

An initiative of Eva Joly, Member of the Greens/EFA group in the European Parliament

by Jon Thorisson. 30.11 2015

In January 2016 new Basel III principles for bank risk data aggregation
will take effect, but according to a survey conducted by the Basel Committee on
Banking Supervision earlier this year, 30 globally important banks believe they
will fail to comply with the new principles while 50% said they will not be able to
comply with all the principles and some will barely scrape by.
The problem has two sides: on the one hand it raises questions about the security
of the financial data banks hold; on the other there is the question of the accuracy
of the financial data banks have at hand for their own risk operations and
the reliability of the financial data made available to regulators.
Is it possible that, seven years after the financial crisis started to unfold, no
real improvements have been made?
Breaches of data security regularly make headlines, exposing the vulnerability of
databases to increasingly sophisticated cyber attacks.
In Europe, reports on cyber attacks and data breaches in the financial sector
appear regularly; HSBC, Deutsche Bank, RBS and other major banks have all
made headlines in recent months, exposing large-scale data leaks and mistakes in
financial transactions caused by outdated and piecemeal computer systems.1
The FT reports that “only 6 per cent of the directors overseeing the world’s biggest
banks have any technology experience even though issues ranging from cyber
security to digital challengers have shot up their boardroom agenda”.2
An example of the scale of the problems with the banking world’s approach to IT
was clearly exposed when the American bank Lehman Brothers went bankrupt
in September 2008.
In the wake of the bankruptcy of Lehman, the US courts appointed an Examiner
to investigate the events leading to the failure of the bank.
The bank did not completely cease its operations but was in part taken over by
the British bank Barclays, which kept most of the bank’s computer systems and
other infrastructure intact.
The examiner, Anton R. Valukas, issued a nine-volume, 2200-page report on
Lehman3 in March 2010, in which the state of the bank’s IT infrastructure is
described and the available data that was reviewed in the investigation was
estimated “at three petabytes of data – roughly the equivalent of 350 billion
pages of documents”.
Investigating and reviewing Lehman’s operating, trading, valuation, financial,
accounting and other data systems proved challenging, according to the report,
partly because most of the Lehman IT systems had been transferred to Barclays,
which had already integrated some of its own confidential data into the
systems and was therefore unwilling to grant direct access, but also because of the
complexity of the software system, “a patchwork of over 2.600 software
systems and applications”. The examiner decided that it was beyond the
capacity and budget of the investigation to learn and access each of these 2.600
systems, concluding in his report that:
“The Examiner’s financial advisors ultimately requested access to 96 of the most
relevant systems. The process of identifying those presented its own challenges.
Many of Lehman’s systems were arcane, outdated or non‐standard. Becoming
proficient enough to use the systems required training in some cases, study in
others, and trial and error experimentation in others. In numerous instances, the
Examiner’s professionals would request access to a particular system, expend the
time necessary to learn how to use the system and only then discover that access to
two or three additional systems was required to answer the necessary questions.
Lehman’s systems were highly interdependent, but their relationships were difficult
to decipher and not well documented. It took extraordinary effort to untangle these
systems to obtain the necessary information.
Because some systems were in current use by Barclays in its operations, Barclays
limited access to 79 of the requested 96 systems to “read‐only.” Read‐only access
made the review and organization of data more difficult. And in some cases, read‐
only access was severely restricted. For some systems, the ability to query the data
and search for a particular transaction was limited to certain parameters. For
others, the Examiner was denied direct access altogether, requiring the need to
request that searches be done by Barclays’s technology personnel, who would then
forward findings to the Examiner.”4
The exposure of the state of Lehman’s IT systems is, through the work of the
Valukas investigation and report, public. It is another story that the CEO of
Lehman, Dick Fuld, who was paid $485 million in salary and bonuses between
2000 and 2007, blamed the downfall of the bank on “regulatory failings”, adding:



“Regardless of what you think of Lehman Brothers’ risk management, I had
27,000 risk managers, because they all owned a piece of the firm”.5
That the state of Lehman’s IT systems is not unique in the banking world has
become apparent from recent news reports about several major banks, including
Deutsche Bank, RBS, UBS, Industrial Bank of China, JPMorgan Chase and others
where the processing of large sums has gone wrong only to be discovered days
later, customer payments and salary accounts have been temporarily lost and so
The malfunctioning IT systems have been called “a ticking time bomb” by
What is surprising is the absence of reports on how the banking world’s ancient
IT systems might influence the reliability of the financial sector’s oversight and
management of their systems as a whole, including risk management, rather
than, as most news reports have done, on the mishaps in single transactions,
mismanagement of salary accounts and breaches of customer privacy.
