Climate and op risk, ORX News top 5 and focus on data management

Steve: Hi. Welcome to the latest edition of the ORX podcast. I'm joined today by John, Natasha and Esther to discuss climate and operational risk. Part of this will provide an update on the work we have underway to support members understand this relationship as well as how we're enhancing our data to create more climate-related information for members. We're also going to be using examples from ORX News to demonstrate how climate is impacting the industry.

After we've had the discussion on climate, Natasha and the ORX News team will be taking us through the top five losses from last month in ORX News. And, we'll be kicking off the news team series looking at data management. I know this is something that many of our members report they're starting to grapple with and interestingly has just entered the top five risks members are managing and there'll be more about that in the Top Risk Report that will be published mid-July.

So, coming back to the main topic for today, I don't think you need me to tell you that the impact of climate change is increasing, and this obviously doesn't miss financial services firms. We've seen significant activity over recent years as firms come to grips with this and really try and understand what it means for that, for their strategy, for this are the types of business they're in, the types of products they sell. What it means for their risk profile, what it means for their operations, and what it means for their customers.

And unsurprisingly, we've seen quite a lot of activity from regulators across the globe on climate. We've seen new regulation around disclosures, as well as stress testing requirements that have been set. And then just this last month, in June, we've seen the Basel Committee on Banking Supervision publish principles for the effective management and supervision of climate-related financial risks that, I think we are pleased to say for operational risk, aligned to the approach that we've published to our members.

So, turning to the group we've got with this today, I think John's going to kick us off. I think you're going to talk to us about how at ORX we're viewing climate and operational risk. And I think Natasha is going to bring some of that to life with ORX News stories. So John, over to you.

John: Yep. Thank you very much, Steve. Yes, we've been working in ORX putting together a working paper on risks associated with climate change, and that's been driven by members contacting us. And in part, that's because of increasing regulatory requirements. As Steve mentioned, we've seen initiatives like the climate biannual exploratory scenario from the PRA in the United Kingdom and the European Central Bank doing a climate risk stress test this year. In the states, the Securities and Exchange Commission looking at climate disclosures.

Natasha: That's really interesting to hear what the regulators are doing in the climate change space John, and how is ORX considering climate change and operational risk?

John: Yes. So the ORX Definitions Working Group has put out a working paper earlier this year and as Steve said, that's treating climate risk in line with the approach taken in the Basel Committee's recent Principles paper - seeing climate as a driver of risk rather than as a separate, discrete event type.

And we've broken that down into the physical and transition risks that come from climate change. Obviously, there are massive firmwide implications of climate change across credit risk, investments and the firm's own use of energy. But we focus very much on the operational risk aspects and what operational risk managers need to do to manage this.

Natasha: Yeah, absolutely. John, you mentioned the physical risks. Could you explain how ORX is defining climate change related physical risk events?

John: Yes. So climate change physical risk events relate to losses resulting from a changing climate, and that could be more frequent extreme weather events as well as gradual changes in climate or environmental degradation, which might mean air, water or land pollution, and also things like water stress, biodiversity loss or deforestation.

And in terms of the extreme weather events, we're looking at events falling outside the normal or expected frequency of event occurrence. So for example, we could see destruction of property or assets or the failure of staff to get to places of employment to perform services. We could also see failure of utilities, infrastructure or even third party vendors and suppliers failing to provide critical services.

And that feeds into a focus from supervisors around ensuring resilience of critical operations. One of the big challenges around the physical risk piece is determining whether an event fits into the normal pattern or is something out of the ordinary and caused by climate change? I think it's fair to say that the industry as a whole, including supervisors, is working on that question.

And to work with members and support members ORX has launched two climate-related scenario categories. One relates to physical risk, one to transition risk, and we've also introduced a climate industry loss event for loss data in the global banking and global insurance services. So that would enable members to tag events related to these climate risks.

Natasha: So ORX News has actually retrospectively implemented these categories for stories from the 1st of January 2020 onwards to highlight relevant external events.

So firstly, in February 2021, bank branches in Texas had to close due to snow and power outages during Storm Uri. The freezing temperatures had locked up many of the state's power plants and a surge in demand for electricity stressed the state's power supply. So rolling power outages were implemented. As a result, at least six banks closed over 300 of their branches and suffered interrupted services for several days.

