/default.aspx">risk mitigation plan</category><category domain="http://blogs.msdn.com/grc/archive/tags/banks/default.aspx">banks</category><category domain="http://blogs.msdn.com/grc/archive/tags/global+economic+crisis/default.aspx">global economic crisis</category><category domain="http://blogs.msdn.com/grc/archive/tags/Susan+Hauser/default.aspx">Susan Hauser</category><category domain="http://blogs.msdn.com/grc/archive/tags/bailouts/default.aspx">bailouts</category><category domain="http://blogs.msdn.com/grc/archive/tags/financial+crisis/default.aspx">financial crisis</category><category domain="http://blogs.msdn.com/grc/archive/tags/Tower+Group/default.aspx">Tower Group</category><category domain="http://blogs.msdn.com/grc/archive/tags/technologies/default.aspx">technologies</category><category domain="http://blogs.msdn.com/grc/archive/tags/IT+spend/default.aspx">IT spend</category><category domain="http://blogs.msdn.com/grc/archive/tags/unlock+data/default.aspx">unlock data</category><category domain="http://blogs.msdn.com/grc/archive/tags/service-oriented+architecture/default.aspx">service-oriented architecture</category><category domain="http://blogs.msdn.com/grc/archive/tags/SOA/default.aspx">SOA</category><category domain="http://blogs.msdn.com/grc/archive/tags/Bank+of+America/default.aspx">Bank of America</category><category domain="http://blogs.msdn.com/grc/archive/tags/portal+solution/default.aspx">portal solution</category><category domain="http://blogs.msdn.com/grc/archive/tags/risk+mitigation/default.aspx">risk mitigation</category><category domain="http://blogs.msdn.com/grc/archive/tags/IT+Compliance+Management+Guide/default.aspx">IT Compliance Management Guide</category><category domain="http://blogs.msdn.com/grc/archive/tags/IT+Compliance+Management+Resources+Workbook/default.aspx">IT 
Compliance Management Resources Workbook</category><category domain="http://blogs.msdn.com/grc/archive/tags/Worldwide+Financial+Services/default.aspx">Worldwide Financial Services</category><category domain="http://blogs.msdn.com/grc/archive/tags/Exchange/default.aspx">Exchange</category><category domain="http://blogs.msdn.com/grc/archive/tags/Windows/default.aspx">Windows</category></item><item><title>Jeff Jinnett:  The Catch-22 of Record Retention</title><link>http://blogs.msdn.com/grc/archive/2009/09/19/jeff-jinnett-the-catch-22-of-record-retention.aspx</link><pubDate>Sat, 19 Sep 2009 21:41:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:9897154</guid><dc:creator>AnnaVAubry</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.msdn.com/grc/comments/9897154.aspx</comments><wfw:commentRss>http://blogs.msdn.com/grc/commentrss.aspx?PostID=9897154</wfw:commentRss><wfw:comment>http://blogs.msdn.com/grc/rsscomments.aspx?PostID=9897154</wfw:comment><description>&lt;P&gt;At the heart of the record retention challenge is the difficult question as to what types of documents to maintain for compliance purposes and how long to&lt;IMG style="WIDTH: 142px; HEIGHT: 140px" align=right src="http://blogs.msdn.com/photos/sai_sireesh/images/9872783/secondarythumb.aspx" width=142 height=140 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9872783/secondarythumb.aspx"&gt; maintain them. In certain cases, applicable laws and regulations specify the types of documents to retain and the length of time to retain them. For example, for purposes of electronic records maintained in a company’s role as a taxpayer, IRS Revenue Procedure 98-25 serves as a useful guide to the IRS’s document retention expectations. In addition, IRS Revenue Procedure 97-22 provides guidance for taxpayers who maintain books and records in the form of electronic storage[1]. &lt;/P&gt;
&lt;P&gt;The significant cost of maintaining records has motivated many companies to aggressively discard documents that are not expressly required to be maintained under applicable laws or required to be held for production in pending litigation. Indeed, if a company were to retain all of its documents, the cost of searching, identifying and producing documents in a particular lawsuit might become so expensive that the company would be forced to settle the case rather than incur the expense of discovery[2].&amp;nbsp; Certainly there is support for this position. Guideline Three of the Sedona Principles&amp;nbsp;[3] states that an organization need not retain all electronic information ever generated or received. Also, Rule 37(e) of the U.S. Federal Rules of Civil Procedure&amp;nbsp;[4] creates a safe harbor providing that sanctions will not be imposed on a producing party for “failing to provide electronically stored information lost as a result of the routine, good-faith operation of an electronic information system”. &lt;/P&gt;
&lt;P&gt;On the other hand, if a company adopts a “just barely compliant” approach to record retention, it runs the risk of being accused of spoliation or deliberately destroying documents in an effort to impede regulatory investigations or discovery in a lawsuit. While current case law is trending against requiring companies to maintain records merely on the speculation that they might be relevant for some unknown future litigation, companies still are required to maintain documents that are the subject of investigations that are pending or that the company knew or should have known were imminent [5].&lt;/P&gt;
&lt;P&gt;&lt;IMG style="WIDTH: 100px; HEIGHT: 140px" align=left src="http://blogs.msdn.com/photos/sai_sireesh/images/9897165/secondarythumb.aspx" width=100 height=140 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9897165/secondarythumb.aspx"&gt;A catch-22 therefore faces many companies: if they retain too few documents, they may end up failing to retain key documents needed for regulatory audits or for production in litigation. This could result in the company being sanctioned by the regulator or by the courts. On the other hand, if the company retains all of its documents, the cost of retention may become exorbitant and the company may end up retaining documents that could hurt it in the course of a regulatory audit or in litigation. Clearly, a balance needs to be struck between keeping either too few or too many documents. &lt;/P&gt;
&lt;P&gt;Further, the retention and archival of documents should be done in such a way that the company avoids the use of multiple repositories and data formats, to the extent possible, in order to simplify and speed up the identification and retrieval of documents for audit and litigation purposes. A current trend in regulatory compliance is the imposition of increasingly shortened reporting deadlines. For example, Section 409 of the Sarbanes-Oxley Act [6]&amp;nbsp;requires public companies to disclose information on material changes in the financial condition or operations of the companies on a rapid and current basis. The SEC has implemented this Sarbanes-Oxley Act requirement, by, among other things, requiring that current reports on Form 8-K must be filed within four business days. Segregating current, live data from older, stale information to reduce the size of data repositories that must be searched for purposes of reporting and become subject to automatic production requirements in litigation can help to reduce the burden on companies. &lt;/P&gt;
&lt;P&gt;In addition, in the process of crafting a new records retention approach or re-examining an existing records retention policy, companies should keep in mind recent trends in compliance.&amp;nbsp; One key trend is that regulators tend to set standards of compliance, but are reluctant to specify what technologies and methodologies would be acceptable to achieve the mandated standards. For example, when states began enacting electronic signatures and records laws, a number of them also described digital signature technologies that would produce electronic signatures conforming to the state law’s requirements. When the federal government enacted the ESign [7] law, it prohibited states from specifying conforming technologies[8]. On the one hand, this regulatory approach gives companies a great deal of discretion in deciding how best to meet regulatory compliance challenges. On the other hand, this approach can give a company just enough rope to hang itself if it makes poor technology choices. &lt;/P&gt;
&lt;P&gt;In conclusion, companies today face a risk in connection with their records management approach of either keeping too many documents and potentially&lt;IMG style="WIDTH: 100px; HEIGHT: 140px" align=right src="http://blogs.msdn.com/photos/sai_sireesh/images/9872790/secondarythumb.aspx" width=100 height=140 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9872790/secondarythumb.aspx"&gt; handing an investigator or plaintiff a “smoking gun”, or keeping too few documents and having a court impose sanctions on the company for alleged spoliation of evidence. There is no “one size fits all” solution to this catch-22 dilemma. Companies need to map applicable laws, standards and best practices against their business operations and implement a records retention policy that can be defended in the event of an investigation or litigation. In addition, the company’s approach needs to take into account the capabilities of the company’s employees and the IT infrastructure in place. Ultimately, this process will only be successful if it results from a combination of the right personnel, an accurate mapping against the processes of the company and effective and scalable technology that is suited to the company’s operational environment.&lt;/P&gt;
&lt;P&gt;________________________________________&lt;/P&gt;
&lt;P&gt;[1] See, e.g., &lt;A href="http://www.uiowa.edu/~fusrmp/irsprocedures.html"&gt;http://www.uiowa.edu/~fusrmp/irsprocedures.html&lt;/A&gt;.&lt;BR&gt;[2] See, e.g., &lt;A href="http://www.du.edu/legalinstitute/news/Focus_Reprint.pdf"&gt;http://www.du.edu/legalinstitute/news/Focus_Reprint.pdf&lt;/A&gt;.&lt;BR&gt;[3] See &lt;A href="http://www.thesedonaconference.com/content/miscFiles/Guidelines.pdf"&gt;http://www.thesedonaconference.com/content/miscFiles/Guidelines.pdf&lt;/A&gt;.&lt;BR&gt;[4] See &lt;A href="http://www.law.cornell.edu/rules/frcp/Rule37.htm"&gt;http://www.law.cornell.edu/rules/frcp/Rule37.htm&lt;/A&gt;.&lt;BR&gt;[5] See, e.g., &lt;A href="http://www.mass.gov/obcbbo/eve.htm"&gt;http://www.mass.gov/obcbbo/eve.htm&lt;/A&gt;.&lt;BR&gt;[6] See &lt;A href="http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_bills&amp;amp;docid=f:h3763enr.txt.pdf"&gt;http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_bills&amp;amp;docid=f:h3763enr.txt.pdf&lt;/A&gt;.&lt;BR&gt;[7] See Section 102(a)(2)(A)(ii) of the Electronic Signatures in Global and National Commerce Act (ESign), at &lt;A href="http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=106_cong_public_laws&amp;amp;docid=f:publ229.106.pdf"&gt;http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=106_cong_public_laws&amp;amp;docid=f:publ229.106.pdf&lt;/A&gt;.&lt;BR&gt;[8] See, e.g., &lt;A href="http://www.thelenreid.com/index.cfm?section=articles&amp;amp;function=ViewArticle&amp;amp;articleID=1388&amp;amp;filter"&gt;http://www.thelenreid.com/index.cfm?section=articles&amp;amp;function=ViewArticle&amp;amp;articleID=1388&amp;amp;filter&lt;/A&gt;=.&lt;BR&gt;__________________________________________&lt;/P&gt;
&lt;P&gt;&lt;IMG style="WIDTH: 100px; HEIGHT: 75px" align=left src="http://blogs.msdn.com/photos/sai_sireesh/images/9692787/thumb.aspx" width=100 height=75 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9692787/thumb.aspx"&gt;Jeff Jinnett is Governance, Risk Management &amp;amp; Compliance Industry Market Development Manager, US Financial Services Group, for Microsoft Corporation.&amp;nbsp; Mr. Jinnett is a former partner of the international law firm of LeBoeuf, Lamb, Greene &amp;amp; MacRae, LLP (now Dewey &amp;amp; LeBoeuf) and has experience in advising Fortune 500 companieis in the financial services industry on the use of technology to support corporate governance, risk management and compliance programs.&amp;nbsp; Mr. Jinnett has testified as an expert before committees of the US Senate on issues relating to the intersectiion of law and technology.&amp;nbsp; He is a member of ARMA (a records and information management professional association) and the Society of Corporate Compliance &amp;amp; Ethics (SSCE).&lt;/P&gt;
</description><category domain="http://blogs.msdn.com/grc/archive/tags/Risk+/default.aspx">Risk </category><category domain="http://blogs.msdn.com/grc/archive/tags/Compliance+/default.aspx">Compliance </category><category domain="http://blogs.msdn.com/grc/archive/tags/Technology/default.aspx">Technology</category><category domain="http://blogs.msdn.com/grc/archive/tags/Federal+Rules+of+Civil+Procedure/default.aspx">Federal Rules of Civil Procedure</category><category domain="http://blogs.msdn.com/grc/archive/tags/Sarbanes-Oxley/default.aspx">Sarbanes-Oxley</category><category domain="http://blogs.msdn.com/grc/archive/tags/regulatory/default.aspx">regulatory</category><category domain="http://blogs.msdn.com/grc/archive/tags/audit/default.aspx">audit</category><category domain="http://blogs.msdn.com/grc/archive/tags/SEC/default.aspx">SEC</category><category domain="http://blogs.msdn.com/grc/archive/tags/IT/default.aspx">IT</category><category domain="http://blogs.msdn.com/grc/archive/tags/litigation/default.aspx">litigation</category><category domain="http://blogs.msdn.com/grc/archive/tags/Jeff+Jinnett/default.aspx">Jeff Jinnett</category><category domain="http://blogs.msdn.com/grc/archive/tags/discovery/default.aspx">discovery</category><category domain="http://blogs.msdn.com/grc/archive/tags/spoliation/default.aspx">spoliation</category><category domain="http://blogs.msdn.com/grc/archive/tags/document/default.aspx">document</category><category domain="http://blogs.msdn.com/grc/archive/tags/record+retention/default.aspx">record retention</category><category domain="http://blogs.msdn.com/grc/archive/tags/electronic+records/default.aspx">electronic records</category><category domain="http://blogs.msdn.com/grc/archive/tags/IRS/default.aspx">IRS</category><category 
domain="http://blogs.msdn.com/grc/archive/tags/Revenue+Procedure+98-25/default.aspx">Revenue Procedure 98-25</category><category domain="http://blogs.msdn.com/grc/archive/tags/Revenue+Procedure+97-22/default.aspx">Revenue Procedure 97-22</category><category domain="http://blogs.msdn.com/grc/archive/tags/Guideline+Three/default.aspx">Guideline Three</category><category domain="http://blogs.msdn.com/grc/archive/tags/Sedona+Principles/default.aspx">Sedona Principles</category><category domain="http://blogs.msdn.com/grc/archive/tags/Rule+37_2800_e_2900_/default.aspx">Rule 37(e)</category><category domain="http://blogs.msdn.com/grc/archive/tags/case+law/default.aspx">case law</category><category domain="http://blogs.msdn.com/grc/archive/tags/investigations/default.aspx">investigations</category><category domain="http://blogs.msdn.com/grc/archive/tags/Sectiion+409/default.aspx">Sectiion 409</category><category domain="http://blogs.msdn.com/grc/archive/tags/Form+8-K/default.aspx">Form 8-K</category><category domain="http://blogs.msdn.com/grc/archive/tags/ESign/default.aspx">ESign</category><category domain="http://blogs.msdn.com/grc/archive/tags/IT+infrastructure/default.aspx">IT infrastructure</category><category domain="http://blogs.msdn.com/grc/archive/tags/scalable/default.aspx">scalable</category></item><item><title>Sai Sireesh:  The Spanish Approach to Risk Management! 
