May 21, 2006
Working together to fight fraud
Traditionally most banks small and large keep their management techniques for tackling potential business problems under tight wraps specifically if it results in the bank being more competitive however, when dealing with issues such as fraud banks often work together to form information sharing hubs to reduce such exposures.
In April this year the FSA and mortgage lenders have joined together to set up such an information sharing hub and have established a streamlined reporting system designed to reduce the level of fraud involving mortgage loan applications. The process has been designed to allow lending firms report specific account details they deem suspicious at any point within the loan process, both after the application has been approved or before. This reporting can also relate to single or multiple loans from one customer and has been designed to also target intermediaries that are not following appropriate practice when assisting customers through the loan approval process.
Mortgage fraud comes in many forms starting with applicants that misinterpret their income or employment details so that they are able to borrow larger amounts to customers that manipulate the valuation of the asset for an over inflated loan. At the other end of the scale entirely false documentation is used to draw down funds that the borrower has no intention of paying back and that are usually destined for an entirely different purpose than funding the purchase of a property. The minor mendacious detailing on a loan application form is often missed during application approval activities and will result in a higher probability of the mortgage defaulting or in the lending not being totally secured. While this appears on the surface as a credit loss to the bank it is in reality operational in nature because the bank has made a choice to bare a risk that is outside credit policy and thus becomes a non-chosen risk.
Some intermediary brokers have a tendency to assist the more impoverished customers and some even search out these demographics of clients when professionally these firms should be adjusting a customer’s expectations appropriately. Banks usually need to measure rejection rate and the concentration defaults for loans from specific intermediaries to identify whether there is an abnormal volume before being sure that such brokers are inappropriately operating and of course then it is often too late.
It is likely that this new initiative from the FSA is going to be welcomed considering only some of the factors we have listed here. The reporting system is of course going to require formalization for its long term success. Simply reporting suspected and fraudulent loans may assist in legal discourse but most banks would prefer to eject potential applicants very early on in conveyance process. They would also prefer to review potential brokers in a shared database for a rating of professional worthiness before engaging them and that then requires a process for fair treatment. Specifically in the case a broker or customer was incorrectly listed they need to be able to resolve their standing within this mortgage fraud database but before we jump ahead of ourselves we must accept that most good systems start of as an embryonic concept and will evolve over time, this FSA aspiration is well worth watching.
More information from the FSA.
Posted by CausalEvents at 09:46 PM
| Comments (0)
May 13, 2006
Different Strokes for Industry Folks
One recent trend that seems to be a common land on my desk is an interest in risk systems for the utility sector. Certainly energy is the hot topic of 2006 with advancements in technology on renewable sources and then market diversification of formal buying, selling and hedging is taking these companies into the financial markets and as they enter that realm there seems to be some incentive to improve or perhaps formalize operational risk. These organizations are certainly going about that, but they are doing it in quite a different manner than the financial sector as we shall see.
Really Operational risk in concept is the same in bank as it is in a utility provider however the emphasis seems to be on reducing faults in utility providers while in banks it is all about capital. Many analysts from the financial sector in particular argue that both are the same creature dressed in a different skin but with our more 'heavy industry' based businesses such as manufacturing and utilities the focus is generally towards bottom up techniques.
In particular Basel II doesn't seem to stress best practices for fighting risk, its’ focus is all about measuring the potential exposure so that a reserve of money can be held and this reserve is referred to as the tier I, II [III] capital reserve. There have been many critiques on this thinking, I am far from the first and I am also a big believer that if banks treated this risk class in a more real manner, closer to the cause and by learning techniques from operational risk programs in these adjacent industries then management of events becomes an easier task. Specifically if a bank simply treats risk as a compliance exercise then working tangible outcomes are often lost, tacit knowledge of staff is not utilized and enthusiasm for the program dwindles as costs escalate.
Utility providers on the other hand tend to lend themselves to being real about creating systems that actually reduce potential exposure and at the coal face of the business where such exposures can be seen. Their programs will generally include and be written in manner that:
# There is an ability to capture loss data and assign those events to a cause for a better understanding on the businesses problems in the context of the business.
# The company has incentives to locate and find potential pathogens for failure through an investigative approach into understanding causality. Causality and hazard solutions allow event description to be built up in a manner that one event can be proven to cause another, for example:
Water + slippery surface + people present = possible occupational & safety hazard.
That's the hazard, now we remove the hazard by destroying the equation. Here is a solution: It’s raining, we have a paved floor and people are at the door, we reduce the hazard by laying out a carpet and/or putting up a sign stating "the surface is wet watch out for a slippery floor".
Of course there are many of these hazard reducing tools in a power station and they form the key basis for policy; the rules of how staff use machinery around so that a safe, productive and importantly continuous environment is sustained.
A good program will also have a process for showing how to monitor potential causes that increase the likelihood of fault so that planning of activities can be carried out to reduce failure. Such a program is an ongoing exercise of review and record otherwise it is not representative of new potential threats and their associated problems.
The system also needs to allow the business to easily track its best practice so it should create a list of workable actions for staff to engage during failure, so that faults are resolved quickly, effectively and without incurring additional knock-on effects.
