Address by Gerry Cross, Director, Policy and Risk, Central Bank of Ireland to the ACOI Annual Conference

12 November 2015 Speech

Good morning, It is a pleasure to be here with you this morning at your annual conference to speak about the regulatory challenges over the next five years. I would like to thank Melanie Blake, Chair, and Evelyn Cregan, CEO, of the ACOI for the opportunity to speak to you.

Compliance and the compliance community has always been important. Perhaps the recognition of this has not always been what it should be in all quarters. But there can be no doubt, post-crisis, that the discipline of compliance is high-intensity, resource-significant, and centrally important.

I would like to break my comments into a few sections. Firstly let me say a few words about Capital Markets Union. I will follow that with a few words about the broad area of governance, risk and trust as continued areas of focus for the coming period. I will say something about shadow banking. And finally I will say a few words about technology and cyber-risk.

I won’t cover everything. For example there will be significant ongoing work to implement European legislation – MiFID, MAD/MAR, UCITS V, etc – but for today I will leave this out.

I also won’t spend time on the implementation of Solvency II, which is a major focus of our current and continuing efforts. However, I must mention the very welcome fact that the Department of Finance published the Statutory Instrument transposing the Solvency II Directive earlier this week (SI 485 of 2015 European Union (Insurance and Reinsurance) Regulations 2015).  This is a key milestone for the implementation of Solvency II in Ireland from both the perspective of insurance undertakings and the Central Bank.

Capital Markets Union

John has spoken in some detail about CMU, and has said much more than I can usefully say. But from a regulator’s perspective: essentially Capital Markets Union is about three things: (1) diversity of funding sources for businesses and projects; (2) enhancement of investment opportunities for savings; and (3) breaking down barriers and frictions within the single market. As national regulators we tend to like all these three things.

We, of course, like to regulate in the context of well-functioning, sustainably growing economies. If this is not the case, we are either in a period of unsustainable growth( and we know how that can end) or we are in a period of stagnation, where, sooner or later people begin to blame over-regulation. So we like what Capital Markets Union is trying to achieve in general – a well-funded, well-functioning economy for Europe.

More specifically, regulators like diversity and diversification (assuming that it is true diversification and not just the appearance). So we like the idea of an enhanced range of effective sources of funding and we like diversity of deployment opportunities for investment.

As highly committed members of the SSM, EBA, ESMA, EIOPA and the ESRB (to mention a few) we welcome all initiatives designed to improve the functioning of the single market in the financial services and markets sphere.

Overall, the Action Plan suggests a shift by the European Commission from intense rule-making to a more step-by-step approach. This builds on the existing legal framework, judiciously identifying the need for legislative or regulatory proposals, and, where possible, promoting market-based solutions and best practice examples. There is much merit in such an approach.

Call for evidence on regulatory impact

Let me now mention the Commission’s call for evidence in respect of the cumulative impact or unintended consequences of the post-crisis regulatory reform.

It is important and necessary that work is carried out to assess the outcomes of new regulation. This is particularly the case when the regulatory change has been as far-reaching and comprehensive as that which we have witnessed over the past few years.

It is important that the context for such assessment is appropriately set. What is in question is the extent to which the effects sought to be achieved by the regulation in question are being achieved in practice. They may in practice be falling short, or they may be overshooting, or they may be producing unforeseen and undesired consequences, or they may be just about right. Ex ante, we cannot know.

What we do know is that we have made a series of reforms that were necessary to restore stability and confidence and to maintain it. And that the work to produce those reforms has been hugely resource consuming for all concerned.

We start then from the position that all of this has brought us to more or less the right place. And that we are now in a period of comparative regulatory certainty. We can then take the opportunity presented by this to set about monitoring and assessing how well the legislation and regulation introduced is achieving its objectives.

It should not, and must not, be a question of ‘well, there are bits we don’t like, let’s have another go to get rid of them’. Apart from anything else, the regulatory uncertainty that would result from rubbing that particular lamp would be anything but welcome.

