Top 10 risk and compliance management related news stories and world events that (for better or for worse) shaped the week's agenda, and what is next
Dear Member,
One day they take a walk in the woods while their porridge cools.
An old woman (who is described at various points in the story as impudent, bad, foul-mouthed, ugly, dirty and a vagrant deserving of a stint in the House of Correction) discovers the bears' dwelling. She looks through a window, peeps through the keyhole, and lifts the latch. Assured that no one is home, she walks in. The old woman eats the Wee Bear's porridge, then settles into his chair and breaks it. Prowling about, she finds the bears' beds and falls asleep in Wee Bear's bed. The climax of the tale is reached when the bears return. Wee Bear finds the old woman in his bed and cries, "Somebody has been lying in my bed, and here she is!" The old woman starts up, jumps from the window, and runs away never to be seen again.
Twelve years after the publication of Southey's tale, Joseph Cundall transformed the antagonist from an ugly old woman to a pretty little girl in his Treasury of Pleasure Books for Young Children.
The little girl saw a succession of names, including Goldilocks.
Here is where Basel III comes in, when the old ugly lady (Basel 2) becomes a pretty girl (Basel 3).
Disclaimer: This is how I understood it.
But yes, Wayne Byres, Secretary General of the Basel Committee on Banking Supervision, said: Goldilocks explored the bears' house, testing the porridge, the chairs and the beds until she found things that she thought were just right.
PCAOB Issues Report on 2007-2010 Inspections of Domestic Firms that Audit 100 or Fewer Public Companies
Washington, D.C. The Public Company Accounting Oversight Board today released a report summarizing inspection observations identified in the 2007 through 2010 inspections of U.S. firms that audited 100 or fewer public companies.
NIST Solicits Views, Ideas from Stakeholders for Cybersecurity Framework for Critical Infrastructure
The National Institute of Standards and Technology (NIST) issued a Request for Information (RFI) in the Federal Register as its first step in the process to develop a Cybersecurity Framework, a set of voluntary standards and best practices to guide industry in reducing cyber risks to the networks and computers that support critical infrastructure vital to the nation's economy, security and daily life.
It will have close working relationships with other parts of the Bank, including the Financial Policy Committee and the Special Resolution Unit.
The PRA will work alongside the Financial Conduct Authority (FCA) creating a twin peaks regulatory structure in the UK. The FCA will be a separate institution and not part of the Bank of England. The FCA will be responsible for promoting effective competition, ensuring that relevant markets function well, and for the conduct regulation of all financial services firms. This includes acting to prevent market abuse and ensuring that consumers get a fair deal from financial firms. The FCA will operate the prudential regulation of those financial services firms not supervised by the PRA, such as asset managers and independent financial advisers. Prior to 1 April 2013, the Financial Services Authority (FSA) will continue to be responsible for prudential and conduct regulation in the UK. The Bank of England will have a responsibility for financial stability, based on an amended statutory objective to protect and enhance the stability of the financial system of the United Kingdom. And, in support of this objective, the Financial Policy Committee (FPC) will be established within the Bank, charged with identifying, monitoring and taking action to remove or reduce systemic risks.
The FPC, which already exists in interim form, will be able to make recommendations and give directions to the PRA and the FCA on specific actions that should be taken in order to achieve the FPC's objectives.
Source: Andrew Bailey, Executive Director of the Bank of England and Managing Director of the Financial Services Authority's Prudential Business Unit, and Sarah Breeden and Gregory Stevens of the Bank's PRA Transition Unit
The letter
Dear
- The PRA will have two statutory objectives: to promote the safety and soundness of firms and, specific to insurers, to contribute to securing an appropriate degree of protection for policyholders. A stable financial system, that is resilient in providing the critical financial services the economy needs, is a necessary condition for a healthy and successful economy.
- The PRA will not operate a zero-failure regime. The PRA will, however, seek as far as possible with resolution arrangements in place, to ensure that any firms that fail do so in a way that avoids significant disruption to the supply of critical financial services, including an acceptable degree of continuity of cover for policyholders; and
- The PRA's approach to supervision will be clearly based on judgement rather than narrowly rules-based. Supervisory judgements will be forward-looking, taking into account a wide range of possible risks to the PRA's objectives.
The approach documents can be accessed via the FSA website:
Banking: http://www.fsa.gov.uk/static/pubs/other/pra-approach-banking.pdf
Insurance: http://www.fsa.gov.uk/static/pubs/other/pra-approach-insurance.pdf
In December 2012, I gave a short interview entitled "A new approach to financial supervision: the Prudential Regulation Authority", which can be viewed here: http://www.youtube.com/watch?v=yJDp1XY3DJM
The following is an update on certain aspects of the transition where we can now provide greater clarity.
The following four categories of individual guidance will be automatically transitioned at LCO:
1. Individual Capital Requirements Guidance, including capital planning buffers for banks and capital guidance issued to insurers
2. Individual Liquidity Guidance
3. Individual guidance given by the FSA that enables a firm to move from a higher proportionality tier to a lower proportionality tier as provided for in the FSA's General Guidance on Proportionality: The Remuneration Code (SYSC 19a) & Pillar 3 disclosures on remuneration (BIPRU 11)
4. Guidance on the completion and submission of Regulatory Returns
Other Guidance
Firms should review all individual guidance and their associated behaviour in accordance with such guidance and assess the appropriateness of that behaviour in line with the PRA's statutory objectives. Firms should in many cases be able to do this by exercising judgement and without consulting the PRA. Firms should document this review. In certain cases, firms may wish to request that the PRA (FSA until LCO) review items of FSA individual guidance which are:
1. Not included in the categories identified above; and
2. Where the firm wishes the PRA to explicitly consider and confirm whether behaviour or actions in line with that guidance will remain appropriate in the PRA.
This is not an opportunity to request that all previously issued individual guidance should be retained.
International Association of Risk and Compliance Professionals (IARCP) www.risk-compliance-association.com
Between now and 30 September 2013, firms may submit a list of those items of individual guidance which they wish the PRA to review, together with their own assessment of whether the behaviour or actions set out in the guidance would contribute towards the advancement of the PRA's objectives.
Relationship managed firms should submit requests for review to their supervisor, and non-relationship managed firms should submit them to the Customer Contact Centre at email address fcc@fsa.gov.uk until 2 April 2013 and the PRA firm enquiries at email address PRA.Firmenquiries@bankofengland.co.uk from 2 April 2013 onwards. Firms will be able to continue to rely on guidance referred for review until the PRA reaches a decision on whether the guidance remains appropriate or otherwise. Supervisors will confirm the timetable for the review following the submission of the firm's list; reviews will be completed no more than 18 months after LCO. Our judgement and any resulting response that we give to a firm will focus on the advancement of the PRA's objectives. Any guidance that is not referred to the PRA for review will cease to have any status as formal PRA individual guidance from 30 September 2013. This does not mean that firms should automatically change their behaviour. If firms deem that their behaviour is appropriate, they should continue to act in that way.
If firms decide to alter their behaviour, now or in the future, they should discuss this with their supervisor, in line with Principle 11.
This approach to individual guidance does not change recent assessments of the risks that we see as being posed by a firm's business.
In particular, we still expect Risk Mitigation Plan points (reflecting the FSA's objectives) outlined in previous ARROW letters to be concluded, where we judge that they will contribute to advancing the PRA's objective.
Existing waivers will also be automatically transitioned to the PRA.
Threshold Conditions
The existing FSA Threshold Conditions will be replaced in their entirety by the Threshold Conditions being introduced by HMT via secondary legislation pursuant to the Financial Services Act 2012. The Threshold Conditions in the order that has been laid before parliament are essentially in the form HMT consulted on in October 2012. The new conditions will take effect at the same time as the rest of the amendments to FSMA are introduced, on 1 April 2013, for both existing authorised firms and all in-flight cases. The Financial Services and Markets Act (Threshold Conditions) Order 2013, as laid before parliament, can be viewed at: http://www.legislation.gov.uk/ukdsi/2013/9780111533802/pdfs/ukdsi_9780111533802_en.pdf
Corporate information About the PRA will be added and pages on policy and PRA news and events will be published.
The core operational information on authorisations and supervision will be published at LCO.
Firms are welcome to send feedback including comments and ideas about the PRA web presence to pra.webcontent@bankofengland.co.uk.
Firm Enquiries
The October 2012 approach documents explained that firms who do not have a dedicated supervision team should use the Firm Enquiries Function as their first point of contact with the PRA. The PRA Firm Enquiries will be operational from 2 April 2013 and its contact details are:
Telephone number: 020 3461 7000 (operating hours 9:00 to 17:00)
Email: PRA.Firmenquiries@bankofengland.co.uk
The FSA contact centre must be used for all enquiries up to 2 April 2013. However, during March some calls to the contact centre will be transferred to the PRA's Firm Enquiries, in preparation for taking firms' enquiries at LCO.
4. Enforcement Consultation
We published the consultation on the PRA's approach to enforcement, including proposed statutory statements of policy and procedure, on 20 December 2012. The consultation is on the FSA website; we welcome any comments on the proposals by 28 February 2013. http://www.fsa.gov.uk/library/policy/cp/2012/12-39.shtml
Attached is a set of updated FAQs and additional information.
Yours sincerely
The orders detailing the new Threshold Conditions, allocating responsibility for making rules in relation to FSCS between the FCA and the PRA, amending certain mutuals legislation, determining which types of holding company the regulators' new powers over qualifying parent undertakings apply to and specifying which regulated activities will be subject to the PRA's regulation have already been laid before Parliament and are expected to be approved by both houses by mid-March.
http://www.legislation.gov.uk/ukdsi/2013/9780111533802/pdfs/ukdsi_9780111533802_en.pdf
How will the PRA determine which investment firms should be designated for prudential regulation by the PRA?
We published a draft statement of policy on the designation of investment firms by the PRA in October 2012: http://www.fsa.gov.uk/static/pubs/cp/boe-pra-cp.pdf
The policy statement and the firms to be designated by the PRA will be finalised ahead of legal cutover.
If, after LCO, you are unsure where to report data, please firstly check the PRA's internet site under the section on regulatory data or contact PRA's Firm Enquiries.
Contact details will be: Telephone number 020 3461 7000
Email PRA.Firmenquiries@bankofengland.co.uk
When will the PRA release further contact details/ new address?
