How do banks investigate unauthorized transactions?

Unauthorized transactions in trade


FINMA notification 31 (2011), December 13, 2011
Unauthorized trading transactions
Banks
Einsteinstrasse 2, 3003 Bern
Tel. +41 (0), Fax +41 (0)
A143616 / 00010 /

Contents

1 Introduction
2 Corporate governance and control
3 Internal controls
4 Internal reporting
5 Outsourcing

1 Introduction

Based on recent experience with unauthorized trading activities, FINMA has decided to describe in more detail how the existing regulations on risk management apply to protection against unauthorized trading transactions. The latest incidents at UBS are deliberately not commented on in this notification.

Operational risks in trading are often related to unreported or unauthorized transactions, incorrect recording of transactions, complex financial instruments, new products or a rapid increase in trading volumes. These risks have repeatedly resulted in material losses in the trading business of investment banks.

With regard to regulatory requirements for operational risks, FINMA refers to FINMA Circular 2008/21 “Operational Risks - Banks”, FINMA Circular 2008/24 “Supervision and Internal Control Banks”, FINMA Circular 2008/7 “Outsourcing Banks” and FINMA Circular 2010/1 “Remuneration systems”.

In order to describe the application of the existing regulations in more detail, FINMA first identified the areas that are essential for effective and appropriate control of trading activities against unauthorized transactions: corporate governance and control at the highest level, the internal control system and reporting, and the outsourcing of control functions.

The risk of unauthorized trading transactions is not concentrated in individual business areas, products or systems, but in principle affects all trading activities. Different institutions carry out different trading activities and therefore have different front office and risk systems as well as different control organizations. Financial products and the business areas of banks are also constantly changing. For these reasons, the following list of requirements is not exhaustive. It does, however, summarize FINMA's current expectations for the management of risks from unauthorized trading transactions.
2 Corporate governance and control

Top management should give appropriate priority to the risks from unauthorized transactions in trading. This means that the identification, measurement and control of these risks must be given appropriate attention and management capacity. In particular, the organization of trading activities must be designed in such a way that risks from unauthorized transactions can be effectively and adequately identified, measured and controlled.

1. The scope, content and intensity of supervision of trading desks must be determined by guidelines. Control processes must be clearly separated between the front office and the downstream control units. In particular, this includes defining clear responsibilities and reporting lines.

2. The effectiveness of the controls is just as important as compliance with profit targets. For the assessment of individual persons, individual trading desks or business units, this means that indicators for control activities and their quality should be part of performance measurement and of the remuneration derived from it. Furthermore, when setting annual targets, a balance must be struck between profitability and the risks taken. Material rule violations must trigger disciplinary processes. Where such rule violations occur, this must have an impact on control intensity and on competencies.

3. In view of the continuous further development of the financial markets, the further development of the control system should be given appropriate priority alongside the ongoing controls.

3 Internal controls

Within the principles and guidelines laid down by top management, internal controls are of great importance for managing the risks from unauthorized trading activities.

Internal control system

4. The internal control system and the management information systems must fully record indicators for unauthorized transactions, alert the relevant control units when predetermined thresholds are exceeded, and demand and enable a timely, appropriate and effective response. Sufficient human and technical resources must be made available for this purpose. The escalation of warning messages must be clearly regulated.

5. Every trader should have a trading mandate that defines which products may be traded and which strategies may be pursued. Compliance with the mandate must be monitored continuously by an independent body. In particular, control and approval of trading activities by the trader himself is not permitted.

6. Indicators for the risk of unauthorized transactions should be defined at the level of the individual trader, monitored, and escalated in appropriately aggregated form to front office management so as to ensure a comprehensive assessment of trader performance. The development of these indicators is to be monitored continuously by the downstream control units.

7. A culture should prevail in the front office and in the downstream control units that promotes a critical attitude as well as professional and responsible action. It is essential that all control units have sufficient staff and that employees are appropriately trained, so that they have an adequate understanding of the trading activities of the institution they monitor and know exactly the purpose of each individual control. In the event of anomalies, this is supported by targeted, persistent and critical questioning of trading activities. In this context, it is also important that traders and control units are in close proximity to each other. In international banks, this aspect is particularly important when organizing trading.

8. The recommended practice is to set up a control dashboard in which the information from all control functions of a desk or business area (front office, operations, finance, risk, compliance, treasury, human resources, etc.) is regularly recorded. The use of this control dashboard is to be regulated in such a way that unusual developments in individual indicators are recorded, assessed and appropriately escalated.

9. The regular analysis of the effectiveness of the control systems themselves is of particular importance. High quality must be ensured and continuously checked when carrying out the controls. An annual review of the effectiveness of the controls is not sufficient. It must also be ensured that controls are carried out to the intended extent and at the specified frequency. Any incomplete performance of individual controls must be escalated immediately. Supporting instruments for uncovering weak points could be, for example, scenario analyses, regular reviews and realistic tests of the trading environment with regard to password abuse, unauthorized use of user profiles or the creation of fictitious documents or bookings. The existing controls are to be adapted on the basis of the results of such tests. The measures to remedy the weak points should be subject to strict quality checking.

10. Changes of staff, reorganizations and the implementation of a new IT system pose a particular challenge. Even in phases of transition from the old to the new organization or IT infrastructure, it must be ensured that all controls are carried out with the required frequency and quality. If necessary, additional control measures are to be taken temporarily. This also applies to outsourced control activities (see Section 5).

11. Job changes by employees between the front office, middle office and back office must be regulated separately so that the risk of unauthorized transactions is minimized. If such job changes are not prohibited, they must be recorded and continuously monitored. A minimum vacation absence per year must be observed. The relationships between traders and their trading partners are to be monitored appropriately.

12. The traders' access rights to exchange, booking and settlement systems must be checked regularly to ensure that they correspond to the assigned trading mandate.

Operational controls

13. In principle, the nominal amounts of trading positions, gross and net, are to be monitored and limited. This also applies if ultimately only the net position is economically relevant. Monitoring gross nominal amounts can help identify unusual patterns and unauthorized transactions. The same principle applies to the risk measures themselves, which should be reported, monitored and limited separately for long and short positions, even if only the net risk is economically significant.

14. In addition to end-of-day values, nominal amounts and risk measures must also be appropriately collected during the course of the day and limited within the trading day.

15. In the case of large transaction volumes, IT-supported routines should preselect the transactions to be controlled in more detail, so that control resources can be deployed in a risk-oriented manner. In particular, transactions that do not conform to the standard must be subjected to ongoing, detailed controls. These include transactions that were not concluded at market prices, canceled, amended or late-booked transactions, and those with postponed payment dates.

16. In principle, active confirmations should be obtained for all transactions, i.e. for both external and internal transactions. Outstanding confirmations are to be monitored and missing confirmations escalated appropriately. The front office must not intervene in the confirmation process or influence it inappropriately.

17. In addition, an independent and robust process for reconciling accounts is central; it must completely cover external and internal accounts. This also applies to accounts for special purposes (auxiliary accounts), such as those used for correction entries to profits and losses or for the booking of fees and remuneration. In the event of discrepancies between two accounts, such a process must include a risk assessment and ensure that corrective postings or the correction of the discrepancies are made in a sensible and appropriate manner.

18. Furthermore, the opening and closing of all accounts, including inactive accounts, must be expressly regulated and continuously monitored.

19. As for accounts, there should be an independent and robust reconciliation process for margin calls relating to secured transactions. In the event of discrepancies, such a process must include a risk assessment and ensure that they are resolved in a meaningful and appropriate manner.

Explanation of trading profits and losses

20. One of the key controls is the explanation of the composition of trading profit and loss. It serves to understand the risks from trading transactions. In particular, with regard to the control of operational risks, it must be ensured that large individual gains and losses are appropriately analyzed. Larger changes in profits and losses over a certain period of time (weeks, months, quarters) should also be examined more closely, questioned persistently and their origin explained.
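As an added illustration of items 5 and 12 to 15 above (example code, not part of the FINMA notification), the following Python model implements the trade-level controls those items describe: it checks booking-system entitlements against each trader's mandate, preselects non-standard trades (outside mandate, self-approved, off-market, canceled or amended, late-booked, postponed settlement) for detailed control, and aggregates long, short, gross and net nominal per trader both intraday and at end of day against the mandate's limits. All trader names, products, tolerances, limits and trades are constructed for the example; the notification itself prescribes no tolerance or limit values.

```python
from collections import namedtuple
from datetime import date, datetime, timedelta

# A trading mandate (item 5): allowed products plus nominal limits (item 13).
Mandate = namedtuple("Mandate", "trader products gross_limit net_limit")
# One blotter entry; market_price is an independent reference price.
Trade = namedtuple("Trade", "trade_id trader product side nominal price market_price "
                   "trade_time booked_time settlement approved_by status", defaults=["LIVE"])

# Tolerances are assumed for this example; the notification sets no values.
OFF_MARKET_TOL = 0.02              # more than 2% away from the reference price
LATE_BOOKING = timedelta(hours=2)  # booked more than 2 hours after execution
MAX_SETTLE_DAYS = 5                # settlement later than T+5 counts as postponed

def check_entitlements(mandates, entitlements):
    """Item 12: entitlements (trader -> products enabled in the booking
    system) must not go beyond the trader's mandate."""
    by_trader = {m.trader: m for m in mandates}
    findings = []
    for trader, products in sorted(entitlements.items()):
        mandate = by_trader.get(trader)
        if mandate is None:
            findings.append((trader, "entitled without any trading mandate"))
            continue
        for p in sorted(products - mandate.products):
            findings.append((trader, f"entitled to {p} outside mandate"))
    return findings

def preselect(trades, mandates):
    """Items 5 and 15: pick the non-standard trades for detailed control."""
    by_trader = {m.trader: m for m in mandates}
    selected = []
    for t in trades:
        reasons = []
        mandate = by_trader.get(t.trader)
        if mandate is None or t.product not in mandate.products:
            reasons.append("product outside mandate")
        if t.approved_by == t.trader:  # trader approving own trade (item 5)
            reasons.append("self-approved")
        if abs(t.price - t.market_price) > OFF_MARKET_TOL * t.market_price:
            reasons.append("off-market price")
        if t.status in ("CANCELLED", "AMENDED"):
            reasons.append(t.status.lower())
        if t.booked_time - t.trade_time > LATE_BOOKING:
            reasons.append("late booking")
        if (t.settlement - t.trade_time.date()).days > MAX_SETTLE_DAYS:
            reasons.append("postponed settlement")
        if reasons:
            selected.append((t.trade_id, reasons))
    return selected

def positions(trades, as_of):
    """Items 13 and 14: long, short, gross and net nominal per trader over
    live trades executed up to as_of (intraday or end of day)."""
    pos = {}
    for t in trades:
        if t.status != "LIVE" or t.trade_time > as_of:
            continue
        p = pos.setdefault(t.trader, {"long": 0.0, "short": 0.0})
        p["long" if t.side == "BUY" else "short"] += t.nominal
    for p in pos.values():
        p["gross"] = p["long"] + p["short"]
        p["net"] = abs(p["long"] - p["short"])
    return pos

def limit_breaches(pos, mandates):
    """Gross is limited even where the net position is economically flat."""
    breaches = []
    for m in mandates:
        p = pos.get(m.trader)
        if p is None:
            continue
        if p["gross"] > m.gross_limit:
            breaches.append((m.trader, "gross", p["gross"], m.gross_limit))
        if p["net"] > m.net_limit:
            breaches.append((m.trader, "net", p["net"], m.net_limit))
    return breaches

# Constructed sample data, not taken from the notification.
D = datetime(2011, 12, 13, 9, 0)
INTRADAY, EOD = D + timedelta(minutes=30), D + timedelta(hours=8)
MANDATES = [Mandate("t_alpha", frozenset({"EQ-FUT", "EQ-OPT"}), 50e6, 20e6),
            Mandate("t_beta", frozenset({"FX-FWD"}), 30e6, 10e6)]
ENTITLEMENTS = {"t_alpha": {"EQ-FUT", "EQ-OPT", "FX-FWD"}, "t_beta": {"FX-FWD"}}
TRADES = [
    Trade("T1", "t_alpha", "EQ-FUT", "BUY", 30e6, 100.0, 100.0, D, D + timedelta(minutes=5), date(2011, 12, 15), "ctrl_1"),
    Trade("T2", "t_alpha", "EQ-FUT", "SELL", 28e6, 100.5, 100.0, D + timedelta(hours=1), D + timedelta(hours=1, minutes=5), date(2011, 12, 15), "ctrl_1"),
    Trade("T3", "t_alpha", "FX-FWD", "BUY", 5e6, 1.30, 1.25, D + timedelta(hours=2), D + timedelta(hours=6), date(2012, 3, 1), "t_alpha"),
    Trade("T4", "t_beta", "FX-FWD", "SELL", 8e6, 1.25, 1.25, D + timedelta(hours=3), D + timedelta(hours=3, minutes=1), date(2011, 12, 15), "ctrl_2", "CANCELLED"),
]

if __name__ == "__main__":
    print(check_entitlements(MANDATES, ENTITLEMENTS))
    print(preselect(TRADES, MANDATES))
    for label, as_of in (("intraday", INTRADAY), ("end of day", EOD)):
        pos = positions(TRADES, as_of)
        print(label, pos, limit_breaches(pos, MANDATES))
```

The two position runs show why items 13 and 14 are worded as they are: at end of day the sample trader's net nominal is well inside the limit while the gross nominal is not, and the intraday run catches a net breach that end-of-day figures alone would never show. Trade T3 also illustrates how a single out-of-mandate trade tends to trip several independent indicators at once, which is what makes the preselection useful to a control unit working through a large blotter.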

21. For all transactions that were not concluded at market prices, as well as canceled, amended and late-booked transactions, their influence on profit and loss should be integrated into the daily and monthly analyses.

4 Internal reporting

22. Internal reporting should make it possible to monitor operational risks in the trading area appropriately. In particular, trading management needs timely information on indicators of operational risks. Among other things, this requires high-performance information technology.

23. The operational risk reporting system should automatically generate alerts as soon as selected indicators exceed predetermined thresholds, and inform management of significant incidents without delay. This requires, among other things, that material operational losses from trading activities are recorded and analyzed.

24. In addition to monitoring and analyzing internal indicators, the reporting system for operational risks should systematically record and evaluate warnings and notices from third parties (employees, stock exchanges, brokers, clearing houses, custodian banks, etc.).

25. The reporting, in particular the control dashboard, must make it possible to analyze profit and loss, liquidity requirements and risks as a whole for a desk or business area.

5 Outsourcing

If controls are outsourced to third parties (outsourcing within the meaning of FINMA Circular 2008/7 “Outsourcing Banks”, margin numbers 2 and 3), special precautions must be taken to ensure that the outsourced controls are carried out in full and without interruption.

26. In particular, it must be ensured that in the event of changes at the outsourcing partner (e.g. change of staff, reorganization, change of IT system), the transferred controls are continued seamlessly.

27. An annual audit of outsourced controls is not sufficient to ensure their uninterrupted and complete performance; rather, the services provided by third parties must be continuously monitored and assessed. Without changing the meaning of the other parts of FINMA Circular 2008/7 “Outsourcing Banks”, the following principles must be observed with regard to the outsourcing of control activities:

28. The company must carefully select, instruct and control the service provider (see FINMA Circular 2008/7 “Outsourcing Banks”, paragraph 21).

29. The decisive criteria and factors for the selection of and cooperation with a service provider must be determined before entering into a contractual relationship. The service provider must be selected with due consideration and verification of its professional skills as well as its financial and human resources. The service provider must guarantee that the service will be provided securely and on a long-term basis (see FINMA Circular 2008/7 “Outsourcing Banks”, paragraph 22).

30. The outsourced business area must be integrated into the company's internal control system. A responsible body must be defined within the company that is in charge of monitoring and controlling the service provider. The service provider's performance must be continuously monitored and assessed so that appropriate measures can be taken immediately if necessary (see FINMA Circular 2008/7 “Outsourcing Banks”, paragraph 24).
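As an added illustration of the account and margin reconciliation of items 17 and 19 and the threshold-based alerting of item 23 (example code, not part of the FINMA notification), the routine below matches an internal ledger against an external statement by shared reference, records every break without netting anything away, and assesses each break against assumed thresholds (amount, age, involvement of a special-purpose account) to decide whether it is merely reviewed or escalated. The postings, account names, references and thresholds are constructed for the example. Margin calls on secured transactions (item 19) reconcile the same way, with the counterparty's margin statement in place of the account statement.

```python
from collections import namedtuple
from datetime import date

# A posting on either side of the reconciliation; ref is the reference
# shared between the internal ledger and the external statement.
Posting = namedtuple("Posting", "account ref amount value_date")
Break = namedtuple("Break", "ref account kind internal external value_date")
Alert = namedtuple("Alert", "ref level reasons")

# Thresholds are assumed for this example; the notification sets no values.
AMOUNT_THRESHOLD = 100_000.0   # size of a break that triggers an alert (item 23)
MAX_AGE_DAYS = 3               # a break open longer than this triggers an alert
SUSPENSE_ACCOUNTS = {"SUSP-PNL", "SUSP-FEES"}  # special-purpose accounts (item 17)

def reconcile(internal, external, tolerance=0.01):
    """Item 17: match internal and external postings by reference and
    classify every break; both sides are covered completely."""
    ext_by_ref = {p.ref: p for p in external}
    matched = set()
    breaks = []
    for p in internal:
        e = ext_by_ref.get(p.ref)
        if e is None:
            breaks.append(Break(p.ref, p.account, "missing external", p.amount, None, p.value_date))
            continue
        matched.add(p.ref)
        if abs(p.amount - e.amount) > tolerance:
            breaks.append(Break(p.ref, p.account, "amount mismatch", p.amount, e.amount, p.value_date))
    for ref, e in ext_by_ref.items():
        if ref not in matched:
            breaks.append(Break(ref, e.account, "missing internal", None, e.amount, e.value_date))
    return breaks

def assess(breaks, as_of):
    """Items 17, 19 and 23: risk-assess each break and raise an alert when a
    predetermined threshold is exceeded or a special-purpose account is hit."""
    alerts = []
    for b in breaks:
        diff = abs((b.internal or 0.0) - (b.external or 0.0))
        age = (as_of - b.value_date).days
        reasons = []
        if diff > AMOUNT_THRESHOLD:
            reasons.append("amount above threshold")
        if age > MAX_AGE_DAYS:
            reasons.append(f"open for {age} days")
        if b.account in SUSPENSE_ACCOUNTS:
            reasons.append("suspense account")
        alerts.append(Alert(b.ref, "ESCALATE" if reasons else "REVIEW", reasons))
    return alerts

# Constructed sample data, not taken from the notification.
AS_OF = date(2011, 12, 13)
INTERNAL = [
    Posting("NOSTRO-USD", "TRD-1001", 1_250_000.00, date(2011, 12, 9)),
    Posting("NOSTRO-USD", "TRD-1002", -480_000.00, date(2011, 12, 12)),
    Posting("NOSTRO-USD", "TRD-1003", 75_000.50, date(2011, 12, 12)),  # differs by 0.50
    Posting("SUSP-PNL", "ADJ-0007", -320_000.00, date(2011, 12, 5)),   # P&L correction, no counterpart
]
EXTERNAL = [
    Posting("NOSTRO-USD", "TRD-1001", 1_250_000.00, date(2011, 12, 9)),
    Posting("NOSTRO-USD", "TRD-1002", -480_000.00, date(2011, 12, 12)),
    Posting("NOSTRO-USD", "TRD-1003", 75_000.00, date(2011, 12, 12)),
    Posting("NOSTRO-USD", "TRD-1004", 210_000.00, date(2011, 12, 12)),  # not booked internally
]

if __name__ == "__main__":
    breaks = reconcile(INTERNAL, EXTERNAL)
    for b, a in zip(breaks, assess(breaks, AS_OF)):
        print(b.ref, b.kind, a.level, a.reasons)
```

The break on the special-purpose account is the case item 17 singles out: an unmatched correction posting that has been open for more than a week and exceeds the amount threshold is escalated on three independent grounds, while the small rounding difference on a matched trade is left for routine review. Running the reconciliation from the control unit's own copy of both statements, rather than from a front-office extract, is what keeps the process independent in the sense of items 17 and 19.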