The 1LoD may be growing in maturity but many issues remain up for debate, from where to set responsibilities to how to stay within tighter budgets. Here are the questions keeping the industry up at night.
Which line does what?
The 1LOD function is becoming clearer and better defined, but there are still many unresolved issues that it grapples with and probably will continue to grapple with for some time to come. The art and science of non-financial risk management is a bit like painting the Forth Bridge: it’s never done. Or, as Todd Sullivan, Managing Director and Head of Risk Management for Fixed Income, Americas, for Morgan Stanley in New York, puts it: “This is a job in which you can never get an A plus.”
There is still a lot of discussion in the industry about where the boundaries of responsibility lie between, say, the 1st line of defence and the 2nd. The proper division of labour has not yet been nailed down, and one bank will often entrust monitoring a certain risk to a different function than one of its peers.
The same could also be said about control assurance across the 3LOD. Rupert Jolley, Managing Director and Global Banking and Markets Chief Control Officer for HSBC in London, tends to agree. “Historically, control officers in the 1st line have focused on ex-post facto testing of static controls, but there is a trend to move to a more front-to-back perspective, isolate the key controls and figure out smart ways to monitor those controls,” he says. In this way, it is hoped, potential problems will be identified and dealt with before they arise.
But, says Ruth Kemmer, Managing Director of Front Office Supervision, Conduct and Control, for Nomura in London, these high-level discussions can become overly theoretical and time-consuming. While there is merit in trying to solve these bigger questions, this should not be at the expense of looking at the key risks front-to-back and progressing key remediation initiatives.
“I prefer to look at it in terms of ‘here we have this risk, this is what we need to remediate, where do we have gaps or duplication and how can we make it work better’, rather than focusing on the more general questions of what the 1st line does or what the 2nd line does,” she says.
This means risk has to be looked at from the perspective of how it affects the firm in toto rather than from the more narrow perspective of divisional responsibilities. In a phrase much-loved by bankers, non-financial risk functions need to learn to think more strategically.
How do we cut costs without cutting controls?
Of course, this is no easy attainment and it is made even harder by the budgetary constraints under which most 1st line functions must now operate. For the first few years of their existence, front office control functions largely got what they needed. Budget was waved through without much demur as banks were in a bit of a panic to get these things right, under pressure from global regulators.
But those days are over. Budget is not approved as freely as hitherto, and, in some cases, the 1st line has been asked to cut costs as well. Not only are sales and trading businesses suffering losses in headcount, the front office control function that supports those businesses is being challenged to perform that support more efficiently and more cheaply.
The trick is to trim the fat without trimming the controls. “Reducing duplication and inefficiencies in controls is extremely challenging, since any misperception that you are ‘dialling back’ or removing controls is the wrong message. It’s not about saying we don’t want to do this anymore, but we must establish whether we can do it better and more efficiently,” explains Nomura’s Kemmer.
Rajeev Mehta, who is Chief Controls Officer, Wholesale Banking Activities, London and EMEA, at Société Générale, agrees that costs and efficiency, in addition to control, are the new watchwords in control functions. “As an industry, we’re not making a lot of money, and the costs of remediation and protection are increasing day by day. There are more people, more IT, more costs, more everything in a declining market so we have to work smarter and more efficiently,” he says.
Various ways of reducing spending are under the microscope. Training, for example, could be done in a more consolidated manner that takes in more people rather than having continual piecemeal sessions involving only a few people in a certain area.
Centralisation of information, so that all relevant data can be collated in one place and then disseminated to different areas according to need, is also being examined. This would be more efficient and certainly less expensive for the bank than each unit building its own bespoke platform.
How do we solve the cloud conundrum?
Banks have eschewed the use of the cloud for data storage purposes in the last few years for fear of giving up command of that data to a third party and because of the possibility of leaks. But the arguments in favour of the cloud’s vast storage capabilities and protean flexibility are becoming harder to ignore.
The problem is that in many jurisdictions there are privacy laws that forbid storage of banking data in the cloud. Some jurisdictions, for example, say that all data that pertains to the institution within that jurisdiction should remain in the jurisdiction.
“This is a complex problem and the reality is the regulators and government agencies need to move. We’ve not solved it and in the medium term people are going to have to use multiple clouds to respect domestic privacy laws,” says Jolley.
One of the only positive aspects of the conundrum is that this it is not unique to banking. Other types of global operation face the same hurdles. This suggests that there might be a greater chance for a favourable and speedy decision by regulators than if it were simply unloved banks pleading for an exemption.
Nearshore / Offshore
Lower cost locations, where, for example, all communications surveillance could be conducted, are also being used increasingly. In some banks, these have become so proficient that their services are now used across the organisation and not just by the front office control team. But there is, of course, a danger that banks will delegate too many duties to individuals in lower cost locations to the extent that supervisors are not truly supervising any more. As with other areas of potential cost cutting, the downside has to be watched very closely.
Are we using the tech we’re investing in?
One area in which spending is to be scrutinised over the coming year is technology. Banks have spent millions on better automated controls, more comprehensive dashboards, better surveillance systems and much more over the past five years, and clearly many have now decided to review the process. They can’t continue to throw money at technology.
Apart from the obvious reason that it’s very expensive, there is another, lurking sub-text in the reluctance to spend more and more money on systems: front office control professionals are beginning to wonder if it’s worth it. This is not necessarily because the tools don’t work but because they aren’t being used properly.
Thus, senior control officers at some banks now stress there won’t be any more enormous sums of money spent buying supervisory workflow systems to make the life of a supervisor easier and are instead reminding supervisors that their job is to use existing systems properly and diligently.
In essence, this is about underlining the fact to supervisors that responsibility for conduct risk within their business lies with them and not with a large piece of complicated technology.
“This year, we’re going back to basics,” says one senior control officer, “rather than saying ‘don’t worry, we’re going to make it even easier for you by spending x million dollars to build another workflow you won’t look at or use properly.”
The message that the buck stops with them is being reinforced with meetings with ex-offenders and those that were involved in litigation at some stage in their career. Supervisors need to learn that to avoid being dragged through morale-sapping and potentially calamitous dispositions, some of which might result from merely being in the wrong place at the wrong time, the correct procedures have to be followed.
So this year it’s about stressing the procedures rather than building systems to make compliance with those procedures less burdensome. “It doesn’t matter how many clever bits of analysis you have and how many dashboards you build,” one senior control officer adds, “If you have a supervisor that doesn’t like doing it and is always the last person to do it, sooner or later they will run out of excuses and be caught on the wrong side of an issue.”
Are the regional branches doing everything they should?
For the big global banks at the forefront of the debate, there is, perhaps, one issue above all others that keeps them awake at night: do you have confidence that the regional branches are doing everything they should? Process and controls might have been carefully installed but there is still the nagging doubt that they aren’t being followed as religiously as they should. Indeed according to the 1LoD 2019 Benchmark Report & Survey, over 40% of those surveyed rated global roll out of conduct risk controls as high priority.