Speech by Ed Sibley, Director of Credit Institutions Supervision, to the Association of Compliance Officers of Ireland 

14 March 2017

Introduction

Good afternoon ladies and gentlemen. I am delighted to be speaking to you all today, particularly given your importance in the safe functioning of the financial services system, and I am grateful to the ACOI for the invitation.

I plan to cover a broad agenda today.   My main focus will be on the banking system, but not exclusively so. I will start with some reflections on the supervisory role of the Central Bank, move on to consider the banking landscape today, and then outline our key priorities for the next year to 18 months.  Given my audience, I will finish up with some comments about the role and importance of compliance officers.

The role of prudential supervisors

Prudential supervisors seek to both safeguard financial stability and protect consumers. These outcomes are completely entwined rather than being mutually exclusive, as is sometimes suggested. As the Governor of the Central Bank has stated[2], “Measures applied to protect consumers range from working to ensure financial stability, through prudential and macro prudential regulation, supervision and enforcement to personal financial information and education.” But this does not mean that we can or indeed should seek to remove financial stability and consumer protection risks from the system altogether.

In order to consider why, we need to reflect on why credit institutions exist and the purposes they serve. As I have said, I will focus today on banks, although there are obvious parallels with credit unions, which are also under my remit, and other financial services firms. 

At their core, banks undertake financial intermediation - by attracting deposits and using them to finance the needs of households, businesses, and other economic agents in the form of credit. Most banks do much more than this, whether it be capital markets operations, leasing, trade finance, custody, currency exchange, and so on.  But their core function is financial intermediation. This is not only important from an economic perspective, but also from a societal one - through, for example, providing members of the public secure and safe means to deposit and access their income.  Imagine Irish society without this basic function.

In other words, banks exist to service both the economy and wider society.  But in an open, market-based economy such as Ireland (and indeed across the European Union), banks typically are profit driven - and in order to maximise profits, they need to take on risk.  Indeed, without risk, there would be no profit, and without profit, activity would be severely curtailed or cease altogether.  In other words, the banking system is underpinned by risk-taking, but as we know all too well in Ireland, this risk-taking activity can be poorly managed, overly aggressive, excessive and, ultimately, catastrophic for financial stability and consumer protection. 

So, when I outline the supervisory objectives and desired outcomes for banks operating in Ireland, this is done in the context of what the banking system is for.  The ultimate outcome we are seeking is that banks operating in Ireland are serving the economy and society in Ireland and across Europe and in a way that is in the long term public interest - i.e., not taking excessive risk, which leaves the tax payer at risk of losses. I believe the best way to achieve this is for the banks (and indeed non-banks) operating in Ireland to:

  • have sufficient financial resources to meet both capital and liquidity requirements today and under a severe but plausible stress;
  • have sustainable, capital-accretive business models through the economic cycle;
  • be governed appropriately with clear and embedded risk appetites, which drive an appropriate risk culture and control framework; and
  • be able to recover if they get into difficulty and be resolvable if they fail, without recourse to the tax payer.

These are obviously not separate objectives, but complementary and connected and they drive all that we do.

And all that we do from a banking supervision perspective, is done within the context of the wider European Central Bank's overarching responsibility for banking supervision in the Eurozone.  This is discharged through the Single Supervisory Mechanism (SSM), which the Central Bank is a very active, and committed member of.  And in this context as Daniele Nouy[3], Chair of the Supervisory Board of the SSM has said, “European banking supervision enhances the stability of the banking sector and makes future crises less likely. It is therefore an innovation that creates value for all citizens in the euro area.”

In other words, not only do prudential supervisors have an endlessly interesting and challenging role, they have a critically important one too.  By this same logic, and extending it into other sectors, the compliance officers of Ireland also have a crucially important role in ensuring the safe and smooth running of the financial services system, and I will return to this theme shortly.

The banking landscape today

One of the challenges of supervision is that it can sometimes be difficult to measure success. Failure on the other hand is much more obvious, and public! That is why I strongly believe in a forward-looking, assertive and outcomes focused approach to supervision. By being clear on the outcomes we are seeking to achieve, we can be clear on our success, effectiveness and progress in achieving these desired outcomes.

