By Philip J. Weights, MD of Enhanced Banking Governance GmbH in Zurich
The world witnessed the devastating effect of the global financial crisis which began in 2007-2008. This evolved into a Sovereign Debt Crisis by 2010, and caused the loss of millions of jobs worldwide. The effect is still being felt today.
So what was learned about the causes of the financial crisis, and what are the emerging trends in the banking industry and the audit profession? The sensational headlines post-crisis routinely discussed “Corporate Greed”, “Market Abuse”, Banks “Too Big to Fail”, and bankers “Too Big to Jail”. Public outrage led to the birth of the “Occupy Wall Street” protest movement in 2011. The main issues were social and economic inequality, greed, corruption and the perceived undue influence of corporations on government, particularly from the financial services sector.
A report by the U.S. Financial Crisis Inquiry Commission concluded that the crisis was avoidable and was caused by widespread failures in financial regulation and supervision; dramatic failures of corporate governance and risk management at systemically important financial institutions; a combination of excessive borrowing, risky investments, and lack of transparency by financial institutions; a systemic breakdown in accountability and ethics; collapsing mortgage-lending standards; deregulation of over-the-counter derivatives, especially credit default swaps; and failure of credit rating agencies to correctly price risk. Subsequently there have been on-going investigations, prosecutions, billions of dollars of fines and enforcement actions.
Such increasingly aggressive pursuit of banks and bankers has led to a restructuring of the regulatory agencies in many jurisdictions, with increased legislation being introduced, such as the Dodd-Frank Wall Street Reform and Consumer Protection Act. A comprehensive set of reform measures was developed by the Basel Committee on Banking Supervision to strengthen the regulation, supervision, capital adequacy and risk management of the banking sector. These measures aim to improve the banking sector’s ability to absorb shocks arising from financial and economic stress, improve risk management and governance, and strengthen bank transparency and disclosures.
Taking into consideration these developments, a list of Auditing Trends was compiled. The research to produce the list not only analyzed the financial crisis and the measures to reform the regulatory framework, it also took into account studies conducted by major auditing and consulting firms, and new guidance for banking governance. These documents are: PwC’s “Key Considerations for Board and Audit Committee Members” 2014–2015 edition; KPMG’s Audit Committee Institute “2015 Global Audit Committee Survey”; Deloitte’s “2015 Planning Priorities for Internal Audit in Financial Services” and “Directors’ Alert – Through the Eyes of the Board: Key Governance Issues for 2015”; the 2014 Basel Committee on Banking Supervision revised “Corporate Governance Principles for Banks”; and Protiviti’s “Setting the 2015 Audit Committee Agenda”.
Revised guidance from the Institute of Internal Auditors regarding the Financial Services sector requires the audit scope to include information presented to the Board and Executive Management, together with the associated processes and controls, supporting the strategic and operational decision making. Internal Audit should assess whether the information presented to the Board and Executive Management fairly represents the benefits, risks and assumptions associated with the strategy and corresponding business model.
Regulatory Compliance, Fines, Sanctions
In 2014, BNP Paribas was criminally charged by the SEC, and paid US$ 8.97 billion in fines, a record for a global sanctions case. Credit Suisse pleaded guilty to a criminal charge for its role in helping Americans avoid taxes, and paid more than $2.5 billion as part of an agreement with U.S. authorities. The massive scale of regulatory breaches, criminal activities, greed and unethical behavior has led the regulators to introduce the concept of accountability for senior bankers. This is a shock wake-up call for Directors and Executives. In the UK, the Prudential Regulation Authority and the Financial Conduct Authority are introducing a new conduct rules regime. Bankers may be held criminally responsible and prosecuted for taking a decision that causes an institution to fail. The rules include a concept of “presumption of responsibility” following the establishment of a regulatory breach. This will significantly increase the personal regulatory exposure of senior managers. Auditors will need to focus on: assessing that standards of conduct are being raised to meet the higher regulatory rules; and considering what records they should themselves maintain to evidence their own actions.
Clients – TCF, MiFID, KYC, AML, Tax Transparency, Risk Appetite Profiling
The primary role of internal audit is to help protect the assets, reputation and sustainability of the organization. Clients are the key asset of the bank; the wrong clients can damage the reputation of the bank, and the business is not sustainable without the client base. The increase in regulatory standards is primarily driven by the bank-client relationship. In the UK, “Treating Customers Fairly” (TCF) remains central to the FSA’s expectations of firms’ conduct. Banks must put the well-being of customers at the heart of their business.