Similarly, the Cayman Islands Monetary Authority closed its offices on two separate occasions in August 2021 due to tropical storms Grace and Ida. We also have two stories where banks have been affected by heavy flooding. Firstly, CBA closed nine of its branches in areas affected by flooding in New South Wales following extreme rain and wind in March 2021. CBA provided emergency assistance to customers affected by these floods by offering waived fees, temporary overdrafts, additional loans and emergency credit limit increases.

And lastly, and more recently in April this year, Standard Bank closed 34 branches and support facilities due to heavy flooding in KwaZulu-Natal Province in South Africa. Staff were not able to commute to work and the flooding restricted electricity and communication services, which caused power and phone signal outages. The authorities were actually calling for a state of disaster to be declared as some areas saw several months’ worth of rain fall in just one day.

John: Thank you very much, Natasha. There's some interesting examples there of the impact on firms operations showing why supervisors are so interested in the resilience aspects of climate change and extreme weather. Now let's move on to climate change related transition risk events. Those events include losses resulting from failures in the firm's processes to implement adjustments to a lower carbon and more environmentally sustainable economy.

Typically, these might be triggered by a relatively abrupt adoption of climate and environmental policies. So, for example, that could encompass failures in a firm's product design process that fails to take climate change into account or misconduct in the selling of - or financing of - environmentally controversial products or activities, so-called greenwashing. And that could potentially lead to liability risks and or reputational damage.

And of course, in the future, we may see failures to comply with climate or environment-related regulatory guidance. Greenwashing is the most widely discussed of these events from an operational risk perspective. Perhaps you could give us some examples of stories published on ORX News that used the climate-related transition risk scenario, please, Natasha.

Natasha: Yeah, absolutely. So as of this month, we have one story tagged with the climate-related transition risk scenario. In April 2022, the SEC charged the Brazilian mining company Vale with misleading investors in the USA. Between 2016 and 2018, Vale had falsely stated that its dams had been audited to address previous issues. However, the Brumadinho dam collapsed in January 2019, which killed about 300 people and caused vast environmental and social damage.

This event did not happen to a financial firm. However, ORX News decided to cover it as an interesting and early example of climate-related transition risk, specifically relating to the risks of misleading new investors about a firm's environmental risk management.

John: Thanks. And you mentioned social damage there Natasha, which brings us onto the topic of environmental, social and governance risk and reporting. ESG is a fast-moving area and ORX is working in this space in 2022 to understand member requirements. Is there any other work ORX News is doing to support subscribers in the ESG space?

Natasha: Yes. So we have a couple of pieces. ORX News has published editorial content on heightened climate-related risks that currently fall outside of the ORX News reporting thresholds, but that are still pertinent to firms. So for example, the team published an In-Focus piece on ESG, which discusses the 2021 greenwashing case between the US Department of Justice and Deutsche Bank.

And lastly, ORX News has started to publish ESG-related stories as they emerge. For example, in May this year, the SEC announced its first fine for ESG-related violations against BNY Mellon. The bank agreed to pay $1.5 million for misrepresenting the extent to which it applied ESG principles when making investment decisions between 2018 and 2021.

In short, it was not a requirement that all investments in certain funds had to be researched by its ESG team prior to investment. And in total, almost 40% of certain fund investments lacked an ESG quality review score. This and other ESG related stories are discussed during last month's episode of the ORX podcast.

John: Thank you very much. That's actually some good examples of what ORX News is seeing in the publicly reported events. I'll now hand over to Esther, who will summarise what ORX is doing in this space.

Esther: Thanks, John. So as you've just heard, climate is a major focus for risk managers across the globe. And given both the environmental changes we are witnessing and the understandable regulatory focus and societal response, organisations have been grappling with how to integrate climate into their management approach. As a result, and with discussions with our members ORX is helping to address this challenge during 2022 and beyond.

So what are we doing to support our members and our subscribers in the space? As John and Natasha have set out, we have defined an approach to climate following discussions with members. We have set out how we currently believe the industry is considering climate and operational risk, as well as how we will enhance our existing data and services to support members.