So, if I look at the banking landscape today, how does it measure against these four desired outcomes and the progress made since the failure of the domestic banking system nearly a decade ago?

1.    Financial Strength

It is clear that very material, tangible and quantitative progress has been made.  While comparisons are tricky given the fundamental restructuring of the banking sector, the tier 1 capital ratios for the domestically owned banks have more than doubled since 2007[4] at a time when the definitions of capital have been significantly tightened (i.e. not only is there much more capital to absorb losses, it is of significantly higher quality). The domestic banks are far more resilient to future losses than before the crisis, and that resilience has continued to increase in recent years.

Similarly, the funding models of the domestic banks are materially more robust.  Again, with the same caveats as the comparison for capital, reliance on the more volatile wholesale markets has reduced to less than 10% of balance sheets[5], compared to more than 40% in 2007. 

This improved capital and liquidity robustness has been achieved through, inter alia, a significant reduction in leverage, capital raises, a return to sectoral profitability and increased reliance on retail deposits.   The international banks are also well capitalised and funded - although are typically reliant on their parents to a large extent.

However, issues clearly remain.  Domestically owned banks are still rebuilding their capital bases, still have significant state ownership, and their balance sheets still have significant weaknesses (as evidenced by the continued high level of non-performing and restructured loans) and, therefore, remain vulnerable to shocks.

2.    Business model

International banks' business models are more heterogeneous than the domestic banks and typically more dependent on the group business models. The domestic banks' business models are definitely less inherently risky than before, as is evidenced by their funding mix. Net interest income is increasing, costs to income ratios are falling. The economic recovery in Ireland has clearly helped, given the domestic banks' retrenchment.

However, short term and longer term risks remain. Legacy risks remain elevated, as evidenced by the high levels of non-performing loans, the high numbers of restructured (and vulnerable) borrowers and the continued presence of tracker mortgages – particularly in the context of today’s low interest rate environment.  Brexit is highly likely to have a negative impact on the Irish economy overall, and hence impact the domestic facing banks, some of which also have significant exposures and connections to the UK.  Longer term, there are significant risks - be it from the costs of raising bail-inable debt, potentially increased bank and non-bank competition (notably from Fintech disruption) and capital markets union, to name but a few.

3.    Governance and risk management

Clearly and evidently, governance and risk management arrangements in place in the banks operating in Ireland have materially improved.  Regulatory requirements and supervisory expectations have also changed materially.   A little over two years ago, we created an onsite inspections division (which has now been replicated in other parts of the Central Bank), further enhancing the intensity and intrusiveness of our supervision, particularly for the international banks, and particularly in the last year or so.

Unsurprisingly perhaps, we have identified more issues through deepening our engagement. What has surprised me to some extent has been the materiality and pervasiveness of these issues - particularly in the international banks. So, I will spend a few moments on the key inspection findings for international banks, as they are worth discussing in their own right - particularly given the audience I have today, and also as they give a good indication of our expectations from a practical perspective for banks that are operating in Ireland today, and those that might come in the future. 

Consistently we have identified issues related to governance and risk management, strategy implementation with respect to mind and management and operational and IT risks. In particular, inspectors have identified that the governance and risk management frameworks were not always at the level of the licensed bank - evidencing an unsatisfactorily addressed tension between licensed entity, geographic footprint, business lines and governance arrangements.

Weaknesses have consistently been observed regarding board oversight over key matters, including the approval of risk, compliance and internal audit plans.  We have also identified fundamental weaknesses in risk appetite statements and the embedding thereof. In addition, we have seen notable weaknesses in risk reporting to the board, including the absence of key risk indicators, and holistic reporting on all risks facing the institution.  There still appears to be an over-reliance on group policies and processes, with inadequate review by local management and the second line of defence to ensure that these policies and processes are fit for purpose for the local entity. 

The inspection teams also identified weaknesses with the second line of defence across all risk areas.  Some local risk functions were immature, particularly in relation to operational and IT risk, with an over-reliance on group entities for operational support. In some instances not all of these were supported by formal and effective outsourcing arrangements, or robust governance in terms of local oversight, monitoring and reporting.  In addition, there was insufficient quality assurance or control testing being performed or overseen from the second line function in Dublin, to provide assurance to the board that risks to the local entity are being adequately managed.