Further, assessing the effectiveness of such regulation is not something that can be done over three months, maybe not even three years. To be done properly it requires a lengthy time horizon, a well-developed and rigorous methodology (one that remains to be developed), and a neutral and scientific demeanour. This should be underpinned by empirical evidence and verified by market intelligence.

This is not to say that there may not be a small number of items which are clearly not working the way they should. Any such aspects should clearly be identified and thought through. But this must not be interpreted as a wish list for a new wave of changes.

We must avoid at all costs embarking on an unpicking exercise or a new swing of the pendulum.

Governance, risk, and trust

You might say that a great deal of the focus in the years since 2008 has been on fixing the risk mechanics of the financial system - capital, liquidity, resolution, interconnectedness, risk management, etc.

Running alongside that has been work, going beyond the mechanics, to change in important ways the manner in which financial services firms operate and therefore the manner in which the financial system works. Essentially this is an effort, which has still a way to run, to restore enhanced levels of trust in the financial system.

Supervisors are now interacting more frequently and more intensively than ever before with the board and senior management of regulated firms and they will continue to scrutinise governance structures and arrangements to ensure the highest standards are being adhered to.

Culture

The culture that exists within a firm or a group may well be the single most determinative cause of outcomes - at least over time. You only have to look at the areas where risks exploded over the past number of years to see that in one way or another where culture becomes weak or distorted, problems emerge. This is something I think compliance officers understand well - trying to do your job when a culture is fighting you is an uphill struggle, but when the organisation is culturally committed to good standards, the compliance officer is much better placed to achieve strong results.

I believe that this issue of culture within firms will be an important part of our agenda and that of other regulators over the coming period. The challenge is that culture is a difficult phenomenon to get a firm grasp of.

In April 2014, the Financial Stability Board  published Guidance on Supervisory Interaction with Financial Institutions on Risk Culture which forms a basis for supervisors and firms to promote and develop a shared understanding of the firm's risk culture and facilitate an earlier intervention by supervisors to prevent a weak risk culture from becoming more prevalent.

Amongst the indicators of a sound (or unsound) risk culture are :

  • The actions and behaviours of boards and senior management;
  • Demanding and enforced expectations in respect of behaviours and actions throughout the firm;
  • Effective assessment of implementation of values
  • Accountability
  • Consequences
  • Incentives and remuneration

We are also aware that other regulators have made advances in assessing, including the use of organisational and behavioural psychologists, the behaviour and cultures in banks and insurance companies.  We believe we can learn from this work in our own regulatory approach, and enhancing how we assess,among other things, board effectiveness, risk culture, change effectiveness and root cause analysis (in the event of issues). 

Further work in this area needs to consider our own expectations and communication of them and further enhancing our own capabilities to improve our own assessments. We already consider board effectiveness, but culture is more difficult to regulate / supervise.

So progress has been made. However it remains an area where our approach will continue to evolve. 

Consumers

At the heart of the Central Bank’s mission are two imperatives: safeguarding stability and protecting consumers. We can see as we engage with firms across the different sectors that achieving an appropriate culture leads to more positive outcomes for consumers (as well as a more constructive engagement with the regulator).

Earlier this year, we published our first Consumer Protection Outlook Report in which we identified a number of priority areas of focus over the coming period. We will continue to build on our engagement with firms’ boards and senior management on these matters. We will continue to monitor and challenge firms on how they are developing their internal consumer protection risk frameworks, including governance arrangements. And how they are implementing and monitoring performance metrics based on a comprehensive understanding of their customers’ experiences, behaviours and needs.

A related priority area is our monitoring of firms’ incentive structures, which can be a significant driver of individuals’ behaviour and can also reflect the inherent culture within a firm. We will therefore continue our supervisory work in this area to ensure that firms have implemented the guidance we issued in 2014 on appropriate variable remuneration arrangements for sales staff.

Our work to protect consumers includes ensuring the fair treatment of tracker mortgage borrowers. This has been a key supervisory and policy focus for the Central Bank over the past number of years. Last month we announced publicly that we had commenced a broad examination of tracker mortgage related issues including, amongst other things, transparency of communications with and contractual rights of tracker mortgage borrowers.

