INDUSTRY VIEWS the journal - PwC · PDF fileINDUSTRY VIEWS the journal ... and Shyam Venkat in...

INDUSTRY VIEWS

the journalTackling the key issues in banking and capital markets*June 2006

1

The Markets in Financial Instruments Directive: European regulation with global impact

Editor’s comments

Does identity theft affect your organisation?

Confident in compliance?

Securitisation – an exotic option or a necessity?

The practical application of Pillar 2: Understanding whatsupervisors are looking for in a bank’s capital assessment

Russia’s banking sector: Huge growth potential for aggressive players

4

2

Page

10

16

40

24

32

Contents

2

the journal • Tackling the key issues in banking and capital markets

by Chris Lucas

Editor’s comments

3


Chris LucasChairman, Global Banking & Capital Markets Executive Team

Tel: 44 20 7804 9652Email: [email protected]

Welcome to the June 2006 edition of thejournal. The past few months have seensome challenging new developmentswithin the global banking and capitalmarkets industry.

The potential impact of the Markets inFinancial Instruments Directive (MiFID)on the financial services sector is of suchsignificance that all firms should alreadybe assessing the impact of the proposedrequirements on their business. Not only does it present wide-rangingorganisational challenges, affecting keyareas of the business, but it will alsoimpact the way markets operate. Firmsneed to consider changes to theirinternal procedures and systems, and to the procedures by which, and thesystems through which, they will interfacewith the new market structure and othermarket participants. In our opening articleentitled, ‘MiFID: European regulation withglobal impact’, Graham O’Connell andMatthew Oswald assess some of the key requirements of the Directive and its impact on business strategy andoperations within the banking industry.

The Russian banking sector potentiallyoffers a vast and largely untappedopportunity. With a population of 144 million, increasingly wealthy citizens

and over 1,200 commercial banks, it seems Russia’s banking sector has a huge potential for profitable growth.Economic growth, higher real incomesand more purchasing power, as well as increasing transparency and marketopenness are generating significantinterest in this country’s financial servicessector. In our country profile ‘Russia’sbanking sector: Huge growth potentialfor aggressive players’, Rick Munn,Evgeniy Kriventsev and Oleg Mosyazhprovide an in-depth analysis of thesector and the potential opportunities,and risks, that exist there.

‘Regulators across the world face a rangeof unenviable challenges in seeking to interpret and supervise Pillar 2, write Richard Barfield, Chris Matten and Shyam Venkat in ‘The practicalapplication of Pillar 2: Understandingwhat supervisors are looking for in abank’s capital assessment’. Regulators’expectations, the views and concerns of industry participants, and the manypractical considerations are some of the areas tackled in this article.

Effective compliance reporting isreceiving increasing focus within bankinginstitutions, reflecting the profile ofcompliance risks and issues in recent

months. In ‘Confident in compliance’,Martin Hislop, Jan Willem Kaptein andAlex Shapland explore the principalobjectives and management ofcompliance reporting within a financialservices organisation, as well assuggesting the key elements needed in a well-structured and effectivecompliance-reporting framework.

In 2003, the US Federal TradeCommission found that 215,000 reportsof identity theft and fraud had costAmericans at least US$437 million. As identity theft attacks becomeincreasingly more frequent and diverseacross the globe, in ‘Does identity theftaffect your organisation?’, Mark Vos, Jan Schreuder and Philip Riley look at how identity theft is threatening thebanking industry and explore practicalmeasures organisations can take now to protect themselves against the risks.

I hope you find this edition of the journalof interest. Please do continue to provideus with feedback on the topics you wouldlike to see addressed in future editions.

The Markets in Financial Instruments Directive:European regulation with global impact

4


by

4


by by Graham O’Connell and Matthew Oswald

5


5


Graham O’ConnellDirector, Financial Services Regulatory Practice, UK


Matthew OswaldSenior Consultant, Financial Services, UK

Tel: 44 20 7804 4230 Email: [email protected]

Why is MiFID important?

The Markets in Financial InstrumentsDirective (MiFID) is one of the mostsignificant pieces of Financial Serviceslegislation to be enacted by the EuropeanParliament to date. It will result in aradical change to market dynamics in all investment sectors and will requiremarket participants to take fundamentalstrategic decisions in order to establishan effective operating model in the post-MiFID world. Wholesale and retailmarkets will both be significantly affectedand for individual firms the impact will be felt in Trading, Research, FundManagement, Operations, Settlementsand Compliance. Above all, theeffectiveness of a firm’s approach toassessing the impact of MiFID andimplementing the required changes willhave a direct effect on the firm’s futureeffectiveness and profitability.

The objective behind the regulation

MiFID is a cornerstone of the EuropeanUnion’s aim to develop a single Europeansecurities market with common standards.MiFID itself is a harmonised set ofConduct of Business requirements which covers all investment products

(see Figure 1) and services (see Figure 2)and establishes rules around governance,trading, risk, compliance, operations,systems, customer documentation andoutsourcing (see Figure 3). The mainobjectives are increasing pricetransparency in the markets; increasingawareness of risk amongst customers;and promoting greater competitionamongst execution venues. The EU hasdeliberately set out to create a frameworkwhich will affect the way that business isconducted and change the dynamic of

investment markets. It is for this reasonthat MiFID should not be considered as a ‘compliance’ issue, but as a far morefundamental driver for business changein investment firms and markets.

A new equity market structure

In equity markets, MiFID will sweep awaythe current concentration rules thatrequire trading to be carried out overnational exchanges, and will further openup cross-border trading. In order to

Figure 1: Investment products covered

Source: PricewaterhouseCoopers

• Transferable securities

• Money market instruments

• Units in collective investments

• Options, futures, swaps and any other derivative contracts related tosecurities, interest rates or yields

• Options, futures, swaps and any other derivative contracts related tocommodities that may be settled in cash

• Options, futures, swaps and any other derivative contracts related tocommodities that may be settled physically and are traded on a regulatedmarket or MTF

• Options, futures, swaps and any other derivative contracts related to climaticvariables, freight rates, emission allowances or inflation rates that may besettled in cash

• Financial contracts for difference

• Derivative instruments for the transfer of Credit risk

maintain a transparent market for endusers, MiFID will require those firms thatcurrently match customer orders withintheir own organisation, to publish pre-trade prices and then publish post-tradedata. The firms that currently do this on a systematic basis with staff and systemsthat are dedicated to this activity will beknown as Systematic Internalisers (SI)and will begin to be treated in a similarway to Recognised InvestmentExchanges and their on-line counterpartsMultilateral Trading Facilities (MTFs).

Multilateral Trading Facilities(MTF) and SystematicInternalisers (SI)

These changes mean that execution willno longer be centred around nationalexchanges but will gravitate to the mostprice efficient execution venues with thegreatest liquidity. As well as the inevitablecompetition between exchanges andinvestment banks, the role of the ordermatching systems (MTFs) will becomemore prominent. It is already clear that a number of investment banks willestablish their own MTFs to reduce costs and increase efficiency for theirown clients. As a result of the increasednumber of execution venues, pricepublication is likely to become far morefragmented. In order to address this,MiFID itself anticipates that there

The Markets in Financial Instruments Directive: continued

6


Figure 2: Core investment services covered


• Reception and transmission of orders

• Execution of orders on behalf of clients

• Dealing on own account

• Portfolio management

• Investment advice

• Underwriting and/or placing of financial instruments

• Operation of Multilateral Trading Facilities

Figure 3: Some key requirements of MiFID


• All customers must be reclassified

• New customer agreements required

• Determine ‘Best Execution’ for all investment products

• Some firms required to provide public quotes for order-matching

• Firms to establish a Compliance function and effective complianceprocedures

• Firms to establish Risk and Internal Audit functions based on complexity of business

• Document and assess the quality of ‘Execution Venues’

• Obtain customer agreement to Execution policy

• Establish effective Conflicts of Interest procedures

• Carry out revised transaction reporting to regulators

• Inclusion of derivatives within EU legislation for the first time

• Inclusion of investment advice within EU legislation for the first time

• More stringent outsourcing requirements inside and outside the EU

• Rules established for ‘Multilateral Trading Facilities’

will be a market-led solution to theconsolidation of price reporting.Consequently, there will be increasedcompetition amongst data vendors,MTFs, exchanges and investment banksto establish themselves as the acceptedsource of centralised price publicationand trade data.

How to demonstrate BestExecution

Another significant issue in trading allinvestment products under MiFID will be the need to demonstrate ‘BestExecution’. Even in equity markets, the need to consider price, cost, speed,reliability and likelihood of execution inrelation to the nature of the order and thenature of the client will prove challenging.To do so in illiquid or open outcrymarkets will be extremely difficult andthis is an area that will require aneffective market solution which bringsregulators along with it. There is also a concern that there may not be aconsistent approach in the application of this requirement for all jurisdictions.Whilst some regulators may take a broadapproach to this issue based on ageneric policy issued by the firm, othersmay require firms to demonstrateadherence on a trade-by-trade basis,which will prove costly and unwieldy.

The effect of MiFID on BuySide firms

A key objective of MiFID is to increaseawareness of risk and improvetransparency in the trading and adviceprocess. Consequently, all investmentfirms dealing with customers will need to retain more customer documentationincluding revised customer agreements,enhanced ‘Know Your Customer’ data,more information on trading costs andpost-transaction reporting. Customerswill be asked to agree to the firm’sexecution policy and must also beadvised where a firm is not ‘reasonablyconfident’ that its conflict managementprocess will be effective in a specificinstance. In addition, firms will be requiredto reclassify all their customers and mustgive those customers the option ofchanging their classification in specificcircumstances. Whilst this is intended toempower customers to a greater extent,many firms feel that customers will takea negative view of the additionalpaperwork and data requests.

