Monday, November 9, 2009

SEC Chair Seeks Funding Plan That Doesn't Rely On Congress

By Fawn Johnson for DOW JONES NEWSWIRES, November 6, 2009

Securities and Exchange Commission Chairman Mary Schapiro said Thursday that the SEC needs "sufficient, stable long-term funding" that doesn't rely on the congressional funding process.

"I think it is important that Congress address the issue of self funding, allowing the SEC to retain the regulatory fees it collects," Schapiro told a group of students at Harvard University's John F. Kennedy School of Government.

According to the text of her speech, Schapiro said, "We have to have the resources to hire the people we need" and noted that the agency's staff size and technology investments are less than they were in 2005.

Sen. Charles Schumer (D, N.Y.) has introduced legislation that would allow the SEC to fund itself based on the fees collected from financial institutions, claiming it would boost the agency's resources. In 2007 the SEC was granted a budget of $880 million by Congress, but the SEC took in about $1.5 billion in fees collected from financial institutions.

Other independent agencies, such as the Federal Reserve and the Federal Deposit Insurance Corp., fund themselves from fees collected from the industries they oversee.

Critics of giving the SEC the same authority are likely to say that it could cause the agency to go unmonitored.

The SEC has faced harsh criticism for its years-long failure to detect wrongdoing of the convicted Ponzi-scheme operator Bernard Madoff.

Schapiro said the SEC is trying to get out from under the bad name it inherited from the Madoff debacle. She said she wants the staff to learn from the past, and she sent the inspector general's report about the SEC's behavior to all employees and encouraged them to read it.

In September, Schapiro also created a new unit aimed at identifying market trends and new financial products and brought in law professor Henry Hu to run it.

The unit combines two existing groups, the agency's office of economic analysis and its risk assessment division, and takes on new responsibilities to look for trends in the market, conduct research and train staff.

Separately Thursday, the SEC announced that three financial hotshots would be joining that division. Schapiro said the new hires have "modern capital markets expertise," something badly needed at the SEC.

Richard Bookstaber will be the senior policy advisor to Hu. He served as the managing director in charge of firm-wide risk management at Salomon Brothers, director of risk management at Moore Capital Management, and Morgan Stanley's (MS) first market risk manager.

Adam Glass and Bruce Kraus will each serve as counsel to the director. Glass comes from Linklaters LLP, where he founded its Structured Finance and Derivatives Practice. Kraus comes from Willkie Farr & Gallagher LLP, where he practiced corporate and securities law for more than 20 years.

Tuesday, November 3, 2009

Too Big to Fail: Closing the Barn Door Too Late

Without exception, each of the regulators with responsibility for monitoring financial markets has spoken in favor of strong enforcement of financial regulation and policing of market players. Unfortunately, little has actually changed in the year since the collapse of Lehman Brothers, and it appears that whatever regulatory regime gets passed by Congress will be a watered-down version.

The debate over "Too Big to Fail" feels a little like closing and locking the barn door after the cows have escaped. Too little, too late! The current debate surrounding the principle of Too Big to Fail has been interesting. Without taking sides, I find it interesting that much of what has occurred could have been prevented with simple enforcement of existing regulation. See posting by the FTC (http://www.justice.gov/atr/public/speeches/245711.htm).

Lax enforcement suggests that the regulatory markets, like politics, have become influenced by campaign finance. The conflicts of interest may be too great and may require new thinking altogether! To tackle this issue head on, one could envision the creation of an independent oversight board that is funded through industry fees and enforcement revenues and staffed by professionals with multi-disciplinary expertise in financial services. This board would not be funded by Congress but would be accountable through legislative oversight committees. The members of the board would serve as the "Risk Regulator" and would provide market data on trends in emerging risks in banking, finance, and industry in general. The mandate of the board could include ensuring that regulators are sufficiently engaged in oversight, mitigating gaps in regulatory oversight, and drafting policy recommendations to reduce systemic risk.

One important service that this board could provide is an "early warning" on products that are high risk or not in the best interest of the public. The "early warning" reports should be available to investors and the public in general. The transparency of public disclosure of high-risk behavior would serve to curtail or "chill" excessive risk taking for fear of "making the list" of bad actors. In the future, market participants would promote their risk management expertise by pointing to their absence from the report. This strikes me as more effective than tying risk management to compensation, given the challenges in calibrating compensation to risk taking.

