At the same time, international regulatory organisations are increasingly seeking to regulate the banking and financial services industry. The two drivers of risk and regulation are provoking a serious review of existing IT systems. One change of major impact will be Basel II. The final version of the Basel II Accord was published on 26 June 2004.
So what is Basel II?
Basel II is an international Accord developed by the Basel Committee on Banking Supervision. It is set to create a new global standard for how banks and certain other financial institutions measure risk and allocate capital. Estimates vary but the cost of compliance for the global industry is likely to be above £100 billion. However, the majority of banks and financial institutions are behind schedule in their preparations and are having to face numerous obstacles in order to meet this latest regulatory challenge.
How has it come about?
The original 1988 Basel Capital Accord (Basel I) sets out regulatory capital requirements to ensure that banks and certain other financial institutions have enough money to cover potential losses from their transactions. It sets out rules for calculating a risk-weighted capital ratio. As a general rule, an organisation's total capital should never fall below 8% of the sum of its risk-weighted assets. This basic concept remains under the new Accord (Basel II) but the calculation of risk-weighted assets has been changed in order to make the resulting capital ratios more meaningful to the different sizes and levels of sophistication of each of the "Basel" regulated entities.
Basel II introduces a more advanced system that will make banks' and other financial institutions' assessments of their own investments and loans more sensitive to credit and market related risks. There is now a choice of two different approaches to assessing credit risk, the Standardised Approach and the Internal Ratings-Based Approach (which is further sub-divided into Foundation and Advanced approaches). The Accord also, for the first time, deals explicitly with operational risk ("the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events"; this covers, for example, human error, systems failure, fraud and legal risk, but excludes strategic and reputational risk) and requires organisations to hold capital expressly against these risks.
The three pillars
Basel II includes three mutually reinforcing pillars, which together should contribute to safety and soundness in the financial system:
Pillar 1: Minimum Capital Requirement
This covers market, credit and operational risk.
Pillar 2: Supervisory Review Process
This sets the framework for supervision. Supervisors will be able to require banks to hold additional capital against risks not covered by Pillar 1.
Pillar 3: Market Discipline
This sets out the framework for market disclosures by banks and financial institutions.
Basel II will be implemented in the EU by way of the Risk Based Capital Directive (also known as The Capital Requirements Directive or CAD 3). The UK will then implement this, with the FSA being the supervisory authority.
While the Accord is not mandatory and national regulators are free to choose how to apply it, the EU is taking a very rigid stance and is proposing to apply the new rules to most investment firms as well as banks. The US Federal Reserve, however, has indicated that it will expect only the top 11 US banks to comply - although a further 10 or more are expected to opt in. India and China have stated that they do not intend to implement the Accord.
Although it is not possible to state with certainty when the Risk Based Capital Directive will be finalised, the Dutch Presidency has expressed a desire to secure agreement on the Directive by the end of 2004. The proposed Directive sets out staggered implementation dates from the end of 2006 to the end of 2007. The UK is pushing for a single implementation date of end 2007 to allow more time for preparation and uniform implementation.
So what are the main concerns for your organisation?
The bottom-line requirement is that the data capture needed to identify and analyse operational risk factors must be fully operational by the end of 2004 if the end-2006 implementation target is to be met: if Basel II takes effect at the start of 2007, two full years' data will be required.
Yet a recent study by KPMG of 294 banks in 38 countries revealed that many banks are falling behind schedule on their projects to prepare for Basel II - 10% of banks worldwide are still establishing their Basel teams and around half of banks are still only in the pre-study or assessment phase.
The cost of compliance is proving to be the biggest barrier. The major banks will spend up to £85 million but recent surveys claim that many banks have a total Basel budget of less than £670,000.
The other significant challenges banks are having to face include lack of time, lack of data for operational losses, inflexibility of existing IT systems and a shortage of Basel experts (particularly in the Asia Pacific region).
The demands of data management under Basel II are also a concern for banks and other financial institutions - including identifying the correct data, integrating and managing the data, carrying out sophisticated analysis and creating the required reports.
But why comply?
There is a certain amount of concern in the UK banking and financial services industry about the approach that the FSA will take towards supervisory review. While the FSA is in the process of consulting with the industry on its implementation strategy, it is unclear at the moment exactly how the FSA will assess the robustness of the systems developed by the banks and other financial institutions it regulates. However, aside from the various penalties that the FSA will be able to apply (likely to include revocation of authorisation and substantial fines), there will be substantial costs from adverse PR if organisations fail to comply.
At the same time, there may be benefits to be had from proper compliance with the provisions of Basel II.
If banks and financial institutions develop sophisticated internal risk-measurement processes and can show them to be sufficiently accurate, they will be allowed to use these to calculate the capital they must hold against their exposures. This is likely to lead to a reduction in capital requirements.
Improved credit rating systems and improved management of operational risk will also be of benefit. Organisations that address compliance effectively will see the up-side to Basel II to be significant improvements in customer service, risk management, decision-making, operational efficiency and cost reduction. All such improvements build consumer confidence and enhance brand and reputation.