The effect outside the EU region

Many of the firms that will be mostaffected by these changes are globalbusinesses with 24 hour trading booksand worldwide systems and processes.

The introduction of MiFID will requirethese firms to either change globalsystems and controls to addressEuropean regulation, or else they willneed to decouple their global processesand establish stand-alone systems andprocedures for their European operations.In addition, there are certain aspects ofthe new rules that may be seen as‘extraterritorial’, requiring the MiFID rulesto be addressed outside the EU region.In particular, the outsourcing rules willmean that EU investment firms thatoutsource any ‘critical or importantoperational functions’ to a serviceprovider in a ‘third country’ may only doso if the service provider is regulated inthat country and is subject to prudentialregulation. Even then there will need tobe a co-operation agreement betweenthe investment firm’s regulator and theservice provider’s regulator.

Implementing a commonstandard

In order to create a level playing field,much of this Directive will beimplemented as ‘regulation’, meaningthat national regulators will have verylittle opportunity to interpret the EUrequirements to fit their local marketconditions. Therefore, even in territorieswhere many of the MiFID conceptsalready exist, the local regulator will

7


largely have to replace existing rules withthe MiFID rules. The result will be thatinvestment firms in all EU territories willhave to carry out a significant amount ofwork across the business to demonstratethat they meet these new requirements.

The key stakeholders in thebusiness

The MiFID requirements are wide-rangingand will require input from most areas ofthe organisation. Typically, effectivesteering groups within investment firmsinclude Heads of Compliance, IT, Tradingand Operations as a minimum, withrepresentation at Board level. As MiFIDprojects develop, firms will need todevelop a broader awareness-raisingprocess to ensure that all businessheads understand the effect that thisDirective may have on their day-to-dayprocesses. The ultimate objective will beto turn MiFID from a detached projectinto an embedded part of the ‘businessas usual’ process.

The timetable forimplementation

The known dates at present are that theoriginal Directive was ratified in April2004 and the final implementation date is still intended to be 31st October 2007.The EU implementation documents (the‘Level 2’ documents) were published

on 6th February 2006 and are still beingratified by Parliament. Thereafter it isexpected that national regulators in EUMember States will translate the EUrequirements into national rulebooksduring 2006. The scale of the changesrequired, particularly in relation tosystems and in obtaining customerdocumentation and legal agreements,means that the final implementation datedoes not give investment firms muchtime to become fully compliant.

An effective approach to MiFID

Given the resource intensive nature of MiFID, there is clearly a ‘first mover’advantage, with those firms that identifykey issues for their business at an earlystage likely to emerge as the best placedto minimise disruptions and maximiseopportunities. Therefore firms shouldnow be assessing what impact the MiFID requirements will have on theirbusiness and on the markets they tradein, and putting in place an effectiveimplementation plan, prioritising thoseareas of greatest strategic advantage.

The Markets in Financial Instruments Directive: continued

8


April 2004 Level 1

February 2006 Draft Level 2

July 2006 Final Level 2

October 2006 FSA draft changes to COB rules

3 months

January 2007 Implementation of CRD

November 2007 Implementation of MiFID

FS

A C

onsultatio

n Pap

ersFigure 4: Timetable for implementation


9


Russia’s banking sector: Huge growthpotential for aggressive players

10


by Rick Munn, Evgeniy Kriventsev and Oleg Mosyazh

The Russian economy has been growingover the last six years by more than 6%a year, faster than not only developedcountries, but also most other emergingmarkets. Individuals’ income is alsogrowing, stimulating a boom in consumerdemand. Undoubtedly, this growthrequires a corresponding improvement in the country’s financial sector. In thisarticle we review the Russian bankingsector, analyse current trends and focuson the key factors affecting itsdevelopment.

The Russian banking sector

Russia has just over 1,200 commercialbanks. At the end of 2005, total assets of the banking system exceeded $300 billion, and share capitalapproximated $40 billion. The Russianbanking sector is highly consolidated,with the 100 largest banks accounting for over 80% of total assets and 70% of capital (see Figure 1).

State banks traditionally hold a strongposition, owning over half of all assets.The largest (by asset volume) privatelyowned Russian bank, Alfa-Bank, is onlythe fifth largest in the country.

The dominant bank is state-ownedSberbank, founded in 1841 and previouslythe monopoly retail bank during theSoviet era. Sberbank is the largestfinancial institution in central and easternEurope, accounting for over 25% of allthe assets and capital in Russia’sbanking system. Sberbank dominatesthe retail banking market, holding around

60% of all retail deposits and issuingover 40% of all retail loans. Thedominating presence of Sberbank is due to a long-standing association withthe state, historical general public loyalty,and over 20,000 branches located notjust in every city of the country, but alsoin many villages where there are simplyno other banks.

11


Rick MunnIndustry Leader, Financial Services,Russia


Oleg MosyazhManager, Financial Services Marketing,Russia


Evgeniy KriventsevSenior Manager, Financial Services,Russia


Sberbank (state)

Assets, USD bn

Vneshtorgbank (state)

Gazprombank (state)

Alfa-Bank (private)

Bank of Moscow (municipal)

Uralsib (private)

Rosbank (private)

International Moscow Bank (foreign investment)

MDM-Bank (private)

Promstroybank (private)

78.1

18.6

13.9

8.4

7.5

7.1

5.7

5.2

4.4

4.1

0 10 20 30 40 50 60 70 80

Figure 1: Top 10 Russian banks by assets

Source: Interfax, PricewaterhouseCoopers

The Central Bank

The Central Bank of the RussianFederation is the main regulator of the banking sector. In addition to itssupervisory and licensing role, theCentral Bank also sets out the rules andprocedures for making bank transactions,the reporting requirements for banks and rules for making settlements inRussia. It is also responsible for manyaspects of monetary policy of theRussian Federation.

Growth potential

Even though the Russian banking sectorhas seen rapid growth in retail lending,the retail lending share in GDP in Russiaat the beginning of 2006 was only 5% –far behind that in developed countries(around 50% in Eurozone countries, over 65% in the USA and over 70% inthe UK). To further illustrate, the share of mortgage lending in GDP in Russia is as low as 1% (55% in the USA and over30% in Eurozone countries). Given thecurrent boom in retail banking, this gapbetween Russia and developed countrieswill clearly shorten (see Figure 2).

Another growth area for the bankingsector is the introduction of new bankingproducts and services. For example,despite the relative popularity of plasticdebit cards, of which there were 47.2 million by the third quarter of 2005,

banks only began offering credit cards to individual customers in 2005. Overall,plastic in Russia has limited use: 94% of operations are used for cashwithdrawals, while in European countries50% of plastic card operations are topay for goods and services.

Retail banking boom

Economic growth, higher real incomesand, consequently, more purchasingpower are having a positive effect onretail banking in Russia. Close to $100 billion worth of retail deposits wasrecorded by the end of 2005 – equal toaround one third of total liabilities in the

Russian banking system. While the shareof retail deposits as a percentage of totalliabilities of Russian banks has remainedrelatively stable since the beginning of 2003, the share of retail loans ascompared to total assets grew almostthree times over the same period from6.6% to 17.5%. In monetary terms, the growth of retail lending is even moreimpressive: from $3.6 billion outstandingin early 2003 to $40 billion outstanding inearly 2006. In the third quarter of 2005,growth of retail loans outgrew growth ofretail deposits for the first time and thistrend will most likely continue over thenext couple of years.

Russia’s banking sector continued

12


Russia Hungary Poland SouthKorea

Japan Germany Switzerland UK US

5.4%

12.1%

19.5%

53.8%56.9%

45.0%

60.7%

70.5%65.6%

%

0

10

20

30

40

50

60

70

80

Figure 2: Retail loans to GDP ratio (%): Russia vs. selected economies

Source: EIU, ECB, CEIC, CBR

PricewaterhouseCoopers estimates thatover 1.7 million cars were sold in Russiain 2005, totalling $22 billion in value.Although in unit terms this was only a 7% rise on the figures for 2004, thecost of the cars bought grew by 21%.One factor for this growth was better car loans. According to differentestimates for 2004, 15–20% of car saleswith, total value of $2.7–3.7 billion weremade on credit, while in 2005 the shareof cars sold on credit grew to 25–28%and reached $5-6 billion. Motor industryfigures and analysts forecast that up to 60% of cars will be sold on credit in 2008–2009.

Experts estimate that Russian mortgagelending is more than doubling each year.If, at the beginning of 2005, mortgageloans totalled $2 billion, experts believethat the $20 billion threshold will bebroken by 2008. The main factorspreventing faster development of thistype of lending are relatively high interestrates at between 9% and 14%, and ahigh initial own investment requirementof at least 20% of the property value.

An explosive growth of retail lending mayaffect the quality of credit portfolios ofthe banks. Currently, relatively high-loanlosses on retail loans are compensatedby high interest rates. Banks generallyobtain above the market margin onlending to individuals.

Thin capitalisation

Thin capitalisation of Russian banks is a key problem, which could slow downthe further development of the bankingsector and its growth rate. The CentralBank requires strong compliance with itsregulatory requirements, including capitaladequacy ratios. From time to time thisimposes certain limitations on thebusiness of even large Russian financialinstitutions. At the same time, large localinvestors are often relatively relaxedabout making significant investments inthe banking business since investmentsin natural resources extraction, retail andconsumer sector, currently provides themwith higher returns. Foreign investmentsinto the Russian banking are still quitelimited. Therefore, Russian banks areactively looking for alternative solutionsto capitalisation problems, includinginternational placements of subordinatedloan participation notes.

