A Banking Supervisor’s Perspective on Control Issues in Financial Institutions


25 May 1998


David Carse, Deputy Chief Executive, Hong Kong Monetary Authority

(Speech at BanComp '98, Hong Kong)

Ladies and gentlemen,

1. I am pleased to be here this morning to speak to you at the start of this conference on internal controls and anti-money laundering. The advertised title of my speech is "Understanding the role and needs of the regulator in all authorised financial institutions". This is a very broad subject and I have therefore narrowed it down to focus on the banking supervisor's perspective on control issues in financial institutions. I am sure there are many compliance and audit professionals in the audience today, so I trust I should not have too hard a job persuading you that good internal controls are not only important, but crucial to the success of financial institutions. Just consider, for example, what poor internal controls did for BCCI, Daiwa Bank and Barings.

2. So what advice can I offer you today to help you ensure that your institution will not meet the same fate? Well, what I will do is to share with you my thoughts on the key elements of a financial institution's control systems, and highlight some of the areas where other institutions have gone horribly wrong. I will also talk about one of the key areas of a financial institution's controls - its controls against being used for money laundering.

3. So let me start by giving you a banking supervisor's view of internal controls. But first, what exactly do we mean by "internal controls"? The definition I would suggest, which is borrowed from the Basle Committee on Banking Supervision, is that internal controls refers to the ongoing process by which the Board of Directors and management of an institution ensure that the institution meets three key sets of objectives. First, operational objectives - the efficiency and effectiveness of the institution in using its assets and other resources and in protecting the institution from loss. Second, information objectives - the reliability and completeness of financial and management information needed for decision-making within the institution and for regulatory and other external uses. Third, compliance objectives - compliance with applicable laws and regulations, supervisory requirements, and internal policies and procedures, in order to protect the institution's franchise and reputation.

4. What, then, are the main elements of the sort of control systems needed to achieve these objectives? Basically, there are five inter-related elements: management oversight and the control culture; risk assessment; control activities; information and communication; and monitoring activities. The Basle Committee on Banking Supervision has recently put all this together into a set of fourteen principles for regulators to use in evaluating institutions' internal control systems. I do not propose to run through these one by one, but I would like to pick out one or two points so as to give you an idea of what I, as a regulator, see as the key ideas.

5. First, on management oversight and the control culture, the starting point is that the Board of Directors need to understand the risks run by the institution, to set the acceptable limits on these risks, and to ensure that senior management takes the steps necessary to identify, monitor and control these risks. Senior management must then take the responsibility to implement the strategies approved by the Board, to set appropriate internal control procedures, and to monitor the effectiveness of these procedures.

6. This makes it quite clear where the main responsibility for controls rests - and that is fairly and squarely on the shoulders of the institution's Board of Directors and its senior management, not just on its compliance and audit departments. However, having said that, everyone in an institution shares the responsibility to some extent. A key task for the Board and senior management is to establish the right culture within the institution, a culture in which the importance of internal controls is stressed, and high ethical and integrity standards are promoted. This culture will be determined not simply by what the top levels of management say but what they do. For example, do the institution's remuneration policies reward risk-taking at the expense of prudence? Does senior management display a casual attitude towards breaches of limits? Do they encourage the right attitude towards regulatory compliance? Is there backing and respect at senior levels for the internal audit and compliance functions? The response of the senior levels of the organisation to these kinds of issues will determine how personnel lower down actually behave in practice, including their attitude to control issues.

7. Moving on to risk assessment, the important thing is to identify and evaluate every factor that could adversely affect the achievement of the institution's objectives. This means not just the familiar risks of credit risk and liquidity risk, but also risks such as operational risk, interest rate risk, market risk, country and transfer risk, legal risk and reputational risk. And this needs to be an ongoing process, continually re-evaluating the risks and reviewing the control systems to address these risks.

8. Regarding control activities, the point I would stress is that control activities need to be an integral part of the daily operations of an institution. Examples of this include: top level reviews of performance and risk exposure; appropriate activity controls that monitor performance and exceptions at the departmental or divisional level; segregation of duties; physical controls on access to assets; periodic checking for compliance with exposure limits; a system of approvals and authorisations for transactions over certain limits; and a system of verification and reconciliation of transaction details and activities. The objective should be to ensure that all areas of the institution are continually in compliance with established policies and procedures.

9. On information and communication, it should be self-evident that an institution needs comprehensive and timely financial, operational and compliance data, and so needs to have good information systems. But having the information is only the first step. Equally important is the second step, that the information should get to the right people at the right time.

10. Finally, on monitoring, it cannot be overstressed that monitoring of the effectiveness of an institution's internal controls should be a continual and ongoing process, and that monitoring of key risks should be an integral part of the daily operations of the institution. Effective and independent internal audit and compliance functions have an important role to play here. This requires these functions to have direct access to senior levels of the organisation so that potential criticisms of systems or transactions cannot be blocked by the line management concerned.

