Heating up: The pace of regulation for PSPs/EMIs
Allison Strachan, CPA (Can)
Risk & Capital specialist / Committee member
Do we really learn from and act on history?
In 1974, the operations of Germany’s 35th largest bank were suspended by its regulator due to insolvency triggered by excessive losses incurred in the FX market. At the moment this occurred, there were live FX trades in play which never settled as a result. This was referred to initially as “Herstatt Risk” but is now commonly referred to as settlement risk. But did the financial world promptly respond to Herstatt’s lessons learned? It wasn’t until the mid-90s that initiatives to combat settlement risk, driven by banks (not regulators), started to formalise, including the widespread adoption of real-time gross settlement systems, the development of bilateral and multilateral netting arrangements, and finally the establishment of the Continuous Linked Settlement Bank in 1996[1]. It took 22 years for a sustainable solution to be realised but, in 2020, that kind of response rate would be unlikely to be acceptable.
Did Herstatt contribute to a shift to a more heavily regulated financial services industry?
Herstatt’s collapse was likely one of several triggers that contributed to a change in how financial regulators approached their work as well. Key papers including The Principles for the Supervision of Banks’ Foreign Establishments[2] and the initial Basel Capital Accord (i.e., Basel I)[3], published in 1983 and 1988 respectively, are great examples.
Back in the beginning, expectations were simple -- the Basel Capital Accord was only 30 pages long. Credit risk was measured but market and liquidity risks were managed without any real sophistication. Operational risk had not yet surfaced as a regulatory concept. Resilience was not on anyone’s radar. Technology played a key role, but a smaller one than now, when it is pervasive in all things. Events that grabbed headlines tended to be followed eventually by a government inquiry rather than specific regulatory guidance or legislation. It was not a laissez-faire approach; it was simply a less mature environment than today. For that era, this approach was considered a proportionate response.
In the 1990s, the world started to see events that had the potential to leave, or did leave, scars on the financial services landscape. Figure 1 highlights some of the key historical events whose impact on the global or UK economies was substantial. Similar to 1974, these events prompted questions like “How could this have happened? How can we prevent this from happening again?” Advancing complexities of financial markets (i.e., the proliferation of derivatives, electronic trading and cross-border trading) made oversight more challenging. The lack of focus on operational controls (which often led to fraud) over these new areas often led to major events (e.g. Barings, Daiwa, National Australia Bank). Macroeconomic events (e.g. the Asian Financial Crisis) further complicated matters.
These events undoubtedly influenced global regulators to explore the underlying causes, including better risk management practices, and to reflect on the most appropriate response. In Europe, the Basel Committee on Banking Standards (“BCBS”) began releasing minimum standards publications. In the US, the Committee of Sponsoring Organisations of the Treadway Commission (“COSO”), comprised of five US private sector accounting/auditing bodies, examined internal controls and integrated risk frameworks. Enron, the giant US energy trader, then collapsed due to “off-the-books” accounting (caused by an underlying lack of internal controls and adequate governance)[4]. This was the catalyst that spurred US lawmakers to enact the Sarbanes-Oxley Act (“SOX”) in 2002 – the global game changer in operational risk management. SOX compliance was born and operational risk managers started to emerge. BCBS was also trying to improve banking standards and implemented Basel II in 2006. Basel II triggered the measurement of operational risks, increased capital requirements and generally resulted in more complex regulation. It included the requirement to maintain an Individual Capital Adequacy Assessment Process (“ICAAP”) and the Individual Liquidity Adequacy Assessment Process (“ILAAP”).
The Global Financial Crisis (“GFC”) seems to have been the catalyst for an explosion of new regulatory approaches and legislation. The GFC led to a prolonged focus on financial resilience. The US Congress enacted the Dodd-Frank Act in 2010 which ultimately led to the Comprehensive Capital Analysis and Review (“CCAR”) and the Dodd-Frank Act Stress Test (“DFAST”). Basel III and BCBS 239 were also announced and implemented following the GFC.
These macroeconomic events were followed by a series of “financial misconduct” events (e.g. LIBOR rigging, rogue trader events). Post GFC, the response to such events was more comprehensive and swifter than back in 1974. In 2015, the UK regulators started a campaign to improve conduct and restore trust in the financial services sector. In 2016, the FCA released its “5 Conduct Questions”[5], which guides the expected conduct for all UK financial institutions. In the same year, it launched the Senior Managers & Certification Regime (“SMCR”) for banks. However, its applicability is creeping outwards as it now incorporates insurance companies and soon will encapsulate benchmark administrators. What will follow thereafter?
Maybe we are learning some lessons but are there areas to watch for?