International financing

Increased transparency and stability ofthe Russian banking system has allowedRussian banks some access to longer andless expensive international financing.

Eurobonds are still the most popularmechanism among Russian banks forattracting funds, bringing tens of billionsof dollars at 7–8% into the Russianbanking system, in 2005. Generally,

Eurobond issues were for between $150 and $500 million, but several largebanks, such as Sberbank, Gazprombankand Vneshtorgbank, had a range of bondissues worth over $1 billion.

Asset securitisation is still relatively new for Russian banks, and due toundeveloped related legislation in Russia,market players have to issue asset-backedsecurities on foreign exchanges. Forexample, Bank Soyuz, which in 2005made the first Russian securitisation of its car loans for $50 million and HomeCredit & Finance Bank (HCFB), whichmade the first Russian securitisation ofrouble-denominated consumer loans.Both these transactions were placedabroad, on the Irish Stock Exchange.

Even though a lot of activity was seen fromRussian companies in 2005, attractingmore than $10 billion through publicfloatations, so far no Russian bank hasmade an initial public offering (IPO). Yetmany banks have already announced theirplans to float shares in 2006, including thelarge Vneshtorgbank and Rosbank.

Foreign capital

With 89 federal regions, 144 millioncitizens with growing incomes, 13 citieswith a population of over 1 million and168 cities of over 100,000 people, Russia is an attractive market for foreign players.

13


There are 133 credit organisations with foreign participation in Russia.International credit organisations areincreasingly interested in the Russianbanking sector. In 2005, the number of banks with 100% foreign capital rosefrom 33 to 42. Simultaneously, the shareof foreign capital in the Russian bankingsector also grew. If in early 2005 foreignbanks’ share was less than 8%, inJanuary 2006 it was over 11%,according to the Central Bank statistics.However, banks with foreign participationare not among the leaders in Russia atthe moment. Only three banks withforeign capital featured in the top 20Russian banks, by assets, as at 1 November 2005: International MoscowBank, Raiffeisenbank Austria andCitibank, occupying eighth, eleventh and fifteenth places, respectively.

Recently, foreign banks have stepped upacquisitions of stakes in Russian banks.The most visible recent deals were; GE Consumer Finance’s acquisition of Deltabank for $100 million in 2004;Banca Intesa’s (Italy’s No. 1 bank byassets) purchase of a controlling stake(75% minus one share stake) in KMB-Bank for $90 million in 2005; Société Générale’s purchase ofDeltaCredit for $100 million in 2005;Dresdner Bank’s purchase of 33% ofGazprombank for $800 million in early2006; and Raiffeisenbank’s acquisition

of Impexbank for $550 million, announcedin February 2006. We are sure to seeseveral more such deals in the near future.

One of the most active investors in theRussian banking sector is the EuropeanBank for Reconstruction andDevelopment (EBRD). It currently hasholdings in 23 Russian banks, mainlyinvesting in the share capital of regionalbanks. Its investment level in 2004–2005was around $500 million per year andaccording to statements by the bank’srepresentatives, it will stay around thatlevel in 2006.

Consolidation and regional expansion

More regulation, tougher competitionand increased capital requirements in the financial services market havesteadily cut down the number of banksin Russia over several years. In 1996,Russia had 2,538 banks; 1,253 banksheld licences for banking operations in 2006 (see Figure 3).

Along with foreign banks purchasingstakes in Russian banks, Russian banksare also active in the mergers and

Russia’s banking sector continued

14


Number

1996 1997 1998 1999 2000 2001

Year

2002 2003 2004 2005 2006

2530

2029

1697

14761349 1311 1319 1329 1329 1299 1253

0

500

1000

1500

2000

2500

3000

Figure 3: Number of banks in Russia: 1996–2006

Source: CBR

acquisitions (M&A) market. Mainly, theseare national banks, which buy regionalbanks to enter local markets. However,there is an opposite trend: severalregional banks that have outgrown their initial markets, strive to reach a nationwide status via organic growthand through M&A.

Transparency

In late 2005, the international ratingagency, Standard & Poors, made asurvey of transparency in 30 of thelargest Russian banks, mainly on thebasis of publicly available information.The study showed a low level of publiclyavailable information, when comparedwith similar foreign credit institutions.The average level of disclosure byRussian banks in the study was only36% (85% for the largest foreign banks).To raise the confidence of depositors,investors and the public, in general,Russian banks need to make significantprogress on information disclosure in thenext few years.

Russia’s entry to the WTO

By 2006, Russia had reached agreementwith almost all WTO member countrieson its entry to the WTO. As it stands, inearly 2006, Russia is still negotiating withthree countries: the US, Australia andColumbia. The main point of debate in

negotiations with the US is foreigncommercial banks opening branches inRussia. Russia does not want to lift itsban on foreign bank branches and is‘sticking to its guns’, arguing that the riskof losing control of monetary flows in thecountry is too high. At the same time,there are currently no formal obstaclesfor foreign banks to operate in Russiathrough resident subsidiaries.

Conclusion

In the current conditions of an emergingeconomy and growing wealth of citizens,Russia’s banking sector has a greatpotential for profitable growth. Retail andregional expansion, higher capitalisation,new banking products and services,more transparency and implementationof new technologies are the key successfactors for the financial institutionslooking for dynamic profitable growth inRussia. Who will win? What are therisks? What are the returns? Only thefuture will show. However, as withvirtually everything in Russia – thegrowth potential is huge, but one has tobe aggressive to make a decent return.

15


The practical application of Pillar 2:Understanding what supervisors are looking for ina bank’s capital assessment

16


by Richard Barfield, Chris Matten and Shyam Venkat

The fog enveloping the practicalapplication of Pillar 2 of the Basel IIframework is beginning to clear. Over thelast few months, regulators including theUK Financial Services Authority (FSA)have been developing their approach to assessing a bank’s process for linking its capital to its risk profile. The FSA isarguably one of the most advanced in itsthinking on this issue and the FSA’s leadprovides banks with useful insights intowhat other supervisors may expect underPillar 2.

Spare a thought for the regulators.Regulators across the world face a rangeof unenviable challenges in seeking tointerpret and supervise Pillar 2. Theseinclude the translation of qualitative riskassessments into quantitative capitalrequirements. More broadly, they mustdecide how to strike the right balancebetween providing appropriate guidanceand being suitably non-prescriptive inkeeping with what is a principles- ratherthan a rules-based framework. Suchhurdles need to be overcome in order to oversee an industry that ranges fromlarge, international banks to small mutualsocieties, stockbrokers and assetmanagers, and whose firms have diverseapproaches to managing risk and capital.

The regulators’ approach matters forbanks because the supervisor’s role is to form a view on an appropriate Pillar 2 buffer above the Pillar 1 capitalminimum. For some institutions this islikely to be a significant amount ofadditional capital. The key input to thisassessment will be the bank’s InternalCapital Adequacy Assessment Process –the ICAAP1. In developing its approach to Pillar 2, the UK FSA has expressedcertain expectations regarding a firm’s ICAAP.

For many institutions, economic capitalwill have a role to play. A survey of morethan 200 banks and other financialservices firms from around the world,which was carried out for the recentPricewaterhouseCoopers/EconomistIntelligence Unit (EIU) briefing oneconomic capital, found that 44% of the participants already use it and afurther 13% plan to implement it in thenext year2. The same report noted that50% of the world’s top 50 banks alreadyinclude economic capital disclosures intheir annual reports (this is up from justover 20%, four years ago).

What the FSA expects

The key principles underpinning theFSA’s approach are that supervisoryguidance will be kept to a minimum and that the ICAAP should reflect whatthe firm does for its own purposes (seeFigure 1 overleaf). These same principlesapply in the CEBS guidance tosupervisors in the European Union (EU).As such, the FSA does not makeeconomic capital a specific requirement.However, it does insist that the ICAAPshould be a core management tool andtherefore a firm is likely to come unstuckif it treats its ICAAP as purely aregulatory exercise.

The onus will be on the institution toconvince regulators that it holdssufficient capital for the risks that it runswithin the context of its strategy and theexternal environment. To decide whetherthey are convinced, regulators willundertake desk reviews and site visitsand engage in dialogue withmanagement. While the numbers will ofcourse be important, the demonstrablerigour of the ICAAP process in its ownright and its integration into themanagement of the institution are likelyto be equally of interest to the regulators.

17


Richard BarfieldDirector, Valuation & Strategy,UK


Shyam VenkatPartner, Advisory, Financial Risk Management, US


Chris MattenPartner, Banking and CapitalMarkets Industry Group, Singapore

Tel: 65 6236 3878Email: [email protected]

1 This is the acronym adopted by the Committee of European Banking Supervisors (CEBS) to describe this part of Basel II2 ‘Effective capital management: Economic capital as an industry standard?’ (www.pwc.com/financialservices)

Lingering challenges

One challenge for regulators will be to decide how to make valid peercomparisons when risk capitalframeworks vary so much betweenparticular institutions. The difficulty in establishing comparable figuresmeans that judgement will inevitably play a major role in benchmarking capital levels. An analysis of the publicdisclosures of economic capital by theworld’s largest 50 banks brings homethis point as well.

