David Carse, Deputy Chief Executive, Hong Kong Monetary Authority
(Speech at BanComp '98, Hong Kong)
Ladies and gentlemen,
1. I am pleased to be here this morning to speak to you at the
start of this conference on internal controls and anti-money
laundering. The advertised title of my speech is "Understanding the
role and needs of the regulator in all authorised financial
institutions". This is a very broad subject and I have therefore
narrowed it down to focus on the banking supervisor's perspective
on control issues in financial institutions. I am sure there are
many compliance and audit professionals in the
audience today, so I trust I should not have too hard a job
persuading you that good internal controls are not only important,
but crucial to the success of financial institutions. Just
consider, for example, what poor internal controls did for BCCI,
Daiwa Bank and Barings.
2. So what advice can I offer you today to help you ensure that
your institution will not meet the same fate? Well, what I will do
is to share with you my thoughts on the key elements of a financial
institution's control systems, and highlight some of the areas
where other institutions have gone horribly wrong. I will also talk
about one of the key areas of a financial institution's controls -
its controls against being used for money laundering.
3. So let me start by giving you a banking supervisor's view of
internal controls. But first, what exactly do we mean by "internal
controls"? The definition I would suggest, which is borrowed from
the Basle Committee on Banking Supervision, is that internal
controls refers to the ongoing process by which the Board of
Directors and management of an institution ensure that the
institution meets three key sets of objectives. First, operational
objectives - the efficiency and effectiveness of the institution in
using its assets and other resources and in protecting the
institution from loss. Second, information objectives - the
reliability and completeness of financial and management
information needed for decision-making within the institution and
for regulatory and other external uses. Third, compliance
objectives - compliance with applicable laws and regulations,
supervisory requirements, and internal policies and procedures, in
order to protect the institution's franchise and reputation.
4. What, then, are the main elements of the sort of control
systems needed to achieve these objectives? Basically, there are
five inter-related elements: management oversight and the control
culture; risk assessment; control activities; information and
communication; and monitoring activities. The Basle Committee on
Banking Supervision has recently put all this together into a set
of fourteen principles for regulators to use in evaluating
institutions' internal control systems. I do not propose to run
through these one by one, but I would like to pick out one or two
points so as to give you an idea of what I, as a regulator, see as
the key ideas.
5. First, on management oversight and the control culture, the
starting point is that the Board of Directors need to understand
the risks run by the institution, to set the acceptable limits on
these risks, and to ensure that senior management takes the steps
necessary to identify, monitor and control these risks. Senior
management must then take the responsibility to implement the
strategies approved by the Board, to set appropriate internal
control procedures, and to monitor the effectiveness of these
procedures.
6. This makes it quite clear where the main responsibility for
controls rests - and that is fairly and squarely on the shoulders
of the institution's Board of Directors and its senior management,
not just on its compliance and audit departments. However, having
said that, everyone in an institution shares the responsibility to
some extent. A key task for the Board and senior management is to
establish the right culture within the institution, a culture in
which the importance of internal controls is stressed, and high
ethical and integrity standards are promoted. This culture will be
determined not simply by what the top levels of management say but
what they do. For example, do the institution's remuneration
policies reward risk-taking at the expense of prudence? Does senior
management display a casual attitude towards breaches of limits? Do
they encourage the right attitude towards regulatory compliance? Is
there backing and respect at senior levels for the internal audit
and compliance functions? The response of the senior levels of the
organisation to these kinds of issues will determine how personnel
lower down actually behave in practice, including their attitude to
control issues.
7. Moving on to risk assessment, the important thing is to
identify and evaluate every factor that could adversely affect the
achievement of the institution's objectives. This means not just
the familiar risks of credit risk and liquidity risk, but also
risks such as operational risk, interest rate risk, market risk,
country and transfer risk, legal risk and reputational risk. And
this needs to be an ongoing process, continually re-evaluating the
risks and reviewing the control systems to address these
risks.
8. Regarding control activities, the point I would stress is that
control activities need to be an integral part of the daily
operations of an institution. Examples of this include: top level
reviews of performance and risk exposure; appropriate activity
controls that monitor performance and exceptions at the
departmental or divisional level; segregation of duties; physical
controls on access to assets; periodic checking for compliance with
exposure limits; a system of approvals and authorisations for
transactions over certain limits; and a system of verification and
reconciliation of transaction details and activities. The objective
should be to ensure that all areas of the institution are
continually in compliance with established policies and
procedures.
9. On information and communication, it should be self-evident
that an institution needs comprehensive and timely financial,
operational and compliance data, and so needs to have good
information systems. But having the information is only the first
step. Equally important is the second step, that the information
should get to the right people at the right time.
10. Finally, on monitoring, it cannot be overstressed that
monitoring of the
effectiveness of an institution's internal controls should be a
continual and ongoing process, and that monitoring of key risks
should be an integral part of the daily operations of the
institution. Effective and independent internal audit and
compliance functions have an important role to play here. This
requires these functions to have direct access to senior levels of
the organisation so that potential criticisms of systems or
transactions cannot be blocked by the line management
concerned.