There will, no doubt, be many variations on this theme. However, the reality is that the financial markets' ability to innovate new and potentially risky products exceeds regulators' ability to keep pace. An independent Risk Regulator would be able to set a strategic agenda without the influence of industry or congressional mood shifts.

Too Big To Fail assumes "failure" is inevitable. Failure does and will happen; however, American taxpayers should not be expected to assume this risk. We should focus on getting back to the Prudent Man Rule of investing and overseeing one of our most important means of securing our future, the financial and economic markets.

Thursday, July 23, 2009

Cloud Computing Controls


If you spend any time eavesdropping on your CIO’s conversations these days, you’re likely to hear him or her talk about “virtualization.”

As technology goes, virtualization is a nifty idea: software programs out on the Internet somewhere serving the same function as hardware typically housed in your company’s data center. It travels under multiple names—cloud computing, software-as-a-service, or utility computing, to name a few—but essentially the idea is to cut costs and improve data management by letting a vendor handle the maintenance.

We can leave CIOs to separate the hype from the real value in cloud computing, and that will take some time. Compliance officers, meanwhile, should educate themselves on exactly what cloud computing would mean for their organization and maintaining an effective control environment—because it can pose quite a few new questions for you.

Let’s first explore what’s behind the drive for these services. Businesses increasingly want to leverage scalable technology in cost-efficient ways; the ability to scale and provision computing power dynamically is one powerful lure for these services. Second, today’s younger, mobile workforce and customers expect and want constant connectivity to the online world. In fact, the demand for these services can be measured by the vendors who have entered the market lately: IBM, Microsoft, Amazon.com, Google, Oracle, SAP and more. This isn’t a fad, clearly. Many people expect cloud computing to be a powerful force for years to come.

So what is a “cloud,” exactly? Industry experts debate the precise definition, and therein lies one of the real challenges with the technology. We can say cloud computing is really a culmination of many technologies that have developed for more than a decade. The cloud architecture can be private (hosted within a company’s firewall) or public (hosted on the internet).

There does not, however, appear to be a common taxonomy for cloud computing. Most attempts to develop standards for it have been met with concerns that have prevented a consistent application of offerings. Attempts at an “Open Cloud Manifesto” or a “Cloud Bill of Rights” have been met with skepticism over the intent and feasibility of standards when the technology of cloud computing is still so immature. (I’ll explore these core challenges later.) Additionally, the regulatory environment for protecting and securing confidential data is complex and requires a comprehensive compliance program. Pinning that comprehensive program to a cloud, so to speak, is neither easy nor repeatable from one company to another.


Above all, however, understand that cloud computing—regardless of its specific name or design—is the outsourcing of potentially critical applications or data. Outsourcing does not mean that compliance can be delegated to the vendor. Management is responsible for selecting and developing controls that ensure the vendor(s) chosen have appropriate controls in place and will be monitored on a continuous basis. Compliance professionals and senior management must know and assess the cloud provider, and oversee the provider’s controls using techniques that maintain compliance with the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act, various state data privacy regulations, and in some cases country-specific regulatory limitations.

Yes, given the concerns raised by business customers and the ever-changing regulatory scene, some cloud vendors have begun to promote cloud-compliant services. All I can say is: Let the buyer beware! Companies should always perform their own due diligence on cloud providers, and develop comprehensive service level agreements that document who is responsible for what and how these services will be provided.

Sarbanes-Oxley requires a standard framework for evaluating internal controls. Typically, a COSO framework is used to assess internal controls; however, regulators haven’t provided much guidance, nor has the industry agreed on consistent application standards, which complicates the development and implementation of a common set of controls. Therefore, compliance pros must develop a defensible set of criteria for assessing the controls of cloud providers. Following is a starting point for developing a matrix of controls to consider as part of your cloud control toolset.

Security. Unauthorized access to sensitive business and customer data leaves organizations exposed to financial and regulatory risks. Assessing and monitoring storage capacity, location, and physical as well as application access is a critical first step in assessing the control environment of cloud providers.