Compliance will be necessary and the trick will be to attain sufficient compliance in a cost-effective way. The liability cost of non-compliance will be high, but there is equally a potential cost of attaining compliance in the wrong way, and there are no prizes for over-compliance. Instead, over-compliance can create barriers for your customers, so the key will be to identify best business practice and implement it rigorously.
What needs to be done?
Basel compliance should not be seen in isolation and indeed should be combined with the myriad of competing regulatory challenges, which (in the UK at least) can include obligations under the Companies Act, Data Protection legislation, Anti-Discrimination requirements, Competition law, VAT, Health and Safety Regulations and the combined code of corporate governance. Additionally, the FSA has responsibility for regulating mortgage business from 31 October 2004. The new FSA regulations require an adviser, if using point of sale software systems to take a mortgage applicant through the sales process, to use automated software systems which comply with the FSA regulations.
On a global scale, the new international accounting standards (IAS) which are due to be introduced in 2005 will require thousands of companies to record their financial performance in a new way. Furthermore, legislation such as Sarbanes-Oxley, whilst not directly relevant to all UK organisations, will impact upon global organisations operating here, and also on UK and European companies that have securities publicly traded on various US securities exchanges.
We suggest the following as a checklist of potential activities:
- Impact assessment: This has to be the starting point. What do these new laws and regulations require your organisation to do to its existing IT systems in order to achieve compliance?
- Timescales: These projects are time-critical. By when do the changes need to be in place? Where your organisation relies upon third parties to achieve compliance for them, what incentives should be put in place to maximise on-time completion and what should the contractual recourse be for delay?
- Contract review: Your organisation should carry out an audit of existing contracts relevant to the IT systems which require change. Such contracts may provide for the allocation of cost - either through one party paying all the costs or by making everything subject to a negotiated "change control" arrangement. Many contracts contain 'compliance with law' clauses under which the original supplier of the product or service commits to ensure that it remains compliant with laws and regulations during the term of the agreement. Such clauses have significant legal repercussions, because they mean that, technically, the supplier is responsible for meeting all the costs of the changes its customer requires. It is important that businesses understand the contractual position as a basis for negotiation with their suppliers.
There are implications to consider in systems contracts generally, because how liability is dealt with will form part of a bank's or financial institution's operational risk analysis. Both new and existing contracts will need to be reviewed in respect of system procurement and integration projects, maintenance, disaster recovery relationships and outsourcing arrangements. Matters such as liability, warranties, rights of termination and IPR ownership will need to be addressed.
The information management demands of Basel II will require banks and financial institutions to look closely at the adequacy of their current IT systems. Analysts are predicting a possible $4 billion spend on software and services over the next 2 years in the run up to the implementation of the Accord. IBM have just unveiled a package of software, hardware and consulting services aimed at the Basel II market and there are numerous other software packages and services available from third parties.
Contract review might lead to the need to renegotiate key contracts. As such you will need to assess your ability to renegotiate, be familiar with any change control process and be comfortable with your termination options should the negotiation process fail.
- Who is going to make the changes? Allocating tasks is crucial. Many different entities could be involved: the original supplier of legacy software, support service providers, consultants and the in-house IT team. You need to understand how the team should inter-relate.
- Helping third parties: If a third party is going to make the changes for the company, what information and assistance does the company need to provide to ensure that the programme succeeds? Don't underestimate this - the business ultimately responsible for compliance is yours and the third party cannot deliver a "quick fix solution" for you without your sustained input.
- Cost: The cost projections for these compliance projects are huge. Who is going to pay? Who is legally obliged to pay?
- Advice on risk scenarios and risk management: Investigate local sanctions for non-compliance (FSA for the UK, BaFin for Germany, etc.). Create multi-jurisdictional compliance programmes (could a multi-jurisdictional matrix on the fines/sanctions scenario be developed?)
- Procuring new systems: what does your organisation need to do about procuring new systems in terms of specifications, warranties etc in relation to existing and new integration projects, maintenance and disaster recovery projects and outsourcing projects?
- Reporting and data retention: What reporting and data retention obligations regarding risk management are applicable to your organisation (to regulators, for instance) and how efficient and effective are your systems and controls in evidencing compliance?
- What happens if you are not compliant? What are the consequences for your organisation, its officers and stakeholders if the required changes aren't achieved on time?
Basel II is the biggest IT challenge for the banking and financial services industry since Y2K and it is essential for organisations to prepare for it. Unlike Y2K, however, there is no doubt that these changes are on their way. What needs to be realised is that if the challenges are faced up to, and banks and other financial services firms resource their Basel II projects properly in terms of money, time and people, there will be significant benefits beyond the ability to demonstrate compliance.
Main Authors - Mark O'Conor & Barry Jennings
Contributors - Andrew White, Alexander Duisberg, Anthony Olsen & Fiona Owens
For further information, please contact Mark O'Conor or Barry Jennings at Bird & Bird by email at firstname.lastname@example.org, email@example.com, by telephone on +44 (0)207 415 6000.
Important - The information in this article is provided subject to the disclaimer. The law may have changed since first publication and the reader is cautioned accordingly.