Certainly, the UK regulators’ focus on resilience seems to have paid off. Despite facing challenging economic times in 2020, UK banks have demonstrated their stability and have arguably muted concerns about the likelihood of failure for those previously considered “too big to fail”. Resilience testing has forced firms to consider future risks. Perhaps that is why UK regulators are ahead of the game in pressing for all firms to get on top of their third party risk management (“TPRM”) and operational resilience – possibly these risks raised their heads during resilience exercises and began to be flagged as real vulnerabilities.
Established banks gradually developed comprehensive risk management frameworks (“RMF”) because of the rise in legislation and regulatory guidance since 1988. There are minimum risk management standards for new UK banks that must be in place prior to being granted a banking licence (i.e., basic RMF, ICAAP, ILAAP among others)[6]. But these same standards are not required for payment services providers (“PSPs”) and e-money institutions (“EMIs”), presumably to encourage entrepreneurial spirit, new growth and market competition. That is because regulation is not intended to squeeze out new market entrants. In fact, the Payment Services Directive (“PSD”), in both its first and second versions, is intended to promote competition. But does the lack of checks and balances in the form of a comprehensive RMF constitute a risk for PSPs/EMIs, or for the stability of the financial services landscape? That is not clear. Anecdotally, it seems that risk management for some of these firms may be embryonic and is influenced heavily by budgetary concerns.
Is some sort of regulatory convergence coming?
Creating RMFs out of nothing is not an easy feat and certainly is not possible in the short term. If the FCA expected this, it is unlikely that PSPs/EMIs (or any firm) would have all the financial, technological or human resources available to update their controls quickly. Such requirements would have a large impact on business strategy and priorities.
One view is that UK regulators are starting to become more proactive in terms of guidance on potential risks (i.e. consultations for TPRM and operational resilience preceded the FCA temporarily suspending Wirecard’s UK operations in June 2020[7]). On the other hand, history may be repeating itself in that UK regulators are reacting to historical events. Supercapital, a PSP that went into administration last year[8], may have been a push for the FCA when setting its 2020/2021 regulatory agenda[9]. Either way, the path seems to be towards more regulation rather than the status quo.
What have we learned? What do we need to do?
While risk and resilience frameworks seem relatively mature for banks and insurance companies, the FCA is now clearly signalling to PSPs/EMIs that it would like their risk houses in order too. It has noted that there is an air of non-compliance (in the risk management space) through the industry[10], although this could just be a case of differences in legislative interpretation or regulatory expectation. The FCA is also concerned about resilience – both operational (to ensure customers continue to have access to their business services) and financial (to avoid disorderly failures). For those of us around during the GFC, the rhetoric seems strangely familiar. It is encouraging that the narrative suggests that regulators are sticking with a well-trodden “risk framework/resilience” path rather than inventing a new one for PSPs/EMIs. The FCA also appears to recognise that it will take time to put these measures in place – although not the 32 years it took banks to get to this position. But the message is clear: PSPs/EMIs should have a documented plan soon to answer resilience questions, establish robust RMFs, and have adequate resources in place to support these changes. Now the next questions are: how to achieve that? What is the time frame? How to prioritise the risk agenda and the individual components within? Undoubtedly, there are a few firms out there that will require a bit of learned experience and assistance.
About the Author
Allison Strachan is a Treasury Risk professional with more than 12 years of experience in the financial services industry. Her focus is on prudential and enterprise-wide risk management.
[1] Bank of International Settlements (“BIS”) Quarterly Review, “Settlement risk in foreign exchange markets and CLS Bank”, December 2002.
[2] BIS, Principles for the Supervision of Banks’ Foreign Establishments, May 1983.
[3] BCBS, International Convergence of Capital Measurement and Capital Standards, July 1988.
[4] Investopedia, “Enron Scandal: Fall of a Wall Street Darling”, updated September 2020.
[5] FCA, “5 Conduct Questions Programme”, 12 April 2017 (first publication), 3 September 2020 (latest update).
[6] PRA, “New Bank Start-Up Unit Guide: What You Need to Know from the UK’s Financial Regulators”, January 2020.
[7] BBC, “Wirecard: Cardholders’ money locked as FCA freezes UK subsidiary”, 26 June 2020.
[8] FCA, “Supercapital has entered administration”, 1 October 2019.
[9] FCA, Business Plan 2020/2021, Chapter 4 (Our 5 key priorities over the next 1-3 years).
[10] FCA, Dear CEO Letter, 9 July 2020.
Senior Consultant at CAPCO #managementconsultancy #strategy #capitalmarkets #businessowner #diversifyincome
4 years ago: Very insightful historical walkthrough - well done
Thank you for the shout out, we enjoyed talking with you.
Account Manager at Broadridge Financial Services
4 years ago: Great article Allison. Very interesting