Under current conditions capitaladequacy does not appear to be anissue. PricewaterhouseCoopers analysisof the disclosures from the nine users of economic capital in the top 20 globalbanks show that at the end of 2004 they held significantly more Tier 1 bookcapital than economic (risk) capital – see Figure 2. Three of the nine carriedpractically double their economic capital in terms of Tier 1 (a proxy forshareholders’ funds). Their economiccapital was also significantly less thanminimum regulatory capital under thecruder measure of 8% of Basel I riskweighted assets. (For smaller institutionsthe gap may be narrower because theytend to be less diversified and thereforemore risky).

The practical application of Pillar 2: continued

18


Figure 1: FSA expectations of a firm’s ICAAP

Source: FSA presentations November 2005

• Clearly described and evidenced ICAAP process

• Comprehensive coverage of material risks

• Quality of management and track record of delivery

• Business as usual capital

– Conservatism in Pillar 1 and Pillar 2

– Perspective of how it will behave through a cycle

• ‘Simple and intuitive presentation’

– Clear top-down view

– Clear statement of assumptions

– Differences between Basel II and risk capital for Pillar 1 risks

ABN Fortis BoABarclaysDeutscheCitigroupHVBJPM ChaseCSG

Index

Economic capital (indexed to 100)

0

50

100

150

200

250

Minimum regulatory capital (8% of RWA) Tier 1 capital

Figure 2: Relative capital levels

Source: 2004 company accounts, analyst presentations and PwC analysis Note: The Bank of America comparator figures appear low due to high economic capital at year-end 2004 as a result of

the merger with Fleet First Boston.

However, there is no standardisedapproach to economic capitalcalculations. So even though around halfof the world’s largest banks now discloseeconomic capital figures in their annualreports, the numbers are more useful inassessing the trends in individualinstitutions than in making benchmarkcomparisons. The problem is illustratedby the difficulties in making comparisonsusing the longer established Value-at-Riskdisclosures. Differing holding periods,confidence levels, modelling approachesand correlation effects all conspire tomislead the unwary. Depending on themodel and assumptions used, the sameportfolio can give quite different butequally valid results. This is compoundedin the case of economic capital as it isnot always clear what this should becompared with – should requiredeconomic capital be compared withavailable Tier 1 capital? Or shareholders’funds? Or tangible common equity, or any other definition of capital?

A second major challenge for regulatorswill be linking the qualitative measurementof risks, controls, governance andmitigants (which the UK FSA assessesthrough its Arrow process) to capitaladequacy assessments. Figure 3 showsschematically how the FSA expects thisto operate. If the score is high (that is,bad from a firm’s perspective), this willbe reflected in the size of the buffer over

Pillar 1. As mathematicians will remember,if you examine a curve in magnifieddetail, it actually appears as a series of very small steps. It will be interesting to see how marked the steps turn out to be in practice. At another extreme,one other non–EU national regulator isrumoured to be considering a simple flat percentage add-on to Pillar 1 as the way to estimate the capital buffer –independent of risk assessment. Althoughsimplicity is appealing, how would suchan approach allow the regulator toreward firms with superior riskmanagement? And how does it providean incentive for firms to make a rigorousassessment of their own capital needs?

Industry perspectives

The FSA and the UK banking industry have been engaged in dialogue for a whileover the right approach to Pillar 2. Thismeans that both the FSA and the industryshould have a good understanding of eachothers’ perspectives – even if they do notalways agree.

Banks hold capital for many reasons and risk capital is just one component.(Figure 4 overleaf shows the keycomponents). The capital managementprocess in an institution will address allof these elements. A bank also needs to consider, for example, rating agency

19


Final ICG = Base Capital x X%

Pillar 1 minimum capital

Base Capital

Low ML HighMedian Arrow Score MH

Adjustment can be less than 100% but cannot fall below Pillar 1

Figure 3: Linking the qualitative assessment to capital estimation

Source: FSA presentations November 2005

requirements; how much safety buffer itwishes to hold to protect its reputation;capital for acquisitions, and so on.

The expectations and concerns ofindustry participants regarding Pillar 2will of course vary depending on wherethey stand. One could reasonably expectbanks whose economic capital is lowerthan Pillar 1 capital to argue strongly thattheir regulatory capital under Basel IIshould be less than Pillar 1. This isbecause most economic capital modelscover many additional risks other thanthe three covered by Pillar 1: market,credit and operational. However, under

the new Basel accord, Pillar 1 is aminimum capital requirement. Animportant counter-argument fromregulators will be that the models arerelatively new – many have not be testedthrough sharp economic changes – andthat a degree of conservatism is needed,particularly when the comparativeeconomic capital results are predicatedupon correlation assumptions that arenot easily observable.

At a high level, common industryexpectations are that the FSA’sassessment of an ICAAP shouldincorporate:

• a ‘business-as-usual’ view of capitalcalculations and managementprocesses (that is, not forcedunnecessarily to fit doomsdayregulatory scenarios);

• a sensible allowance for diversificationbenefits (these can be between 20-40% of capital for a diversifiedinstitution); and

• consideration of total capital and notjust core equity (there is often atendency to focus on Tier 1 capitalwhereas other forms of capital areimportant ingredients in the capitalstructure of sophisticated institutions).

Concerns will also vary from institution to institution. At a high level, the mainindustry misgivings over the FSA’sapproach include a reluctance to see:

• a requirement for one-off ad hocexercises prepared largely for theregulator;

• conservatism for its own sake incapital estimation (many believe thatthe Basel II formulae already includeadequate conservatism in thecalculation of Pillar 1 capital); and

• stress tests used to determineadditive capital estimates (the viewbeing that stress tests test theresilience of capital).


20


Netcashflow

Riskcapital

£bn

FSApremium

Contingentcapital

Physicalcapital

next year

Physicalcapital this year

Acquisitionwar chest

Reputationbuffer

Ratingagency

premium

Figure 4: The business perspective on capital management is much widerthan regulation


The main underlying concern, however,is that the banks are unsure how theywill meet the FSA’s requirements whenthese have not been fully spelt out.Unfortunately, they are unlikely to bespelt out – as Pillar 2 is principles-based,detailed guidance cannot be expected.Desire on management’s part for detailedrules is unlikely to be satisfied.

One non–EU supervisor used a ‘DearCEO’ letter last year to suggest to itsmajor banks that they should adopteconomic capital and described in somedetail how it should be applied.Understandably there was strongindustry push-back. In their view, theregulator had strayed too far into internalmanagement matters. Within the UnitedStates, regulatory agencies such as theFederal Reserve have led the way insuggesting the adoption of economiccapital programmes to constituent banks.However, such encouragement hasstopped short of prescriptive guidance.

Our advice to clients is to adopt aprinciples-based approach themselvesand focus on addressing the followingpractical issues. Are all material riskscovered? Is there clear ownership of risks?Is it clear which risks are best addressedthrough capital (e.g. interest rate risk inthe banking book) or through controls andmitigation (for most banks this wouldinclude reputational risk)? Are controls

appropriate and adequate? Figure 5illustrates how a range of approaches isessential. Are risk and capital sufficientlyinter-linked? One of the bigger challengesfacing firms that have traditionally used a regulatory capital model to underpininternal capital management is the switchto determining their own internally derivedrisk capital levels, rather than reading offBasel I formulae.

Once the risk capital framework hasbeen validated there is plenty of detailwith lots of devils lurking therein. One

particular area that will be of increasingimportance is stress testing, given thejudgements that are necessary toestimate risk capital figures. The designand application of effective stress teststo demonstrate the resilience of capital inadverse circumstances will be essentialto inform the intuitive top-downassessment that most regulators will be seeking to apply.

21


Figure 5: Risk and capital approaches


Risk type Capital model Controls/mitigants Stress testsmanagement action

Market ✔✔✔ ✔ ✔

Credit ✔✔✔ ✔✔ ✔

Operational ✔✔ ✔✔ ✔

Business ✔✔ ✔ ✔✔

Reputation – ✔✔✔ ✔

Liquidity ✔ ✔✔ ✔✔

Interest rate risk ✔✔✔ ✔ ✔

Onus on firms

The move from a formulaic capitalcalculation to risk- and principles-basedprudential regulation marks a sea changefor banks. Pillar 2 of Basel II puts theburden of proof firmly on firms themselvesto convince the regulator that they holdsufficient capital. A key part of the‘evidence’ will come from demonstratingthe thoroughness of the process andensuring that capital calculations areseen through the eyes of management,and reflect its thinking.

Clearly this is a challenge, even in somelarger institutions that have been slow toembark on economic capital initiatives.However, it also provides an opportunityto integrate regulatory compliance into abroader and more sophisticated risk-basedcapital framework, capable of supportingenhanced decision-making and assuringstakeholders that the institution is robustand properly managed.

In response to the challenge, a globalteam at PricewaterhouseCoopers hasdeveloped a comprehensive new serviceoffering called ‘Risk-based CapitalManagement’3 to assist clients to linkrisk and capital. Our approach supportsclients from design through to detailed

implementation and validation. Figure 6describes the principal components ofour service offering which is supportedby detailed, practical methodologies. Italso provides a useful checklist of keystages to consider in complementingrisk-based capital management.

Our focus, as we are sure yours is, isabout creating business benefits for ourclients. There is much more to risk-based capital management than models.


