Banking and Financial Services Internal Audit Group Lunchtime Seminar

Implications of CRD IV for Internal Audit

24th September 2014

© 2014 Deloitte LLP. All rights reserved.

Introduction

CRD IV implements Basel III in the European Union and prescribes rules covering capital, leverage, liquidity, corporate governance and regulatory reporting

• In the wake of the financial crisis, new regulations have been developed to promote the stability of financial institutions. One such regulation is CRD IV, the EU implementation of Basel III
• Alongside other recent guidance, CRD IV has led to increased expectations on the Internal Audit function. Key guidance includes:
  Basel Committee - The Internal Audit function in banks (2012)
  Chartered Institute of Internal Auditors - Guidelines on Effective Internal Audit in Financial Services (2013)
  Bank of England Discussion Paper – A framework for stress testing the UK banking system (2013)
• This seminar aims to give an overview of the implications of CRD IV on Internal Audit
• Key discussion points to be addressed in this seminar are:
  Overview of CRD IV requirements
  Evolution of expectations of the Internal Audit function in light of CRD IV
  Implications for Internal Audit as a result of CRD IV, including resourcing, sophistication/expertise and approach
  Internal Audit response to CRD IV
• Questions from the audience

Summary

Agenda


CRD IV overview (1/4)

The CRD IV package consists of the Capital Requirements Regulation and the Capital Requirements Directive

Purpose & Scope

• CRD IV is an EU legislative package covering prudential rules for banks, building societies and investment firms
• The aim of CRD IV is to:
  Improve the banking sector’s ability to absorb shocks arising from financial and economic stress
  Improve risk management and governance
  Strengthen banks’ transparency and disclosures
• The ‘CRD IV package’ consists of the Capital Requirements Regulation (CRR) and the Capital Requirements Directive (CRD)
• New rules were applicable from 1 January 2014, subject to a number of transition provisions
• Implementation for some of the capital and liquidity requirements on a phased basis through to 2019 and beyond

CRD IV Package

• CRR: directly applicable to firms across the EU
• CRD: must be implemented through national law


CRD IV overview (2/4)

Key provisions of CRD IV have major consequences for capital, funding, liquidity and overall “shape” of the balance sheet

• Capital (Capital Ratios): tightens capital eligibility; increases capital requirements
• Balance Sheet (Leverage Ratio): restricts B/S size relative to capital
• Liquidity (Liquidity Coverage Ratio): cash and liquid assets must cover 30-day outflows on stressed basis; restricts short-term liquidity mismatches
• Funding (Net Stable Funding Ratio): long-term assets matched by “stable funding”; restricts banks’ ability to “fund short-lend long”

Financial impact

Higher capital levels + Higher holdings of liquidity + Longer term funding = Higher cost of capital, liquidity and funding

Wider impact

• Reduced flexibility
• Systems, data and process implication


CRD IV overview (3/4)

Key components of the CRD IV package

CRD IV package: Regulation – CRR (directly applicable) + Directive – CRD (transposition to national law)

Capital Eligibility

• Tier 1 capital eligibility tightened
• Increased minimum capital ratios
• New deductions and stricter deduction criteria
• Restrictions on capital instruments for Tier 2 capital
• Tier 3 capital abolished

Liquidity

• Liquidity Coverage Ratio (LCR) = short-term 30 day stress
• Net Stable Funding Ratio (NSFR) = longer term 1 year funding measure

Leverage

• Non risk-based ratio which includes off balance sheet exposures
• Leverage Ratio = Capital / Total exposure
• Target level ≥ 3%

Capital Buffers

• Capital Conservation buffer
• Countercyclical Capital buffer
• Systemic Risk buffer
• G-SIIB and O-SIIB buffers

