Compliance in Europe; the Brussels perspective
Intervention by Wim Mijs, Chief Executive Officer of the European Banking Federation, at the European Compliance Conference in Warsaw, 20 April 2018
CHECK AGAINST DELIVERY
Good morning ladies and gentlemen,
Not so long ago, a group of criminals decided to rob a bank. They figured that plotting an assault on an actual branch would be too risky. So instead they planned a virtual attack. A fake email was sent to targeted bank employees with an attached malware file that provided access to the internal networks of banks. The Carbanak malware was designed in such a way that it could infect the servers that controlled ATMs. After this successful penetration the hackers could do their work and program the ATMs to dispense cash at a chosen moment of the day. The only thing that the gang had to do was to be on time to pick up the cash. Their time management proved to be excellent and the gang managed to steal $1 billion across 40 countries, hitting more than 100 financial institutions. A pretty nifty scheme if I may say so.
This may sound like a movie script from Ocean’s 11 but it turned out to be real for all of us. Together with Europol and international police forces, the EBF helped operationally to track the money, which was laundered with money mules and cryptocurrencies. Eventually this contributed to the arrest of the mastermind behind the heist. His name was Denis K., a 34-year-old computer engineer with a Ukrainian passport, living on the Spanish Costa.
For us as EBF this arrest was a major new development. We were looking at our first operational result of our partnership with Europol, and we achieved this by sharing the right information between different authorities, across different jurisdictions.
Why am I telling you this? This is the story of your security office. Of your IT department. Of all of your staff using computers. And that is everybody in your organisation. It is today’s reality for both you and me. It’s another reminder of the risks that our industry is facing. Let’s not forget that this just happened by opening the wrong email. But it also shows that incidents can be prevented and dealt with.
New developments in regulation and technology are keeping us busy. While new risks are emerging, the work of compliance departments is getting essential for business continuity. You are an important part of the line of defence. The front office comes first. But you help maintain a delicate balance. You make the rules work. A tiny mistake can have unexpected consequences.
That was also clear more than ten years ago, when the global financial crisis hit. We all remember the stressful days we had to endure. The European financial sector was dealing with significant liquidity problems, followed by insolvency and even reaching the heights of systemic risk.
I’m pleased to say that our banking sector has clearly recovered. The numbers continue to confirm this. Even though you are not risk managers, you might want to know that we have a core equity capital ratio of 13,8% in Europe, with a leverage ratio of 5%.
Now that the crisis is behind us, the real work can continue and intensify.
In the years before the crisis hit there was little interest in making more rules. The appetite for financial regulation was almost non-existent. But after the crisis the scale turned the other way, and regulators produced a tsunami of new rules.
Post-crisis rules and procedures have come into force and have influenced the way we work. You have been here at the European Compliance Conference for two days now and you probably discussed the impact of almost all of this.
Luckily – at least for us as lobbyists, to put it ironically – financial regulation is never finished and policy makers in Europe have not stopped working to keep up with a transforming industry. There is a lot more coming your way and that will continue to keep us busy.
We see that maintaining financial stability still is a core objective of upcoming legislation. But many recent proposals also show a growing desire to improve efficiency, competitiveness and to reorder the market.
Together with the fast expanding digital transformation, this policy mindset decides what our jobs and our banks will look like in the future.
Let’s take a look at the current EU ambitions on financial regulation and the role of regulators, some plans that require, in my perspective, extra attention from the industry.
A main EU priority in financial regulation is the completion of an integrated Financial Union, consisting of the Banking Union and the Capital Markets Union. These are very different animals.
Capital Markets Union is a way to stimulate more integrated financial markets. Banking Union is about addressing omissions.
The Banking Union is deemed to function as a supporting foundation necessary for a single currency union. It has four pillars:
- The SSM, Single Supervisory Mechanism for the biggest banks
- The Single Rulebook
- Thirdly, there is a single body to resolve banks, the Single Resolution Board – Elke König in Brussels – Gone Concern.
- The fourth and final pillar is known as EDIS, the European Deposit Insurance System. As you know, this system is currently being discussed and expected to be put into place during the coming years. EDIS is a highly contentious proposal. It’s a sensitive political dossier, with clear lines between North and South, and between risk reduction and solidarity. Both sides are right. And I believe that eventually we will see EDIS agreed.
On Capital Markets Union: the European Commission has not delivered. Brexit led to the departure of my good friend Commissioner Jonathan Hill, and that effectively meant the end of CMU in the Juncker Commission. CMU was supposed to facilitate further integration of the EU capital markets. We now wait to see what will happen after the 2019 elections for the European Parliament.
What’s left for now in terms of coming financial regulation is the Risk Reduction Package, which is currently considered by the EU Parliament. It’s also known as CRR2 and CRD5. Despite thousands of amendments that have been tabled on the original Commission proposal, we see many elements that are still unclear and that need even more revisions.
The current review of Risk Reduction Measures presents an opportunity, at least on paper, to introduce a more calibrated approach of banking rules, an approach that supports business activities, not burden them.
But as you know well such a review of existing regulation does not necessarily mean more clarity and more certainty. Any of you will recognize that this is something that happened with the MIFID package, the most pressing area that is widely discussed by many compliance departments.