</title><link>http://blogs.msdn.com/grc/archive/2009/09/13/sai-sireesh-the-spanish-approach-to-risk-management.aspx</link><pubDate>Sun, 13 Sep 2009 22:28:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:9894706</guid><dc:creator>AnnaVAubry</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.msdn.com/grc/comments/9894706.aspx</comments><wfw:commentRss>http://blogs.msdn.com/grc/commentrss.aspx?PostID=9894706</wfw:commentRss><wfw:comment>http://blogs.msdn.com/grc/rsscomments.aspx?PostID=9894706</wfw:comment><description>&lt;P&gt;&lt;IMG style="WIDTH: 162px; HEIGHT: 110px" align=left src="http://blogs.msdn.com/photos/sai_sireesh/images/9894712/original.aspx" width=162 height=110 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9894712/original.aspx"&gt;As a major European economy, Spain’s banking sector has fared relatively well in the international financial crisis. Both Banco Bilbao Vizcaya Argentaria (BBVA) and Banco Santander (BS), amongst the largest banks in the world, have done relatively well compared to their peers. With very few banks needing capital infusion and government hand holding, Spanish banks have done quite well in past years, fueled by a real estate boom. Of course, as real estate has declined over the past two years and the economy is in recession, many banks do have heavy exposures to the real estate sector and are saddled with a rising rate of bad loans. The government is stepping up with a fund of up to €90 billion (US$125.46 billion) to help banks restructure and cope with the effects of recession.&lt;/P&gt;
&lt;P&gt;However, the relatively better performance of Spanish banks is still commendable and can be attributed to the key factors below: &lt;IMG style="WIDTH: 160px; HEIGHT: 107px" align=right src="http://blogs.msdn.com/photos/sai_sireesh/images/9834871/secondarythumb.aspx" width=160 height=107 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9834871/secondarythumb.aspx"&gt;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;Strict Financial Regulation Environment enforced by the Bank of Spain (Banco de Espana) &lt;/LI&gt;
&lt;LI&gt;More Prudent Trading and Risk Management practices &lt;/LI&gt;
&lt;LI&gt;Dynamic Capital Provisioning - Banks forced to set aside provisions during an economic boom fueled by construction and consumer spending&lt;/LI&gt;
&lt;LI&gt;Loan Loss Provisioning - Spanish banks have higher loan-loss provisions than many of their foreign counterparts because of the way Banco de Espana set reserve requirements&lt;/LI&gt;
&lt;LI&gt;Traditional Banking Focus – Most banks focus on traditional retail banking business and are less enamored by exotic business lines and products&lt;/LI&gt;
&lt;LI&gt;Spanish Approach to Securitization – More for funding purpose than the most common risk transfer mechanism&lt;/LI&gt;
&lt;LI&gt;Strict Treatment of Off Balance Sheet Items – All instruments need to be reflected in balance sheets, i.e. no structured products treated as off balance sheet items&lt;/LI&gt;
&lt;LI&gt;Strong On-site Supervision &lt;/LI&gt;
&lt;LI&gt;Different Capital Requirement for Mortgage Loans depending on their loan-to-value ratios.&lt;/LI&gt;&lt;/OL&gt;
&lt;P&gt;In many countries across the world, banks are required to increase reserves as losses increase and allowed to decrease reserves as profits rise. This setup increases bank lending during economic boom periods and decreases lending activity during downturns, a cyclical tendency. &lt;/P&gt;
&lt;P&gt;&lt;IMG style="WIDTH: 160px; HEIGHT: 128px" align=left src="http://blogs.msdn.com/photos/sai_sireesh/images/9868774/secondarythumb.aspx" width=160 height=128 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9868774/secondarythumb.aspx"&gt;Banco de Espana sets reserves based on an weighted average of a banks’ assets, with the weights determined by past default frequencies for different asset classes. The hypothesis is that historical default frequencies will accurately reflect reserves going forward. This presumes that the historical record provides a good indication for distinguishing between cyclical and more permanent components of loan performance. &lt;/P&gt;
&lt;P&gt;We already see many countries starting to look at dynamic provisioning as a best practice. Of course, the issue of dynamic provisioning and its compatibility with IFRS needs to be handled.&amp;nbsp; Here again the Bank of Spain has led the way to find common ground in terms of accounting standards. &lt;/P&gt;
&lt;P&gt;So hats off to Spain for showing the way for prudent banking via solid commonsense risk management!&lt;/P&gt;
&lt;P&gt;-------------------------------------------------------------------------------&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Sources &amp;amp; Acknowledgements:&lt;/STRONG&gt; BBVA Economic Research Working Paper, Feb 2009 – "Dynamic Provisioning and other tools"; Banco De Espana; Financial Times; Financial Week.&lt;/P&gt;
&lt;P&gt;_____________________________________________&lt;/P&gt;
&lt;P mce_keep="true"&gt;&lt;IMG style="WIDTH: 58px; HEIGHT: 87px" title=Sai alt=Sai align=left src="http://blogs.msdn.com/photos/sai_sireesh/images/9692768/thumb.aspx" width=58 height=87 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9692768/thumb.aspx"&gt;Sai Sireesh is Director of Risk Management &amp;amp; Compliance Strategy &amp;amp; Solutions, Worldwide Financial Services for the Microsoft Corporation.&amp;nbsp; Mr. Sireesh has over 18 years of global experience across Risk and Compliance Consulting, Financial sector Strategy and blueprints execution.&amp;nbsp; He has worked in North America, Australia, Singapore, Malaysia, Philippines, Thailand, Indonesia and India,&amp;nbsp;is a regular contributor to the Journal of Regulation &amp;amp; Risk, and has authored several global research studies and articles. &lt;/P&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=9894706" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/grc/archive/tags/mortgages/default.aspx">mortgages</category><category domain="http://blogs.msdn.com/grc/archive/tags/risk+management/default.aspx">risk management</category><category domain="http://blogs.msdn.com/grc/archive/tags/Spain/default.aspx">Spain</category><category domain="http://blogs.msdn.com/grc/archive/tags/loan/default.aspx">loan</category><category domain="http://blogs.msdn.com/grc/archive/tags/Sai+Sireesh/default.aspx">Sai Sireesh</category><category domain="http://blogs.msdn.com/grc/archive/tags/best+practices/default.aspx">best practices</category><category domain="http://blogs.msdn.com/grc/archive/tags/European/default.aspx">European</category><category domain="http://blogs.msdn.com/grc/archive/tags/economy/default.aspx">economy</category><category domain="http://blogs.msdn.com/grc/archive/tags/banking/default.aspx">banking</category><category domain="http://blogs.msdn.com/grc/archive/tags/Banco+Bilbao+Vizcaya+Argentaria/default.aspx">Banco Bilbao Vizcaya 
Argentaria</category><category domain="http://blogs.msdn.com/grc/archive/tags/BBVA/default.aspx">BBVA</category><category domain="http://blogs.msdn.com/grc/archive/tags/Banco+Santander/default.aspx">Banco Santander</category><category domain="http://blogs.msdn.com/grc/archive/tags/BS/default.aspx">BS</category><category domain="http://blogs.msdn.com/grc/archive/tags/real+estate/default.aspx">real estate</category><category domain="http://blogs.msdn.com/grc/archive/tags/recession/default.aspx">recession</category><category domain="http://blogs.msdn.com/grc/archive/tags/loans/default.aspx">loans</category><category domain="http://blogs.msdn.com/grc/archive/tags/government/default.aspx">government</category><category domain="http://blogs.msdn.com/grc/archive/tags/Bank+of+Spain/default.aspx">Bank of Spain</category><category domain="http://blogs.msdn.com/grc/archive/tags/Banco+de+Espana/default.aspx">Banco de Espana</category><category domain="http://blogs.msdn.com/grc/archive/tags/Dynamic+Provisioning/default.aspx">Dynamic Provisioning</category><category domain="http://blogs.msdn.com/grc/archive/tags/reserve/default.aspx">reserve</category><category domain="http://blogs.msdn.com/grc/archive/tags/banks/default.aspx">banks</category><category domain="http://blogs.msdn.com/grc/archive/tags/securitization/default.aspx">securitization</category><category domain="http://blogs.msdn.com/grc/archive/tags/off+balance+sheet/default.aspx">off balance sheet</category><category domain="http://blogs.msdn.com/grc/archive/tags/loan-to-value+ratio/default.aspx">loan-to-value ratio</category><category domain="http://blogs.msdn.com/grc/archive/tags/default/default.aspx">default</category><category domain="http://blogs.msdn.com/grc/archive/tags/IFRS/default.aspx">IFRS</category></item><item><title>Jeff Jinnett:  Value of an IT Security Due Diligence Document/Risk Mitigation 
Plan</title><link>http://blogs.msdn.com/grc/archive/2009/08/31/value-of-an-it-security-due-diligence-document-risk-mitigation-plan.aspx</link><pubDate>Mon, 31 Aug 2009 19:25:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:9889414</guid><dc:creator>AnnaVAubry</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.msdn.com/grc/comments/9889414.aspx</comments><wfw:commentRss>http://blogs.msdn.com/grc/commentrss.aspx?PostID=9889414</wfw:commentRss><wfw:comment>http://blogs.msdn.com/grc/rsscomments.aspx?PostID=9889414</wfw:comment><description>&lt;P&gt;If a company were ever asked to describe its IT security program, the company likely would have to bring in numerous staffers from the IT department and &lt;IMG style="WIDTH: 160px; HEIGHT: 107px" align=left src="http://blogs.msdn.com/photos/sai_sireesh/images/9726747/secondarythumb.aspx" width=160 height=107 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9726747/secondarythumb.aspx"&gt;refer to reams of documents to present a full picture of the company’s IT security approach.&amp;nbsp; The need to be able to describe the company’s IT security program in layperson’s terms, without having to resort to a series of technical interviews of IT team members, could arise if the company is sued as a result of a data security breach and has to describe its IT security program to a jury.&amp;nbsp; It also could be necessary if regulators, board directors, bank lenders, outside accountants, insurance underwriters, or other critical third parties meet with the company and seek information about its IT security program.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;A due diligence document summarizing the company’s IT program could be very helpful in this situation, since it could be prepared based on interviews with key IT department members and a review of relevant documents.&amp;nbsp; The due diligence document would be designed to make the company’s IT security approach as clear and understandable as possible.&amp;nbsp; Rather than being prepared to be an attorney-client privileged document, the summary due diligence report would be designed to be disclosed.&amp;nbsp; In addition, in the course of finalizing the summary due diligence record, the company would in effect be creating a “risk mitigation plan” for the program, since the process of interviewing project team members and reviewing documents would force the company to step back and look at its overall program from the view of a third party. &lt;/P&gt;
&lt;P&gt;In addition to providing a “30,000-foot view” of the company’s IT security approach, the risk mitigation plan (RMP) could include references to industry standards, private sector white papers, public sector directives, and other third-party “best practice” guidelines the company believes match portions of its IT security approach.&amp;nbsp; For example, the company could obtain a HIPAA[1]&amp;nbsp;Security Accreditation from URAC[2] and cite this as an “external validator” of the company’s IT Security approach. The URAC HIPAA Security Accreditation[3] can be applied for by any company having to deal with “protected health information”, such as a HIPAA “Business Associate”, not just by healthcare companies.&amp;nbsp; Since HIPAA is arguably the most stringent U.S. Federal IT standard for the private sector, evidence of compliance with the HIPAA Security Rule[4] could be helpful in validating the strength of a company’s IT security program.&lt;/P&gt;
&lt;P&gt;Alternatively, the company might have an outside consultant review the IT security methodology used by the company and have the consultant write a report&lt;IMG style="WIDTH: 139px; HEIGHT: 140px" align=right src="http://blogs.msdn.com/photos/sai_sireesh/images/9889660/secondarythumb.aspx" width=139 height=140 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9889660/secondarythumb.aspx"&gt; stating that the company’s methodology is substantially similar to the consultant’s own methodology, which the consultant has used for comparable companies.&amp;nbsp; By creating the RMP and attempting to find “external validators” for each of the key IT security program documents, the company is forced to think in terms of how best to defend its IT security decisions as meeting best practices to the extent known at the time.&amp;nbsp; &lt;/P&gt;
&lt;P&gt;The drafting of an IT Security RMP also enables the company to see where its IT security program may be subject to attack in litigation as not matching industry standard practices. This gives the company time to locate a potential expert witness who could support the company’s deviation from the industry norm as reasonable in light of the company’s circumstances.&amp;nbsp; Since the preparation of the document requires interviewing the key IT department members to debrief them on their understanding of the IT security program, it also will give the company and its in-house and outside counsel the opportunity to determine which IT department members would make the best witnesses to testify on behalf of the company should it become involved in litigation.&amp;nbsp; The company also could seek to introduce the RMP into evidence at the outset of the company’s defense as a pre-existing business record kept in the normal course of business[5]. The RMP could help to persuade the jury that the defendant company was not guilty of gross negligence or willful misconduct, so as to avoid the imposition of punitive damages. &lt;/P&gt;
&lt;P&gt;Although readers of this blog may think that the effort required to create the IT security RMP only makes sense for a Fortune 500 company with a large IT security program, it could also be helpful for small and medium-sized companies.&amp;nbsp; This is because business partners may begin to worry about the IT security-readiness of their smaller business partners.&amp;nbsp; If a small or medium-sized company cannot convince its business partners that it has a good IT &lt;IMG style="WIDTH: 160px; HEIGHT: 106px" align=left src="http://blogs.msdn.com/photos/sai_sireesh/images/9889667/secondarythumb.aspx" width=160 height=106 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9889667/secondarythumb.aspx"&gt;security program in place, it might lose its business partners to a larger competitor due to the business partner’s “flight to quality.”&amp;nbsp; If the smaller company had created an IT Security RMP, it could disclose that document (subject to appropriate confidentiality agreements) to the business partners in order to reassure them and preserve the relationship.&lt;/P&gt;
&lt;P&gt;____________________________________&lt;/P&gt;
&lt;P mce_keep="true"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;[1] Health Insurance Portability and Accountability Act (HIPAA): see &lt;A href="http://aspe.hhs.gov/admnsimp" mce_href="http://aspe.hhs.gov/admnsimp"&gt;http://aspe.hhs.gov/admnsimp&lt;/A&gt;.&amp;nbsp;&lt;BR&gt;[2] URAC is a healthcare accreditation organization: see &lt;A href="http://www.urac.org/" mce_href="http://www.urac.org/"&gt;http://www.urac.org&lt;/A&gt;. &lt;BR&gt;[3] See &lt;A href="http://www.urac.org/programs/prog_accred_HIPAAS_po.aspx" mce_href="http://www.urac.org/programs/prog_accred_HIPAAS_po.aspx"&gt;http://www.urac.org/programs/prog_accred_HIPAAS_po.aspx&lt;/A&gt;. &lt;BR&gt;[4] See &lt;A href="http://www.cms.hhs.gov/SecurityStandard/02_Regulations.asp#TopOfPage" mce_href="http://www.cms.hhs.gov/SecurityStandard/02_Regulations.asp#TopOfPage"&gt;http://www.cms.hhs.gov/SecurityStandard/02_Regulations.asp#TopOfPage&lt;/A&gt;. &lt;BR&gt;[5] This is relevant for admitting evidence under the business records exception to the hearsay rule under U.S. Federal Rules of Evidence, Rule 803(6): see &lt;A href="http://www.law.cornell.edu/rules/fre/rules.htm#Rule803" mce_href="http://www.law.cornell.edu/rules/fre/rules.htm#Rule803"&gt;http://www.law.cornell.edu/rules/fre/rules.htm#Rule803&lt;/A&gt;. &lt;/P&gt;
&lt;P&gt;_____________________________________&amp;nbsp;&lt;BR&gt;&lt;/P&gt;
&lt;P&gt;&lt;IMG style="WIDTH: 100px; HEIGHT: 75px" align=left src="http://blogs.msdn.com/photos/sai_sireesh/images/9692787/thumb.aspx" width=100 height=75 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9692787/thumb.aspx"&gt;Jeff Jinnett is Governance, Risk Management &amp;amp; Compliance Industry Market Development Manager, US Financial Services Group, for Microsoft Corporation.&amp;nbsp; Mr. Jinnett is a former partner of the international law firm of LeBoeuf, Lamb, Greene &amp;amp; MacRae, LLP (now Dewey &amp;amp; LeBoeuf) and has experience in advising Fortune 500 companieis in the financial services industry on the use of technology to support corporate governance, risk management and compliance programs.&amp;nbsp; Mr. Jinnett has testified as an expert before committees of the US Senate on issues relating to the intersectiion of law and technology.&amp;nbsp; He is a member of ARMA (a records and information management professional association) and the Society of Corporate Compliance &amp;amp; Ethics (SSCE).&lt;/P&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=9889414" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/grc/archive/tags/Risk+/default.aspx">Risk </category><category domain="http://blogs.msdn.com/grc/archive/tags/HIPAA/default.aspx">HIPAA</category><category domain="http://blogs.msdn.com/grc/archive/tags/security/default.aspx">security</category><category domain="http://blogs.msdn.com/grc/archive/tags/IT+Department/default.aspx">IT Department</category><category domain="http://blogs.msdn.com/grc/archive/tags/breaches/default.aspx">breaches</category><category domain="http://blogs.msdn.com/grc/archive/tags/IT/default.aspx">IT</category><category domain="http://blogs.msdn.com/grc/archive/tags/litigation/default.aspx">litigation</category><category domain="http://blogs.msdn.com/grc/archive/tags/Jeff+Jinnett/default.aspx">Jeff Jinnett</category><category 
domain="http://blogs.msdn.com/grc/archive/tags/counsel/default.aspx">counsel</category><category domain="http://blogs.msdn.com/grc/archive/tags/technical/default.aspx">technical</category><category domain="http://blogs.msdn.com/grc/archive/tags/data/default.aspx">data</category><category domain="http://blogs.msdn.com/grc/archive/tags/jury/default.aspx">jury</category><category domain="http://blogs.msdn.com/grc/archive/tags/regulators/default.aspx">regulators</category><category domain="http://blogs.msdn.com/grc/archive/tags/board+directors/default.aspx">board directors</category><category domain="http://blogs.msdn.com/grc/archive/tags/bank+lenders/default.aspx">bank lenders</category><category domain="http://blogs.msdn.com/grc/archive/tags/accountants/default.aspx">accountants</category><category domain="http://blogs.msdn.com/grc/archive/tags/underwriters/default.aspx">underwriters</category><category domain="http://blogs.msdn.com/grc/archive/tags/due+diligence/default.aspx">due diligence</category><category domain="http://blogs.msdn.com/grc/archive/tags/document/default.aspx">document</category><category domain="http://blogs.msdn.com/grc/archive/tags/risk+mitigation+plan/default.aspx">risk mitigation plan</category><category domain="http://blogs.msdn.com/grc/archive/tags/RMP/default.aspx">RMP</category><category domain="http://blogs.msdn.com/grc/archive/tags/Security+Accreditation/default.aspx">Security Accreditation</category><category domain="http://blogs.msdn.com/grc/archive/tags/URAC/default.aspx">URAC</category><category domain="http://blogs.msdn.com/grc/archive/tags/Federal+IT+Standard/default.aspx">Federal IT Standard</category><category domain="http://blogs.msdn.com/grc/archive/tags/healthcare/default.aspx">healthcare</category><category domain="http://blogs.msdn.com/grc/archive/tags/accreditation/default.aspx">accreditation</category><category domain="http://blogs.msdn.com/grc/archive/tags/small+and+medium-sized+companies/default.aspx">small and 
