Global | Publication | April 2023
The collapse of Silicon Valley Bank (SVB), Signature Bank and Silvergate Bank, and the sale of Credit Suisse to UBS – each of which has involved a combination of deposit guarantees, bail outs and bail ins under statutory bank resolution processes – have led to questions about contagion risk for other banks across the world and a deep analysis of the causes of the current banking crisis.
SVB’s collapse can, in part, be attributed to banking regulatory failure – with concessions provided to banks with assets under US$250bn, SVB was subject to more relaxed capital, liquidity and stress testing requirements. Ultimately, however, what we have seen with SVB, and other banks involved in the current crisis, is a failure of risk management – in SVB’s case, a failure to diversify its asset base beyond bond holdings that were subject to significant reductions in value as interest rates increased, and a failure to diversify its customer base beyond the highly risky tech and venture capital sector.
But these economic-based risks are only some of the serious systemic risks faced by banks globally. The purpose of this article is to explore the other ‘big 3’ risks that could pose similar threats to the stability of banks and the broader financial system if they are not managed effectively: those relating to financial crime, cybersecurity and climate change.
In a rapidly transitioning economy driven by technological and digital change, and alignment with a net zero emissions future, these risks are among the defining issues confronting the financial system. Effective monitoring, mitigation and management of these risks is essential to ensure financial stability in a time of volatility and continuous change.
The SVB collapse reflects a failure of risk management – specifically, the failure to diversify substantial risks arising from the composition of SVB’s assets and customers.
Regulatory failures certainly played their part. Notably, following the global financial crisis, the Dodd-Frank Act applied enhanced prudential standards to all banks with assets of US$50bn or more. These standards included risk-based and leverage capital requirements, liquidity standards, requirements for overall risk management (including establishing a risk committee) and both liquidity and capital stress testing.
Following heavy lobbying in the banking sector which argued that concessions ought to be given to small and medium-sized (SME) banks to stimulate access to credit, investment and growth in the United States economy, the Dodd-Frank thresholds were raised to US$250bn.
The concessions were confirmed in the Economic Growth, Regulatory Relief and Consumer Protection Act in 2018, as well as in the tailoring rules released by the Federal Reserve Board in 2019. Among other things, since these concessions were made, Category IV banks – with total consolidated assets of US$100bn to US$250bn:
Nevertheless, SVB’s particular issue was that 75% of its investments were held in United States Treasury bonds and mortgage-backed securities. While safe investments from the standpoint of credit risk, these investments posed significant interest rate risk. As interest rates increased, the value of the bonds declined. SVB (as was also the case with many other SME banks) also did not hedge against these market risks.
SVB’s failure was not so much about the quality of its assets – but rather its failure to diversify its asset risk to account for economic fluctuations. Yet prudent risk management would have revealed the interest rate risk through a sensitivity analysis and stress test on bond holdings, which in turn would have revealed a need for hedging through interest rate swaps.
Further, SVB’s concentration of depositors within the tech and venture capital sector that was under such substantial financial pressure in the current economic downturn led to a foreseeable risk of a significant bank run on deposits. The fact that 90% of SVB’s deposits were above the US$250,000 maximum insured amount also created a foreseeable risk of a bank run as panic set in amidst mass withdrawals.
As the Basel Committee on Banking Supervision notes in its Guidelines on the Sound Management of Risks Related to Money Laundering and Financing of Terrorism, comprehensive money laundering and financing of terrorism risk management has ‘particular relevance to the overall safety and soundness of banks and of the banking system.’ Deficient risk management processes in these areas ‘expose banks to serious risks, especially reputational, operation, compliance and concentration risks.’
Indeed, given the substantial volume of transactions they facilitate each day, banks are at much higher risk of being exposed to financial crime activity than other entities.
The Financial Action Task Force (FATF) – the global money laundering and terrorist financing watchdog – sets international standards designed to mitigate financial crime risks. The FATF Recommendations set out a framework (consisting of 40 recommendations) designed to help countries tackle financial crime. One of the core recommendations is that countries should require financial institutions to identify, assess and take effective action to mitigate their money laundering, terrorist financing and proliferation financing risks. This principally requires:
Regulatory standards have been implemented in many jurisdictions to address these issues – such as the Anti-Money Laundering and Counter-Terrorism Financing Act in Australia overseen by the Australian Transaction Reports and Analysis Centre (AUSTRAC), the Bank Secrecy Act, the Patriot Act, the Money Laundering Control Act and the Suppression of the Financing of Terrorism Convention Implementation Act in the United States under the supervision of the Financial Crimes Enforcement Network (FinCEN), and the Money Laundering, Terrorist Financing and Transfer of Funds Regulations in the United Kingdom overseen by the Financial Conduct Authority.
However, in February 2023, the FATF published an update on jurisdictions identified to have strategic deficiencies in their financial crime regulatory regimes and that pose a risk to the international financial system. High-risk jurisdictions – often referred to as ‘black list’ jurisdictions – were identified as the Democratic People’s Republic of Korea, Iran and Myanmar. Jurisdictions under ‘increased monitoring’, and which are actively working with the FATF to address the strategic deficiencies in their regulatory regimes – commonly referred to as the ‘grey list’ - were identified as Albania, Barbados, Burkina Faso, the Cayman Islands, Gibraltar, Haiti, Jamaica, Jordan, Mali, Panama, Philippines, Senegal, South Sudan, Türkiye, the UAE, Uganda, the Democratic Republic of the Congo, Mozambique and Tanzania.
