Deloitte UK screen 4:3 (19.05 cm x 25.40 cm)
© 2014 Deloitte LLP. All rights reserved.
Banking and Financial Services Internal Audit Group Lunchtime Seminar Implications of CRD IV for Internal Audit
24th September 2014
Introduction
CRD IV implements Basel III in the European Union and prescribes rules covering capital, leverage, liquidity, corporate governance and regulatory reporting
• In the wake of the financial crisis, new regulations have been developed to promote the stability of financial institutions.
One such regulation is CRD IV, the EU implementation of Basel III
• Alongside other recent guidance, CRD IV has led to increased expectations on the Internal Audit function. Key guidance includes:
  - Basel Committee - The Internal Audit function in banks (2012)
  - Chartered Institute of Internal Auditors - Guidelines on Effective Internal Audit in Financial Services (2013)
  - Bank of England Discussion Paper – A framework for stress testing the UK banking system (2013)
• This seminar aims to give an overview of the implications of CRD IV on Internal Audit
• Key discussion points to be addressed in this seminar are:
  - Overview of CRD IV requirements
  - Evolution of expectations of the Internal Audit function in light of CRD IV
  - Implications for Internal Audit as a result of CRD IV, including resourcing, sophistication/expertise and approach
  - Internal Audit response to CRD IV
• Questions from the audience
Summary
Agenda
CRD IV Implications for Internal Audit
CRD IV overview (1/4)
• CRD IV is an EU legislative package covering prudential rules for banks, building societies and investment firms
• The aim of CRD IV is to:
  - Improve the banking sector’s ability to absorb shocks arising from financial and economic stress
  - Improve risk management and governance
  - Strengthen banks’ transparency and disclosures
• The ‘CRD IV package’ consists of the Capital Requirements Regulation (CRR) and the Capital Requirements
Directive (CRD)
• New rules were applicable from 1 January 2014, subject to a number of transition provisions
• Some of the capital and liquidity requirements are being implemented on a phased basis through to 2019 and beyond
Purpose & Scope
The CRD IV package consists of the Capital Requirements Regulation and the Capital
Requirements Directive
CRD IV Package
• CRR: directly applicable to firms across the EU
• CRD: must be implemented through national law
CRD IV overview (2/4)
Key provisions of CRD IV have major consequences for capital, funding, liquidity and overall
“shape” of the balance sheet
Capital – Capital Ratios
• Tightens capital eligibility
• Increases capital requirements
Balance Sheet – Leverage Ratio
• Restricts B/S size relative to capital
Liquidity – Liquidity Coverage Ratio
• Cash and liquid assets must cover 30-day outflows on stressed basis
• Restricts short-term liquidity mismatches
Funding – Net Stable Funding Ratio
• Long-term assets matched by “stable funding”
• Restricts banks’ ability to “fund short-lend long”
Financial impact
Higher capital levels + Higher holdings of liquidity + Longer term funding = Higher cost of capital, liquidity and funding
Wider impact
• Reduced flexibility
• Systems, data and process implication
CRD IV overview (3/4)
Key components of the CRD IV package
CRD IV package: Regulation – CRR (directly applicable) + Directive – CRD (transposition to national law)
Capital Eligibility
• Tier 1 capital eligibility tightened
• Increased minimum capital ratios
• New deductions and stricter deduction criteria
• Restrictions on capital instruments for Tier 2 capital
• Tier 3 capital abolished
Liquidity
• Liquidity Coverage Ratio (LCR) = short-term 30 day stress
• Net Stable Funding Ratio (NSFR) = longer term 1 year funding measure
Leverage
• Non risk-based ratio which includes off balance sheet exposures
• Leverage Ratio = Capital / Total exposure
• Target level ≥ 3%
Capital Buffers
• Capital Conservation buffer
• Countercyclical Capital buffer
• Systemic Risk buffer
• G – SIIB and O – SIIB buffers
Capital Requirements
• Key requirements for calculation of capital to cover key risks:
  - Credit
  - Market
  - Counterparty Credit
  - Operational
  - Settlement
  - Large Exposures
• Key changes:
  - Higher capital requirements (new CVA charge) for OTC derivative exposures
  - More stringent requirements for model-based approaches to calculation of capital
  - Stronger incentive to use CCPs
Corporate Governance
• Remuneration
• Risk management
• Board accountability / suitability / diversity
Regulatory Reporting
• COREP / FINREP
• Other reporting and disclosure requirements
CRD IV overview (4/4)
CRD IV package timetable (as applied by PRA)
[Timeline chart covering 2011 to 2021. CAPITAL rows: Leverage (supervisory monitoring, parallel run, disclosure, introduce minimum standard); Common Equity; Conservation Buffer; Countercyclical Buffer (if applied by national regulator); Tier 1; Phase-out of capital instruments (begin 2014 until 31 December 2021). LIQUIDITY rows: LCR (observation period, introduce minimum requirement of 60% rising to 100% by 2018); NSFR (observation period, introduce minimum standard). Percentages shown on the chart: 4.0%, 4.5%, 5.5%, 6.0%; 0.625%, 1.25%, 1.875%, 2.5%.]