medium-sized companies</category><category domain="http://blogs.msdn.com/grc/archive/tags/IT+Security+RMP/default.aspx">IT Security RMP</category><category domain="http://blogs.msdn.com/grc/archive/tags/evidence/default.aspx">evidence</category></item><item><title>Sai Sireesh: Insurance Supervision - The Future</title><link>http://blogs.msdn.com/grc/archive/2009/08/26/sai-sireesh-insurance-supervision-the-future.aspx</link><pubDate>Wed, 26 Aug 2009 20:24:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:9885632</guid><dc:creator>AnnaVAubry</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.msdn.com/grc/comments/9885632.aspx</comments><wfw:commentRss>http://blogs.msdn.com/grc/commentrss.aspx?PostID=9885632</wfw:commentRss><wfw:comment>http://blogs.msdn.com/grc/rsscomments.aspx?PostID=9885632</wfw:comment><description>&lt;P&gt;Whilst there is a lot of focus on banking, the insurance sector is also witnessing a wave of regulatory changes, especially around cross-border exposures. So I did some quick research on the world of insurance supervision. &lt;/P&gt;
&lt;P&gt;Devoid of dramatics, the Basel, Switzerland based IAIS (International Association of Insurance Supervisors) has been quietly driving adoption of enhanced regulatory and risk management best practices. IAIS represents insurance supervisors of around 190 jurisdictions in nearly 140 countries. The IAIS issues&lt;IMG style="WIDTH: 147px; HEIGHT: 140px" align=right src="http://blogs.msdn.com/photos/sai_sireesh/images/9888991/secondarythumb.aspx" width=147 height=140 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9888991/secondarythumb.aspx"&gt; global insurance principles, standards and guidance papers, provides training and support on issues related to insurance supervision and works closely with other international institutions to promote financial stability. During the Jul-Aug 2009 timeframe, IAIS reaffirmed a number of actions being taken to reinforce insurance regulation and improve the resilience of the global insurance sector against new challenges. Some of the broad actions are: &lt;/P&gt;
&lt;P&gt;• Developing guidance on the use of supervisory colleges in group-wide supervision, which will be consistent with the FSB protocols. This guidance will take into account responses from a recent IAIS survey among insurance supervisors on their experience with supervisory colleges;&lt;/P&gt;
&lt;P&gt;• Expediting the application approval process and encouraging additional members to join the IAIS Multilateral Memorandum of Understanding (MMoU), which is now operational. The MMoU is one of the IAIS’s key responses to the G20&amp;nbsp;Declaration to strengthen international cooperation among supervisors. The MMoU is a framework for cooperation and the exchange of information and sets minimum standards to which signatories must adhere. With the MMoU in place, insurance supervisors will be better equipped to improve the effectiveness of cross-border supervision of insurance companies. The MMoU will also &lt;IMG style="WIDTH: 100px; HEIGHT: 140px" align=right src="http://blogs.msdn.com/photos/sai_sireesh/images/9888994/secondarythumb.aspx" width=100 height=140 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9888994/secondarythumb.aspx"&gt;contribute to the global effort to ensure that systemically important financial institutions are appropriately regulated. The MMoU has a crucial part to play in this. Each authority applying to be a signatory undergoes a rigorous and independent validation process to ascertain whether the minimum standards of the MMoU are satisfied. Signatories can therefore take comfort that the information they exchange is properly protected.&lt;/P&gt;
&lt;P&gt;• Proceeding with research into the design and practicality of a common assessment framework for insurance group supervision.&lt;/P&gt;
&lt;P&gt;In mid-2009, IAIS announced a long-term vision to adopt and develop a global regulatory insurance standard similar to the EU’s Solvency II. In the EU, the new Solvency II regime, which will become law by 2012, introduces risk-based solvency and economic capital requirements for insurance firms across Europe. The focus is on more risk-sensitive measures to better manage risk exposures. This IAIS proposal has already received support from 17 national supervisors as part of a memorandum of understanding (MOU) that will be validated soon. This MOU will form the basis for consistent coordination and information exchange between insurance supervisors across borders. Albeit not a legally binding obligation, this is a significant step towards a global insurance regulatory framework. A working group has been set up to help explore a regulatory and supervisory framework that will help better manage internationally active insurance groups.&lt;/P&gt;
&lt;P&gt;&lt;IMG style="WIDTH: 160px; HEIGHT: 94px" align=left src="http://blogs.msdn.com/photos/sai_sireesh/images/9843934/secondarythumb.aspx" width=160 height=94 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9843934/secondarythumb.aspx"&gt;The IAIS has committed to ensuring that insurance supervisory tools are continuously improved and kept up-to-date with developments in the global financial environment. At the same time, IAIS is also focusing on reinforcing its standards, in particular through a comprehensive review of the Insurance Core Principles. Let us await more developments, but the road ahead for insurance supervision does look exciting and global and regional insurance with cross- border operations need to keep an eye on this to be prepared in future. &lt;/P&gt;
&lt;P&gt;By the way, for those of you in insurance firms who are interested in participating, you can sign up as observers to the IAIS proceedings. And, the 16th IAIS Annual Conference is to be held on 21-24 October 2009, at Rio de Janeiro, Brazil. &lt;/P&gt;
&lt;P&gt;_________________________________________&lt;/P&gt;
&lt;P&gt;&lt;IMG style="WIDTH: 58px; HEIGHT: 87px" title=Sai alt=Sai align=left src="http://blogs.msdn.com/photos/sai_sireesh/images/9692768/thumb.aspx" width=58 height=87 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9692768/thumb.aspx"&gt;Sai Sireesh is Director of Risk Management &amp;amp; Compliance Strategy &amp;amp; Solutions, Worldwide Financial Services for the Microsoft Corporation.&amp;nbsp; Mr. Sireesh has over 18 years of global experience across Risk and Compliance Consulting, Financial sector Strategy and blueprints execution.&amp;nbsp; He has worked in North America, Australia, Singapore, Malaysia, Philippines, Thailand, Indonesia and India,&amp;nbsp;is a regular contributor to the Journal of Regulation &amp;amp; Risk, and has authored several global research studies and articles. &lt;BR&gt;&lt;/P&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=9885632" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/grc/archive/tags/Risk+/default.aspx">Risk </category><category domain="http://blogs.msdn.com/grc/archive/tags/Regulation/default.aspx">Regulation</category><category domain="http://blogs.msdn.com/grc/archive/tags/regulatory/default.aspx">regulatory</category><category domain="http://blogs.msdn.com/grc/archive/tags/insurance+supervision/default.aspx">insurance supervision</category><category domain="http://blogs.msdn.com/grc/archive/tags/supervisory/default.aspx">supervisory</category><category domain="http://blogs.msdn.com/grc/archive/tags/risk+management/default.aspx">risk management</category><category domain="http://blogs.msdn.com/grc/archive/tags/EU+Solvency+II+Initiative/default.aspx">EU Solvency II Initiative</category><category domain="http://blogs.msdn.com/grc/archive/tags/EU/default.aspx">EU</category><category domain="http://blogs.msdn.com/grc/archive/tags/Sai+Sireesh/default.aspx">Sai Sireesh</category><category 
domain="http://blogs.msdn.com/grc/archive/tags/insurance/default.aspx">insurance</category><category domain="http://blogs.msdn.com/grc/archive/tags/cross-border/default.aspx">cross-border</category><category domain="http://blogs.msdn.com/grc/archive/tags/IAIS/default.aspx">IAIS</category><category domain="http://blogs.msdn.com/grc/archive/tags/International+Association+of+Insurance+Supervisors/default.aspx">International Association of Insurance Supervisors</category><category domain="http://blogs.msdn.com/grc/archive/tags/financial+stability/default.aspx">financial stability</category><category domain="http://blogs.msdn.com/grc/archive/tags/supervisory+colleges/default.aspx">supervisory colleges</category><category domain="http://blogs.msdn.com/grc/archive/tags/Multilateral+Memorandum+of+Understanding/default.aspx">Multilateral Memorandum of Understanding</category><category domain="http://blogs.msdn.com/grc/archive/tags/MMoU/default.aspx">MMoU</category><category domain="http://blogs.msdn.com/grc/archive/tags/Solvency+II/default.aspx">Solvency II</category><category domain="http://blogs.msdn.com/grc/archive/tags/Europe/default.aspx">Europe</category><category domain="http://blogs.msdn.com/grc/archive/tags/Insurance+Core+Principles/default.aspx">Insurance Core Principles</category><category domain="http://blogs.msdn.com/grc/archive/tags/IAIS+Annual+Conference/default.aspx">IAIS Annual Conference</category></item><item><title>Jeff Jinnett:  Adopting an Enterprise-Wide EDRM Platform to Get Electronic Discovery Under Control (Part II)</title><link>http://blogs.msdn.com/grc/archive/2009/08/17/adopting-an-enterprise-wide-edrm-platform-to-get-electronic-discovery-under-control-part-ii.aspx</link><pubDate>Mon, 17 Aug 2009 21:59:00 GMT</pubDate><guid 
isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:9872692</guid><dc:creator>AnnaVAubry</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.msdn.com/grc/comments/9872692.aspx</comments><wfw:commentRss>http://blogs.msdn.com/grc/commentrss.aspx?PostID=9872692</wfw:commentRss><wfw:comment>http://blogs.msdn.com/grc/rsscomments.aspx?PostID=9872692</wfw:comment><description>&lt;P&gt;Our previous posting provided an overview of the typical ediscovery lifecycle and identified the need for an enterprise-wide approach to ediscovery. This posting will explore some of the issues relating to the ediscovery process steps in more detail and describe the characteristics of an enterprise-wide EDRM system for ediscovery. &lt;/P&gt;
&lt;P&gt;&lt;U&gt;&lt;STRONG&gt;Some Issues Relating to Ediscovery Process Steps&lt;/STRONG&gt;&lt;/U&gt;&lt;/P&gt;
&lt;P&gt;&lt;U&gt;Legal Hold Put in Place&lt;/U&gt;: The producing party’s counsel will notify all appropriate company personnel of the existence of the claim, preservation letter and/or document request and advise personnel not to delete, discard or otherwise interfere with the integrity and availability of the requested documents pending&lt;IMG style="WIDTH: 108px; HEIGHT: 140px" align=right src="http://blogs.msdn.com/photos/sai_sireesh/images/9872792/secondarythumb.aspx" width=108 height=140 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9872792/secondarythumb.aspx"&gt; resolution of the claim. This legal hold would override the normal deletion provisions under the company’s retention policy. Failure of the producing party to institute this legal hold after receiving notice of a claim may result in a charge of “spoliation” of evidence. This may lead to a court imposing sanctions on the producing party. &lt;/P&gt;
&lt;P&gt;&lt;U&gt;Prepare for Production:&lt;/U&gt; The counsel and/or paralegals for the producing party typically would identify those documents and records that were responsive to the document request. At this stage the producing party could create a file plan for the documents placed on legal hold and being prepared for possible production. &lt;/P&gt;
&lt;P&gt;&lt;U&gt;Court Proceedings:&lt;/U&gt; U.S. Federal Rules of Civil Procedure (FRCP) Rule 16(c) empowers the court to issue orders controlling and scheduling discovery, including orders affecting disclosures and discovery. This could involve the issuance of protective orders requiring the requesting party to maintain the confidentiality of trade secret documents, barring the production of privileged documents or amending the scope of a document request.&amp;nbsp; At an FRCP Rule 16 pre-trial conference, the court usually would meet with the parties and work out a schedule for production of documents based on a discovery checklist. Also, several federal jurisdictions have promulgated local rules of practice and other guidelines concerning electronic discovery (e.g., D.N.J. Local Rule 26.1(d))[1]. These local rules would supplement the FRCP. &lt;/P&gt;
&lt;P&gt;&lt;U&gt;Review Against Production Response Plan&lt;/U&gt;: Counsel would at this stage review the steps taken to date to ensure that they have been in conformity with the enterprise policies for ediscovery, such as a “Litigation Response Plan[2]”. The Litigation Response Plan acts as a blueprint for the litigation response team and addresses topics such as (a) accounting for archived and non-archived information, all storage locations, backup protocols, and (b) chain of custody issues. &lt;/P&gt;
&lt;P&gt;&lt;U&gt;&lt;IMG style="WIDTH: 104px; HEIGHT: 140px" align=left src="http://blogs.msdn.com/photos/sai_sireesh/images/9877785/secondarythumb.aspx" width=104 height=140 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9877785/secondarythumb.aspx"&gt;Use of Virtual Due Diligence Room&lt;/U&gt;: In cases where the documentation is voluminous, where the documents are widely dispersed geographically, where the documentation is in electronic format or where speed is essential, the parties may opt to use a secure extranet of the producing party whereby the requesting party’s personnel can access the extranet through a “portal” and review the produced documents online. Virtual data rooms are already used extensively for mergers and acquisitions due diligence in the U.S.[3] &lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;U&gt;Characteristics of an Enterprise-Wide EDRM System for EDiscovery&lt;/U&gt;&lt;/STRONG&gt; &lt;/P&gt;
&lt;P&gt;The typical process steps involved in litigation and ediscovery illustrate the need for an enterprise-wide communication and collaboration portal that connects into the enterprise’s document and records management systems. This portal would facilitate the needed information-sharing and decision-making that supports an effective ediscovery program. It also could be utilized for the production of documents to opposing counsel through the use of extranet portals for “virtual discovery rooms”. The ideal enterprise-wide EDRM system would support policy management, providing administrators with the ability to set policies to manage the lifecycle of records from creation to destruction. Policies would also be created to move records from one storage medium to another as they age. This may also be used for technology refresh to ensure that the records are always stored on current media so that they can be retrieved. Mapping this architecture against a process-based view of the company should help the company avoid expensive point solutions and duplication. The achievement of an enterprise-wide EDRM solution also would help the company better understand the true cost of recovering data and records from inaccessible media, so as to allow the company to support a request to the court to shift document production costs to the other party. &lt;/P&gt;
&lt;P&gt;___________________________________________________&lt;/P&gt;
&lt;P&gt;[1] See &lt;A href="http://www.klgates.com/files/upload/eDAT_rules_D_N_J_LCivR26_1.pdf" mce_href="http://www.klgates.com/files/upload/eDAT_rules_D_N_J_LCivR26_1.pdf"&gt;http://www.klgates.com/files/upload/eDAT_rules_D_N_J_LCivR26_1.pdf&lt;/A&gt;. &lt;BR&gt;[2] See, e.g., &lt;A href="http://www.law.com/jsp/legaltechnology/roadmapArticle.jsp?id=1158014995172&amp;amp;hubpage=Identification" mce_href="http://www.law.com/jsp/legaltechnology/roadmapArticle.jsp?id=1158014995172&amp;amp;hubpage=Identification"&gt;http://www.law.com/jsp/legaltechnology/roadmapArticle.jsp?id=1158014995172&amp;amp;hubpage=Identification&lt;/A&gt;&lt;BR&gt;[3] See, e.g., &lt;A href="http://en.wikipedia.org/wiki/Data_room" mce_href="http://en.wikipedia.org/wiki/Data_room"&gt;http://en.wikipedia.org/wiki/Data_room&lt;/A&gt;. &lt;/P&gt;
&lt;P&gt;___________________________________________________&lt;/P&gt;
&lt;P&gt;&lt;IMG style="WIDTH: 100px; HEIGHT: 75px" align=left src="http://blogs.msdn.com/photos/sai_sireesh/images/9692787/thumb.aspx" width=100 height=75 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9692787/thumb.aspx"&gt;Jeff Jinnett is Governance, Risk Management &amp;amp; Compliance Industry Market Development Manager, US Financial Services Group, for Microsoft Corporation.&amp;nbsp; Mr. Jinnett is a former partner of the international law firm of LeBoeuf, Lamb, Greene &amp;amp; MacRae, LLP (now Dewey &amp;amp; LeBoeuf) and has experience in advising Fortune 500 companieis in the financial services industry on the use of technology to support corporate governance, risk management and compliance programs.&amp;nbsp; Mr. Jinnett has testified as an expert before committees of the US Senate on issues relating to the intersectiion of law and technology.&amp;nbsp; He is a member of ARMA (a records and information management professional association) and the Society of Corporate Compliance &amp;amp; Ethics (SSCE).&lt;/P&gt;
&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=9872692" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/grc/archive/tags/FRCP/default.aspx">FRCP</category><category domain="http://blogs.msdn.com/grc/archive/tags/confidentiality/default.aspx">confidentiality</category><category domain="http://blogs.msdn.com/grc/archive/tags/e-discovery/default.aspx">e-discovery</category><category domain="http://blogs.msdn.com/grc/archive/tags/Jeff+Jinnett/default.aspx">Jeff Jinnett</category><category domain="http://blogs.msdn.com/grc/archive/tags/discovery/default.aspx">discovery</category><category domain="http://blogs.msdn.com/grc/archive/tags/EDiscovery/default.aspx">EDiscovery</category><category domain="http://blogs.msdn.com/grc/archive/tags/counsel/default.aspx">counsel</category><category domain="http://blogs.msdn.com/grc/archive/tags/protective+orders/default.aspx">protective orders</category><category domain="http://blogs.msdn.com/grc/archive/tags/preservation+letter/default.aspx">preservation letter</category><category domain="http://blogs.msdn.com/grc/archive/tags/spoliation/default.aspx">spoliation</category><category domain="http://blogs.msdn.com/grc/archive/tags/U.S.+Federal+Rules+of+Civil+Procedure/default.aspx">U.S. Federal Rules of Civil Procedure</category><category domain="http://blogs.msdn.com/grc/archive/tags/FRCP+Rule+16/default.aspx">FRCP Rule 16</category><category domain="http://blogs.msdn.com/grc/archive/tags/trade+secret/default.aspx">trade secret</category><category domain="http://blogs.msdn.com/grc/archive/tags/D.N.J.+Local+Rule+26.1_2800_d_2900_/default.aspx">D.N.J. 
