Warning signs not enough for Regulators

Warning signs like the failure of Enron, Arthur Andersen and others that occurred during and after the dot.com boom in the late 1990’s, were not internalised by banks or the financial market. Regulators took steps to prevent these conditions from arising again but these measures were not effective enough.

In general, regulators took several key steps. They included the introduction of Sarbanes-Oxley in the USA. There was also an enforced improvement of global risk management standards and tools. Additionally, the Basel II capital requirements were revised. 

The world adopted a belief in beefed up Financial Regulators. They would act as the ‘new’ watchdogs. These watchdogs would ensure that the financial community stayed within acceptable bounds. This created the impression that the twenty-first Century would be the golden hour. Regulation and risk management had advanced significantly. Most believed that the risks banks were exposed to had become known. They also believed these risks were manageable, and being managed.

There were warning signs but they were ignored

The exuberant confidence in risk management did not work out as planned.  When in 2006 the warning signs became impossible to ignore, it was essentially to late.

The markets unraveled. Participants began to believe that the collapse of the USA sub-prime mortgage market caused the financial markets crisis. It was certainly part of the problem but not as important as many believe.

Far more important is the evidence that banks had leverage ratios of between 30 and 40 times their capital.  These borrowings were used to support assets on their balance sheets that they believed would continue to increase in value.   These assets were held,

• either directly by the banks on their balance sheet carrying regulatory capital against the risk exposure, or
• through arrangement off-balance sheet through special purpose vehicles that were set up specifically for securitisation purposes.  While the assets were off-balance sheet, the risk and exposure never was.

Securitisation’s employed by banks removed the assets from their balance sheet and housed it outside the regulatory ambit of regulators.  Banks assumed the risk of default on the asset would transfer to the special purpose vehicle.  Therefore, they did not need to hold regulatory capital against the risk.  This meant that once the assets was securitised the regulatory capital was freed to be used once more.  This scheme enabled banks to take on more and more dubious loans.  It became like a conveyer belt. Assets moved on and then off the banks balance sheet continually. The same amount of capital was made available each time but the risk remained mostly with the bank.  Risks were building up in banks without an increase in levels of capital to match the increase in risk.

Banks and regulators seemed to be surprised when these assets began to decrease in value due to high default levels.  Banks applied their own lax credit risk standards when granting the loans. Regulators sanctioned these practices during their oversight of banks.  To understand the cause of the increase in defaults, examine the credit risk policies in these banks.   Today, no bank would grant a loan to a client who had No Income, No Job or Assets (NINJA). This was once common credit risk management policy in banks before the financial crises.  Banks held the mistaken belief that credit risk was not a problem anymore and that anyone could have a loan.  Modern risk mitigation tools like securitisation had completely replaced credit risk. Both the banks and regulators believed this change.

It seemed to escape banks, especially that the application of very poor credit risk management policies, led to market failure. These policies were applied at the point of granting the loans. Confidence eventually began to erode in banks’ ability to absorb the losses arising from these loans. This occurred whether the loans were housed on or off-balance sheet.  Lenders called for the repayment of their loans. Banks had used these loans to acquire now questionable assets. When banks tried to realise these on or off-balance sheet assets, they found that the value had just evaporated.

Bankers and regulators had forgotten fundamental risk principles. They chose to ignore them on the premise that advanced models and risk management tools were effective. They also believed the financial market had become self-regulating.  They were wrong in their view. They were shocked when the financial system, which world economies rely on, broke down.

Paul Moore, the former head of Group Regulatory Risk at HBOS said of the financial crisis that it felt like they were in a rowing boat trying to stop a tanker. They should have been the pilot employed to steer the boat through a challenging course.  Professional risk management is all about doing the right thing for the right reason. It should never become an ineffective tick the box exercise.

Laws and regulations are generic. They only define the basic standards needed to be implemented by banks. Regulators oversee these standards.  A key role of regulatory risk management in banks is to maximize opportunities. This is done within a strict regulatory framework. It also minimizes any potential downside that banks are exposed to within this regulatory framework.  In situations where it is imperative to stop certain activities or practices in banks due to excessive risk taking, regulatory authorities should insist they use an approved risk management framework. Risk avoidance is key. Regulatory authorities must concentrate on sound risk management framework implementation.  

Risk management must be effective. This framework must include the conduct of every employee. It should also encompass the bank’s culture toward risk appetite. Additionally, risk managers must have the ability to voice concerns in statutory forums like board meetings. These forums should be grounded on feedback from business.