Taking this one step further these workable actions also allow benchmarks to be created between departments for a formal monitoring and reporting process. This process then tracks whether a department is reducing its operational risk as planned or whether there is an erosion on quality in staff efforts and that means more hazards.
I am not saying banks don’t do this, because they certainly do. Most financial institutions have a comprehensive branch audit team, and controlled self assessment is usually scattered throughout their operations however one is left with the feeling that many staff in banks don’t actually know why they are doing something when it is operational risk in nature. They simply tick the box and most data in operational risk sits in silos and is used to calculate capital reserves.
Risk and reliability assessment techniques in other industries tend to be put into two classes, quantified or heuristic. Quantified assessment techniques in these industries use specific algorithms to calculate the actual likelihood and consequence of a failure by proceeding to a solution from an explicit and complete step analysis such as FMEA or Fault modes and Effects Analysis. FMECA is a popular set of methodologies employed by heavy industry for understanding the critical nature of a fault, the pathogens that drive the fault and what the consequences are. Banks on the other hand don’t seem to become tied up with FMECA and I would beg to wonder whether the typical operational risk analyst in a bank would be up on FMECA at all. Yet outside the world of finance FMECA has such a following that some industry regulated bodies have published failure modes for specific systems and structures they know their regulated companies use. These publication notes of course can be used by any company for a plan for managing the predictability of outages in specific cycles of operation.
Here is the list of such cycles taken from the MIL-SD-1629A US Military Standard:
# Premature operation
# Failure to operate at a prescribed time
# Intermittent operation
# Failure to cease operation at the prescribed time
# Loss of output or failure during operation
# Degraded output or operational capability
# Other unique failure condition based on system characteristics and operational requirements or constraints
Looking at risk this way has some distinct advantages, primarily understanding the probability of a systems up time we are able to plan business continuity programs. We are also able to understand what processes need to be carried out by staff during each cycle of operation. Another advantage of course is being able to describe the Mean Time to Repair for each component and this leads to a good threat analysis for change management staff and that is where operational risk is often featured yet not factored into capital.
Posted by CausalEvents at 06:24 PM
| Comments (0)
May 02, 2006
Recent trends in regulation
One of the less talked about risk categories in operational risk is yet the most featured in news and would have to be “regulation risk”. It certainly is a constituent in several places of the Basel accord and can be found either entirely or in part in event classifications such as Suitability, Disclosure and Fiduciary, Improper Business & Market Practices, Advisor Services, Monitoring and Reporting as well as in employment practices where discrimination and relations can be enforced. It has even been found in fraud as we shall shortly see.
What is interesting with regulation risk is that it is invitingly and intrinsically intertwined with behavior modification and that seems to be the approach the Financial Services Authority (FSA) is taking at present. Without doubt they are adamant to create an effective enforcement process as a method to achieve this behavioral change and Margaret Coles’ the head of enforcement at the FSA has recently delivered a speech that was also picked up by the Financial Times on this subject. She stated in particular, the FSA expects management to take responsibility for ensuring firms identify risks and increasingly individual managers are going to be held accountable for their inappropriate actions and their negligence. Now the FSA has never really been known as a regulatory animal who’s bark is louder than its bite and only last month they filed a case against Capita Financial, for £300,000 for failure to prevent actual and attempted frauds with the ominous quip “a failing that may be shared by most regulated firms”. What is interesting with this case is that it is quite a new angle for enforcement with regulators and they do not often place internal fraud at the top of the agenda list for punishment handouts however the regulatory landscape is changing.
If Capita Financial thought they were alone in edge regulatory risk they are also joined by Citicorp who have been tripped for alleged “institutional insider trading” and again the root cause appears to be an internal oversight. In Citicorp’s case the bank was supposedly not managing information flow between internal departments that operate in adjacent business functions and which benefit symbiotically from occasional good communication. Knowledge sharing is generally a good business practice and ensures the company takes advantage of potential opportunities but in some circumstances it crosses a boarder of law and in the eyes of the regulator, this case has conflicting goals with some potential downsides.
SMH News Article
Then back to Europe and Detusche who is again in the spotlight with a fine of £6.3 million for misconduct over a block trade and its former head of equities has received the largest personal penalty imposed by the FSA however, if that wasn’t enough for this bank, they are also under scrutiny for possible market abuse both in the Spain and France.
What appears to be the common thread, is that management are being held accountable for their lack of insight in their business controls or managing how these controls interact in the complex framework of products, value chains and policy. Certainly where there is sloppy execution the regulators appear to be tightening what they might classify as ‘a case’ and if trends continue they are more than likely to become virulent in pursuing such breeches.
Perhaps in the situations above, it is outmoded policies that exist and persist in these complex organizations. Such policies were once accepted yesterday but today take these institutions into questionable activity spaces. Whether these events are due to lack of regulatory knowledge, diligence of staff to detect and correct weak controls or in some instances simple risk taking “do and hope”; what seems apparent is that with regulation exposure an increasing hole of certainty for those who chose to skirt the law as well as those who fail to enforce it, efforts industry wide are going to have to improve for the hall of fame to slow on its tally.
Posted by CausalEvents at 12:09 AM
| Comments (0)