22


Design

• Business case

• Selection of approach, methodologies and models

• Policy and framework development

• Management awareness

• High level programme plan/roadmap

Build

• Risk appetite

• Technical guidance

• Model selection

• Process design

– Strategy budgeting performance reporting

– Risk adjusted performance measures

– Compensation

– External communication plan

• Prototype economic capital model

• IT and data architecture

• Capital planning

• Integration plan

Integrate

• Embed in management processes

– Strategic planning and budgeting

– Performance measurement

– Data quality

– Pricing

– Portfolio management

– Compensation

– External communications

• Internal communication and change

management

• Benefits realisation

Validate

• Business case

• Selection of approach, methodologies and models

• Policy and framework development

• Management awareness

• High level programme plan/roadmap

Figure 6: Risk-based capital management – key stages through the process

Source: PricewaterhouseCoopers RBCM service offer

3 ‘Risk-based capital management’, an overview guide published by PricewaterhouseCoopers. To download a copy please visit www.pwc.com/banking

23



24


by Peter Jeffrey, Frank Serravalli, David Lukach and Michael Codling

An expanding market

Mention ‘securitisation’ and one often thinks of on-off balance sheet,manipulation, Enron and Parmalat; othersthink of smart investment bankers,obscure language and high fees.

It is undoubtedly true that securitisationis complex, but equally true that it is an increasingly important tool for manycompanies, both within and outside thefinancial services sector. We believe

there are also good reasons as to whythis trend is set to continue, and they will be addressed later in this article.

Securitisation techniques were developedin the US in the 1980s, and has become amature and significant sector of the capitalmarkets. In Europe, a few securitisationtransactions were undertaken in the1980s, but it was not until the late 1990sthat the market exploded. As can beseen from Figure 1 below, it has beengrowing ever since at an increasing rate.

In other parts of the world, Australia has a mature mortgage securitisation marketand is just beginning to develop otherasset classes. Japan has a domesticmarket, and some other Asian countrieshave experimented with securitisation.We have recently seen the first deals inRussia and the Middle East.

Many types of receivables and assets,that will generate future receivables, have been securitised. Some of these are listed in Figure 2.

25


Peter JeffreyHead of PricewaterhouseCoopersEuropean Securitisation Group


Michael CodlingBanking Leader, Australia & Head ofPricewaterhouseCoopers AustralianSecuritisation Group


Frank Serravalli & David LukachCo-Heads of PricewaterhouseCoopers USSecuritisation Group

1 646 471 2669 – [email protected] 646 471 3150 – [email protected]

€ Billions150

120

90

60

30

0Q1 Q2

2005Q3 Q4Q1 Q2

2004Q3 Q4Q1 Q2

2003Q3 Q4Q1 Q2

2002Q3 Q4Q1 Q2

2001Q3 Q4

Figure 1: European securitisation insurance

Source: Dealogic, Thornson Financial, J.P. Morgan Securities Inc., Structured Finance International-Compiled by European securitisation Forum

So how does securitisationwork?

A company (the originator) wanting to securitise will transfer current or future receivables to a Special-PurposeEntity (SPE). This transfer needs to bewhat is known as a ‘sale/true sale,’meaning that in the event of theoriginators’ bankruptcy, the assets will remain the property of the SPE and will not be available to theoriginators’ creditors.

The SPE pays for the assets by raisingfunds through the issuance of securitiesin the marketplace, either public orprivate. Conduits are a popular vehicleutilised to fund short-term assets. The sponsoring bank may consolidate a conduit. It is a particularly usefulstructure for smaller transactions andshorter-term assets.

Before arranging this funding, the SPEshould consider currency and interest-rate hedges, as well as creditenhancement for the assets.

Credit enhancement means that in theevent of losses, often three or four timesexpected losses, the originator or a thirdparty (e.g. an insurance company) willabsorb the losses.

Securitisation – an exotic option or a necessity? continued

26


Figure 2: Securitisation issuance by asset type


Funders• Public or private bond issue• Bank conduit• Bilateral bank loan

Originator SPV

Credit enhancement• Subordinated loan• Insurance• Guarantee

Interest rate swap

Sell receivables

Cash plus deferred consideration

Figure 3: How can you use securitisation to access the capital markets?


Retail mortgages Champagne and whiskey stocks

Credit cards Pop artists back catalogue

Auto loans Ferry and road tolls

Commercial mortgages Account receivable

Insurance premiums Tax receipts

Non-performing loans Corporate loans

Credit enhancement can take manyforms, including a subordinated loan from the originator, credit insurance andcash reserve funds (being cash built up of cash in the SPE). This creditenhancement allows the SPE to behighly rated, thus enabling it to raisefunds at highly competitive rates.

Any excess income in the SPE, afterpaying the funding costs, hedging costsand other expenses, is usually passedback to the originator as deferredconsideration. Usually, the originator willcontinue to service and administer thereceivables on behalf of the SPE. It isthus more attractive than an outright saleof the receivables, because it providesfunding, and a limited amount ofdownside protection (in respect of lossesincurred above the credit enhancement),while maintaining all the upside potentialof the assets. It also maintains theongoing relationships with customers,and usually, they may never know thattheir receivables have been securitised.

A key to making a securitisation effectiveis to ensure that it is ‘tax neutral’ as far aspossible both from a direct and indirecttax perspective. In some jurisdictions, thisis relatively easy whilst in others ‘offshore’SPEs are required. Tax opinions will beproduced to show there is no significanttax cost as a result of the securitisation.

The net result of the structuring is thatthe originator has raised funding whilstmaintaining the right to the profit on the receivables.

So why is securitisationattractive to companies?

It enables a company to raise fundingnot linked to its credit rating. Thisenables companies to raise funds fromsources that would not normally considerfunding such a company. It also does notutilise existing funding lines or limits.

Because of the high credit rating of theSPE, overall funding may be reduced.This will become particularly importantas banks adopt Basel II and will havehigher capital changes for lending tounrated and lower rated companies.

In addition to being an effective fundingtechnique, securitisation may provideother benefits. It may be used as a riskmitigation tool, for catastrophic risk. The originator bears the cost or pays for protection in respect of three or fourtimes expected losses. If losses aregreater than this, the note holders bearthese losses. Thus, for regulated entities,it will usually reduce the regulatorycapital requirement they have on thesecuritised assets.

Depending on your accountingprogramme, which will be discussedlater, securitisation may result in earningswhen assets are securitised.

27


Case study:

A Scandinavian privately owned company manages a number of retail outletsand has its own in-house store card. It is unrated, because its owners do notwant to submit to the intrusive rating process. Traditionally, it has funded itselfthrough bank loans. The rate on these were good, because of the company’strack record and reputation. The company was told that in anticipation of Basel II its funding cost would rise up to 100bp. The company developed a securitisation programme for its store card receivables and obtained fundingaround 30bp above its historic level, thus saving 70bp.

A frequent comment from first-timeissuers is that the process enables themto understand their receivables betterand enhance their origination andprocessing systems giving them a furthercompetitive advantage.

For companies in developing countries,where traditionally international lendershave been unwilling to lend due to thepolitical and country risk, securitisation canbe particularly beneficial. By having theSPE outside the originators country and inan established financial centre, much of thepolitical and country risks can be removed.

Many people associate securitisationswith off-balance sheet accounting andsome of the recent scandals mentionedearlier. Undertaking a securitisationpurely to ‘massage’ the balance sheet is never a good reason for undertakingsuch a transaction. Equity and creditanalysts are increasingly penalisingcompanies where it is not clear whysecuritisations have been executed.

On the other hand, the same analysts givesignificant credit to companies which usesecuritisations in a strategic manner andcan articulate the reasons for doing so.

Those who combine this with good andclear financial and disclosure risks on the securitisations have nothing to fear.

In any event, in practice ‘off-balance’sheet accounting is getting more difficult.US GAAP is relatively friendly tosecuritisations with its qualifying specialpurpose entity (QSPE) regime, but inrecent years the FASB has tightened the rules for qualifying as a QSPE andnew rules likely will be stricter.

Under IFRS, most traditionalsecuritisations fail to achieve off-balancesheet treatment (although there is somepossibility of partial derecognition)consequently, the securitised assetsremain on the balance sheet with theoriginator bringing on to its balancesheet the funding obtained. Since nosale has taken place, no upfront incomerecognition is allowed.

Currently, there is an intention toconverge US GAAP and IFRS, which inthe case of securitisations will not beeasy. The securitisation industry world-wide is currently working to develop an accounting approach that will bestaccount for the complex economics of a securitisation. This is an initiative of the European, Australian and USsecuritisation forums, which have to


28


Case study:

A US mortgage company generatesvalue from originating mortgagesthrough its ‘state-of-the-art’ ITsystems and extensive brokernetwork. The company has littleinterest in holding or servicingmortgages long-term. By securitisingits mortgages and passing theservicing to a specialist mortgageservicing company, the mortgagecompany can realise funds to financenew loans and at the same time,under US GAAP, generate a gain on sale, thus realising the inherentvalue of the origination process.

Case study:

A Caribbean company with a majorexport business wants to raisefunding for expansion. This fundingcannot be sourced from the limiteddomestic markets, and internationalfunders are reluctant to lend in theregion. The company sets up theSPE in Delaware and sells its exportreceivables to the SPE. The SPEthen arranges funding from a USand EURO Medium-Term Note(MTN) programme. This is possiblebecause the funds from thereceivables are kept offshore, whilethe MTNs are outstanding.

date, undertaken a worldwide survey of the accounting needs of securitisationand how current accounting regimesmeet these needs. The results of thissurvey have been discussed with IASB,FASB and other regulators. We wouldencourage all securitisers to get involvedwith this initiative and to provide theirideas for the future. The authors wouldbe pleased to receive your comments.