So this would include the ORX Reference Taxonomy. This is providing guidance on applying event, cause and impact taxonomies on climate-risk related events. It will also include the ORX global banking and insurance loss data. And here we are using a climate flag to allow members to begin to share climate-related operational risk loss events.

In our scenarios space, ORX Scenarios have published a paper on current scenario practices for climate, potentially developing a climate-related scenario handbook later on this year. And we are using climate flags in the scenario library to support sharing of relevant data. In news and the ORX News service, as we've heard a climate flag has been added to highlight relevant external event stories, and this flag helps you both filter and potentially get alerts.

And we're continually also monitoring and tracking regulatory developments in this space. And we are potentially looking currently at the EBA consultation on the environmental risks paper, and we will use this to understand potential activities and future work in this space. Over to Steve.

Steve: Thanks, Esther, and thanks to you all. I hope everyone agrees that's a really interesting overview of where we're at with climate, where the industry is at and the types of events that we're already seeing financial services firms suffer. In summary, I think climate is clearly going to be an important factor. It's an important factor now. It's going to be an important factor in the coming years.

Interestingly, we saw a drop in the ranking of climate in a recent Horizon Emerging Risk Report, but actually discussions with our members suggested that was less to do with it being a significant issue and more to do with the fact that they were starting to get their hands around what they needed to do to manage it and focus on it from a financial services perspective.

I think we've got to recognize that this risk is going to continue to evolve. The threats are going to continue to evolve over time. It's going to remain important, and we will continue to monitor what that means from an operational risk perspective and continue to support our members along that journey.

One of the areas that we're going to sort of look at as well is that broader ESG, so environmental, social, governance topic. I think a lot of the work we've done today has been on the environment component of that. But I think there's probably slightly less clarity on the sort of social and governance sides. And that's something we're going to be working on with our various working groups. And we'll look to build into our working papers and guidance and think about what else it means.

One of the other activities we're progressing over the next couple of months as well is we're looking to respond to the European Banking Authority's consultation paper on how climate should be factored into prudential frameworks. And we're doing a survey with members to help identify their thoughts on that. But also I think that should help us to see where people are progressing the integration of climate into their operational risk frameworks, and also understand more where we can help in the future.

So as I say, hopefully a useful overview. Members can find everything on the members-access website. There's also information available to non-members through the public website at www.orx.org. With that, I'd like to say thank you to Esther, Natasha and John, and I'd like to say thank you to you for listening to this section.

Natasha is going to be staying with us and joined now by the ORX News team. And as I said at the beginning, they're going to take us through May's top five losses and kick off their summer series on data management, where they'll be looking at data quality, the sort of monitoring systems that people have in place, regulatory reporting, and I think also touching on one of the sort of emerging or interesting aspects of data, which is this ethical use of data, particularly as we see an increased use of AI etc. in the digitalised workplace. So over to the News team.

Lily: Hello and welcome. My name is Lily Richardson. I'm the ORX News Manager, and in case you haven't heard of ORX News, we're a subscription service from ORX, which covers publicly-reported operational risk loss events in the financial sector from across the globe. Now I'd like to introduce Fern, the ORX News Assistant Manager for Editorial.

Fern: Hi, everyone. In this month's episode we'll take a brief look at the top five largest losses from May 2022, all reported in U.S. dollars. We'll also begin our summer ORX News data management series. The topics we'll discuss in this episode are data quality, monitoring and reporting. For this podcast, I'm joined again by Natasha, our Senior Researcher and News Analyst, who'll kick us off with the top five.

Natasha: Hi. Fern. Yes. So Asian Pacific Bank suffered May's fifth largest loss of over $67 million after being defrauded by its former deputy manager at its Moscow branch.

Fern: In fourth, PNC Bank had to pay over $280 million for breaching at least one of four mobile check deposit technology patents by USAA.

Natasha: In May's third-largest loss. 11 individuals were accused of embezzling $253 million from Rossiysky Kredit Bank in a scheme where fraudulent loans were issued to participants holding positions in commercial firms.

Fern:  And May's first and second largest losses came from Glencore's $1.2 billion settlement with the DOJ and the CFTC over allegations of bribery, corruption and market manipulation. Specifically, Glencore settled the US regulators' bribery and corruption allegations for $701 million on the commodity price benchmark manipulation probe for $486 million.