MIFID was initially designed as a small tweak to Art. 11 of the ISD.
And then, in 2011, came MIFID 2.
What really is the objective? Was it to improve Mifid 1? Or was it because the Brussels sausage factory had to keep on turning?
Mifid 1 was seven years in the making. 30.000 pages. 1.4 million paragraphs. If you stack them up it’s well above your knees.
Some banks spending more than 40 million euros each on compliance; total costs of 2.5 billion euro in compliance. That’s a rather expensive sausage.
Mifid 2 was designed as a radical shake-up. We saw it both as an opportunity to create more transparency, but also as a threat. It certainly means a step-change for fund managers, and for banks.
I know well that Mifid II is a headache for many of you. But you really should be pleased. After all, the real added value is that it comes with a guarantee for life-time employment for all of you.
As European Banking Federation we of course welcomed the review of Mifid 1 that was announced in 2011. Did we really have a choice?
The discussions took place at an incredible level of detail. We could have continued these discussions for many more years, but the Commission in the end wanted no further delays.
If there is one thing the Commission can be praised for it is that Commissioner Dombrovskis was keen to create certainty. As long as the discussions were ongoing no one really knew what the final package was going to look like. The Commission rushed the Mifid 2 Package. That is clear to everybody involved.
Generally speaking, as EBF, we often ask the Commission and the EU to provide regulatory certainty. But Mifid 2 was a clear example of how not to do it.
We really do need more regulatory certainty for the European banking sector. Rules need to be there early and we need time to implement them properly.
We need to avoid problems as we have seen with MIFID II. Not only to make compliance workable. But also to let the single market function properly, in an integrated way. As EBF we fully support the creation of a true single market for financial services. With Banking Union and Mifid 2 we are moving in that direction, albeit slowly.
What is decided in Brussels, and increasingly in Frankfurt, has clearly changed the day-to-day compliance work in our industry. It has changed the role for all of you and your organisations. You all are transforming and adapting to new ways of working.
Modern compliance means dealing with this wide variety of new procedures and requirements. It means dealing with diverse regulating entities. And all that in an environment heavily influenced by digitalisation.
Working with supervisors now means welcoming joint supervisory teams consisting of different cultural backgrounds, sometimes the procedures are familiar, even overlapping with local rules, but sometimes this European dimension brings surprises to your work, surprises in language, etiquette, unexpected demands that require extra resources.
On a more operational level, compliance has to adapt to different organisational structures, interaction between front and back offices is being pressured. Compliance departments need to proactively advocate towards the front office, more than in the past.
Not only internal work is affected, also the external actors can feel the change. They are often getting lost in the patchwork of procedures. Improved communication is key.
Clients, partners and consumers will all need more guidance with all these new rules. Compliance professionals should get used to not only enforcing the rules but also explaining them.
Let me address a number of specific developments, which we are also addressing as European Banking Federation:
- Data: there is an urgent need to maintain oversight and control over the increasing pile of data. We need to get used to working with large and complex amounts. Also, make use of the available regtech solutions.
- GDPR is here to let us monitor and control all the nodes of data that go in and out the system, also the role and responsibility of end-users is essential here.
- PSD2 is here and will enable banks to adjust to a more open system, by continuing to build secure APIs. But cybersecurity dangers, such as with screen scraping, are just around the corner.
- Outsourcing and fintech use are being part of the value chain and require more careful assessment in terms of security & risk for the rest of the system. Banks acquiring or investing in Fintechs will be exposed to new ecosystems, new data and new users.
Cloud computing is providing a safe solution for the storage of data and the outsourcing of computer power. We welcome this. But banks and cloud service providers need a clear set of rules that support secure cloud adoption in finance.
Artificial Intelligence is leading to automated solutions such as robo-advice and smart algorithms that get more out of data. These tools certainly are making AML and KYC protocols more efficient. They play a key role in reducing fraudulent activity.
Let me close:
Risks are more diverse than ever. Cybercrime, with examples such as the Carbanak case, is just one of them. Fraud is getting more sophisticated. I just mention CEO fraud.
Derisking becomes a more difficult exercise, as we have seen in Latvia.
Geopolitical uncertainty brings even more spice to the table. Just think about the tense connections with Iran and the case of fraud in Latvia.
Being ‘from compliance’ is a tough job. More rules mean more work. Last week it was revealed that on a global scale financial regulation costs 780 billion dollars per year. (BIAC-OECD number)
Regulatory inconsistencies across different jurisdictions cost financial institutions between 5 and 10% of their annual revenues. You can easily imagine the material impact and disproportionate burden on smaller banks, with relatively small compliance departments.
Regulation will always need an extra pair of eyes, that is why I am very glad to be invited here. Together we can find the right balance, making improvements where necessary. We need your input, and that is also the role of the EBF, to take your concerns and address them with the right institutions.
Compliance is about directing the lines of defence. This has become absolutely critical amid the growing complexity of financial organisations, especially in a fast-moving digital economy. But remember: like in the cybercrime case, if a criminal can use the benefits of a transforming society to do his job well, then so can you.
Thank you for your attention.