Accounting has, however, become lessimportant in many parts of the world(outside the US) as regulators havedeveloped their own rules for determiningregulatory capital requirements, and thisis also the approach Basel II takes.

So what do you need to do toundertake a securitisation?

The first step is to undertake a feasibilitystudy, which would include asking thefollowing questions:

• What strategic imperative does it solve?

• Do the likely economics make sense?

• Do we have suitable receivables;– that can be legally transferred?– that have a verifiable track record?

• Do we have systems that cansegregate and manage the receivables?

• Are there any other issues oradvantages to be gained?

• Will there be investor demand?

• Is there anything that will make a securitisation impossible?

Only after these key questions have beenanswered should you proceed to committo investment bankers and lawyers todevelop a detailed plan and structure.

Conclusion

Undertaking a securitisation is a complexbusiness decision requiring manyfunctional areas of a company and a number of external professionals. It can be achieved with good projectmanagement. While securitisationprofessionals have a unique language,the fundamentals can be made simplified.

Securitisation is a technique that willbecome relevant and helpful to more andmore companies. It can be complex toundertake, but with careful planning andproject management, is achievable formost companies. In the future, weforesee it being a necessary fundingtechnique for many companies ratherthan an exotic option.

It is for this reason that atPricewaterhouseCoopers we havedeveloped a global securitisationpractice, which helps clients makecomplex business decisions in

29


Case study

An Australian bank needs to reduceits regulatory capital requirement asa result of an acquisition. It has abig credit card portfolio and wantsto explore if securitisation of itscredit cards will solve the problem.PricewaterhouseCoopers has beenappointed to undertake a feasibilitystudy. This study takes four weeksand concludes that a credit cardsecuritisation is feasible, but thatcertain systems enhancements are required. These systemenhancements have been started.together with detailed planning.PricewaterhouseCoopers has beenappointed Project Manager. To speed up the process, an initialsecuritisation is undertaken, using a US bank conduit with plans for a public bond land issuance as asecond step.

undertaking a securitisation as easy aspossible. Our practice with major centresin the US, Europe and Australia, and wework with both the largest securitisors inthe world, as well as those undertakingtheir first securitisations. Our globalpractice takes the best experience and knowledge from around the worldand helps clients develop a securitisationprocess to enhance their businesses.The authors of this article are significantmembers of the various securitisationtrade bodies, that continue to influencemajor market developments.

The global practice has written ‘A Guideto Global Securitisation Transactions’ and‘The Practioners Guide to Securitisation’(on behalf of City and Financial), whichwhile written from a UK perspective, willbe of value to all first-time securitisors.


30


31



32


by Martin Hislop, Jan Willem Kaptein and Alex Shapland

Recent changes in laws and regulations,together with scrutiny of key supervisorsin the US and EU are driving an increasedfocus on the compliance function.Boards and CEOs seeking to dischargetheir accountabilities1 increasingly placecompliance on their agendas. But whatdoes it take for the organisation torespond to such scrutiny with confidence?

This responsibility falls primarily on the Head of Compliance, for whom a keyobligation is to provide informationregarding compliance of the businesswith relevant laws and regulations – a complex, and often arduous, task when the business spans severalterritories and regulatory jurisdictions. In turn, Heads of Compliance areseeking more assurance and a higherlevel of confidence about:

• How effective business processes are at managing compliance risks;

• The performance of the compliance function;

• The escalation and communication of compliance matters.

Many organisations that have identifiedlimitations in their current compliancemonitoring and reporting capabilities arenow seeking to improve their complianceintelligence through new or enhancedreporting processes. This article exploreswhat it takes to establish a leading edgecompliance reporting framework thatbetter informs the Board, challenges thecompliance network and more effectivelyengages the business on matters of compliance.

Benefits of an enhancedreporting framework

Effective management informationenhances the governance structure by increasing the ability of key recipientsto execute their duties by informing,facilitating discussion across layers ofmanagement and supporting decisionmaking. In addition, accountabilities canbe more effectively allocated and issuescan be more formally addressed.

A good compliance managementinformation (MI) framework benefitspreparers (e.g. opportunity to highlightobstacles and seek support in resolvingthese, report achievements) andrecipients (e.g. better informed decisionmaking, confidence in understanding the business).

If risk based, rather than being drivenwholly off of detailed regulatoryrequirements, the compliance frameworkcan be applied effectively across manyregulatory jurisdictions, while the focus ofinformation generated is better alignedwith risk-based ambitions of the business.

33


Martin HislopSenior Manager, Risk AssuranceServices, UK


Alex ShaplandDirector, Financial Services Regulatory Practice, UK


Jan Willem KapteinManager, FS RegulatoryCompliance, The Netherlands


How confident is management inunderstanding the:

• Impact of compliance on theorganisations reputation;

• Relationships held with key regulators;

• Effectiveness of compliancesystems and controls; and

• Direct costs arising fromcompliance-related incidents?

1 Compliance and the compliance function in banks (p. 9), Basel Committee on Banking Supervision, April 2005. (http://www.bis.org/publ/bcbs113.pdf)

Defining the objectives ofcompliance reporting

The principal purpose of compliancereporting is to allow senior managementto exercise their duties in overseeing and challenging the management ofcompliance risks. Ideally, the samereporting structure will also supportdiscussion and informed decisionmaking needs at other levels of theorganisation (see Figure 1).

Ultimately, compliance reporting shouldprovide senior management with a regularand reliable view on responses to issuesand incidents arising, and how theseimpact the:

• Current profile of compliance riskacross the organisation;

• Organisation’s reputation;

• Quality of relationships held with key regulators;

• Effectiveness of compliance systemsand controls; and

• Costs incurred as a result ofcompliance related incidents.

The ability to effectively assess thesematters relies on the way in which anorganisation identifies, validates andreports on compliance matters that areultimately regarded as significant atgroup (or regional) level.

Content of managementinformation

In order to provide recipients withinformation and increased confidencethat compliance risks are being identified and properly managed, reports shouldpresent a picture that encapsulates what has occurred to date, but in thecontext of what might follow in thefuture. There are three key elements toconsider (see Figure 2):

Historical incidents – taking ownershipof and responding to incidents thatcrystallise is an aspect reasonably welladdressed in most organisations. A viewof past track record is essential tomaintain support for remediation effortsand to respond to lessons learned.

Emerging issues – it is essential toknow when new matters arise thatimpact the compliance environment, and how these are being responded to.This principally relies on the businessadvisory/support role of compliance, to understand what is happening withinthe business, and the outside world.Emerging issues may include changes in the business (e.g. new products, M&A, new territories / markets) anddevelopments in the market (e.g.supervisory hot topics, peer organisationinvestigations; announcement of newregulations/directives).

Confident in compliance? continued

34


Profile ofcompliance risks

Compliance ofthe business

Managementregulator

relationships

Impact onreputation

Decisionsupport

Level ofcompliance-

related losses

Learning anddevelopment

Transparency

Clarity ofaccountability

Demonstrateachievements

Performance ofcompliance

1.Support discharging

of oversightresponsibility

2.To enable objectivediscussion between

layers of management

Maintain oversightand challenge

Figure 1: Objectives of compliance reporting


Systems and controls – to complete the picture, and understand how well the business is placed to respond to the emerging issues, a view of thecompliance control environment isnecessary. A profile of residualcompliance risk (from the riskassessment conducted by compliance or risk management) is invaluable,especially if reinforced with results ofcompliance monitoring (includingmonitoring conducted by the business,compliance, internal audit and theregulator as appropriate). Other mattersthat should be incorporated into theongoing assessment of the controlenvironment include: the high risk

internal and external audit issues relatedto compliance matters, status of trainingprovided to the business and the natureand status of requests from regulators.

The other important aspect of effectivecompliance reporting is measuring theperformance of the compliance function.The management style of the compliancefunction will determine what is relevantto report in the way of performance. Theprincipal angles to address here include:

• Annual plan and objectives: assessingthe degree to which financials,compliance training plans, complianceprojects are performing against target;

• Operational level agreements / internalcontracts: identifying how compliancehas worked with or delivered to thebusiness against operational targets.

Data sources

The key data sources that support the enhanced compliance reportingenvisioned in this article are exploredbelow. Some are not traditionally ownedor maintained by compliance, whichpresents challenges such as negotiatingaccess and ensuring quality andsuitability of data.

However sourced, owned or maintained,information gathered should beauditable, and therefore is dependent onadequate records being kept (whethermanual, or supported by an IT solution).

Compliance managed data sources

On the basis that compliance typicallycarries out three broad roles, it would beexpected that there is relevant data thatcan be accessed from the records keptwithin compliance, providing the core for reporting:

• Compliance risk assessment: May beconducted by the risk function but willbe key in providing the overall profileof compliance risk, e.g. by business

35


MIHis

toric

al in

cid

ents

How well we are placed

Emerging issues

Wha

t w

e m

ust r

emediate What we are exposed

to

Systems and controls

Figure 2: Components of compliance information


segment and by category of risk. This orientates users of the MI reportwith the overall context against whichspecifics are reported;

• Compliance monitoring: May beconducted in part by Internal Audit, or the business, but the coverage and results will highlight exceptions.Some exceptions may be of sufficientimpact, or drive themes of weakness,to report; and

• Business advice and support: Theday-to-day value added role ofcompliance gives exposure to thechanging business environment. Assuch, an overview of areas such assignificant business changes, resultsof regulator visits and outcomes ofbusiness monitoring, can be obtained.