We are currently engaging closely with a number of lenders on points of concern relating to their ability to demonstrate that they have acted in the best interests of their tracker mortgage customers, with a number of lenders currently undertaking their own internal reviews. We have also been engaging with consumer groups as well as the Financial Services Ombudsman to help inform the scope of the wider examination, which we will communicate to lenders in December.

Risk appetite

Risk appetite is another area which played a material role in the crisis and where there remains important progress still to be made.

I was very pleased to see that when we co-hosted an event with the Institute of Directors on this topic a couple of weeks ago we had more than 350 participants. This suggests to me that this is an area that industry, just as much as regulators, are keen to make strong progress on.

Deputy Governor, Cyril Roux stated in his keynote speech at that event:

One of the key factors underpinning the financial crisis was the weakness of risk culture and the failure of effective risk management in many financial firms. Failures in the area of risk appetite were an important aspect of this. While a good deal of progress has been made across the financial services industry in addressing such issues, we are by no means at the end of the journey. Both risk culture and risk appetite remain areas where there remains much to be learned and done.

In mid-2014 the Central Bank published ‘Risk Appetite – A Discussion Paper’ to generate debate with stakeholders on risk appetite, its link with strategy and its importance for financial institutions.

This was a response concerns about:

  • variable quality of risk appetite methods, cultures, and processes;
  • need to embed of risk appetite throughout the organisation; and
  • varying degrees of skills, experience and knowledge with respect to risk and its management.
  • The responses to the discussion paper, which were summarised in the related feedback statement, provided a useful insight into the practices utilised by financial services firms in Ireland.

The feedback statement set out the intention of the Central Bank to host the Risk Appetite Forum in 2015 in order to generate further discussion on risk appetite, including regarding the role of risk appetite and what constitutes good practice in relation to setting risk appetite and practical experience and challenges of embedding risk appetite in an organisation.

One of the themes that was discussed at the Risk Appetite Forum was how to promote and galvanise improvements in risk management. Amongst participants there was concern that unduly prescriptive guidance from the Central Bank could have a chilling effect on the ongoing development of sound practices in the area.

We see this risk. It is also important that there be continued and enhanced momentum behind firms’ efforts in this area. It will certainly continue to be a key focus of supervisory attention. And we will give consideration to other tools and mechanisms that might helpfully be deployed.

Fund Management Company Boards

In June this year, we consulted on draft guidance for boards of fund management companies with respect to oversight of their delegates. The responses received have been analysed, and the final delegate oversight guidance has now been issued. 

It is located in a document which contains two other pieces of Central Bank guidance for boards of fund management companies – these relate to directors’ time commitments and the organisational effectiveness role.  Together, these three chapters provide clear guidance from the Central Bank on its expectations of fund management company boards. 

In brief, they must approve the investment approach and distribution strategy for each investment fund under management, they must closely oversee their delegates, they must ensure that they have sufficient time available to them to perform their role properly and they must have an independent director in an organisational effectiveness role who has clear sight over the organisation and direction of the fund management company. Boards of fund management companies should obviously pay close heed to this guidance and should ensure that their board minutes document how they are complying with it.

Recently and currently the Central Bank has been focusing considerable attention on the roles of two key actors for fund management companies – directors and designated persons. Having published guidance in respect of the former, we are now looking at designated persons. Designated persons are responsible for managerial functions and sit between the board and the delegates. It is their job to ensure that the directions given by the board are acted upon and to support the Board in ensuring that the delegates are carrying out their activities in accordance with the mandates given to the delegates by the fund management company. We are preparing guidance which will detail how we expect designated persons to carry out their roles. We anticipate consulting on this guidance early next year.

Shadow Banking

Shadow banking is another item that will continue to be on the radar of the Central Bank and policy makers over the period ahead.

The first thing to note is this: the phrase ‘shadow banking’ is used in various references and somehow sounds like it is necessarily a dubious activity. If on the other hand you say ‘market-based financing’ or ‘alternative funding channels’ it sounds positive (and takes us back to CMU).