In that respect the above-mentioned report from the Basel Committee on
Banking Supervision does not do much to boost confidence in the banking
sector’s ability to mend its ways.
In 2013 the Basel Committee issued “The Principles for effective risk data
aggregation and risk reporting” (the “Principles”),6
“aiming to strengthen risk data aggregation and risk reporting practices at banks
to improve risk management practices. In addition, improving banks´ ability to
rapidly provide comprehensive risk data by legal entity and business line is
expected to enhance both their decision-making processes and their resolvability”
The “Principles”, a list of eleven in all, are: Governance, Data Architecture & IT
Infrastructure, Accuracy and Integrity, Completeness, Timeliness, Adaptability,
Accuracy, Comprehensiveness, Clarity and Usefulness, Frequency, Distribution.
The latest report from the committee, “Progress in adopting the principles for
effective risk data aggregation and risk reporting” issued in January 2015 sums
up the results of a survey conducted for “global systemically important
banks” (G-SIBs) and “systemically important banks” (SIBs).
The survey itself is a simplified version of the 2013 survey, “taking into
consideration the results of the 2013 stocktaking exercise, discussions with the
industry, and national supervisor’s continuous monitoring of banks”. So this new
survey is a “light” version of the earlier one, having been slimmed down from 87
detailed requirements in 2013 to 35 in the 2014 version.
The survey is intended to establish how G-SIBs (globally systemically
important banks) view their current compliance status with the Principles and
monitor progress towards full compliance by the January 1st 2016 deadline and
“to help identify and remedy any implementation issues.”
In 2014 thirty-one G-SIBs and six other large banks participated in the
self-assessment exercise, rating on a scale from 1 – 4 their current level of
compliance with the 11 Principles and 21 specific requirements under the
Principles (see Annex 2 in the January 2015 report).7
In short, according to the report’s conclusions, “the three Principles with the
lowest reported compliance were Principle 2 (data architecture/IT infrastructure),
Principle 6 (adaptability) and Principle 3 (accuracy/integrity) as nearly half of
banks reported material non-compliance on these Principles.”
The report goes on to comment: “Compared to the 2013 results, many banks
continue to encounter difficulties in establishing strong data aggregation
governance, architecture and processes. Banks reported that they often rely on
manual workarounds. Similar to the results of the 2013 stocktaking, many firms
failed to recognize that governance/infrastructure Principles are important
prerequisites for facilitating compliance with the other Principles. Compliance with
Principle 2 (data architecture/IT infrastructure) was rated lowest while Principle
11 (report distribution) was rated highest”.
Delays are reported by several banks in initiating or implementing IT
infrastructure projects and in comparison with the 2013 survey “execution risks
appear to have increased” and 14 G-SIBs (globally systemically important
banks) report that they will not be fully compliant with at least one Principle by
the deadline, compared with 10 banks in the 2013 survey.