Data sources typicallymaintained outside ofcompliance

Accessing data from sources external to compliance will improve the overallcontext of the messages that can bereported. This can be achieved in twoways: targeting specific compliance riskareas (e.g. in terms of Key Risk Indicators)or to provide a completeness check, orcorroboration, from a source‘independent’ of compliance. Examplesof available data are likely to include:

Identifying and targeting compliance risk:

• In-house legal: summary of litigationcases underway/resolved (respondingto compliance incidents);

• Operational risk: summary of directlosses incurred (as a result ofcompliance incidents);

• Business: Overview of customercomplaints in the context of businessvolumes; results of peer-to-peercontrol reviews (of a compliancenature); and

• External data sources such asregulators, new/data searchorganisations and legal and advisoryfirms: provide useful summaries ofchanging regulatory environment,such as emerging regulation anddirectives, current regulatory hottopics and press announcementaffecting peer organisations.

Corroboration:

• Internal audit: summary of high-riskaudit issues (of compliance nature);

• Operational risk: results of risk/selfassessments (where complianceaspects can be segregated).

Creating information from data – Oncenew reporting processes are established,accessing data becomes routine.

However, an element of value addedediting and formatting will be required totranslate the core data into informationtailored and fit for purpose. This isparticularly relevant when devising theform and content suitable for high profilereports, such as to regional committees orthe group board of global organisations.

Developing the compliancereporting framework

A number of key factors will determinethe overarching design of the reportingframework (see Figure 3):

Recipients of information: The variousstakeholders in the complianceinformation chain who are to receiveinformation (Board, Sub-Committee,Head of Group Compliance, RegionalHeads of Compliance) will drive thenumber of reports to be prepared. The purpose of these reports will drivethe information that should be included,in terms of content, or level ofconsolidation.

Aggregation levels: Fitting the reportingframework to the organisational structurewill drive out the number of aggregationlevels required (country level to regional;regional to group).

Touch points with the business: Ideally,the aggregation levels will align to thekey touch points that compliance has


36


with the business (local management,business unit/divisional committees),allowing information to be consolidatedto support these key businesscommunications.

Manual or automated: The degree ofautomation sought in collating of data andformatting aggregated information willdrive the speed of reporting and amountof effort required to maintain the reportingprocess. The degree of automation andavailable data warehousing depends onthe way the reporting process is run.There is no ‘one size fits all’ solution to

this matter, however, it is crucial thatwhatever approach is taken enablesthose who work with it to pull meaningfuldata in an efficient manner, whilemaintaining a suitable audit trail.

Supporting resources: Determining howmany resources are required to supportthe reporting process (e.g. preparation of meaningful summaries from raw data,editing of reports to top levelmanagement) and where they shouldreside (centrally vs distributed) will shape where ownership sits and how the information flows reside.

Practical Challenges

In our experience, the key practicalchallenges to be addressed include:

Stakeholder management:Stakeholders reside at several levels ofthe organisation, in different businessunits and various geographies drivingdifferent interests.

Obtaining an organisational view:Agreeing a standard for reportingcompliance in a global organisation is problematic as there are varyingregulatory regimes (e.g. principle vs rules based).

Constraints in data collection: Severaldifficulties will be faced initially, such assensitivity of data obtained from otherparts of the organisation, limitations in the format or structure of existingdata, frequency of data updates andconfidence in the quality and integrity of data.

Determining what matters to report:Recipients of MI will generally be seniormanagement, while providers ofinformation will be at the operationallevel. The resulting conflicts in what is considered ‘important’ must beovercome to ensure information reportedis relevant and informative, as wellretaining efficiency.

37


ComplianceCommittee

MICoordinator/

resource

Head of GroupCompliance

BU/RegionalCompliance

HeadTouc

h p

oint

s w

ith t

he b

usin

ess

Con

trol

and

val

idat

ion

poi

nts

Information flows andkey recipients

Aggregation process

Group

Regional

Information

Data

> Aggregation is aimed at providing information required to exercise oversight of compliance risks,

or relevant to support strategic decision-making

> Aggregation focuses on information of high-level impact on a country basis, which is thus relevant at a regional level

Country Country

ExecutiveBoard

Figure 3: Overview, management information framework


Validation and clarification: An amountof effort is required to ensure that datacollected is robust. Here, keeping theprocess efficient and finding sources to validate are the challenge.

Presentation of information: Keyreports may be visible not only to seniormanagement, including independentdirectors, but they may also be madeavailable to supervisors. Consequently,presentation should be reconsideredcarefully. Encouragingly, addressing thepractical challenges outlined above hasusually presented an opportunity todevelop or improve the relationshipbetween compliance and the business.

So what next?

Your organisation may be one of thosealready engaged in creating an enhancedrisk-based compliance reportingframework. If it is not, seniormanagement would do well to considerthe following questions:

• What compliance information iscurrently generated for the Head of Compliance?

• Is that information adequatelyaddressing historical and emergingissues, in a high-risk based manner?

• How much of this is actually digestedand used?

• What level of confidence overbusiness compliance is gained?

• Are business management adequatelychallenging the awareness of andsupport on they get from thecompliance network?

• How well do business managementunderstand evolving compliancepriorities?

• How satisfied are they that theyunderstand and are thus able torespond to such priorities, over time,as they evolve?


38


39



40


by Mark Vos, Jan Schreuder and Philip Riley

Evolving threat

Reputation damage can be fatal to anorganisation. Last year, a company in the United States had to close its doors,due to the reputation fallout from a singleidentity theft incident. Once it wasreported that a number of identities werestolen from the organisation, few wereprepared to do business with it as it couldnot be trusted to secure customer data.

The manipulation, misuse or outrighttheft of identity has long been part of therepertoire of criminals. The advent of

information technology, particularly theInternet, has simply widened the range of opportunities for the identity thief.

The number of reported identity theftincidents has been increasing rapidlyover the past few years (see Figure 1).Banks are no longer the prime target –cyber criminals are attacking an ever-broader range of institutions.

If your organisation processes and/orstores customer or personnel data, the chances are that you too are alreadya target for identity theft. Common

identity information used to identify an individual includes driver’s licencedetails, mother’s maiden name, date ofbirth and home address. Also frequentlyused as identifiers are telephone billsand utility bills.

This information is widely collected andstored by organisations, and in turn oftentargeted in identity theft crimes.

Nola Watson, head of Corporate RiskServices at Insurance Australia Group,says: ‘There is intrinsic value associatedwith identity information, whether itrelates to customers or personnel. Each organisation should be aware of the identity information they store andthe value associated with it, and ensurethat there are adequate controlsprotecting it.’

Cyber criminals use a combination of orthodox methods (such as bribing a call centre staff member to physicallyobtain information) and electronic tools(such as keystroke loggers) to access,manipulate and exploit identityinformation. These range from plantingindividuals as staff in organisations, to launching attacks from the other side of the world via the Internet.

41


Mark VosDirector, Business Assurance,Australia


Philip RileyExecutive, Investigations andForensic Services, Australia


Jan SchreuderPartner, Business Assurance,Australia


2003

260,000

Number of incidents

250,000

240,000

230,000

220,000

210,000

200,000

190,00020052004

Year

Figure 1: Number of reported identity theft incidents in the USA

Source: USA Federal Trade Commission – 2006

A compounding factor in the riskequation is that the range of data stolen and the risk of exposing customerinformation increases as functionalityand product ranges are added tosystems to take an organisation closer to its customer base. Examples of thisare banks providing Internet bankingservices or airlines allowing customers to see their booked flights or theirfrequent flyer points online.

Against this background, organisationsare asking: how much of an issue isidentity theft? What is the best response?And how will it impact their business?

How much of an issue isidentity theft?

Estimates of cost attributable to identitytheft vary around the world, but there is no doubt that it is a serious andgrowing concern.

In 2003, the United States (US) FederalTrade Commission found that 215,000reports of identity theft and fraud hadcost Americans at least US$437 million.By 2005 the number of reports had risento 255,000, representing approximately40% of all complaints filed with thatagency in 2005.

Identity theft occurs by a range ofmeans. It might be an employee walkingout of the office with photocopies of

customer files. At the other end of thespectrum, it may involve cyber criminalsusing the Internet to gather or misuseidentity information. This is a source of greater risk due to the capacity of criminals to steal vast quantities ofdata without geographical boundaries.

In its current state, identity theft viacyber crime is in its early stages, withnetworks of criminals typically exploiting

customer data using orthodox criminaltechniques. However, these groups are becoming more sophisticated byattacking electronic information withouthaving to be in the physical presence of the information.

As organisations strive to aggregatecustomer data to provide onsellingopportunities, this makes it easier forcyber criminals to steal it electronically.Once stolen, the data is then being sold in underground networks so otherscan assume the identity of the victim.The data may also be employed in a new range of crimes across the globe,often without the immediate knowledgeof the victim as the information is stolenelectronically without detection. Theimpact of these new crimes will becompounded by their novelty and theincreasing difficulty in mitigating them.

Does identity theft affect your organisation? continued

42


In the PricewaterhouseCoopers(PwC) Global Economic CrimeSurvey 2005, 54% of companiessurveyed revealed that they hadsuffered from economic crimesinvolving false pretences andmoney laundering, both crimes inwhich the manipulation of identityplays a key part.

It is interesting to note that only22% of companies reported thatthey perceived false pretences andmoney laundering were prevalent in their business. This highlights asignificant gap between the actualincidence and damage of identitytheft and the actions that manycompanies are taking.