Data Segregation. Understand how your data is segregated. Does your data share a “virtual locker” with other customers? How does the vendor prevent unauthorized access from other customers?

Records Management. Are records retention and records destruction standards consistent with your industry? Does your cloud vendor know this, and know what those standards are? Are there multiple backups of your data in multiple locations?

Vulnerability Scanning. Are network or vulnerability scans allowed? Are there formalized protocols in place to perform scans? What limitations (if any) exist? And how are vulnerabilities disclosed to you, the customer, and then mitigated?

Audit Trails. How can the company demonstrate the effectiveness of its controls for authorization, authentication, segregation of duties, program development and program changes? (Because in the event of a regulatory probe or litigation, you can bet that other parties will expect that you’re able to do so.) How robust are the cloud provider’s controls, such as firewalls, encryption, monitoring reports, and denial-of-service defenses?

Interoperability and Portability. Few standards exist yet to assess different cloud providers’ interoperability of services and portability of data, but such compatibility is critical if a company needs to recall the data or move the data from one vendor to another. Performing this analysis in advance will save you money and business disruptions down the road.

Seeking Help

If you still are uncomfortable with your own assessment, you can rely on a few industry standards to help ease your fears. First consider a SAS 70 SysTrust audit, which evaluates whether or not a specific system is reliable when measured against four essential principles: availability, security, integrity, and maintainability.

Additionally, ask whether the provider complies with the ISO 27001 or ISO 27002 standards, which govern information security. ISO standards aren’t formal assurance, but they do imply that the vendor uses a formal method of practice and a summary of controls that may be evaluated as part of the due diligence process.

Outsourcing to a cloud computing vendor is a business decision with far-ranging implications, not the least of which is compliance with Sarbanes-Oxley and Gramm-Leach-Bliley regulations. Businesses should consider all of the risks and rewards to pursuing this path. Cloud computing is continuing to grow and expand as the dynamics of business drive companies to reconsider the cost of maintaining in-house data centers. Compliance professionals should be included in the evaluation of this critical business decision, to ensure the strategic plan includes no surprises down the road.

Responsibility for compliance cannot be delegated to the vendor. If you decide that outsourcing to a cloud vendor gives your business the operational benefits you need, developing the internal controls between your firm and the cloud provider is still largely your job and your problem. SOX holds management responsible for ensuring and assessing that their internal controls are adequate and effective, even when those controls reach into the clouds.

Thursday, April 16, 2009

Preparing a Road Map for the Coming Regulatory Change

During a time of financial crisis, survival is typically the priority of the day for most organizations, as well it should be. However, amid all of the dire economic news, success stories have begun to emerge of banks and other institutions surviving quite well and, yes, thriving in this tough economic environment! The question is what has prepared these firms to do more than just survive, and how are they preparing for the coming changes in regulation that may impact the future of their organization?

I offer, as an example, a family-owned regional bank in Missouri with an affiliate bank in Colorado whose assets have grown by one-third. This bank has increased loans by 40% while maintaining a nonperforming loan ratio of 0.2% compared to an average of 1.17% for similar sized banks. The bank’s revenues are up and they are expanding and taking market share while others are retrenching.

When asked how they are doing so well, the Chief Executive stated, “It’s basic blocking and tackling, in my opinion, and it has paid off for us”. Why has United Missouri Bank thrived where others have not? The simple answer from the CEO is that “If conservative means [being] responsible or prudent, we are conservative.” UMB practiced strong risk management during a time when sound operating principles were not in vogue.

Much has been made of the failure of complex quantitative risk models, alternative products, and over-leverage. However, all quantitative risk professionals understand the inherent weaknesses in their mathematical models. There should be no surprise that these models could not predict all possible outcomes across an unlimited risk spectrum. The worst-case scenarios seem highly unlikely when the incentives for profit, bonus enhancement, and share growth take precedence. It is very difficult for the risk officer to say no when everyone else in the room wants to move forward.

What lessons can be learned in preparing a road map for significant change in regulations, tough economic times and competition? What is the role of the Chief Executive, Boards of Trustees and the Chief Compliance and Chief Risk Officers in navigating risks and opportunities facing all organizations?