Moves to 20 Moorgate are taking place in stages, having started in early January 2013. Below is a table listing the move dates for each division:
Supervisors will confirm outstanding contact details such as telephone numbers, email addresses and email addresses around their move dates. For firms with PGP encrypted keys, communication on new access codes will also be included.
What happens if we are applying for a new or varied permission or waivers over the period including LCO?
The PRA will ensure that applications to the FSA that are made before legal cutover but not determined until after legal cutover are transitioned to the appropriate regulator and made against the appropriate statutory tests. Exact details of in-flight authorisation arrangements will be finalised once secondary legislation has been published.
When will we know the final changes being made to the Approved Persons regime?
There is more detail on our approved person regime in our Approach Documents and in the consultation paper (CP12/26) covering changes to the approved persons Handbook sections.
This paper can be accessed here: http://www.fsa.gov.uk/library/policy/cp/2012/12-26.shtml
Consultation for CP12/26 closed on 7 December 2012; we are currently reviewing the proposals in light of responses to the consultation and expect the final PRA rules on approved persons to be made by the PRA Board at or around LCO, when other substantive changes to the Handbook will also be made, and accompanying Policy Statements issued.
Please see section 4, Policy Material, below for more detail on finalising the PRA Handbook.
We also published more detail on transitional arrangements for approved persons on 25th January in CP13/3: http://www.fsa.gov.uk/library/policy/cp/2013/13-03.shtml
Will authorisation and the different approval processes take more or less time with the PRA?
The statutory time limit on authorisations in FSMA will remain unchanged after legal cutover. The PRA will report against statutory time limits.
Will firms still be required to disclose who they are authorised and regulated by?
Yes. We have consulted on revised wording of this status disclosure and a proposed transitional, as part of consultation on Handbook changes. The paper can be accessed here: http://www.fsa.gov.uk/library/policy/cp/2012/12-24.shtml
Will I be required to resubmit any information or notifications that are submitted just before LCO?
No. Any submissions or information received prior to LCO will not need to be resubmitted.
3. Supervision
What is the PRA's approach to supervision?
The PRA's approach to supervision was outlined in the two PRA approach documents (one for deposit-takers and investment firms, one for insurers) initially published in October 2012 to facilitate scrutiny of the PRA's proposed approach as the Financial Services Bill passed through Parliament.
The documents also set out some key policy material for firms. We will publish updated versions at legal cutover, and thereafter the documents will act as standing references for firms on the PRA's supervisory approach, key PRA policies, and the PRA's statutory objectives.
Will my firm still be required to comply with FSA Risk Mitigation Programme (RMP) items? What will happen to RMP?
We have streamlined the number of actions in the RMP and split them into conduct and prudential actions. Your supervisor will have communicated with your firm to confirm the outstanding RMP actions, and your firm is accountable to the relevant regulator for their resolution.
Will individual capital guidance and individual liquidity guidance still apply?
Both the individual capital guidance and individual liquidity guidance issued by the FSA to PRA-regulated firms will continue to apply.
How will European and other policy initiatives such as Solvency II and CRD IV affect the PRA's supervision model?
Information about how the interaction of such initiatives will affect the PRA's approach will be made available as part of the implementation of these policies.
4. Policy material
How will the PRA issue policy material after LCO?
The PRA Approach Documents set out that the PRA will establish and maintain published policy material which is consistent with its objectives, clear in intent, straightforward in presentation and as concise as possible. As set out in our December letter, only a limited amount of FSA non Handbook guidance will be transferred to the PRA. In addition, the letter accompanying these FAQs sets out in detail our approach to FSA Individual Guidance and the action required by firms.
Both the FCA and PRA are visiting us next year, how do you intend to separate the two areas?
The FCA and PRA are two different regulators looking at different aspects of the business, although there is a requirement to share information. Detail of the FCA and the PRA's assessments and expectations of firms are set out in the respective Approach Documents.
Available information suggests that economic growth has picked up again this year.
Consistent with the moderate pace of economic growth, conditions in the labor market have been improving gradually. Since July, nonfarm payroll employment has increased by 175,000 jobs per month on average, and the unemployment rate declined 0.3 percentage point to 7.9 percent over the same period. Cumulatively, private-sector payrolls have now grown by about 6.1 million jobs since their low point in early 2010, and the unemployment rate has fallen a bit more than 2 percentage points since its cyclical peak in late 2009. Despite these gains, however, the job market remains generally weak, with the unemployment rate well above its longer-run normal level. About 4.7 million of the unemployed have been without a job for six months or more, and millions more would like full-time employment but are able to find only part-time work. High unemployment has substantial costs, including not only the hardship faced by the unemployed and their families, but also the harm done to the vitality and productive potential of our economy as a whole. Lengthy periods of unemployment and underemployment can erode workers' skills and attachment to the labor force or prevent young people from gaining skills and experience in the first place, developments that could significantly reduce their productivity and earnings in the longer term.
The loss of output and earnings associated with high unemployment also reduces government revenues and increases spending, thereby leading to larger deficits and higher levels of debt.
The recent increase in gasoline prices, which reflects both higher crude oil prices and wider refining margins, is hitting family budgets.
Monetary policy
With unemployment well above normal levels and inflation subdued, progress toward the Federal Reserve's mandated objectives of maximum employment and price stability has required a highly accommodative monetary policy. Under normal circumstances, policy accommodation would be provided through reductions in the FOMC's target for the federal funds rate, the interest rate on overnight loans between banks. However, as this rate has been close to zero since December 2008, the Federal Reserve has had to use alternative policy tools. These alternative tools have fallen into two categories. The first is forward guidance regarding the FOMC's anticipated path for the federal funds rate.
Since longer-term interest rates reflect market expectations for shorter-term rates over time, our guidance influences longer-term rates and thus supports a stronger recovery.
The formulation of this guidance has evolved over time.
Between August 2011 and December 2012, the Committee used calendar dates to indicate how long it expected economic conditions to warrant exceptionally low levels for the federal funds rate.
At its December 2012 meeting, the FOMC agreed to shift to providing more explicit guidance on how it expects the policy rate to respond to economic developments. Specifically, the December postmeeting statement indicated that the current exceptionally low range for the federal funds rate will be appropriate at least as long as the unemployment rate remains above 6-1/2 percent, inflation between one and two years ahead is projected to be no more than a half percentage point above the Committee's 2 percent longer-run goal, and longer-term inflation expectations continue to be well anchored. An advantage of the new formulation, relative to the previous date-based guidance, is that it allows market participants and the public to update their monetary policy expectations more accurately in response to new information about the economic outlook. The new guidance also serves to underscore the Committee's intention to maintain accommodation as long as needed to promote a stronger economic recovery with stable prices. The second type of nontraditional policy tool employed by the FOMC is large-scale purchases of longer-term securities, which, like our forward guidance, are intended to support economic growth by putting downward pressure on longer-term interest rates. The Federal Reserve has engaged in several rounds of such purchases since late 2008. Last September the FOMC announced that it would purchase agency mortgage-backed securities at a pace of $40 billion per month, and in December the Committee stated that, in addition, beginning in January it would purchase longer-term Treasury securities at an initial pace of $45 billion per month.
These additional purchases of longer-term Treasury securities replace the purchases we were conducting under our now-completed maturity extension program, which lengthened the maturity of our securities portfolio without increasing its size.
The FOMC has indicated that it will continue purchases until it observes a substantial improvement in the outlook for the labor market in a context of price stability. The Committee also stated that in determining the size, pace, and composition of its asset purchases, it will take appropriate account of their likely efficacy and costs. In other words, as with all of its policy decisions, the Committee continues to assess its program of asset purchases within a cost-benefit framework. In the current economic environment, the benefits of asset purchases, and of policy accommodation more generally, are clear: Monetary policy is providing important support to the recovery while keeping inflation close to the FOMC's 2 percent objective. Notably, keeping longer-term interest rates low has helped spark recovery in the housing market and led to increased sales and production of automobiles and other durable goods. By raising employment and household wealth (for example, through higher home prices), these developments have in turn supported consumer sentiment and spending. Highly accommodative monetary policy also has several potential costs and risks, which the Committee is monitoring closely. For example, if further expansion of the Federal Reserve's balance sheet were to undermine public confidence in our ability to exit smoothly from our accommodative policies at the appropriate time, inflation
increased risk-taking in some financial markets as outweighing the benefits of promoting a stronger economic recovery and more-rapid job creation.
Another aspect of the Federal Reserve's policies that has been discussed is their implications for the federal budget. The Federal Reserve earns substantial interest on the assets it holds in its portfolio, and, other than the amount needed to fund our cost of operations, all net income is remitted to the Treasury.
With the expansion of the Federal Reserve's balance sheet, yearly remittances have roughly tripled in recent years, with payments to the Treasury totaling approximately $290 billion between 2009 and 2012.
However, if the economy continues to strengthen, as we anticipate, and policy accommodation is accordingly reduced, these remittances would likely decline in coming years. Federal Reserve analysis shows that remittances to the Treasury could be quite low for a time in some scenarios, particularly if interest rates were to rise quickly. However, even in such scenarios, it is highly likely that average annual remittances over the period affected by the Federal Reserve's purchases will remain higher than the pre-crisis norm, perhaps substantially so. Moreover, to the extent that monetary policy promotes growth and job creation, the resulting reduction in the federal deficit would dwarf any variation in the Federal Reserve's remittances to the Treasury.
The economy's performance both over the near term and in the longer run will depend importantly on the course of fiscal policy.
The challenge for the Congress and the Administration is to put the federal budget on a sustainable long-run path that promotes economic growth and stability without unnecessarily impeding the current recovery. Significant progress has been made recently toward reducing the federal budget deficit over the next few years. The projections released earlier this month by the Congressional Budget Office (CBO) indicate that, under current law, the federal deficit will narrow from 7 percent of GDP last year to 2-1/2 percent in fiscal year 2015. As a result, the federal debt held by the public (including that held by the Federal Reserve) is projected to remain roughly 75 percent of GDP through much of the current decade. However, a substantial portion of the recent progress in lowering the deficit has been concentrated in near-term budget changes, which, taken together, could create a significant headwind for the economic recovery. The CBO estimates that deficit-reduction policies in current law will slow the pace of real GDP growth by about 1-1/2 percentage points this year, relative to what it would have been otherwise. A significant portion of this effect is related to the automatic spending sequestration that is scheduled to begin on March 1, which, according to the CBO's estimates, will contribute about 0.6 percentage point to the fiscal drag on economic growth this year. Given the still-moderate underlying pace of economic growth, this additional near-term burden on the recovery is significant. Moreover, besides having adverse effects on jobs and incomes, a slower recovery would lead to less actual deficit reduction in the short run for any given set of fiscal actions.