The Markets in Financial Instruments Directive (MiFID) provides harmonized regulation for investment services with the objective of increasing competition and consumer protection. MiFID requires firms to categorize clients as “eligible counterparties”, professional clients or retail clients (listed here in order of increasing level of protection). The Directive requires Client Investment Risk Profiles to ensure the suitability of investments.
Anti-Money Laundering and Know Your Customer (AML-KYC) standards have been raised, in particular when banks deal with Higher Risk and Politically Exposed clients. Evidence of source of wealth is mandatory. Tax transparency is firmly on the radar, and “Tax optimization schemes” are now under scrutiny. Auditors should consider taking a holistic view of clients, client services, client related regulations, and client-asset transparency in assessing the business model and culture.
Corporate Governance & Key Corporate Events
Post-crisis analysis by the World Bank and the IFC identified Corporate Governance failures as one of the main contributing factors. The failures identified are in 4 areas: “Risk Governance”, “Remuneration and alignment of incentive structures”, “Board independence, qualifications and composition”, and “Shareholder engagement”. These are all areas in which the auditors need to focus. Remuneration Governance is one of the key challenges to ensure the correct balance between risk and reward, and ensure that compensation is equitable to all parties and stakeholders. The trend is to enhance the Remuneration Governance. Many countries now have regulations for Banks to include the remuneration for top executives and directors in their annual financial report, along with shareholder votes on boardroom remuneration.
There is a trend for audit involvement in “Key Corporate Events”, a concept introduced by the UK CIIA in their revised guidance “Effective Internal Audit in the Financial Services Sector”. Key corporate events could include significant business process changes, introduction of new products and services, outsourcing decisions and acquisitions or divestments. Internal Audit should evaluate whether the key risks are being adequately addressed and reported, and also whether the information being used in key decision making is fair, balanced and reasonable, and whether the related procedures and controls have been followed.
Risk Management Framework
Risk oversight continues to be a top priority for directors. Boards typically focus on overseeing the bank’s most critical risks and agreeing on the overall risk appetite. Recent surveys of Boards and Audit Committees indicate they are increasingly challenged by the amount of time and technical competence required to provide effective risk oversight. More time needs to be spent on operational risk, cyber security, the pace of technology change, and third-party risks. Companies need to have appropriate risk management practices that address third-party risk, and directors will want to ask about them. One way to help manage such risks is to conduct independent audit or verification procedures. Regulatory compliance risk continues to occupy Board attention.
Cyber Security, Emerging Technology, Data Theft
A major incident at JP Morgan bank affected 76 million households. In the wake of such data breaches the NY Department of Financial Services announced a new cybersecurity examination process for banks under its jurisdiction. This may lead to enforcement actions against regulated entities failing to implement adequate cybersecurity programs. Auditors should evaluate the banks’ cybersecurity framework, preferably using the 5 Core Functions approach developed by the US National Institute of Standards and Technology in their “Framework for Improving Critical Infrastructure Cybersecurity”. Emerging technologies require more attention in the Boardroom. The U.S. Securities and Exchange Commission uses “Big Data” tools to analyze massive amounts of trading data to understand market behavior and detect potential illegal trading and other misconduct. Auditors should follow this trend by expanding their IT Audit resources and technology capabilities. Audit considerations include: discussing with management how the bank keeps up with technological change; understanding how the company uses emerging technologies to drive growth and how the risks are managed; and assessing board oversight of emerging technologies.
Data Theft is of concern to private banks, and here the threat can be internal. Client data theft by employees of HSBC Private Bank and Julius Baer caused immense damage to the reputation of Switzerland and private bankers. Therefore auditors will continue to assess the internal risk of client data theft, and the quality of the client data protection framework.
Fraud, Bribery & Corruption
Fraud is a key risk in banking, and fraud schemes continually evolve. Recent UK reports suggest that on-line banking fraud increased by 70% in 2014. Updated guidance on fraud risk was provided by the Committee of Sponsoring Organizations (COSO) in their updated “Internal Control – Integrated Framework”. Auditors routinely perform sample transaction testing to gain assurance of the robustness of the internal control system to prevent and detect errors and fraud. The trend will be to re-examine the nature and causes of fraud, design new audit sampling techniques, and embed audit software in on-line systems.