The ISO 31000 risk management standard was released in early 2009. It proposes principles that should be adhered to for effective risk management in organizations.  These principles include among others, the following:

• Create value
• Be an integral part of organisational processes
• Be part of decision-making
• Be systematic, structured and prompt
• Be tailored to the context
• Be dynamic and responsive to change

The regulation of financial markets has changed, whether one examines it from a self-regulating perspective i.e. the ISO 31000 standard or by increased regulatory vigilance and intensity applied by regulators across all markets.  For risk management to be effective, risk managers should have a clear mandate. They must have authority from both the board of banks and regulators. They must work within an agreed proactive risk management framework.  Risk managers need the authority to do more than tick boxes. They must report proactively. Otherwise, risk management practice will always be overtaken by the principle of profit maximisation.

Regulators were surprised, what’s the policy?

Some insightful indicators of potential future regulatory policy are highlighted. These indicators come from the factors that took regulators by surprise during the recent financial crisis.  This can be inferred simply because regulators do not like being caught by surprise.  Regulators will implement measures to avoid surprises. This will happen if banks prove incapable of managing themselves or the risks they face.  The measures that regulators bring to financial markets originate in the promulgation of legislation.

Legislation has a significant long-term impact on markets. While regulators do not take it lightly, it is their main policy tool used to effect change.  Regulators have always let their policy be guided by the activity conducted within financial markets. They have reacted to changes in market conditions rather than proactively responding.  A paradigm shift has occurred as regulators globally have become more proactive in their approach to the application of regulations.   We will thus increasingly see proactive engagement from regulators. They will show less tolerance to any deviation by banks in what they consider to be acceptable risk management practices.

So, what were these surprises?

• Regulators were surprised by the speed at which banks were drawn into the financial crisis. They were also surprised by how quickly it spread severely to all parts of the globe.  This phenomenon reinforces linkages and the global nature of business. It introduces fragility to the market that must be catered for in future.
• The role of securitisation as a risk mitigation tool was underestimated.  It is unlikely that financially engineered products will be embraced again to the same extent soon.
• The weakness of capital buffers.  The data used in models to decide capital buffers was insufficient so the predicted capital requirements were inaccurate.

Accordingly, the expected changes to the regulatory environment include some or all the next changes.

• Internal risk rating approaches used to assess counterpart risk by banks, supported by market credit rating agencies will be overhauled.  The Basil capital accord will in future accommodate this and allow banks some discretion on the techniques employed.
• Securitisations will be monitored more closely. Evidence will be provided to regulators. This ensures that all the associated risks are being managed effectively.
• Regulators will demand that increased prescribed capital and liquidity buffers be built up during the ‘good times’. This will guarantee better cushions in the ‘bad times’.  This is common sense practise but it will have significant implications to the cost of capital for banks.
• Risk management will have to become more transparent.  Regulators will need that all products marketed by banks undergo a rigorous risk analysis. This analysis must be completed before the products are offered to the market or public.
• Increased public disclosure and peer review processes are prescribed by regulators and implemented by banks.  Banks are custodians of public funds. Regulators believe the public has a right to know when their money is being placed at increased risk.

What can we conclude from this?

Banks work within a global financial system. They can choose where to conduct business. Thus, they can choose how severely they are regulated.  Not all jurisdictions have regulatory equivalence or apply the same standards of supervision over banks.  This is nevertheless changing as regulators respond to the financial crisis and tackle regulatory deficiencies across jurisdictions.  Banks, too, should consider where they are registered and supervised. They should avoid practising regulatory arbitrage. This can damage their reputation and erode public confidence.  Being free of regulation today can’t go down well with their customers tomorrow.  Depositors need their banks to be well-managed and protected by effective regulation.

There are increasing signs that common global regulatory practises are being adopted in jurisdictions that were formerly lax.  This is a positive development for financial market stability.  Care should be taken. It is important to make sure that regulatory practise does not become so harsh. Otherwise, banks might be incapable of developing the creative solutions for which they have become renowned.

Today, the public consensus acknowledges that banks are custodians of public wealth. They have an obligation toward society to protect this entrusted wealth.  Regulators have a duty to make sure banks uphold and respect this principle of trust. They must impose themselves firmly on the financial market system when banks ignore this principle.  Regulators are maintaining focused oversight. This oversight will not change in the foreseeable future. Regardless of what jurisdiction banks choose, regulation will be there.