Efficient Basel III compliance
Basel, Switzerland (circa 1493): The arguable modern source of many problems
in the global banking industry … and their solutions.
Banking regulations have been changing rapidly and are becoming increasingly complex over the last 15 years, primarily those stemming from the Basel Accords. Continuing changes and complexity are making regulatory compliance increasingly difficult and costly to banks (and regulators too, in my view). But it is quite possible to substantially reduce compliance costs by properly understanding the fundamental nature of the regulatory requirements and carefully designing systems that integrate compliance with risk management. Let’s see how …
This article is based closely on presentations to members of the Associação Brasileira de Bancos Internacionais in São Paulo, Brazil in late 2015, and is intended for banking industry CFOs, CIOs, controllers, risk managers, treasury managers, and audit directors. Others are cautioned to avoid this article because of the technical–perhaps uninteresting–content.
It will be helpful for the intended reader to consider the words of the father of modern educational psychology, E.L. Thorndike: “ … we have such tools as the equation or formula which enable [us] to learn in a few hours fundamental and pervasive features of … things which [we] could otherwise learn only imperfectly with great labor or not at all.” É verdade! MMc
1. A simplified history of Basel Accords
The Basel Accords on banking supervision are basically unenforceable agreements emanating from the neo-brutalist headquarters of the Basel Committee on Banking Supervision (“BCBS”) (photo credit here) comprised of banking regulators from the world’s major economies and banking centers. Although unenforceable per se, provisions of the accords become enforceable if, when, and to the extent adopted into law and regulation within individual countries.
Interestingly, however, because the accords are developed into regulations by regulators from economies with major banking centers, they become de facto global banking regulations because non-complying banking systems are unable to do business on their own account directly in the global money centers; they must run the business through correspondent banks who comply and, hence, have the necessary banking licenses. This results in banking systems characterized by having mainly large and small banks with few mid-size banks, and has arguably contributed to the too big to fail phenomenon in banking.
What’s most important for our purposes, however, is to develop an intuition about how and why the Basel Accords have developed over time. With this intuition, it will become evident that the very common ad hoc, incremental approach to Basel regulatory compliance is destined to either fail or be unnecessarily costly.
Basel I accord requirements, originated in 1988 and in effect until 2004, can be summarized fairly simply in an expression for a risk-weighted capital ratio …
… with fixed risk-weightings for different broad asset classes; required to meet or exceed 8%. Without getting into details it can roughly be seen in the risk-weightings in the denominator of the equation that the regulatory focus in the Basel I regime was mainly on capital adequacy relative to credit risk. Along with financial innovation came the realization that market risk and operational risk also posed significant threats to capital adequacy, which led banking regulators to …
Basel II accord requirements were issued in 2004 and have been the effective global banking regulatory scheme until quite recently when a new accord, Basel III, which is being introduced in incremental phases between 2013 and 2019 (more on this later). Basel II requirements can be best summarized, understood, and compared to Basel I by looking at the following risk-weighted capital expression:
Roughly speaking, CRED, SEC, and GP denote the net financial statement values of a bank’s credit portfolios, securities portfolios, and gross operating profits, respectively. As suggested by the annotations, the intent and belief of the BCBS was that total banking risk could be largely managed and controlled by requiring banks to hold capital in a particular relationship to (imperfect) proxy variables for credit risk, market risk, and operational risk.
The particular risk weights, denoted w, specified by Basel II depend on the nature of the bank’s operations, management systems, etc. but–similar to Basel I–are essentially fixed proportions of the imperfect risk proxies based on data from a bank’s information systems and financial reports. Because data is an existing fact, this means the Basel II risk-weighted capital ratio is also an historical fact and–so–might not be highly predictive of expected, future effects of risk realizations on a bank’s capital.
The known weaknesses of what is, in effect, a retrospective focus on risk management led the BCBS to label such capital requirements “Pillar 1” of the regulatory scheme, and develop two more “pillars” to support and balance the scheme. The terminology seems to have been selected based on the idea that pillars are needed to support multidimensional structures. But the Greeks tended to use many pillars, not three; see photo at right (photo credit). Sorry for the digression, but pictures of architectural antiquities tend to liven up otherwise boring articles. :- )
The so-called Pillars 2 and 3 of Basel II were labelled “Supervisory review” and “Market discipline” requirements by the BCBS, but can be much more easily and simply understood as follows:
- Pillar 2 basically requires bank regulators to review and evaluate a bank’s comprehensive risk management system, including what BCBS called residual risk: any significant risk other than credit, market, or operational risk.