Bribery and Corruption is firmly on the agenda. The SEC is investigating Goldman Sachs, Credit Suisse, Morgan Stanley, Citigroup, Bank of New York Mellon and UBS AG for possible violations of the Foreign Corrupt Practices Act (FCPA). Compliance costs for banks continue to increase as more nations enact their own anti-bribery laws. In the UK, the Bribery Act 2010 provides for penalties of 10 years’ imprisonment, an unlimited fine, and the disqualification of directors. Auditors need to review the framework for implementing anti-bribery and corruption processes.
Auditor Rotation, Training, Automation, QA, IA / EA Cooperation
New rules require European-listed banks to rotate the audit firm every 10 years (this can be extended under certain circumstances). Previously, as in the US, Europe followed the rule of audit partner rotation. The Public Company Accounting Oversight Board (PCAOB) is finding that mandatory audit firm rotation leads to lower audit fees in Europe, while also sparking concerns about audit quality. The PCAOB has raised doubts about the adequacy of External Auditor quality control systems to provide assurance that audit work meets applicable standards. Audit Committees should develop a strategy to handle the audit rotation rule, deal with the handover transition, and seek assurance on the quality of work. Internal Audit / External Audit cooperation is another topic to be considered. In the past, there was an expectation of interaction and cooperation, with each party sharing views on risk and placing some reliance on work performed by the other party. The trend now seems to be moving in the other direction.
Financial Products, Approval Process, Mis-selling, Transparency
Learned papers discuss the question: “Did a Mathematical Formula Blow up Wall Street?” Dr. David Li invented the Gaussian Copula formula used to rate Collateralized Debt Obligations by measuring the risk of default. The formula was used to price hundreds of billions of dollars of CDOs filled with mortgage-backed securities, many of them sub-prime. It was used by credit rating agencies and the derivatives departments of investment banks. Banks rely heavily on quantitative analysis and models. The risks involved in decisions based on models that are incorrect, misused, or modified should be addressed. According to the “Supervisory Guidance on Model Risk Management” (FedRS/OCC), model risk governance is provided at the highest level by the board of directors and senior management when they establish a bank-wide approach to model risk management. Auditors are responsible for ensuring that an appropriate model risk governance framework is in place.
Banks have been fined for mis-selling complex financial products to unsophisticated clients. Processes concerned with financial product structuring, approval, marketing, valuation and suitability require auditor review.
Regulators are getting tougher on banks that fail to adequately oversee outsourced services. The FDIC imposed a $15 million penalty on the First Bank of Delaware for AML violations due to failures in monitoring third-party payment processors. Discover Bank, Capital One and American Express were fined for failing to supervise outsourced services to telemarketers, debt collection agencies and call centers. Outsourcing does not relieve a bank from responsibility and legal liability. It does reduce direct control over those activities, which increases the risks, endangers the bank’s operations and reputation, and exposes it to liability for compliance failures. Auditors should seek assurance that the bank has rigorous oversight over critical outsourcing activities.
By assessing key risks it is evident that there are challenges on all sides. Banks are under attack, being subject to enforcement actions, fines, penalties and expensive remediation action. Regulators and politicians are under pressure from the public, and sometimes from each other, to deal more firmly with the banking sector, the banks, and bankers involved in breaches of regulations, criminal law, public trust and confidence. Auditors have perhaps been too accommodating in allowing bank management and directors to somehow “manage” the audit relationship to their own advantage, in order to mitigate their reputational and regulatory risk. Throughout history, moments of crisis and challenge have brought great opportunities. As stated in the new Basel Committee “Corporate Governance Principles for Banks”, internal audit provides independent assurance … in promoting an effective governance process and the long-term soundness of the bank. The audit profession must rise to the challenge, embrace the key audit trends for 2015, and raise the standard of auditing to meet the higher level of Banking Governance now required.
About The Author:
Philip J. Weights is the MD of Enhanced Banking Governance GmbH in Zurich. The firm provides corporate governance services to boards, audit committees and management of banks. Previously Philip was Chief Auditor of a Swiss Private Bank.