Now is not the time to take a bunker-style approach! Proactive steps now will pay dividends when the economy and markets recover.

Practical actions that can be taken now include:

• Assess gaps in risk systems and analytical models, such as liquidity risk
• Make an objective evaluation of internal controls given current resource constraints
• Use the current market environment to hire new skills that complement existing staff
• Communicate with customers, vendors and clients about the actions you are taking to enhance controls and evaluate their controls, as appropriate
• Review risk and compliance policies to clarify and strengthen awareness of expectations on risk management
• Engage senior executives on their expectations about managing risks
• Evaluate systems resource capability to support new regulatory requirements
• Develop budgetary flexibility to respond to rapid and unexpected change

Longer term:

The road map begins with a well-defined strategic framework for the core operating principles of the organization. These core operating principles define fiduciary responsibility, sound risk management and prudent business practices that are consistent with the long-term viability of the firm and accrue to the benefit of all stakeholders.

The Board of Trustees and the Chief Executive Officer should be responsible and accountable for the risk profile and appetite of the firm. Risk management should not be delegated to functional staff. Just as the financial performance of the organization is the responsibility of the CEO yet managed by the Chief Financial Officer, the Chief Risk Officer should manage risk while overall risk performance remains the responsibility of the Chief Executive Officer. The Board should base merits or demerits for senior management on financial as well as risk management performance.

The Chief Risk Officer, therefore, should not be a siloed C-suite position but an active participant in corporate strategy, responsible for anticipating changes in systemic and regulatory risks for the firm. Sarbanes-Oxley elevated the Chief Compliance Officer to a Board-level position responsible for managing internal controls for financial disclosure and required trustees to have audit expertise. The role of risk management should likewise be elevated to the top of the organization, with Board-level ownership of risk management.

While it is too early to tell the final outcome of regulatory change or predict the direction of economic recovery, firms like United Missouri Bank have hewed to conservative risk management practices throughout their 95-year history. This is not to say that firms should not take on risks. However, the fundamentals of conservative risk management practice: understanding who you do business with, the risks you are taking, and aligning these practices with the core principles and the long-term growth of the firm are the basic blocking and tackling needed with so much change in the offing.

http://www.businessweek.com/managing/content/apr2009/ca20090415_665225.htm

Tuesday, March 10, 2009

The “Conflicts of Interests” in Financial Services

No doubt, there will be many articles and commentary on both the cause and the cure of the current financial crisis. These articles will explore the root cause from many angles and take the perspective of the author’s view based on their insights and participation in the solutions applied.

The purpose of this article is to take a step back and look at the current financial problems as a physician would a patient to diagnose the events as symptoms that led to the eventual financial health failures. What did the patient present as possible leading indicators to the catastrophic event?

First, the title, “Conflicts of Interests”, is a play on words. It is intended to be a little provocative and to explain how the current problems can be traced back to separate and subtle symptoms of conflicts that were either not addressed or ignored by Congress, regulators, boards of trustees, shareholders, external auditors, investment bankers and senior management.

I will trace back to the early 1990s and use one business case that encapsulates the historical symptoms presented by the patient, in this case Enron. During the early 1990s the American economy was enjoying one of the longest economic booms in history. Enron was billed by Fortune magazine as “America’s Most Innovative Company” for six straight years from 1996 to 2001. In 2001 Enron became one of the largest corporate bankruptcies in U.S. history! What went wrong?

Enron’s entire financial structure became the road map, or the “playbook”, for many of the financial issues that have surfaced at the money center banks today. While today's new products and issues are different, the similarities are striking as examples of the systemic risks reverberating across markets today. Here are but a few examples:

(1) By the late 1990s Enron effectively controlled almost 25% of all electricity and natural gas contracts traded worldwide through the use of derivatives and other forward contracts. This massive concentration of control was a huge red flag!

(2) Special Purpose Entities (SPEs) – SPEs are legitimate structures when set up properly and independently of the parent company to limit risk. Enron effectively maintained control and used these vehicles to hide massive debt that eventually had to be brought onto the parent company’s financial statements. Second red flag!