Local Rule 26.1(d)</category><category domain="http://blogs.msdn.com/grc/archive/tags/Litigation+Response+Plan/default.aspx">Litigation Response Plan</category><category domain="http://blogs.msdn.com/grc/archive/tags/secure+extranet/default.aspx">secure extranet</category><category domain="http://blogs.msdn.com/grc/archive/tags/virtual+data+room/default.aspx">virtual data room</category><category domain="http://blogs.msdn.com/grc/archive/tags/virtual+discovery+room/default.aspx">virtual discovery room</category></item><item><title>Jeff Jinnett:  Adopting an Enterprise-Wide EDRM Platform to Get Electronic Discovery Under Control (Part I)</title><link>http://blogs.msdn.com/grc/archive/2009/08/17/adopting-an-enterprise-wide-edrm-platform-to-get-electronic-discovery-under-control-part-i.aspx</link><pubDate>Mon, 17 Aug 2009 21:43:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:9872660</guid><dc:creator>AnnaVAubry</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.msdn.com/grc/comments/9872660.aspx</comments><wfw:commentRss>http://blogs.msdn.com/grc/commentrss.aspx?PostID=9872660</wfw:commentRss><wfw:comment>http://blogs.msdn.com/grc/rsscomments.aspx?PostID=9872660</wfw:comment><description>&lt;P&gt;One of the challenges facing many companies today is how to handle the production of electronic documents in the course of litigation discovery. For companies embroiled in litigation, electronic document records management can be an increasingly daunting and expensive task.[1] It is black letter law that computerized data is discoverable in litigation if relevant, and it has been estimated that more than 93% of all information generated is generated in &lt;IMG style="WIDTH: 142px; HEIGHT: 140px" align=left src="http://blogs.msdn.com/photos/sai_sireesh/images/9834860/secondarythumb.aspx" width=142 height=140 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9834860/secondarythumb.aspx"&gt;digital form.[2] 
Computerized data can reside in a variety of structured and unstructured formats (e.g., email and instant messages) and can be found in both accessible and inaccessible media. The cost of legal discovery can become a major expense if an enterprise-wide electronic documents and records management (EDRM) approach is not taken to the problem. The ideal enterprise-wide EDRM platform for litigation discovery would implement best practice business processes that conform to statutory, regulatory and case law guidelines.&amp;nbsp; It also could be mapped against the business processes of the enterprise, taking into account the process steps of a typical legal discovery lifecycle.&lt;/P&gt;
&lt;P&gt;&lt;U&gt;&lt;STRONG&gt;EDiscovery Lifecycle&lt;/STRONG&gt;&lt;/U&gt;&lt;/P&gt;
&lt;P&gt;There are five distinct processes within the typical Legal Discovery lifecycle:&lt;/P&gt;
&lt;P&gt;1. &lt;U&gt;Analyze Claim&lt;/U&gt; - legal counsel analyzes either an actual claim (e.g., a summons and complaint served on the company) or the facts surrounding a situation that is reasonably likely to result in litigation, thus giving rise to the need to preserve documents for possible future production in a litigation matter. The party intending to raise the claim will (a) determine the scope of the claim, the documents that would be relevant to the disposition of the claim, and the likely media and storage locations of the needed documents, utilizing the services of a forensic expert, if necessary, (b) prepare and send to the other party a complaint, letter or other communication notifying that party of the existence of the claim and requesting the preservation of documents that would be of relevance to the resolution of the claim, and (c) prepare and send a formal document request to the other party. &lt;/P&gt;
&lt;P&gt;2. &lt;U&gt;Review Document Request&lt;/U&gt; - legal counsel and non-legal personnel review a request to produce documents served on the company by the other party to the litigation in order (a) to determine its scope and the types of documents that would be encompassed by the document request, and (b) to determine the necessity of seeking court orders (e.g., protective orders and orders to shift all or part of the cost of production to the requesting party for documents that are not easily accessible). &lt;/P&gt;
&lt;P&gt;3. &lt;U&gt;Put Legal Hold in Place&lt;/U&gt;: legal counsel of the producing party (a) advises relevant company personnel of the existence of a litigation matter and of the necessity to maintain pertinent documents relating to the subject matter of the litigation pending resolution of the litigation, overriding otherwise applicable retention periods, and (b) monitors compliance by company personnel with legal hold restrictions. &lt;/P&gt;
&lt;P&gt;4. &lt;U&gt;Prepare for Document Production&lt;/U&gt;: legal counsel and non-legal personnel (a) identify the types and media locations of documents that would be&lt;IMG style="WIDTH: 146px; HEIGHT: 140px" align=right src="http://blogs.msdn.com/photos/sai_sireesh/images/9728264/secondarythumb.aspx" width=146 height=140 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9728264/secondarythumb.aspx"&gt; responsive to the document request, utilizing the services of experts as needed, (b) eliminate or redact documents and text that are deemed to be exempt from production due to attorney-client privilege or other privileges, (c) map the steps being undertaken against any applicable company production response plan, and (d) undertake any necessary court proceedings (e.g., motions for protective orders). &lt;/P&gt;
&lt;P&gt;5. &lt;U&gt;Produce Documents Pursuant to Document Request&lt;/U&gt;: legal counsel (e.g., paralegals, in-house counsel and associates of outside law firms representing the company) and non-legal personnel of the responding party (a) organize the electronic documents into groups that map against the sections of the relevant document request, (b) separately identify in a response to the document request those portions of the document request that require further explanation (e.g., documents are being produced for only a portion of the time period indicated, or certain documents have been omitted because they are protected by privilege), (c) arrange for supervisory legal counsel to review and authorize the final proposed document production (including proposed redactions and privileged documents), and (d) deliver the electronic documents to the requesting party. Legal counsel for the requesting party (a) reviews the document production in order to determine the adequacy of the production, and (b) initiates court proceedings (e.g., a motion to compel production) if the documents produced are not responsive to the document request. &lt;/P&gt;
&lt;P&gt;Part II of this posting will examine a few issues related to the above five processes and a few key characteristics of an enterprise-wide EDRM platform.&lt;/P&gt;
&lt;P&gt;______________________________________________&lt;/P&gt;
&lt;P&gt;[1] “For some, costs have skyrocketed; one company reported processing and hosting expenditures leaping from under $100,000 three years ago to over $10 million last year.”: see Socha &amp;amp; Gelbman, “EDD Showcase: Strange Times”, located at &lt;A href="http://www.lawtechnews.com/r5/showkiosk.asp?listing_id=3296867"&gt;http://www.lawtechnews.com/r5/showkiosk.asp?listing_id=3296867&lt;/A&gt;. &lt;BR&gt;[2] See “How Much Information”, located at &lt;A href="http://www2.sims.berkeley.edu/research/projects/how-much-info"&gt;http://www2.sims.berkeley.edu/research/projects/how-much-info&lt;/A&gt;.&lt;BR&gt;&amp;nbsp;&lt;BR&gt;______________________________________________&lt;/P&gt;
&lt;P&gt;&lt;IMG style="WIDTH: 100px; HEIGHT: 75px" align=left src="http://blogs.msdn.com/photos/sai_sireesh/images/9692787/thumb.aspx" width=100 height=75 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9692787/thumb.aspx"&gt;Jeff Jinnett is Governance, Risk Management &amp;amp; Compliance Industry Market Development Manager, US Financial Services Group, for Microsoft Corporation.&amp;nbsp; Mr. Jinnett is a former partner of the international law firm of LeBoeuf, Lamb, Greene &amp;amp; MacRae, LLP (now Dewey &amp;amp; LeBoeuf) and has experience in advising Fortune 500 companieis in the financial services industry on the use of technology to support corporate governance, risk management and compliance programs.&amp;nbsp; Mr. Jinnett has testified as an expert before committees of the US Senate on issues relating to the intersectiion of law and technology.&amp;nbsp; He is a member of ARMA (a records and information management professional association) and the Society of Corporate Compliance &amp;amp; Ethics (SSCE).&lt;/P&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=9872660" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/grc/archive/tags/Compliance+/default.aspx">Compliance </category><category domain="http://blogs.msdn.com/grc/archive/tags/e-discovery/default.aspx">e-discovery</category><category domain="http://blogs.msdn.com/grc/archive/tags/Jeff+Jinnett/default.aspx">Jeff Jinnett</category><category domain="http://blogs.msdn.com/grc/archive/tags/EDRM/default.aspx">EDRM</category><category domain="http://blogs.msdn.com/grc/archive/tags/electronic+documents/default.aspx">electronic documents</category><category domain="http://blogs.msdn.com/grc/archive/tags/electronic+discovery/default.aspx">electronic discovery</category><category domain="http://blogs.msdn.com/grc/archive/tags/black+letter+law/default.aspx">black letter law</category><category 
domain="http://blogs.msdn.com/grc/archive/tags/computerized+data/default.aspx">computerized data</category><category domain="http://blogs.msdn.com/grc/archive/tags/enterprise-wide/default.aspx">enterprise-wide</category><category domain="http://blogs.msdn.com/grc/archive/tags/electronic+documents+and+records+management/default.aspx">electronic documents and records management</category><category domain="http://blogs.msdn.com/grc/archive/tags/EDiscovery/default.aspx">EDiscovery</category><category domain="http://blogs.msdn.com/grc/archive/tags/legal/default.aspx">legal</category><category domain="http://blogs.msdn.com/grc/archive/tags/counsel/default.aspx">counsel</category><category domain="http://blogs.msdn.com/grc/archive/tags/court+orders/default.aspx">court orders</category><category domain="http://blogs.msdn.com/grc/archive/tags/protective+orders/default.aspx">protective orders</category><category domain="http://blogs.msdn.com/grc/archive/tags/retention+periods/default.aspx">retention periods</category><category domain="http://blogs.msdn.com/grc/archive/tags/attorney-client+privilege/default.aspx">attorney-client privilege</category><category domain="http://blogs.msdn.com/grc/archive/tags/redactions/default.aspx">redactions</category><category domain="http://blogs.msdn.com/grc/archive/tags/motion+to+compel/default.aspx">motion to compel</category></item><item><title>Sai Sireesh: GRM - Global Risk Management or Government Risk Management?
</title><link>http://blogs.msdn.com/grc/archive/2009/08/05/grm-global-risk-management-or-government-risk-management.aspx</link><pubDate>Thu, 06 Aug 2009 01:33:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:9858475</guid><dc:creator>AnnaVAubry</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.msdn.com/grc/comments/9858475.aspx</comments><wfw:commentRss>http://blogs.msdn.com/grc/commentrss.aspx?PostID=9858475</wfw:commentRss><wfw:comment>http://blogs.msdn.com/grc/rsscomments.aspx?PostID=9858475</wfw:comment><description>&lt;P&gt;The year 2008 was a humbling and significant one for the Investment Banking and Risk Management professions. Many epitaphs will be written for legendary institutions that disappeared overnight, and they will be spoken about for decades to come in terms of the crunching global impact and the associated lessons.&amp;nbsp; About $650bn of sub-prime bonds were outstanding in March 2008, about 75% of them rated triple A at issuance, and banks raised around $600 billion in &lt;IMG style="WIDTH: 126px; HEIGHT: 116px" align=left src="http://blogs.msdn.com/photos/sai_sireesh/images/9843930/secondarythumb.aspx" width=140 height=140 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9843930/secondarythumb.aspx"&gt;2008 worldwide to survive. There is also a global development with wider and longer-term implications for the role of Governments and Sovereign Wealth Funds in the Risk Management ecosystem. &lt;/P&gt;
&lt;P&gt;The ongoing global credit crisis and the systemic risk tsunami are leading to a review and potential overhaul of the regulatory frameworks around the world. Combined with the global&amp;nbsp;and pan-Asian $5 trillion regulatory interventions to help deal with the global economic and financial turmoil, current developments will reshape the financial markets of the future. &lt;/P&gt;
&lt;P&gt;&lt;U&gt;GRM - Global Risk Mgmt or Governments Risk Mgmt with a $5 trillion plus kitty: &lt;BR&gt;&lt;/U&gt;With the US floating the Aggregator bank idea in January 2009, there is a fascinating convergence of free markets and the role of Governments as Risk Managers of last resort. There is an ongoing global risk management effort that, although coordinated in some parts of the world (e.g., G7, EU) and disparate in others, does show signs of an orchestrated and coordinated effort. The different measures listed below are really the tactical components of a broader and longer-term Governments Risk Management effort to rescue firms and economies: &lt;/P&gt;
&lt;P&gt;&lt;IMG style="WIDTH: 160px; HEIGHT: 120px" align=right src="http://blogs.msdn.com/photos/sai_sireesh/images/9814694/secondarythumb.aspx" width=160 height=120 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9814694/secondarythumb.aspx"&gt;1.&amp;nbsp;Unprecedented direct intervention by Government bodies and regulators like FDIC in overnight takeover/shotgun sales of financial institutions &lt;BR&gt;2.&amp;nbsp;Unprecedented but time-bound Government pledges to guarantee all loans and deposits&lt;BR&gt;3.&amp;nbsp;Bailout plans such as US TARP&lt;BR&gt;4.&amp;nbsp;Stimulus packages &lt;BR&gt;5.&amp;nbsp;Benchmark rate cuts&lt;BR&gt;6.&amp;nbsp;Assumption of toxic securities&lt;BR&gt;7.&amp;nbsp;Equity stakes and nationalization in extreme cases &lt;BR&gt;8.&amp;nbsp;Interbank and debt guarantees &lt;BR&gt;9.&amp;nbsp;Recapitalization &lt;BR&gt;10.&amp;nbsp;Asset Restructuring body/Aggregator bank &lt;/P&gt;
&lt;P&gt;Today, it is very rare to hear debates on the role of direct government intervention, even in the strongest bastions of free market economies. In the past there had been very subtle support and interventions by Sovereign Wealth Funds, but never on the current scale.&lt;/P&gt;
&lt;P&gt;Here is a summary of the global risk management efforts of the governments of some of the major developed and emerging economies around the world: &lt;/P&gt;
&lt;P&gt;•&amp;nbsp;&lt;STRONG&gt;USA&lt;/STRONG&gt; - $850bn (6% of GDP) - $700bn TARP; $300bn guarantees, Federal Reserve rate cut to 1%, $1.3 trillion bank lending, $150bn stimulus package&amp;nbsp;($500bn planned by new govt) &lt;BR&gt;•&amp;nbsp;&lt;STRONG&gt;China&lt;/STRONG&gt; - $586bn (16% of GDP) – 2 yr stimulus comprising rural infrastructure, social services, railroads, airports, health, education, housing&amp;nbsp;and more &lt;BR&gt;•&amp;nbsp;&lt;STRONG&gt;UK&lt;/STRONG&gt; - $450bn (21% of GDP) - $311bn to exchange illiquid securities for govt. debt, $116bn to recapitalize, $389bn guaranteed new bank debt, $23bn tax breaks&lt;BR&gt;•&amp;nbsp;&lt;STRONG&gt;Russia&lt;/STRONG&gt; - $209bn (12% of GDP) - $50bn credit line for Corp debt refinance, $88bn bank loans, $19bn stock market support&lt;IMG style="WIDTH: 160px; HEIGHT: 121px" align=right src="http://blogs.msdn.com/photos/sai_sireesh/images/9868774/secondarythumb.aspx" width=160 height=121 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9868774/secondarythumb.aspx"&gt;&lt;BR&gt;•&amp;nbsp;&lt;STRONG&gt;Germany&lt;/STRONG&gt; - $151bn (7% of GDP) - $101bn in new capital, $25bn bad loans cover, $504bn interbank guarantees, $25bn tax breaks&lt;BR&gt;•&amp;nbsp;&lt;STRONG&gt;South Korea&lt;/STRONG&gt; - $80bn (9% of GDP) - $25bn stimulus, $55bn foreign exchange loans for exporters, $100bn guarantees for banks' foreign exchange liquidity &lt;BR&gt;•&amp;nbsp;&lt;STRONG&gt;Japan&lt;/STRONG&gt; - $68bn (1% of GDP) - 2 stimulus packages including tax cuts, tax breaks, credit guarantees, $322bn loan guarantees for small and midsize businesses&lt;BR&gt;•&amp;nbsp;&lt;STRONG&gt;France&lt;/STRONG&gt; - $50bn (2% of GDP) - $13bn to recapitalize ($37bn more pledged), $403bn interbank guarantees&lt;BR&gt;•&amp;nbsp;&lt;STRONG&gt;India&lt;/STRONG&gt; - $41bn (5% of GDP) - $4bn loans to mutual funds, $37bn in bank loans due to reserves rate cuts&lt;/P&gt;