At the same time, and despite progress in reducing near-term budget deficits, the difficult process of addressing longer-term fiscal imbalances has only begun.
Indeed, the CBO projects that the federal deficit and debt as a percentage of GDP will begin rising again in the latter part of this decade, reflecting in large part the aging of the population and fast-rising health-care costs. To promote economic growth in the longer term, and to preserve economic and financial stability, fiscal policymakers will have to put the federal budget on a sustainable long-run path that first stabilizes the ratio of federal debt to GDP and, given the current elevated level of debt, eventually places that ratio on a downward trajectory. Between 1960 and the onset of the financial crisis, federal debt averaged less than 40 percent of GDP. This relatively low level of debt provided the nation much-needed flexibility to meet the economic challenges of the past few years. Replenishing this fiscal capacity will give future Congresses and Administrations greater scope to deal with unforeseen events. To address both the near- and longer-term issues, the Congress and the Administration should consider replacing the sharp, frontloaded spending cuts required by the sequestration with policies that reduce the federal deficit more gradually in the near term but more substantially in the longer run. Such an approach could lessen the near-term fiscal headwinds facing the recovery while more effectively addressing the longer-term imbalances in the federal budget. The sizes of deficits and debt matter, of course, but not all tax and spending programs are created equal with respect to their effects on the economy.
To the greatest extent possible, in their efforts to achieve sound public finances, fiscal policymakers should not lose sight of the need for federal tax and spending policies that increase incentives to work and save, encourage investments in workforce skills, advance private capital formation, promote research and development, and provide necessary and productive public infrastructure.
Although economic growth alone cannot eliminate federal budget imbalances, in either the short or longer term, a more rapidly expanding economic pie will ease the difficult choices we face.
The region has benefited from the development of strong banking systems supported by strong regulatory regimes.
Furthermore, many of you have recognised Basel III as a minimum, and have adopted local practices that impose additional requirements to deal with local risks. The result is healthy banking systems that are well equipped to support economic growth, not least by stepping into the gap created by the constraints faced by many banks in other parts of the world.
not so much that banks could not perform their important economic functions.
The Committee also needed to improve the way that the adequacy of capital was measured so that it appropriately recognises the materially different magnitudes of risk within individual bank balance sheets, but at the same time provides an overall measure of soundness that investors can compare across banks. And, recognising that the Basel framework is the global standard for bank capital, the Committee needed something that was suitable for internationally active banks (our core constituency) but could also be applied more broadly.
the regulatory capital base included capital instruments that were not truly loss-absorbing - financial markets increasingly discounted these;
the regulatory capital base in some countries filtered out (ie ignored) some unrealised losses that banks had incurred - financial markets wanted to account for these; and
risk-weighted asset calculations had become complex and opaque, making them difficult for external investors to understand - financial markets became confused by these.
In other words, questions were legitimately being asked about whether capital was both adequate and comparable.
The questions related to both the numerator and the denominator of the regulatory measure. The reforms contained in Basel III largely deal with these first two items. Basel III raises the minimum quantity of truly loss-absorbing capital by many multiples. It also improves the quality of that capital by eliminating quasi-capital instruments, and certain other assets, that proved of limited value in times of stress (indeed, investors in some of these instruments, rather than providing a source of support, had to be bailed out themselves!). In addition, by removing prudential filters and forcing banks to recognise unrealised losses on fair value assets, capital ratios will be more credible by better reflecting the true capacity of a bank to absorb further losses at any given point in time.
Having substantially simplified and improved the numerator of the capital ratio, the Committee's attention is now turning to concerns about the risk-weighting framework:
it is said by some to be too complex and difficult to understand, and that something simpler (indeed, some say simple) would be better; and
International Association of Risk and Compliance Professionals (IARCP) www.risk-compliance-association.com
it is said by some to provide too much flexibility on how risk should be measured, making it difficult to compare reported capital ratios.
These concerns are closely related - although that does not mean less complexity and less flexibility always lead to more comparability.
In this respect, Basel II's goal can be thought of as promoting both capital adequacy and capital efficiency.
Properly applied, banks' capital requirements could be much more responsive to the underlying risks they were taking; low-risk banks would benefit by not being burdened with unnecessary capital requirements, and those with higher risk profiles would need to hold additional capital commensurate with the risks they are exposed to. To put it another way, Basel II sought to better distinguish between high- and low-risk banks, and it required higher-risk banks to operate with lower levels of leverage than their low-risk peers. But as anyone knows who has built, supervised or just tried to understand internal risk models within a bank, they are not simple. They are, of course, a simplification of the real world, but that is not much of a consolation since the real world is extremely complex. The difficulty is that, if models are oversimplified, they do not produce risk measures that reflect reality. But if made too complex, hardly anyone can say whether they produce realistic risk measures or not! And by allowing a degree of flexibility for banks to model risks as they see them, we make it more difficult to achieve comparability. Getting it just right therefore requires careful judgement.
Comparability
Basel II was undoubtedly a major improvement in the conceptual soundness of the capital measurement process. It also created important incentives for banks to refine and improve their risk models, and to avoid high correlations between risk management methods which could have detrimental implications for financial stability.
These benefits should not be lightly dismissed, but there are now concerns that the way in which models are currently used hinders comparability, since users of information cannot understand the impact that modelling choices have on the resulting capital requirements.
The Committee therefore needs to ensure that this additional risk sensitivity is not, as a result of its complexity, undermining the overall regime by making comparison too difficult for all but supervisory experts (and maybe even for the experts too!). But before we revert to a simpler measurement methodology, we need to be sure that it would really be more comparable. Comparability has two basic dimensions: between banks at a given point in time; and for a given bank, over a period of time. Any standardised approach will necessarily be blunt. It will be simpler to understand than an internal model, but that is because it will necessarily make many assumptions. These assumptions will mean risk can be incorrectly measured. They will also mean that changes in a bank's risk profile can go undetected. Take the example of the leverage ratio. It will not distinguish between two similarly sized banks even if one holds a large portfolio of high-quality sovereign exposures, and the other a large portfolio of highly leveraged loans for property development. Nor will it show any response if a bank switches its balance sheet from one of those portfolios to the other over time.
A leverage ratio measures exactly what it says - the degree of leverage on a bank's balance sheet.
For this purpose, it is perfectly suited. That does not necessarily make it the most useful measure for judging the adequacy of a bank's capital base. Risk-based regimes seek to respond to this problem by introducing greater risk sensitivity.
But even with the standardised approaches in the Basel framework, there are limits to what can be achieved.
The risk-based framework would respond, via changes in the reported capital ratio, to the situations I have mentioned above. It would not, however, necessarily respond at a more detailed level - for example, it does not meaningfully distinguish between portfolios of low loan-to-value ratio (LVR), full documentation, amortising mortgage loans, and high LVR, interest-only, self-certified mortgage loans. Only with additional complexity can we take greater account of the multifaceted risks within a bank's loan book. However, as the framework becomes more and more risk-sensitive in judging capital adequacy, it may no longer be the best means of monitoring, comparing and controlling overall leverage. For these reasons, Basel III utilises both a risk-based capital ratio and a non-risk-based leverage ratio to provide complementary measures of capital adequacy and leverage. Both ratios serve their individual purposes: one a measure of capital relative to risk; the other a measure of overall leverage.
The two measures can also be compared with each other, providing additional information that would not be readily available from either measure on its own.
Improving comparability
The inclusion of the leverage ratio in Basel III does not remove the need to further review the comparability of the risk-based regime. To borrow from Winston Churchill, however beautiful the strategy, you should occasionally look at the results. The Committee has been conscious of this issue for some time, and over the past year it has been exploring the issue from both a bottom-up and top-down perspective. With regard to the concerns about the comparability of model-based risk-weighted asset calculations, the Committee has established two workstreams; one to look at the consistency of calculations in relation to the trading book and another parallel stream for the banking book.
This work has examined publicly available data for a selection of large banks across multiple jurisdictions, as well as asking a number of banks to provide risk measures for a series of hypothetical portfolios.
The outcome of this work has been supplemented with a series of meetings with individual banks by an international team of supervisory experts, with the aim of providing greater understanding of the reasons behind different results. The trading book review was published at the end of January, and I will focus my comments on it today. The results of the banking book work will be released in the coming months.
The trading book review found that it is reasonable for investors to complain that they find current risk disclosures opaque - the Committee's analysis found the same thing!
Current disclosures were not adequate for external parties to be able to judge whether movements in modelled risk-weighted assets over time, or between banks, were due to underlying differences in risk, or for other reasons. That there is variability in results between banks should not surprise.
It is inevitable, and indeed desirable, in any model-based framework that there be some.
What was possibly surprising, however, was that regulatory and supervisory decisions were producing a non-trivial proportion of the variability: contrary to the initial hypothesis of many, it did not arise solely from giving banks too much freedom to model risk. Around a quarter of the variability was due to one single factor: the use of supervisory multipliers, which are applied as an incentive for banks to improve their models and risk management systems. There are two other points worth noting from the trading book analysis: The variability driven by supervisors (due to the use of multipliers, or by restricting modelling choices) will almost invariably increase capital requirements relative to what they might otherwise be. In other words, some of the variability is due to some banks being held to a higher standard than the Basel minimum requires.
This improves the adequacy of capital resulting from internal models but, due to the fact that some supervisory discretion is not disclosed, reduces comparability.
The outcomes produced by banks were benchmarked to a risk model produced by the team of supervisory experts conducting the analysis.
The output of this model was broadly consistent with the average of the results being produced by banks.
Although the analysis is necessarily limited to the sample of banks and by the simple portfolios used, there was no evidence to suggest that the banks' modelling efforts systematically under-estimated risk (and hence the adequacy of capital requirements) across the group as a whole. Nonetheless, even after allowing for supervisory decisions, bank modelling practices were the primary driver of variability, and that variability makes comparability more difficult to achieve. Thankfully, the analysis showed that the bulk of this could be attributed to a relatively small set of modelling choices, giving the Committee some obvious areas to look at if it decides that variability should be reduced. I will say more about this shortly. In parallel with this detailed analysis, the Committee has appointed a task force to look into the question of the simplicity and comparability of the regulatory framework from a top-down perspective. This task force has not been looking at specific issues of detail, but instead is approaching the issue from a more conceptual perspective: what is the optimal trade-off between simplicity, risk-sensitivity and comparability? The task force found that there are many drivers of complexity in the regulatory framework, and that the greater focus on the risk sensitivity of capital measures is just one of them. Others include the need to reflect developments in financial markets, integrate modern risk management practices, and respond to innovation. Nevertheless, the task force has highlighted a number of areas the Committee could consider if it wanted to rebalance the current framework to promote greater simplicity.
