
Metric (Issue 07) V3

August Issue of CC Metric

Page 1: Metric (Issue 07) V3

Anti-bribery cases on the increase

Following the campaigns against bribery, including bribery outside of their immediate jurisdiction (see Metric 5), regulators have brought in a number of high profile cases. Last month we reported on the first Australian foreign bribery case, over a bank note printing company, half owned by the Australian central bank, bribing officials in Indonesia, Malaysia and Vietnam. Last month the UK reported settlement of bribery charges against the insurance broker, Willis, and Macmillan Publishing. The Willis fine of £6.9M was not for any specific bribery situation but for inadequate controls over third parties who helped them secure business in jurisdictions with perceived. Macmillan were charged by London's Serious Fraud Office (SFO) regarding illegal payments for contracts in its education business in Africa and were fined £11.3M. In addition, Macmillan have been banned from World Bank tenders for the next three years.

In the US, global drinks company Diageo has paid a fine of over $16M for charges of corrupt practices in India, Thailand and South Korea. Diageo was charged under the US Foreign Corrupt Practices Act by the US regulator, the SEC, who say they are now taking corrupt practices "seriously". Diageo, as also in the case of Willis and Macmillan, escaped higher penalties by cooperating with the regulators and committing to implement strengthened systems and controls to prevent such incidents in the future.

FSA consults on remuneration guidelines

The UK's Financial Services Authority has consulted financial institutions on the implementation of its Remuneration Code (which came into force on 1 January 2011). This rules on compliance with the remuneration requirements laid down in the EU Capital Requirements Directive (CRD3). The January policy statement applies the rules with a rigour dependent on the size and activity of the firm under regulation. The top tier is banks (including building societies) with capital resources exceeding £1 Bn or, for investment firms, £750 M. The bottom tier is for smaller limited activity investment firms.

The new proposed guidance is in the form of a "Dear CEO" letter which sets out, for top tier firms, a detailed approach to monitoring their implementation of the Remuneration Code, including the need for firms to submit a policy statement by a given date, and provides a template for this. The version for firms in tiers 2, 3 and 4 is less onerous and it is planned that the implementation will be tailored taking account of business models and risk profiles.

The consultation also includes proposals on definitions of impacted staff, the format of the required long-term incentive plans and, for firms that do not wish to remunerate in part in shares, the definition of the alternative instruments. Responses to the above are due in by the 2nd of September.


CHASE COOPER

IN THIS ISSUE OF metric

● Managing People Risk & ORM

● Escaping capital surcharges

● Dodd-Frank Act fine

● Latest Regulatory News


FERMA against greater risk appetite disclosure

In its response to the EU corporate governance framework consultation (responses had to be in by late July), the Federation of European Risk Management Associations (FERMA) has told the European Commission that it considers no more corporate governance rules are needed and that they should concentrate on the implementation and robust enforcement of existing EU corporate governance rules on risk management rather than creating new ones. They say that there is an overlap in the area of board duties on risk management and risk disclosure with the EU 8th Company Law Directive, itself not yet fully implemented. As a result, application of these existing rules may not be equally stringent across the EU.

FERMA also opposes any requirement for companies to publish information on their risk appetite beyond what is already required. They say "… it may harm companies' competitive position; will not improve their risk management culture; and will not provide more assurance to stakeholders that risks are under control".


Page 2: Metric (Issue 07) V3


Managing people risk is the essence of operational risk

'Our people are our greatest asset', the Chairman or CEO writes in the annual report and accounts. That is undoubtedly true, but the corollary is also true, that our people are potentially our greatest liability in a service industry. People failures, whether through incompetence, poor training or, importantly, poor behaviours, lie at the heart of so many of the risks to which financial services companies are exposed and suffer.

When the Financial Crisis Inquiry Commission, set up by the US Congress, delivered its report in January this year, it saw the fundamental causes of the crisis as 'dramatic failures of corporate governance and risk management' and a 'systemic breakdown in accountability and ethics'. All are failures of behaviour and therefore incidences of people risk, one of the four legs of the common definition of operational risk. In fact, people risk, part of operational risk, is a major component of risks which we classify as credit or market. Yet how often is people risk management treated with the seriousness it deserves, either as part of operational risk management, or at all?

