A little over ten years ago, in 2003, the SEC proudly announced record-setting fines against ten financial institutions totaling over a billion dollars, working out to about $140 million for each (the actual cost varied per bank). The ‘research settlement’, as it became known, was touted as ‘ground-breaking’ and ‘historic’ in the size of the financial penalties, disgorgement and other costs imposed by the agency. And the SEC could quite rightly feel proud, as it, together with the then NASD and NYSE (now FINRA), had never before imposed such a hefty, coordinated fine against some of the leading banks in the US, including some of the largest foreign banks such as Credit Suisse and UBS.
Fast-forward ten years to today, and that $140 million would barely register as a blip in the world of regulatory fines. As highlighted in September by Neue Zürcher Zeitung, the top twelve fines ranged from a high of $1.9 billion to $450 million on the low end.
A few months later even those record-breaking numbers were eclipsed when just one bank, JP Morgan Chase, paid out over $20 billion in regulatory fines, double the total of the top twelve fines combined.
BUT NOT PEAK CHANGE
Yet, for all the noise around penalties, they are arguably reaching a peak (or are more like a trailing indicator, as the impact of penalties and legal costs will still be a costly hit to balance sheets for months to come, as the recent Deutsche Bank numbers demonstrate). It simply is not a sustainable model for regulators to pursue a strategy of doubling fines, to the point at which people start referring to a “White’s Law” (Mary Jo White, SEC Chair) analogous to Moore’s Law.
What is to be expected going forward is Change, with a capital “C” for emphasis (though it does not rhyme with “P”), across a financial institution’s entire risk management approach. And here I am not referring to the known laws and regulations, published or in the pipeline, such as Volcker. Those changes will clearly force expensive and complicated modifications to, say, a trading platform or e-communications applications, or even to which business lines to stay in, but those are relatively narrow, specific changes to the way a financial institution operates, albeit still quite challenging.
No, the Change being referred to in this piece is the need to move away from the historically siloed approach and fully reflect the “risk” of a bank’s entire portfolio of risk-type functions across all jurisdictions and legal entities. This means areas such as IT Risk, Op Risk, Market Risk, as well as Compliance, combined with legal entity A operating in country B, are all operating with common goals and systems. Crucially, there must be visibility across these functions in terms of their standards, policies, and which rules, and any changes to them, must be followed. This requires changing not only the way people and processes work, but also unifying the traditional model of individual solutions for documentation and applications. The Op Risk group may have a great application to measure risk and display its standards in its space, but that can no longer be counted as “success” if IT Risk has a less-than-optimal application and neither has visibility of the other.
Implementing such an approach will require a range of previously independent stakeholders to agree on a common platform. Issues such as scalability, flexibility and accommodation of potentially multiple data repositories become critical to the success of any solution in meeting this challenge of integrated risk management. Otherwise, the alternative may very well be the creation of “White’s Law” for the financial industry.