1. As proposed in PRA CP 5/13, all CRR deductions are expected to be introduced with immediate effect, except for own funds instruments issued by financial sector entities subject to consolidated supervision. FCA proposal is to retain CRR transitional timetable.
CRD IV – what is the current implementation state?
CRD IV was implemented within short timeframes and many institutions are still developing the infrastructure to comply without excessive reliance on manual processes
Summary of current state
• High degree of (but not necessarily full) compliance with the rules that are in force today
• Continued reliance on tactical solutions and manual processes put in place to help achieve compliance in a short timeframe
• Strategic architecture programmes established and in-flight to meet forthcoming requirements, particularly on liquidity
• Broader assessments of business impacts and strategic responses are underway
Areas of immediate focus
• Remediation of areas of non-compliance
• Replacement of tactical solutions with strategic ones
• Successful delivery of in-flight programmes
Key risks
• Failure to understand fully the regulatory requirements and expectations
• Project delivery risks
• High operational risks in BAU whilst manual processes and tactical solutions remain
What is Internal Audit doing to provide assurance that these risks are adequately mitigated and controlled?
Requirements and expectations for Internal Audit (1/4)
CRD IV is not just a new set of capital and liquidity rules. The regulatory context has also changed
Many of the previous regulations were just as complex as CRD IV and CRD IV does not change the mandate or role of Internal Audit. So why does CRD IV have an impact on Internal Audit?
• Regulatory response to the crisis
• Criticism that “laissez faire” global regulatory policy played a significant role in creating the crisis
• Increasing regulatory expectations about the extent and depth of review and challenge by all the control functions
• Zero/low tolerance for non-compliance
• Stronger regulatory challenge to senior management
Higher demands on Internal Audit
More intrusive regulatory approach
Increasing regulatory expectations especially around capital, liquidity, stress testing, models
Regulatory context of CRD IV
Increased demands on the Internal Audit function by senior management
• Basel Committee 2012 - scope of IA activities should include “matters of regulatory interest”, including risk management, capital and liquidity and stress testing
• Bank of England 2013 - Internal Audit should attest to adequacy of processes and controls for regulatory stress tests
• CIIA Guidelines 2013 - IA should include within its plan capital and liquidity risks – “welcomed” by BoE and FCA
Regulatory pronouncements on IA
Requirements and expectations for Internal Audit (2/4)
There are some explicit requirements relating to Internal Audit in CRD IV – most of these relate to institutions that calculate regulatory capital using internal models, particularly in the Trading Book
Area / High level scope of Internal Audit review
Trading Book only
Market Risk **
• Requires annual review (at a minimum)
• Review should cover both business units/trading business and Risk Control, including:
  - Risk measurement (quantitative requirements), including models and modelling processes
  - Risk management (qualitative requirements)
Definition and inclusion of positions in the Trading Book (CRR Art. 104)
• Periodic internal review of Trading Book policies and procedures and compliance with them
• Review should include the definition of the Trading Book and positions to include in the Trading Book
Prudential Valuation (CRR Art. 105 (14))*
• Regular, comprehensive internal review of valuation processes and controls for fair value positions
Trading Book & Non-Trading Book
Counterparty Credit Risk ** / Internal Ratings Based Approach **
• Requires annual review (at a minimum)
• Review should cover both business units/trading business and Risk Control, including:
  - Risk measurement (quantitative requirements), including models and modelling processes
  - Risk management (qualitative requirements)
* Internal Audit requirements derive from Regulatory Technical Standard linked to CRR Article 105 (14)
** Internal Capital Models
Requirements and expectations for Internal Audit (3/4)
For institutions with regulatory capital models, the rules impose a requirement on Internal Audit to assess compliance with all the applicable regulations, not just those that reference Internal Audit – these regulations are numerous and often highly technical
Area / Requirements
Internal Ratings Based Approach
• Article 191: “Internal audit…shall review at least annually the institution’s rating systems and its operations…Areas of review shall include adherence to all applicable requirements.”