People risk management starts with governance and embedding the right risk culture. Whilst we often talk about the 'tone at the top', I follow Professor Mervyn King, who chairs the King Committee on corporate governance in South Africa. His view is that you can talk about the tone at the top, but the key thing is to listen to the tune in the middle, the sounds which tell you that a particular risk culture is fully embedded throughout the firm. It doesn't matter where the risk culture lies on the spectrum from entrepreneurial to conservative. The important thing is that risk controls will be in place which accord with the risk culture and that the culture is communicated throughout the firm.

But first, to embed a risk culture, a firm should articulate and then communicate its strategy and objectives. Too often the strategy and objectives are expressed in a three-yearly document presented by the CEO to the Board, which is as far as it goes. But those objectives should be communicated to all staff and inform their behaviours, their approach to risk and to the firm's appetite for risk at all levels.

The strategy and objectives form the basis for risk appetite, but also for the key controls involved with people risk management: selection, appraisal, training and personal development, and remuneration. For instance, with selection, if the overall aim is to develop a firm with common values, then it makes sense to use, especially at a senior level, a specialist cohort of interviewers, as well as the relevant line manager. They will be looking for candidates who embrace the firm's values and behaviours.

Strategy and objectives inform the excellent behaviours which form the basis for performance measurement. Performance is not just about meeting sales or profit targets. It should also be about embracing shared values and behaviours - what we mean by excellence around here. If team-working is a core value of the firm, it should be in the performance measurement criteria for everybody from the Chairman down. After all, if the board isn't working as a team, that very quickly becomes apparent both to insiders and outsiders. Actions speak louder than policy statements.

Excellent behaviours are also fundamental to customer relations, a key element of reputation risk and a source of competitive advantage. If we can articulate what we mean by excellent or acceptable behaviour when it comes to dealing with customers, we can review and appraise accordingly. The benefits in performance, risk mitigation and profit will be considerable.

The same applies to training and personal development programmes and, perhaps most visibly of all, including to the public, to approaches to remuneration. Is the system transparent? Does it reward good risk behaviour, which is in line with the firm's stated risk appetite and its objectives, or does it encourage unacceptable risk-taking? If the firm's objectives are clearly communicated and, from them, excellent behaviours are clearly identified, the rest should take care of itself.

But any consideration of managing people risk must include a word about the HR function. If people are potentially a firm's biggest liability or risk, then HR should be a key risk oversight department. Much risk is managed by good human relations, but how much is managed by a good HR department? To what extent is the HR Director merely somebody engaged in 'transactional' HR - organising the appraisal system and training programmes or collating personnel data - rather than acting as a good risk manager?

We put in place risk management frameworks, but do we ask the HR Director to put in place a 'people risk management framework'?

John Thirlwell, a past Director of the British Bankers’ Association, is an independent adviser on risk management to boards in financial services, and is co-author, with Tony Blunden of Chase Cooper, of Mastering Operational Risk, published by Prentice Hall in 2010.


continued on page 3

Page 3: Metric (Issue 07) V3


Insurers may escape capital surcharges

Unlike their banking colleagues, large significantly important global insurers may escape the additional capital levies planned for their banking equivalents, the G-SIBs (see last month's ASYMmetricAL). As instructed by the G-20, the International Association of Insurance Supervisors (IAIS), together with the Financial Stability Board, is drawing up plans for capital requirements designed to prevent the problems experienced during the past crisis by AIG - who had to be rescued by the US government. A Reuters source has indicated that the IAIS is not convinced that a capital surcharge is needed in the case of insurers as these are not required to pay out until some specific event has taken place - an accident, death, or financial incident. Yoshihiro Kawai, Secretary General of the IAIS, told Reuters that no decision has yet been made, but that the IAIS

CFTC fine firm for infringing Dodd-Frank Act

The US's Commodity Futures Trading Commission (CFTC), the independent agency responsible for regulating, together with the National Futures Association, the US retail spot forex market, has fined London-based Forex Capital Markets Ltd. (FXCM) for infringing the Dodd-Frank Act derived regulations by acting as a retail forex dealer and conducting leveraged foreign exchange transactions with US retail customers ("non-Eligible Contract Participants", i.e. other financial institutions, corporate, funds, etc) without having previously registered with the CFTC.