Our primary concerns as both international and domestic supervisor and Central Bank is (a) how do we make sure that we have a full picture of  financial activities that are taking place both inside and outside the banking and/or wider regulatory framework? (b) do we understand the risks and whether they give rise to financial stability or other concerns both within and outside any given jurisdiction? And (c) are we well positioned to judge whether further regulation or supervisory intervention is necessary.

Significant work has been underway over recent years to build greater understanding of this complex area. This work is led by the Financial Stability Board together with international standard setters. This is critically important as shadow banking is as much about international linkages as domestic. For example, in respect of Ireland’s shadow banking sector, only a certain amount of the financial linkages will be internal to the Irish economy, the largest part being European and international linkages.

Speaking of shadow banking and the FSB, I cannot omit to mention the FSB’s latest annual Global Shadow Banking Monitoring Report. In this report Ireland is covered for the first time. What emerges is, not unexpectedly, that Ireland’s non-bank financial sector is very large relative to its Irish-resident banking sector.

It is very important to note however that the largest component of these, investment funds and money market funds, are already subject to regulation under AIFMD and UCITS IV.

However it is clear that this is an important area for continuing focus given the Central Bank’s financial stability mandate. The Central Bank for example is closely involved in the work of IOSCO to understand better the issues of liquidity risk in investment funds and the extent to which such risks arise. We will also continue to undertake our own national work to have an up-to-date clear picture of the activities in this space and any potential risks arising and we will continue to work with our international peers with a view to safeguarding financial stability globally.

Finally, the FSB Shadow Banking monitoring exercise of 2015 has increased coverage compared to previous years. This is welcome progress. There is evident scope for the work to become even more comprehensive. We are hopeful that even more jurisdictions will work with the FSB to increase the coverage of its monitoring in future years so that their work gives an even more complete picture.

Technology and Cyber Risk

I would like to share a few thoughts with you finally on technology and cyber risk. Like other regulators we see this area as being a central focus during the coming years.

Technology is at the heart of modern financial services. When it goes wrong it can pose threats to all of the things the Central Bank cares about: consumer protection, financial stability, prudential soundness, the reputation of the Irish financial system.

Cybercrime (in the form of hacks, data theft and disruption of services) are carried out by organised crime groups, but ideological groups, amateur hackers, ideological groups, and in some parts of the world competitors and States also constitute cybercrime threats.

A substantial number of technology incidents are caused or facilitated by inadequate performance by regulated firms: a failure to see technology risk with the importance it has; a lax approach which sees technology risk as being for the IT folks to handle; a lack of senior management and board engagement; underinvestment; herding behaviour; poor security practices; ineffective procedures; outsourcing control failures; etc. There is very often an unwise belief in some smaller firms that they won’t be targeted, but there is also substantial anecdotal evidence that this is not true.

We believe that there is significant weakness in this area and will be seeking change.

We have begun the process to bring about change in this area. To give you a few concrete examples, we issued questionnaires to banks to develop a better understanding of their cybersecurity preparedness and resilience. Our Banking IT risk inspections team is performing inspections to ensure firms have the right countermeasures in place. And we have undertaken a themed review of cybersecurity risk management in investment firms.

One important point is the need for ownership of technology risk and cybersecurity at Board and senior management level. Such is the potential impact of these threats, final responsibility cannot be delegated or outsourced.

The Central Bank is already undertaking a considerable amount of work to strengthen cyber resilience in the sector. Nevertheless, given the increasing number and sophistication of these risks, we are determined to demand significantly increased effectiveness in this area.

We  will publish an initial paper setting out our current thinking and experience of this risk and overall expectations of regulated firms early next year.

Conclusion

In conclusion, let me circle back to where I started: the importance of the compliance discipline and the compliance profession.

The Central Bank is strongly supportive of the role that compliance professionals play in giving direction to the culture of firms, to their treatment of customers, and their management of prudential risks.

Thank you very much for your time and attention.