Capital Requirements

• Key requirements for calculation of capital to cover key risks:
  Credit
  Market
  Counterparty Credit
  Operational
  Settlement
  Large Exposures
• Key changes:
  Higher capital requirements (new CVA charge) for OTC derivative exposures
  More stringent requirements for model-based approaches to calculation of capital
  Stronger incentive to use CCPs

Corporate Governance

• Remuneration
• Risk management
• Board accountability / suitability / diversity

Regulatory Reporting

• COREP / FINREP
• Other reporting and disclosure requirements


CRD IV overview (4/4)

CRD IV package timetable (as applied by PRA)

[Figure: timeline chart covering 2011 to 2021, in two panels. CAPITAL panel rows: Leverage (supervisory monitoring, parallel run, disclosure, introduce minimum standard); Common Equity; Conservation Buffer; Countercyclical Buffer (if applied by national regulator); Tier 1; Phase-out of capital instruments (begin 2014 until 31 December 2021). LIQUIDITY panel rows: LCR (observation period, then introduce minimum requirement of 60% rising to 100% by 2018); NSFR (observation period, then introduce minimum standard). Percentage values shown on the chart: 4.0%, 4.5%, 5.5%, 6.0%; 0.625%, 1.25%, 1.875%, 2.5%.]

1. As proposed in PRA CP 5/13, all CRR deductions are expected to be introduced with immediate effect, except for own funds instruments issued by financial sector entities subject to consolidated supervision. FCA proposal is to retain CRR transitional timetable.


CRD IV – what is the current implementation state?

CRD IV was implemented within short timeframes and many institutions are still developing the infrastructure to comply without excessive reliance on manual processes

Summary of current state

• High degree of (but not necessarily full) compliance with the rules that are in force today
• Continued reliance on tactical solutions and manual processes put in place to help achieve compliance in a short timeframe
• Strategic architecture programmes established and in-flight to meet forthcoming requirements, particularly on liquidity
• Broader assessments of business impacts and strategic responses are underway

Areas of immediate focus

• Remediation of areas of non-compliance
• Replacement of tactical solutions with strategic ones
• Successful delivery of in-flight programmes

Key risks

• Failure to understand fully the regulatory requirements and expectations
• Project delivery risks
• High operational risks in BAU whilst manual processes and tactical solutions remain

What is Internal Audit doing to provide assurance that these risks are adequately mitigated and controlled?


Requirements and expectations for Internal Audit (1/4)

CRD IV is not just a new set of capital and liquidity rules. The regulatory context has also changed

Many of the previous regulations were just as complex as CRD IV and CRD IV does not change the mandate or role of Internal Audit. So why does CRD IV have an impact on Internal Audit?

• Regulatory response to the crisis
• Criticism that “laissez faire” global regulatory policy played a significant role in creating the crisis

• Increasing regulatory expectations about the extent and depth of review and challenge by all the control functions
• Zero/low tolerance for non-compliance
• Stronger regulatory challenge to senior management

Higher demands on Internal Audit

More intrusive regulatory approach

Increasing regulatory expectations especially around capital, liquidity, stress testing, models

Regulatory context of CRD IV

increased demands on the Internal Audit function by senior management

Regulatory pronouncements on IA

• Basel Committee 2012 - scope of IA activities should include “matters of regulatory interest”, including risk management, capital and liquidity and stress testing
• Bank of England 2013 - Internal Audit should attest to adequacy of processes and controls for regulatory stress tests
• CIIA Guidelines 2013 - IA should include within its plan capital and liquidity risks – “welcomed” by BoE and FCA


Requirements and expectations for Internal Audit (2/4)

There are some explicit requirements relating to Internal Audit in CRD IV – most of these relate to institutions that calculate regulatory capital using internal models, particularly in the Trading Book

Area and high level scope of Internal Audit review

Trading Book only

Definition and inclusion of positions in the Trading Book (CRR Art. 104)
• Periodic internal review of Trading Book policies and procedures and compliance with them
• Review should include the definition of the Trading Book and positions to include in the Trading Book