- Pillar 3 basically requires a bank to provide disclosures sufficient for money and capital market participants to assess all of a bank’s significant risks and capital adequacy.
Risk managers will easily recognize that Pillars 2 and 3 turn out to be substantially more powerful tools for controlling banking risk because they fully subsume the Pillar 1 requirement and–in effect–allow both bank regulators and market participants to influence the risk management and behavior of banks. This idea is more succinctly captured in a Venn diagram of banking risk exposures:
Unfortunately, the Basel II regulatory scheme seemingly failed to prevent the banking system’s role in the 2007-2008 global financial crisis, as well as banks’ general inability to cope with the crisis. I recall the well-respected money market and banking industry expert Marcia Stigum once writing that in a bank crisis no amount of capital is enough to save a bank because the problem is not a capital shortage; it is a liquidity shortage. The BCBS also seems to have recalled Stigum’s writings when, in 2010, reached a new (and much more complex) accord that specifically addressed liquidity risk as I will discuss next.
Basel III accord requirements, as discussed, were developed in 2010 for implementation in phases between 2013 and 2019. The seemingly large increase in the complexity of the Basel III requirements in relation to Basel II can be easily seen in the following expressions representing Pillar 1 requirements:
Again I will avoid discussing the details of the expressions other than to note that under Basel III banks are now required to meet minimum risk-weighted capital, and short- and long-run liquidity requirements on a prospective basis (the T + 1, … notation represents future time periods), which in some respects seems a revolutionary change. But it’s not: Recall Pillar 2 under Basel II. In fact, Pillars 2 and 3 remain essentially unchanged under Basel III.
The implication of all this for our purposes (i.e, understanding efficient compliance) is that perhaps the only important changes in Basel III is that (i) banks must now forecast compliance or non-compliance, as the case may be, and (ii) several things that were previously implicit in Pillars 2 and 3 have now become explicit in Pillar 1 compliance reporting requirements:
What we can see is that the aggregate risk management requirements have basically not changed under Basel Accord regulatory requirements since 2004; only risk exposure reporting via imperfect “adequacy ratios”, etc. continue to change. Now think about how much Basel-related regulatory compliance costs have increased in banks since 2004:
But this is not to say that the Basel III changes are trivial. It is not exactly easy to forecast (non-)compliance under a wide variety of risk exposures, and the information systems and compliance staff requirements are generally quite significant and costly. More on these things later … .
2. A managerial perspective on regulatory compliance
For some largely unexplained reason (to my knowledge), banks have generally solved regulatory compliance problems through what I consider somewhat ad hoc solutions characterized by roughly autonomous compliance departments and professionals that are not well integrated into risk management and governance systems. Consider the following representation of a complete management and governance system:
If this is truly a complete representation (but you can trust me that it is), then the natural questions that follow in the context of Basel III compliance are, Where is regulatory compliance explicitly addressed in the risk management and management control systems? and, How can Basel III regulatory compliance be incorporated into the systems? This leads us directly to the next topic …
3. The fundamental problem of regulatory compliance
Tracing the historical development of Basel Accords, we can easily see that Basel-related regulatory compliance requirements are increasingly …
- complex and influential to local bank regulation;
- constraining with respect to management decisions; and
- lead to increased compliance costs via increased demand for IT resources, compliance staff and training, and information relevant for compliance and decisions.
It follows that the direct implications of Basel Accords are …
- Reacting with ad hoc compliance methods likely results in continually increasing compliance costs.
- Minimizing compliance costs requires designing systems that anticipate Basel-related regulations.
- At the most basic level, Basel-related regulations simply
require effective, comprehensive risk management.
We can now state very simply the fundamental problem of Basel III regulatory compliance:
Basel III-related regulatory compliance costs are minimized when compliance and risk management methods are efficiently and effectively merged.
So, how do we do this? To answer the question, we basically need to understand a number of risk management concepts at a somewhat deeper level than would be required under a less complex regulatory scheme.
4. Risk identification and measurement
If we are to manage all significant banking risks, it’s necessary to be clear on how “all significant risks” can be identified and measured. Also, as the 2007-2008 crisis showed, we need to recognize that in banking very few risks are actually independent of each other; most risks are correlated with each other–i.e., risks depend on each other–at least in times of financial crisis, which is what we should perhaps be most worried about.
