Banks with Weak Cybersecurity Could Be Downgraded: S&P

From CFO –

“Standard & Poor’s on Monday said that it could downgrade banks with weak cybersecurity, even if they haven’t been attacked.

S&P has yet to downgrade any bank that has suffered a security breach because the cyberattacks so far have not resulted in reputational issues or monetary or legal damages that significantly hurt profits, S&P analysts led by Stuart Plesser wrote in a report.”

Read more>>

Fitch: Operational RWA New Twist in Regulating US Bank Capital

From Reuters

“(The following statement was released by the rating agency) CHICAGO, February 25 (Fitch)

The Federal Reserve's move to allow the use of Basel III advanced approaches in the calculation of large banks' risk-based capital will give some institutions more flexibility in meeting capital targets. But Fitch Ratings sees accompanying increases in operational risk-weighted assets (RWA) as an additional tool for U.S. bank regulators to use in supervising capital levels in the industry.”

read more>>

How Moody’s bank downgrades affect you

Some think Moody's downgrades of major banks will hurt lending but others think the affect will be minor. What do you think?

Financial Stability Board publishes principles to reduce reliance on Credit Rating Agency Ratings

The Financial Stability Board (FSB) believes that the use (or “hard wiring”) of Credit Rating Agency (CRA) ratings in regulatory regimes for banks and other financial institutions has contributed significantly to mechanistic market reliance on ratings. This in turn is a cause of herding and cliff effects from CRA ratings changes that can amplify pro-cyclicality and cause systemic disruption.

More widely however, the official “seal of approval” implied by the use CRA ratings in regulatory rules has contributed to an undesirable reduction in banks’, institutional investors’ and other market participants’ own capacity for credit risk assessment and due diligence.

The goal of the principles is to reduce mechanistic reliance on ratings and to incentivize improvements in independent credit risk assessment and due diligence capacity. Banks, market participants and institutional investors should be expected to make their own credit assessments, and not rely solely or mechanistically on CRA ratings. The design of regulations and other official sector actions should support this. Accordingly, authorities should assess references to CRA ratings in laws and regulations and, wherever possible, remove them or replace them by suitable alternative standards of creditworthiness.

The principles aim to catalyze a significant change in existing practices. They cover the application of the broad objectives in five areas:

• prudential supervision of banks
• policies of investment managers and institutional investors
• central bank operations
• private sector margin requirements, and
• disclosure requirements for issuers of securities.

The FSB has asked standard setters and regulators to consider the next steps that could be taken to translate the principles into more specific policy actions to reduce reliance on CRA ratings in laws and regulations. It recognizes that changes in market practices cannot happen overnight. This means incentivizing a transition to a reduced reliance over a reasonable timeframe extending into the medium term, taking into account the need for market participants to build up their own risk management capabilities to replace reliance on CRA ratings, and the particular circumstances of products, market participants and jurisdictions. Such actions have already been taken or are being considered by some international standard setters and in some jurisdictions. The FSB will monitor progress in this transition.

The FSB’s report was endorsed by G20 Finance Ministers and Central Bank Governors at their meeting in Gyeongju, Korea, on 22-23 October.

US cautions credit rating agencies

The US Securities and Exchange Commission (SEC) has issued a report cautioning credit rating agencies about deceptive ratings conduct and the importance of sufficient internal controls over the policies, procedures, and methodologies the firms use to determine credit ratings.

The SEC’s Report of Investigation stems from an Enforcement Division inquiry into whether Moody’s Investors Service (MIS) – the credit rating business segment of Moody’s Corporation – violated the registration provisions or the antifraud provisions of the federal securities laws.

The Report says that because of uncertainty regarding a jurisdictional nexus between the United States and the relevant ratings conduct, the Commission declined to pursue a fraud enforcement action in this matter. The Report notes that the recently enacted Dodd-Frank Wall Street Reform and Consumer Protection Act provided expressly that federal district courts have jurisdiction over SEC enforcement actions alleging violations of the antifraud provisions of the securities laws when conduct includes significant steps, or a foreseeable substantial effect, within the United States. The Report also notes that the Dodd-Frank Act amended the securities laws to require nationally recognized statistical rating organizations (NRSROs) to “establish, maintain, enforce, and document an effective internal control structure governing the implementation of and adherence to policies, procedures, and methodologies for determining credit ratings.”

“Investors rely upon statements that NRSROs make in their applications and reports submitted to the Commission, particularly those that describe how the NRSRO determines credit ratings,” said Robert Khuzami, Director of the SEC’s Division of Enforcement. “It is crucial that NRSROs take steps to assure themselves of the accuracy of those statements and that they have in place sufficient internal controls over the procedures they use to determine credit ratings.”