Prudential Valuation (CRR Art. 105 (14))*
• Regular, comprehensive internal review of valuation processes and controls for fair value positions

Market Risk **
• Requires annual review (at a minimum)
• Review should cover both business units/trading business and Risk Control, including:
  Risk measurement (quantitative requirements), including models and modelling processes
  Risk management (qualitative requirements)

Trading Book & Non-Trading Book

Counterparty Credit Risk ** and Internal Ratings Based Approach **
• Requires annual review (at a minimum)
• Review should cover both business units/trading business and Risk Control, including:
  Risk measurement (quantitative requirements), including models and modelling processes
  Risk management (qualitative requirements)

* Internal Audit requirements derive from Regulatory Technical Standard linked to CRR Article 105 (14)

** Internal Capital Models


Requirements and expectations for Internal Audit (3/4)

For institutions with regulatory capital models, the rules impose a requirement on Internal Audit to assess compliance with all the applicable regulations, not just those that reference Internal Audit – these regulations are numerous and often highly technical

Area and requirements

Internal Ratings Based Approach
• Article 191: “Internal audit…shall review at least annually the institution’s rating systems and its operations…Areas of review shall include adherence to all applicable requirements.”

Counterparty Credit Risk
• Article 288 (o): “That [Internal audit] review shall specifically address, as a minimum:…the compliance of the CCR control unit and collateral management unit with the relevant regulatory requirements.”

Internal Audit needs to assess whether the business units and risk control units comply with the relevant regulatory requirements

Market Risk
• Articles 368 (1) (h) and 368 (2) specify the work that Internal Audit should undertake in relation to the Market Risk models and framework
• These articles do not explicitly mandate that Internal Audit should assess compliance with the underlying rules but by inference the same standards that apply to IRB and CCR also apply to Market Risk
• Experience shows that the regulator expects Internal Audit to have assessed compliance with the applicable rules


Requirements and expectations for Internal Audit (4/4)

For all firms, both regulators and senior management look to Internal Audit to provide assurance that the key risks around CRD IV are being mitigated and controlled.

CRD IV projects are on track

Manual processes and tactical tools are well controlled

Institution complies with CRD IV rules

Strategic implementation is robust

• Regulatory Self Assessment process
• Remediation plans to ensure CRD IV compliance
• Data quality and accuracy for regulatory reporting
• Regulatory stress testing
• Capital and liquidity forecasts and plans
• Completeness and accuracy of regulatory reports

Key regulatory priorities

Areas of Internal Audit review

Regulatory reports are accurate

Management priorities

Internal capital and liquidity MI is accurate

Institution is adequately capitalised and has adequate liquidity

• Controls to mitigate key risks
• Data quality and accuracy for internal reporting
• Capital and liquidity forecasts and plans
• Quality of Management Information
• Management stress testing
• Project governance and plans
• System implementation
• Controls of manual processes and tactical solutions for use in BAU


Implications for Internal Audit

Increased expectations on Internal Audit from both the regulator and senior management have a number of implications for the Internal Audit function

Resultant implications for Internal Audit

• Costs
• Level of sophistication/expertise of function
• ‘Role Model’: Internal Audit as a promoter of good controls practice
• Audit approach
• Breadth and depth of Internal Audit coverage
• Timeliness of reporting
• Resourcing/size of function


The Internal Audit response

A number of levers are available to Internal Audit in order to provide assurance over CRD IV – most are not new but greater use of these levers is likely to be required going forwards

Increased expertise/sophistication

• Staff training and development tailored to CRD IV (capital, liquidity, models, data)
• Recruitment of specialists (internal and external)
• Increased internal mobility (e.g. secondments to/from Risk, Treasury and Regulatory Reporting functions)
• Use of professional services firms to fill gaps (e.g. co-/out-sourcing arrangements; secondments)
• Use of other external parties (e.g. academia) for highly technical areas such as sophisticated internal capital models

Flexible audit approaches and methodologies

• “Change Assurance” - provision of assurance over projects and project delivery
• “Focused Controls Testing” - include shorter, sharper audits focusing on critical controls in order to expand breadth of coverage and provide timely reporting
• Data interrogation / Computer Assisted Auditing - check data flows through systems
• In-depth review of capital models and methodologies better to challenge model validation functions
• Auditing strategy/“business response”?

