Assessing the benefits and the way forward
Risk & Compliance Magazine talks to Reshma Khamis, Bloomberg's Compliance Specialist - Vault, Michael G. Tirello, Bloomberg's Global Compliance Product Manager - SSEOMS and Lisa Roitman, Bloomberg's Business Strategist for Regulatory Compliance.
Khamis: Preventative controls have always had a place in the risk and control frameworks, as they provide hard blocks to key risks such as conduct and market abuse. We have seen a rise in these types of controls as financial institutions look for solutions and options to prevent a risk causing potential client reputational damage, as opposed to having to mitigate it once the damage is done.
Roitman: The regulators in the investment management space have been particularly vocal about proactive risk mitigation. Firms are required to complete internal risk assessments and build compliance policies and procedures that are tailored and specific to their individual firm. These risk assessments then go through periodic review, so risk mitigation is an ongoing consideration for every firm. Guarding against trouble before it happens goes a long way to ensuring the longevity of an organisation.
Tirello: Globally, this has become a hot topic with MiFID II. In 2011, the US saw the Market Access Rule come into play to make risk management and mitigation a bit more detailed, but the regulators took a few years to really start to get into the implementation details during audits. Fast forward seven years and it is the top priority for regulators in the US and EU. Basically, firms are now tasked with stopping bad orders getting into the markets and causing market impact and clearing risk from their traders, systems – meaning algorithms or rule engines – and their customers.
First and foremost, these rules are policies and procedure rules. For example, firms should be meeting often to define and document parameters around who can trade and how within the firm, who their customers are and how much they should trade with them, and who their street counterparties are and how much should be traded with them as well. Once parameters are established, they need to be translated into a firm’s trading system and set up for monitoring. If implemented correctly, errors should be reduced and clearing risk should be manageable.
Khamis: Preventative controls are strong and effective to mitigate key risks, and are usually cost efficient in terms of initial implementation as well as ongoing support. Having your front-office staff not trade a restricted security or say something that can lead to potential conduct or client reputation risk is how both the buy and sell side are leveraging preventative controls to stop litigation, investigations and fines – all of which improve the bottom line and protect reputation.
Roitman: Taking a systematic preventative approach to risk mitigation can provide significant breadth and efficiency to a compliance programme – however, it is important to continuously evaluate the context of those rules and validate that the processes being put in place are indeed mitigating concerns, as the impact of even a hint of impropriety can be devastating.
Tirello: We are seeing a large push by firms on two fronts. First, there is a push to adopt real-time surveillance tools to detect issues immediately, so bad behaviour can be stopped in trade. Second, additional tools are being built into a trading platform to stop certain fraudulently identified workflows from even being performed.
Tirello: Internal controls are sometimes different from firm to firm based on their risk departments’ policies. All firms should at least be meeting often to define and document parameters around who can trade and how within the firm, what tools such as algorithms and smart order routing (SOR) a firm is allowed to use, who their customers are and how much they should trade with them daily or up until clearance date, and who their street counterparties are and how much should be traded with them as well.
The controls can differ from situation to situation. By way of example, average daily volume (ADV) checks on orders routing into the markets should be done to make sure one does not send a market order of 50,000 shares out in a security that trades 20,000 a day. Market impact and error with your customer could be huge. Some firms prefer that to be a hard block.
Another example is duplicative order checks, where too many of the same order is going out within a small window. These are sometimes soft blocks where a trader needs to verify that it really wants to send that many orders into the market, instead of accidentally clicking too many times on the mouse.
Yet another example is daily notional value limits on total customer orders received. Most firms here require a risk committee to decide how many orders will be allowed to be taken in, by total value, from each institutional account. Hard blocks are typically in place here and stop orders if the limit is reached. Firms then require a risk department head to increase the limit and let more orders in if they feel comfortable with the risk.
Khamis: Process related controls are related to doing business. You need these processes in place to make money and retain clients. These are very different to a preventative control where the process is not necessarily tied to increasing your footprint, investing in clients or retaining talent. In fact, it is the opposite: you are trying to avoid something from happening in the first place.
Roitman: There is no single right way to develop processes and controls to mitigate risk. The first step, however, has to be to evaluate and understand your firm’s unique issues and, along with risk tolerance, weigh that against legal and regulatory concerns.
Khamis: Firms need to evaluate the risk and reward of the tasks related to their business and the respective tolerance, regulation and resources, and determine which type of control is a best fit, in terms of preventative, rules-based or detective.
Tirello: Firms should be consulting with their seasoned risk departments, their heads of trading, the rules of each region and their clearing firms. They should also look at fines that are posted in this area by regulators and see what mistakes were made by other firms.
Roitman: Training and communication is the key to an effective compliance programme and therefore key to risk mitigation. Training staff to spot anomalies adds extra sets of eyes to help prevent trouble. But the key to effective training is not to just repeat the message, but to make sure you find ways to engage staff. Making sure they understand the derivation and rationale for the rules, along with the consequences of non-compliance, can help make them feel invested in the process. You want staff to be allies, not adversaries.
Tirello: Training and communicating with staff is extremely important. Firms should have meetings once a quarter to review procedures and look at what is and is not effective. Risk and compliance departments should be monitoring systems and exceptions daily.
Roitman: Be smart. Invest in technology that can help automate and create efficiency, but remember to constantly test your control hypothesis against evolving regulations, geopolitical changes and firm-specific risks. Be creative with training to make sure the message sticks and everyone at the firm feels invested in creating an ethical culture of compliance.
Khamis: The culture I would be promoting is: act in the office as you do at home. A firm can continually invest in technology, education and team-building, but this needs to go hand in hand with a culture that builds people up, not down.
Tirello: Look to spend your money wisely. Purchase systems that can provide not just real-time monitoring and blocks, but real-time surveillance. This will allow one person to be more effective as well as give supervisors a workflow to bubble up issues immediately to managers.
Roitman: Risk and compliance professionals help drive the moral compass of an organisation. Preventative controls are simply part of their arsenal. Firms must continually evaluate and adjust policies and procedures in an ever changing world of risk, fraud and corruption, in order to protect their firm’s reputation and livelihood.
Tirello: I believe that, with time, more artificial intelligence (AI) and machine learning will allow firms to identify issues and patterns quicker and enable more specific hard blocks and alert mechanisms where a human would not be able to react or see the trend so easily.