Non-independent risks. Conceptually, we can think of relationships between risks by looking at the diagram …
… which shows that there are certain conditions–corresponding to areas in the diagram–where the risks are, and are not, dependent or coincident with each other. Understanding the conditional cross-dependencies among risks and their likely effects on profits, cash flows, and capital is, of course, critical to bank risk management. The question is how do we estimate the marginal effects of risks on profits, cash flows and capital? The only good answer that I’m aware of is, By using econometric methods.
Identifying and measuring risk factor effects. Although a discussion of econometric methods per se is beyond the intended scope of this article, those roughly familiar with regression analysis can think of it like this: Ignoring risk factor inter-dependencies (cross-correlations) for simplicity, the marginal effects of known and hypothesized risk factors denoted by the Xs can be estimated using regression analysis on an equation similar to …
… where the Xs generally should have a statistically significant and stationary relationship to Y. So, we can say that we have identified and measured a significant risk factor if we have developed an econometric estimate of the relationship between the risk factor and profit, cash flow, or capital that is generally both stable, statistically significant.
How do we determine if we have identified and measured all significant risks? To answer the question, those familiar with regression analysis will recall that the R–squared statistic measures the proportion (between 0 and 1) of the variation in the dependent variable (Y) explained by variation in the independent variables (Xs). It follows that if the Xs represent variations in risk realizations, then the R-squared statistic is measuring the proportion of risk factors effects on the dependent variable. This means that 1 minus R-squared is the unexplained proportion of variation in Y, which is directly related to how much of the variation is Y is attributable to unobserved (or un-modeled) risk factors:
It follows that we have identified all significant risks when the R-squared statistic of the econometric model is high enough (e.g., perhaps over .90) to suggest there are no unobserved, un-modeled risks that have a substantial influence on Y. If the R-squared statistic is sufficiently high, then there are substantially no risk factors that, in aggregate, have a significant effect on Y.
I’ve omitted a lot of econometric issues in the above discussion, but in my view this captures the main concepts and methods of risk identification and measurement both in the context of Basel III compliance and risk management in general.
5. Risk-based forecasting and decisions
With stable, reliable estimates of the effects of risk factors on profits, cash flows, and capital (or related variables), it’s reasonably straightforward to develop prospective financial statements and prospective regulatory compliance under substantially any risk realization scenario. To conceptually understand what is required under Basel III (in contrast to prior Basel requirements), consider the following graph of expected future profit, cash flow, or capital versus the related forecast conditional a particular risk realization; often associated with what is termed stress testing as generally required under Basel III – Pillar 2:
As can be seen, the prospective risk-based forecasts allow banks and banking regulators to more carefully evaluate the extent to which risk exposure can result in future problems. This, of course, allows bank executives and regulators to guide banks towards decisions likely to result in adequate liquidity, profitability, and capital levels.
6. Management risk (and other “qualitative” risks)
At least under stable economic and asset market conditions, most banks adequately manage risks for which there is relevant market data on, and can be replicated through, holding marketable asset portfolios. But a common criticism of risk management methods is that they fail to adequately address so-called qualitative risks. But this term is actually a misnomer: any significant risk has a potential quantitative effect on relevant outcomes. When people speak of qualitative risks, they are usually referring to risks for which there is little or no data on the likely effects of risk realizations on outcomes. One prominent example is management risk, which an examination of bank failures and crises would reasonably lead one to conclude that it is perhaps the primary risk facing banks.
So, in the context of Basel III, how would we measure the likely effects of management risk? The answer is not simple and involves an understanding of how risks are managed, in general. Under a comprehensive system of risk management, risks can alternatively be (i) priced, referring to purchase or sale of risk (e.g., buying insurance against a risk is equivalent to selling the risk); (ii) hedged, by holding an asset/liability whose payoffs are correlated with a risk exposure that’s being retained; or, (iii) diversified, by holding a portfolio of assets whose payoffs are uncorrelated with a risk exposure being retained.
With this risk management framework we can now see how to address management risk effects in the context of Basel III compliance. If a bank has implemented and is adequately monitoring an effective management governance system, comprised of the following well-aligned components…
… then contract theory suggests it is safe for us to assume that management risk per se has been adequately mitigated; and this is substantially equivalent to pricing the risk: By maintaining an effective management governance system, the bank has substantially sold the risk to the management by employing professionals with the necessary knowledge, skills, and experience (and character); inducing them to give their full effort in using their abilities to achieve the bank’s objectives; and, monitoring their performance to ensure these things are actually occurring.