Developing supplementary measures: Basel III already requires banks to disclose a risk-based ratio and a leverage ratio.
Following this approach, additional benchmarks could also be disclosed. For example, the current review of the trading book framework is currently considering industry feedback on a proposal to require banks to disclose capital requirements using both internal models and the standardised approach. All of these options have costs, and the Committee will need to consider them carefully. But the costs of a lack of confidence in bank capital ratios are likely to be substantial, so cost should not be a reason to immediately dismiss any ideas out of hand. Industry feedback on the merits of different solutions will be welcome.
Concluding remarks
In the post-crisis period, we have substantially strengthened the regulatory framework.
This is an important investment in the financial system's future resilience. While there have been complaints about the burden of reform, many studies show the cost-benefit trade-offs to be overwhelmingly positive. Much of this debate is now winding down: indeed, many countries - including here in Asia - now have the Basel III capital reforms in place, and their banking systems continue to perform well. It is important we press ahead to complete the reform agenda, particularly as there are signs that the banking industry is again shedding its inhibitions in its keenness to take advantage of improved market conditions.
enforcement, and standards. And as part of that discussion, I will detail the Board's progress in the areas of broker-dealer audits and international inspections.
PCAOB-registered public accounting firms have been given an important role in the capital markets to provide assurance to investors and others that the audited financial statements fairly present the companies' or broker-dealers' financial results in conformity with applicable accounting and disclosure standards and rules. Registration is a significant oversight area for the Board.
Currently, about 2,360 firms are registered with the PCAOB, including about 910 non-U.S. firms located in 84 countries.
Not all PCAOB-registered firms regularly issue audit reports for issuers, but we inspect those approximately 750 firms, including more than 240 non-U.S. firms that do.
Additionally, approximately 90 registered firms do not regularly issue audit reports for issuers; however, they report that they play a substantial role in the audits of issuers. Together, these firms audit or play a substantial role in the audits of more than 9,700 U.S. issuer companies that have approximately $26.4 trillion in market capitalization. Furthermore, approximately 800 registered firms report that they audit brokers and dealers, including approximately 480 that report that they do not audit issuers.
Clearly, reliable financial statements play a key role in the financial markets, which are integral to the success and well-being of American households and businesses, the U.S. economy, and participants and stakeholders from around the world.
We also completed 167 domestic firm triennial inspections and 77 non-U.S. firm triennial inspections.
For annually inspected firms, the PCAOB generally issued most of its completed 2011 inspection reports during the latter part of 2012, with some being issued in early 2013. The timing of our inspections reporting has been a challenge, and the Board is currently working to improve the timeliness of these reports. In terms of trends in findings, the number of serious audit performance deficiencies we reported spiked in our 2010 inspections, and remained high overall for the large firms in the 2011 inspections. Common areas where we found audit deficiencies included auditing revenue recognition, auditing fair value of hard-to-value financial instruments, testing and evaluating internal controls, and the auditor's assessment of and response to fraud risk, among others.
On Feb. 25, 2013, the Board released a report summarizing observations identified in the 2007 through 2010 inspections of U.S.-based triennial firms. For these firms in particular, audit areas with frequent inspection findings included auditing related party transactions and auditing share-based payments and equity financing instruments, among others. The findings are serious, and represent deficiencies that are of such significance that it appeared that a firm, at the time it issued its audit report, had failed to obtain sufficient, appropriate audit evidence to support its audit opinion on the financial statements and/or the opinion on internal control over financial reporting. These findings are reported in the public version of firms' inspection reports, which are available on the Board's website. A second category of inspection findings deals with criticisms identified in the firm's quality control system that, due to statutory restrictions, are not initially included in the public portion of the report. Quality control findings focus on issues that may have caused the audit performance deficiencies, as well as other aspects of the firm's management of its audit practice that could negatively impact audit quality. Some examples of areas of specific concern regarding quality control that appear in inspection reports include problems in the areas of professional skepticism, tone at the top of firm management, internal inspections, and firms' quality control processes related to specific aspects of auditing, such as testing and evaluating internal control over financial reporting, fair value, and other areas.
As the Sarbanes-Oxley Act provides, if a firm does not take satisfactory action to remediate quality control criticisms within 12 months of the inspection report, that portion of the report is also made public.
Remediation is a very important part of the process. It is through these actions that firms correct their quality control criticisms and drive improvements in audit quality. The Board encourages firms to initiate a dialogue with the Board's Inspections staff about how the firm intends to address the quality control issues. Based on the timing of the related remediation periods and the firms' efforts in those areas, it is reasonable to expect that firms should start to achieve significant improvements in their 2013 inspection results for those areas identified as problems during the 2010 and 2011 inspections. I think we will also see improvements in some firms' 2012 inspection reports, which will be issued this year.
The law leaves to the Board, subject to the approval of the SEC, important implementation decisions concerning the scope of the program and the frequency of inspections, including whether to differentiate among categories of brokers and dealers, and whether to exclude from the inspection program any categories of auditors.
There are approximately 4,400 brokers and dealers that filed audited financial statements with the SEC for fiscal periods ending during 2011.
The Board is currently conducting an interim broker-dealer audit inspection program, which has been in place for about 18 months, that will help us design a permanent broker-dealer audit inspection program. The Board issued its first report on the interim inspection program for audits of SEC-registered brokers and dealers on Aug. 20, 2012. The report, which is available on our website, details the findings from inspections of 10 audit firms and portions of 23 audits of securities brokers and dealers. PCAOB inspectors identified deficiencies in all of the audits inspected. Even with this small group of audits, the inspection results are disturbing. The deficiencies fell into three broad categories: (1) audit procedures over customer protection and net capital requirements, (2) audits of the financial statements, and (3) auditor independence. We inspected another 43 firms and portions of 60 audits during 2012, and will issue another report on those results in 2013. Unfortunately, we continue to find significant issues in this second batch of inspections. The Board's approach to establishing an inspection program for audits of brokers and dealers is focused on (1) how best to promote investor protection and (2) how to create an efficient and effective regulatory scheme that appropriately addresses the diversity of audits of broker-dealers, weighing the differences in their risk profiles, and the costs and benefits involved.
In 2013, we will begin to work on the design for a permanent program of inspections of auditors of SEC-registered brokers and dealers. The interim inspection program will continue beyond 2013, until rules for a permanent inspection program take effect.
In the other jurisdictions where we inspect but do not have cooperative agreements, we do so because the local authorities have no objection to our conducting PCAOB-only inspections in their jurisdictions.
Unfortunately, PCAOB is currently blocked from inspecting - due to asserted legal conflicts or sovereignty issues - in 15 jurisdictions that have issuers whose securities trade in the U.S. These jurisdictions include China and certain countries in the European Union.
While we have not yet reached cooperative agreements with audit regulators in those jurisdictions, we continue to negotiate with them.
Our ongoing difficulties with inspecting audit work conducted in China, in particular, have received a lot of attention in the financial press due to the significance of the Chinese economy and the numerous financial reporting problems that have surfaced with respect to some Chinese companies listed on the U.S. markets, among other reasons. In particular, significant problems have surfaced regarding the financial statements of some Chinese companies that were audited by firms in China that the PCAOB has been blocked from inspecting. This has generated significant concern in the investor community about the quality of the audit practices and the accuracy of public disclosures of Chinese companies accessing the U.S. capital markets. Beginning in the latter part of 2010, approximately 67 China-based issuers have had their auditor resign, and 126 issuers have either been delisted from U.S. securities exchanges or "gone dark" - meaning that they are no longer filing current reports with the SEC. Billions of dollars of market capitalization of such companies have been lost in U.S. securities markets, and it is fair to say that all China-based companies listed here have suffered serious losses of both market value and investor confidence as a result of the problems of other companies.
The PCAOB's inability to inspect the work of PCAOB-registered firms in China continues to create a gaping hole in investor protection.
Lately, however, we have been somewhat encouraged by some incremental progress in our negotiations with the Chinese authorities, including an agreement last year on guidelines that enabled us to send an inspection team to observe part of an inspection carried out by the Chinese audit regulator. We are continuing our efforts to establish a set of protocols that would provide for further cross-border cooperation with China in a manner consistent with our statutory mandate. If we are unable to reach agreement, we will have to make some important decisions about how best to protect investors.
To that end, the Board has been developing a robust, active enforcement program that seeks to identify potential cases of serious auditor misconduct, investigate them thoroughly and promptly, and litigate the resulting disciplinary actions.
The overriding goal is to ensure that auditors who commit serious violations of our audit standards face appropriate and real remedial or disciplinary consequences. The Division of Enforcement and Investigations carries out the Board's investigative and disciplinary authority. Under the Sarbanes-Oxley Act, the Board is authorized to investigate auditor conduct that may violate the laws, rules, or standards within the Board's jurisdiction.
The Board is further empowered to impose a range of remedial and disciplinary sanctions against registered accounting firms and associated persons who violate those laws, rules, or standards.
The Enforcement Division focuses its efforts on high-priority investigations involving significant investor protection considerations. Its matters arise from a number of sources, including Board inspections of registered firms, analysis conducted by the Board's Office of Research and Analysis, other regulators, public disclosures of restatements and auditor changes, news reports, and confidential tips. Our website has information on how to provide enforcement tips, referrals, and information on potential violations of law or PCAOB rules. PCAOB has been building its enforcement program since 2004 when the Board hired a director and started the tips and complaints center. In 2005, the Board announced its first four settlements and opened 17 formal investigations.
Since then, we have continued to build a fully functioning enforcement and investigations function.
The first adjudicated orders were publicly disclosed in 2009 and 2010. Then in 2011, the Board settled its largest case to date at that time, imposing censures and a $1.5 million penalty on PwC's India affiliates for their audit failures concerning Satyam Computer Services. The Board coordinated its actions with the SEC's Division of Enforcement, which brought a parallel case against PwC's India affiliate firms. During 2012, the Board issued eight settled disciplinary orders imposing sanctions on auditors ranging from censures to monetary penalties to bars against their association with registered accounting firms. Those sanctions covered four registered accounting firms and 11 associated persons.