Natasha: Thanks Fern. And now let's kick off our summer ORX News data management series with our first topic - data quality, monitoring and reporting. With financial institutions becoming progressively more data centric and gathering and disposing of increasingly large amounts of data, data management is becoming proportionately more complex and is a growing material risk for most firms. So, this increases the space for operational risk loss events to occur.

Fern: Absolutely, as evidenced by the 2022 Horizon report, many of the emerging technologies that have the potential to unlock strategic benefits - such as AI and machine learning - all rely on high-quality data. Failing to structure and facilitate data in a way that enables strategic objectives could significantly impact future risk profiles. In this podcast, we'll give you some examples from ORX News of data management considerations for firms, including availability and accuracy of data, quality of data to support decision making, consistency and compatibility of data to facilitate data analytics and ethical use of data and protection of data privacy. So Natasha, can you please talk us through the first news story?

Natasha: Yes, of course. So in this month's In Focus article our news researcher, Stanca, described why the SEC hit Wells Fargo with a $7 million fine. In short, the bank's misconfigured AML transaction monitoring systems delayed the broker from filing at least 34 SARs between 2017 and 2019. Part of the issue was that Wells Fargo's system could not process wire transfer data or generate SARs alerts in certain instances.

For example, when there was a bank holiday but not a brokerage holiday. A further issue arose in January 2019, when Wells Fargo implemented a new AML monitoring system that had not been properly tested. It turned out that the new system and wire transfer data were incompatible. The new system used ISO codes while the wire transfer data used different country codes.

As such, the new system could not properly process the data fed into it, leading to the misconfigured AML system and the delayed filings. Fern, I believe we have another recent story on inaccurate data reporting.

Fern: Yes we do. In March this year, the Irish Data Protection Commission fined the Bank of Ireland €463,000 for several GDPR data privacy breaches between 2018 and 2019. The incidents comprised unauthorised disclosures and accidental alterations of customer personal data on the Central Credit Register, which collects and stores information about loans. The technical errors occurred during the manual uploading or altering of data, the application of selection criteria and in reports of loan restructuring.

Overall, the bank didn't have the level of security measures needed for processing customer data. As a result of the technical errors Bank of Ireland submitted inaccurate customer data, which in turn negatively impacted 47,000 customers' credit ratings.

Natasha: Wow. That really shows how a bank's mismanagement of data can be detrimental to customers. This delves into the topic of correct data management and ethical data use as discussed in the 2022 Horizon report. A third recent fine in which comes to mind when discussing ethical data, use and quality, is Westpac's agreement with ASIC to pay at least 59 million AUD in remediation and penalties.

This is because the bank charged 11 million AUD in advance fees to around 12,000 deceased customers and it had continued to do so despite being aware that it shouldn't. Overall, Westpac had systemically failed to have compliance practices to prevent the charging of advance fees to deceased customers or for providing backdated refunds.

Fern: That's really informative. These regulatory settlements and fines are not isolated cases in the US and Australia. Data quality, specifically in relation to reporting, has also been a focus for regulators in Europe. For example, Mutex and Pilatus Bank have been fined in the last year for data quality related issues.

Mutex failed to collect sufficient relevant information about thousands of its policyholders, including yet again about those who were deceased in their subsequent beneficiaries due to inadequate systems. The French regulator ACPR imposed an €8 million penalty on Mutex for these failings in April this year.

Natasha: And in a similar way, Malta's FIAU imposed a €5 million fine on Pilatus Bank in August 2021 for serious and systemic failures in its AML and CTF safeguards. In short, Pilatus did not adequately monitor or update their records on existing customers and consequently 97% of the files reviewed did not accurately reflect customers accounts.

Fern: Thank you. That's a wrap. In the next episode of our data management series, we'll cover data migration failures.

Lily: I hope you enjoyed listening to this month's podcast. If you'd like to know more about the top five losses, then please visit the ORX website, where you can find the top five losses for each month, as well as a range of op risk reports and resources. You can also read the full digest for each of the stories discussed in this episode on the ORX website. Just search for orx.org. Join us next time to hear next month's top five losses. Thank you.