Monday June 4 2012 - Top 10 risk and compliance management related news stories and world events that (for better or for worse) shaped the week's agenda, and what is next

International Association of Risk and Compliance Professionals (IARCP)
1200 G Street NW Suite 800, Washington, DC 20005-6705 USA
Tel: 202-449-9750
www.risk-compliance-association.com

George Lekatis, President of the IARCP

Dear Member,

Today we can start from No. 10 of the list, where we discuss cyber-attacks. According to Mark G. Clancy, Managing Director and Corporate Information Security Officer, The Depository Trust & Clearing Corporation:

“Cyber-attacks on the financial services sector represent a significant risk not just to industry participants but to the stability and integrity of the global financial system itself.”

“The global financial system is an enormous, interconnected system of systems. In other words, while individual institutions operate different parts of the critical infrastructure, the financial system itself is a product of the interactions of all these discrete actions.”

It is an interesting speech, you must read it.

Welcome to the Top 10 list.
The Relevance of Audits and the Needs of Investors
May 31, 2012
James R. Doty, Chairman, 31st Annual SEC and Financial Reporting Institute Conference, Pasadena, CA

May 30, 2012
The Federal Reserve Board announced the approval of a final rule outlining the procedures for securities holding companies (SHCs) to elect to be supervised by the Federal Reserve. An SHC is a nonbank company that owns at least one registered broker or dealer.

Last year, the UK financial services industry faced regulatory change on a sweeping scale. At the national level the last UK government introduced the Financial Services Act 2010, which resulted in a number of changes.

Interview with Gabriel Bernardino, Chairman of EIOPA, conducted by Jan Wagner, Versicherungsmagazin (Germany)
Hearing on the ESRB before the Committee on Economic and Monetary Affairs of the European Parliament
Introductory statement by Mario Draghi, Chair of the ESRB, Brussels, 31 May 2012

Meeting of the Financial Stability Board in Hong Kong on 29-30 May
At its meeting in Hong Kong, the Financial Stability Board (FSB) discussed vulnerabilities currently affecting the global financial system and the progress in authorities’ ongoing work to strengthen global financial regulation.

Publication of the first regulatory technical standards on credit rating agencies (CRAs) - 30/05/2012
Four European Commission Delegated Regulations establishing regulatory technical standards for credit rating agencies have been published in the Official Journal of the European Union.
Commodity Futures Trading Commission (CFTC)
“Smart Regulatory Reform and the Perils of High-Frequency Regulation” – Remarks by Commissioner Scott D. O’Malia, May 31, 2012

Commodity Futures Trading Commission (CFTC)
Statement Regarding Public Roundtable to Discuss the Proposed Volcker Rule, Chairman Gary Gensler, May 31, 2012

Hearing entitled “Cyber Threats to Capital Markets and Corporate Accounts”, Friday, June 1, 2012
House Committee on Financial Services, Subcommittee on Capital Markets and Government Sponsored Enterprises Hearing on “Cyber Threats to Capital Markets and Corporate Accounts”
Mark G. Clancy, Managing Director and Corporate Information Security Officer, The Depository Trust & Clearing Corporation
NUMBER 1

The Relevance of Audits and the Needs of Investors
May 31, 2012
James R. Doty, Chairman, 31st Annual SEC and Financial Reporting Institute Conference, Pasadena, CA

Good Afternoon,

I am pleased to be back this year to join you in this conference again. I must tell you that the views I express today are my own and do not necessarily reflect the views of the Board, any other Board member, or the staff of the PCAOB.

This is a special year in many respects. We have our own concerns at home. But those of us who find our work on financial terrain have our sights trained east, toward Europe, and west, toward China, more than in past years.

In the broader population, there is new apprehension for effects we don't know but must nevertheless judge.

Will European states muster a defense to the behavioral contagion of financial panic?

Will they find a way to use their inter-dependence to make Europe financially stronger?

Or will they find that too many divergent interests must agree to save the European experiment?
How will the U.S. be affected?

Looking toward China, many say that that nation's economic growth cannot continue without structural changes.

Can China instill its new, investing middle-class with confidence that financial markets will provide for its future?

From our larger companies to our smaller entrepreneurs, we are doing business in China.

Can we have confidence that China isn't the latest iteration of — pick your era — the Tulip Scandal, the silver-mine frauds of the Old West, the S&L bust? And how should we deal with these risks in a global economy?

These are questions that require that admirable quality we often call vision. When we speak of vision, we speak of visionaries.

That is, people who have stepped out from the crowd and revealed something that the rest of us could not see.

There are false visionaries, who inspire us to act based on what we or they wish might be. But the true ones give us honesty, and invaluable leadership.

I. Ken Leventhal Exemplified the Expertise and Integrity that is Needed to Make Accounting and Auditing Relevant to the 21st Century.

Earlier this month, the University of Southern California, the accounting profession and the public more generally lost a true visionary.

I refer to the passing from our scene of Kenneth Leventhal earlier this month, at the age of 90.

Ken Leventhal, throughout his career, gave us clear ideas about how the practice of accounting can and should give society the tools necessary to reduce complicated circumstances to simple, actionable facts.
And he was a good Trojan. Although a graduate of UCLA, he became an active and generous USC supporter after UCLA ended its accounting major.

He believed in the future of the accounting profession.

He wanted to train the new generation of accountants to use the tools he had developed in practice to help the profession thrive as a vital force for social good.

He helped build and maintain a first-rate accounting program at USC, which among other things brings the faculty, policy-makers in accounting, auditing and securities regulation, as well as leaders in the profession together each year at this first-rate conference.

Beyond his work here at USC, his professional life leaves a great legacy and, if we heed his lessons, perhaps a chance to see our confusing financial world with his clarity.

He was born in 1921.

As he told his own story, he got the idea for his career when he was a paper boy for the Herald-Express newspaper.

His boss was planning to take a correspondence accounting course and go into business for himself, because — as many faculty members will likely recall Mr. Leventhal recounting — "all it took to get started in accounting was a pencil."

Mr. Leventhal said that "for a nickel," he figured he could be his own boss, and he never changed his mind.

Mr. Leventhal's plan was interrupted in 1939, after high school, by WWII.

When he returned from the war, he enrolled at UCLA on the GI Bill.
That is where he met his wife and future business partner, Elaine Otter Leventhal. After they finished school in 1949, they started the accounting firm Kenneth Leventhal & Co. in Los Angeles.

They focused on real estate accounting, and grew the firm into the premier real estate specialty firm in the country, at one point the ninth largest firm in the country.

Their clients included the top real estate developers in the post-war period — Ray Watt, Trammell Crow, Donald Trump, and Donald Bren to name a few. Mr. Leventhal made his mark guiding those clients "through times of expansion and financial distress."

To give you a sense of that mark, let me read a passage from a Washington Post article in 1990.

It said, "When Donald J. Trump, the flamboyant real estate tycoon, found his business empire in disarray, he could have called on any of Wall Street's top investment bankers to help him out of his troubles. Instead, he turned to an accountant in Los Angeles," Kenneth Leventhal.

The Post called him "no run-of-the-mill" accountant. Rather, it reported, "[a]t a time when the world of accountants and their firms is undergoing wrenching changes, besieged by government lawsuits and cutthroat competition for clients" — sound familiar? — "the 70-year-old Leventhal is running ahead of the pack and, so far, ahead of his profession's problems."

The Post went on to explain the source of his worth: his skill and integrity.

As one person put it at the time, "If Trump said his properties were worth such and such, the bankers might not believe him. But if Ken Leventhal says they were worth it, nobody would challenge his word."

For decades, the firm had enjoyed high regard in accounting and real estate circles. Forbes magazine noted in a 1979 article on the firm that, through its expertise, "Leventhal . . . made a name for itself by helping over a score of troubled real estate companies keep out of the courts."
The Leventhal firm specialized and trained its professionals in being able to discern, in simple terms, the economics of transactions.

In putting together a debt-restructuring plan, for example, the firm "first had to cut through what Leventhal call[ed] ‘the accounting hogwash.’"

As a long-time partner explained it: "What we do is analyze the underlying real estate in terms of a range of values, under different economic circumstances. And we look at the probable streams of cash flow."

In other words, he eschewed over-reliance on manuals and complex programs that tried to anticipate everything, but, in the end, could be used to excuse a failure to find the proverbial needle in a haystack.

This is not to say that the global audit firm can do without structure and manuals, or that our economy can dispense with the global audit firm.

But Mr. Leventhal's career exemplifies confidence in a guiding principle — one that encourages staff to simplify, to understand the economics of a transaction before attempting to apply the accounting requirements.

Doing so requires a deep understanding of the prevailing circumstances, awareness of trends, acute sensitivity to the fact that even the best managements have an inherent bias toward self-protection.

As he said, it can be done with a pencil, and the will to be skeptical of false visions. That is, the will to get it right.

The approach an accountant chooses makes an enormous difference, to the investors that rely on his work, to his firm's integrity and reputation, and even his own career.

One of the most exciting things about a career in the accounting profession is that, no matter where you are in the country, your work — and your choices in how to perform that work — can make an immense difference to an enormous number of people. That's also, of course, a daunting responsibility.
II. An Audit Establishes Its Relevance on a Foundation of Skeptical Inquiry.

An audit that is merely confirmatory, that supports management's vision without sufficiently testing it, promotes commoditization of the audit, and it does worse.

From the halls of the great marble buildings in Washington, from the skyscrapers of Manhattan, from the sunny gardens here in Pasadena, one hears the same refrain: the complexity of financial reporting makes it difficult for management to report, auditors to audit, and investors to understand the economic substance of a transaction or event.

This tropism — our inexorable tendency toward the complex — threatens to crush auditor, preparer and investor alike.

But the truth is that, by their conduct, auditors may encourage complexity by failing to simplify transactions to their economics, by approaching their task as steps in a corroboration, by failing to speak to the realities and relying on the formalities.

Leventhal's accountants saw this first hand in a classic instance of Mr. Leventhal's so-called "hogwash."

This example started out in a little known savings and loan association in Irvine, California, which was acquired by a hungry and ambitious real estate investor in Phoenix.

It burst onto the public stage when the Leventhal firm's work was pitted against the work of three major accounting firms.

Leventhal had been engaged by the federal government to examine transactions in which thrift regulators paid certain bankers to take on ailing institutions in exchange for more than $50 billion in federal subsidies.

The firm helped the government determine which transactions should have been reopened or renegotiated to win better terms for taxpayers.
In July 1989, the firm produced a report for the Federal Home Loan Bank Board of San Francisco on Irvine-based Lincoln Savings and Loan Association.

The Leventhal report studied 15 transactions undertaken by Lincoln in 1986 and 1987.

The report stated that —

The transactions . . . analyzed were accounting-driven "deals" created for the appearance of profits. In economic reality the transactions provided no profit, but instead exposed the Association to huge economic losses from other linked transactions or side deals, which the Association entered into for no apparent reason other than to induce purchases of its real estate at prices far in excess of appraised value.

The report concluded, Lincoln was manufacturing profits by giving its money away.

The report ignited a political and public firestorm.

It was the basis for federal regulators' decision to put Lincoln into receivership in August 1989, costing taxpayers more than $2 billion — still a large sum today.

It was also submitted to the House Banking Committee, which had commenced an investigation of Lincoln, its parent American Continental, and Charles Keating, who headed them.

At the Banking Committee's hearing on the matter, representatives from one of the three national accounting firms that had audited and signed off on Lincoln's accounts in recent years challenged the conclusions of the Leventhal report —
These matters were complex, and judgmental decisions were sometimes necessary to determine which accounting rules applied and how to apply them. We strongly disagree with Kenneth Leventhal's sweeping generalization that we elevated form over substance. In its review of just 15 Lincoln and American Continental transactions, out of hundreds of transactions, Kenneth Leventhal has made some serious mistakes.

The Leventhal representative responded that "by properly reversing [the fifteen transactions they studied], over half of Lincoln's reported profits since Mr. Keating acquired the association disappeared."

Many of the deals included related party transactions, in which Lincoln or its parent, American Continental, provided the needed cash down payment to purchasers of Lincoln real estate either through a circuitous loan or by buying other real estate from the purchaser.

The arrangements allowed Lincoln to report taxable income that exceeded the consolidated taxable income of the parent, allowing Lincoln to make cash payments to the parent, American Continental, in the guise of the subsidiary's portion of American Continental's tax obligation.

To keep all this going, Keating exerted extreme pressure on Lincoln's and American Continental's auditors, the banking regulators, and even the Congress, which produced its own scandal in the Keating Five.

Meanwhile, Lincoln, the regulated savings and loan, was drained.

Contrast the paradigm offered by the Lincoln auditor — complexities and the need for "judgmental decisions" — with the Leventhal approach: relevance achieved not by accepting complexity but by pursuing clarity, for its unwillingness to accept form over substance.

The Leventhal approach made accountants' work useful for clients, pertinent to the economic environment, and beneficial to the public.
Based on what the Leventhal firm had uncovered, in 1989 the Chairman of the FDIC said that the government should have moved three years sooner to take disciplinary action against Lincoln.

III. Indications of Future Challenges and a Path Forward

Until his death, Ken Leventhal exhorted the profession to excel in quality, integrity and expertise.

He believed those are the ingredients that, if championed, will make the profession vibrant and successful in the 21st century.

In 2010, after the most recent financial crisis, he said, "The thing that bothers me nowadays is reading about all these accounting problems and ‘irregularities.’ I'm worried about the standards of our profession that would allow all these ‘irregularities’ to occur. I think we need to teach accounting students and younger staff a greater obligation to integrity."

A. Inspections Continue to Reveal an Unacceptable Number of Deficiencies.

Ken Leventhal was right to recognize that, notwithstanding his optimism for the new generation of accountants and his belief in the importance of accountants' work to the success of our capital markets, there is unfinished business to resolve the contradiction between the audit as a confirming exercise and the audit as an inquiry to arrive at the truth — the contradiction between the corporate client the auditor sees (and whose view may determine the success of the individual's career) and the investor client (whose view determines the success and continued relevance of the profession as a whole).

The PCAOB has conducted annual inspections of the largest firms for the last nine years. We also conduct inspections at least once every three years of other firms that audit, or play a substantial role in auditing, companies that are considered issuers in the United States.
This includes some very large non-U.S. firms that are affiliated with the large U.S. firms, as well as many smaller firms, both U.S. and non-U.S.

Each year, we have deepened our understanding of the firms' issuer audit practices. From the beginning, inspectors have identified numerous deficiencies.

These are situations where inspectors believe, after considerable dialogue with the firm to agree on the facts, that the firm has failed to obtain sufficient audit evidence to provide a basis for an audit opinion.

In such cases, the financial statements may well be fairly presented in conformity with GAAP, but the audit work was not sufficient to obtain reasonable assurance that they are.

I believe the rigor of inspections has improved the quality of auditing.

Our inspectors have noted some significant improvements, such as more care in certain areas and clearer thought-processes as reflected in audit plans and audit conclusion memos.

Yet, in recent years, we have seen an equally significant spike in deficiencies.

Year in, year out, inspectors find deference to management in key reporting areas.

For example, in the critical area of fair value reporting of financial instruments, instead of skeptically testing the reasonableness of management's assumptions and resulting assertions, one firm's method involved obtaining valuations from a number of external parties and picking the one that is, "closest to the pin" — the pin being management's claimed value.

The work and expense to obtain the various outside valuations may have created an appearance of rigor.
But the explicit acknowledgement that the test was designed to support management's number — the "pin" — calls into question whether the auditor approached the audit with appropriate skepticism.

What about evaluating management's estimate in light of the environment and prevailing trends? What about looking for the value that is probable in light of those trends?

It is the rare case in which an auditor knowingly acknowledges or documents the conflict between maintaining objectivity and maintaining a good client relationship.

Indeed, the auditors who explicitly aimed for the number closest to management's claimed value may not have consciously sought to obscure valuation errors.

Nor am I suggesting that Lincoln's auditors colluded with management to mislead. But they did allow themselves to be mere corroborators of a story that became thinner with each transaction.

Lincoln stands as a vivid reminder that auditors who merely confirm management's estimates and don't challenge them with the basic tools at their disposal may have squandered a chance to avert later investor ruin: they run the risk that the company's estimate was unreasonable when made.

Auditors have clients to keep and practices to grow. Recall the pitches some auditors have made to win audit clients.

For example, commitments by the engagement team to "support the desired outcome" when matters need to be vetted with the firm's National Office. Or to offer "a reduced footprint in the organization, lessening audit fatigue."

Recall, also, the troubling notes in some auditors' personnel files, in which the reviewed auditors claim to have advanced cross-selling of non-audit services, raising the question whether firms' cultures still impliedly encourage auditors to sell services to their audit clients and, if so, legal or illegal, whether such goals undermine the appropriate state of mind for auditors.

This is the unfinished business that occupies the PCAOB, and occupies audit regulators around the world who have also identified a gap between the purpose of the audit and its fulfillment.

These concerns have been expressed by regulators in Canada, Germany, the U.K., the Netherlands, Australia and elsewhere.

The gap threatens the future relevance of the profession's work, as well as public confidence in its credibility.

B. The PCAOB's Initiatives Aim to Help the Profession Realize Its Potential by Enhancing the Relevance, Credibility and Transparency of the Audit for the Sake of Investor Protection.

The PCAOB is deeply engaged in examining ways to enhance the relevance, credibility and transparency of the audit to better serve investors.

Our projects include improvements in basic auditing areas, such as what to look for in transactions involving related parties, including corporate executives.

The PCAOB proposed a new auditing standard on related party transactions on February 28. Comments are requested by today.

This standard describes basic tools that good auditors have used for years to identify financial reporting risks.

Among other things, it requires auditors to understand management's compensation as a way to understand management's motivations.

Indeed, changes in performance metrics may well be an important clue to understand areas where management's story is weak.

They offer the auditor insights that may not be gleaned otherwise.
The PCAOB has also recently proposed, for a second exposure, a new auditing standard on what the auditor should communicate to audit committees in order to protect the public's interest in keeping audit committees informed of important audit matters.

In addition to receiving written comment, the Board has held a productive public roundtable discussion on auditors' responsibilities to audit committees.

I expect the Board soon to adopt a final standard that reflects the public advice and comment.

The PCAOB standards-setting work also includes more broad-ranging projects, commenced not with concrete proposals but with concept releases, to examine ways to enhance the relevance, reliability and independence of audits in today's world, and in light of lessons both auditors and investors have learned in the recent financial crisis, not to mention past crises that like Banquo's ghost haunt us still.

These projects involve consideration of changes to the form and content of the standard audit report, as well as a deep examination of the behavioral patterns that the current audit model imposes.

I am not here today to tell you where the PCAOB should come out on the question of what is the most relevant information auditors should provide the investing public. But I do believe that the investing public can and should benefit from the wisdom of auditors like Ken Leventhal.

I am interested in a better, more transparent reporting model, that will align auditors with investors, that will make the audit more relevant, de-commoditized, and that will function to more consistently require auditors to demonstrate the requisite skepticism and provide true insight.

The project on independence invites discussion on ways to relieve auditors of the pressure both to foster and maintain a long-term relationship with the audit client when making tough decisions on an audit — to relieve auditors of the tie between their engagements and their careers.
In this regard, as with the revisions of the auditor's reporting model, the focus of the European Union and its member states becomes a factor in our own process.

There, the perception grows that something is likely to change.

The EU and its member states are engaged in a process that, I suspect, will take them through 2013 and into 2014.

What we are learning through roundtables and public meetings on our concept releases is highly relevant to their process.

How we internalize, how we digest, what we hear in our debate, will inform the debate and process of policy development in Europe.

This is not an easy subject. Some form of term limits may or may not provide more independence: but I believe we must explore the possibility that they would help and the feasibility of the range of approaches available to free the auditor to think and act more independently.

C. The Global Nature of Auditing Today Requires Enhanced Attention to Address Risks to Investor Protection.

I could not close a discussion on the future of auditing without reflecting on some other aspects of the international dimension.

All of the challenges and initiatives I have described must be understood against the backdrop that auditing today is a global endeavor.

Firms large and small have chased, and then fled, the plethora of potential Chinese and other non-U.S. clients seeking to draw from the wellspring of U.S. capital markets.

There are lessons that could be learned, that should have been learned, from the S&L crisis and the internet bubble.

Auditors' choices are the same, but the outcome could be even worse.
In the S&L crisis, the U.S. government turned to the profession to sort out the facts and provide reliable valuations of assets.

Who will be the Ken Leventhals of today?

Last week, faced with a similar task, the Spanish government announced that it had chosen a different path.

It has eschewed the work of auditors in favor of a different kind of analyst.

The financial statements the government questioned were audited. Is the auditors' work not relevant today?

The only thing worse for the profession than being involved in the next banking crisis may be not being involved in it.

Through their networks, audit firms reach everywhere. Local environments and trends are within their long reach. Engagement partners supervise audits that span continents and oceans.

But the reader of an audit report may not know how much of the actual work was done by the firm signing the report.

Participating audit firms practice in markets that exhibit markedly different business cultures, with divergent patterns of transparency.

Small U.S. firms around the country are also engaged in audits of foreign private issuers, or U.S. companies that operate, in Asia, Latin America, Africa and elsewhere.

The PCAOB is focusing on the effect of these various business models on the protection of investors.

In any given week, PCAOB inspectors are working in numerous countries, often side-by-side with local audit oversight authorities in joint inspections.
We are drawing as broad and as clear a picture as we can about how auditors meet the challenges of understanding different environments and coordinating with other auditors to obtain a full grasp of a company's true results and financial position.

We have identified a number of deficiencies in multi-national engagements.

Some of the auditing issues have been related to particular areas such as revenue and fair value.

Others seem to be attributed to a failure to adhere to the instructions provided by the principal auditor.

The director of our inspection force is here today to discuss them.

I am also concerned that the public knows little about how audits are conducted.

In this regard, the PCAOB proposed last fall new requirements to disclose to investors how a multi-firm audit was accomplished.

I expect to ask the Board to act on it in the near future.

With sunlight on how the audits are done, they may improve in coordination and quality as well.

If darkness persists, I fear some auditors will find themselves on the wrong side of the debate when the lights go on and they are called to account for how a fraud could have eluded a vast network of soldiers in what is supposed to be a fight for truth.

These are choices we make today, but will need to explain tomorrow.

* * *

I want to thank the Leventhal School for inviting me again. The educational opportunities you provide to students, and the conferences like this one that you provide professionals, will make a difference as to the choices your progeny make.
NUMBER 2

May 30, 2012

The Federal Reserve Board on Wednesday announced the approval of a final rule outlining the procedures for securities holding companies (SHCs) to elect to be supervised by the Federal Reserve.

An SHC is a nonbank company that owns at least one registered broker or dealer.

The Dodd-Frank Wall Street Reform and Consumer Protection Act eliminated the previous supervision framework that applied to SHCs under the Securities and Exchange Commission and permitted SHCs to be supervised by the Federal Reserve.

An SHC may seek supervision by the Federal Reserve to meet requirements by a regulator in another country that the firm be subject to comprehensive, consolidated supervision in the United States in order to operate in the country.

The final rule specifies the information that an SHC will need to provide to the Board as part of registration for supervision, including information related to organizational structure, capital, and financial condition.

Under the final rule, an SHC's registration becomes effective no later than 45 days from the date the Board receives all required information.

The final rule provides that upon an effective registration, an SHC would be supervised and regulated as if it were a bank holding company.

However, consistent with the Dodd-Frank Act, the restrictions on nonbanking activities in the Bank Holding Company Act would not apply to a supervised SHC.

FEDERAL RESERVE SYSTEM
12 CFR Part 241
Regulation OO; Docket No. R-1430
RIN 7100-AD 81

Supervised Securities Holding Company Registration

AGENCY: Board of Governors of the Federal Reserve System (“Board”).

ACTION: Final Rule

SUMMARY: The Board is adopting this final rule to implement section 618 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank Act” or “Act”), which permits nonbank companies that own at least one registered securities broker or dealer, and that are required by a foreign regulator or provision of foreign law to be subject to comprehensive consolidated supervision, to register with the Board and subject themselves to supervision by the Board.

The final rule outlines the requirements that a securities holding company must satisfy to make an effective election, including filing the appropriate form with the responsible Reserve Bank, providing all additional required information, and satisfying the statutory waiting period of 45 days or such shorter period the Board determines appropriate.
DATES: The rule is effective [30 days after date of publication in the Federal Register].

Important parts

SUPPLEMENTARY INFORMATION:

I. Background

Section 618 of the Dodd-Frank Act permits a company that owns at least one registered securities broker or dealer (a “nonbank securities company”), and that is required by a foreign regulator or provision of foreign law to be subject to comprehensive consolidated supervision, to register with the Board as a securities holding company and become subject to supervision and regulation by the Board.

A securities holding company that registers with the Board under section 618 is subject to the full examination, supervision, and enforcement regime applicable to a registered bank holding company, including capital requirements set by the Board (although the statute allows the Board to modify its capital rules to account for differences in activities and structure of securities holding companies and bank holding companies).

The primary difference in regulatory frameworks between securities holding companies and bank holding companies is that the restrictions on nonbanking activities that apply to bank holding companies do not apply to securities holding companies.

Under section 618 of the Act, a securities holding company that elects to be subject to supervision by the Board must submit a registration form that includes all such information and documents the Board, by regulation, deems necessary or appropriate.

The statute also specifies that registration as a supervised securities holding company becomes effective 45 days after the date the Board receives all required information, or within such shorter period as the Board, by rule or order, may determine.

Section 618 makes a registered securities holding company subject to all of the provisions of the Bank Holding Company Act of 1956 (12 U.S.C. 1841 et seq.) (“BHC Act”) in the same manner as a bank holding company, other than the restrictions on nonbanking activities contained in section 4 of the BHC Act.

Consistent with the Dodd-Frank Act, the Board anticipates applying the same supervisory program, including examination procedures, reporting requirements, supervisory guidance, and capital standards, to supervised securities holding companies that the Board currently applies to bank holding companies.

However, the Board may, based on experience gained during the supervision of supervised securities holding companies, modify these requirements as appropriate and consistent with section 618.

II. Notice of Proposed Rulemaking: Summary of Comments.

On September 2, 2011, the Board invited public comment on a proposed rule implementing the registration requirements and procedures for securities holding companies pursuant to section 618 of the Act.

The Board received three comments, none of which addressed any substantive aspect of the proposed rule.

One commenter expressed the view that firms should not elect to be supervised by the Federal Reserve because of a “lack of leadership at the FED Districts.”

Another commenter included the phrase “supervised securities holding companies registration” in the subject line of the comment letter but provided no comment.

The third commenter mistakenly believed that section 618 of the Dodd-Frank Act and the Board’s proposed Regulation OO apply to foreign companies that own national banks in the United States.

This commenter argued that such foreign companies should be subject to supervision by the Board as supervised securities holding companies if they wish to operate in the United States by owning national banks.

The Board is finalizing the rule with only technical modifications.

III. Description of Final Rule.

The final rule permits securities holding companies to elect to become supervised securities holding companies by registering with the Board.

The final rule outlines the requirements that a securities holding company must satisfy to make an effective registration, including filing the appropriate form with the responsible Reserve Bank, providing all additional information requested by the Board, and satisfying the statutory waiting period of 45 days or such shorter period the Board determines appropriate.

Section 241.1 of the final rule outlines the authority under which the Board is issuing the rule.

Section 241.2 of the final rule changes the proposed definition of the term “securities holding company” in order to more closely reflect the statutory language.

The revised definition contains additional language, which makes clear that to become a securities holding company, a company must, among other things, be “required by a foreign regulator or a provision of foreign law to be subject to comprehensive consolidated supervision.”

Under the Dodd-Frank Act and final rule, a company that is currently subject to comprehensive consolidated supervision by a foreign regulator, a nonbank financial company supervised by the Board, a bank holding company, a savings and loan holding company, an insured bank, a savings association, or a foreign banking organization with U.S. banking operations would not qualify for registration as a supervised securities holding company.
Under the final rule, terms such as “affiliate,” “bank,” “bank holding company,” “control,” and “subsidiary” are defined to have the same meaning as in section 225.2 of the Board’s Regulation Y.

Section 241.3 of the final rule requires a securities holding company that elects to register to become a supervised securities holding company to file the proper form with the responsible Reserve Bank.

The Board is creating a new form for this purpose.

The form, which is similar to the Board’s current form Application for a Foreign Organization to Acquire a U.S. Bank or Bank Holding Company (FR Y-3F; OMB No. 7100-0119), used by a company registering to become a bank holding company, includes a number of questions relating to the organizational structure of the securities holding company, its capital structure, and its financial condition.

Specifically, the form requires a securities holding company electing to be supervised to submit:

1. An organization chart for the securities holding company showing all subsidiaries.

2. The name, asset size, general activities, place of incorporation, and ownership share held by the securities holding company for each of the securities holding company’s direct and indirect subsidiaries that comprise 1 percent or more of the securities holding company’s worldwide consolidated assets.

3. A list of all persons (natural as well as legal) in the upstream chain of ownership of the securities holding company who, directly or indirectly, own 5 percent or more of the voting shares of the securities holding company.

In addition, the Board would request information concerning any voting agreements or other mechanisms that exist among shareholders for the exercise of control over the securities holding company.

4. For the senior officers and directors with decision-making authority for the securities holding company, the biographical information requested in the Interagency Biographical and Financial Report FR 2081c (the Financial Report need not be provided).

5. Copies of the most recent quarterly and annual reports prepared for shareholders, if any, for the securities holding company and certain subsidiaries.

6. Income statements, balance sheets, and audited GAAP statements, as well as any other financial statements submitted to the securities holding company’s current consolidated supervisor, if any, each on a parent-only and consolidated basis, showing separately each principal source of revenue and expense, through the end of the most recent fiscal quarter and for the past two (2) fiscal years.

7. A description of the methods used by the securities holding company to monitor and control its operations, including those of its domestic and foreign subsidiaries and offices (e.g., through internal reports and internal audits).

8. A description of the bank regulatory system that exists in the home country of any of the securities holding company’s foreign bank subsidiaries.

The description also should include a discussion of each of the following:

a. The scope and frequency of on-site examinations by the home country supervisor;
b. Off-site monitoring by the home country supervisor;
c. The role of external auditors;
d. Transactions with affiliates;
e. Other applicable prudential requirements;
f. Remedial authority of the home country supervisor;
g. Prior approval requirements; and,
h. Any applicable regulatory capital framework.

9. A description of any other regulatory capital framework to which the securities holding company is subject.

The final rule further provides that the Board may at any time request additional information that it believes is necessary to complete the registration.

Under the rule, the registration is considered filed when all information required by the Board is received.

Section 241.3 of the final rule also states that a registration filed by a securities holding company becomes effective and supervision by the Board begins on the 45th calendar day after the date that a complete filing is received.

Under the final rule, the Board also reserves the right to shorten the 45-day waiting period and begin consolidated supervision at such earlier date as the Board specifies to the securities holding company in writing.

The final rule provides that, upon an effective registration, a supervised securities holding company would be supervised and regulated as if it were a bank holding company, and that the nonbanking restrictions contained in section 4 of the BHC Act will not apply to a supervised securities holding company.

This treatment will generally mean that supervised securities holding companies will, among other things, be required to submit the same reports and be subject to the same examination procedures, supervisory guidance, and capital standards that currently apply to bank holding companies.
The final rule provides the Board with flexibility to adjust these requirements as appropriate to ensure that securities holding companies operate in a manner that is consistent with safety and soundness and that addresses the risks they pose to financial stability.

IV. Administrative Law Matters

A. Paperwork Reduction Act Analysis

In accordance with the requirements of the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.) (“PRA”), the Board may not conduct or sponsor, and the respondent is not required to respond to, an information collection unless it displays a currently valid Office of Management and Budget (OMB) control number.

The OMB control numbers for the existing information collections are provided below.

The OMB control number will be assigned for the new information collection related to registrations described below.

The Board reviewed the final rule under the authority delegated to the Board by OMB.

Title of Existing Information Collections:

• The Annual Report of Bank Holding Companies (FR Y-6),
• The Report of Foreign Banking Organizations (FR Y-7),
• The Consolidated Financial Statements for Bank Holding Companies (FR Y-9C),
• The Parent Company Only Financial Statements for Large Bank Holding Companies (FR Y-9LP),
• The Parent Company Only Financial Statements for Small Bank Holding Companies (FR Y-9SP),
• The Financial Statements for Employee Stock Ownership Plan Bank Holding Companies (FR Y-9ES),
• The Supplement to the Consolidated Financial Statements for Bank Holding Companies (FR Y-9CS),
• The Financial Statements of U.S. Nonbank Subsidiaries of U.S. Bank Holding Companies (FR Y-11 and FR Y-11S),
• The Financial Statements of Foreign Subsidiaries of U.S. Banking Organizations (FR 2314 and FR 2314S),
• The Bank Holding Company Report of Insured Depository Institutions’ Section 23A Transactions with Affiliates (FR Y-8),
• The Consolidated Bank Holding Company Report of Equity Investments in Nonfinancial Companies (FR Y-12) and the Annual Report of Merchant Banking Investments Held for an Extended Period (FR Y-12A), and
• The Capital and Asset Report of Foreign Banking Organizations (FR Y-7Q), and the Financial Statements of U.S. Nonbank Subsidiaries Held by Foreign Banking Organizations (FR Y-7N and FR Y-7NS).

Frequency of Response: Annually, semi-annually, quarterly, event-generated.

Affected Public: Nonbank companies.
NUMBER 3

Introduction

Last year, the UK financial services industry faced regulatory change on a sweeping scale.

At the national level the last UK government introduced the Financial Services Act 2010, which resulted in a number of changes to our objectives, powers and duties, in particular giving us a new financial stability objective and additional enforcement powers.

In June 2010, the current UK coalition government announced that the FSA will be split up.

The prudential supervision of banks and insurers will be moved to a new operationally independent subsidiary of the Bank of England: the Prudential Regulation Authority (PRA).

The FSA will be renamed the Financial Conduct Authority (FCA) and will focus on consumer protection and markets oversight.

The government also established a new committee of the Bank of England with responsibility for delivering financial stability: the Financial Policy Committee (FPC).

The European Union (EU), meanwhile, created three pan-European agencies to address the risk of regulatory arbitrage and improve the quality of national supervision of banks, securities markets and the insurance industry.

The EU also created a new advisory body, the European Systemic Risk Board (ESRB), to identify systemic risks and make recommendations for mitigating them.

Europe’s new regulatory architecture became operational in January 2011 and will fundamentally change the way in which national supervisory authorities operate.

A significant majority of regulatory requirements will be determined solely at the EU level and national supervisors will play a key role in negotiating and agreeing these, but their role as decision makers will centre on their function as supervisors of firms and markets.

The Financial Services Act 2010

The Financial Services Act 2010 (the Act), which received royal assent on 8 April 2010, resulted in a number of changes:

Consumer protection

The Act removed the FSA’s public awareness objective and required us to set up an independent body to take forward consumer education work.

The Act also provides for more funding to be made available for consumer education work.

The Act gave us additional powers for the FSA to require consumer redress.

This allows us to make sure that consumers receive redress in cases involving large-scale consumer mis-selling or other failures.

Financial stability
The Act gave us a new financial stability objective to contribute to protecting and enhancing UK financial stability.

We are required to cooperate appropriately with the Treasury, the Bank of England and other relevant bodies in pursuing this objective.

The Act requires us to have and keep under review a financial stability strategy.

It enables us to gather information from entities, including unregulated entities, for financial stability purposes.

It also requires us to consider the impact that international events and circumstances could have on financial stability in the UK.

Enhanced powers

The Act extends the scope of our key regulatory powers to make rules and to alter authorised firms’ regulatory permissions, so we may use the powers in pursuit of any of our regulatory objectives, including the new financial stability objective.

We have new rule-making powers for:

• Remuneration: we now have the power to specify that remuneration agreements in breach of our rules are void;
• Recovery and resolution plans;
• Short selling; and
• Consumer redress schemes.

We have new enforcement powers to:

• restrict or suspend the carrying on of regulated activities for up to 12 months;
• suspend or impose restrictions on an approved person for up to two years;
• impose a financial penalty at the same time as cancelling a firm’s permission;
• penalise any person who performs a controlled function without approval; and
• issue a warning notice against an individual three years from the time we first became aware of the misconduct (increased from two years).

Financial Services Compensation Scheme (FSCS)

The Act contains provisions that will enable the FSCS to act as a single point of contact and to pay redress to consumers where redress is due to them under other schemes, such as schemes established outside the UK.

UK regulatory reform

Over the past nine months, the FSA has begun the process of aligning the organisation to ensure it is ready to cut over to the new regulatory structure.

As a result, we incurred approximately £1m of direct costs last financial year:

• Programme management support £0.33m;
• Regulatory design £0.10m;
• IT design £0.33m; and
• Other (e.g. HR and other central functions) £0.24m.

Shortly after the end of our financial year in April 2011, we replaced our Risk and Supervision business units with two new ones: the Conduct Business Unit, which broadly aligns with the regulatory activities to be undertaken by the FCA, other than enforcement; and the Prudential
Business Unit, which broadly aligns with the regulatory activities of the PRA, other than enforcement. Central services will continue for the lifetime of the FSA to be structured on a unitary basis.

We are confident that our programme remains on track and further progress will be made during 2011/12.

A new European supervisory structure

European Supervisory Authorities (ESAs) and the European Systemic Risk Board (ESRB)

The creation of the ESRB and the three new ESAs marks a significant change to the way in which financial services regulation will be developed and delivered across Europe.

The ESRB will undertake macro-prudential analysis at EU level to identify risks to EU financial stability and will make recommendations to address these risks.

European Supervisory Authorities (ESAs)

The ESAs became operational in January 2011.

They are:

• The European Banking Authority (EBA);
• The European Insurance and Occupational Pensions Authority (EIOPA); and
• The European Securities and Markets Authority (ESMA).

They replace:

• The Committee of European Banking Supervisors (CEBS);
• The Committee of European Insurance and Occupational Pensions Supervisors (CEIOPS); and
• The Committee of European Securities Regulators (CESR).

The ESAs are responsible for developing a large proportion of the rules that apply to the financial services sector in the UK.

These will be issued as EU regulations, so will be directly applicable across the EU.

As well as developing binding rules, the ESAs have powers to:

• impose a temporary ban on financial activities;
• investigate alleged breaches of EU rules;
• take binding decisions in emergencies;
• arbitrate in disputes between national supervisors;
• play a coordinating role within colleges of supervisors;
• undertake peer review;
• directly supervise credit rating agencies (ESMA only); and
• require information to be passed to them that is necessary for discharging their responsibilities.

In 2010/11, we devoted significant resource during the negotiation of the ESA legislation to ensure that the ESA package as a whole secured the key objectives of:

• protecting the single market;
• addressing the risks arising from regulatory arbitrage;
• raising standards of supervision among national supervisors; while
• retaining responsibility for day-to-day supervision at the national level.

Once the ESA legislative package was agreed in the Autumn of 2010, our focus shifted to preparing for the new European order. During 2010/11, we:

• influenced the ESAs’ regulatory framework and operating model;
• adapted our operating model to work effectively with the ESAs;
• enhanced our secondments strategy and identified training requirements; and
• developed systems to handle ESA data requests.

Financial stability

Introduction

During 2010/11 the FSA’s mandate was significantly extended.

From April 2010, we were given a new statutory objective, which made more explicit the responsibilities for promoting financial stability that we had been exercising under the ‘market confidence’ objective mandated under FSMA.

At the same time, our supervisory approach continued to progress toward intensive supervision and proactive challenge, laying the groundwork for the preventative interaction framework that will guide the PRA.

We continued to embed the organisational and cultural change needed to implement intensive supervision, moving our regulatory approach from retrospective intervention to proactive challenge.

Our supervisors made judgements on firms’ business models, intervening early if they anticipated any risks that might arise from firms’ business strategies and approaches to funding and capital.
This approach has demanded quality staff, industry knowledge and the will to challenge the industry robustly where potential threats were identified.

We contributed significantly to the development of a robust policy reform programme, driven by the initiatives and issues identified in The Turner Review and the wider policy agenda mandated by the EU.

And the FSA continued to play a leading role in influencing regulatory reform on the global stage, while ensuring that the UK arrangements on, for example, key issues of capital and liquidity were consistent with the direction of international standards.

This section describes the work we accomplished in these areas, under these headings:

• The Financial Services Act – our new financial stability objective;
• FSA supervision – a major intensification of approach;
• Progress on reforming the international and European regulatory framework – policy and practice; and
• Specific measures to strengthen firms’ resilience.

We also include the principal metrics we use to assess our supervisory effectiveness in relation to our financial stability objective and to gauge financial stability generally.

These are:

Supervisory effectiveness
Chart 1: Supervisory issues closed
Chart 2: Firm feedback on the quality of FSA supervisory risk assessments

Measures of financial stability
Chart 3: Cost of credit
Chart 4: FSA firm cancellations
Chart 5: Major UK banks – CDS spreads, five-year senior debt

A central tool in supervision is identifying the risk mitigation actions firms must take.

Looking at the quantity identified and the speed with which these are closed gives a perspective on the intensity and effectiveness of our supervision.

The number of issues closed in Q4 2010/11 is 439 (from 303 in Q3 2010/11); this represents 17% (12% in Q3 2010/11) of the population of open issues.

This shows an absolute and proportional increase in the number of issues closed compared with the figures previously reported.

The proportion of high-risk issues closed was slightly higher than for other issues, at 18%, reflecting our prioritising of the issues with the most risk.

Also, about 40% of the issues (recorded and closed) were in respect of high-impact firms, reflecting the enhanced focus of our risk assessment and mitigation work on these firms.

From our regulated firms’ perspective, the quality of our risk assessment in the last six months has reduced slightly from 5.2 down to 4.9, with the most significant reductions in our Major Retail Groups Division and Retail Division.

Risk mitigation is scored more positively at 5.3, but again this represents a fall against the 5.6 recorded for the six months to June.

However, scores remain positive in the context of a 1-7 scoring system, where 4 is neutral.

The deterioration may have been driven by the amount and pace of regulatory change, which has continued to put pressure on both sides of the firm-supervisor relationship.
The current cost of interbank borrowing (measured by the Libor-OIS spread) – in context and relative to the extremes of 2008 – is not excessive.

However, spreads have recently entered a slightly more volatile period, driven by movement in the OIS swap rate.

In part, this reflects uncertainty about the short-term outlook for the bank rate, amid persistent above-target inflation and variable information about the performance of the economy.

This chart shows the number of authorised firms this year that have cancelled their authorisation with the FSA.

Not all cancellations are necessarily failures and not all failures are regulatory failures.

Nevertheless, this chart gives some indication of the level of distress in the system.

During 2010/11, there was a significant reduction in the cancellation rate among significant impact firms.

UK banks’ credit default swap (CDS) spreads are a measure of how investors perceive the default risk posed by these firms.

UK banks’ CDS spreads rose in November, as the Irish sovereign crisis pushed up CDS spreads for Eurozone sovereigns.

Spreads for some of the banks fell back after the EU and IMF bailout was announced.

HSBC and Standard Chartered have seen swap rates rise in early 2011 due to concerns in the aftermath of the Japanese earthquake.

Nevertheless, using absolute CDS as an indicator, they remain the banks with the lowest perceived credit risk, driven in part by their strength in emerging market economies.
    • P a g e | 45Solvency IIAs we said in our Business Plan for 2010/11, Solvency II is a fundamentalchange of the prudential regime for the European insurance industry.It aims to establish a revised set of EU-wide risk management standardsand capital requirements that will replace and harmonise the currentarrangements.Policy in this area continues to be developed in Europe.There have been delays to the timeline that have affected our ownconsultation and shortened the window for implementation.As a result, we are looking for ways to manage this uncertainty.At the same time, we have continued to contribute to the development ofthe Directive, such as through our involvement in the work of EuropeanInsurance and Occupational Pensions Authority (EIOPA).We continue to lead some of the working groups, and Hector Sants wasappointed to the EIOPA Management Board in January 2011.Our work with the UK industryWe have maintained close contact with the UK insurance industry onboth policy and implementation issues.We continued in 2010 to engage with firms to understand how thedeveloping requirements affect them and inform our contributions toEIOPA.We also had ongoing discussions with firms about how prepared they arefor the new regime.The fifth quantitative impact study (QIS5) helped us increase ourdialogue with firms on both fronts. _____________________________________________________________ International Association of Risk and Compliance Professionals (IARCP) www.risk-compliance-association.com
We gave briefings and ran workshops to educate firms about the importance of taking part in QIS5.

We encouraged firms of all sizes and types to participate in the exercise to provide a robust evidence base to inform the ongoing development of the Solvency II landscape.

During the exercise, we answered over 600 queries, and the UK report to EIOPA was compiled with submissions from 267 solo firms and 35 groups, representing over 70% of the market.

We also had discussions with firms about the practical implications for them and we will continue to do so in the run up to implementation.

We have continued to make progress with the internal model approval process (IMAP).

We published an update in April 2010 setting out the pre-application process for firms, and the findings of the thematic review in February 2011.

At the end of March 2011, we started the next phase of IMAP as we endeavour to give as many firms as possible a decision on their model for day one.

We further detailed our approach at our Solvency II Conference in April 2011; more information about this is available on the dedicated Solvency II pages of the FSA website.

As stated above, we had started to prepare our consultations; however, the publication of the Omnibus II proposals to amend the Solvency II Directive to bring it in line with the new European regulatory structure and allow for transitional provisions has meant that our consultation timetable has been affected.

Our consultation process will relate to the transposition of the level 1 text of the Directive and consequential changes to the Handbook.

We expect to publish the first Consultation Paper later this year.
We will review the European policy timelines regularly, and publish our own consultation timeline on our website in due course.

Internally, we developed and delivered technical training for supervisors and other specialists working on Solvency II.

At the end of March, we had trained over 450 people.

To deliver Solvency II we have increased our resources significantly, with recruitment ongoing to provide the skills and processes to support and deliver the implementation of the Directive.

Most recently, we shared our current thinking on the policy issues and implementation approach with approximately 550 people from the UK insurance industry at our Solvency II Conference on 18 April 2011.

• We outlined our two-tier approach to the way we would allocate resources to firms in the pre-application phase of IMAP.

• We discussed the main policy uncertainties, which we also set out in the accompanying conference document Delivering Solvency II, April 2011.

• We outlined the key dates, including our assumptions that full implementation will be on 1 January 2013, and that we would be open to receiving applications on the provisions of the Directive that require our approval.

• We underlined the importance of the UK industry's continued involvement in developing the approach to implementation in Europe and the UK.

We will do this through a number of different fora, including the existing Insurance Standing Group and its sub-groups, which has over 100 people registered to receive information.

We will also create new ones as needed.
We published an overall update on Solvency II in June 2010 on all pillars of the Directive to inform and motivate firms to take action as needed.

We have tailored our information for smaller insurers through our events and our website, including things for firms to consider when creating their implementation plans.

We also gave briefings to market analysts and ratings agencies (February 2011), and to non-executive directors of insurance and reinsurance firms (January and April 2011) as part of our educational programme.

2011/12 is critical in our preparations for implementing Solvency II, in Europe and the UK.

We are confident that our implementation approach will help us deliver our Solvency II programme and carry out our obligations fully.
NUMBER 4

Interview with Gabriel Bernardino, Chairman of EIOPA, conducted by Jan Wagner, Versicherungsmagazin (Germany)

The EU's new regulatory regime for insurers, known as Solvency II, will take effect from 2014.

Although hailed by EU regulators as an innovation, the regime has come under sharp criticism from smaller insurers, including several in Germany.

They complain that the scheme favors bigger insurers who have the resources to easily adjust to the new regime.

Wrong, says Gabriel Bernardino, who as chairman of the EU insurance and pension regulator EIOPA will be Solvency II's chief enforcer.

Versicherungsmagazin spoke to him at length.

Why is Solvency II needed? Hasn't Solvency I ensured a well-functioning insurance industry? I know of no cases in Germany where the insured lost their money when an insurer went under.

The idea was never that Solvency II would fix the market because Solvency I failed, or because insurers needed more capital.

The idea was rather a move toward a risk-based system.

The problem is that there is misallocation of capital among companies.

Some have more capital than they need, and some have less.
This has negative consequences for protection and pricing.

To illustrate this, let us take two insurance firms with the same liabilities but two different investment strategies.

One is based on shares and the other is based on bonds.

From a market perspective, you would conclude that the firm with a share-driven strategy would need to hold more capital than the one with a bond-driven one.

But the current regime doesn't require this! The risks on the asset side are not taken into account, and that's what Solvency II aims to resolve.

Are European insurers prepared for the transition to Solvency II?

When Solvency II begins in 2014, there will be no 'Big Bang.'

That's because some of its elements are already in the system.

In Germany for example, incentives for better risk management and governance are embedded in MaRisk, which is already in force.

The objective is not to force insurers to have more capital. It is rather to have capital better aligned with the risks.

You will have companies that have more capital than they need under a risk-based system and others that do have less than they need.

For those who have less, it's fair to ask them to raise more capital.

But even in the latter situation, Solvency II is accommodating.

You don't need to apply it immediately from 2014, so you have time to raise the capital you need.

Another example is the life business where a transition period applies to calculations of the liabilities according to Solvency II.
Isn't it true though that big listed insurers have an advantage over mutuals, as they will be able to raise the capital they need under Solvency II more easily?

If you look at mutuals around Europe, they collectively have much more capital than public companies.

I therefore don't think Solvency II will be a big burden for them.

Moreover, if they can demonstrate to the regulator that they effectively manage the risks on their investments, they may deviate from the standard model with its set of risk charges and use an internal one which is more flexible.

So smaller insurers have nothing to fear from Solvency II?

I'm not saying that the introduction of Solvency II will have no effect on the market.

Something like this always does.

One possible consequence of Solvency II is that there will be some concentration in certain markets. But we're seeing this already!

Some insurers complain that Solvency II will compel them to invest in safe, but low yielding instruments like bonds, as they carry no risk charge.

Clearly that's not what we have seen and that's not what we will see.

The US asset manager Black Rock did a survey some months ago in which it asked European insurers what asset classes they would target even under Solvency II.

They replied that they would invest more in alternative investments like hedge funds, venture capital and project finance.

And why?
In a low interest rate environment insurers have to find ways of boosting returns.

No one is saying that with Solvency II you have to invest more in this or that asset class.

We're merely saying that if you have more risk, you should have more capital.

Given the European debt crisis, does it still make sense to require no risk charge for sovereign bonds? Greek bonds can hardly be considered safe instruments...

Although there is a zero risk charge for sovereign bonds, Solvency II deals with the specificity of the various asset classes in that market valuations are used.

This is different from the banking sector.

If sovereign debt in the portfolios of insurers were to be assessed under Solvency II, it would need to be rated according to the risk that the markets perceive nowadays.

And that perception has definitely changed with the debt crisis, no question.

So if say German Bunds decrease in value, this is immediately reflected in the portfolios of the insurers, and this is the figure you take into account in order to calculate the difference between your assets and liabilities.

If therefore an insurer has a 100 percent solvency requirement, but the markets penalize some bonds in the portfolio, then the assets diminish in value and your solvency diminishes.

So you see, Solvency II does take the risk associated with sovereign bonds into account.
For assets which are more volatile like shares and real estate, a further risk charge applies.

Will the reporting requirements under Solvency II be a burden for smaller insurers?

The requirements are harmonized around Europe, so this makes things easier for cross-border companies.

But this is also good for medium-sized ones with business in two or three countries.

Having one system of reporting provides a huge cost benefit for all insurers doing cross-border business.

The idea is to bring more commonality to supervision.

Secondly, we've got the principle of proportionality applied to the ultimate extent.

There will be of course more complexity for those insurers who are invested in say structured products or use derivatives.

But if you don't invest in these kinds of instruments your reporting will be less complex.

There will be annual reporting, which is more comprehensive, as well as quarterly reporting on the most important elements.

But for smaller companies whose risk profile doesn't really change, the regulators have the option of waiving the quarterly reporting requirement.

Will Solvency II be applied to pension funds?

As I have always said, this is not a copy-paste exercise.
There are elements of Solvency II that make lots of sense for pension funds, such as governance, transparency and risk management.

These are known as the second and third pillars of Solvency II.

In terms of the capital requirements, or the first pillar of the regime, we concluded that there is great diversity among pension plans in Europe.

There are plans that are basically insurance type contracts, and in those you should have a regime like Solvency II.

But there are also employer sponsored plans where the risk is not transferred to the insured.

This is a different type of system than the insurance type, and it makes little sense to apply exactly the same capital requirements.
NUMBER 5

Hearing on the ESRB before the Committee on Economic and Monetary Affairs of the European Parliament

Introductory statement by Mario Draghi, Chair of the ESRB

Brussels, 31 May 2012

Dear Madam Chair,
Dear Honourable Members,

I am very pleased to appear before this Committee today to present the first annual report on the activities of the European Systemic Risk Board (ESRB), of which you have all received a copy and which is being published as I speak.

In my remarks today, I will refrain from repeating the content of the report and will instead focus on three key areas of the ESRB's work over the past year, which will also keep us busy for the foreseeable future.

These are:

i) The assessment of systemic risks;

ii) The establishment of a sound macro-prudential framework in the EU; and

iii) Medium-term structural developments in the EU financial system.

I will then be at your disposal for questions.

1. Assessment of systemic risks in the EU financial system

It is less than a year since the ESRB cautioned that the risks to the EU financial system had become systemic.
After a period of stabilisation on the back of actions by central banks and other institutions earlier this year, more recently there have been renewed bouts of volatility and uncertainty, although not at the same levels reached in November 2011.

Fundamental challenges persist. In my view, these include:

i) Limiting contagion between Member States across the EU; and

ii) Promoting a macroeconomic strategy that, together with fiscal consolidation, supports growth and furthers the competitiveness adjustments needed to tackle the economic imbalances within the EU.

Addressing these challenges in a decisive and sustainable manner is a prerequisite for the success of measures to ensure a more resilient financial system capable of supplying, on a sustainable basis, the financial services necessary to support economic activity.

From a macro-prudential point of view, such measures include:

i) Implementing credible mechanisms for the recapitalisation and restructuring of banks, where needed; and

ii) Improving banking supervision and resolution at the European level.

In the past, the ESRB has underlined the need for all national and European authorities to act, and to do so in unison, with speed, ambition and a total commitment to safeguard financial stability.

Today, I reiterate this call, while acknowledging the efforts undertaken so far.

Within the broader economic and financial context, the financial system continues to face the challenge of adjustment in order to address imbalances accumulated in the past.

For banks, progress has already been made on some fronts, but more is needed. For other financial sectors, it is important that international and EU reforms, designed to improve their resilience, are fully implemented and adhered to, an issue that I will return to later.

The ESRB is concerned with two aspects of banks' adjustment.

First, it should be carried out in an orderly way to support economic growth to the full extent necessary, without exacerbating market fragility and the positions of others in the financial system.

Second, the degree of adjustment planned by the EU banking sector over the coming years must be sufficient to restore confidence in the strength of banks' balance sheets.

With regard to the first point, official data and surveys from many countries across the EU indicate some overall stabilisation in financial conditions in the early part of this year.

However, the recent turbulence highlights the uncertainty surrounding the outlook for these financial conditions, given their link to the soundness of EU banks' balance sheets and, in turn, the direct or indirect connections between those balance sheets and sovereign vulnerabilities.

Concerning the second point, close monitoring and a systemic assessment of the feasibility and nature of the adjustment by banks, as well as within the financial system more broadly, is crucial.

In this regard, the ESRB has called upon its partners within the European System of Financial Supervision, supervisory authorities at the national and EU level, to regularly collect detailed, ex ante information from banks and other key players in the system, and report it to the ESRB.

The General Board will review the latest developments, and their implications, at its meeting in June.

2. A sound macro-prudential framework for the EU

Let me now turn to the work undertaken to establish a framework capable of addressing the deficiencies of the pre-crisis framework in preventing and mitigating systemic risks in the EU.
While the launch of the ESRB was a first, and necessary, step in this respect, it is vital to develop a sound and comprehensive macro-prudential framework for both the EU as a whole and the individual Member States.

As indicated in the Annual Report, this has been one of the ESRB's priorities since its inception.

First, in order to create a solid foundation for pre-emptive action against systemic risks, it is essential to develop macro-prudential mandates and tools.

In its recommendation published in January, the ESRB highlighted the need for well-defined macro-prudential mandates for national authorities to act either on their own initiative, or in response to the ESRB's advice.

In accordance with the ESRB's duty to follow up on its recommendations, the first reports from the Member States outlining their progress thus far are expected by the end of June under the ESRB's "comply or explain" mechanism.

A key lesson from the past is that financial or systemic stability mandates must be accompanied by the means to act.

Macro-prudential authorities will need to be equipped with effective policy tools to respond, in a pre-emptive way, to the complex and ever-changing variety of systemic risks.

The ESRB is currently working on identifying the minimum set of tools necessary for conducting macro-prudential policies throughout the EU.

Second, it is crucial to ensure that macro-prudential issues are taken into consideration when developing EU legislation for the financial sector, given the impact that such regulations could have on incentives within the financial system.

In this regard, I would like to touch on a number of important pieces of EU legislation that the ESRB has been following:

i) A draft directive and regulation on capital requirements for credit institutions (the "CRD/CRR");

ii) The proposal for a regulation on OTC derivatives, central counterparties and trade repositories ("EMIR"); and

iii) The part of the proposal for the Omnibus II directive that concerns the regulation of the insurance sector.

With regard to the CRD/CRR, I very much welcome the recent progress made by this Committee, as well as by the EU Council, on advancing the proposals put forth by the Commission less than a year ago.

Your work together with the Council provides a promising basis for the establishment of important macro-prudential instruments for addressing systemic risks in the banking sector.

To assist you, and the Council, in your work on the CRD/CRR, the ESRB wrote to you in March outlining a number of macro-prudential principles.

I urge you to consider these principles in order to ensure that macro-prudential authorities, at both the EU and national level, are fully equipped with a flexible set of policy tools and sufficient scope to act early and effectively to prevent the build-up of systemic risks in the future.

Obviously, discretion to pursue macro-prudential policies requires efficient coordination as a safeguard against potential negative externalities or unintended consequences.

The ESRB is ready to play a central role in this respect, and work is under way to establish a general framework for the coordination of national macro-prudential policies by the ESRB, where such policies give rise to material spillovers across borders.

The agreement on EMIR was also an important step forward in implementing lessons from the crisis, and it includes a number of useful elements to safeguard financial stability in the EU.
The ESRB has started preparations for performing the tasks assigned to it under EMIR.

From a macro-prudential perspective, however, I should point out that, in the view of the ESRB, EMIR does not address the issues raised by the possible pro-cyclical effects of either easing or tightening of collateral eligibility and of requirements for transactions subject to central counterparty clearing.

In accordance with its responsibilities, the ESRB continues to examine whether and how collateral requirements could be applied as a macro-prudential tool at a later stage.

The new regulatory framework for insurance activities is currently being finalised.

Some important aspects of this framework, such as those related to the treatment of long-term guarantees, are being discussed over the next few days as part of the "Omnibus II trialogue" discussions, in which this Committee is actively involved.

The ESRB is aware that several of the issues at stake are potentially relevant from a macro-prudential point of view.

In particular, the new regulatory framework (Solvency II) may amplify the procyclicality of insurers' balance sheets and, in particular, capital levels.

This has been recognised by the legislator, which is designing several policy instruments (including some of a macro-prudential nature) to mitigate procyclicality and other factors.

It is crucial that such instruments are designed to deliver a clear and credible objective and that their interaction is duly considered to ensure that the use of these instruments has the intended effect.

3. Structural developments in the EU financial system

Finally, I would like to highlight some medium-term, structural developments that the ESRB is currently looking at, with a view to gaining a better understanding of their implications for systemic risk and to identifying appropriate policy responses for delivering a more resilient financial system.

The ESRB is devoting particular attention to structural aspects of both the traditional banking sector and the shadow banking sector.

Before commenting on developments in these sectors, I would like to briefly say a few words on the whole financial system, which is currently undergoing a regulatory reform in all its segments.

An important goal of such reforms is to ensure a sustainable supply of financial services from the system to the rest of the economy.

In Europe, the financial sector has traditionally been centred around banks.

However, some activities may shift to other, maybe less regulated, parts of the system in the years to come, perhaps as a direct consequence of the current crisis or as a result of the overhaul of standards for regulated activities and entities.

While such developments can, in principle, be of benefit to the system, they must be monitored closely in order to limit the emergence of new vulnerabilities, for example those stemming from shifts driven by regulatory arbitrage.

Turning to the banking sector, the onset of the financial crisis revealed significant shortcomings in banks' funding structures; part of the necessary adjustment I referred to earlier involves a transition to more sustainable funding structures.

However, banks' ability to manage this adjustment is being hampered by conditions in European interbank and unsecured credit markets.

As a result, there has been a rise in banks' recourse to secured funding markets and innovative funding instruments.
The ESRB is analysing these shifts in funding behaviour carefully from a macro-prudential perspective, to ensure that unintended consequences or new systemic vulnerabilities associated with such behaviour do not go undetected.

The increased reliance on secured funding raises concerns about the extent to which banks' assets become encumbered.

If taken too far, insufficient amounts of unencumbered bank assets in the future could reduce the stability of funding within the system and, in a self-fulfilling manner, reinforce the lack of access to private unsecured markets today.

Furthermore, innovative sources of private funding for banks, such as liquidity swaps between banks and other parts of the financial system, could have implications for the level of interconnectedness in the system, as well as the durability of funding during future downturns or stress periods.

Turning to the shadow banking sector, the instabilities that can arise from a highly interconnected system were exposed by the financial crisis.

Shadow banking activities were a major contributor to that interconnectedness, in particular given the interlinkages between the regular banking sector and the complex and opaque chains of financial intermediation that emerged within the system.

They also, directly and indirectly, helped to facilitate the substantial rises in leverage in some economies.

As indicated in the Annual Report, the ESRB has already begun work in this area.

This has involved, for example, identifying and assessing potential systemic risks associated with European money market funds, on which a report is soon to be published as an ESRB Occasional Paper.
The ESRB is also finalising its reply to the consultation launched by the European Commission through its Green Paper on Shadow Banking, which was published earlier this year.

Looking ahead, from a policy perspective, measures to tackle systemic risks associated with the shadow banking system will need to be tailored to the specific risks stemming from the different activities conducted under the shadow banking umbrella.

It is important that horizontal focus be placed on the economic nature of financial activities, i.e. on ensuring that activities carried out within the system, and which involve maturity and liquidity mismatches, leverage and/or incomplete risk transfer, fulfil the appropriate prudential requirements, irrespective of where they are carried out or by whom.

Finally, it will be important to ensure global consistency and therefore the full and consistent transposition in the EU of policy initiatives agreed at the international level, notably those due to be announced by the Financial Stability Board.

In this regard, the ESRB stands ready to work together with the relevant international and EU institutions and bodies.

***

Let me now conclude by stressing that all the ESRB activities that I have presented here today have been carried out with the full involvement and support of all ESRB member institutions and bodies, notably the Advisory Scientific Committee and Advisory Technical Committee, and in close cooperation with the three European Supervisory Authorities.

For this we are grateful and look forward to a continued fruitful cooperation in the future. Thank you very much for your attention. I am now at your disposal for questions.
NUMBER 6

30 May 2012

Meeting of the Financial Stability Board in Hong Kong on 29-30 May

At its meeting in Hong Kong, the Financial Stability Board (FSB) discussed vulnerabilities currently affecting the global financial system and the progress in authorities' ongoing work to strengthen global financial regulation.

Vulnerabilities in the financial system

After a period of calm in financial markets earlier this year, tensions have increased more recently and risk aversion has returned to elevated levels.

In the euro area, the adverse feedback loop between sovereign debt strains, weak economic growth and fragile banking systems has intensified.

There has been a pull-back in cross-border financial activity.

Against this background, risks of adverse spillovers to global financial markets and economies have increased.

The FSB supports the work of European and national authorities to lower short-term risks and foster lasting confidence and stability, including completing the repair and restructuring of some banks as required.

In addition, authorities agreed to work together to minimise the downside risks from the ongoing process of bank deleveraging.

All FSB members remain committed to strong cooperation to support market functioning.
Central banks, supervisors and treasuries are maintaining close dialogue and cooperation during this period of heightened uncertainty.

Addressing systemically important financial institutions (SIFIs)

The FSB reviewed the ongoing work to develop further the SIFI framework, including extending it to domestic systemically important banks and establishing a process to ensure consistent implementation of the policy measures, in particular for resolvability, that apply to global SIFIs (G-SIFIs).

The FSB endorsed the International Association of Insurance Supervisors (IAIS) consultation paper that sets out a proposed methodology for assessing the global systemic importance of insurance companies.

The paper will be published ahead of the Los Cabos G20 Summit.

The FSB evaluated progress in implementing its Key Attributes of Effective Resolution Regimes for Financial Institutions.

Authorities are in the process of putting in place recovery and resolution plans, resolvability assessments and institution-specific cross-border cooperation agreements for G-SIFIs, and home authorities of G-SIFIs will prioritise the development of high-level resolution strategies to guide these processes.

FSB members reaffirmed the need for further work to establish international guidance on common terms for information sharing and on the handling of client assets in resolution.

FSB members will begin in July the first of an iterative series of peer reviews on the implementation of the Key Attributes.

The FSB also welcomed progress of its Data Gaps Initiative, which will collect and share among authorities information on the common exposures and financial interlinkages of global systemically important banks.
    • P a g e | 66It supported operational preparations in close interaction with the banksto implement the initial phase of the project from March 2013.Over-the-counter (OTC) derivativesThe FSB reviewed the steps being taken to implement OTC derivativesreforms, on which it will shortly issue its third progress report.Members noted that encouraging progress has been made in settinginternational standards, in advancing legislation and regulation by anumber of jurisdictions and in practical implementation of reforms tomarket infrastructure and activities.They recognised, however, that the current momentum must bemaintained as much work remains to be done to complete the reforms bythe end-2012 deadline agreed by the G20.The FSB noted in particular the substantial progress that has been madein the four safeguards for a resilient and efficient global framework forcentral clearing.In addition, the Committee for Payment and Settlement Systems and theInternational Organization of Securities Commissions published in Aprilthe Principles for Financial Market Infrastructures.These actions will ensure the robustness of financial marketinfrastructures and allow national authorities to decide on the appropriateform of CCPs to meet the G20 commitment to centrally clear allstandardised OTC derivatives by the end of 2012.In the coming weeks, standard setters will issue consultation papers onmargining requirements for bilaterally-cleared derivatives transactionsand on resolution of central counterparties (CCPs) and other financialmarket infrastructures. _____________________________________________________________ International Association of Risk and Compliance Professionals (IARCP) www.risk-compliance-association.com
    • P a g e | 67Shadow bankingMembers reviewed the ongoing workstreams to strengthen the oversightand regulation of shadow banking.Members looked forward to policy recommendations by IOSCO by theautumn on potential measures that would mitigate the susceptibility ofmoney market funds to runs and other systemic risks.The FSB will publish by end-2012 an initial integrated set of policyrecommendations to strengthen regulation of shadow banking.The FSB also launched its second annual monitoring exercise of theglobal shadow banking system, which includes all FSB memberjurisdictions.The FSB will report its findings to the G20 Finance Ministers and CentralBank Governors in November.Legal entity identifier (LEI)The FSB approved recommendations to support the establishment of aglobal LEI system that will provide a unique global identifier for partiesto financial transactions, as requested at the Cannes Summit.The recommendations will be submitted to the Los Cabos Summit.The proposals set out a governance framework to protect the publicinterest, while promoting active coordination between the globalregulatory community and the private sector in the implementation of thesystem.The proposals for the initial reference data and LEI code are in line withthe ISO 17442:2012 standard published today.The recommended implementation plan targets launch of the global LEIsystem on a self-standing basis by March 2013. _____________________________________________________________ International Association of Risk and Compliance Professionals (IARCP) www.risk-compliance-association.com
    • P a g e | 68FSB capacity, resources and governanceFSB members welcomed the draft report of the High-Level Group that itset up in response to a call by the G20 Leaders at the Cannes Summit tostrengthen the FSB’s capacity, resources and governance.They agreed to submit, for endorsement at the G20 Los Cabos Summit,the recommendations set out in the report to place the FSB on anenduring organisational footing with institutional standing, legalpersonality and greater financial autonomy, while maintaining theexisting strong links with the Bank for International Settlements.Implementation monitoring and adherence to standardsAs the global financial reform process has progressed, the focus of theFSB and its members is increasingly turning from global policydevelopment to timely and consistent implementation.The FSB reviewed progress in the implementation of G20 reforms underits Coordination Framework for Implementation Monitoring, on which itwill report to the Los Cabos Summit.In addition to the progress report on OTC derivatives market reforms,members approved progress reports in two other priority areas: Basel IIIand compensation practices.These reports will be published around the time of the Los CabosSummit.Basel III.The interim report prepared by the Basel Committee on BankingSupervision (BCBS) will describe the progress made and issues identifiedin implementing the Basel III framework (including Basel II and II.5).The BCBS, in coordination with the FSB, will continue to closely monitorand promote the full, consistent and timely implementation of Basel III. _____________________________________________________________ International Association of Risk and Compliance Professionals (IARCP) www.risk-compliance-association.com
    • P a g e | 69Compensation practices.The report will describe the progress made by FSB member jurisdictionsand firms in implementing the FSB Principles and Standards for SoundCompensation Practices since the FSB’s October 2011 thematic peerreview.The FSB will continue its ongoing monitoring of actions taken andidentification of remaining gaps and impediments to full implementation.The Bilateral Complaint Handling Process launched in April will be animportant input to this process.Members agreed to publish on the FSB’s website summary informationon their actions to meet their commitments to undergo and publish theresults of assessments under the IMF/World Bank Financial SectorAssessment Programme and FSB peer reviews under the FSB Frameworkfor Strengthening Adherence to International Standards.Study on the effects of agreed regulatory reforms on emergingmarket and developing economies (EMDEs)The FSB reviewed a study, which has been prepared in coordination withthe IMF and the World Bank, identifying the extent to which agreedregulatory reforms may have unintended consequences for EMDEs.The study will be submitted to the Los Cabos Summit.Regional consultative groupsIn 2011 the FSB established six regional consultative groups (RCGs) toexpand upon and formalise its outreach.The six RCGs include 112 institutions from 65 jurisdictions beyond theFSB’s membership.Members heard reports from the co-chairs of each of the RCGs on theirmeetings in the first half of 2012. _____________________________________________________________ International Association of Risk and Compliance Professionals (IARCP) www.risk-compliance-association.com
    • P a g e | 70Notes to editorsThe FSB has been established to coordinate at the international level thework of national financial authorities and international standard settingbodies and to develop and promote the implementation of effectiveregulatory, supervisory and other financial sector policies in the interest offinancial stability.It brings together national authorities responsible for financial stability in24 countries and jurisdictions, international financial institutions,sector-specific international groupings of regulators and supervisors, andcommittees of central bank experts.The FSB is chaired by Mark Carney, Governor of the Bank of Canada.Its Secretariat is located in Basel, Switzerland, and hosted by the Bank forInternational Settlements. _____________________________________________________________ International Association of Risk and Compliance Professionals (IARCP) www.risk-compliance-association.com
NUMBER 7
Publication of the first regulatory technical standards on credit rating agencies (CRAs) - 30/05/2012

Today, four European Commission Delegated Regulations establishing regulatory technical standards for credit rating agencies have been published in the Official Journal of the European Union.

These technical standards set out:

1. The information to be provided by a credit rating agency in its application for registration to the European Securities and Markets Authority (ESMA);
2. The presentation of the information to be disclosed by credit rating agencies in a central repository (CEREP) so investors can compare the performance of different CRAs in different rating segments;
3. How ESMA will assess rating methodologies; and
4. The information CRAs have to submit to ESMA and at what time intervals in order to supervise compliance.

The four standards, which complement the current European regulatory framework for credit rating agencies, were developed by the European Securities and Markets Authority (ESMA) and endorsed by the European Commission on 21 March.

The regulatory technical standards will ensure a level playing field, transparency and adequate protection of investors across the Union and contribute to the creation of a single rulebook for financial services.

The first 3 regulations will come into force 20 days after their publication today, on 20 June 2012.

The fourth RTS will come into force 6 months after its publication in the Official Journal, on 30 November 2012.
NUMBER 8
Commodity Futures Trading Commission (CFTC)
“Smart Regulatory Reform and the Perils of High-Frequency Regulation” - Remarks by Commissioner Scott D. O’Malia
May 31, 2012

Good afternoon and thank you Armins for the warm introduction and for the opportunity to speak at MarkitSERV’s 2012 Outlook for OTC Markets event.

In light of the significant regulatory reform efforts that are currently underway at the Commodity Futures Trading Commission (the “CFTC” or the “Commission”) and elsewhere, events like this one are essential for market participants seeking clarity and guidance in navigating the array of new financial regulations that are coming down the pike while continuing to grow and innovate.

As a technology company, MarkitSERV provides critical solutions to its customers in connection with their over-the-counter (“OTC”) derivative transactions in order to streamline workflows and simplify tasks.

Technology has always been near and dear to my heart, and I understand the challenges of integrating the newest and best products without having to put the brakes on.

As chairman of the Commission’s Technology Advisory Committee (“TAC”), I similarly have pushed the Commission to upgrade its technology infrastructure for the purpose of automating and expanding the Commission’s market surveillance and oversight of both the futures and swaps markets while fostering innovation.

I also have utilized the TAC to inform the Commission as to the costs and impacts of its regulatory and policy decisions, as well as to provide a context for future choices.

Most recently, I established the TAC Subcommittee on Automated and High Frequency Trading.

This subcommittee’s only focus is developing consensus regarding the definition of high-frequency trading (“HFT”) in the context of the larger universe of automated trading.

The definition of HFT will serve as an initial step towards assessing the impact of HFT in the CFTC’s regulated markets.

We will use this definition in considering appropriate regulatory responses.

While it is tempting to rush to regulate automated trading and HFT—especially in light of its proliferation in our markets and the reality of events like the Flash Crash of 2010—I realized at the outset that there is currently no consensus among market regulators or even market participants as to the definition of HFT.

Every debate begins by clearly defining the issue, and that is what I am doing right now.

Today, my remarks cover what I call “smart regulatory reform” and the benefits of avoiding that temptation to engage in rapid regulatory leaps before clearly defining the issues and, more importantly, the objectives. I will focus on three topics.

First, I plan to discuss the process by which the Commission is implementing its final rules.

The pace has been frenetic.

We have not spent enough time thinking through all of the potential issues.

The Commission is engaged in its version of “high-frequency regulation.”

Similar to high-frequency trading, the market is unfamiliar with the exact goals and objectives of the Commission’s rulemaking and can only react.

Without a schedule of rules and clear compliance dates, the market is left guessing as to whom the rules apply, when they must comply and what venue they must connect.

Second, I plan to discuss the extraterritorial application of the Dodd-Frank Act and our rules.

Defining our own jurisdiction should have been one of our first steps down this regulatory rabbit hole. It is now almost two years since the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank Act”) passed and I have not even seen or reviewed our draft guidance.

Third and finally, I want to provide a general update on the Commission’s upcoming rules, customer reforms and technology.

Before touching on the three topics of my speech, I would like to start today by providing a little background and context.

Financial Markets in Crisis

As you all know, the 2008-2009 global financial crisis resulted in the collapse of large financial institutions and significant government intervention in the form of bailouts.

In response, Congress passed the Dodd-Frank Act, which was directed at reducing risk, increasing transparency and promoting market integrity.

In particular, Title VII of the Dodd-Frank Act significantly transformed the Commodity Exchange Act (the “CEA”) and required the Commission to prescribe over 50 final rules within 360 days after the date of enactment of the Dodd-Frank Act.

The Perils of High-Frequency Regulation

For those of you who are unfamiliar with the typical Washington rulemaking process, it is generally a long and all-consuming one.

Before the enactment of the Dodd-Frank Act, the Commission issued three or four rules a year at best.

My friend and former Commissioner Mike Dunn would always say that most of the Commission’s rules normally take anywhere from 15 to 18 months to finalize.

In order to complete the Herculean task of finalizing over 50 rules, the Commission also has established over 30 multi-disciplinary, rule-writing teams.

Essentially, we are engaging in what amounts to high-frequency regulation.

Notwithstanding the Commission’s tighter timeframes and staff restructuring, the Commission is charged with understanding and overseeing markets with which it does not have prior expertise.

Swaps and futures markets are different.

I believe that the Commission must spend an appropriate amount of time understanding swaps markets and the ramifications of these rules, including the cost and benefits of each and every rule before they are finalized, not after.

Some of you may know that I have been very critical of the Commission’s cost-benefit analyses.

The Commission previously minimized the role of performing complete cost-benefit analyses by turning the process into an administrative, check-the-box exercise.

The good news is the Commission has reversed course and the chairman recently signed a Memorandum of Understanding with the Office of Information and Regulatory Affairs (“OIRA”) within the White House to provide technical expertise in order to develop a more thorough process for conducting the Commission’s cost-benefit analyses during the implementation of the Dodd-Frank Act.

In my view, there are three critical areas where the Commission can and must improve its cost-benefit analysis.

First, the Commission should develop a realistic and status quo ante baseline.

Second, the Commission should develop replicable quantitative analysis, which will allow it to make informed decisions about the market.

Finally, the Commission should develop a range of policy alternatives for consideration. All three of these standards are best practices recommended in the Office of Management and Budget Circular A-4, Regulatory Analysis.

As a result of our high-frequency regulatory approach, several of our final rules have created significant regulatory uncertainty and unnecessary angst; much like the uncertainty and angst surrounding the HFT activity during the Flash Crash of 2010.

As you peel back the layers of some of these final rules, the problems of our high-frequency regulatory approach become apparent.

I will briefly highlight several examples.

The poster-child for high-frequency regulation is the recently finalized swap dealer definition rule.

This final rule includes an overly complex definition that would require several commercial firms and cooperative banks to register as swap dealers if it were not for a generous and temporary de minimis threshold for swap dealing activities set at $8 billion.

Due to the complexity of this 600+ page final rule, some commercial firms will be confused as to whether they will be considered a swap dealer or not.

The final rule also adds two new definitions of the term “bona fide hedging” to our existing two definitions (Regulation 1.3(z) and Position Limits Rule).

As a result, the Commission is now up to four separate definitions and counting.

Another example of high-frequency regulation can be seen in the inconsistencies among the Commission’s various reporting rulemakings.

For instance, since final passage of the large trader reporting rules, the Commission has been forced to delay implementation and issue a 160+ page guidebook on compliance reporting.

The license approval process for swap data repositories (“SDRs”) and swap execution facilities (“SEFs”) has also been problematic.

Thus far, the Commission has received four SDR applications, but has approved none.

Since no two SDRs will be the same, the Commission is challenged with approving different models within the same regulatory framework.

This problem will only be compounded when we receive dozens of SEF applications.

Due to the compressed schedule, we do not have the luxury of delaying license approvals to make sure that they meet a one-size-fits-all standard.

The delayed license approval process makes a strong case for preserving the principles-based regulation the Commission was known for versus the more specific rule-based regulation the Commission has adopted since the passage of the Dodd-Frank Act.

The Elements of Smart Regulatory Reform

To avoid the perils of high-frequency regulation, the Commission needs to engage in what I call “smart regulatory reform.”

Right now, you may be asking yourself, “What does he mean by ‘smart regulatory reform?’”

In my view, smart regulatory reform consists of three key elements.

First, smart regulatory reform is based on facts that are uncovered through comprehensive research and robust and frequent discussions with industry.

Second, smart regulatory reform reflects thorough economic analysis.

Put differently, the Commission cannot ignore the importance of its cost-benefit analyses when prescribing regulations.

Finally, smart regulatory reform should provide market participants and other affected persons with regulatory certainty.

Our rules should not be unnecessarily complex, confusing, and in some cases redundant.

The Commission’s primary objective in implementing the Dodd-Frank Act should be to encourage compliance—not to increase its enforcement docket.

Firms utilizing swaps and futures markets to mitigate and manage commercial risks should be focused on just that and not on the risk that they will take a misstep into a regulatory trap.

Ultimately, I believe that smart regulatory reform will reduce systemic and counterparty risk, encourage liquidity formation, promote price discovery, and enhance market efficiency and competition in our financial markets.

Enforcement is one of the Commission’s many functions. It is not the Commission’s only function.

The Swaps Market Is Global

In September 2010, the G-20 leaders met in Pittsburgh, Pennsylvania and agreed to implement comprehensive financial reform and the clearing of OTC derivative contracts by no later than 2012.

Based on the work completed thus far, I believe it is possible for the Commission to implement clearing in the fourth quarter of 2012 for major banks. I believe that the Commission will not require managed money and end users to clear until early-to-mid 2013.

What I cannot predict is when Europe will require their registrants and market participants to meet a similar deadline. I am not confident based on recent press accounts that European OTC derivatives rules will be ready until sometime next year.

Although the futures and swaps markets developed as parallel markets, the swaps market is a more globalized market.

It is very typical that swaps market participants are domiciled inside and outside of the United States and engage in a variety of cross-border swap activities such as marketing to foreign customers and making OTC markets in foreign jurisdictions.

These activities could be subject to both U.S. and non-U.S. regulatory oversight.

J.P. Morgan’s recent trading loss highlights the global nature of this business and the importance of a coordinated global regulatory approach.

The Commission’s Cross-Border Proposed Interpretative Guidance

When I accepted this speaking engagement, I expected the Commission would have released guidance on the extraterritorial application of the Dodd-Frank Act and its rules.

That has not happened and I have not even reviewed a draft.

However, let me share with you what I expect to see and the principles that I hope will be included in the guidance.

I expect the Commission will propose:

(1) Which foreign persons will have to register as swap dealers and major swap participants (“MSPs”);
(2) What Dodd-Frank Act requirements will apply to those swap dealers and MSPs;
(3) When the Commission will defer to comparable foreign regulatory regimes and permit swap dealers and MSPs to satisfy their requirements under the Dodd-Frank Act through substituted compliance; and
(4) How the clearing mandate, trade execution, and certain reporting provisions will apply to cross-border swap transactions involving non-swap dealer and non-MSP counterparties.

The Commission’s cross-border guidance will turn on a small provision that quietly made its way into the CEA through the Dodd-Frank Act—new Section 2(i) of the CEA.

Many people are unfamiliar with new Section 2(i).

This section contains only 101 words—enough words that could fit into a Twitter feed.

Specifically, Section 2(i) provides that the Commission’s swap authority shall not apply to foreign activities unless those activities “have a direct and significant connection with activities in, or effect on, commerce of the United States . . . .”

The important thing for you all to remember is that this language gives the Commission broad authority over the swaps market that goes well beyond other areas of law.

For that reason, I believe that the Commission’s cross-border guidance, once issued, should take into account the following four principles and considerations.

First, the CFTC’s cross-border guidance should be based on principles of international comity.

In other words, the guidance should not overreach or step on the toes of sovereign nations.

We would not want these nations to retaliate by re-characterizing as foreign, market participants who we typically think of as “U.S. persons.”

Second, and in some way related to the first point, the CFTC’s guidance should be based on principles of international harmonization.

That is, the CFTC needs to coordinate its efforts with the Securities and Exchange Commission (the “SEC”), as well as the efforts of foreign regulators.

As far as I am aware, the CFTC and SEC will release separate extraterritorial guidance, which can only create inconsistency and added compliance challenges and costs.

Additionally, our cross-border guidance needs an appropriate phase-in to match global regulatory efforts relating to swaps.

Third, I believe that the Commission’s guidance should in some way demonstrate the costs and benefits of setting its jurisdiction too broadly.

The CEA only requires the Commission to consider the costs and benefits of its regulations and orders.

It does not require that the Commission consider the costs and benefits of interpretative guidance, which the Commission will propose.

In my view, however, the Commission should do the right thing and conduct a thorough analysis of the costs and benefits of its guidance.

That way, the Commission will be able to adequately understand the implications of its guidance and make an informed decision regarding policy alternatives.

Finally, the Commission should ensure that its registrants and registered entities remain competitive in global financial markets.

Understandably, U.S. registrants and registered entities would be subject to all of the provisions of the Dodd-Frank Act.

Nevertheless, the Commission’s policies should not put them at a disadvantage vis-à-vis their foreign competitors.

Current Outlook

Without a doubt, the Commission will be busy this summer. I estimate that the next handful of Commission rules and guidance to be issued will include:

(1) The definition of “swap;”
(2) The Commission’s cross-border guidance;
(3) Mandatory clearing determinations; and
(4) The Commission’s final implementation timetable for clearing.

In July, I believe that the Commission will vote on rules regarding trade execution, including the final rules for SEFs, as well as Core Principle 9 for Designated Contract Markets.

These are my best guesses.

There are also a number of significant developments at the Commission on the customer protection front.

These developments are very important to me.

The failure of MF Global exposed material gaps in our regulatory oversight.

Our reporting methods and disclosure timetables enabled MF Global to move customer money without detection.

On Tuesday of this week, the National Futures Association (“NFA”)—working with the Commission—made several important rule changes to improve transparency and promote further protections for customer funds.

Another action taken by NFA in coordination with the Commission has been dubbed the “Corzine Rule.”

This rule will require CEOs and CFOs to sign-off before a futures commission merchant (“FCM”) can transfer or otherwise move customer funds.

I support this rule as well as other rule improvements in FCM transparency—something I call “know-your-FCM rules.”

The Commission and the NFA plan to work together on the know-your-FCM rules this summer.

These rules will help customers make informed decisions about the safety and security of their FCM.

Our challenge is to improve FCM disclosures in such a way to make them useful and relevant.

Broadly, deterrence, transparency, and technology are the three key elements to improving the Commission’s oversight over not only FCMs, but over all CFTC registrants and registered entities.

Deterrence speaks for itself.

Transparency offers market participants and regulators a window into business transactions and operations, in addition to exposing possible risks.

Lastly, technology provides the Commission with the ability to catch risks and nefarious behavior before it is too late.

Brave New World of Technology: Swaps Market Infrastructure

When I became a commissioner two-and-a-half years ago, I was aware of the modern trading and matching engines used to trade equities and futures and the explosion in trade volumes across the globe.

However, I was amazed by the lack of sophistication of the Commission’s surveillance and automation capabilities. In my view, the Commission was not organized to appropriately oversee the futures and swaps markets.

I have made correcting this problem among my top priorities while at the Commission.

The good news is that we have addressed this problem by creating a new office of data and technology.

This new office is deploying state-of-the-art technologies to expand the Commission’s oversight functionality.

Conclusion

I appreciate the opportunity to speak with you all today and hope that you have found my insights to be useful.

The Commission’s reform efforts must not only provide the needed guidance to ensure that swaps markets are transparent and promote integrity.

Our regulatory reform efforts must also be smart, make sense in terms of their sequencing and implementation, and most importantly not employ a high-frequency regulatory approach.

Again, I would like to thank you all for your participation today. I would also like to thank MarkitSERV for organizing such a timely and constructive event.
NUMBER 9

Commodity Futures Trading Commission (CFTC)
Statement Regarding Public Roundtable to Discuss the Proposed Volcker Rule, Chairman Gary Gensler, May 31, 2012

Welcome to the Commodity Futures Trading Commission (CFTC) roundtable on the proposed Volcker Rule.

Thank you, Dan, for that introduction, and thank you for working with the rest of the team, particularly Steven Seitz from your office and Steve Kane from the Office of the Chief Economist, to put together this important roundtable.

I'd like to thank the Treasury Department staff and the staff of the financial regulators tasked with implementing the Volcker Rule for joining us for this roundtable and for your efforts in coordinating with the CFTC on the rule.

I'd also like to thank Sheila Bair, the former Chair of the Federal Deposit Insurance Corporation, for participating today.

Former Federal Reserve Chairman Paul Volcker was unfortunately on international travel today, but I'd like to acknowledge his many years of public service.

In 2008, the financial system and the financial regulatory system failed.

The crisis – caused in part by the unregulated swaps market – plunged the United States into the worst recession since the Great Depression with eight million Americans losing their jobs, millions of families losing their homes and thousands of small businesses closing their doors.

The financial storms continue to reverberate with the debt crisis in Europe affecting the economic prospects of people around the globe.

In 2010, Congress and the President came together to pass the historic Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act), to promote transparency in the markets and to lower risk to the public from large, complex financial institutions.

Amongst these protections is the Volcker Rule, which prohibits banking entities from proprietary trading, an activity that may put taxpayers at risk.

This is the CFTC's 17th roundtable on important topics related to Dodd-Frank reforms.

These roundtables are an additional opportunity – beyond the 30,000 comments we've received and 1,600 meetings with the public we've held – for dialogue and helpful input from market participants and the public.

Our 18th roundtable related to promoting the price discovery function on designated contract markets and related issues of swap execution facilities will be on June 5.

In adopting the Volcker rule, Congress prohibited banking entities from proprietary trading while at the same time permitting banking entities to engage in certain activities, such as market making and risk mitigating hedging.

One of the challenges in finalizing this rule is achieving these multiple objectives.

I'm looking forward to a lively discussion. I'd like to highlight three main issues that I'm particularly interested in getting feedback on today.
First, as prescribed by Congress, the Volcker rule prohibits proprietary trading while permitting risk-mitigating hedging.

These two provisions are consistent with each other in that they are both meant to lower the risks of banking entities to the broader public.

The question is how we as regulators achieve both of these risk-lowering provisions in a balanced way.

Some commenters have said if we're too prohibitive in one area, we may limit banking entities' ability to engage in risk-mitigating hedging.

On the other hand, if we follow comments of some of the banking entities, then the rule's allowance for permitted hedging might swallow up Congress' intent to limit the risk of proprietary trading.

Specifically, under the statute, banking entities may engage in "risk-mitigating hedging activities in connection with and related to individual or aggregated positions, contracts, or other holdings."

To qualify as hedging, these activities must be "designed to reduce the specific risks to the banking entity in connection with and related to such positions, contracts, or other holdings."

The criteria for the hedging exemption as included in the proposed Volcker Rule are the following: hedges must mitigate one or more specific risks on either individual positions or aggregated positions, they cannot generate significant new exposures, they must be subject to continuous monitoring and management, compensation for hedging cannot reward proprietary trading, and the hedges must be reasonably correlated to the specific risks of the positions.

A further question about hedging activity that was asked by the agencies (question 109 of the CFTC's proposal) is whether "certain hedging strategies or techniques that involve hedging the risk of aggregated positions (e.g. portfolio hedging) create the potential for abuse of the hedging exemption."
A related question on which it would be helpful to hear from the panel: is it possible, and if so how, for a separate trading desk with its own profit and loss statement to engage in risk-mitigating hedges?

The further removed hedging activities are from the specific positions the banking entity intends to hedge, is it not more likely that such trading activity is prone to express something other than hedging?

As Dan will explain in a moment, we're not going to be speaking about the specifics of the credit derivative product trading of JPMorgan Chase's Chief Investment Office. I do think, though, it may be instructive for regulators as we finalize key reforms.

Second, in addition to hedging, Dodd-Frank permits market making, which is important to well-functioning markets as well as to the economy.

The question for regulators once again is finding a balance, but this time between prohibiting proprietary trading and permitting market making.

The agencies ask in the proposal (question 89 in the CFTC's proposal): "Is the proposed exemption overly broad or narrow? For example, would it encompass activity that should be considered proprietary trading under the proposed rule?"

The criteria for market making in the proposed rule included seven requirements.

A number of commenters suggested that these requirements may be more applicable to the listed securities markets than to the swaps market.

During the second panel today, we are looking for your input on this issue.

If some of these requirements are not appropriate, what would be more appropriate with regard to market making in swaps?
Third, I'm particularly interested in hearing about how the prohibition on proprietary trading should best be applied to banking entities transacting in futures and swaps.

The CFTC's role with regard to the Volcker Rule and banking entities is primarily with regard to these derivatives traded by swap dealers and futures commission merchants within the banking entity.

In particular, banking entities' market making in swaps is likely to leave them with significant open positions for many years in customized swaps.

When would a banking entity's decision not to hedge or to only partially hedge open swaps positions be considered prohibited proprietary trading?

We at the CFTC will benefit from your input on how the Volcker Rule can best protect the public against risk in the swaps and futures markets.

Thank you again for coming, and I'll turn it back to Dan.
NUMBER 10

Hearing entitled "Cyber Threats to Capital Markets and Corporate Accounts"
Friday, June 1, 2012, 9:30 AM in 2128 Rayburn HOB
House Committee on Financial Services, Subcommittee on Capital Markets and Government Sponsored Enterprises

Mark G. Clancy, Managing Director and Corporate Information Security Officer, The Depository Trust & Clearing Corporation, June 1, 2012

Important Parts

Chairman Garrett and Ranking Member Waters,

Thank you for scheduling today's hearing on the important issue of cybersecurity and the U.S. capital markets.

The Committee's strong leadership on this issue has been critical in helping to raise awareness of the serious threats posed by cyber-attacks on the financial system and fostering dialogue among the private and public sectors on effective strategies to minimize these risks.

My name is Mark Clancy, and I am the Corporate Information Security Officer at The Depository Trust & Clearing Corporation ("DTCC").
DTCC is a participant-owned and governed cooperative that serves as the critical infrastructure for the U.S. capital markets as well as financial markets globally.

Through its subsidiaries and affiliates, DTCC provides clearing, settlement and information services for virtually all U.S. transactions in equities, corporate and municipal bonds, U.S. government securities and mortgage-backed securities and money market instruments, mutual funds and annuities.

DTCC also provides services for a significant portion of the global over-the-counter ("OTC") derivatives market.

To provide insight into the criticality of DTCC's role in the safe and efficient operation of the U.S. capital markets, in 2010, the Depository Trust Company ("DTC") settled more than $1.66 quadrillion in securities transactions.

Furthermore, three DTCC subsidiaries last month received notifications from the Financial Stability Oversight Council ("FSOC") of proposed determinations to designate them as systemically important financial market utilities.

The subsidiaries are National Securities Clearing Corporation ("NSCC"), the clearing and settlement subsidiary for equities and corporate and municipal fixed income securities, Fixed Income Clearing Corporation ("FICC"), the clearing and settlement subsidiary for U.S. Treasury, Agency and Government-Sponsored Enterprise mortgage-backed securities, and DTC, the depository subsidiary. DTCC itself, as the parent and holding company of these subsidiaries, did not receive a letter, and it does not expect one.

As the primary infrastructure responsible for the clearance and settlement of nearly all securities traded in the US cash markets, these DTCC subsidiaries play critical roles in mitigating risk and ensuring the safe and seamless operation of the U.S. capital markets.
I am going to focus my testimony today on providing an overview of DTCC's approach to managing the cyber risk environment.

Then I will highlight the nature of the cyber-threats DTCC faces as an organization, how DTCC and the industry plan for and respond to these potential attacks on the infrastructure and opportunities for the private sector and government to work collaboratively to enhance cooperation and information-sharing to protect the safety and soundness of the capital markets.

Understanding the Risk Environment

Due to DTCC's unique role standing at the center of the financial services industry, the organization brings a dual perspective to its view of the risk environment.

First, DTCC must examine and plan for cyber-attacks that could impact its ability to perform clearance and settlement and other critical post-trade processes that underpin the global financial marketplace.

While these operational risks have long defined the risk landscape for DTCC, in recent years the organization has expanded its focal point to also include liquidity and market risks related to cyber-threats.

Second, because of the interconnectedness of the financial system, DTCC must also take into account the broader systemic risks that could result from a cyber-attack on its systems.

To understand the nature and extent of the threats faced by DTCC, the organization regularly conducts enterprise-wide risk assessments, including a thorough analysis of business functions and the facilities, systems, applications, business processes and people that perform them.

Next, vulnerabilities that might exist within those assets and the controls in place to mitigate them are examined.

Finally, the threats that exist to those assets are analyzed.
The combinations of those factors determine the level of residual risk in the organization – that is, the risk that remains despite efforts at mitigating it.

Armed with this data, DTCC assesses whether the residual risk is above, below or consistent with the level of risk that DTCC considers acceptable (known as risk tolerance).

This data informs the organization's business planning and helps guide decision-making on the need for additional investments to further reduce risk or a readjustment of risk tolerance.

As these questions are considered, DTCC must also weigh the cost of achieving a tighter risk tolerance against the risk of not acting at all.

Risk assessment is a dynamic process, but certain aspects of it are more dynamic than others – and the areas that are most volatile are changes in threats and vulnerabilities.

On a practical level, virtually no organization has the capability to reduce threats on a daily basis. Rather, organizations must focus their efforts on mitigation of vulnerabilities and/or strengthening of controls.

Vulnerabilities take many forms, and while some can be addressed relatively quickly and easily, others require complex and lengthy solutions.

DTCC has numerous systems and processes in place to identify new vulnerabilities that could threaten the infrastructure, but the reality is that the organization does not control the timing of their discovery.

Indeed, the only variable DTCC, or for that matter, any corporation, fundamentally controls is the tempo at which those vulnerabilities are mitigated.

Through continuous analysis and review, DTCC makes decisions on investment levels in response to this rapidly-changing risk environment.
The Systemic Impact of Cyber Attacks on DTCC

The global financial system is an enormous, interconnected "system of systems."

In other words, while individual institutions operate different parts of the critical infrastructure, the financial system itself is a product of the interactions of all these discrete actions.

Because DTCC is connected to thousands of different market participants spanning the entire financial services industry globally, the organization must look beyond how a cyber-attack could harm its own operations to the systemic impact on its members and the broader financial community.

As mentioned earlier, DTCC serves as the critical infrastructure for global financial markets and, in this capacity, DTCC acts as an integration point that connects a wide range of industry participants.

If DTCC is unable to complete clearance and settlement due to systems disruptions or outages, buyers and sellers of securities would not know if their trades had completed and, therefore, what securities they own or how much capital they have.

DTCC's financial risk and operational assessments must take into account these essential functions and determine how non-performance would impact the markets it serves as well as the firms that utilize its products and services, the investing public and the U.S. economy.

In other words, if a cyber-attack directed at DTCC rendered its systems non-operational, what would that do to the overall functioning of the financial system?

If the financial markets could not operate, how would that affect liquidity and access to capital?

This systemic view of cyber risk has driven DTCC to broaden its perspective to include consideration of ways to mitigate low frequency but potentially high-impact scenarios that a monoplane risk assessment would have ignored.

Threat Actors: Criminals, Hacktivists, Espionage and War (CHEW)

It is easy to overgeneralize the threat actors who engage in cyber-crimes as identity thieves who infiltrate computer systems to steal personal data or cyber terrorists who want to declare "war" on a particular nation or the world by disrupting the efficient operation of the financial system.

Richard Clarke, the counter-terrorism expert who worked as an adviser to Presidents George W. Bush and Bill Clinton, developed a simple way to classify the different "threat actors" into four distinct categories – Crime, Hacktivism, Espionage and War (CHEW).

In some cases, I have modified Clarke's definitions to reflect my own views on and experiences with these subjects.

Crime

The motivation of this group is financial gain and, according to the U.S. Treasury, they have been successful.

A study by the agency found that cyber-crime accounts for more revenue than international cartel drug income, running into the hundreds of billions of dollars annually.

The threat intensity of this group varies based on two factors: the capabilities of the actors and the vulnerabilities of the targets.

While organizations are continually assessing and addressing potential weak links in their systems, criminals are just as quickly acquiring new technical skills and capabilities through a sophisticated cyber black market.
Hacktivism

The term hacktivism is applied to groups or individuals who use computer intrusion or "hacking" techniques to promote and publicize an often radical political point of view.

The most prominent example of hacktivism is the group Anonymous, which supports efforts of the website WikiLeaks to publish private, confidential information of governments and corporations to expose what it believes are injustices or other perceived wrongs.

When members of the U.S. financial sector stopped accepting payment transactions for merchant accounts from WikiLeaks, Anonymous lashed out by initiating denial of service attacks (attacks designed to make a system or network unavailable for use) against a number of those financial firms, including MasterCard, Visa and PayPal.

This group, like virtually all hacktivists, is not motivated by financial gain – it wants to make a high-profile political statement.

The capabilities of hacktivists vary greatly, although it is common to find a few highly-skilled individuals operating in loose confederation with lesser-skilled but highly-motivated actors.

The attacks from hacktivists are more difficult to predict because their target selection is often done by consensus online and sometimes in real time.

Espionage

The term cyber espionage was coined to reflect the "spy vs. spy" activity that has occurred between nations for millennia.

However, cyber espionage has expanded in recent years beyond attempts to steal national secrets to now include cyber theft of proprietary information from corporations in an effort to gain an economic and competitive advantage over the commercial interests of that country.
The U.S. Office of the National Counterintelligence Executive released a report to Congress in 2011 highlighting the nature of the problem.

"In 2010, the FBI prosecuted more Chinese espionage cases than at any time in our nation's history.

Although cyber intrusions linked to China have received considerable media attention, some of the most damaging transfers of U.S. technologies to foreign entities have been conducted by insiders.

For example, a DuPont chemist in October 2010 pled guilty to stealing research from the company on organic light-emitting diodes, which the chemist intended to commercialize in China with financial help from the Chinese Government.

Similarly, the unmasking of the network of 10 Russian "illegals" implanted on American soil indicated that these spies had been tasked to collect on economic as well as political and military issues.

China and Russia are not the only perpetrators of espionage against sensitive US economic information and technology.

Some US allies abuse the access they have been granted to try to clandestinely collect critical information that they can use for their own economic or political advantage."

War

This is the cyber age equivalent of Carl von Clausewitz's 19th century definition that "war is the continuation of politics by other means."

In this regard, war generally refers to the launch of a cyber-missile or some other cyber weapon of mass destruction to devastate the capabilities of a government or corporation by causing a physical system to fail or to gain control over that system.

Today, as many as 30 countries have cyber war units to protect and defend against such an attack, according to Secretary of Defense Leon Panetta, who also oversees a cyber-command center comprised of Army, Navy, and Air Force personnel.

There is another aspect of war thinking that attempts to undermine the integrity of and reduce confidence in the capabilities of a particular technology system(s) to the point that it is rendered too unreliable or error prone to be used for mission critical functions.

An example would be cyber criminals tampering with the system(s) of an electronic exchange to the extent that investors lacked confidence in its ability to provide accurate prices or efficient matching of buyers and sellers.

Cyber Threats to the Capital Markets

The universe of threat actors, regardless of which category they fall into, pose a significant and growing number of dangers to the U.S. capital markets, ranging from the theft of confidential data to preventing the critical infrastructure from performing key market functions to damaging the integrity of market data and information. Let's look at each of those in more detail.

Loss of Confidentiality of Data

The loss of confidentiality of personally-identifiable information, whether the result of neglect by employees of a firm or by malicious acts of external individuals, has the potential to put the investing public in harm's way for fraud and identity theft.

If these cyber-crimes occur with regularity, it could erode investor confidence in the capital markets.

The theft of a customer's access credentials via malicious software installed on the individual's computer is particularly dangerous because that customer faces the potential loss of his or her funds.

When this type of theft occurs on a grander scale involving thousands, tens of thousands or even millions of individual account holders, cyber criminals have the power to engage in market manipulation via "pump & dump" scams.

In this example, the thieves can run up the price of a thinly-traded security they own by creating buy and sell orders in the accounts they have taken over.

Their goal is to move the market in that stock by bidding against themselves and anyone else they can lure into the scam.

More sophisticated criminal groups sometimes target high-value victims, including institutional clients and prime brokerage accounts, which tend to hold larger balances and normally transact with international locations, for the same purposes.

The international nature of these crimes makes detection difficult.

Finally, DTCC has seen in recent years attacks using highly sophisticated social engineering techniques that target corporate deal-making information, particularly in the commodities and mergers and acquisition spaces.

While this information cannot be easily converted into cash, the crimes are indicative of economic espionage and attempts to give foreign corporations or nations an advantage in competitive negotiations, such as those related to winning bids for natural resources or beating the offering price for an acquisition of a company.

Loss of Ability to Perform Market Functions

The National Market System (NMS) in the United States, which allows for the structured electronic transmission of securities transactions in real-time, is a prime target for threat actors who want to disrupt the orderly and efficient operation of the capital markets.

While there are no public reports of the NMS being directly impacted by a cyber-attack that compromised the availability of key market services in the U.S., there have been instances of such crimes overseas.
For example, in August 2011 the Hong Kong Stock Exchange had to suspend trading in certain securities following a denial of service attack that made corporate filing information unavailable.

As a result, the securities effectively became illiquid after trading was halted, which negatively impacted both individual and institutional investors in that market.

In 2012, hacktivist groups perpetrated a series of denial of service attacks directed against the public web sites of several U.S.-based stock exchanges.

These attacks, while successful in blocking the availability of these online resources for brief periods of time, did not impact the operation of the NMS, but they reinforced the determination of hacktivists to shock the public and disrupt market activity.

If an attack on the NMS were to occur, particularly one that targets critical market infrastructure(s), it could pose serious consequences for the U.S. capital markets and the broader U.S. economy.

The systems in the U.S. that perform these core processing functions are largely attached to private, interconnected networks.

Although the Internet is not a core component of the NMS, it is commonly used to connect market participants to various systems as a back-up to dedicated telecommunications lines or as a direct connection for smaller market participants.

While this minimizes the likelihood of such an attack, mainly because it would need to be conducted from inside the infrastructure or the private networks of market participants, the issue is serious enough that it remains a primary area of concern for the financial services industry.

Loss of Integrity of Information

Maintaining the integrity of financial data is a top priority of the industry because most financial assets in today's capital markets exist overwhelmingly in digital form.
The transition from a paper-based environment to an electronic one was the result of a multi-year initiative to "dematerialize" securities or "immobilize" them in centralized depositories such as DTC.

Today, for example, roughly 90% of the $36.5 trillion in securities held at DTC exist only in digital form.

Similarly, at the beneficial ownership level, a significant percentage of broker/dealers have digital records detailing which retail and institutional customers own which securities while custodian banks maintain that information for other institutional clients, such as pensions and mutual funds.

Financial firms take extreme precautions to guard against three main types of incidences that could impact the integrity of this data.

The first incidence is loss of integrity due to accident.

The digital nature of the books and records of the financial system makes it critical that this information is secure.

As a result, the industry has developed an elaborate set of checks and balances when changes are made to these records to protect the accuracy of data and minimize occurrences of accidental errors.

The second incidence is loss of integrity due to malicious acts.

In March 2011, for example, a service provider used by both the London Stock Exchange and Italian Borsa was hosting malicious banner ads on the public web sites of these exchanges.

While this was not a compromise of the exchanges' trading systems, it represented vulnerabilities in the supplier processes for vetting paid advertisement content.

The implication of this attack is that customers who normally interact with these exchanges could have been targeted in what would have otherwise appeared to have been a normal valid business request to the web site.

Another example worth mentioning occurred in January 2011, when the European market for carbon credit trading was temporarily shut down by cyber criminals who changed the ownership information of individual carbon credit owners.

According to public reports, this scheme resulted in the theft of 30 million euros worth of credits from the Czech Republic, Austria, Greece, Estonia and Poland emissions market and the closure of the EU Emissions Trading System for more than a week.

The third incidence I'd like to mention is loss of integrity due to conflict between nations, terrorists and/or proxies.

This type of cyber-crime involves threat actors infiltrating and maintaining access inside a system or systems of a government or corporation for the purposes of launching an attack at an undetermined point in the future.

While it is somewhat difficult for a corporation to assess the likelihood of such an attack given the uncertainty in motivation of the threat actors, this has the potential to be the most catastrophic attack of the three I've mentioned today and the number of incidences has risen sharply in recent years.

It is interesting to note that the more highly-skilled groups or individuals who could plan and execute such an attack tend to be more heavily invested in the orderly operation of the U.S. capital markets and, therefore, unlikely to engage in this activity.

However, those with less technical skills, most of whom are not as invested in the U.S. capital markets, are more likely to launch this type of attack and are working diligently to acquire the necessary capabilities.
DTCC's Approach to Protecting Against Cyber Threats

DTCC maintains an elaborate and sophisticated information security program to protect against the types of cyber-attacks mentioned above.

While DTCC corporate policy calls for maintaining strict confidentiality of this information to prevent cyber criminals from knowing the full range of resources and capabilities we possess, we can share certain general information and protocols with the Committee as a way to provide insight into how DTCC safeguards its systems and the data we hold on behalf of customers and the financial services industry.

DTCC has established robust policies and procedures that provide the framework for information security within the organization.

These policies cover both physical and logical security, are standards based (ISO 27001 and ISO 27002) and are routinely refreshed to ensure the highest degree of protection against cyber-attack.

DTCC's Information Security team carries out a series of processes, including preventative controls such as firewalls and appropriate encryption technology and authentication methods as well as vulnerability scanning to identify high risks, to protect the organization and its members in the most cost-effective and comprehensive manner possible.

Public and Private Sector Collaboration Helps Protect Against Cyber Threats

The financial services industry is engaged in a variety of public-private partnerships with the federal government to protect against cyber threats and safeguard the nation's critical market infrastructure.

A prime example of this collaborative relationship is the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security (FSSCC).
The FSSCC was established in 2002 in response to the September 11, 2001, terrorist attacks and at the request of the U.S. Treasury Department in harmony with Presidential Decision Directive 63 (PDD63) of 1998.

PDD63 required sector-specific federal departments and agencies to identify, prioritize and protect United States critical infrastructure and key resources and to establish partnerships with the private sector.

The FSSCC has 52 member associations and financial institutions representing clearinghouses, commercial banks, credit rating agencies, exchanges/electronic communication networks, financial advisory services, insurance companies, financial utilities, government sponsored enterprises, investment banks, merchants, retail banks and electronic payment firms.

FSSCC members dedicate a significant amount of time and resources to this partnership for critical infrastructure protection and homeland security.

The FSSCC does not collect dues and its success as a volunteer organization relies heavily on the time members contribute and on the expertise and leadership roles members play within their respective financial institutions and associations.

The FSSCC is charged with "strengthen[ing] the resiliency of the financial services sector against attacks and other threats to the nation's critical infrastructure by proactively identifying threats and promoting protection, driving preparedness, collaborating with the U.S. Federal government, and coordinating crisis response – for the benefit of the Financial Services sector (the "Sector"), consumers and the U.S.A."

The FSSCC has achieved a number of successes at overseeing cyber security efforts within the sector and has played a vital role in helping to identify strategic issues and coordinate a response with federal counterparts.
One particular effort was the launch of a "threat and vulnerability matrix" to gather detailed information to perform an assessment at the sector-wide level, with the goal of identifying areas of common concern.

In addition, the FSSCC has served as the coordinating entity in the private sector, working with the U.S. Department of Homeland Security (DHS), U.S. Treasury and other federal agencies, in getting cleared sector personnel briefed at the classified level on contextual information about cyber and physical threats.

DTCC has been actively involved with FSSCC since its inception.

From May 2004 to June 2006, DTCC's current President and Chief Executive Officer, Donald F. Donahue, served under an appointment by the U.S. Secretary of the Treasury as Sector Coordinator; he later served as Chair of FSSCC from April 2005 to April 2006.

Currently, DTCC officials serve on various FSSCC committees, sub-committees and working groups, including the Executive Committee, Policy Committee and Sector Wide Activities Committee.

Financial Services–Information Sharing and Analysis Center and Information Sharing

The Financial Services–Information Sharing and Analysis Center (FS-ISAC) is the primary group for information sharing between the federal government and the financial sector.

It was created in 1999 in response to the 1998 PDD63, which called for the public and private sector to work together to address cyber threats to the nation's critical infrastructures.

After the terrorist attacks of 9/11, and in response to Homeland Security Presidential Directive 7 (HSPD7) and the Homeland Security Act, the FS-ISAC expanded its role to include physical threats to the financial sector.
The FS-ISAC is a 501(c)(6) non-profit organization and is funded entirely by its member firms and sponsors.

In 2004, there were only 68 members of the FS-ISAC, mostly larger financial services firms.

Since that time, the membership has expanded to over 4,200 organizations, including commercial banks and credit unions of all sizes, brokerage firms, insurance companies, payments processors and over 30 trade associations representing the majority of the U.S. financial services sector.

The FS-ISAC has implemented a number of programs in partnership with the Department of Homeland Security (DHS) and other government agencies to encourage and expand information sharing.

In 2011, for example, the FS-ISAC, in partnership with DHS, became the third ISAC to participate in the National Cyber Security Communications Integration Center (NCCIC) watch floor.

FS-ISAC representatives, cleared at the Top Secret/Sensitive Compartmented Information (TS/SCI) level, attend the daily briefs and other NCCIC meetings to share information on threats, vulnerabilities, incidents and potential or known impacts to the financial services sector.

This program has been extremely beneficial in providing situational awareness to the financial sector while also allowing the industry to provide feedback on threats to DHS.

DTCC was a founding member of the FS-ISAC in 1999 and continues to participate in the group's information-sharing mission.

I currently serve on the Board of Directors for the FS-ISAC and as a member of the Threat Intelligence Committee (TIC).

Team members are also active in the TIC, the Security Automation Working Group, Products & Services Committee, Audit and Compliance Working Group, Clearing House and Exchange Forum (CHEF) and Crisis Management team.

FSSCC & FS-ISAC: A Partnership to Combat Cyber-Threats

While the FSSCC operates at a strategy and policy level, the FS-ISAC engages with its members on operational issues.

Together, the two bodies work in partnership to bring a more comprehensive approach to cyber security.

For example, the FSSCC and the FS-ISAC have been successful in partnering with DHS and the United States Treasury to obtain security clearances for over 250 individuals in the financial sector who support critical infrastructure protection.

The FS-ISAC serves as the hub of activity to coordinate information sharing on threats between financial institutions and the federal government, law enforcement and other critical infrastructure organizations.

A sub-community within the FS-ISAC, CHEF was established in 2011.

This sub-group played a critical role coordinating information sharing in response to a series of denial of service attacks on the public websites of U.S. stock exchanges.

CHEF pooled intelligence, aggregated information about the characteristics of the attacks and shared strategies and techniques to mitigate them in near real-time.

This information was shared with CHEF members and, more broadly, within the FS-ISAC and by the FS-ISAC with other ISACs, law enforcement and DHS.

In addition, FS-ISAC members provided the CHEF with information about their approaches to mitigating attacks of this kind, which traditionally have not centered on the capital markets infrastructure.
The key to success in managing these denial of service attacks was the level of trust that accompanied the information sharing between financial institutions themselves and between these institutions and the federal government.

The FS-ISAC provides a host of additional resources for its members, including access to a library of threat information and alerts on new cyber threats and attacks.

This enables the industry to more effectively monitor its own systems to determine if similar activity is occurring in their networks or to better align defenses to counter an attack before it occurs.

Using the internationally recognized traffic light protocol (TLP), the FS-ISAC designates the sensitivity of unclassified information as green (can be shared with the widest audience), yellow (a somewhat narrower audience) and red (the most restricted audience) to ensure the widest but also most secure distribution of data.

The Department of Homeland Security's United States Computer Emergency Readiness Team (US-CERT)

There are two programs I'd like to highlight today because they are excellent examples of the enormous benefits that can be derived through a collaborative approach to information sharing between the federal government and the financial sector.

The United States Computer Emergency Readiness Team (US-CERT) leads the federal government's efforts to "improve the nation's cyber security posture, coordinate cyber information sharing, and proactively manage cyber risks…while protecting the constitutional rights of Americans."

The US-CERT, using the traffic light protocol, provides alerts to the financial sector on observable data and indicator information, including tactics, techniques or procedures used by cyber criminals or details about the threat actors.
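Editor's added example, not part of Mr. Clancy's testimony and not DTCC or FS-ISAC tooling: the two mechanics the preceding paragraphs describe, in Python. A TLP-labelled indicator alert is swept against an institution's own proxy logs ("determine if similar activity is occurring in their networks"), and the resulting onward report for each audience carries only the indicators whose colour that audience is cleared to receive. The alert format, the log format, the three audiences and every indicator and log value are constructed assumptions for the demonstration; the green/yellow/red levels follow the description in the testimony.

```python
"""Editorial example, not DTCC/FS-ISAC code: match a TLP-labelled indicator
alert against proxy logs and build audience-specific onward reports.
Every alert, log line and audience below is constructed for illustration."""
import ipaddress
import re
from urllib.parse import urlsplit

# The testimony describes three levels: green (widest audience), yellow
# (narrower) and red (most restricted).  Higher rank = more restricted.
TLP_RANK = {"green": 0, "yellow": 1, "red": 2}

# Assumed audiences and the most restrictive colour each may receive.
AUDIENCE_MAX = {"public": "green", "sector": "yellow", "internal": "red"}

# Constructed alert in the shape of a sector indicator notice (fictional id).
ALERT = {
    "id": "EXAMPLE-ALERT-0042",
    "indicators": [
        {"type": "domain", "value": "update-cdn.example.net", "tlp": "green"},
        {"type": "ipv4-net", "value": "198.51.100.0/24", "tlp": "yellow"},
        {"type": "url-path", "value": "/gate.php", "tlp": "red"},
    ],
}

# Constructed proxy log: epoch-time client-ip dest-ip method url
PROXY_LOGS = [
    "1338787200.123 10.1.4.22 198.51.100.77 GET http://update-cdn.example.net/gate.php",
    "1338787201.456 10.1.4.23 203.0.113.9 GET http://www.example.com/index.html",
    "1338787202.789 10.1.4.24 198.51.100.5 POST http://cdn.example.org/upload",
]

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<dst>\S+) (?P<method>\S+) (?P<url>\S+)$")


def indicator_hits(fields: dict, ind: dict) -> bool:
    """Decide whether one parsed log line exhibits one indicator."""
    kind, value = ind["type"], ind["value"]
    url = urlsplit(fields["url"])
    if kind == "domain":
        host = (url.hostname or "").lower()
        return host == value.lower() or host.endswith("." + value.lower())
    if kind == "ipv4-net":
        try:
            return ipaddress.ip_address(fields["dst"]) in ipaddress.ip_network(value, strict=False)
        except ValueError:
            return False  # unparsable address in the log: treat as no match
    if kind == "url-path":
        return url.path == value  # paths are case-sensitive, so compare exactly
    return False  # indicator types this log source cannot observe (e.g. file hashes)


def match_indicators(log_lines, indicators):
    """Return (1-based line number, indicator) pairs for every hit."""
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the sweep
        for ind in indicators:
            if indicator_hits(m.groupdict(), ind):
                hits.append((lineno, ind))
    return hits


def shareable(ind: dict, audience: str) -> bool:
    """An indicator may go to an audience only if its colour is no more
    restrictive than the colour that audience is cleared for."""
    return TLP_RANK[ind["tlp"]] <= TLP_RANK[AUDIENCE_MAX[audience]]


def build_report(hits, audience: str) -> dict:
    """Onward report for one audience: matched indicators the audience may
    see, plus a count of hits withheld because of their TLP colour."""
    report = {"audience": audience, "matches": [], "withheld": 0}
    for lineno, ind in hits:
        if shareable(ind, audience):
            report["matches"].append(
                {"line": lineno, "type": ind["type"], "value": ind["value"], "tlp": ind["tlp"]})
        else:
            report["withheld"] += 1
    return report


if __name__ == "__main__":
    found = match_indicators(PROXY_LOGS, ALERT["indicators"])
    for audience in AUDIENCE_MAX:
        print(build_report(found, audience))
```

Run as a script, the first log line trips all three indicators and the third trips the network indicator; the "public" report then carries only the green domain hit and records three withheld, the "sector" report adds the yellow network hits, and only the "internal" report includes the red URL path. Whether a withheld count should be disclosed at all is a sharing-policy decision; here it is kept so the recipient knows more detail exists through a more restricted channel.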
The two most effective reports the industry receives are the Cyber Information Sharing and Collaboration Program (CISCP) alerts, which combine a range of sources and provide normalized post-analysis reporting on threat intelligence, and the Early Warning and Indicator Notice (EWIN), which provides less refined but timelier information.

The quality and quantity of information the financial sector receives from DHS's National Cyber Security Division (NCSD) and US-CERT has been greatly improved in the last three years and has been essential in helping to protect the nation's critical infrastructure at a time of increased threats.

The financial services sector also has the ability to leverage other federal capabilities provided by DHS and/or the National Institute of Standards and Technology (NIST), including the National Vulnerability Database (NVD), which holds information on over 50,000 software vulnerabilities in commercial and open source software products.

Additionally, the financial sector has increasingly adopted use of the NIST Security Content Automation Protocol (SCAP) suite, which includes the Common Platform Enumeration (CPE) to identify types of systems and software in use and the Open Vulnerability Assertion Language (OVAL) to describe the technical characteristics of a system to determine if a specific software vulnerability is present.

DTCC employs SCAP to automate internal processes for the identification and eradication of known vulnerabilities within its IT infrastructure.

This offers the organization a cost-effective and proven way to efficiently manage vulnerabilities.

To further enhance information sharing, DTCC and FS-ISAC are collaborating with DHS and other groups to develop a protocol to automate the machine-to-machine sharing of threat reporting information to reduce inefficiencies and latency.
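Editor's added example, not part of the testimony and not DTCC's SCAP tooling: the CPE half of the check described above, in Python. Software in use is named with CPE 2.3 formatted strings and matched against NVD-style applicability records (cpeMatch entries with versionStart*/versionEnd* bounds) to flag components whose version falls inside a known-vulnerable range. The inventory, the advisories and their identifiers are constructed for illustration and correspond to no real product or vulnerability; OVAL definitions, which carry the richer per-host tests, are not modelled.

```python
"""Editorial example, not DTCC's own tooling: match a CPE 2.3 software
inventory against NVD-style applicability records to flag components whose
version falls inside a known-vulnerable range.  All inventory entries,
advisories and identifiers below are constructed for illustration."""

CPE23_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
                "language", "sw_edition", "target_sw", "target_hw", "other")


def split_cpe23(cpe: str) -> list:
    """Split a CPE 2.3 formatted string on unescaped colons.  Backslash
    escapes (e.g. '\\:' inside a product name) are kept verbatim."""
    parts, buf, i = [], [], 0
    while i < len(cpe):
        ch = cpe[i]
        if ch == "\\" and i + 1 < len(cpe):
            buf.append(cpe[i:i + 2])
            i += 2
            continue
        if ch == ":":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def parse_cpe23(cpe: str) -> dict:
    """Return the eleven named components of 'cpe:2.3:part:vendor:...'."""
    parts = split_cpe23(cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(CPE23_FIELDS, parts[2:]))


def version_key(v: str) -> tuple:
    """Order versions so that 2.4.49 < 2.4.51 < 2.10.0: numeric parts compare
    as integers, anything else (e.g. 'p1', 'beta') as text after numbers."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in v.lower().replace("-", ".").split("."))


def in_range(version: str, match: dict) -> bool:
    """Apply the optional NVD versionStart*/versionEnd* bounds."""
    k = version_key(version)
    if "versionStartIncluding" in match and k < version_key(match["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in match and k <= version_key(match["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in match and k > version_key(match["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in match and k >= version_key(match["versionEndExcluding"]):
        return False
    return True


def cpe_matches(installed: dict, match: dict) -> bool:
    """True when an installed CPE falls under an NVD-style cpeMatch entry:
    every non-wildcard field of the criteria must equal the installed field
    (case-insensitive); the version must equal the criteria's version or, when
    the criteria leaves it as '*', fall inside the version bounds."""
    crit = parse_cpe23(match["criteria"])
    for field in CPE23_FIELDS:
        if field == "version":
            continue
        if crit[field] != "*" and crit[field].lower() != installed[field].lower():
            return False
    if crit["version"] != "*":
        return crit["version"].lower() == installed["version"].lower()
    if installed["version"] in ("*", "-"):
        return False  # version unknown: cannot assert vulnerability, review by hand
    return in_range(installed["version"], match)


def find_vulnerable(inventory: list, advisories: list) -> dict:
    """Map each advisory id to the inventory CPE names it applies to."""
    parsed = [(cpe, parse_cpe23(cpe)) for cpe in inventory]
    hits = {}
    for adv in advisories:
        for cpe, fields in parsed:
            if any(m.get("vulnerable", True) and cpe_matches(fields, m) for m in adv["cpeMatch"]):
                hits.setdefault(adv["id"], []).append(cpe)
    return hits


# Constructed inventory, as an SCAP-aware scanner might emit it (fictional vendor).
INVENTORY = [
    "cpe:2.3:a:examplecorp:ledger_server:2.4.49:*:*:*:*:*:*:*",
    "cpe:2.3:a:examplecorp:ledger_server:2.4.51:*:*:*:*:*:*:*",
    "cpe:2.3:a:examplecorp:quote_feed:8.4:p1:*:*:*:*:*:*",
    "cpe:2.3:o:examplecorp:trader_os:10.0:*:*:*:*:*:*:*",
]

# Constructed advisories in the shape of NVD cpeMatch entries (fictional ids).
ADVISORIES = [
    {"id": "EXAMPLE-2012-0001", "cpeMatch": [
        {"criteria": "cpe:2.3:a:examplecorp:ledger_server:*:*:*:*:*:*:*:*",
         "versionStartIncluding": "2.4.0", "versionEndExcluding": "2.4.51", "vulnerable": True}]},
    {"id": "EXAMPLE-2012-0002", "cpeMatch": [
        {"criteria": "cpe:2.3:a:examplecorp:quote_feed:8.4:p1:*:*:*:*:*:*", "vulnerable": True}]},
    {"id": "EXAMPLE-2012-0003", "cpeMatch": [
        {"criteria": "cpe:2.3:o:examplecorp:trader_os:*:*:*:*:*:*:*:*",
         "versionEndIncluding": "9.9", "vulnerable": True}]},
]

if __name__ == "__main__":
    for adv_id, cpes in find_vulnerable(INVENTORY, ADVISORIES).items():
        print(adv_id, "->", ", ".join(cpes))
```

With the constructed data, the 2.4.49 ledger_server is flagged under the first advisory while 2.4.51 (the excluded upper bound) is not, the quote_feed 8.4 p1 build matches the exact-version criteria of the second, and trader_os 10.0 escapes the third because its version sorts above 9.9 numerically rather than lexically. The numeric-then-text version ordering is a simplification; real vendors' version schemes sometimes need product-specific comparison rules.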
Opportunities to Enhance Public-Private Cyber Security Collaboration

In May 2010, FS-ISAC and federal agencies took an important step forward in partnering to counter suspected state-sponsored acts of cyber espionage by creating a pilot program, known as the Government Information Sharing Framework (GISF).

This pilot program allowed for the sharing of advanced threat and attack data between the federal government and about a dozen financial services firms that were deemed capable of protecting highly sensitive information.

The program operated successfully from May 2010 through December 2011 and was expanded to include the sharing of classified technical and analytical data on threat identification and mitigation techniques.

Unfortunately, the program was effectively terminated by the Department of Defense (DoD) in December 2011 for reasons that were unclear to pilot participants.

However, while information sharing was expected to continue through DHS, this, too, was ceased in December 2011, eliminating an important source of threat data and analysis for the financial sector.

Since the termination of GISF, more than 5 organizations in the financial sector have experienced threat assessment by FS-ISAC indicates that these threats will continue to increase in the years ahead.

There were four primary benefits and insights that DTCC and the other pilot participants gained from GISF:

1. The receipt of actionable information in a format that allowed industry participants to search for similar threat activity in their own networks.

2. The receipt of contextual information on that actionable information to better understand the risk implications of observing that threat activity.
3. The ability to adjust assessments of cyber espionage using quantifiable information on the level of malicious activity being observed, which was previously invisible to members of the financial sector.

This information greatly increased the collective assessment on threats that were present from these actors and resulted in the FS-ISAC substantially escalating its level of commitment and engagement with government and other partners to identify and mitigate these potential cyber-crimes.

4. An enhanced understanding that previous threat management processes, teams and tools had insufficient capacity to consume threat data due to its raw state and the level of inefficiencies in how this information was communicated.

Today, the financial sector and DHS are actively collaborating on the development of standards to support the automation of sharing and consuming threat data.

GISF was responsible for driving innovative new programs in the industry to reshape the sector's approach to assessing the multitude of risks associated with cyber espionage.

This prompted many of the pilot firms, including DTCC, to revise their views on best practices for managing threat information, to expand existing information sharing activities with peers and with the FS-ISAC and to make significant additional investments in threat mitigation and detection capabilities that otherwise could not have been easily justified due to the lack of understanding of the risk to the sector.

Limitations of Classified Information to Protect Against Cyber-Threats

While DHS has been able to offer security clearance to more than 250 financial sector personnel for the purposes of giving them access to classified briefings, this is not sufficient on a practicable level because the data cannot be shared broadly due to its classified nature.
Furthermore, the financial industry lacks the infrastructure and processing capabilities to handle such information, which typically provides additional context on non-financially motivated threat actors and their capabilities.

Next Steps: Expanding Information Sharing Between the Public and Private Sectors

Information sharing like that which occurred under the GISF program represents the most critical line of defense in managing and mitigating cyber security risk today because it:

• Provides actionable information for the industry to protect itself from cyber criminals;
• Drives innovation and improvement in defense strategies and programs; and
• Provides a vehicle for making risk-based decisions on investments and priorities.

While GISF was successful in many aspects, its reach and impact were limited because it did not scale to the depth and breadth of the sector.

As a result, it is impossible to gauge the broader benefits of the program because only 16 financial institutions served as pilot participants.

However, what is abundantly clear is that information sharing today occurs at "human" speed while cyber-threats occur at warp speed.

Now more than ever, an investment in standards, protocols and methods for the industry to rapidly share and consume threat and observable data is needed.

In addition, information sharing is most valuable when there is a high degree of trust among and between the financial sector and federal agencies.
The more trust that exists between these institutions, the more information sharing occurs – and the better equipped each organization is to mitigate the risk of cyber-attack and safeguard its systems and data from threats.

Also, there is a need for government to invest in additional staffing, tools and repositories to strengthen the nation's defenses against cyber-attack.

Based on DTCC's experience and the increased need for collaboration between industry and government in this capacity, DTCC strongly supports restarting GISF, removing its pilot status and expanding its reach within the financial sector and to other members of the Critical Infrastructure and Key Resources (CIKR) community who face these types of threats.

This program, in combination with supporting enhancement for standards and normalization (with an eye toward automation), will greatly improve the efficiency of threat detection.

A potential remedy that I'd like to share regarding the lack of classified processing capability within the financial industry is to enable the critical infrastructure community to engage service providers to provide the necessary capabilities.

For example, telecommunications providers could filter the critical infrastructure firm's in-bound network circuits to remove threats in real-time based upon classified threat data that could not otherwise be processed at the firm.

In addition, the federal government could allow the critical infrastructure firm to build and procure needed capabilities in their own infrastructure by allowing the accreditation of classified facilities to occur for non-government contractors.

Much of the depth of the U.S. government's understanding of cyber security threats is highly classified, and the CIKR community outside of the defense arena has limited personnel with the necessary security clearances.
DHS has, at present, very limited ability to "hold" clearances for CIKR personnel. For example, recently hired veterans at DTCC who held TS/SCI clearance from their military service saw those credentials lapse when they came to the private sector.

As the sophistication and technological means of threat actors increase, the financial sector and government need to move from a static one-size-fits-all framework to a risk-based one that incorporates the dynamic nature of the cyber security threat landscape, the individual firms in the financial sector and the global nature of the capital markets.

Cyber-attacks on the financial services sector represent a significant risk not just to industry participants but to the stability and integrity of the global financial system itself.

There is no shortage of threat actors who, for a variety of financial and political reasons, dedicate themselves to wreaking havoc on the systems that underpin the U.S. and global economies.

While the public and private sectors have taken important steps forward in recent years to enhance collaboration, a greater degree of trust and information sharing is needed to ensure that all resources are working in concert to protect and defend the financial sector from cyber-attack.

There is much progress to build on in the years ahead in these areas.

DTCC stands ready to work in partnership with this Committee, the Congress and Administration and federal agencies to harden the sector's defenses against cyber-crimes.

On behalf of DTCC, I would like to thank you again for holding today's hearing to raise awareness of these issues and for allowing us to testify this morning. I would be happy to answer any questions you may have.