The fine of $14K was relatively light as FXCM's violation was only for 11 days following the enactment of the CFTC rules on October 18th 2010, but it emphasises the need for non-US market traders to carry out due diligence on their customers following the increased requirements brought about by Dodd-Frank.

Pictured: Yoshihiro Kawai, Secretary General of the IAIS; Christopher Dodd, Previously US Senator for Connecticut; Barney Frank, Congressman of the Fourth Congressional District of Massachusetts

Free Risk & Compliance Briefings

Chase Cooper run two regular breakfast briefings for Risk and Compliance in the City of London. The briefings are free to attend although due to space being limited they are open only to senior risk, business and compliance staff working in FSA authorised firms.

Registration for the September briefings is now open. Details as follows:

Risk Breakfast Briefing
Making the Most of your KRI Data

This will be the third in a series of three Breakfasts focusing on using your data to assist your business, the previous two being ‘Making the most of your RCA data’ held in May and ‘Making the most of your Event data’ held in June. The first two breakfasts attracted a considerable number of attendees from a wide variety of financial institutions.

Many firms are collecting significant numbers of operational risk indicators and yet are barely using them for the benefit of the business. This Risk Breakfast will look at the ways in which indicators of key risks and key controls can be used in order to benefit the firm to which the indicators belong. We will consider a variety of approaches and uses.

As well as a participative discussion, we will use an anonymous voting tool to find out the state of use of KRIs by firms in the room. Both methods will give attendees useful knowledge which can be immediately applied at their firms.

This Risk Breakfast briefing is being held at Chase Cooper’s offices in Finsbury Square at 8.30 a.m. on Thursday 22nd September 2011.

Risk Breakfast Briefings are provided by Tony Blunden, Director of our Consultancy division. Tony has worked in the city for over 30 years primarily within risk management and related areas in financial services organisations. He is also co-author of Mastering Operational Risk.

To register for this Risk Breakfast Briefing, please click here…

Strategic Compliance Breakfast Briefing

The next Chase Cooper Strategic Compliance Breakfast briefing for 2011 is to be held at Chase Cooper’s offices in Finsbury Square at 8.45 a.m. on Wednesday 28th September 2011. Further details of this briefing will be published shortly.

Strategic Compliance Breakfast briefings are provided by Nick Gibson, Director of our Compliance Solutions division. Nick has 25 years’ senior experience within regulation and compliance.

To register for this Strategic Compliance Breakfast Briefing, please click here…

Next month…

The keynote article next month will be brought to you by Nick Gibson, Chase Cooper’s Director of Compliance. Nick will write on “the International Monetary Fund report on the future of UK regulation - sense and sensibility”.

We develop a risk register and assess the risks it catalogues, but do we also pass those risks through the lens of people risk and assess them accordingly? People risk management is an essential part of operational risk management. Ignoring it will do serious harm to your profits.

Page 4: Metric (Issue 07) V3


US and Chinese regulators met in Beijing in July to thrash out principles for the cross-border audit of firms active in both countries.

In late July, the European Banking Authority (EBA) published two consultation papers (CP46 and CP47) on guidelines for data collection on bank remuneration practices. This is part of the greater disclosure of remuneration information contained in CRD III, which came into force on 1st January 2011.

Following the down-grading of US sovereign debt from triple-A, the US SEC has announced that it will be investigating Standard & Poor's (S&P) to ensure that correct procedures were followed. In a separate case, the SEC and the US Justice Department are both investigating S&P to see if it improperly issued mortgage securities credit ratings to its own benefit.

In August the Securities and Futures Commission of Hong Kong charged SC Woo with intraday short selling of shares that he did not own. This is the SFC's first case brought on a charge of naked short selling.