&lt;P&gt;The GRM program around the world is committing around $5 trillion plus, with amounts committed being anywhere from 1% of GDP to a high of 21% of GDP in the UK. Many countries’ GRM initiatives include nationalizing failed financial institutions as well.&amp;nbsp; So GRM is a facet of Risk Management that will remain at the forefront for CROs for years to come. &lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;For me, some of the takeaways from GRM are:&lt;/STRONG&gt;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;STRONG&gt;An additional dimension for CROs to deal with, if their institution is subject to GRM activities &lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Lessons learnt from GRM will feed into a heavier touch for Regulators in industry Risk management&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;The lessons learnt by governments around the world in rescuing “Too big to fail” firms will have an impact on the future viability and ambitions of the “financial supermarts” around the world. &lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;This GRM effort will have far reaching impact on the Risk Management role of governments and implicitly the role of Risk Management in society. &lt;BR&gt;&lt;/STRONG&gt;&lt;/LI&gt;&lt;/OL&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;EM&gt;What do you think? &lt;BR&gt;&lt;/EM&gt;&lt;/STRONG&gt;-----------------------------------------------------------&lt;BR&gt;&lt;IMG style="WIDTH: 58px; HEIGHT: 87px" title=Sai alt=Sai align=left src="http://blogs.msdn.com/photos/sai_sireesh/images/9692768/thumb.aspx" width=58 height=87 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9692768/thumb.aspx"&gt;Sai Sireesh is Director of Risk Management &amp;amp; Compliance Strategy &amp;amp; Solutions, Worldwide Financial Services for the Microsoft Corporation.&amp;nbsp; Mr. Sireesh has over 18 years of global experience across Risk and Compliance Consulting, Financial sector Strategy and blueprints execution.&amp;nbsp; He has worked in North America, Australia, Singapore, Malaysia, Philippines, Thailand, Indonesia and India,&amp;nbsp;is a regular contributor to the Journal of Regulation &amp;amp; Risk, and has authored several global research studies and articles. &lt;/P&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=9858475" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/grc/archive/tags/regulatory/default.aspx">regulatory</category><category domain="http://blogs.msdn.com/grc/archive/tags/tax/default.aspx">tax</category><category domain="http://blogs.msdn.com/grc/archive/tags/Investment+Banking/default.aspx">Investment Banking</category><category domain="http://blogs.msdn.com/grc/archive/tags/sub-prime/default.aspx">sub-prime</category><category domain="http://blogs.msdn.com/grc/archive/tags/global+credit+crisis/default.aspx">global credit crisis</category><category domain="http://blogs.msdn.com/grc/archive/tags/interventions/default.aspx">interventions</category><category domain="http://blogs.msdn.com/grc/archive/tags/risk+management/default.aspx">risk management</category><category domain="http://blogs.msdn.com/grc/archive/tags/TARP/default.aspx">TARP</category><category 
domain="http://blogs.msdn.com/grc/archive/tags/US/default.aspx">US</category><category domain="http://blogs.msdn.com/grc/archive/tags/UK/default.aspx">UK</category><category domain="http://blogs.msdn.com/grc/archive/tags/FDIC/default.aspx">FDIC</category><category domain="http://blogs.msdn.com/grc/archive/tags/Federal+Reserve+Board/default.aspx">Federal Reserve Board</category><category domain="http://blogs.msdn.com/grc/archive/tags/too+big+to+fail/default.aspx">too big to fail</category><category domain="http://blogs.msdn.com/grc/archive/tags/SWF/default.aspx">SWF</category><category domain="http://blogs.msdn.com/grc/archive/tags/Sovereign+Wealth+Funds/default.aspx">Sovereign Wealth Funds</category><category domain="http://blogs.msdn.com/grc/archive/tags/pan+asian/default.aspx">pan asian</category><category domain="http://blogs.msdn.com/grc/archive/tags/aggregator/default.aspx">aggregator</category><category domain="http://blogs.msdn.com/grc/archive/tags/Risk+Managers/default.aspx">Risk Managers</category><category domain="http://blogs.msdn.com/grc/archive/tags/G7/default.aspx">G7</category><category domain="http://blogs.msdn.com/grc/archive/tags/EU/default.aspx">EU</category><category domain="http://blogs.msdn.com/grc/archive/tags/guarantee/default.aspx">guarantee</category><category domain="http://blogs.msdn.com/grc/archive/tags/stimulus+package/default.aspx">stimulus package</category><category domain="http://blogs.msdn.com/grc/archive/tags/benchmark+rates/default.aspx">benchmark rates</category><category domain="http://blogs.msdn.com/grc/archive/tags/toxic+securities/default.aspx">toxic securities</category><category domain="http://blogs.msdn.com/grc/archive/tags/equity/default.aspx">equity</category><category domain="http://blogs.msdn.com/grc/archive/tags/nationalization/default.aspx">nationalization</category><category domain="http://blogs.msdn.com/grc/archive/tags/Interbank/default.aspx">Interbank</category><category 
domain="http://blogs.msdn.com/grc/archive/tags/debt/default.aspx">debt</category><category domain="http://blogs.msdn.com/grc/archive/tags/recapitalization/default.aspx">recapitalization</category><category domain="http://blogs.msdn.com/grc/archive/tags/restructuring/default.aspx">restructuring</category><category domain="http://blogs.msdn.com/grc/archive/tags/free+market+economy/default.aspx">free market economy</category><category domain="http://blogs.msdn.com/grc/archive/tags/China/default.aspx">China</category><category domain="http://blogs.msdn.com/grc/archive/tags/Russia/default.aspx">Russia</category><category domain="http://blogs.msdn.com/grc/archive/tags/Germany/default.aspx">Germany</category><category domain="http://blogs.msdn.com/grc/archive/tags/South+Korea/default.aspx">South Korea</category><category domain="http://blogs.msdn.com/grc/archive/tags/Japan/default.aspx">Japan</category><category domain="http://blogs.msdn.com/grc/archive/tags/France/default.aspx">France</category><category domain="http://blogs.msdn.com/grc/archive/tags/India/default.aspx">India</category><category domain="http://blogs.msdn.com/grc/archive/tags/foreign+exchange/default.aspx">foreign exchange</category><category domain="http://blogs.msdn.com/grc/archive/tags/GDP/default.aspx">GDP</category><category domain="http://blogs.msdn.com/grc/archive/tags/GRM/default.aspx">GRM</category><category domain="http://blogs.msdn.com/grc/archive/tags/CRO/default.aspx">CRO</category><category domain="http://blogs.msdn.com/grc/archive/tags/financial+supermarts/default.aspx">financial supermarts</category><category domain="http://blogs.msdn.com/grc/archive/tags/Sai+Sireesh/default.aspx">Sai Sireesh</category></item><item><title>Jeff Jinnett:  Proposed Financial Services Regulatory Reforms (Part II): Possible Business and IT 
Impacts</title><link>http://blogs.msdn.com/grc/archive/2009/07/31/proposed-financial-services-regulatory-reforms-part-ii-possible-business-and-it-impacts.aspx</link><pubDate>Fri, 31 Jul 2009 22:25:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:9854637</guid><dc:creator>AnnaVAubry</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.msdn.com/grc/comments/9854637.aspx</comments><wfw:commentRss>http://blogs.msdn.com/grc/commentrss.aspx?PostID=9854637</wfw:commentRss><wfw:comment>http://blogs.msdn.com/grc/rsscomments.aspx?PostID=9854637</wfw:comment><description>&lt;P style="LINE-HEIGHT: normal; MARGIN: 0in 0in 0pt" class=MsoNormal&gt;&lt;FONT size=3 face=Calibri&gt;In our last blog posting, we summarized the Obama administration’s proposed financial services industry regulatory reforms, as set forth in its “New Foundation” white paper&lt;/FONT&gt;&lt;A style="mso-footnote-id: ftn1" title=_ftnref1 href="http://null/#_ftn1" name=_ftnref1 mce_href="http://null/#_ftn1"&gt;&lt;SPAN class=MsoFootnoteReference&gt;&lt;SPAN style="mso-special-character: footnote"&gt;&lt;SPAN class=MsoFootnoteReference&gt;&lt;SPAN style="LINE-HEIGHT: 115%; FONT-FAMILY: 'Calibri','sans-serif'; FONT-SIZE: 11pt; mso-fareast-font-family: Calibri; mso-bidi-font-family: 'Times New Roman'; mso-ansi-language: EN-US; mso-fareast-language: EN-US; mso-bidi-language: AR-SA; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin; mso-fareast-theme-font: minor-latin; mso-bidi-theme-font: minor-bidi"&gt;&lt;FONT color=#0000ff&gt;[1]&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;FONT size=3 face=Calibri&gt;. The following are some of the possible business impacts of the changes, if enacted into law:&lt;/FONT&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;
&lt;DIV style="LINE-HEIGHT: normal; MARGIN: 0in 0in 0pt" class=MsoNormal&gt;&lt;FONT size=3 face=Calibri&gt;For hedge funds and private equity funds (and their advisors) required to register with the SEC, this may entail new requirements with respect to record-keeping, disclosures to investors, creditors and counterparties and regulatory reporting&lt;/FONT&gt;&lt;/DIV&gt;&lt;/LI&gt;
&lt;LI&gt;
&lt;DIV style="LINE-HEIGHT: normal; MARGIN: 0in 0in 0pt" class=MsoNormal&gt;&lt;FONT size=3 face=Calibri&gt;Non-banks determined to be Tier 1 FHCs by the Fed may face higher capital, liquidity and risk management mandates and would have limitations placed on their commercial activities – implying an increased role for Chief Risk Officers&lt;/FONT&gt;&lt;/DIV&gt;&lt;/LI&gt;
&lt;LI&gt;
&lt;DIV style="LINE-HEIGHT: normal; MARGIN: 0in 0in 0pt" class=MsoNormal&gt;&lt;FONT size=3 face=Calibri&gt;For Tier 1 FHCs with broker-dealer or insurance subsidiaries, the Fed could impose more stringent prudential requirements on the&lt;IMG style="WIDTH: 152px; HEIGHT: 140px" align=right src="http://blogs.msdn.com/photos/sai_sireesh/images/9834868/secondarythumb.aspx" width=152 height=140 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9834868/secondarythumb.aspx"&gt; subsidiaries than the subsidiaries’ primary regulators – a change from the Gramm-Leach-Bliley Act framework&lt;/FONT&gt;&lt;/DIV&gt;&lt;/LI&gt;
&lt;LI&gt;
&lt;DIV style="LINE-HEIGHT: normal; MARGIN: 0in 0in 0pt" class=MsoNormal&gt;&lt;FONT size=3 face=Calibri&gt;Industrial loan companies, credit card banks, thrift holding companies, trust companies and other “non-bank banks” would be regulated under the Bank Holding Company Act, thus limiting their commercial activities&lt;/FONT&gt;&lt;/DIV&gt;&lt;/LI&gt;
&lt;LI&gt;
&lt;DIV style="LINE-HEIGHT: normal; MARGIN: 0in 0in 0pt" class=MsoNormal&gt;&lt;FONT size=3 face=Calibri&gt;In order to reduce their susceptibility to runs, MMFs might be required to obtain access to reliable emergency liquidity facilities from private sources&lt;/FONT&gt;&lt;/DIV&gt;&lt;/LI&gt;
&lt;LI&gt;
&lt;DIV style="LINE-HEIGHT: normal; MARGIN: 0in 0in 0pt" class=MsoNormal&gt;&lt;FONT size=3 face=Calibri&gt;Legal documentation for securitization transactions could be required to be standardized and transparent&lt;/FONT&gt;&lt;/DIV&gt;&lt;/LI&gt;
&lt;LI&gt;
&lt;DIV style="LINE-HEIGHT: normal; MARGIN: 0in 0in 0pt" class=MsoNormal&gt;&lt;FONT size=3 face=Calibri&gt;Asset backed securities issuers could be required to make ongoing reports to investors and credit rating agencies about loan level data, the nature and extent of broker, originator and sponsor compensation and risk retention for each securitization&lt;/FONT&gt;&lt;/DIV&gt;&lt;/LI&gt;
&lt;LI&gt;
&lt;DIV style="LINE-HEIGHT: normal; MARGIN: 0in 0in 0pt" class=MsoNormal&gt;&lt;FONT size=3 face=Calibri&gt;CCPs clearing standardized OTC derivatives could be required to impose robust margin requirements and other risk controls (e.g., adoption of business conduct standards, increased record-keeping and reporting) and to use transparent electronic trade execution systems&lt;/FONT&gt;&lt;/DIV&gt;&lt;/LI&gt;
&lt;LI&gt;
&lt;DIV style="LINE-HEIGHT: normal; MARGIN: 0in 0in 0pt" class=MsoNormal&gt;&lt;FONT size=3 face=Calibri&gt;The CFPA would be able to restrict or ban mandatory arbitration clauses, possibly resulting in increased litigation in courts&lt;/FONT&gt;&lt;/DIV&gt;&lt;/LI&gt;
&lt;LI&gt;
&lt;DIV style="LINE-HEIGHT: normal; MARGIN: 0in 0in 0pt" class=MsoNormal&gt;&lt;FONT size=3 face=Calibri&gt;CFPA consumer protection rules would not preempt more protective state laws, and national banks could be required to comply with consumer protection laws in all 50 states&lt;/FONT&gt;&lt;/DIV&gt;&lt;/LI&gt;&lt;/UL&gt;
&lt;P style="LINE-HEIGHT: normal; MARGIN: 0in 0in 0pt" class=MsoNormal&gt;&lt;FONT size=3 face=Calibri&gt;The following IT impacts may result from the proposed new regulatory regime: &lt;/FONT&gt;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;
&lt;DIV style="LINE-HEIGHT: normal; MARGIN: 0in 0in 0pt" class=MsoNormal&gt;&lt;FONT size=3 face=Calibri&gt;There may be an increased need for business intelligence applications and tools in order to support new risk analytic and reporting requirements&lt;/FONT&gt;&lt;/DIV&gt;&lt;/LI&gt;
&lt;LI&gt;
&lt;DIV style="LINE-HEIGHT: normal; MARGIN: 0in 0in 0pt" class=MsoNormal&gt;&lt;FONT size=3 face=Calibri&gt;Enterprises might need to improve their document and record management capabilities and move to a standardized, enterprise-wide platform in order to comply with the enhanced record-keeping and reporting requirements&lt;/FONT&gt;&lt;/DIV&gt;&lt;/LI&gt;
&lt;LI&gt;
&lt;DIV style="LINE-HEIGHT: normal; MARGIN: 0in 0in 0pt" class=MsoNormal&gt;&lt;FONT size=3 face=Calibri&gt;Compliance systems may need to become semi-automated or fully automated in certain cases due to shortened reporting periods&lt;/FONT&gt;&lt;/DIV&gt;&lt;/LI&gt;
&lt;LI&gt;
&lt;DIV style="LINE-HEIGHT: normal; MARGIN: 0in 0in 0pt" class=MsoNormal&gt;&lt;FONT size=3 face=Calibri&gt;High performance computing (i.e., parallel computing systems) may need to be utilized to produce risk models and calculations on a timely basis&lt;/FONT&gt;&lt;/DIV&gt;&lt;/LI&gt;
&lt;LI&gt;
&lt;DIV style="LINE-HEIGHT: normal; MARGIN: 0in 0in 0pt" class=MsoNormal&gt;&lt;FONT size=3 face=Calibri&gt;Greater controls over unmanaged end-user computing applications (e.g., spreadsheets, Microsoft Access databases and forms) may become necessary in order to reduce the risk of fraudulent or faulty data being incorporated into financial reports produced for&lt;IMG style="WIDTH: 160px; HEIGHT: 104px" align=right src="http://blogs.msdn.com/photos/sai_sireesh/images/9854672/secondarythumb.aspx" width=160 height=104 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9854672/secondarythumb.aspx"&gt; regulatory filings&lt;/FONT&gt;&lt;/DIV&gt;&lt;/LI&gt;
&lt;LI&gt;
&lt;DIV style="LINE-HEIGHT: normal; MARGIN: 0in 0in 0pt" class=MsoNormal&gt;&lt;FONT size=3 face=Calibri&gt;E-discovery platforms may assume greater importance due to the movement away from arbitration of securities disputes towards more expensive, discovery-intensive litigation in courts&lt;/FONT&gt;&lt;/DIV&gt;&lt;/LI&gt;
&lt;LI&gt;
&lt;DIV style="LINE-HEIGHT: normal; MARGIN: 0in 0in 0pt" class=MsoNormal&gt;&lt;FONT size=3 face=Calibri&gt;XBRL-enabled systems may assume greater importance in order to support SEC filings and standardized securitization documentation&lt;/FONT&gt;&lt;/DIV&gt;&lt;/LI&gt;
&lt;LI&gt;
&lt;DIV style="LINE-HEIGHT: normal; MARGIN: 0in 0in 0pt" class=MsoNormal&gt;&lt;FONT size=3 face=Calibri&gt;Communication and collaboration portals might morph into compliance and risk management portals linked to regulatory databases&lt;/FONT&gt;&lt;/DIV&gt;&lt;/LI&gt;
&lt;LI&gt;
&lt;DIV style="LINE-HEIGHT: normal; MARGIN: 0in 0in 0pt" class=MsoNormal&gt;&lt;FONT size=3 face=Calibri&gt;Insurance companies and other non-bank financial institutions identified as Tier 1 FHCs and coming under supervision by the Fed may begin to adapt compliance, capital, risk and other systems typically utilized by banks for use in their environments&lt;/FONT&gt;&lt;/DIV&gt;&lt;/LI&gt;&lt;/OL&gt;
&lt;P style="MARGIN: 0in 0in 0pt" class=MsoNormal&gt;&lt;FONT size=3 face=Calibri&gt;In light of the complexity of the regulatory changes proposed in the New Foundation White Paper and the significant business and IT impacts of those changes, we plan to make additional postings that examine some of the specific New Foundation proposals, with updates as to what legislation in the U.S. Congress has been introduced to implement the proposals. &lt;/FONT&gt;&lt;/P&gt;
&lt;DIV style="mso-element: footnote-list"&gt;&lt;BR clear=all&gt;&lt;FONT size=3 face=Calibri&gt;
&lt;HR align=left SIZE=1 width="33%"&gt;
&lt;/FONT&gt;
&lt;DIV style="mso-element: footnote" id=ftn1&gt;
&lt;P style="MARGIN: 0in 0in 0pt" class=MsoFootnoteText&gt;&lt;A style="mso-footnote-id: ftn1" title=_ftn1 href="http://null/#_ftnref1" name=_ftn1 mce_href="http://null/#_ftnref1"&gt;&lt;SPAN class=MsoFootnoteReference&gt;&lt;SPAN style="mso-special-character: footnote"&gt;&lt;SPAN class=MsoFootnoteReference&gt;&lt;SPAN style="LINE-HEIGHT: 115%; FONT-FAMILY: 'Calibri','sans-serif'; FONT-SIZE: 10pt; mso-fareast-font-family: Calibri; mso-bidi-font-family: 'Times New Roman'; mso-ansi-language: EN-US; mso-fareast-language: EN-US; mso-bidi-language: AR-SA; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin; mso-fareast-theme-font: minor-latin; mso-bidi-theme-font: minor-bidi"&gt;&lt;FONT color=#0000ff&gt;[1]&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;FONT face=Calibri&gt; See&lt;/FONT&gt;&lt;SPAN style="FONT-FAMILY: 'Times New Roman','serif'; FONT-SIZE: 9pt"&gt; &lt;/SPAN&gt;&lt;A href="http://www.financialstability.gov/docs/regs/FinalReport_web.pdf" mce_href="http://www.financialstability.gov/docs/regs/FinalReport_web.pdf"&gt;&lt;SPAN style="FONT-FAMILY: 'Times New Roman','serif'; FONT-SIZE: 9pt"&gt;&lt;FONT color=#0000ff&gt;http://www.financialstability.gov/docs/regs/FinalReport_web.pdf&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;FONT face=Calibri&gt;. &lt;/FONT&gt;&lt;/P&gt;
&lt;P style="MARGIN: 0in 0in 0pt" class=MsoFootnoteText&gt;&lt;FONT face=Calibri&gt;__________________________________________________&lt;/FONT&gt;&lt;/P&gt;