11. These, then, are what I would regard as the key elements of a financial institution's internal controls. As regards how these are applied to individual institutions, my expectation as a banking supervisor is that any financial institution, regardless of size, should have an effective system of internal controls that is consistent with the nature, complexity, and risk of its activities and that responds to changes in the institution's environment and conditions. I am not saying that I expect every institution to be using state-of-the-art risk management and control techniques. But what I do expect is that every institution should have control systems that adhere to the basic principles I have just discussed, and which are as state-of-the-art as they need to be given that particular institution's activities. I also expect these systems to be kept under review as things change.

12. Let me now move on to discuss some of the things that can go wrong when controls break down. I will not go into particular case studies, but will try instead to draw together some of the common threads of recent problem bank cases. The Basle Committee paper that I mentioned earlier suggests five such common threads, and I will draw on this in the following remarks.

13. The first, which I have mentioned already, is lack of adequate management oversight and accountability, and failure to develop a strong control culture within the institution. Without exception, a common feature of recent problem bank cases has been management inattention to, and laxity in, the control culture of the institution, insufficient guidance and oversight by the Board of Directors and senior management, and a lack of clear management accountability through the assignment of roles and responsibilities. These cases also reflect insufficient incentives to carry out strong line supervision and maintain a high level of control consciousness within business areas.

14. The second thread is inadequate assessment of the risk of certain banking activities, whether on or off balance sheet. Many banking organisations that have suffered major losses neglected to continually assess the risks of new products and activities, or update their risk assessments when significant changes occurred in the environment or business conditions. Many recent cases highlight the fact that control systems that function well for traditional or simple products are unable to handle more sophisticated or complex products.

15. The third thread is the absence or failure of key control activities, such as segregation of duties, approvals, verifications, reconciliations, and reviews of operating performance. Lack of segregation of duties in particular has played a major role in the significant losses that have occurred at banks.

16. The fourth thread is inadequate communication of information between levels of management within the bank, especially in the upward communication of problems. To be effective, policies and procedures need to be effectively communicated to all personnel involved in an activity. Some losses in banks occurred because relevant personnel were not aware of or did not understand the bank's policies. In several instances, information about inappropriate activities that should have been reported upward through organisational levels was not communicated to the Board of Directors or senior management until the problems became severe. In other instances, information in management reports was not complete or accurate, creating a favourable impression of a business situation that was in fact problematic.

17. The fifth and final thread is inadequate or ineffective audit programs and other monitoring activities. In many cases, audits were not sufficiently rigorous to identify and report the control weaknesses associated with problem banks. In other cases, even though auditors reported problems, they were not corrected by management.

18. From these common threads, it should now be clear why, in the first part of my remarks today, I stressed the things I did - management oversight and control culture, risk assessment, control activities and monitoring, and information and communication. These are the areas that institutions need to focus on to avoid becoming a "problem bank case" themselves.

19. Let me move on now to consider the role of the banking supervisor in ensuring that an institution's internal controls are adequate and effective. This is an area on which there has been greatly increased emphasis in recent years. Of course supervisors, like the management of financial institutions, have always been concerned with the quality of control systems. However, the approach has been rather piecemeal, and has focused on certain types of risk which are easily quantifiable, rather than the more intangible types of risk. What we are trying to do nowadays is to move towards a more systematic identification and assessment of the risks facing a bank across the whole range of its activities and the adequacy of the controls over these risks.

20. This "risk-based" approach is intended to focus our attention on what we see as the institution's key risk areas. Of course, the correct identification of the institution's key risk areas is crucial in this. For most of Hong Kong's local banks, credit risk, liquidity risk and perhaps reputational risk remain the highest risk areas, but for individual institutions other forms of risk such as interest rate risk and market risk also come into the equation. If an institution engages in types of business that we regard as being at the higher end of the risk scale, such as share margin financing or lending for property development, this will also attract our attention. Other things that will attract our attention include major changes in the operating environment, including new technology; areas or activities which are experiencing rapid growth; the introduction of new lines of business, products or activities; and domestic and foreign acquisitions. In each case we would want to be assured that any necessary enhancements to the control environment have been made so as to reduce the chance of adverse and unforeseen effects on the institution.

21. Different risk areas require different approaches, but essentially our approach is to start by reviewing the written policies and procedures setting down the controls over a particular area, and then to look at how the controls work in practice. This may involve a combination of reviews of documentation, discussions with staff, and some testing of transactions. The end-result will be a judgement as to whether we believe the controls are effective or need improvement. If improvement is needed we will discuss our recommendations with the management and agree an action plan and time-scale for the remedial action.