Counterparty Credit Risk
• Article 288 (o): “That [Internal audit] review shall specifically address, as a minimum:…the compliance of the CCR control unit and collateral management unit with the relevant regulatory requirements.”
Market Risk
• Articles 368 (1) (h) and 368 (2) specify the work that Internal Audit should undertake in relation to the Market Risk models and framework
• These articles do not explicitly mandate that Internal Audit should assess compliance with the underlying rules but by inference the same standards that apply to IRB and CCR also apply to Market Risk
• Experience shows that the regulator expects Internal Audit to have assessed compliance with the applicable rules
Internal Audit needs to assess whether the business units and risk control units comply with the relevant regulatory requirements
Requirements and expectations for Internal Audit (4/4)
For all firms, both regulators and senior management look to Internal Audit to provide assurance that the key risks around CRD IV are being mitigated and controlled.
CRD IV projects are on track
Manual processes and tactical tools are well controlled
Institution complies with CRD IV rules
Strategic implementation is robust
• Regulatory Self Assessment process
• Remediation plans to ensure CRD IV compliance
• Data quality and accuracy for regulatory reporting
• Regulatory stress testing
• Capital and liquidity forecasts and plans
• Completeness and accuracy of regulatory reports
Key regulatory priorities
Areas of Internal Audit review
Regulatory reports are accurate
Management priorities
Internal capital and liquidity MI is accurate
Institution is adequately capitalised and has adequate liquidity
• Controls to mitigate key risks
• Data quality and accuracy for internal reporting
• Capital and liquidity forecasts and plans
• Quality of Management Information
• Management stress testing
• Project governance and plans
• System implementation
• Controls of manual processes and tactical solutions for use in BAU
Implications for Internal Audit
Increased expectations on Internal Audit from both the regulator and senior management have a number of implications for the Internal Audit function
Resultant implications for Internal Audit
• Costs
• Level of sophistication/expertise of function
• ‘Role Model’ Internal Audit as a promoter of good controls practice
• Audit approach
• Breadth and depth of Internal Audit coverage
• Timeliness of reporting
• Resourcing/size of function
The Internal Audit response
A number of levers are available to Internal Audit in order to provide assurance over CRD IV – most are not new but greater use of these levers is likely to be required going forwards
Increased expertise/sophistication
• Staff training and development tailored to CRD IV (capital, liquidity, models, data)
• Recruitment of specialists (internal and external)
• Increased internal mobility (e.g. secondments to/from Risk, Treasury and Regulatory Reporting functions)
• Use of professional services firms to fill gaps (e.g. co-/out-sourcing arrangements; secondments)
• Use of other external parties (e.g. academia) for highly technical areas such as sophisticated internal capital models
Flexible audit approaches and methodologies
• “Change Assurance” - provision of assurance over projects and project delivery
• “Focused Controls Testing” - include shorter, sharper audits focusing on critical controls in order to expand breadth of coverage and provide timely reporting
• Data interrogation / Computer Assisted Auditing - check data flows through systems
• In-depth review of capital models and methodologies better to challenge model validation functions
• Auditing strategy/“business response”?