On strategy and mind and management, the Central Bank’s corporate governance code is very clear that the board is responsible for setting and overseeing the business strategy. Yet, insight from inspections would indicate there is not always sufficient and robust discussion at local board regarding strategic initiatives developed at group level but conducted from Dublin. This increases the risk of the Irish subsidiary's business running ahead of its control and risk management arrangements. We expect boards to provide effective challenge to proposed strategies and to ensure that local governance, risk management and control arrangements are commensurate with the scale, complexity and risk of the business being undertaken.

This is not to give the domestically focused banks a free pass - there is still more to be done by all. And as well as the structures and frameworks in place, we are increasingly considering effectiveness and the behaviours and culture in banks. As I highlighted last week, there is strong and growing evidence that diversity has a role to play in better decision-making, sounder risk management, and the long term stability of firms.   There are exemplars here in showing the way (indeed I am hopeful that the Central Bank can learn from these for our own internal diversity and inclusion programmes), but there is also an inexcusable imbalance in gender and other diversity aspects at senior levels operating in most banks in Ireland - notwithstanding the much better balance in compliance.

4.    Recovery and Resolution

From a recovery planning perspective, my glass is half-full. All banks operating in Ireland have recovery plans in place, and are typically on at least their second or third iteration.  While there is still much to be done, and some recovery plans continue to have material weaknesses, the exercise of contemplating failure and the associated need to recover is creating a useful discipline.

I am less sanguine from a resolution planning perspective. Resolution strategies have been determined for all banks, and we have a clear desired destination.  However, for the large domestic banks, major impediments remain - be they the amount and location of bail-inable debt or operational impediments.  These are being worked on, but will take years to address.

In summary across these four high-level, desired outcomes, the efforts of the banks, the legislators, and the supervisors have been effective, but there continues to be much to be done.  Risks have been materially reduced, banks are stronger, more robust, better run and have more sustainable business models.  But this is all relative to where they were.  Risks are still very sizeable and need continued efforts and vigilance.  The restoration is partially complete, the building is protected from the elements but I am not convinced it is storm proof.

So what are we doing? (i.e. Supervisory Priorities)

I cannot over emphasise the importance of the core work of day to day supervision, onsite inspections, deep and impactful analysis, policy enhancement, etc. Working within the SSM it is this core supervisory work - including the Supervisory Risk and Evaluation Process (SREP) - which has delivered the meaningful change, which I have referred to and drives the embedding of the necessary controls. As time passes and the proximity to failure reduces, it is this core work that ensures that lessons are not forgotten, that standards do not slip, that changes are made safely, that new and existing risks are managed effectively. It is the backbone, the foundation of our approach and our delivery against our raison d'être.

Again, there are analogies that can be drawn with each of your roles - the importance of focusing on the core work and not becoming distracted by the new and the shiny.  And through this core work, seeking to ensure that the risk-taking that financial services firms must take is done so in a considered, understood and sustainable fashion.

Nonetheless, on top of this core business as usual agenda, there will always be additional work priorities - there are new shiny things that we have to pay attention to.   I will touch on some of these areas now:

Brexit

As the Central Bank Governor and Deputy Governors and my Insurance, Asset Management and Policy colleagues have outlined, Brexit is changing the financial services landscape across Europe.  It has created massive uncertainty and consequently significant risk.  In Ireland it is likely to change the banking landscape considerably.  There have long been two distinct and separate aspects to the Irish banking system - a domestically focused part, and an internationally focused part.  The size, reach and complexity of the domestic banks has reduced significantly.  The size, reach and complexity of the international banks is increasing again, and we can expect that it will outgrow the domestic banking system over the next couple of years.

Together with our colleagues in Frankfurt and in other Central Banks and regulators we are working hard to ensure that there is a consistency of regulatory approach across Europe, and that there is no regulatory race to the bottom in the search for the crumbs of comfort that are falling from the Brexit plate - which as you know is a potentially sizeable blow for Ireland.  