In addition, the Board issued three adjudicated disciplinary orders after completing the administrative hearing process.
On Feb. 8, 2012, the Board issued a notable settled order regarding E&Y's audits of Medicis Pharmaceutical Corp. over three years and a related accounting consultation. The Board imposed a $2 million penalty against E&Y - the largest monetary penalty imposed by the Board to date - and imposed sanctions on four partners, including barring two from associating with registered accounting firms. Another significant aspect of this matter is that it started with a Board inspection finding about the same audit deficiencies that led to the enforcement order. To date, the Board has issued 56 publicly announced disciplinary orders in proceedings brought by the Enforcement Division. In these proceedings, the Board has imposed 42 sanctions on firms (including 27 revocations of registration) and 59 sanctions on individuals (including 50 bars or suspension). The Enforcement Division currently has more than 80 open informal inquiries, formal investigations, and non-public litigated proceedings in process. As I mentioned, the Board's disciplinary proceedings are, by law, non-public unless each party consents to public hearings. In the PCAOB's history, no respondent has ever consented to public proceedings. The confidential nature of our proceedings results in a number of unfortunate consequences for investor protection and the public interest. Among other things, we are unable to discuss the nature of our active disciplinary proceedings except in the most general of terms.
This process is not sufficiently informative to investors, audit committees, auditors, or others interested in understanding audit risks and challenges.
The non-public nature of our proceedings also provides an incentive for respondents to litigate matters regardless of whether they believe they ultimately will prevail, in order to delay public disclosure. Legislation, which I support, was introduced in the last Congress to make our proceedings open to the public, but it did not move forward.
I am hopeful that Congress will act to improve the transparency and efficiency of the Board's proceedings.
In addition to the other crucial functions of the Board's enforcement program, the Sarbanes-Oxley Act provides that penalties the Board collects in disciplinary proceedings are to be used to fund merit scholarships for students in accounting programs. The program was inaugurated in 2011.
Since then, the Board has used penalty funds collected in enforcement matters to award 95 scholarships of $10,000 each, for a total of almost $1 million in scholarships.
Auditing Standards
The PCAOB is uniquely positioned to use its insight from inspection and other oversight activities to improve existing auditing standards to support high quality audits to protect investors and the public interest. As we look to what the PCAOB has accomplished through its fourth oversight area, standard setting, and what still needs to be done, we have taken on an ambitious project to broadly reexamine our standard-setting approach. I won't go through our entire standards-setting agenda today, but it and related information can be found on the PCAOB website.
We currently have the following projects on our agenda for the first half of 2013:
1. Related parties (adoption or re-proposal)
2. Reorganization of PCAOB standards (proposal)
3. Auditor's reporting model (proposal)
4. Auditor's responsibilities with respect to other accounting firms, individual accountants, and specialists (proposal)
5. Audit transparency: identification of the engagement partner (adoption or re-proposal)
We are also continuing to develop a long-term view and framework for setting standards beyond the current project list. This is a substantive workload, and it is something to watch throughout the coming year.
***
Every aspect of the PCAOB's mission - registration, inspections, enforcement and standard setting - points to the significant role high quality audits play in the effective functioning of our capital markets.
At the PCAOB, we have taken on an ambitious agenda dealing with numerous significant issues to help ensure high quality audits for the benefit of investors and the public interest now and for the long term. Accounting and business educators, professionals and students also need to have a mindset of working in the public interest with the highest level of ethical conduct and objectivity. The academic community can do its part by focusing students on these principles, so that they enter the profession mindful of their responsibilities to protect investors.
This, in turn, will help maintain confidence in the capital markets and will help ensure that we can continue to pass along opportunity and prosperity to future generations of Americans.
A paper that examines George R. Husband's life and accomplishments in research, service and teaching, states that Husband's students characterized his teaching principles in the following three basic positions: 1. ethical behavior is of utmost importance; 2. teachers are empowering the future leaders of the accounting profession; and 3. teachers should stretch students' thinking to the limits. I trust that the educators and students here at Wayne State University are continuing to embody these principles.
This overhaul of EU banking rules will make sure that banks in the future have enough capital, both in terms of quality and quantity, to withstand shocks.
This will ensure that taxpayers across Europe are protected into the future. In these negotiations, as Presidency, we have had to balance many different interests: the desire to limit bankers' pay while maintaining a competitive European banking sector; the need to provide a single but sufficiently flexible rule book across Europe. This agreement will have to be approved by EU Member States before it is final. There will also be significant further technical work to complete the details of the legislation. The Minister said: "I believe that the compromise package that we have reached tonight is well balanced. I will be presenting this package to Finance Ministers when we meet in Brussels next Tuesday and I hope they will endorse it."
Background
During the financial crisis, European taxpayers recapitalised banks who found themselves with insufficient capital to absorb losses. This overhaul of EU banking rules will make sure that banks in the future have enough capital, both in quality and quantity.
International Association of Risk and Compliance Professionals (IARCP) www.risk-compliance-association.com
These standards have been agreed at G20 level in what is known as the Basel III agreement. The new EU rules are set out in a Regulation and a Directive, making up the Capital Requirements package. These new rules will apply to financial institutions across Europe, including the 8,000 banks currently operating in Europe. The package sets out rules for the amount of capital that banks need to hold, as well as the quality of those funds. It introduces a new liquidity coverage ratio as well as a leverage ratio to limit an excessive build-up of leverage on banks' balance sheets. There are new enhanced governance arrangements for banks, aimed at improving risk management. The package also introduces capital buffers on top of the minimum capital requirements. The provisional deal reached with the European Parliament also includes limits on the size of bankers' bonuses. This package is a vital part of the single European banking rulebook, a fundamental building block for EU banking union. Completing banking union is an Irish Presidency priority.
As Presidency we are working to reach agreement with the European Parliament on the setting up of a single European banking supervisor.
We are also working on getting member state agreement on bank resolution and recovery as well as deposit guarantee schemes, important elements in completing banking union.
Getting the single supervisor in place will be key to allowing the European Stability Mechanism (ESM) to directly recapitalise banks across Europe.
European Parliament
Bonus cap
To curb excessive risk-taking, the basic salary-to-bonus ratio will be 1:1 but could be raised to a maximum of 1:2 with the approval of shareholders. This higher ratio would require the votes of at least 65% of shareholders owning half the shares represented, or of 75% of votes if there is no quorum.
To encourage bankers to take a long-term view, if the bonus is increased above 1:1, then a quarter of the whole bonus would be deferred for at least five years.
Quality capital
The rules will raise minimum thresholds of high quality capital to be retained. Banks will be required to hold a minimum of 8% good quality capital (mostly Tier 1, the lowest-risk form).
Transparency
The legislation would require banks to disclose profits made, taxes paid and subsidies received country by country, as well as turnover and number of employees. From 2014 these should be reported to the Commission and from 2015 made fully public.
Next Steps
The political agreement must be approved by member states and the European Parliament plenary, in which a vote is expected at the 15-18 April session. Once approved, member states would need to include the rules in their national laws by 1 January 2014.
discrepancies and the varying conventions used to compile trade statistics among countries.
This includes time lag, variations in valuation and exclusion of certain types of goods. The situation is further complicated by the treatment of goods that are exported via re-export hubs. Exports by Malaysia to a specific trading partner may for example not give rise to a similar number recorded as total imports from Malaysia by that country. This discrepancy arises as the imports are recorded based on country of origin that also includes those exports that are via other countries. After taking into account Malaysia's trade that is exported via Singapore and Hong Kong (re-export hubs), the estimate of trade mispricing between Malaysia and its top 10 trading partners was reduced significantly by about 70%. Since the estimates in the report of trade mispricing do not take into consideration such discrepancies in trade statistics, the estimates of illicit flows are overstated. The report also estimated that 20% of illicit outflows were accounted for by unrecorded transfer of proceeds via informal channels that is captured by the Errors and Omissions (E&O) of the Balance of Payments (BoP) of the country. It should be noted that not the entire E&O figure is attributable to illicit activities, as it also includes genuine statistical errors from the compilation of statistics of external trade and cross-border financial transactions. Since Malaysia is a very open economy with total trade in goods and services amounting to an average of 192% of GDP during this period, such discrepancies are bound to be large in absolute amount.
It is recognised, however, that a portion of the E&O could arise from the transfer of funds obtained from illegal activities, organised crime and tax and custom duties evasion.
Importantly, the E&O has averaged at 2% of total trade, which is well below the 5% benchmark threshold prescribed by the International Monetary Fund (IMF). These ratios have also been on a moderating trend since 2010.
the development of a more dynamic and competitive money services business industry (comprising the money changing, remittance and wholesale currency businesses).
The relicensing exercise of all money services businesses was completed in 2012, resulting in the number of money changers being reduced from 839 to 511. This exercise has enhanced the capacity of the money services business industry to be more professional and prevent the players from becoming a conduit to illegal fund transfer activities. In addition, the exercise also resulted in the approval of qualified money changers as remittance agents. This is expected to facilitate the migration of remittances, especially by foreign workers, from informal to formal channels. The Money Services Business Act 2011 further complements the measures that have been put in place and actions taken under the Anti-Money Laundering & Anti-Terrorism Financing Act 2001 (AMLATFA 2001). The AMLATFA 2001, which came into force on 15 January 2002, criminalises money laundering of proceeds from serious crimes. Malaysia is now well supported by robust legislation to combat illegal financial flows. In addition, Malaysia's efforts to strengthen the legislation and implementation of Anti-Money Laundering/Counter Financing of Terrorism measures have been recognised by the IMF and the World Bank during the recent Financial Sector Assessment Programme (FSAP), where Malaysia was accorded a Compliant rating for the Basel Core Principles (Principle 18) and Observed for the Insurance Core Principles (ICP 22). Greater collaboration among local agencies as well as with their international counterparts through the sharing of databases, information
and intelligence and joint enforcement actions, with some of them facilitated by the Task Force had yielded positive results in combating illegal activities.
The Inland Revenue Board of Malaysia has taken actions on entities and individuals who have evaded corporate taxes. The Board had also conducted tax audits on firms and strengthened its enforcement to minimise tax evasion. The Customs have also intensified its enforcement efforts. These efforts have produced results shown by the significant rise in tax and duties collections. Moving forward, the trade mispricing issue will also be mitigated with the introduction of Goods and Services Tax (GST) which requires reporting of value-added at various stages of production. Recognising the importance of addressing illicit financial flows, continued concrete and coordinated efforts between various enforcement agencies including across borders will continue to be pursued to ensure the integrity and stability of the Malaysian financial system.