According to the Report, an MIS analyst discovered in early 2007 that a computer coding error had upwardly impacted by 1.5 to 3.5 notches the model output used to determine MIS credit ratings for certain constant proportion debt obligation notes. Nevertheless, shortly thereafter during a meeting in Europe, an MIS rating committee voted against taking responsive rating action, in part because of concerns that doing so would negatively impact MIS’s business reputation.

MIS applied in June 2007 to be registered with the Commission as an NRSRO. The Report notes that the European rating committee’s self-serving consideration of non-credit related factors in support of the decision to maintain the credit ratings constituted conduct that was contrary to the MIS procedures used to determine credit ratings as described in the MIS application to the SEC.

In the Report of Investigation, the Commission makes clear that credit rating agencies registered with the SEC must implement and follow appropriate internal controls and procedures governing their determination of credit ratings, and must also take reasonable steps to ensure the accuracy of statements in applications or reports submitted to the SEC.

The Report cautions NRSROs that, when appropriate, the Commission will pursue antifraud enforcement actions against deceptive ratings conduct, including actions pursuant to the Dodd-Frank Act provisions regarding conduct that physically occurs outside the United States but involves significant steps or foreseeable effects within the US.

Under Section 21(a) of the Securities Exchange Act of 1934, the Commission may investigate violations of the federal securities laws and at its discretion “publish information concerning any such violations.” David Frohlich, Margaret Cain, Roger Paszamant, and Dean Conway conducted the SEC’s investigation. The Commission acknowledged the assistance and cooperation of foreign regulatory authorities in Europe in the investigation.

Sins of the Risk Managers

Have risk managers really been doing their jobs properly? According to many they certainly have not. I came across this interesting item on the sum2llc Blog. It is certainly worth a read.

Click on the post title or the link below.
http://sum2llc.wordpress.com/2009/09/28/day-of-atonement-al-chet-for-risk-managers/

Risk Management in a Post-Financial Crisis World

By Stanley Epstein – Principal Associate at Citadel Advantage


One thing that the financial meltdown has show in crystal clear relief is that among the many contributing factors, there can be no doubt that Risk Management didn’t adequately manage risk. Why this was so is going to be the subject of much debate in the coming months and years. Were Risk Managers constrained by the executive suite who wouldn’t hear the warnings, or were Risk Managers not answering or not even able to answer the basic questions of their trade? Whatever the reason the profession of Risk Management has some deep soul-searching to do.

Now, all of a sudden, that the economies of many countries, not to mention the banking industry, is in tatters, we have dozens of articles and blogs all bemoaning the state of risk management and what we need to do to get everything right again; as if there is some elixir, or some magic wand that will put it all right.

All these blogs and articles are pounding away on the same old drum; all are documenting how badly everyone has done in managing risk and all are extolling bank boards, senior management, regulators and rating agencies to do better next time.

Where were all these authors and bloggers in the good times? Where were they in the heady days prior to the summer of 2007 when the banks and the rest of the financial industry was gaily acting if the only way forward was “up”; when the “old” economy had been declared dead as a dodo and the mantra of the “new economy” was “profits”, “bonuses” and “innovation”. Like the “old economy”, “risk” in all its forms had, by the invocation of all the new hedging and derivative strategies been declared dead too.

True there were some (all too few) who sounded dire warnings of where this was going to end – but who wants a Jonah in their midst when there is a never-ending beach party on the go?

As a professional risk management practitioner and trainer I really feel aggrieved with all the soul searching and hand wringing going on at the moment. Tell me please where all these new risk averse converts have come from? Where were they when they were really needed?

Now that the party is finally over it is time to do things properly. Risk management in the first decade of the 21st century failed miserably. The tone at the top was rotten, whether in the banks or the regulatory agencies or the risk raters themselves. And this rot permeated all the way down to the bottom of the pile.

What were the failures?

The failure to measure risk – risk models were misused, misspecified and most of all misunderstood.

The failure in training – bank boards and regulators were not adequately instructed in what “risk” really meant. Bank staff was only trained in the three P’s – Product, Performance and Profit. Issues like risk concentration, scenario planning, operational failures were only concepts that made one sound intelligent. Worst of all – risk management costs money and of course “unjustified costs” are the bane of every diligent (but not prudent) banker.

The failure to mitigate risk – without understanding risk it cannot truly be measured and without measurement it cannot be mitigated. These factors are interconnected. The one leads to the other.

Enough of this hand wringing! We all know where the blame lies. What is needed now is some courageous risk managers who will roll up their sleeves and get the job done – properly this time.