Even for countries that do have strong regulatory regimes requiring banks to assess, mitigate and report financial crime risks, regulation is one thing. Compliance - and the underlying vulnerability of the banking sector to financial crime risks - are other matters entirely.
In September 2021, AUSTRAC released a money laundering and terrorism financing risk assessment in relation to Australia’s major banks. AUSTRAC assessed the overall risk to be high, with factors most exposing the banking sector to money laundering and financial crime said to be banks:
AUSTRAC also identified the implications of financial crime for banks. It was said that, given their size, major banks are likely to be able to absorb the financial impacts of criminal activities. However, reputational damage because of systemic criminal exploitation of a major bank may have serious consequences on a bank’s ability to attract and retain customers. This could in turn cause major damage to Australia’s international economic reputation by undermining the security and safety of Australia’s financial sector.
Risk management failures within banks in relation to financial crime therefore have the potential to deliver a substantial shock to individual banks and the broader financial system – beyond the economic-specific context of the current banking crisis.
The risk of cyber attacks in the financial system has increased due to a rapid rise in the digitalisation of services and the use of third party providers. The increased use of technology and digital records in banking, such as the introduction of open banking, could raise additional cyber risks. The scale of cyber threats is also becoming more substantial, with state-based and private actors now leveraging digital and technological advancements to enhance the sophistication of cyber attacks and the level of intrusion from malicious activities.
A limited number of jurisdictions have specific regulatory measures for managing cyber risks within banks, including Singapore, the United Kingdom and the United States. In Australia, the Australian Prudential Regulation Authority (APRA) largely regulates cyber security for banks (and other regulated entities) through its prudential standard, CPS 234: Information Security.
Under CPS 234, boards of regulated entities must ensure their entity maintains information security in a manner commensurate with the size and extent of the threats to its information assets, and which enables the continued sound operation of the entity. Further, a regulated entity must test the effectiveness of its information security controls through a systematic testing program. Where the entity’s information assets are managed by a service provider, it must ensure that the relevant information security controls are appropriately tested based on the rate of change in vulnerabilities and threats, and the materiality and changes of the information assets.
The direct financial costs from a cyber attack – such as a ransom demand or stolen data – would not have a substantial impact on the capital position of a major bank. However, liability for privacy and data breaches could have a greater impact. Further, reputational consequences could, as with a financial crime breach, lead to a loss of confidence in a bank among the community, which could in turn lead to instability and liquidity issues if customers withdrew funds at a significant scale. This could indeed have broader implications for financial sector stability as a whole.
Given the growing sophistication and organised nature of cyber criminals, and banks’ own vulnerability to attacks in a digital era, banks need to implement thorough and effective risk management processes relating to cybersecurity – matched by an investment in the required expertise. Internal reporting and risk escalation systems, and disaster contingency planning, should all be required to identify, monitor and deter cyber threats as well as mitigate any cyber breach – as a core component of resiliency and financial stability.
Climate change can pose significant financial risks to banks and the broader financial system if left unmanaged. These risks will initially be derivative, and depend on a bank’s exposure to heavy-emitting borrowers and projects, as well as other carbon-intensive investments a bank may have.
The risks may manifest as physical risks or transition risks – to use the risk categories adopted by the G20 Financial Stability Board’s Taskforce on Climate-Related Financial Disclosures (TCFD) in its June 2017 report. The TCFD climate risk and assessment framework is the most widely accepted, among regulators and industry, across the world.
Physical risks are those an entity faces from the physical impact of a changing climate, for example supply chain disruption due to damage to assets located in areas of the world susceptible to increased severe weather events such as drought, bushfires, floods, rising sea levels and cyclones. Transition risks are all non-physical risks that arise from the current global transition towards a lower-carbon economy, such as increased costs expected from possible government adoption of carbon taxes, renewable energy targets and investments and greenhouse gas offset measures. These risks also include the projected lower demand for non-renewable energy sources due to changing consumer attitudes and greater government investment in clean energy technology.
If borrowers subject to major physical and transition risks comprise a significant portion of a bank’s debt portfolios, banks face their own measurable and quantifiable climate risks due to impairment to security values and underlying debts.
These risks have the potential to create substantial pressure on individual banks and broader financial system security and stability. The impetus towards a net zero emissions future is growing due to:
The compelling movement towards net zero emissions, matched by continually evolving regulatory and prudential standards, means that banks must be conscious of the substantial risk to their own stability - and the ramifications for the global financial system - if climate risks are not proactively managed and mitigated.
It is critical for banks to monitor the economic headwinds we are currently experiencing to ensure robust risk management standards that take into account asset and customer losses arising from a perfect storm of high interest rates, inflation and declining business and consumer confidence - and that actively monitor and implement processes for capital security, liquidity, hedging and portfolio diversification.
Beyond the economic risks, banks are exposed to a range of other risks in an age of technological and digital disruption and a rapid transition to environmental sustainability and net zero emissions. The failure to monitor and mitigate risks relating to financial crime, cyber attacks and climate change could lead to major losses for banks and pose systemic threats to the financial system as a whole. That could make the current crisis a dress rehearsal for even more substantial shocks that will have widespread ramifications for the global financial system.
© Norton Rose Fulbright LLP 2023