&lt;P style="MARGIN: 0in 0in 0pt" class=MsoFootnoteText mce_keep="true"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P style="MARGIN: 0in 0in 0pt" class=MsoFootnoteText mce_keep="true"&gt;&lt;IMG style="WIDTH: 100px; HEIGHT: 75px" align=left src="http://blogs.msdn.com/photos/sai_sireesh/images/9692787/thumb.aspx" width=100 height=75 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9692787/thumb.aspx"&gt;Jeff Jinnett is Governance, Risk Management &amp;amp; Compliance Industry Market Development Manager, US Financial Services Group, for Microsoft Corporation.&amp;nbsp; Mr. Jinnett is a former partner of the international law firm of LeBoeuf, Lamb, Greene &amp;amp; MacRae, LLP (now Dewey &amp;amp; LeBoeuf) and has experience in advising Fortune 500 companies in the financial services industry on the use of technology to support corporate governance, risk management and compliance programs.&amp;nbsp; Mr. Jinnett has testified as an expert before committees of the US Senate on issues relating to the intersection of law and technology.&amp;nbsp; He is a member of ARMA (a records and information management professional association) and the Society of Corporate Compliance &amp;amp; Ethics (SCCE).&lt;/P&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=9854637" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/grc/archive/tags/Risk+/default.aspx">Risk </category><category domain="http://blogs.msdn.com/grc/archive/tags/Compliance+/default.aspx">Compliance </category><category domain="http://blogs.msdn.com/grc/archive/tags/regulatory/default.aspx">regulatory</category><category domain="http://blogs.msdn.com/grc/archive/tags/Hedge+Funds/default.aspx">Hedge Funds</category><category domain="http://blogs.msdn.com/grc/archive/tags/Asset+backed+securities/default.aspx">Asset backed securities</category><category domain="http://blogs.msdn.com/grc/archive/tags/OTC/default.aspx">OTC</category><category domain="http://blogs.msdn.com/grc/archive/tags/Derivatives/default.aspx">Derivatives</category><category 
domain="http://blogs.msdn.com/grc/archive/tags/business+intelligence/default.aspx">business intelligence</category><category domain="http://blogs.msdn.com/grc/archive/tags/Obama+Administration/default.aspx">Obama Administration</category><category domain="http://blogs.msdn.com/grc/archive/tags/CFPA/default.aspx">CFPA</category><category domain="http://blogs.msdn.com/grc/archive/tags/Congress/default.aspx">Congress</category><category domain="http://blogs.msdn.com/grc/archive/tags/risk+management/default.aspx">risk management</category><category domain="http://blogs.msdn.com/grc/archive/tags/SEC/default.aspx">SEC</category><category domain="http://blogs.msdn.com/grc/archive/tags/Liquidity+Management/default.aspx">Liquidity Management</category><category domain="http://blogs.msdn.com/grc/archive/tags/Obama/default.aspx">Obama</category><category domain="http://blogs.msdn.com/grc/archive/tags/New+Foundation+White+Paper/default.aspx">New Foundation White Paper</category><category domain="http://blogs.msdn.com/grc/archive/tags/the+Fed/default.aspx">the Fed</category><category domain="http://blogs.msdn.com/grc/archive/tags/Tier+1+FMCs/default.aspx">Tier 1 FMCs</category><category domain="http://blogs.msdn.com/grc/archive/tags/Gramm-Leach-Bliley+Act/default.aspx">Gramm-Leach-Bliley Act</category><category domain="http://blogs.msdn.com/grc/archive/tags/CCPs/default.aspx">CCPs</category><category domain="http://blogs.msdn.com/grc/archive/tags/private+equity+funds/default.aspx">private equity funds</category><category domain="http://blogs.msdn.com/grc/archive/tags/money+market+mutual+funds/default.aspx">money market mutual funds</category><category domain="http://blogs.msdn.com/grc/archive/tags/MMFs/default.aspx">MMFs</category><category domain="http://blogs.msdn.com/grc/archive/tags/regulatory+reporting/default.aspx">regulatory reporting</category><category domain="http://blogs.msdn.com/grc/archive/tags/mandates/default.aspx">mandates</category><category 
domain="http://blogs.msdn.com/grc/archive/tags/Chief+Risk+Officers/default.aspx">Chief Risk Officers</category><category domain="http://blogs.msdn.com/grc/archive/tags/loan/default.aspx">loan</category><category domain="http://blogs.msdn.com/grc/archive/tags/credit+card+banks/default.aspx">credit card banks</category><category domain="http://blogs.msdn.com/grc/archive/tags/thrift+holding+companies/default.aspx">thrift holding companies</category><category domain="http://blogs.msdn.com/grc/archive/tags/trust+companies/default.aspx">trust companies</category><category domain="http://blogs.msdn.com/grc/archive/tags/Bank+Holding+Company+Act/default.aspx">Bank Holding Company Act</category><category domain="http://blogs.msdn.com/grc/archive/tags/credit+rating+agencies/default.aspx">credit rating agencies</category><category domain="http://blogs.msdn.com/grc/archive/tags/mandatory+arbitration/default.aspx">mandatory arbitration</category><category domain="http://blogs.msdn.com/grc/archive/tags/IT/default.aspx">IT</category><category domain="http://blogs.msdn.com/grc/archive/tags/high+performance+computing/default.aspx">high performance computing</category><category domain="http://blogs.msdn.com/grc/archive/tags/e-discovery/default.aspx">e-discovery</category><category domain="http://blogs.msdn.com/grc/archive/tags/arbitration/default.aspx">arbitration</category><category domain="http://blogs.msdn.com/grc/archive/tags/litigation/default.aspx">litigation</category><category domain="http://blogs.msdn.com/grc/archive/tags/XBRL-enabled/default.aspx">XBRL-enabled</category><category domain="http://blogs.msdn.com/grc/archive/tags/legislation/default.aspx">legislation</category><category domain="http://blogs.msdn.com/grc/archive/tags/Jeff+Jinnett/default.aspx">Jeff Jinnett</category></item><item><title>Jeff Jinnett:  Obama Administration Proposed Financial Services Regulatory Reforms (Part 1):  An 
Overview</title><link>http://blogs.msdn.com/grc/archive/2009/07/30/obama-administration-proposed-financial-services-regulatory-reforms-part-1-an-overview.aspx</link><pubDate>Fri, 31 Jul 2009 01:00:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:9853817</guid><dc:creator>AnnaVAubry</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.msdn.com/grc/comments/9853817.aspx</comments><wfw:commentRss>http://blogs.msdn.com/grc/commentrss.aspx?PostID=9853817</wfw:commentRss><wfw:comment>http://blogs.msdn.com/grc/rsscomments.aspx?PostID=9853817</wfw:comment><description>&lt;P&gt;On June 17, 2009, the U.S. Department of the Treasury issued a white paper entitled “Financial Regulatory Reform – A New Foundation: Rebuilding Financial Supervision and Regulation” (the “New Foundation White Paper”).(1)&amp;nbsp; The New Foundation White Paper outlines the Obama administration’s proposals for significant changes in the framework under which financial institutions are regulated by the federal government. The regulatory changes proposed in the New Foundation White Paper map against a few major themes: &lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Centralize regulatory authority and/or harmonize regulation if split between federal agencies&lt;IMG style="WIDTH: 94px; HEIGHT: 103px" align=right src="http://blogs.msdn.com/photos/sai_sireesh/images/9854622/secondarythumb.aspx" width=94 height=140 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9854622/secondarythumb.aspx"&gt;&lt;/STRONG&gt;&lt;/LI&gt;
&lt;UL&gt;
&lt;LI&gt;The Federal Reserve Board (the “Fed”) would become the macro-prudential systemic risk regulator of all large, interconnected financial firms (including banks and non-banks such as investment banks) deemed “too big to fail”, which are identified as “Tier 1 FHCs”; the Fed would have the authority to subject Tier 1 FHCs (including their parent companies and subsidiaries, whether domestic or foreign) to consolidated supervision and regulation&lt;/LI&gt;
&lt;LI&gt;The constraints that the Gramm-Leach-Bliley Act introduced on the Fed’s ability to require reports from, examine or impose higher prudential requirements or more stringent activity restrictions on the depository institution subsidiaries of Financial Holding Companies would be removed&lt;/LI&gt;
&lt;LI&gt;The Fed would be given responsibility and authority to conduct oversight of systemically important payment, clearing and settlement systems (including clearance systems such as DTCC) and activities of financial firms&lt;/LI&gt;
&lt;LI&gt;A resolution regime, based on the current FDIC resolution regime, would be established for bank holding companies and Tier 1 FHCs, under which the Treasury Department would decide whether to have a failing firm taken over, in consultation with the Fed and either the FDIC or the SEC, depending on the type of institution involved&lt;/LI&gt;
&lt;LI&gt;A new National Bank Supervisor would be created to supersede the Office of the Comptroller of the Currency (the “OCC”) and the Office of Thrift Supervision (the “OTS”)&lt;/LI&gt;
&lt;LI&gt;The U.S. Securities and Exchange Commission (the “SEC”) and the Commodity Futures Trading Commission (the “CFTC”) would be required to seek harmonization of their respective regulation of similar financial products&lt;/LI&gt;
&lt;LI&gt;A new Consumer Financial Protection Agency (the “CFPA”) would be charged with protecting consumers from unfair, deceptive and abusive practices in connection with credit, savings, payment, mortgage and other financial products and services, taking over some of the current responsibilities of the Federal Trade Commission (the “FTC”) (e.g., promulgating and interpreting regulations under statutes such as the Truth in Lending Act, the Real Estate Settlement Procedures Act and the Fair Debt Collection Practices Act)&lt;/LI&gt;
&lt;LI&gt;The CFPA would have the authority to intervene in an enforcement action brought by a state agency&lt;/LI&gt;
&lt;LI&gt;The FTC would remain the lead federal consumer protection agency on matters of data security, with privacy protection related to financial issues transferred to the CFPA&lt;/LI&gt;
&lt;LI&gt;A Financial Consumer Coordinating Council would be created to enable the CFPA to coordinate activities with the SEC, the FTC and other state and federal regulators&lt;/LI&gt;
&lt;LI&gt;The Fed would be advised by a new Financial Services Oversight Council (the “FSOC”), comprised of the Secretary of the Treasury, the Chairman of the Board of Governors of the Fed, the Director of the National Bank Supervisor, the Director of the Consumer Financial Protection Agency, the Chairman of the SEC, the Chairman of the CFTC, the Chairman of the FTC and the Director of the Federal Housing Finance Agency&lt;/LI&gt;&lt;/UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Increase regulation over OTC derivatives and similar exotic securities and over advisors of such products&lt;/STRONG&gt;&lt;/LI&gt;
&lt;UL&gt;
&lt;LI&gt;Standardized over-the-counter (OTC) derivatives (including credit default swaps) would be required to be cleared through regulated central counterparties (the “CCPs”) and all derivatives dealers and firms with large OTC exposures would be subject to supervision by the Fed&lt;/LI&gt;
&lt;LI&gt;Advisors to certain hedge funds and private equity funds whose assets under management exceed a specified threshold would be required to register with the SEC and be subject to certain record-keeping and reporting standards&lt;/LI&gt;
&lt;LI&gt;The SEC would strengthen the regulatory framework around money market mutual funds (the “MMFs”) in order to reduce their credit and liquidity risk profiles&lt;/LI&gt;
&lt;LI&gt;The SEC and other agencies would issue regulations enhancing oversight of the securitization markets, strengthening regulation of credit rating agencies, imposing fiduciary duties on broker-dealers providing investment advice about securities to retail investors and requiring that issuers and originators retain a financial interest in securitized loans&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Centralize and strengthen protection of consumers of financial products and services and investors&lt;/STRONG&gt;&lt;/LI&gt;
&lt;UL&gt;
&lt;LI&gt;The SEC would be empowered to require public companies to give shareholders a non-binding vote on a company’s executive pay packages&lt;/LI&gt;
&lt;LI&gt;Fair value (mark to market) accounting rules would be reviewed to improve transparency and accuracy of different types of investments held by financial institutions&lt;/LI&gt;
&lt;LI&gt;Employee-directed workplace retirement plans, such as 401(k) plans, would be governed by the same principles of transparency and accountability that govern investor protection in the retail marketplace&lt;/LI&gt;&lt;/UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Harmonize and coordinate U.S. efforts with international initiatives where possible&lt;IMG style="WIDTH: 140px; HEIGHT: 140px" align=right src="http://blogs.msdn.com/photos/sai_sireesh/images/9854623/secondarythumb.aspx" width=140 height=140 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9854623/secondarythumb.aspx"&gt;&lt;/STRONG&gt;&lt;/LI&gt;
&lt;UL&gt;
&lt;LI&gt;The New Foundation White Paper endorses moving toward an enhanced international capital framework, such as the G-20 “Declaration on Strengthening the Financial System”&lt;/LI&gt;
&lt;LI&gt;An Office of National Insurance (the “ONI”) would be established within the U.S. Treasury Department to negotiate international insurance agreements (e.g., equivalency with the EU Solvency II initiative) and coordinate policy in the insurance sector.(2)&amp;nbsp;&lt;/LI&gt;&lt;/UL&gt;&lt;/UL&gt;
&lt;P&gt;An in-depth analysis of the many complex regulatory changes proposed in the New Foundation White Paper is outside the scope of this posting, and readers are encouraged to review some of the existing law firm and other analyses that are publicly available.(3) These analyses discuss the Obama administration’s proposed regulatory changes in detail. Part II of this posting will analyze possible business and IT impacts of the “New Foundation” proposals, if enacted into law.&lt;/P&gt;
&lt;P&gt;___________________________________&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;See &lt;A href="http://www.financialstability.gov/docs/regs/FinalReport_web.pdf" mce_href="http://www.financialstability.gov/docs/regs/FinalReport_web.pdf"&gt;http://www.financialstability.gov/docs/regs/FinalReport_web.pdf&lt;/A&gt;. &lt;/LI&gt;
&lt;LI&gt;For further information, see Mark Hoffmann, “Obama Administration to Back Office of National Insurance,” located at &lt;A href="http://www.businessinsurance.com/article/20090617/NEWS/906179992" mce_href="http://www.businessinsurance.com/article/20090617/NEWS/906179992"&gt;http://www.businessinsurance.com/article/20090617/NEWS/906179992&lt;/A&gt; and Dewey &amp;amp; LeBoeuf, “Obama Administration Would Create Office of National Insurance But is Unclear on Federal Chartering” (June 17, 2009), located at &lt;A href="http://www.deweyleboeuf.com/en/Ideas/ClientAlerts/2009/06/20090617_ObamaProposalWouldCreateOfficeofNationalInsuranceButisUnclearonFederalCharting.aspx" mce_href="http://www.deweyleboeuf.com/en/Ideas/ClientAlerts/2009/06/20090617_ObamaProposalWouldCreateOfficeofNationalInsuranceButisUnclearonFederalCharting.aspx"&gt;http://www.deweyleboeuf.com/en/Ideas/ClientAlerts/2009/06/20090617_ObamaProposalWouldCreateOfficeofNationalInsuranceButisUnclearonFederalCharting.aspx&lt;/A&gt; &lt;/LI&gt;
&lt;LI&gt;See, e.g., Davis Polk, “A New Foundation for Financial Regulation” (June 22, 2009), located at &lt;A href="http://www.davispolk.com/files/Publication/726890c9-123c-4113-a924-a129bc96fbce/Presentation/PublicationAttachment/d1bbea9e-1369-49a5-838f-c83e8f4fae1b/062209_New_Foundation.pdf" mce_href="http://www.davispolk.com/files/Publication/726890c9-123c-4113-a924-a129bc96fbce/Presentation/PublicationAttachment/d1bbea9e-1369-49a5-838f-c83e8f4fae1b/062209_New_Foundation.pdf"&gt;http://www.davispolk.com/files/Publication/726890c9-123c-4113-a924-a129bc96fbce/Presentation/PublicationAttachment/d1bbea9e-1369-49a5-838f-c83e8f4fae1b/062209_New_Foundation.pdf&lt;/A&gt;; James Hamilton, “The Obama Administration’s Proposal to Reform the U.S. Financial Regulatory System,” Wolters Kluwer Law &amp;amp; Business, located at &lt;A href="http://business.cch.com/securitiesLaw/news/06-18-09a.pdf" mce_href="http://business.cch.com/securitiesLaw/news/06-18-09a.pdf"&gt;http://business.cch.com/securitiesLaw/news/06-18-09a.pdf&lt;/A&gt; and Latham &amp;amp; Watkins, “Obama Administration Releases Financial Regulatory Reform Proposal”, located at &lt;A href="http://www.lw.com/upload/pubContent/_pdf/pub2686_1.pdf" mce_href="http://www.lw.com/upload/pubContent/_pdf/pub2686_1.pdf"&gt;http://www.lw.com/upload/pubContent/_pdf/pub2686_1.pdf&lt;/A&gt;. &lt;/LI&gt;&lt;/OL&gt;
&lt;P&gt;___________________________________&lt;/P&gt;
&lt;P style="TEXT-ALIGN: justify; MARGIN: 0in 0in 0pt" class=MsoNormal&gt;&lt;SPAN style="FONT-FAMILY: 'Calibri','sans-serif'; FONT-SIZE: 11pt; mso-fareast-font-family: 'Times New Roman'; mso-bidi-font-family: 'Times New Roman'; mso-ansi-language: EN-US; mso-fareast-language: EN-US; mso-bidi-language: AR-SA; mso-bidi-font-size: 10.0pt"&gt;&lt;SPAN style="mso-spacerun: yes"&gt;&lt;STRONG&gt;&lt;IMG style="WIDTH: 71px; HEIGHT: 67px" title=Jeff alt=Jeff align=left src="http://blogs.msdn.com/photos/sai_sireesh/images/9692787/thumb.aspx" width=58 height=87 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9692787/thumb.aspx"&gt;&lt;/STRONG&gt;&lt;FONT size=2 face=arial,helvetica,sans-serif&gt;&lt;STRONG&gt;Jeff Jinnett&lt;/STRONG&gt; is Governance, Risk Management &amp;amp; Compliance Industry Market Development Manager, US Financial Services Group, for the Microsoft Corporation.&lt;SPAN style="mso-spacerun: yes"&gt;&amp;nbsp; &lt;/SPAN&gt;Mr. Jinnett is a&amp;nbsp;former partner of the international law firm of LeBoeuf, Lamb, Greene &amp;amp; MacRae, LLP (now Dewey &amp;amp; LeBoeuf) and has experience in advising Fortune 500 companies in the financial services industry on the use of technology to support corporate governance, risk management and compliance programs.&lt;SPAN style="mso-spacerun: yes"&gt;&amp;nbsp; &lt;/SPAN&gt;Mr. 