Interaction with other functions

• Closer dialogue with business management to keep abreast of changes in the business strategy and risk profile
• More integrated assurance approach with other control functions
• Formal reliance on “2nd line functions” such as model validation, providing IA can demonstrate rationale for reliance and has verified that adequate controls exist
• Internal Audit as promoter of good controls practice


CRD IV – the longer term impacts

As the increased capital and liquidity requirements begin to take effect, major strategic impacts are expected to result and create material risks that need to be managed

Longer term CRD IV impact?

Consolidation

Product Pricing

Optimisation of booking models

Product development

Risk Appetite

Capital restructuring and optimisation

Legal Entity re-structuring

Arbitraging jurisdictions (EU vs non-EU)

Dividend and distribution policy

Liquidity management strategy and optimisation

Business strategy

How many of these areas are central to the audit plans of Internal Audit functions today?


Summary

CRD IV

• Wide-ranging and complex
• Effective 1 January 2014 but long implementation periods for some rules and many institutions still running significant data and IT implementation programmes relating to CRD IV

Implications for Internal Audit

• No fundamental change in the mandate of IA due to CRD IV but:
  Increased regulatory and senior management expectations on IA
  Increasingly onerous regulatory requirements for institutions with (or seeking) internal model approvals to calculate regulatory capital
• Implications exist for the degree of expertise/sophistication of Internal Audit, size of Internal Audit function, audit approach and methodology and timeliness of reporting

The future

• In the medium to longer term, the increasing capital and liquidity requirements are expected to:
  Have major strategic impacts on affected institutions
  Lead to business model and Legal Entity changes
  Drive the need for capital and liquidity efficiencies

A number of levers are available to Internal Audit functions to:
  address gaps in expertise
  deploy more flexible and/or timely audit approaches
  enhance the degree of interaction with other control functions

Internal Audit functions will need to evolve to ensure they play a full part in allowing management to make informed decisions and execute the board’s strategy


Questions?


Today’s presenters

Albi Morganti
Director - Risk and Regulation
Capital, Liquidity & Market Risk
Telephone: +44 20 7303 6792

Paul Day
Partner – Internal Audit
Telephone: +44 20 7007 5064

Russell Davis
Partner – Internal Audit
Telephone: +44 20 7007 6755

Zeshan Choudhry
Partner – Risk & Regulation
Market & Counterparty Credit Risk
Telephone: +44 20 7303 8572

Key Contacts

Hubert Justal
Director – Risk & Regulation
CRD IV
Telephone: +44 20 700 70484

Rajeeta Rajas
Senior Manager - Risk and Regulation
Capital & Liquidity Regulations
Telephone: +44 20 7007 0073


Recent Deloitte Publications


Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.co.uk/about for a detailed description of the legal structure of DTTL and its member firms.

Deloitte LLP is the United Kingdom member firm of DTTL.

This publication has been written in general terms and therefore cannot be relied on to cover specific situations; application of the principles set out will depend upon the particular circumstances involved and we recommend that you obtain professional advice before acting or refraining from acting on any of the contents of this publication. Deloitte LLP would be pleased to advise readers on how to apply the principles set out in this publication to their specific circumstances. Deloitte LLP accepts no duty of care or liability for any loss occasioned to any person acting or refraining from action as a result of any material in this publication.

Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC303675 and its registered office at 2 New Street Square, London EC4A 3BZ, United Kingdom. Tel: +44 (0) 20 7936 3000 Fax: +44 (0) 20 7583 1198.