11. These, then, are what I would regard as the key elements of a
financial institution's internal controls. As regards how these are
applied to individual institutions, my expectation as a banking
supervisor is that any financial institution, regardless of size,
should have an effective system of internal controls that is
consistent with the nature, complexity, and risk of its activities
and that responds to changes in the institution's environment and
conditions. I am not saying that I expect every institution to be
using state-of-the-art risk management and control techniques.
But what I do expect is that every institution should have control
systems that adhere to the basic principles I have just discussed,
and which are as state-of-the-art as they need to be given that
particular institution's activities. I also expect these systems to
be kept under review as things change.
12. Let me now move on to discuss some of the things that can go
wrong when controls break down. I will not go into particular case
studies, but will try instead to draw together some of the common
threads of recent problem bank cases. The Basle Committee paper
that I mentioned earlier suggests five such common threads, and I
will draw on this in the following remarks.
13. The first, which I have mentioned already, is lack of adequate
management oversight and accountability, and failure to develop a
strong control culture within the institution. Without exception, a
common feature of recent problem bank cases has been management
inattention to, and laxity in, the control culture of the
institution, insufficient guidance and oversight by the Board of
Directors and senior management, and a lack of clear management
accountability through the assignment of roles and
responsibilities. These cases also reflect insufficient incentives
to carry out strong line supervision and maintain a high level of
control consciousness within business areas.
14. The second thread is inadequate assessment of the risk of
certain banking activities, whether on or off balance sheet. Many
banking organisations that have suffered major losses neglected to
continually assess the risks of new products and activities, or
update their risk assessments when significant changes occurred in
the environment or business conditions. Many recent cases highlight
the fact that control systems that function well for traditional or
simple products are unable to handle more sophisticated or complex
products.
15. The third thread is the absence or failure of key control
activities, such as segregation of duties, approvals,
verifications, reconciliations, and reviews of operating
performance. Lack of segregation of duties in particular has played
a major role in the significant losses that have occurred at
banks.
16. The fourth thread is inadequate communication of information
between levels of management within the bank, especially in the
upward communication of problems. To be effective, policies and
procedures need to be effectively communicated to all personnel
involved in an activity. Some losses in banks occurred because
relevant personnel were not aware of or did not understand the
bank's policies. In several instances, information about
inappropriate activities that should have been reported upward
through organisational levels was not communicated to the Board of
Directors or senior management until the problems became severe. In
other instances, information in management reports was not complete
or accurate, creating a favourable impression of a business
situation that was in fact problematic.
17. The fifth and final thread is inadequate or ineffective audit
programs and other
monitoring activities. In many cases, audits were not sufficiently
rigorous to identify and report the control weaknesses associated
with problem banks. In other cases, even though auditors reported
problems, they were not corrected by management.
18. From these common threads, it should now be clear why, in the
first part of my remarks today, I stressed the things I did -
management oversight and control culture, risk assessment, control
activities and monitoring, and information and communication. These
are the areas that institutions need to focus on to avoid becoming
a "problem bank case" themselves.
19. Let me move on now to consider the role of the banking
supervisor in ensuring that an institution's internal controls are
adequate and effective. This is an area on which there has been
greatly increased emphasis in recent years. Of course supervisors,
like the management of financial institutions, have always been
concerned with the quality of control systems. However, the
approach has been rather piecemeal, and has focused on certain
types of risk which are easily quantifiable, rather than the more
intangible types of risk. What we are trying to do nowadays is to
move towards a more systematic identification and assessment of the
risks facing a bank across the whole range of its activities and
the adequacy of the controls over these risks.
20. This "risk-based" approach is intended to focus our attention
on what we see as the institution's key risk areas. Of course, the
correct identification of the institution's key risk areas is
crucial in this. For most of Hong Kong's local banks, credit risk,
liquidity risk and perhaps reputational risk remain the highest
risk areas, but for individual institutions other forms of risk
such as interest rate risk and market risk also come into the
equation. If an institution engages in types of business that we
regard as being at the higher end of the risk scale, such as share
margin financing or
lending for property development, this will also attract our
attention. Other things that will attract our attention include
major changes in the operating environment, including new
technology; areas or activities which are experiencing rapid
growth; the introduction of new lines of business, products or
activities; and domestic and foreign acquisitions. In each case we
would want to be assured that any necessary enhancements to the
control environment have been made so as to reduce the chance of
adverse and unforeseen effects on the institution.
21. Different risk areas require different approaches, but
essentially our approach is to start by reviewing the written
policies and procedures setting down the controls over a particular
area, and then to look at how the controls work in practice. This
may involve a combination of reviews of documentation, discussions
with staff, and some testing of transactions. The end-result will
be a judgement as to whether we believe the controls are effective
or need improvement. If improvement is needed we will discuss our
recommendations with the management and agree an action plan and
time-scale for the remedial action.