I am confident that the decision as to whether to locate elements of European business in Ireland or elsewhere will not be driven by different approaches to booking practices, treatment of internal models, expectations re substance and mind & management, and so on. Instead, it will rightly be decided by other factors, be they infrastructure, skills, legal framework, cultural and so on.  We are working collegiately within the SSM, and the other European supervisory bodies and in bilateral discussions with other competent authorities to make sure that is the case, and not just for banking where it is more hardwired through the SSM.

IT Risk, Data and Fintech

In the interests of being brief, I will deliberately conflate three separate but related issues.

While banks in Ireland and the euro area aspire to be digitally innovative, dreaming of the promise of tomorrow, the reality is that we are still seeing far too many issues and risks with the technology in use today.  Notably, legacy issues and infrastructure, poor risk management practices, IT risk governance weaknesses, and a lack of automation resulting in weak manual workarounds, still pervade. 

Our small team of IT inspectors have consistently found that IT risk management practices are less mature and less effective than the banks themselves believe them to be. Significant improvements are required in IT security and resilience, and we continue to see weaknesses in the management of outsourcing arrangements, including those that are intra-group. Moreover, in many cases we have seen limited monitoring and inadequate reporting of IT risks to the Board and senior management.

I do ask myself why a team of six or seven inspectors covering the entire banking system can find such failings and whether enough attention is being paid within the banks themselves to such a serious and pervasive risk. Of all the risks facing the banking system in Ireland today, this is the one that concerns me most.  Threats abound and are increasing in complexity and the potential impacts are massive - and could impact on the banking system's ability to deliver its core functions. 

To move away from the (hopefully) lower probability but higher impact resilience and security risks, it is illustrative of the challenges that banks face today to consider data and reporting for a moment - again something I would expect many of you to have a high degree of familiarity with. Why is this important? If a bank cannot accurately measure and monitor these risks over time, then it cannot credibly demonstrate to its own board or supervisor that it is managing these risks appropriately and complying with regulations.

To take some specific examples, we have found a pronounced over-reliance on manual processes and multiple systems in various types of regulatory reporting, resulting in an inability to aggregate the same risk across the firm. We will shortly publish the outcome of a thematic review on regulatory reporting, which identified very serious issues and regulatory breaches regarding accuracy, oversight, procedures, resourcing and quality assurance.

We also observe delays in meeting the most basic requests for information, when it should be produced as part of the normal course of business.  This may require both retooling to produce this information, and rethinking. This rethinking may be required in institutions because they need to understand their ability to produce credible information is an essential part of how their supervisor views them. Using this ‘outbound’ information should also provide this insight for banks' management. The fact that it is not being used, in a meaningful way, is perhaps an indication of how far institutions have to go.

Turning to fintech itself, as Mark Carney[6], Governor of the Bank of England, has stated, “FinTech’s true promise springs from its potential to unbundle banking into its core functions”. The threats and the opportunities are enormous.

Looking ahead, as the financial services landscape evolves, the Central Bank itself must develop its thinking further regarding how financial services activities may become separated from banks facilitated by technology. Our own frameworks (consumer, prudential, and financial stability) must change as the geometry of the regulatory perimeter changes. 

Targeted Review of Internal Models (TRIM)

TRIM is a three-year program to review the credibility, adequacy and appropriateness of all credit, market and counterparty credit risk Pillar 1 internal models within SSM. It is of fundamental importance to the consistency of capital calculations across the Eurozone, and hence transparency and market confidence in the European banking system. It is of comparable importance, perhaps of even greater importance, to the comprehensive assessment that was undertaken before the commencement of the SSM.  The objective of the project is to harmonise approaches to risk modelling and ultimately reduce unwarranted non-risk-based risk weighted asset (RWA) variability through the remediation of misalignments identified. It is a major undertaking that is going to consume supervisory, bank and third party resources this year and next. 

Credit risk

While neither new nor shiny, credit risk continues to be a high supervisory priority.  Non-performing loans remain very high in Ireland in absolute terms and relative to European peers, notwithstanding the very significant progress made in the last few years.  We have identified issues in governance and control for front book lending and so will remain focused in this area, and we will also be considering preparedness for IFRS9 - which is a material change in the accounting treatment of credit risk.

Our expectations of Compliance officers

Given my audience today, I thought it worth closing by outlining our expectations of compliance officers.  As with other second and third line control functions, our expectations are high.  You play an important role in financial stability and consumer protection. 