22. This may sound to you quite similar in some respects to the work of an institution's internal audit department and external auditors. I would agree that there are certainly some common features, and indeed we would usually review as part of our own work the work done by the audit department on identifying areas of potential risk and control problems. Similarly, external auditors' observations and recommendations are often very useful to us in coming to a judgement on the effectiveness of an institution's internal controls. However, to supervise an institution effectively a supervisor needs, in my opinion, a means of independently verifying that internal controls are sound and that all substantive risks have been identified and considered. For this reason, our ongoing dialogue with institutions, and our periodic on-site examinations of institutions' activities, are invaluable.

23. I believe this oversight can also be beneficial in a practical way to the institution itself. For example, we may have insights that the institution does not. We may be able to give an institution feedback on how it compares vis-à-vis its peers in similar areas and to indicate respects in which, from our experience, its controls and risk management processes are falling behind the game. I would not want to overplay this "management consultant" type role, but I think it can be beneficial, perhaps especially to the smaller, less sophisticated financial institutions. Of course, this presupposes that we have the necessary expertise to offer useful advice. This is a constant challenge in today's environment of rapid technological change and product innovation. We have therefore tried to develop our own treasury and securities specialists whose task it is to review and assess more leading-edge and sophisticated areas such as value at risk and treasury and derivatives risk management.

24. Let me move on now to the subject of the prevention of money laundering. This is a key concern for the supervisors of all major international financial centres, and is something that should be high on the agenda for the management of every financial institution.

25. Here in Hong Kong considerable time and effort has been put in over a period of years into ensuring that the banking system follows best international practice on the prevention of money laundering. Principally, this means following the recommendations of the Basle Committee on Banking Supervision and the Financial Action Task Force, whose guidance notes on the prevention of money laundering we have used to develop our own detailed Guidelines to institutions. The basic thrust of these Guidelines is to provide that institutions should have in place adequate and effective policies, procedures and controls to combat money laundering, covering essential areas such as procedures for account opening, customer identification and record keeping as well as proper systems for reporting suspicious transactions and training of staff.

26. Please be in no doubt as to how seriously we regard adherence to these Guidelines. The reason for this is simple. To paraphrase the health warning on a packet of cigarettes, "Money laundering can seriously damage your health". Being associated with money laundering can seriously undermine confidence in an individual financial institution and potentially in a financial system as a whole. We are presently seeing this demonstrated in the case of the Mexican banking system, which is embroiled in a money-laundering scandal.

27. So what steps can a banking supervisor take to ensure that institutions are doing everything they can to protect themselves from being used for money laundering? The first thing is to make sure that the Guidelines issued to institutions are kept up-to-date as techniques and patterns of money laundering evolve, and to ensure that institutions revise their own internal guidelines accordingly. We have recently revised our Guidelines and issued them as a convenient booklet. I am pleased to say that demand for this has been high and we have issued over 5000 copies of the booklet. However, Guidelines need to be put into practice. To ensure that senior management are focused on the need for this, money-laundering controls are a regular agenda item for our prudential meetings with management. They are also a regular topic for our on-site examinations. During these examinations we review an institution's policies and procedures, look at their records of suspicious transactions, and interview staff at random to check that they have been trained to identify suspicious transactions and to follow the appropriate procedures for account opening and customer identification. We may also commission external auditors' reports if we think it necessary.

28. So how do institutions in Hong Kong rate on combating money laundering? Perhaps the best indicator of their vigilance against money laundering is the number of reports of suspicious transactions made to the Joint Financial Intelligence Unit (JFIU). These numbers suggest that institutions are certainly improving, as both the number of reports, and the number of institutions making reports, have been increasing over time. The number of reports made to the JFIU rose from only 264 in 1992 to 4210 in 1997. Our own on-site examinations also suggest that the level of awareness, and the training of staff, is improving. So, overall, institutions are doing well. However, there is always room for improvement, and I would urge those with responsibility for this area not to relax their guard.

29. This brings me to my concluding remarks. I started out today by talking about the important elements of a control system, and how banking supervisors assess the effectiveness of institutions' controls. I discussed some of the common threads of recent "problem bank" cases, and the control issues they highlighted. Finally, I stressed the importance of controls in the area of money laundering prevention. While I hope this was of interest to you, and at least gave you a slightly different perspective on some familiar issues, I think I should end by saying that I certainly lay no claim to having all the answers. Please do not sit back and expect the banking supervisors to issue guidelines telling you exactly what you need to do. While I hope my advice may be of some help, the responsibility for ensuring that your institution has the right controls and the right culture is yours. So I hope this conference provides you with some useful, practical ideas for improving your institutions' controls when you return to work.

Last revision date : 25 May 1998