Bangladesh Bank fraud is a comedy of op risk errors
Megan van Ooyen from SAS rounds up the top five operational risk losses for March 2016
Megan van Ooyen is a senior associate business operations specialist in the OpRisk Global Data group at SAS in North Carolina
The 2008 crisis left the global market reeling for years, and regulators punished banks heavily as a result. But, since mid-2014, the volume of regulatory penalties has settled down and evened out. In the absence of massive settlements involving banks, the spotlight has turned towards other financial firms – those that typically experience lower losses.
In March, three of the top five operational risk loss events involved the insurance industry. This compares with 2015, when only one month saw an insurance event in the top five. Although multi-billion-dollar settlements make for splashy news headlines, the smaller figures at stake emphasise the importance of strong day-to-day risk management systems.
Occasionally, though, those systems fail in a spectacular fashion and an op risk event quickly becomes a reputational risk. Bangladesh Bank, this month's third-highest op risk loss, is a case in point.
On February 4, hackers breached the central bank's computer systems and used its Swift messaging system to submit 35 payment requests to the Federal Reserve Bank of New York. The New York Fed transferred $101 million to fictitious accounts at Rizal Commercial Banking Corporation (RCBC) in the Philippines and another bank in Sri Lanka before it became suspicious and denied the remaining 30 requests. Bangladesh Bank recovered the funds from Sri Lanka, but RCBC released $81 million to a foreign exchange broker. Criminals smuggled some of the money out of the country, and laundered the rest through local casinos. Philippine anti-money laundering (AML) laws do not cover casinos, making it difficult for Bangladesh Bank to recover the money.
The incident is a comedy of op risk errors. Bangladesh Bank had insufficient computer security, the New York Fed processed suspicious transfer requests in the middle of a Saturday night, and RCBC accepted payments and released them to a foreign exchange broker without question. Somewhere, somehow, the internal controls and systems at these institutions failed. Were they inadequate, or just unenforced? Was this only the work of skilled hackers, or were bank employees involved?
Authorities are continuing to investigate the case, and it could be months before we learn the details. Meanwhile, these op risk failures threaten the reputations of the organisations involved. Who can customers trust with their money if large central banks, such as Bangladesh Bank and the New York Fed, cannot keep their money safe? Will the global financial community continue to do business in the Philippines if its AML laws are so weak?
Topping the list of op risk losses for March is Genworth Financial, which had to pay $219 million for misleading investors about its continued profitability. The Virginia-based firm specialises in long-term care insurance, so its financial health depends on the success of that business. In October 2013, Genworth released third-quarter results stating it had adequate long-term care reserves. However, the company had to increase its reserves by $531 million a year later. The announcement led to a sharp drop in its share price, followed by a shareholder lawsuit.
In another insurance industry case, Pennsylvania-based Lincoln National paid an estimated $196.23 million to variable life insurance policyholders, the second largest op risk loss. A 2009 lawsuit accused it of considering non-mortality factors, such as expenses and profit, when calculating variable life insurance charges. Lincoln National also refused to revise its charges when policyholders demonstrated improved mortality rates. After years of appeals, the firm agreed to issue term life insurance certificates to 77,000 policyholders. The certificates had a face value of $2.25 billion, but their estimated market value was $171.8 million. Lincoln National also paid $24.43 million toward plaintiffs' legal costs.
The fourth largest op risk loss event in March involved ACE INA Holdings, Arch Insurance and Factory Mutual Insurance. Together with National Union, these insurance companies provided coverage for physical and business interruption losses to energy firm TransCanada.
In 2008, TransCanada acquired the Ravenswood Generating Station, a power plant in New York City, and added the facility to its insurance policies. Days later, it discovered large cracks around the rotor and had to close the generator for nine months. TransCanada filed insurance claims to recover $57.8 million in damages and business interruption losses. The insurance companies refused to pay because the cracks occurred before TransCanada added the facility to its policies. National Union reached an undisclosed settlement with TransCanada in late 2015. The remaining companies challenged the claim in New York's Supreme Court, where a judge ordered them to pay the claim in full.
Some post-crisis penalties still linger for banks. The fifth-highest op risk loss for March was triggered by the US National Credit Union Administration (NCUA), which is pursuing banks that sold mortgage-backed securities to five corporate credit unions in 2006 and 2007. The securities became worthless after the housing market collapsed in 2008, forcing the NCUA to liquidate the credit unions due to their exposures. The regulator filed two lawsuits against Credit Suisse in 2013, accusing it of misleading the credit unions about the risks associated with the investments.
Credit Suisse is one of the last banks to settle with the NCUA. Its $29 million settlement covered securities it sold to Members United Credit Union and Southwest Corporate Credit Union. The settlement did not affect the NCUA's ongoing lawsuit against Credit Suisse on behalf of the other failed institutions.
Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.
To access these options, along with all other subscription benefits, please contact info@risk.net or view our subscription options here: http://subscriptions.risk.net/subscribe
You are currently unable to print this content. Please contact info@risk.net to find out more.
You are currently unable to copy this content. Please contact info@risk.net to find out more.
Copyright Infopro Digital Limited. All rights reserved.
As outlined in our terms and conditions, https://www.infopro-digital.com/terms-and-conditions/subscriptions/ (point 2.4), printing is limited to a single copy.
If you would like to purchase additional rights please email info@risk.net
Copyright Infopro Digital Limited. All rights reserved.
You may share this content using our article tools. As outlined in our terms and conditions, https://www.infopro-digital.com/terms-and-conditions/subscriptions/ (clause 2.4), an Authorised User may only make one copy of the materials for their own personal use. You must also comply with the restrictions in clause 2.5.
If you would like to purchase additional rights please email info@risk.net
More on Operational risk
Integrated GRC solutions 2024: market update and vendor landscape
In the face of persistent digitisation challenges and the attendant transformation in business practices, many firms have been struggling to maintain governance and business continuity
Vendor spotlight: Dixtior AML transaction monitoring solutions
The Chartis Research report, AML transaction monitoring solutions, considers how, by working together, financial institutions, vendors and regulators can create more effective anti-money laundering (AML) systems.
Financial crime and compliance50 2024
The detailed analysis for the Financial crime and compliance50 considers firms’ technological advances and strategic direction to provide a complete view of how market leaders are driving transformation in this sector
Automating regulatory compliance and reporting
Flaws in the regulation of the banking sector have been addressed initially by Basel III, implemented last year. Financial institutions can comply with capital and liquidity requirements in a natively integrated yet modular environment by utilising…
Investment banks: the future of risk control
This Risk.net survey report explores the current state of risk controls in investment banks, the challenges of effective engagement across the three lines of defence, and the opportunity to develop a more dynamic approach to first-line risk control
Op risk outlook 2022: the legal perspective
Christoph Kurth, partner of the global financial institutions leadership team at Baker McKenzie, discusses the key themes emerging from Risk.net’s Top 10 op risks 2022 survey and how financial firms can better manage and mitigate the impact of…
Emerging trends in op risk
Karen Man, partner and member of the global financial institutions leadership team at Baker McKenzie, discusses emerging op risks in the wake of the Covid‑19 pandemic, a rise in cyber attacks, concerns around conduct and culture, and the complexities of…
Moving targets: the new rules of conduct risk
How are capital markets firms adapting their approaches to monitoring and managing conduct risk following the Covid‑19 pandemic? In a Risk.net webinar in association with NICE Actimize, the panel discusses changing regulatory requirements, the essentials…