PCAOB Issues Report on 2007-2010 Inspections of Domestic Firms that Audit 100 or Fewer Public Companies
Washington, D.C., Feb. 25, 2013
The Public Company Accounting Oversight Board today released a report summarizing inspection observations identified in the 2007 through 2010 inspections of U.S. firms that audited 100 or fewer public companies.
Such firms must be inspected at least once every three years (triennially inspected firms).
Overall, the results show a reduced rate of reported "significant audit performance deficiencies" when compared to a 2007 report the Board issued addressing observations from inspections of triennially inspected firms from 2004 through 2006. Significant audit performance deficiencies are those that result in the audit firm lacking sufficient evidence to support its audit opinion. The report notes lower rates of significant audit performance deficiencies overall in the group of firms that had second inspections during the 2007-2010 period. Of firms that had a second inspection during that period, 36 percent had at least one such deficiency in their second inspection, compared to 55 percent in their initial inspection. Despite the decrease in the rate of significant audit performance deficiencies noted in second inspections, the persistence of such deficiencies in audits performed by a large number of domestic triennial firms is of concern to the Board.
"The Board has issued this report to highlight areas where audit firms can focus their attention to enhance the quality of their audits," said James R. Doty, PCAOB Chairman.
"We also encourage firms to identify and address the root causes of any audit performance deficiencies identified during the inspections process." According to the report, 44 percent of the audit firms inspected during the 2007-2010 period had at least one "significant audit performance deficiency" compared to 61 percent in the 2004-2006 period. Of the individual audits inspected between 2007 and 2010, 28 percent had at least one significant audit performance deficiency compared to 36 percent of the audits inspected between 2004 and 2006. Audit areas with frequent inspection findings in the 2007-2010 period related to:
- auditing revenue recognition;
- auditing share-based payments and equity financing instruments;
- auditing convertible debt instruments;
- auditing fair value measurements;
- auditing business combinations and impairment of intangible and long-lived assets;
- auditing accounting estimates;
The "Report on 2007-2010 Inspections of Domestic Firms that Audit 100 or Fewer Public Companies" includes observations from 748 inspections of 578 domestic triennial firms conducted in the 2007-2010 period, and encompasses Inspection staff reviews of aspects of 1,801 audits.
Executive Summary
The Public Company Accounting Oversight Board (the "PCAOB" or the "Board") is issuing this report to provide a summary of observations from its inspection program.
This report covers domestic audit firms that audit the financial statements of issuers, and that regularly issue 100 or fewer audit reports each year.
Such firms must be inspected at least once every three years ("triennially inspected firms"). This report describes inspection findings from 578 firms and 1,801 individual audits that were inspected in 2007-2010.
The PCAOB has previously issued similar reports describing inspection-related observations for triennially inspected firms and other firms, which are available on the PCAOB's website at
http://pcaobus.org/Inspections/Pages/PublicReports.aspx
PCAOB Inspections
PCAOB inspections assess auditors' compliance with certain laws, rules, and professional standards in connection with audits of issuers. A PCAOB inspection of an audit firm examines in depth certain aspects of a limited number of audits performed by the audit firm as well as certain elements of the firm's system of quality control over its audit processes.
Individual audits and areas of inspection focus within those audits are generally selected on a risk-weighted basis and not randomly.
Areas of focus vary among selected audits, but often involve audit work on the areas of financial statements with the highest risk of material misstatement. In connection with their inspection of individual audits, PCAOB inspectors may identify significant audit performance deficiencies where the auditor did not obtain sufficient audit evidence to support its audit opinion. In addition, inspectors may identify deficiencies in the firm's overall system of quality control that increase the risk that the firm's system will not provide reasonable assurance that its personnel comply with professional standards.
compared to 36 percent of the 1,589 audits inspected between 2004 and 2006.
- For the 455 firms that had a second inspection in the 2007-2010 period, 36 percent had at least one significant audit performance deficiency in their second inspection, compared with a rate of 55 percent in their first inspection.
While reported significant audit performance deficiencies have decreased, the continued identification of these deficiencies in audits performed by a large number of triennially inspected firms is of concern. The Board and Inspections staff take a number of actions to encourage the firms to address these deficiencies. In each inspection, the staff discusses the findings with the firm to make sure that all of the facts are considered and to help the staff and firm understand the deficiency identified. Based on this understanding, the firms should design and implement any necessary changes to their quality control procedures. The Board encourages firms to initiate a dialogue with the Board's Inspections staff early on about how the firm intends to address quality control criticisms, including those identified as a result of these significant audit performance deficiencies. The Board encourages this dialogue so that a firm can receive timely feedback from the Inspections staff and enhance its efforts, if necessary, during the twelve-month remediation period. In addition, for a number of years, the Board has held a series of forums for auditors of smaller companies to share inspection results, remediation observations, and information about recently issued auditing standards. As described in more detail in the report, the Board also encourages firms to identify and address the root causes of any audit performance deficiencies identified during the inspections process.
The causes of these deficiencies are typically complex and are often the result of a combination of factors, including, among others:
- a lack of technical competence in a particular audit area;
- a lack of due professional care, including professional skepticism;
- ineffective or insufficient supervision, which at times may have been due to heavy partner and professional staff workloads;
- ineffective client acceptance and continuance practices that fail to consider technical knowledge called for in particular audits; or
- ineffective engagement quality reviews.
With respect to the inspections conducted from 2007 through 2010 that are the subject of this report, firms have remediated quality control deficiencies described in Part II of the inspection report to the Board's satisfaction in approximately 90 percent of those cases in which the Board has concluded on the firm's efforts. Firms' remediation activities to address specific quality control deficiencies have encompassed a range of actions, including enhancements of quality control policies and procedures, developing technical guidance targeted to specific issues, developing and requiring training targeted to specific issues, developing new audit tools, and requiring additional audit procedures.
Audit areas with frequent findings in the 2007-2010 period related to:
- auditing revenue recognition (deficiencies also discussed in prior reports);
- auditing share-based payments and equity financing instruments (deficiencies also discussed in prior reports);
- auditing convertible debt instruments (new category in this report);
- auditing fair value measurements (deficiencies also discussed in prior reports, but re-categorized);
- auditing business combinations and impairment of intangible and long-lived assets (deficiencies also discussed in prior reports);
- auditing accounting estimates (deficiencies also discussed in prior reports, but re-categorized);
- auditing related party transactions (deficiencies also discussed in prior reports);
- use of analytical procedures as substantive tests (deficiencies also discussed in prior reports, but re-categorized); and
- audit procedures to respond to the risk of material misstatement due to fraud (new category in this report, but previously the subject of a separate report).
Some categories above are identified as "deficiencies also discussed in prior reports, but re-categorized" from the presentation in our 2007 report. Specifically, auditing fair value measurements and use of analytical procedures as substantive tests were discussed in the equity transactions and revenue categories of the 2007 report, respectively. While auditing accounting estimates is a new category in this report, the
2007 report addressed auditing allowance for loan losses and allowance for doubtful accounts in the category on loans and accounts receivable.
For fraud procedures, the Board released on January 22, 2007, a report titled "Observations on Auditors' Implementation of PCAOB Standards Relating to Auditors' Responsibilities with Respect to Fraud," which described observations by Inspections staff relating to procedures relevant to an auditor's consideration of fraud. Categories of more frequent deficiencies in our 2007 report that are not included in this report are: auditors' going concern considerations, auditing loans and accounts receivable, auditors' consideration of issuers' use of service organizations, use of other auditors, use of the work of specialists, auditor independence, and concurring partner review. These categories are not included due to a lower frequency of these types of deficiencies reported during the 2007-2010 inspections that may have occurred for numerous reasons, including among others, lower frequencies in which certain audit areas were reviewed due to issuer audit selection and related matters, or improvements in auditing. While observations of certain independence violations (e.g., services related to bookkeeping and preparation of financial statements and notes to financial statements, and inclusion of indemnification clauses in engagement letters) have declined, the Board continues to be concerned about, and continues to identify instances in which a firm has not complied with the relevant independence requirements. Although not separately discussed within the report, the Board emphasizes that firms should take steps to comply with the relevant PCAOB and SEC independence requirements.
All registered public accounting firms that participate in audits of issuers should consider whether the audit deficiencies described in this report might be present in audits they are currently performing, and should take appropriate action to reduce the likelihood of recurrence of similar deficiencies in the future.
Audit committees may wish to discuss this report with auditors they oversee to better understand whether any of the common deficiencies may be a concern they should consider in connection with the audits of their companies.
4/ The 467 firms that issued audit reports for the year ended December 31, 2011 differ from the 578 domestic triennial firms that were inspected at least once during the 2007-2010 period for numerous reasons, including among others, firms choosing to no longer audit issuers (possibly temporarily) and firm mergers.
In fact, the similarities between our missions and objectives are even more pronounced than that.
While the CFPB is classified as a consumer protection agency and the OCC is viewed as a safety and soundness agency, those jobs go hand in hand. Nothing is more important to a financial institution's viability than its reputation, and that reputation depends heavily upon how well it treats its customers. In fact, reputation is one of the key categories of risk that our examiners monitor. And while the overwhelming majority of the federal banks we supervise understand just how important reputation is, they deserve to know that none of their competitors, especially those that traditionally have operated with little regulation or supervision, can seek a competitive advantage by cutting corners. That's an area where I think the CFPB will perform an especially vital service to both consumers and lenders. But neither of us can succeed in our missions if we don't work well together or communicate with each other. That requires an extensive amount of cooperation, and toward that end we have spent a good deal of time building a sound working relationship that will facilitate that cooperation. Rich and I talk frequently and meet on a regular basis, and our staffs meet regularly as well. All in all, I think it's a good start. Much of what I've said would also apply to our relationship with the nation's Attorneys General.
It's important that we maintain a good working relationship based on honest and open communication and cooperation on issues of common concern.
It is true that we have different missions and different approaches toward meeting our missions, but in the end we have the same kind of common objective I cited with respect to the CFPB: we are all working toward a banking and financial services industry that treats the average person fairly and functions in a way that meets the needs of families, communities, and the national economy.
To achieve that, we have broad powers to act against institutions that engage in abusive acts or engage in unsafe and unsound practices.