22. This may sound to you quite similar in some respects to the
work of an institution's internal audit department and external
auditors. I would agree that there are certainly some common
features, and indeed we would usually review as part of our own
work the work done by the audit department on identifying areas of
potential risk and control problems. Similarly, external auditors'
observations and recommendations are often very useful to us in
coming to a judgement on the effectiveness of an institution's
internal controls. However, to supervise an institution effectively
a supervisor needs, in my opinion, a means of independently
verifying that internal controls are sound and that all substantive
risks have been identified and considered. For this reason, our
ongoing dialogue with institutions, and our periodic on-site
examinations of institutions' activities, are invaluable.
23. I believe this oversight can also be beneficial in a practical
way to the institution itself. For example, we may have insights
that the institution does not. We may be able to give an
institution feedback on how it compares vis-à-vis its peers in
similar areas and to indicate respects in which, from our
experience, its controls and risk management processes are falling
behind the game. I would not want to overplay this "management
consultant" type role, but I think it can be beneficial, perhaps
especially to the smaller, less sophisticated financial
institutions. Of course, this presupposes that we have the
necessary expertise to offer useful advice. This is a constant
challenge in today's environment of rapid technological change and
product innovation. We have therefore tried to develop our own
treasury and securities specialists whose task it is to review and
assess more leading-edge and sophisticated areas such as value at
risk and treasury and derivatives risk management.
24. Let me move on now to the subject of the prevention of money
laundering. This is a key concern for the supervisors of all major
international financial centres, and is something that should be
high on the agenda for the management of every financial
institution.
25. Here in Hong Kong considerable time and effort has been put in
over a period of years into ensuring that the banking system
follows best international practice on the prevention of money
laundering. Principally, this means following the recommendations
of the Basle Committee on Banking Supervision and the Financial
Action Task Force, whose guidance notes on the prevention of money
laundering we have used to develop our own detailed Guidelines to
institutions. The basic thrust of these Guidelines is to provide
that institutions should have in place adequate and
effective policies, procedures and controls to combat money
laundering, covering essential areas such as procedures for account
opening, customer identification and record keeping as well as
proper systems for reporting suspicious transactions and training
of staff.
26. Please be in no doubt as to how seriously we regard adherence
to these Guidelines. The reason for this is simple. To paraphrase
the health warning on a packet of cigarettes, "Money laundering can
seriously damage your health". Being associated with money
laundering can seriously undermine confidence in an individual
financial institution and potentially in a financial system as a
whole. We are presently seeing this demonstrated in the case of the
Mexican banking system, which is embroiled in a money-laundering
scandal.
27. So what steps can a banking supervisor take to ensure that
institutions are doing everything they can to protect themselves
from being used for money laundering? The first thing is to make
sure that the Guidelines issued to institutions are kept up-to-date
as techniques and patterns of money laundering evolve, and to
ensure that institutions revise their own internal guidelines
accordingly. We have recently revised our Guidelines and issued
them as a convenient booklet. I am pleased to say that demand for
this has been high and we have issued over 5000 copies of the
booklet. However, Guidelines need to be put into practice. To
ensure that senior management are focused on the need for this,
money-laundering controls are a regular agenda item for our
prudential meetings with management. They are also a regular topic
for our on-site examinations. During these examinations we review
an institution's policies and procedures, look at their records of
suspicious transactions, and interview staff at random to check
that they have been trained to identify suspicious transactions and
to follow the appropriate procedures for account opening and
customer identification. We may also commission external auditors'
reports if we think it necessary.
28. So how do institutions in Hong Kong rate on combating money
laundering? Perhaps
the best indicator of their vigilance against money laundering is
the number of reports of suspicious transactions made to the Joint
Financial Intelligence Unit (JFIU). These numbers suggest that
institutions are certainly improving, as both the number of
reports, and the number of institutions making reports, have been
increasing over time. The number of reports made to the JFIU rose
from only 264 in 1992 to 4210 in 1997. Our own on-site examinations
also suggest that the level of awareness, and the training of
staff, is improving. So, overall, institutions are doing well.
However, there is always room for improvement, and I would urge
those with responsibility for this area not to relax their
guard.
29. This brings me to my concluding remarks. I started out today
by talking about the important elements of a control system, and
how banking supervisors assess the effectiveness of institutions'
controls. I discussed some of the common threads of recent "problem
bank" cases, and the control issues they highlighted. Finally, I
stressed the importance of controls in the area of money laundering
prevention. While I hope this was of interest to you, and at least
gave you a slightly different perspective on some familiar issues,
I think I should end by saying that I certainly lay no claim to
having all the answers. Please do not sit back and expect the
banking supervisors to issue guidelines telling you exactly what
you need to do. While I hope my advice may be of some help, the
responsibility for ensuring that your institution has the right
controls and the right culture is yours. So I hope this conference
provides you with some useful, practical ideas for improving your
institutions' controls when you return to work.