Perhaps most importantly, but in some ways less tangibly than other aspects, a key expectation we have of the role is for compliance officers to be fostering and encouraging a culture of compliance throughout the organisation. In other words, compliance is not simply about ticking a box, it is ensuring regulated firms are doing the right thing in the right way, and considering the spirit as well as the letter of the requirements.  

We do continue to see gaps between prudential and conduct compliance.  Compliance oversight within many banks typically does not encompass the full range of prudential compliance matters they face.  Often prudential compliance is the remit of the first line of defence, with the second line function focused primarily on conduct issues.  As a result, compliance plans often do not provide full coverage of all compliance issues facing banks and contain insufficient detail in respect of objectives, timelines and resource needs to monitor and assess the full suite of compliance issues. 

Compliance mandates need to contain information on, for example:

  1. measures to ensure the compliance function’s independence;
  2. the relationship of compliance with the risk and internal audit functions;
  3. the right to obtain access to information from staff; and
  4. the right to conduct investigations of possible breaches of compliance policy and appoint external experts. 

We expect banks to have a centralised compliance function that has oversight responsibilities for all compliance issues, including quality assurance of the prudential compliance activities conducted in the first line, and sufficient authority provided to the compliance officer to oversee and report on all compliance issues. Without this, banks cannot obtain assurance that they are in compliance with all relevant legal requirements and may not discover compliance issues or breaches until it is too late.

I was at a talk recently where the speaker suggested that, in the context of looming fintech disruption, we may be in the era of "peak compliance officer"; that the automation of aspects of compliance (such as know your customer (KYC) and regulatory reporting) will result in threats to compliance officers’ jobs.  To mix metaphors, in the same way that hundreds of engineers that were required to deliver radio and television broadcasts have been displaced by technological innovation, so undoubtedly all of our roles are going to be impacted by the spinning jennies of our time.

We need to be alive to the disruptions that are coming, to be flexible and adaptive and recognise that successful implementation of new technologies can drive significant efficiencies and greater robustness.

It is evident that the compliance officers of Ireland will have much to occupy themselves for many years to come, including with regard to the behaviour and culture of an organisation.  I am not sure that artificial intelligence (AI) is sufficiently advanced to meet our expectations just yet!

And on that note, I will wrap up.

Conclusion

I have deliberately covered a lot of ground today.  Many of the topics covered warrant discussion in their own right, and I plan to do just that through the course of the rest of the year.

In conclusion, it is evident that significant progress continues to be made in enhancing and improving the resilience, governance and risk management in the banks operating in Ireland today. However, more needs to be done. As supervisors we continue to pick up both old stones and new ones, and continue to find too many issues that need remediating and too many risks that need to be better managed. You all have a role to play in addressing this, and ensuring that the banking system and the financial services sector more broadly is better aligning its own profit generating motives with the economic and societal functions it serves.


 

[1] Acknowledgements: I thank Trevor Fitzpatrick, Claire Lanigan, Eida Mullins and Jane Woodcock for their inputs to this speech

[2] “The Role of Financial Regulation in Protecting Consumers” on 23 February 2017 (see http://www.centralbank.ie/press-area/speeches/Pages/TheRoleofFinancialRegulationinProtectingConsumers.aspx)

[3] “European banking supervision – a necessary innovation”, 18 January 2017 (see https://www.bankingsupervision.europa.eu/press/speeches/date/2017/html/se170118.en.html)

[4] Based on AIB, BOI and PTSB, end 2007 reporting vs end 2016

[5] Based on AIB, BOI and PTSB, end 2007 reporting vs end 2016

[6] “The Promise of FinTech – Something New Under the Sun?”: “FinTech’s true promise springs from its potential to unbundle banking into its core functions of: settling payments, performing maturity transformation, sharing risk and allocating capital. This possibility is being driven by new entrants – payment service providers, aggregators and robo advisors, peer-to-peer lenders, and innovative trading platforms. And it is being influenced by incumbents who are adopting new technologies in an effort to reinforce the economies of scale and scope of their business models” (see http://www.bankofengland.co.uk/publications/Pages/speeches/2017/956.aspx)