(3) Deregulation – Energy production in the US was a government-sanctioned monopoly until the late 1980s. Government regulated power plant construction, the rates to be charged for power, and ultimately the earnings of energy companies. Deregulation required the market to replace the role of government in production, long-range transmission, and local distribution. Enron stepped into this void and created the intermediation activity that led to its dominance of the industry. Poor oversight was the 3rd red flag!

(4) Opaque financial disclosure was a 4th red flag! The off-balance sheet transactions represented huge risks and debt. The failure to follow generally accepted accounting principles led to the formation of the Public Company Accounting Oversight Board and ultimately the collapse of Arthur Andersen.

(5) Financial engineering - In 1993, Goldman Sachs & Co invented a security that was treated like a debt or equity security to cut Enron's federal tax bill. The Monthly Income Preferred Shares, or "MIPS", as they were called, were treated as both a fixed income and an equity security. Enron set up an offshore subsidiary which sold the preferred shares through Goldman Sachs. The subsidiary then lent the proceeds to the parent, Enron, to be paid back over 50 years or more. Enron deducted the interest payments from its taxable earnings with the IRS. However, to shareholders Enron described the obligation as "preferred stock in subsidiary companies". The Treasury department tried repeatedly, to no avail, to stop this practice by enlisting the SEC to intervene. This product became a very popular financing tool on Wall Street and gained support in Congress, according to John D. McKinnon and Greg Hitt of the Wall Street Journal.

(6) Easy credit - Enron sued and is currently settling with as many as 175 banks that financed its operations with easy credit. Enron settled with Goldman Sachs, Royal Bank of Scotland, Royal Bank of Canada, Canadian Imperial Bank of Commerce, JPMorgan Chase, Toronto-Dominion Bank, Merrill Lynch & Co., Fleet Bank (now owned by BankAmerica), Barclays Plc, and Deutsche Bank AG, to name a few. Much of the lending centered around commercial paper on unsecured, short-term loans issued by Enron.

If these red flags resonate with the problems in today’s market crisis, they should. Even with the advent of Sarbanes-Oxley, the Public Company Accounting Oversight Board, and the Investment Company Act and Investment Advisers Act of 1940 (206-4(7) and 38a-1), the patient is still on life support!

In retrospect, we should have seen this coming. The failure of outside auditors, internal corporate oversight, experts in federal government, senior management, financial analysts, boards of trustees, and investors to act as checks and balances on this behavior serves to warn us of the tremendous pressure to remain silent when the rewards are large for all those who participate.

Like the doctor who prescribes a cure that is untenable to the patient, the "conflicts of the collective interests" were too powerful to stop the unfolding financial collapse. The medical prognosis is that the patient will live; however, her quality of life will be diminished unless a more measured approach is taken.

This should be a warning to the market! Enlightened self-interest operating unchecked can lead to disastrous results unless tempered by a concern for the health of the entire economy.

Sources:
1 – MSN Encarta’s compilation of news articles and public events
2 – Knowledge @ Wharton
3 – Time, in partnership with CNN
4 – Chron.com
5 – The Wall Street Journal

Corporate Ethics: The Road to Recovery

In a new Marist Poll commissioned by the Knights of Columbus, 76% of Americans and 58% of corporate executives graded corporate ethics a failing score of D or worse. It seems that Americans believe that personal financial gain and career advancement are more of a motivator for corporate decisions than concern for the public good or the welfare of employees, shareholders, and customers.

No less than the Chairman of the Financial Services Authority (“FSA”) in the United Kingdom, Lord Turner, allegedly accused Britain’s current Prime Minister, Gordon Brown, of “political pressure” to apply a light touch to regulatory oversight, leading to the collapse of that country’s largest banks. As Chancellor of the Exchequer, Mr. Gordon Brown oversaw the FSA prior to becoming Prime Minister. The now-famous Moore Memo, by Paul Moore of HBOS, has led to the resignation of Sir James Crosby, the deputy chairman of the FSA.

Similarly, the Securities and Exchange Commission has been accused of regulatory neglect during the tenure of former Chairman Christopher Cox. Chairman Cox allegedly set up hurdles for the agency’s commissioners which hindered their ability to expeditiously bring enforcement cases.