Interaction with other functions
• Closer dialogue with business management to keep abreast of changes in the business strategy and risk profile
• More integrated assurance approach with other control functions
• Formal reliance on “2nd line functions” such as model validation, providing IA can demonstrate rationale for reliance and has verified that adequate controls exist
• Internal Audit as promoter of good controls practice
CRD IV – the longer term impacts
As the increased capital and liquidity requirements begin to take effect, major strategic impacts are expected to result and create material risks that need to be managed
Longer term CRD IV impact?
Consolidation
Product Pricing
Optimisation of booking models
Product development
Risk Appetite
Capital restructuring and optimisation
Legal Entity re-structuring
Arbitraging jurisdictions (EU vs non-EU)
Dividend and distribution policy
Liquidity management strategy and optimisation
Business strategy
How many of these areas are central to the audit plans of Internal Audit functions today?
Summary
CRD IV
• Wide-ranging and complex
• Effective 1 January 2014 but long implementation periods for some rules and many institutions still running significant data and IT implementation programmes relating to CRD IV
Implications for Internal Audit
• No fundamental change in the mandate of IA due to CRD IV but:
  - Increased regulatory and senior management expectations on IA
  - Increasingly onerous regulatory requirements for institutions with (or seeking) internal model approvals to calculate regulatory capital
• Implications exist for the degree of expertise/sophistication of Internal Audit, size of Internal Audit function, audit approach and methodology and timeliness of reporting
A number of levers are available to Internal Audit functions to:
  - address gaps in expertise
  - deploy more flexible and/or timely audit approaches
  - enhance the degree of interaction with other control functions
The future
• In the medium to longer term, the increasing capital and liquidity requirements are expected to:
  - Have major strategic impacts on affected institutions
  - Lead to business model and Legal Entity changes
  - Drive the need for capital and liquidity efficiencies
Internal Audit functions will need to evolve to ensure they play a full part in allowing management to make informed decisions and execute the board’s strategy
Questions?
Today’s presenters
Albi Morganti
Director - Risk and Regulation
Capital, Liquidity & Market Risk
Telephone: +44 20 7303 6792
E-mail: [email protected]
Paul Day
Partner – Internal Audit
Telephone: +44 20 7007 5064
E-mail: [email protected]
Russell Davis
Partner – Internal Audit
Telephone: +44 20 7007 6755
E-mail: [email protected]
Zeshan Choudhry
Partner – Risk & Regulation
Market & Counterparty Credit Risk
Telephone: +44 20 7303 8572
E-mail: [email protected]
Key Contacts
Hubert Justal
Director – Risk & Regulation
CRD IV
Telephone: +44 20 700 70484
E-mail: [email protected]
Rajeeta Rajas
Senior Manager - Risk and Regulation
Capital & Liquidity Regulations
Telephone: +44 20 7007 0073
E-mail: [email protected]
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), a UK private company limited by guarantee, and its network of
member firms, each of which is a legally separate and independent entity. Please see www.deloitte.co.uk/about for a detailed description of the
legal structure of DTTL and its member firms.
Deloitte LLP is the United Kingdom member firm of DTTL.
This publication has been written in general terms and therefore cannot be relied on to cover specific situations; application of the principles set out
will depend upon the particular circumstances involved and we recommend that you obtain professional advice before acting or refraining from
acting on any of the contents of this publication. Deloitte LLP would be pleased to advise readers on how to apply the principles set out in this
publication to their specific circumstances. Deloitte LLP accepts no duty of care or liability for any loss occasioned to any person acting or refraining
from action as a result of any material in this publication.
Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC303675 and its registered office at 2 New
Street Square, London EC4A 3BZ, United Kingdom. Tel: +44 (0) 20 7936 3000 Fax: +44 (0) 20 7583 1198.