Jinnett has&amp;nbsp;testified as an expert before committees of the US Senate on issues relating to the intersection of law and technology.&lt;SPAN style="mso-spacerun: yes"&gt;&amp;nbsp; &lt;/SPAN&gt;He is a member of ARMA (a records and information management professional association) and the Society of Corporate Compliance &amp;amp; Ethics (SCCE).&amp;nbsp;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;BR&gt;&amp;nbsp;&lt;/P&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=9853817" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/grc/archive/tags/Hedge+Funds/default.aspx">Hedge Funds</category><category domain="http://blogs.msdn.com/grc/archive/tags/Executive+Pay/default.aspx">Executive Pay</category><category domain="http://blogs.msdn.com/grc/archive/tags/OTC/default.aspx">OTC</category><category domain="http://blogs.msdn.com/grc/archive/tags/Derivatives/default.aspx">Derivatives</category><category domain="http://blogs.msdn.com/grc/archive/tags/Financial+Services+Oversight+Council/default.aspx">Financial Services Oversight Council</category><category domain="http://blogs.msdn.com/grc/archive/tags/Treasury/default.aspx">Treasury</category><category domain="http://blogs.msdn.com/grc/archive/tags/Obama+Administration/default.aspx">Obama Administration</category><category domain="http://blogs.msdn.com/grc/archive/tags/Consumer+Financial+Protection+Agency/default.aspx">Consumer Financial Protection Agency</category><category domain="http://blogs.msdn.com/grc/archive/tags/CFPA/default.aspx">CFPA</category><category domain="http://blogs.msdn.com/grc/archive/tags/US/default.aspx">US</category><category domain="http://blogs.msdn.com/grc/archive/tags/OCC/default.aspx">OCC</category><category domain="http://blogs.msdn.com/grc/archive/tags/FDIC/default.aspx">FDIC</category><category domain="http://blogs.msdn.com/grc/archive/tags/SEC/default.aspx">SEC</category><category 
domain="http://blogs.msdn.com/grc/archive/tags/Obama/default.aspx">Obama</category><category domain="http://blogs.msdn.com/grc/archive/tags/Department+of+the+Treasury/default.aspx">Department of the Treasury</category><category domain="http://blogs.msdn.com/grc/archive/tags/New+Foundation+White+Paper/default.aspx">New Foundation White Paper</category><category domain="http://blogs.msdn.com/grc/archive/tags/Federal+Reserve+Board/default.aspx">Federal Reserve Board</category><category domain="http://blogs.msdn.com/grc/archive/tags/the+Fed/default.aspx">the Fed</category><category domain="http://blogs.msdn.com/grc/archive/tags/too+big+to+fail/default.aspx">too big to fail</category><category domain="http://blogs.msdn.com/grc/archive/tags/Tier+1+FMCs/default.aspx">Tier 1 FMCs</category><category domain="http://blogs.msdn.com/grc/archive/tags/Gramm-Leach-Bliley+Act/default.aspx">Gramm-Leach-Bliley Act</category><category domain="http://blogs.msdn.com/grc/archive/tags/DTCC/default.aspx">DTCC</category><category domain="http://blogs.msdn.com/grc/archive/tags/National+Bank+Supervisor/default.aspx">National Bank Supervisor</category><category domain="http://blogs.msdn.com/grc/archive/tags/Office+of+Thrift+Supervision/default.aspx">Office of Thrift Supervision</category><category domain="http://blogs.msdn.com/grc/archive/tags/OTS/default.aspx">OTS</category><category domain="http://blogs.msdn.com/grc/archive/tags/Office+of+the+Comptroller+of+the+Currency/default.aspx">Office of the Comptroller of the Currency</category><category domain="http://blogs.msdn.com/grc/archive/tags/Securities+and+Exchange+Commission/default.aspx">Securities and Exchange Commission</category><category domain="http://blogs.msdn.com/grc/archive/tags/Commodities+Futures+Trading+Commission/default.aspx">Commodities Futures Trading Commission</category><category domain="http://blogs.msdn.com/grc/archive/tags/CFTC/default.aspx">CFTC</category><category 
domain="http://blogs.msdn.com/grc/archive/tags/Truth+in+Lending+Act/default.aspx">Truth in Lending Act</category><category domain="http://blogs.msdn.com/grc/archive/tags/Real+Estate+Settlement+and+Procedures+Act/default.aspx">Real Estate Settlement and Procedures Act</category><category domain="http://blogs.msdn.com/grc/archive/tags/Fair+Debt+Collection+Practices+Act/default.aspx">Fair Debt Collection Practices Act</category><category domain="http://blogs.msdn.com/grc/archive/tags/Financial+Consumer+Coordinating+Council/default.aspx">Financial Consumer Coordinating Council</category><category domain="http://blogs.msdn.com/grc/archive/tags/FSOC/default.aspx">FSOC</category><category domain="http://blogs.msdn.com/grc/archive/tags/securities/default.aspx">securities</category><category domain="http://blogs.msdn.com/grc/archive/tags/over-the-counter/default.aspx">over-the-counter</category><category domain="http://blogs.msdn.com/grc/archive/tags/credit+default+swap/default.aspx">credit default swap</category><category domain="http://blogs.msdn.com/grc/archive/tags/central+counterparties/default.aspx">central counterparties</category><category domain="http://blogs.msdn.com/grc/archive/tags/CCPs/default.aspx">CCPs</category><category domain="http://blogs.msdn.com/grc/archive/tags/private+equity+funds/default.aspx">private equity funds</category><category domain="http://blogs.msdn.com/grc/archive/tags/money+market+mutual+funds/default.aspx">money market mutual funds</category><category domain="http://blogs.msdn.com/grc/archive/tags/MMFs/default.aspx">MMFs</category><category domain="http://blogs.msdn.com/grc/archive/tags/fair+value/default.aspx">fair value</category><category domain="http://blogs.msdn.com/grc/archive/tags/mark+to+market/default.aspx">mark to market</category><category domain="http://blogs.msdn.com/grc/archive/tags/retirement+plan/default.aspx">retirement plan</category><category 
domain="http://blogs.msdn.com/grc/archive/tags/401_2800_k_2900_/default.aspx">401(k)</category><category domain="http://blogs.msdn.com/grc/archive/tags/Declaration+on+Strengthening+the+Financial+System/default.aspx">Declaration on Strengthening the Financial System</category><category domain="http://blogs.msdn.com/grc/archive/tags/G-20/default.aspx">G-20</category><category domain="http://blogs.msdn.com/grc/archive/tags/Office+of+National+Insurance/default.aspx">Office of National Insurance</category><category domain="http://blogs.msdn.com/grc/archive/tags/ONI/default.aspx">ONI</category><category domain="http://blogs.msdn.com/grc/archive/tags/EU+Solvency+II+Initiative/default.aspx">EU Solvency II Initiative</category><category domain="http://blogs.msdn.com/grc/archive/tags/Jeff+Jinnett/default.aspx">Jeff Jinnett</category></item><item><title>Sai Sireesh:  Regulatory Oversight &amp; Risk Management of the Future</title><link>http://blogs.msdn.com/grc/archive/2009/07/21/regulatory-oversight-risk-management-of-the-future.aspx</link><pubDate>Tue, 21 Jul 2009 22:28:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:9843739</guid><dc:creator>AnnaVAubry</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.msdn.com/grc/comments/9843739.aspx</comments><wfw:commentRss>http://blogs.msdn.com/grc/commentrss.aspx?PostID=9843739</wfw:commentRss><wfw:comment>http://blogs.msdn.com/grc/rsscomments.aspx?PostID=9843739</wfw:comment><description>&lt;P&gt;The year 2008 was a humbling and significant one for the Investment Banking and Risk Management professions.
Many epitaphs will be written for legendary institutions that disappeared overnight; they will be spoken about for decades to come in terms of the crunching global impact and the associated lessons.&amp;nbsp; About $650bn of sub-prime bonds were outstanding in March 2008, about 75% of them rated triple A at issuance, and banks raised around $600 billion worldwide in 2008 to survive. The ongoing global credit crisis and the systemic risk tsunami are leading to a review and potential overhaul of the regulatory&lt;IMG style="WIDTH: 176px; HEIGHT: 156px" align=right src="http://blogs.msdn.com/photos/sai_sireesh/images/9843924/500x335.aspx" width=500 height=335 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9843924/500x335.aspx"&gt; frameworks around the world. Combined with the global &amp;amp; pan-Asian $5 trillion in regulatory interventions to help deal with the global economic and financial turmoil, current developments will reshape the financial markets of the future. It remains to be seen if the pendulum will swing from the much-touted Supervisory mode back to Regulation mode. It’s a tough choice between light touch and heavy-handedness. This article highlights some of the trends that I observe around the world in regulatory oversight and their possible impact on risk management principles. &lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Regulation vs. Supervision&lt;/STRONG&gt; - In the US, the US Treasury’s mandated executive pay ceiling of 500,000 for institutions receiving exceptional TARP funds is an indicator that Regulation is back in full force, for some time at least. At the US Senate hearings this week, some of the captains of the financial sector were themselves advocating stronger regulation. &lt;/P&gt;
&lt;P&gt;The UK’s FSA has long been considered to be at the forefront of new thinking on regulatory frameworks and prudential policies, but with a market-friendly intent. It has been well known for its advocacy of a “light touch” supervision approach as opposed to a regulation approach. But in the last few months the FSA has tightened its regulatory touch, and now requires some of the UK’s largest financial institutions to provide it with weekly disclosures on risk and performance, versus the earlier monthly or quarterly requirement. Each supervisor and regulator is scrambling to enhance its supervisory staff strength and capabilities, which has always been a challenge. Bigger fines and an active role in executive hiring are some of the other facets one sees. &lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Super Regulator&lt;/STRONG&gt; - Many are talking of the need for a “Super Regulator”, something that the UK FSA, Singapore MAS and Australia’s APRA (Australian Prudential and Regulatory Authority) have been experimenting with for a while now. It will be interesting to see if the USA will follow the route of a federal “Super Regulator” that combines and perhaps even supersedes the siloed functions of the OCC, FDIC, SEC, US Treasury, and a host of other state-level regulators. In Australia, APRA adopts a twin peaks model, with regulation split into prudential (traditional) oversight and market behavior, the latter focused on business conduct and investor protection.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Stress Testing&lt;/STRONG&gt; – There is a lot of focus on deeper and industry-wide Stress Testing. I remember my time in Singapore &amp;amp; Malaysia during the 1997 Asian currency crisis, when some of the supervision departments in Asia (Bank Negara (Malaysia), MAS, Bank of Thailand, Reserve Bank of India) started exploring projects to model industry-wide risk in order to simulate scenarios and their system-wide impact. I believe this is something that needs to be revisited today in the broader context of global systemic risk &amp;amp; the strong links across global financial services. &lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Liquidity Management&lt;/STRONG&gt; - There is a focus on the organizational-level liquidity management function and on liquidity across the value chain, especially given the many global cases where the traditional principle of the central bank discount borrowing window as lender of last resort for a short-term liquidity shortfall has failed. This will be a &lt;IMG style="WIDTH: 160px; HEIGHT: 146px" align=right src="http://blogs.msdn.com/photos/sai_sireesh/images/9843952/425x284.aspx" width=425 height=284 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9843952/425x284.aspx"&gt;&amp;nbsp;key pillar of the supervisors’ rating frameworks in their onsite and offsite assessments. Some of the broad thinking is to embed an organization’s preparedness to tap short-term liquidity into extra capital. Does this mean more focus on CFAR vs. VAR? &lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Traditional Measures of Bank Capital Requirements&lt;/STRONG&gt; - There is harsh scrutiny of the traditional measures of a bank’s financial viability. For example, right before my eyes in Seattle, Washington Mutual, with a Tier 1 capital ratio of 8.4%, crumbled like a pack of cards, with liquidity issues, deposit runs and a free-falling stock price, before being dramatically taken over by the FDIC overnight and sold to JP Morgan Chase. Similarly, Wachovia, which was sold to Wells Fargo, had a 3rd quarter Tier 1 ratio of 7.49%, and National City Corp. had a Tier 1 capital ratio of 11%. All of these were above the US 6% threshold for being well capitalized. Spain has a model wherein its banks need to increase their capital chests during good cycles, as a buffer against bad cycles, something that the FSA and a few other regulators are exploring. &lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Remuneration tied to Risk taken&lt;/STRONG&gt; - One of the interesting comments made by the Morgan Stanley Chairman during this week’s Senate hearings was around call-back, or was it claw-back? Those of us who have been in sales functions understand claw-back quite well, i.e. the need to pay back bonuses, commissions etc. on a deal that backfires. Morgan Stanley has a policy (not sure if existing or new) that requires the return of bonus/remuneration, even after leaving the firm, if some core guiding principles are violated. I also see a lot of chatter around remuneration tied to the amount of risk taken in the transaction. It will be interesting to see how far this really goes.&lt;/P&gt;
&lt;P&gt;So let us pay close attention, as the currently evolving trends and developments are going to reshape the financial sector with an impact that will be felt for decades to come. &lt;/P&gt;
&lt;P&gt;---------------------------&lt;/P&gt;
&lt;P&gt;References/Sources: &lt;EM&gt;Dow Jones Financial News&lt;/EM&gt;, Issue 635, A Year in Numbers; &lt;EM&gt;Business Week&lt;/EM&gt;, Dec 1 2008 (Peter Coy, Enough Shock Treatment); FSA, The Financial Crisis and Future of Financial Regulation, The Economist’s Inaugural City Lecture; &lt;EM&gt;Wall Street Journal&lt;/EM&gt;, Alistair Macdonald, Jan 2009; &lt;EM&gt;APRA Website &amp;amp; Consultation Papers&lt;/EM&gt;; &lt;EM&gt;MAS Website &amp;amp; Consultation Papers&lt;/EM&gt;. &lt;/P&gt;
&lt;P&gt;--------------------------&lt;BR&gt;&lt;/P&gt;
&lt;P&gt;&lt;IMG style="WIDTH: 58px; HEIGHT: 87px" title=Sai alt=Sai align=left src="http://blogs.msdn.com/photos/sai_sireesh/images/9692768/thumb.aspx" width=58 height=87 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9692768/thumb.aspx"&gt;Sai Sireesh is Director of Risk Management &amp;amp; Compliance Strategy &amp;amp; Solutions, Worldwide Financial Services for the Microsoft Corporation.&amp;nbsp; Mr. Sireesh has over 18 years of global experience across Risk and Compliance Consulting, Financial sector Strategy and blueprints execution.&amp;nbsp; He has worked in North America, Australia, Singapore, Malaysia, Philippines, Thailand, Indonesia and India,&amp;nbsp;is a regular contributor to the Journal of Regulation &amp;amp; Risk, and has authored several global research studies and articles. &lt;/P&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=9843739" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/grc/archive/tags/Risk+/default.aspx">Risk </category><category domain="http://blogs.msdn.com/grc/archive/tags/FSA/default.aspx">FSA</category><category domain="http://blogs.msdn.com/grc/archive/tags/regulatory/default.aspx">regulatory</category><category domain="http://blogs.msdn.com/grc/archive/tags/Regulatory+Risk+Management/default.aspx">Regulatory Risk Management</category><category domain="http://blogs.msdn.com/grc/archive/tags/Treasury/default.aspx">Treasury</category><category domain="http://blogs.msdn.com/grc/archive/tags/oversight/default.aspx">oversight</category><category domain="http://blogs.msdn.com/grc/archive/tags/Investment+Banking/default.aspx">Investment Banking</category><category domain="http://blogs.msdn.com/grc/archive/tags/sub-prime/default.aspx">sub-prime</category><category domain="http://blogs.msdn.com/grc/archive/tags/bonds/default.aspx">bonds</category><category domain="http://blogs.msdn.com/grc/archive/tags/global+credit+crisis/default.aspx">global credit crisis</category><category 