What does this have to do with ethics? The current banking crisis may be directly linked to a systemic failure of corporate ethics. Mr. Paul Moore described the dilemma in his testimony to the UK’s Treasury Select Committee, “In simple terms this crisis was caused, not because many bright people did not see it coming, but because there has been a completely inadequate “separation” and “balance of powers” between the executive and all those accountable for overseeing their actions and “reining them in” i.e. internal control functions such as finance, risk, compliance and internal audit, non-executive Chairmen and Directors, external auditors, The FSA, shareholders and politicians.”

Restoring fundamental principles of fiduciary responsibility, the prudent man rule, may in fact be the tools that financial institutions and corporations need to repair trust in the marketplace.

Adam Smith wrote in The Wealth of Nations, “In the midst of all the exactions of government, capital has been silently and gradually accumulated by the private frugality and good conduct of individuals, by their universal, continual, and uninterrupted effort to better their own condition. It is this effort, protected by law and allowed by liberty to exert itself in the manner that is most advantageous, which has maintained the progress of England towards opulence and improvement in almost all former times...”

A return to good governance, corporate and private ethics, and appropriate regulation and internal controls may be the remedy needed for this current crisis.

Saturday, October 18, 2008

Politics and Risk Management

The intersection of politics and risk management came together in a big way recently with the crash of the financial markets. Politicians from both parties could not help themselves from using the collapse of the economy to assign blame and feed at the trough of public funding. It is clear that there is little consensus on how to address the problem and, worse yet, little willingness to work together to come to a common framework.

If the past track record of governmental intervention is any prologue for what can be expected, the politicians will be more interested in posturing than in real systemic remedies. On a recent Sunday morning talk show, politicians and the CEO of the US Chamber of Commerce showed that the status quo will be very difficult to change. Wrapped up in all of the acrimony is a lesson on the very basics of risk management. If we take a step back to look at the role of government, how it performs oversight has changed significantly. Depending on your political perspective, you may come to different conclusions.

However, by taking an independent view, I would propose that the very essence of government and the role it should play may determine if risk management is part of the responsibility of government. I don't mean to say that government should intervene in ways that restrict the free flow of goods and services or the risk taking that is embedded in the American way of doing business. What I am proposing is that there may be a role for government to play in large systemic risk events. The role of government should be to understand the threats to financial systems and develop mechanisms to mitigate systemic risks that threaten the viability of our economy and financial markets.

Whoa, you say! That sounds like some form of socialism! The government does not understand business and does a terrible job of managing its own resources efficiently, you say! Why would we want government to manage business risks? Let me be clear, I am not advocating for governmental involvement in managing business risks. However, what I am advocating for are policies, legislation, and systemic controls that monitor risks across industries and act on key indicators when threats to markets reach levels that force politicians to mitigate these risks before they occur.

Sounds like a tall order! It is, and the consequences of not doing so are playing out in the economy today! Here is how it would work. First, there is no need to change the governance and oversight committees that exist in Washington, D.C. today. What would be different is regular and consistent dialogue about risks in financial markets, gathered from existing regulatory bodies or a central regulator who looks across all markets for systemic breaks that threaten individual or linked markets. The difference is that the key risk indicators and the policy and legislation promulgated from these reports could not be influenced by lobbyists or political contributions. Risks to our way of life should be free of narrow political interest groups or powerful individuals with the ability to ignore these threats.

What are the mechanics? Setting limits on the level of margin or leverage used, the net capital needed, and the efficient operation of markets, such as the settlement of derivative contracts, are but a few examples! The arbiters of these key risk metrics would be the regulators themselves and not Congress. Congressional committees would simply take the appropriate risk mitigation steps, which must be established in advance and acted upon once the thresholds are breached. By setting up prearranged checks and balances and making the actions automatic, you begin to proactively manage systemic risks as they increase in severity.

When there are multiple systemic risks or large scale failures these same committees would have scenario plans in place that would act on their contingency plans for "fat tail" events. This approach does not prevent risk taking it simply acts as a "governor" to reduce the types of large scale systemic failures that we are experiencing today!

Idealistic!? Yes, but why not dream big! It’s only our future and the future of our children that we are attempting to fix.