On August 12th the SEC officially launched its new whistleblower program with a new webpage to enable people to report any violation of the Dodd-Frank Act securities laws and to apply for a financial award for doing so.

The China Banking Regulatory Commission (CBRC) and the Monetary Authority of Singapore (MAS) have signed a Supplemental Agreement to their existing MoU to include cooperation on crisis management.

The FSA has published a Consultation Paper and a Discussion Paper on proposals for the Recovery and Resolution Plans (RRP, also known as "living wills") now required of financial institutions. The G20 has called for internationally consistent, firm-specific RRPs and the FSB has set out a timetable for systemically important firms to be completed by the end of 2012. Under the Financial Services Act 2010 all UK deposit-takers are required to have RRPs in place and this may be extended to significantly important investment firms.

ASYMmetricAL

A question I get asked is "what is the demarcation between operational risk and compliance". The answer of course is that there is a huge amount of overlap, with the need for effective communications between the functions. But Compliance Risk is a major concern for any risk management department and should not simply be left to the Compliance Officer.

Compliance failures can have serious financial implications through regulatory fines, suspension of a business and restitutions following court cases; they impact the business through banning certain activities and consequential loss of profits; and they have serious reputational impact. Compliance risk needs to be monitored and mitigated as for any operational risk, and compliance needs to be built into stress testing and the RCSA process.

The role of the Compliance Officer typically is to ensure that there is an awareness of regulations and that effective compliance procedures are in place. The role of the operational risk manager is to evaluate the degree of compliance, the risk of control failure and the impact of any event. Risk must be balanced against reward, and, in theory, a firm could accept a compliance violation providing the reward was high enough.

Regulations are by definition external impacts and ones over which a firm has very little influence. These are hard enough to monitor when one is operating in a single jurisdiction; when both firms and regulations are operating globally it becomes a serious concern.

In June Metrics looked at the impacts of the UK Bribery Act and, as reported in this issue, many other countries have similar regulations concerning bribery by employees or agents in foreign countries. In this way a head office can be prosecuted for activities by its overseas subsidiaries.

More difficult to evaluate is where the regional power in a subsidiary region can prosecute the firm, even though that firm lies outside its immediate jurisdiction. This has been happening with US regulations, and compliance officers and operational risk managers need to be aware of the impact of US regulations.

The first major case of this was with the Sarbanes-Oxley Act (SOX) in 2002 whereby a US exchange quoted firm was liable to onerous rules regarding its financial reporting. Many non-US firms discovered secondary stock quotations on US exchanges (the best place in the 1990s to raise money) and were dragged into SOX compliance even if they were doing little or no US business. Now two new US acts threaten non-US companies - companies that do business in the USA or simply have US-based clients. These are, and I give them their full names, the Wall Street Reform and Consumer Protection Act (known as the Dodd-Frank Act after its promoters) and the Foreign Account Tax Compliance Account (simply known as FATCA). And, again as reported in this issue, Dodd-Frank is already impacting London brokers.

Dodd-Frank is an umbrella act which tasks the US regulators with creating new rules and infrastructures to reduce the likelihood of a financial crisis and its impact on investors. It focuses on limiting risk, protecting consumers and regulating those not currently regulated such as the OTC derivatives market. Overseas banks and brokerages with subsidiaries or sales offices in the USA will have to adhere to Dodd-Frank. This is complicated as many regulations are still unclear or have not even been formulated. Also intensive lobbying by US investment banks and by the Republican Party (who see it as interference in free enterprise) is diluting many of the intentions of the act.

FATCA is designed to prevent tax evasion in the US and focuses on high net-worth US taxpayers. It introduces a 30% withholding tax requirement on foreign financial institutions (FFIs) which will be lifted if they comply with certain reporting requirements. FATCA will impact any FFI which has US clients or holds US assets in any form and violation of FATCA could result not only from US or EU operations but could result from interaction with any US person regardless of where resident.

Metric will be looking at the development of both Dodd-Frank and FATCA in future editions and extracting their operational risk implications.

The back page, sometimes critical view from the Editor

Regulatory NEWS

metric is published by Chase Cooper.
web: www.chasecooper.com
email: [email protected]