domain="http://blogs.msdn.com/grc/archive/tags/interventions/default.aspx">interventions</category><category domain="http://blogs.msdn.com/grc/archive/tags/supervisory/default.aspx">supervisory</category><category domain="http://blogs.msdn.com/grc/archive/tags/risk+management/default.aspx">risk management</category><category domain="http://blogs.msdn.com/grc/archive/tags/supervision/default.aspx">supervision</category><category domain="http://blogs.msdn.com/grc/archive/tags/TARP/default.aspx">TARP</category><category domain="http://blogs.msdn.com/grc/archive/tags/US/default.aspx">US</category><category domain="http://blogs.msdn.com/grc/archive/tags/UK/default.aspx">UK</category><category domain="http://blogs.msdn.com/grc/archive/tags/Super+Regulator/default.aspx">Super Regulator</category><category domain="http://blogs.msdn.com/grc/archive/tags/Singapore/default.aspx">Singapore</category><category domain="http://blogs.msdn.com/grc/archive/tags/MAS/default.aspx">MAS</category><category domain="http://blogs.msdn.com/grc/archive/tags/Australia/default.aspx">Australia</category><category domain="http://blogs.msdn.com/grc/archive/tags/APRA/default.aspx">APRA</category><category domain="http://blogs.msdn.com/grc/archive/tags/Australian+Prudential+and+Regulatory+Authority/default.aspx">Australian Prudential and Regulatory Authority</category><category domain="http://blogs.msdn.com/grc/archive/tags/OCC/default.aspx">OCC</category><category domain="http://blogs.msdn.com/grc/archive/tags/FDIC/default.aspx">FDIC</category><category domain="http://blogs.msdn.com/grc/archive/tags/SEC/default.aspx">SEC</category><category domain="http://blogs.msdn.com/grc/archive/tags/Stress+Testing/default.aspx">Stress Testing</category><category domain="http://blogs.msdn.com/grc/archive/tags/Asia/default.aspx">Asia</category><category domain="http://blogs.msdn.com/grc/archive/tags/Bank+Negara/default.aspx">Bank Negara</category><category 
domain="http://blogs.msdn.com/grc/archive/tags/Malayasia/default.aspx">Malayasia</category><category domain="http://blogs.msdn.com/grc/archive/tags/Bank+of+Thailand/default.aspx">Bank of Thailand</category><category domain="http://blogs.msdn.com/grc/archive/tags/Reserve+Bank+of+India/default.aspx">Reserve Bank of India</category><category domain="http://blogs.msdn.com/grc/archive/tags/Liquidity+Management/default.aspx">Liquidity Management</category><category domain="http://blogs.msdn.com/grc/archive/tags/Central+Bank+Discount/default.aspx">Central Bank Discount</category><category domain="http://blogs.msdn.com/grc/archive/tags/CFAR/default.aspx">CFAR</category><category domain="http://blogs.msdn.com/grc/archive/tags/VAR/default.aspx">VAR</category><category domain="http://blogs.msdn.com/grc/archive/tags/Bank+Capital+Requirements/default.aspx">Bank Capital Requirements</category><category domain="http://blogs.msdn.com/grc/archive/tags/Washington+Mutual/default.aspx">Washington Mutual</category><category domain="http://blogs.msdn.com/grc/archive/tags/JP+Morgan+Chase/default.aspx">JP Morgan Chase</category><category domain="http://blogs.msdn.com/grc/archive/tags/Wachovia/default.aspx">Wachovia</category><category domain="http://blogs.msdn.com/grc/archive/tags/Wells+Fargo/default.aspx">Wells Fargo</category><category domain="http://blogs.msdn.com/grc/archive/tags/National+City+Corp/default.aspx">National City Corp</category><category domain="http://blogs.msdn.com/grc/archive/tags/capital+ratio/default.aspx">capital ratio</category><category domain="http://blogs.msdn.com/grc/archive/tags/Spain/default.aspx">Spain</category><category domain="http://blogs.msdn.com/grc/archive/tags/Morgan+Stanley/default.aspx">Morgan Stanley</category><category domain="http://blogs.msdn.com/grc/archive/tags/Call+back/default.aspx">Call back</category><category domain="http://blogs.msdn.com/grc/archive/tags/bonus/default.aspx">bonus</category><category 
domain="http://blogs.msdn.com/grc/archive/tags/remuneration/default.aspx">remuneration</category><category domain="http://blogs.msdn.com/grc/archive/tags/Sai+Sireesh/default.aspx">Sai Sireesh</category></item><item><title>Jeff Jinnett:  IT Approaches to State Law Preemption Under the Proposed Consumer Financial Protection Agency </title><link>http://blogs.msdn.com/grc/archive/2009/07/16/it-approaches-to-state-law-preemption-under-the-proposed-consumer-financial-protection-agency.aspx</link><pubDate>Thu, 16 Jul 2009 02:07:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:9834800</guid><dc:creator>AnnaVAubry</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.msdn.com/grc/comments/9834800.aspx</comments><wfw:commentRss>http://blogs.msdn.com/grc/commentrss.aspx?PostID=9834800</wfw:commentRss><wfw:comment>http://blogs.msdn.com/grc/rsscomments.aspx?PostID=9834800</wfw:comment><description>&lt;P&gt;On June 17, 2009, the U.S. Department of the Treasury issued a white paper entitled “Financial Regulatory Reform – A New Foundation: Rebuilding Financial Supervision and Regulation”(1).&amp;nbsp; This document sets forth the vision of the Obama administration for a new federal regulatory regime for the U.S. financial services industry. One proposed change is to create a new Consumer Financial Protection Agency (CFPA) with broad jurisdiction to protect consumers of financial products and services such as credit, savings and payment products (including mortgages).&amp;nbsp; On June 30, 2009, the Treasury Department submitted a bill to the U.S. Congress to create the CFPA, substantially as proposed in the “New Foundation” white paper(2).&amp;nbsp; Notable is that the CFPA’s rules would serve as a “floor” and not as a ceiling(3). 
Each of the states would have the ability to adopt and enforce stricter laws for institutions of all&lt;IMG style="WIDTH: 141px; HEIGHT: 142px" align=right src="http://blogs.msdn.com/photos/sai_sireesh/images/9834875/thumb.aspx" width=94 height=87 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9834875/thumb.aspx"&gt; types, regardless of charter.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;In light of the broad mandate of the proposed CFPA, if the CFPA is created by the U.S. Congress, financial institutions will need to develop an approach that permits them to quickly identify (a) which CFPA rules govern their activities, and (b) which state rules are either (i) preempted by the CFPA rules, or (ii) not preempted because they provide greater consumer protection than the CFPA rules.&amp;nbsp; Fortunately, there are precedents to guide companies in navigating this minefield. For example, under Section 1178 of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the requirements of HIPAA supersede any contrary provision of state law, with three exceptions, one of which is where the state privacy law is deemed “more stringent” than HIPAA in protecting “individually identifiable health information”(4).&amp;nbsp;&amp;nbsp;HIPAA therefore adopts a “floor” preemption approach similar to the “floor” approach adopted in the CFPA bill. In order to identify those state privacy laws that were “more stringent” than HIPAA (and the HIPAA Privacy Rule(5) adopted by the U.S. Department of Health &amp;amp; Human Services pursuant to HIPAA), some organizations conducted reviews of the various state medical privacy laws and published the results in chart form(6). As an example of using technology to streamline legal reviews, the BlueCross BlueShield Association retained a law firm to develop a database of the state laws not preempted for ease of use(7).&amp;nbsp; It is possible that a similar database of state laws not preempted by CFPA rules might prove similarly useful.&lt;/P&gt;
&lt;P&gt;Although the HIPAA preemption databases generally were simple query databases, it might be advisable for a CFPA preemption database to be semi-&lt;IMG style="WIDTH: 140px; HEIGHT: 136px" align=left src="http://blogs.msdn.com/photos/sai_sireesh/images/9834866/thumb.aspx" width=85 height=87 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9834866/thumb.aspx"&gt;automated in order to permit users to quickly query the database and apply the result to transactions that need to be completed in real-time.&amp;nbsp; Semi-automated compliance rules engines and databases are often difficult and daunting to develop,&amp;nbsp; but have been successfully utilized in certain areas.&amp;nbsp; Compliance rules engines have been fairly successful in the area of tax calculations (e.g., in the calculation of sales taxes using automated systems as part of the multi-state Streamlined Sales Tax Project)(8).&amp;nbsp; Other successful efforts to utilize technology to semi-automate compliance and legal processes include the projects currently being undertaken by the Stanford University Center for Computers and Law (CodeX)(9).&amp;nbsp; It remains to be seen how financial institutions will seek to adapt to new CFPA rules and whether they (a) will follow the example of the healthcare industry by developing regulatory databases in simple query format or (b) develop more sophisticated, semi-automated compliance databases comparable to what has been developed as part of the Streamlined Sales Tax Project and by the Stanford Center for Computers and Law.&amp;nbsp; &lt;BR&gt;___________________________&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;
&lt;DIV style="MARGIN: 0in 0in 0pt" class=MsoNormal&gt;See &lt;A href="http://www.financialstability.gov/docs/regs/FinalReport_web.pdf" mce_href="http://www.financialstability.gov/docs/regs/FinalReport_web.pdf"&gt;http://www.financialstability.gov/docs/regs/FinalReport_web.pdf&lt;/A&gt;.&lt;/DIV&gt;&lt;/LI&gt;
&lt;LI&gt;
&lt;DIV style="MARGIN: 0in 0in 0pt" class=MsoNormal&gt;See &lt;A href="http://www.financialstability.gov/docs/CFPA-Act.pdf" mce_href="http://www.financialstability.gov/docs/CFPA-Act.pdf"&gt;http://www.financialstability.gov/docs/CFPA-Act.pdf&lt;/A&gt;.&amp;nbsp;&lt;/DIV&gt;&lt;/LI&gt;
&lt;LI&gt;
&lt;DIV style="MARGIN: 0in 0in 0pt" class=MsoNormal&gt;See, e.g., Section 5136C(c)(2) of the CFPA Bill and page 14 of the “New Foundation” white paper.&amp;nbsp;&lt;/DIV&gt;&lt;/LI&gt;
&lt;LI&gt;
&lt;DIV style="MARGIN: 0in 0in 0pt" class=MsoNormal&gt;See, generally, WEDI/SNIP Security and Privacy Workgroup, “Preemption White Paper”, located at &lt;A href="http://www.wedi.org/snip/public/articles/protreguser/index.cfm?pdfid=76&amp;amp;ID=33" mce_href="http://www.wedi.org/snip/public/articles/protreguser/index.cfm?pdfid=76&amp;amp;ID=33"&gt;http://www.wedi.org/snip/public/articles/protreguser/index.cfm?pdfid=76&amp;amp;ID=33&lt;/A&gt;.&amp;nbsp;&lt;/DIV&gt;&lt;/LI&gt;
&lt;LI&gt;
&lt;DIV style="MARGIN: 0in 0in 0pt" class=MsoNormal&gt;See &lt;A href="http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html" mce_href="http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html"&gt;http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html&lt;/A&gt;.&amp;nbsp;&lt;/DIV&gt;&lt;/LI&gt;
&lt;LI&gt;
&lt;DIV style="MARGIN: 0in 0in 0pt" class=MsoNormal&gt;See, e.g., &lt;A href="http://www.health.state.ny.us/nysdoh/hipaa/hipaa_preemption_charts.htm" mce_href="http://www.health.state.ny.us/nysdoh/hipaa/hipaa_preemption_charts.htm"&gt;http://www.health.state.ny.us/nysdoh/hipaa/hipaa_preemption_charts.htm&lt;/A&gt;.&amp;nbsp;&lt;/DIV&gt;&lt;/LI&gt;
&lt;LI&gt;
&lt;DIV style="MARGIN: 0in 0in 0pt" class=MsoNormal&gt;See, e.g., &lt;A href="http://www.aad.org/pm/compliance/hipaa/statelaw.html" mce_href="http://www.aad.org/pm/compliance/hipaa/statelaw.html"&gt;http://www.aad.org/pm/compliance/hipaa/statelaw.html&lt;/A&gt;.&amp;nbsp;&lt;/DIV&gt;&lt;/LI&gt;
&lt;LI&gt;
&lt;DIV style="MARGIN: 0in 0in 0pt" class=MsoNormal&gt;See &lt;A href="http://www.streamlinedsalestax.org/certified%20service%20provider.htm" mce_href="http://www.streamlinedsalestax.org/certified%20service%20provider.htm"&gt;http://www.streamlinedsalestax.org/certified%20service%20provider.htm&lt;/A&gt;.&amp;nbsp;&lt;/DIV&gt;&lt;/LI&gt;
&lt;LI&gt;
&lt;DIV style="MARGIN: 0in 0in 0pt" class=MsoNormal&gt;See &lt;A href="http://www.law.stanford.edu/program/centers/codex/#projects" mce_href="http://www.law.stanford.edu/program/centers/codex/#projects"&gt;http://www.law.stanford.edu/program/centers/codex/#projects&lt;/A&gt;.&lt;/DIV&gt;&lt;/LI&gt;&lt;/OL&gt;
&lt;P style="MARGIN: 0in 0in 0pt" class=MsoNormal&gt;____________________________&lt;/P&gt;
&lt;P style="TEXT-ALIGN: justify; MARGIN: 0in 0in 0pt" class=MsoNormal&gt;&lt;SPAN style="FONT-FAMILY: 'Calibri','sans-serif'; FONT-SIZE: 11pt; mso-fareast-font-family: 'Times New Roman'; mso-bidi-font-family: 'Times New Roman'; mso-ansi-language: EN-US; mso-fareast-language: EN-US; mso-bidi-language: AR-SA; mso-bidi-font-size: 10.0pt"&gt;&lt;SPAN style="mso-spacerun: yes"&gt;&lt;STRONG&gt;&lt;IMG style="WIDTH: 71px; HEIGHT: 67px" title=Jeff alt=Jeff align=left src="http://blogs.msdn.com/photos/sai_sireesh/images/9692787/thumb.aspx" width=58 height=87 mce_src="http://blogs.msdn.com/photos/sai_sireesh/images/9692787/thumb.aspx"&gt;&lt;/STRONG&gt;&lt;FONT size=2 face=arial,helvetica,sans-serif&gt;&lt;STRONG&gt;Jeff Jinnett&lt;/STRONG&gt; is Governance, Risk Management &amp;amp; Compliance Industry Market Development Manager, US Financial Services Group, for the Microsoft Corporation.&lt;SPAN style="mso-spacerun: yes"&gt;&amp;nbsp; &lt;/SPAN&gt;Mr. Jinnett is a&amp;nbsp;former partner of the international law firm of LeBoeuf, Lamb, Greene &amp;amp; MacRae, LLP (now Dewey &amp;amp; LeBoeuf) and has experience in advising Fortune 500 companies in the financial services industry on the use of technology to support corporate governance, risk management and compliance programs.&lt;SPAN style="mso-spacerun: yes"&gt;&amp;nbsp; &lt;/SPAN&gt;Mr. Jinnett has&amp;nbsp;testified as an expert before committees of the US Senate on issues relating to the intersection of law and technology.&lt;SPAN style="mso-spacerun: yes"&gt;&amp;nbsp; &lt;/SPAN&gt;He is a member of ARMA (a records and information management professional association) and the Society of Corporate Compliance &amp;amp; Ethics (SCCE). &lt;/FONT&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P style="MARGIN: 0in 0in 0pt" class=MsoNormal mce_keep="true"&gt;&amp;nbsp;&lt;/P&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=9834800" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/grc/archive/tags/Technology/default.aspx">Technology</category><category domain="http://blogs.msdn.com/grc/archive/tags/HIPAA/default.aspx">HIPAA</category><category domain="http://blogs.msdn.com/grc/archive/tags/privacy/default.aspx">privacy</category><category domain="http://blogs.msdn.com/grc/archive/tags/regulatory/default.aspx">regulatory</category><category domain="http://blogs.msdn.com/grc/archive/tags/regulatory+reform/default.aspx">regulatory reform</category><category domain="http://blogs.msdn.com/grc/archive/tags/mortgages/default.aspx">mortgages</category><category domain="http://blogs.msdn.com/grc/archive/tags/databases/default.aspx">databases</category><category domain="http://blogs.msdn.com/grc/archive/tags/Treasury/default.aspx">Treasury</category><category domain="http://blogs.msdn.com/grc/archive/tags/Financial+Regulatory+Reform/default.aspx">Financial Regulatory Reform</category><category domain="http://blogs.msdn.com/grc/archive/tags/Obama+Administration/default.aspx">Obama Administration</category><category domain="http://blogs.msdn.com/grc/archive/tags/Consumer+Financial+Protection+Agency/default.aspx">Consumer Financial Protection Agency</category><category domain="http://blogs.msdn.com/grc/archive/tags/CFPA/default.aspx">CFPA</category><category domain="http://blogs.msdn.com/grc/archive/tags/Congress/default.aspx">Congress</category><category domain="http://blogs.msdn.com/grc/archive/tags/Section+117B/default.aspx">Section 117B</category><category domain="http://blogs.msdn.com/grc/archive/tags/Health+Insurance+Portability+and+Accountability+Act/default.aspx">Health Insurance Portability and Accountability Act</category><category 
domain="http://blogs.msdn.com/grc/archive/tags/Health+_2600_amp_3B00_+Human+Services/default.aspx">Health &amp;amp; Human Services</category><category domain="http://blogs.msdn.com/grc/archive/tags/BlueCross+BlueShield/default.aspx">BlueCross BlueShield</category><category domain="http://blogs.msdn.com/grc/archive/tags/Streamlined+Sales+Tax/default.aspx">Streamlined Sales Tax</category><category domain="http://blogs.msdn.com/grc/archive/tags/Stanford/default.aspx">Stanford</category><category domain="http://blogs.msdn.com/grc/archive/tags/CodeX/default.aspx">CodeX</category><category domain="http://blogs.msdn.com/grc/archive/tags/tax/default.aspx">tax</category><category domain="http://blogs.msdn.com/grc/archive/tags/Jeff+Jinnett/default.aspx">Jeff Jinnett</category></item></channel></rss>