Findings from: Global Economic Crime Survey 2005,PricewaterhouseCoopers and MartinLuther University, Halle, Germany, 2005.

Many experts are concerned aboutthe ‘deferred loss of identity theft’,wherein thieves sit on stolenidentities for months or years untilvictims believe the danger haspassed. It’s hard to put figures on potential outcomes like that.

Findings from: The State of Information Security 2005,A worldwide study by CIO magazine andPricewaterhouseCoopers.

We often read about successful identity theft attacks on organisations.The perception is that such attacks are focused on banks, but the followingheadlines show that the problem extendsfar beyond the finance sector.

‘Virus-infected computer compromisespersonal information for about 2,500’

The Gazette, Feb 2006

‘12,000 notified about names and Social Security numbers on recoveredstolen computer’

Duluth News Tribune, Jan 2006

‘226,000 notified about personal data on stolen laptop’

Wired News, Jan 2006

‘Personal and financial information ofsome university donors may be at risk’

The Observer Online, Jan 2006

‘Estimated 40 million credit cardnumbers possibly compromised’

Security Focus, Oct 2005

‘Personal information for 700 patientspossibly compromised’

post-gazette.com, Jan 2006

What is the best response?

Consistent and cooperative approaches to this intricate and escalating problemwill assist in preparing both thecommunity and organisations for thepotential dangers.

Identity theft threatens all partiesinvolved in Internet or electronictransactions and carries the potential to cause significant damage to groupsthat hold personal information online. In turn, organisations that provide trustedservices on the Internet are dependenton each other for maintaining customerconfidence in this new channel. Forexample, if a major bank was to fallvictim to a successful identity theft crimevia Internet banking, this could affect theentire trust model of Internet banking inthe industry, not just for the bank thatwas victim to the crime, but for any bankproviding Internet banking services.

The problem of identity theft is beyondthe capacity of any one organisation to manage. Moreover, cyber crime tendsto flourish when threats are treateddiscretely, rather than addressed throughuniform, cross-industry solutions. By working together in the cause ofnational and international ‘target-hardening’, organisations can play an effective role in making the Internet a relatively unprofitable place for cyber criminals to do business.

The lack of cooperation amongorganisations on identity theft could alsoincrease the risk of regulators imposingadditional conditions. It is thereforeappropriate for organisations, industrybodies, governments, law-enforcementagencies and the community to worktogether in dealing with identity theft.This might include:

• Sharing threat research about identity theft;

• Industry forums on recommendedstandards for dealing with identity theft;

• Community working groups thatprovide recommended standards for users;

• Development of industry educationand awareness programs; and

• International cooperation acrossgovernments and law-enforcementagencies.

Internally, there are a number of thingsorganisations can do. As identity theftattacks increase and become morediverse, it is important to directly alignthe mitigation approaches to theirassociated risks.

Many organisations are developing risk-based decision analysis processesto enable them to allocate security

43


resources and prioritise security projects.A crucial component of the risk-baseddecision analysis is an organisation’s risk and value map, which compares the expected annualised costs ofsecurity events before and after thesecurity investment.

The risk-based decision analysis must link into an organisation’s riskmanagement life cycle. An example of the identity theft risk management life cycle is shown in Figure 2:

This process is cyclical, and never stops.From development awareness in anorganisation in relation to identity theftcrimes, to responding to an incident, it is important to address the risks ineach phase of the life cycle, and ensurethat they are understood and eitheraccepted or addressed.

Some organisations are extending thisconcept further by establishing securityas a separate profit centre and calculatinga return on security, i.e. the return on thecapital invested in security activities.

To be effective, the security risk analysisprocesses have to be integrated with theorganisation’s overall risk framework.This is vital to ensure buy-in from thebusiness, including senior management.

As organisations open up theirtechnology systems to customers to improve services, their traditionaldefences are broken down. The challengeis to maintain security while moving awayfrom traditional perimeter security modelswhere only employees can accesscompany data. The key to success is to establish robust data classificationmodels, as well as strong identitymanagement processes and systems, as this will allow an organisation to takedifferent mitigation strategies dependingon the value, criticality and sensitivity ofthe information within an organisation,commensurate with the risks.

Does identity theft affect your organisation? continued

44


Tactical

Reactive

Strategic

Proactive

Incident

Awareness

Information Assets

LessonsLearned

Investigate

Response

Monitor

Implement

DesignCounter-measures

AssessRemediate

Figure 2: Identity theft risk management life cycle


The one type of technologyorganisations do seem to beinvesting in is identity management– not surprising as a reaction to theID theft epidemic.

Findings from: The State of Information Security 2005,A worldwide study by CIO magazine andPricewaterhouseCoopers.

Other practical measures organisationscan adopt are to:

• Develop, publish, and implement a privacy policy;

• Only store essential data;

• Do not store customer data that is only required temporarily;

• Ensure call centre customer logs do not hold personal data;

• Limit employee access to data;

• Monitor employees who have accessto personal data (within the parametersof privacy and workplace laws);

• Immediately report security breaches; and

• Request only customer informationthat is required for the transaction.

How will it impact the business?

It is critical to strike the right balancebetween keeping the bad guys out andnot impacting the business so much thatyour competitive edge suffers.

In an increasingly virtual businessenvironment where Internet-basedapplications are deployed by customers,

employees, suppliers and other businesspartners, security is as much aboutappropriate inclusion – allowing access to the right people – as it is about prevention.

Identity theft requires a whole-of-business solution, tailored to theparticular risks an organisation faces.There is little point having the mostsophisticated firewall available if thebusiness faces a greater risk fromsomeone removing a box of files fromthe premises.

What can you do next?

If you have not already done so, the firststep is to conduct a risk assessment todetermine what identity theft risks youface. This will allow you to take a risk-based approach, ensuring a cost-effective, business-focused actionplan that balances the cost of mitigatingthe risks against acceptance of risk. It is recommended that you use yourorganisation’s existing risk managementframework to perform this assessment, as that will provide the results in the sameway as other risks to your organisation.

Once risks are determined, it is importantthat the business units take ownership ofthese, rather than assigning them to theinformation technology team. It shouldbe up to the business units to make the

initial assessment as to whether the risksshould be accepted or mitigated, as theyare the ones who own the information.

When the organisation makes a decisionon how the risks are to be treated, it should be both the business units (for business processes-related issues)and the information technology team (for technology related issues)responsibility to mitigate these risks.

45



Contact details

Editor-in-chief Editor

Chris LucasChairman, Global Banking & Capital Markets Executive Team


Darren MeekPartner, Banking & Capital Markets, UK


The Markets in Financial Instruments Directive: European regulation with global impact

Graham O’ConnellDirector, Financial Services Regulatory Practice


Matthew OswaldSenior Consultant, Financial Services, UK


Russia’s banking sector: Huge growth potential for aggressive players

Rick MunnIndustry Leader, Financial Services, Russia


Oleg MosyazhManager, Financial Services Marketing, Russia


Evgeniy KriventsevSenior Manager, Financial Services, Russia



Frank SerravalliCo-Head of PricewaterhouseCoopersUS Securitisation Group



Michael CodlingBanking Leader, Australia & Head ofPricewaterhouseCoopers AustralianSecuritisation Group


David LukachCo-Head of PricewaterhouseCoopersUS Securitisation Group


Peter JeffreyHead of PricewaterhouseCoopersEuropean Securitisation Group


Chris MattenPartner, Banking and Capital MarketsIndustry Group, Singapore


The practical application of Pillar 2

Shyam VenkatPartner, Advisory, Financial Risk Management, US


Richard BarfieldDirector, Valuation & Strategy, UK


Jan Willem KapteinManager, FS Regulatory Compliance, The Netherlands



Alex ShaplandDirector, Financial Services RegulatoryPractice, UK


Martin HislopSenior Manager, Risk AssuranceServices, UK


the journal • Tackling the key issues in banking and capital marketsthe journal • Tackling the key issues in banking and capital markets

The journal is supported by the Global Banking and Capital Markets Executive Team

Chris LucasChairman, Global Banking and Capital Markets Executive Team, UK


Richard Collier


Rahoul Chowdry


Nigel Vooght



Mark VosDirector, Business Assurance, Australia


Philip RileyExecutive, Investigations and ForensicServices, Australia


Jan SchreuderPartner, Business Assurance, Australia


Contact details continued


PricewaterhouseCoopers (www.pwc.com) provides industry-focused assurance, tax and advisory services for public and private clients. More than 130,000 people in 148 countries connect their thinking, experience and solutions to build public trust and enhance value for clients and their stakeholders.

‘PricewaterhouseCoopers’ refers to the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.

The banking and capital markets journal is produced to address key issues affecting the banking and capital markets industry. If you would like any of your colleaguesadded to the mailing list, or if you do not wish to receive further editions, please write, fax or e-mail: Carly Taylor, PricewaterhouseCoopers, Southwark Towers,32 London Bridge Street, London SE1 9SY. Fax number: (44) 20 7212 4152 E-mail: [email protected]

© 2006 PricewaterhouseCoopers LLP. All rights reserved. ‘PricewaterhouseCoopers’ refers to PricewaterhouseCoopers LLP (a limited liability partnership in the UnitedKingdom) or, as the context requires, other member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.Designed by studioec4 18018 (06/06)

www.pwc.com

INDUSTRY VIEWS the journal - PwC · PDF fileINDUSTRY VIEWS the journal ... and Shyam Venkat in...

Documents

Transcript of INDUSTRY VIEWS the journal - PwC · PDF fileINDUSTRY VIEWS the journal ... and Shyam Venkat in...