The report further notes that:
“however, given the complexity of ongoing, large-scale data infrastructure projects
and noted issues in complying with some of the more fundamental Principles, it
appears that banks still have considerable work ahead of them. On a positive note,
three banks, which expected in 2013 to miss the compliance deadline, have now
indicated that they expect to meet the deadline. Two additional banks did not
report any corresponding rating changes from the 2013 stocktaking to the 2014
The results of the 2014 questionnaire raise some concern that self-assessments of
compliance dates may be overly ambitious. Several G-SIBs that rated themselves as
materially non-compliant with several Principles still expected to be compliant by
the deadline. For example, 15 G-SIBs rated themselves as materially non-compliant
with Principle 3 (data accuracy and integrity), but 10 of those G-SIBs still expected
to meet the deadline. Regardless of how the banks rated themselves, anecdotal
evidence gathered via the questionnaire suggests that it will be difficult for a
number of firms to fully comply with the Principles by 2016”.
Again, it is worth remembering that all of this is based on self-assessments (even
though the report emphasizes that it is conducted on a “best-effort basis” –
whatever that may mean) and that neither national supervisors nor any other
independent authority has validated the accuracy of the banks’ own evaluations
of their situation – nor is there any assessment of the potential differences in the
rigour applied by each bank or the differences in supervisory approaches.
The report concludes that:
“While the banks may have adequate processes and procedures in place for report
distribution, they may be overstating their level of compliance. This is particularly
true given their continued reliance on manually produced reports, particularly in
stressed or crisis situations, as well as for assessing emerging risks. It is still
questionable how reliable and useful these banks’ risk reports can be when the data
within these reports and the procedures and processes to produce them are in need
of improvements.
Results showed that there remain some significant common challenges to full
compliance with the Principles:
• Banks’ dependence on manual processes;
• The need to develop common data dictionaries and data taxonomies; and
• The inability to create accurate and timely risk data reports during stressed or
crisis situations.”
It is clear that under the current circumstances the Basel Committee itself does
not have any legal authority or other measures to enforce any of its
recommendations or “principles”.
The report makes clear “that this is a case for the supervisory authorities in
individual countries who have indicated that they have a variety of supervisory
tools ranging from information-gathering powers to the enforcement of penalties
and capital add-ons if their regulated G-SIBs or D-SIBs fail to comply with the
Principles. However, a number of supervisory authorities indicated that the
application of specific tools depends on the nature of the issue and its impact on
supervisory objectives. There is no uniform strategy among authorities for applying
any specific tool, and their responses indicated that they are likely to follow a
risk-based assessment of compliance with the Principles to determine the most
appropriate supervisory tools to apply”.
In a speech given at the Finance Watch8 conference in Brussels on November
17th 2015, Robert Jenkins (a former member of the Bank of England’s financial
stability policy committee) presented a list of 47 banking scandals – a list he
points out is partial – suggesting that governments are ill-advised to give in to the
demands of the financial sector lobby, seeking a return to “business as usual”9:
“• Mis-selling of payment protection insurance
• Mis-selling interest rate swaps
• Mis-selling credit card theft insurance
• Mis-selling of mortgage-backed securities
• Mis-selling of municipal bond investment strategies
• Mis-selling of structured deposit investments
• Mis-selling of foreign exchange products
• Fraud related to the packaging and selling of mortgage-backed securities that institutions knew to be “toxic waste”
• Misleading statements to investors involving capital raising rights issue
• Misleading investors in the sale of collateralised debt obligations
• Abusive small business lending practices
• Predatory mortgage practices
• Abusive or inappropriate foreclosure practices
• Aiding and abetting tax evasion
• Aiding and abetting money laundering for violent drug cartels
• Violations of rogue-regime sanctions
• Manipulation of Euribor
• Manipulation of FX markets
• Manipulation of gold fixing (London)
• Manipulation of commodity markets via metals warehousing practices
• Manipulation of electricity markets (California/JPMorgan)
• Manipulation of the swaps market benchmark index (ISDAfix)
• Collusion relating to credit default swap market dealing in violation of US antitrust laws
• Filing false statements with the SEC (“London Whale”, JPMorgan)