Where appropriate, we use those powers to compel financial institutions to change the way they conduct their business. As the chief legal officers for your respective states, your powers to address problems through civil suits or other actions are probably familiar to many people. However, I think our authority as a prudential bank supervisor is not always well understood. In particular, people sometimes ask why enforcement actions are typically done through consent agreements. That's a reasonable question, and I'd like to spend a few minutes today answering it. As a prudential supervisor, we examine banks regularly and seek to identify issues early when they can most easily be fixed. Most often the banks take the necessary corrective action, and those are the cases no one hears about since under law the supervisory process is confidential.
But there are times when problems cannot be remedied through the supervisory process, and those are the cases that result in formal enforcement actions that sometimes make headlines.
In those situations, we very often end up taking actions that are aimed in the first instance at fixing the problem and which, depending upon the circumstances, may also include financial penalties or compensation for individuals who suffered harm as a result of improper practices. There's a reason why I cited remediation as the first goal of an enforcement order. First, unlike actions brought by an Attorney General's Office, our authority to take enforcement actions is an extension of, and in support of the supervisory process, and so the primary purpose of our actions is remediation to ensure that federal banks and thrifts operate in a safe and sound manner, and in compliance with the law. Under our statutory enforcement scheme, the purpose of our actions is not to punish banks or make examples of anyone. In that respect, we are very different from agencies like the Department of Justice, which is authorized under the law to bring actions for punitive purposes, including criminal actions, against institutions and individuals. By contrast, the OCC has no authority to investigate or prosecute criminal activity. Second, if there is a lapse significant enough to warrant a public action, then the underlying problem is almost certainly one that must be addressed immediately.
This is particularly true in cases involving financial harm to individuals, where we will move as quickly as possible to ensure those customers are compensated in a timely fashion.
While we have authority to impose civil money penalties, those fines often come later, after a remedial document has been put in place.
This is a particular problem in consumer cases, where victims could literally be waiting years to obtain relief, if ever.
By contrast, when a case is settled, an enforceable order is immediately put in place that requires banks to take corrective and remedial action. Often the bank has to pay a significant monetary penalty as well. This supports our supervisory goals of getting problems fixed at the banks as timely and efficiently as possible, and ensuring that consumers are made whole. But let me be very clear: while most of our enforcement actions are resolved by settlement, we are prepared to litigate those actions if the bank or thrift refuses to consent. Before initiating an action, we conduct a thorough review of the facts and an analysis of the law, and we do not initiate actions unless we believe they can be successfully litigated. Consequently, we stand prepared to litigate each and every enforcement action that we present to a bank or an individual before an administrative law judge, which is the venue for such actions. Banks and the defense bar are well aware of this and, frankly, we believe it is a big reason why so many of the respondents in our cases are unwilling to challenge our actions and instead consent to our orders. There is a tendency among some to automatically dismiss any enforcement action we take against a large institution as insufficiently severe, but that criticism misses the mark on several points.
First, the actions we bring require banks to adopt or change policies and procedures, adjust systems and controls, and require other significant operational changes that are taken very seriously by the affected banks.
In the case of cease and desist orders, which are the most severe remedial action we can take under our enforcement scheme, the individual
directors sign the orders, committing themselves to ensuring that the terms of the order are effectively implemented and knowing that if they fail, they may be personally subject to additional action, including penalties.
Where appropriate, we have also imposed fines commensurate with the nature of the infraction, and those fines have sometimes been very substantial. For example, not only was the recent $500 million dollar penalty we assessed against HSBC the largest penalty the OCC has ever assessed, but it is by far the largest penalty that any federal banking agency has ever assessed, exceeding by a wide margin all of the bank's cost savings for its deficient BSA compliance program. And as I noted a moment ago, we have no authority to prosecute criminal cases. However, we regularly make referrals directly to the Department of Justice, and we work closely with them as they develop cases. On occasion, we have found ourselves working on parallel tracks, investigating the same institution, and were able to provide support to Justice. While we don't disclose referrals, once they are made or once the Justice Department gets involved for any reason, it is solely up to Justice to decide whether to prosecute a financial institution. That isn't an easy call, and I think they've done a very good job in exercising appropriate judgments. I would add that, in my time as Comptroller, we've worked with Justice on a number of cases, and both my legal staff and I have been extremely impressed with the professionalism and collegiality of the department's lawyers. Of course, that leaves open the question of whether more financial institutions should be brought into court more often.
That is, should we be seeking even more severe penalties that are less likely to result in consent orders and more likely to lead to actions before an administrative law judge?
Or, should more actions be taken by the Department of Justice based on referrals from any of the bank regulatory agencies or the department's own investigative work? I would simply say that, while such decisions should never be made lightly, no one should shrink from such action when necessary.
Banks play a vital role in the economic well-being of families and communities both here and abroad, and they are essential to the health of our national economy. But as important as they are, they should not be considered immune from prosecution when circumstances warrant.
No institution should be viewed as too big to prosecute. Nor should individual employees be considered immune. The OCC has ample authority to take action against culpable individuals and a long history of doing so, including removal and prohibition actions and civil money penalties. In virtually every case where we take an action against an institution, we also conduct a parallel review for possible actions against responsible individuals, and we take such actions where they are warranted and legally supportable. I believe the OCC has an excellent enforcement program that balances these considerations, and it has served us well in meeting our supervisory objectives, by ensuring the safety and soundness of our institutions, and ensuring that individuals harmed by deficient or abusive practices receive compensation. We stand ready to work with you and other federal and state regulatory and law enforcement agencies to help meet our common goals.
NIST Solicits Views, Ideas from Stakeholders for Cybersecurity Framework for Critical Infrastructure
The National Institute of Standards and Technology (NIST) issued a Request for Information (RFI) in the Federal Register as its first step in the process to develop a Cybersecurity Framework, a set of voluntary standards and best practices to guide industry in reducing cyber risks to the networks and computers that support critical infrastructure vital to the nation's economy, security and daily life. Stakeholder meetings are also a part of the framework process, and the first such meeting will be held April 3, 2013, at the NIST headquarters in Gaithersburg, Md. President Obama called for the framework to reduce cyber risks to critical infrastructure such as power plants and financial, transportation and communications systems, in his February 12, 2013, Executive Order on "Improving Critical Infrastructure Cybersecurity".
NIST requests ideas, recommendations and other input from critical infrastructure owners and operators, federal agencies, state and local governments, standards-setting organizations, and other interested parties about current risk management practices; use of frameworks, standards, guidelines and best practices; specific industry practices and more.
Specific questions are included in the RFI. For more information about the framework and the process NIST will use to develop the framework within a year, see the February 13, 2013, announcement on the Department of Commerce Web page or the NIST Cybersecurity Framework Web page at: www.nist.gov/itl/cyberframework.cfm
International Association of Risk and Compliance Professionals (IARCP) www.risk-compliance-association.com
The RFI on the new Cybersecurity Framework is available at https://www.federalregister.gov/articles/2013/02/26/2013-04413/developing-a-framework-to-improve-critical-infrastructure-cybersecurity
Comments are due by 5 p.m. ET, Monday, April 8, 2013, and should be sent to cyberframework@nist.gov with the subject line: "Developing a Framework to Improve Critical Infrastructure Cybersecurity."
Executive Order
Section 1. Policy
Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity. The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront. The national and economic security of the United States depends on the reliable functioning of the Nation's critical infrastructure in the face of such threats. It is the policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties. We can achieve these goals through a partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing and collaboratively develop and implement risk-based standards.
debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.
The Secretary and the Attorney General, in coordination with the Director of National Intelligence, shall establish a system for tracking the production, dissemination, and disposition of these reports.
(c) To assist the owners and operators of critical infrastructure in protecting their systems from unauthorized access, exploitation, or harm, the Secretary, consistent with 6 U.S.C. 143 and in collaboration with the Secretary of Defense, shall, within 120 days of the date of this order, establish procedures to expand the Enhanced Cybersecurity Services program to all critical infrastructure sectors.
This voluntary information sharing program will provide classified cyber threat and technical information from the Government to eligible critical infrastructure companies or commercial service providers that offer security services to critical infrastructure.
(d) The Secretary, as the Executive Agent for the Classified National Security Information Program created under Executive Order 13549 of August 18, 2010 (Classified National Security Information Program for State, Local, Tribal, and Private Sector Entities), shall expedite the processing of security clearances to appropriate personnel employed by critical infrastructure owners and operators, prioritizing the critical infrastructure identified in section 9 of this order.
(e) In order to maximize the utility of cyber threat information sharing with the private sector, the Secretary shall expand the use of programs that bring private sector subject-matter experts into Federal service on a temporary basis. These subject matter experts should provide advice regarding the content, structure, and types of information most useful to critical infrastructure owners and operators in reducing and mitigating cyber risks.
privacy and civil liberties protections are incorporated into such activities. Such protections shall be based upon the Fair Information Practice Principles and other privacy and civil liberties policies, principles, and frameworks as they apply to each agency's activities.
(b) The Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties of the Department of Homeland Security (DHS) shall assess the privacy and civil liberties risks of the functions and programs undertaken by DHS as called for in this order and shall recommend to the Secretary ways to minimize or mitigate such risks, in a publicly available report, to be released within 1 year of the date of this order. Senior agency privacy and civil liberties officials for other agencies engaged in activities under this order shall conduct assessments of their agency activities and provide those assessments to DHS for consideration and inclusion in the report. The report shall be reviewed on an annual basis and revised as necessary. The report may contain a classified annex if necessary. Assessments shall include evaluation of activities against the Fair Information Practice Principles and other applicable privacy and civil liberties policies, principles, and frameworks. Agencies shall consider the assessments and recommendations of the report in implementing privacy and civil liberties protections for agency activities.
(c) In producing the report required under subsection (b) of this section, the Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties of DHS shall consult with the Privacy and Civil Liberties Oversight Board and coordinate with the Office of Management and Budget (OMB).
(d) Information submitted voluntarily in accordance with 6 U.S.C. 133 by private entities under this order shall be protected from disclosure to the fullest extent permitted by law.
The Cybersecurity Framework shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.
The Cybersecurity Framework shall incorporate voluntary consensus standards and industry best practices to the fullest extent possible. The Cybersecurity Framework shall be consistent with voluntary international standards when such international standards will advance the objectives of this order, and shall meet the requirements of the National Institute of Standards and Technology Act, as amended (15 U.S.C. 271 et seq.), the National Technology Transfer and Advancement Act of 1995 (Public Law 104-113), and OMB Circular A-119, as revised.