If a bank has essentially sold its management risk by buying insurance against that risk in the form of an effective management governance system, then how is management risk incorporated into prospective Basel III compliance forecasts? Not to be glib, but in exactly the same way a risk which has been sold through purchase of an insurance contract: not at all unless there is a reasonable expectation of counterparty non-performance under the contract.
It would be interesting to discuss this further, particularly how we might be able to reasonably estimate the effects of management contract non-performance risk, but I think this is sufficient to give a general idea how (the most) “qualitative risk” influences risk management and, hence, Basel III compliance.
7. Integrating risk management and compliance
All the concepts and methods needed to integrate risk management and Basel III-related regulatory compliance have now been introduced. At the same time, it’s probably not clear how such an integrated management and compliance system can actually be implemented. Because Basel III compliance only becomes a requirement when associated banking laws and regulations are implemented within a specific country, it will be easiest to use an country-specific example.
Consider the following list of banking industry regulations promulgated by Brazil’s central bank and banking system regulator, Banco Central do Brasil:
There are actually many more regulations Brazilian banks must comply with, but these are the primary regulations paralleling the main Basel III requirements.
Notice all but the first two or three regulations are explicitly related to specific risks addressed in the Basel III regulatory scheme. The first two regulations, nominally addressing internal control and auditing (BCB 2554) and management compensation (BCB 3921), essentially address what Basel II termed residual risk and, generally, Basel III Pillar 2 and 3 requirements. But as we’ve already seen what we call a risk doesn’t really matter; banks are responsible for managing all risks under Pillars 1, 2, and 3, whether specifically addressed in Pillar 1 or not.
Many banks attempt to comply with Basel III and BCB requirements on an ad hoc, regulation-by-regulation basis. For example, I’ve seen banks with individual statistical models for substantially all “quantitative” risks; and they tend to have a risk modeling specialist assigned to each model. In principle, there would be nothing wrong with this approach if the specific risks were independent of each other. Unfortunately, they are not. Because the risks are largely non-independent of each other, this approach at once increases compliance costs with each new regulation and risk while failing to address risk inter-dependencies and, therefore, generally failing to adequately fulfill the compliance requirements. Ouch:
So, how can a bank implement an integrated risk management and Basel III compliance system? At the risk of being a bit too abstract, I will simply say that because (i) Basel III requirements are nothing more (or less) that risk management and disclosure requirements, (ii) relevant risks are inherently quantitative (any relevant risk has a quantitative effect), and (iii) mathematics and statistics are the optimal methods for quantitative problem-solving and decision-making, then it follows that risk management models that integrate the fundamental risk factors with relevant outcomes (e.g., profit, cash flows, capital) via reliable, stable estimates of the those relationships are superior to non-integrated, ad hoc compliance and risk management methods:
As but one example, one major and otherwise extremely well-managed bank I’m generally familiar with has over 120 risk models but no clear way to aggregate the marginal effects of all the risks on bank profits, cash flows, and capital. This means that the implications of over 120 risk models must be integrated mentally by the bank’s risk managers. This may or may not ultimately result in poor risk management, but it does make providing clear, explicit evidence of compliance with Basel III-related requirements problematic. And, as we all know, without this evidence both the bank and the bank regulators are both left in difficult positions. So, any reasonable view on the topic would likely conclude with the necessity to integrate risk management and regulatory compliance in a manner similar to that described here.
At a somewhat simpler conceptual level, integrate risk management and regulatory compliance into a single system involves nothing more (and, again, nothing less) than incorporating the marginal effects of all significant risk factors into financial planning and control models, which in turn are integrated into the bank’s management governance system:
So, there we have it, all in one place so to speak. Obviously, solving real world problems like that posed by integrating bank risk management and regulatory compliance systems require careful thinking and implementation. But starting with the proper conception of the problem and solution makes these things substantially easier and more likely to succeed.
I think the main points of this article are likely to be quite clear to the reader, so I will simply end by saying that, if you–as an experienced banking professional–thinks carefully about the ideas presented here, I would guess you would agree that full Basel III regulatory compliance can be achieved at much lower cost than banks are presently experiencing … through careful design of integrated compliance and risk management systems.
Caveats. Please note: (i) views presented above are my own and do not reflect those of others; (ii) like anyone, I’m not infallible and am responsible for any errors; (iii) I greatly appreciate being informed of any significant errors in facts, logic, or inferences and am happy to give credit to anyone doing so; (iv) the above article is subject to revision and correction; and, (v) the article cannot be construed as investment or financial advice and is intended merely for educational purposes.