• Keeping false books and records (“London Whale”, JP Morgan and others)
• Reporting failures relating to Madoff
• Withholding of critical information from Italian regulators
• Bribing civil service employees in Japan
• Mis-reporting related to Barclays emergency capital raising
• Stealing confidential regulatory information by a banker
• Collusion with Greek authorities to mislead EU policy makers on meeting Euro criteria (Goldman Sachs)
• Financial engineering with the aim of moving Italian debt off-balance sheet
• Manipulation of risk models with the aim of minimizing reported RWA / capital
• Manipulation of precious metals markets (gold/silver/platinum/palladium –
• Manipulation / collusion of the US Treasury Market auction/client sales
• Manipulation of energy markets
• Short changing clients a second time in not paying settlements in full
• Violations connected with emergency fund raisings
• Electronic FX trading related market manipulation (NY DFS investigation)
• Falsifying customer data and records (RBS and others)
• Misleading clients over dark pools (Barclays and others)
• Misleading shareholders ahead of RBS rights issue
• Misleading shareholder information with respect to Lloyds takeover of HBOS and RBS’s rights issues
• Conspiracy to force small businesses into bankruptcy to the benefit of the lender (RBS, Lloyds and others)
• Insertion of illegal rate floors in Spanish mortgage lending
• Faking customer files to justify predatory foreclosure practices
• Misleading profit and capital statements based on questionable accounting
Mr. Jenkins is scathing in his comments on the Basel III principles focusing on
capital requirements, leverage ratio and liquidity requirements, saying that they
are insufficient to ensure stability in the financial sector, that “leverage
remains high and accountability low” and that the courage to address either
“seems to be lacking”.
Addressing these three issues, Capital, Accountability and Courage, Jenkins goes
on to comment on the new Basel rules meant to address excessive leverage:
“Take an example. Remember CDOs squared – that mini-masterpiece of financial
engineering that spread panic throughout the market? The instrument still
features on Basel’s roster of risk-weighted assets. And the RWA regime determines
the amount of capital required in support of such risks”.
The new Basel rules require less than 1,4 per cent of equity funding “for a
security that neither banker, regulator, rating agency nor investor was able to
Regarding the total leverage at which banks can operate, Basel III introduces new
limits which, according to Jenkins, are less than confidence inspiring:
“this “leverage ratio” allows balance sheets to balloon to 33 times their
loss-absorbing equity. At that degree of gearing, a three per cent decline in the value of
bank assets wipes out 100 per cent of bank capital. A mere one per cent decline
leaves the institution leveraged 50 times; a two per cent decline – a hundred times”.
Jenkins concludes that the banking system “remains and is set to remain
undercapitalized. Basel III is a busted flush. The many measures to compensate
serve only to confirm this fact – without adequately compensating for its failure”.
Regarding Accountability, Jenkins points out that banking seems to be an
“ethics-free zone”, as despite hearings, investigations, the appointment of
commissions and large fines imposed on banks, no bank has lost its licence, no
management teams, boards or supervising executives have been prosecuted – the
fines have been paid by the shareholders, not by the perpetrators.
A shining exception to Jenkins’ description of this lack of accountability is the ongoing
bank investigation in Iceland where numerous senior bankers have been
tried and found guilty, serving maximum jail sentences for fraud, market
manipulation and other financial misdeeds.
According to the dictionary accountability involves not only “the obligation of an
individual or organization to account for its activities, and accept responsibility
for them, but also to disclose the results in a transparent manner”. And herein
lies the problem of dealing with financial wrongdoing by imposing fines and
what Jenkins calls “deferred prosecution agreements”, which is standard
procedure in the US, allowing the banks to keep the wrongdoing that led to the
agreement with prosecutors out of the public eye.
Jenkins points out that Central Bankers acted courageously in bringing the
banking system back from the brink – at taxpayer expense, it might be added –
but that in reforming the system the authorities have failed in standing up to the
politicians who in turn have been unwilling to stand up to the banking lobby,
concluding that: “unless we address leverage we cannot have confidence in the
resilience of the system. Without better behaviour we cannot have faith in the
market that underpins it. Without penalizing the perpetrators and their seniors we
will not get better behaviour. And without greater courage from policy makers and
regulators, we will get none of the above and more of the same”.