(b) The Cybersecurity Framework shall provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including
information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.
The Cybersecurity Framework shall focus on identifying cross-sector security standards and guidelines applicable to critical infrastructure. The Cybersecurity Framework will also identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations. To enable technical innovation and account for organizational differences, the Cybersecurity Framework will provide guidance that is technology neutral and that enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, methodologies, procedures, and processes developed to address cyber risks. The Cybersecurity Framework shall include guidance for measuring the performance of an entity in implementing the Cybersecurity Framework.
(c) The Cybersecurity Framework shall include methodologies to identify and mitigate impacts of the Cybersecurity Framework and associated information security measures or controls on business confidentiality, and to protect individual privacy and civil liberties.
(d) In developing the Cybersecurity Framework, the Director shall engage in an open public review and comment process. The Director shall also consult with the Secretary, the National Security Agency, Sector-Specific Agencies and other interested agencies including OMB, owners and operators of critical infrastructure, and other stakeholders through the consultative process established in section 6 of this order. The Secretary, the Director of National Intelligence, and the heads of other relevant agencies shall provide threat and vulnerability information and technical expertise to inform the development of the Cybersecurity Framework.
The Secretary shall provide performance goals for the Cybersecurity Framework informed by work under section 9 of this order.
(e) Within 240 days of the date of this order, the Director shall publish a preliminary version of the Cybersecurity Framework (the "preliminary Framework"). Within 1 year of the date of this order, and after coordination with the Secretary to ensure suitability under section 8 of this order, the Director shall publish a final version of the Cybersecurity Framework (the "final Framework").
(f) Consistent with statutory responsibilities, the Director will ensure the Cybersecurity Framework and related guidance is reviewed and updated as necessary, taking into consideration technological changes, changes in cyber risks, operational feedback from owners and operators of critical infrastructure, experience from the implementation of section 8 of this order, and any other relevant factors.
(c) Sector-Specific Agencies shall report annually to the President, through the Secretary, on the extent to which owners and operators notified under section 9 of this order are participating in the Program.
(d) The Secretary shall coordinate establishment of a set of incentives designed to promote participation in the Program. Within 120 days of the
date of this order, the Secretary and the Secretaries of the Treasury and Commerce each shall make recommendations separately to the President, through the Assistant to the President for Homeland Security and Counterterrorism and the Assistant to the President for Economic Affairs, that shall include analysis of the benefits and relative effectiveness of such incentives, and whether the incentives would require legislation or can be provided under existing law and authorities to participants in the Program.
(e) Within 120 days of the date of this order, the Secretary of Defense and the Administrator of General Services, in consultation with the Secretary and the Federal Acquisition Regulatory Council, shall make recommendations to the President, through the Assistant to the President for Homeland Security and Counterterrorism and the Assistant to the President for Economic Affairs, on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration. The report shall address what steps can be taken to harmonize and make consistent existing procurement requirements related to cybersecurity.
The Secretary shall review and update the list of identified critical infrastructure under this section on an annual basis, and provide such list to the President, through the Assistant to the President for Homeland Security and Counterterrorism and the Assistant to the President for Economic Affairs.
(b) Heads of Sector-Specific Agencies and other relevant agencies shall provide the Secretary with information necessary to carry out the responsibilities under this section. The Secretary shall develop a process for other relevant stakeholders to submit information to assist in making the identifications required in subsection (a) of this section.
(c) The Secretary, in coordination with Sector-Specific Agencies, shall confidentially notify owners and operators of critical infrastructure identified under subsection (a) of this section that they have been so identified, and ensure identified owners and operators are provided the basis for the determination. The Secretary shall establish a process through which owners and operators of critical infrastructure may submit relevant information and request reconsideration of identifications under subsection (a) of this section.
Within 90 days of the publication of the preliminary Framework, these agencies shall submit a report to the President, through the Assistant to the President for Homeland Security and Counterterrorism, the Director of OMB, and the Assistant to the President for Economic Affairs, that states whether or not the agency has clear authority to establish requirements based upon the Cybersecurity Framework to sufficiently address current and projected cyber risks to critical infrastructure, the existing authorities identified, and any additional authority required.
(b) If current regulatory requirements are deemed to be insufficient, within 90 days of publication of the final Framework, agencies identified in subsection (a) of this section shall propose prioritized, risk-based, efficient, and coordinated actions, consistent with Executive Order 12866 of September 30, 1993 (Regulatory Planning and Review), Executive Order 13563 of January 18, 2011 (Improving Regulation and Regulatory Review), and Executive Order 13609 of May 1, 2012 (Promoting International Regulatory Cooperation), to mitigate cyber risk.
(c) Within 2 years after publication of the final Framework, consistent with Executive Order 13563 and Executive Order 13610 of May 10, 2012 (Identifying and Reducing Regulatory Burdens), agencies identified in subsection (a) of this section shall, in consultation with owners and operators of critical infrastructure, report to OMB on any critical infrastructure subject to ineffective, conflicting, or excessively burdensome cybersecurity requirements. This report shall describe efforts made by agencies, and make recommendations for further actions, to minimize or eliminate such requirements.
(d) The Secretary shall coordinate the provision of technical assistance to agencies identified in subsection (a) of this section on the development of their cybersecurity workforce and programs.
(e) Independent regulatory agencies with responsibility for regulating the security of critical infrastructure are encouraged to engage in a consultative process with the Secretary, relevant Sector-Specific Agencies,
and other affected parties to consider prioritized actions to mitigate cyber risks for critical infrastructure consistent with their authorities.
Sec. 11. Definitions
(a) "Agency" means any authority of the United States that is an "agency" under 44 U.S.C. 3502(1), other than those considered to be independent regulatory agencies, as defined in 44 U.S.C. 3502(5).
(b) "Critical Infrastructure Partnership Advisory Council" means the council established by DHS under 6 U.S.C. 451 to facilitate effective interaction and coordination of critical infrastructure protection activities among the Federal Government; the private sector; and State, local, territorial, and tribal governments.
(c) "Fair Information Practice Principles" means the eight principles set forth in Appendix A of the National Strategy for Trusted Identities in Cyberspace.
(d) "Independent regulatory agency" has the meaning given the term in 44 U.S.C. 3502(5).
(e) "Sector Coordinating Council" means a private sector coordinating council composed of representatives of owners and operators within a particular sector of critical infrastructure established by the National Infrastructure Protection Plan or any successor.
(f) "Sector-Specific Agency" has the meaning given the term in Presidential Policy Directive-21 of February 12, 2013 (Critical Infrastructure Security and Resilience), or any successor.
Nothing in this order shall be construed to provide an agency with authority for regulating the security of critical infrastructure in addition to or to a greater extent than the authority the agency has under existing law.
Nothing in this order shall be construed to alter or limit any authority or responsibility of an agency under existing law.
(b) Nothing in this order shall be construed to impair or otherwise affect the functions of the Director of OMB relating to budgetary, administrative, or legislative proposals.
(c) All actions taken pursuant to this order shall be consistent with requirements and authorities to protect intelligence and law enforcement sources and methods.
Nothing in this order shall be interpreted to supersede measures established under authority of law to protect the security and integrity of specific activities and associations that are in direct support of intelligence and law enforcement operations.
(d) This order shall be implemented consistent with U.S. international obligations.
(e) This order is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.
BARACK OBAMA
We set out our intended approach to capital transition in a statement in October 2012.
Once finalised legislative text is available at the EU level, the FSA intends to publicly consult on changes to FSA rules. The provisions of the Regulation will directly apply to firms. The introduction of Common Reporting, which is incorporated into the requirements in CRD IV, is dependent on delivery of the necessary technical systems and on implementing technical standards to be drafted by the European Banking Authority and adopted by the European Commission. The FSA is proceeding with the necessary preparatory work to be ready to begin collecting data under Common Reporting for the period beginning 1 January 2014, should the legislation and related standards be in force by this date.
Disclaimer
The Association tries to enhance public access to information about risk and compliance management. Our goal is to keep this information timely and accurate. If errors are brought to our attention, we will try to correct them. This information:
is of a general nature only and is not intended to address the specific circumstances of any particular individual or entity;
should not be relied on in the particular context of enforcement or similar regulatory action;
is not necessarily comprehensive, complete, or up to date;
is sometimes linked to external sites over which the Association has no control and for which the Association assumes no responsibility;
is not professional or legal advice (if you need specific advice, you should always consult a suitably qualified professional);
is in no way constitutive of an interpretative document;
does not prejudge the position that the relevant authorities might decide to take on the same matters if developments, including Court rulings, were to lead it to revise some of the views expressed here;
does not prejudge the interpretation that the Courts might place on the matters at issue.
Please note that it cannot be guaranteed that this information and these documents exactly reproduce officially adopted texts. It is our goal to minimize disruption caused by technical errors. However, some data or information may have been created or structured in files or formats that are not error-free and we cannot guarantee that our service will not be interrupted or otherwise affected by such problems. The Association accepts no responsibility with regard to such problems incurred as a result of using this site or any linked external sites.
Certified Risk and Compliance Management Professional (CRCMP) distance learning and online certification program.
Companies like IBM, Accenture etc. consider the CRCMP a preferred certificate. You may find more if you search (CRCMP preferred certificate) using any search engine. The all-inclusive cost is $297. What is included in the price:
B. Up to 3 Online Exams
You have to pass one exam.
If you fail, you must study the official presentations and try again, but you do not need to spend money. Up to 3 exams are included in the price. To learn more you may visit:
www.risk-compliance-association.com/Questions_About_The_Certification_And_The_Exams_1.pdf
www.risk-compliance-association.com/CRCMP_Certification_Steps_1.pdf
D. The Dodd Frank Act and the new Risk Management Standards (976 slides, included in the 3285 slides)
The US Dodd-Frank Wall Street Reform and Consumer Protection Act is the most significant piece of legislation concerning the financial services industry in about 80 years. What does it mean for risk and compliance management professionals? It means new challenges, new jobs, new careers, and new opportunities. The bill establishes new risk management and corporate governance principles, sets up an early warning system to protect the economy from future threats, and brings more transparency and accountability. It also amends important sections of the Sarbanes Oxley Act. For example, it significantly expands whistleblower protections under the Sarbanes Oxley Act and creates additional anti-retaliation requirements. You will find more information at: www.risk-compliance-association.com/Distance_Learning_and_Certification.htm