Concern over "potential" overlap in new EU laws
Operational risk managers fear key directives may clash. EU securities and banking bodies make hurried cross-checks
Concern about possible overlaps and inconsistencies between two of the European Union's flagship financial directives are prompting a belated scrutiny of their proposed requirements relating to operational risk. The EU's specialist advisory bodies for the securities and banking industries are hurriedly "mapping" across the technical advice and guidance supporting the two directives in an effort to minimise any overlaps and establish a common understanding for the concepts and definitions that are used.
However, both directives are preceding under considerable time pressure. And, any delay caused by this reconciliation exercise would be unwelcome. Operational risk managers, and representatives of the banking industry and investment firms are bemused that potential difficulties have emerged so late in the day.
The two directives concerned are the Capital Requirements Directive (CRD) and the Markets in Financial Instruments Directive (MiFID). The CRD will transpose the new Basel rules (Basel II) governing bank capital, into EU law. It specifies alternative approaches for measuring credit and operational risks, and calculating the regulatory capital required to meet such risks. This directive, which covers all banks and investment firms in the 25-country EU bloc, is currently being considered by the European Parliament, and is expected to become law later this year or early in 2006, depending on whether it is subject to a second reading.
MiFID, which covers investment firms, derivatives firms and the securities arms of banks, will provide an effective "single passport" allowing such firms to operate throughout the EU on the basis of authorisation of their home country. It is also intended to give investors a high level of protection from abusive practices, setting standards for the operations of investment firms, the conduct of business, best execution and the resolution of conflicts of interest. This directive revises the existing Investment Services Directive.
A crucial part of the European Commission's Financial Services Action Plan, MiFID was formally adopted in April 2004, as a framework (or Level 1) measure, establishing only high-level principles and obligations of EU member countries. More detailed implementing measures are being worked out under the Lamfalussy (Level 2) process, in consultation with market participants.
Grey areas
The Paris-based Committee of European Securities Regulators (CESR), has got the task of consulting the market and providing technical advice to the EU Commission on two sets of mandates - or implementing measures. It was January's publication of its advice on the first set of mandates that set alarm bells ringing at the Financial Services Authority (FSA), the UK financial watchdog.
This first set of mandates covers 17 separate areas, but it is the sections on systems and procedures, organisational principles and outsourcing that some regulators and operational risk managers are focussed on.
Although no precise inconsistencies or overlaps have yet been identified between these sections and the provisions of the draft CRD or its associated guidance, the possibility has suddenly been recognised. This is because investment firms and banks with securities divisions will be subject to both the prudential requirements of the CRD for addressing operational risk - which are set out as quite broad principles - and the detailed conduct of business provisions that will form a key element of MiFID if its advice on the implementing measures is accepted by the European Commission.
"The only grey areas between the two directives where there may be [some justified concerns] are the organisational requirements, notably risk management policy, internal controls and audit functions, and most particularly, outsourcing of administrative services," says Carlo Comporti, deputy secretary general of CESR. However, there is no more than a "potential" overlap in these areas, he says, and in the end there may prove to be no problem.
The purposes of the two directives are completely different (see feature on page 19), as one is concerned with prudential regulation and the other with investor protection, he notes. And, while those involved with each of the two directives are trying to make them entirely consistent, "they are built upon different perspectives. So, even when [there is collaboration] on an issue, the different perspectives may drive the regulation in different directions," he says.
Outsourcing in CESR's January advice to the European Commission is defined to include accounting, back office, information technology and information systems management, marketing and risk control functions. Firms that outsource (says the technical advice) are obliged to "identify, assess, monitor and manage the risks inherent in outsourcing, and take reasonable steps to mitigate the impact that outsourcing might have on its exposure to operation risk."
Other areas in the CESR advice that investment firms believe may have to be reconciled with their requirements under prudential regulation include organisational principles such as effective internal reporting and documented decision-making processes, as well as record keeping procedures, risk management policy and business continuity. However, the FSA believes the potential overlaps between the directives are probably confined to outsourcing.
Mapping the texts
Comporti and his CESR colleagues are actively discussing the "potential" problems with their counterparts at the Committee of European Banking Supervisors (CEBS), in London, who are trying to ensure that the CRD is applied in a fair and consistent way across the EU. CEBS has already produced its own consultative paper on outsourcing, although this is only intended as guidance for op risk managers and supervisors complying with the CRD requirements, rather than legal text.
The two sets of regulations "are still works-in-progress for each organisation. We are now mapping across from our work on outsourcing, for instance, to CESR's work in that area in order to check whether there are any overlaps and any possible deviations," says Andrea Enria, secretary general of CEBS. If any overlaps or divergencies are revealed, staffs from the two bodies will sit round the table and try to iron them out - "unless the divergencies are needed" in order to satisfy the different intentions of the two directives, he says.
Creating uncertainty
However, market participants speculate that it is CEBS that will have to come into line if discrepancies in the work of the two bodies do have to be reconciled in relation to outsourcing, for example. This is because the CESR draft will be part of the MiFID legal text, and CEBS output takes the form of guidance.
The FSA, which has been alerting British trade associations to the potential problem in recent weeks, is said to be working actively behind the scenes in both CESR and CEBS to resolve it. But the lack of precise information has tended to create uncertainty among market participants. Some in the operational risk field query why it has taken the FSA and the investment firms themselves - many of which were involved in the CESR consultation - so long to recognise a problem may exist. Others are waiting for a clearer picture to emerge. Until the final MiFID implementing measures are known, it is not possible to be sure whether there is a problem for the banks, says Michael McKee, an executive director at the British Bankers' Association. "Many banks are expressing concerns about what might be the outcome of an on-going negotiating process," he says.
The problem underlined by the CRD and MiFID is that "the division we always make between conduct of business and prudential regulation is artificial at the edges when you come to considering systems and controls," says Guy Sears, head of implementation and policy at the London-based Association of Private Client Investment Managers and Stockbrokers (APCIMS). "You can either address controls as a conduct of business regulator, or you can come at it from the direction of a prudential regulator. What is concerning some people is that some of the CESR advice on MiFID is wandering into areas in which we are likely to have advice from those implementing the CRD," Sears says. This will tend to make systems much more complex, he adds.
Some in the investment banking industry are calling for the detailed MiFID measures to be deferred until the final text of CRD is agreed between the European Parliament and the Council, the EU's two legislative arms. The fear is that the CRD, which might not be finalised until next year, will be pre-empted by MiFID. Implementing measures for the latter are due to be in place by the end of this year.
There is unlikely to be much appetite for any such deferment. The strained timetable for implementation of MiFID has already been put back a year, from the original start-date of April 2006, to April 2007.
