June 8, 2023
The Canadian wildfires that turned New York-area skies yellow and created dangerous, unhealthy breathing conditions throughout the region, reaching all the way down to Washington, D.C., where my office is located, are a great reminder on far-reaching consequences.
Take crypto industry regulation and oversight, for example. Is it really all that surprising that the biggest crypto players have been in the news headlines this week when the lack of clear supervision has been there for all to see from the outset? Perhaps unlike the wildfires, which came suddenly and will dissipate over the coming days, challenges in the crypto industry are not going anywhere.
We will have more to say on the current crypto situation in the coming weeks. What do you think? You can reach out to me here.
Daniel Meade
Partner and Editor, Cabinet News and Views
On May 30, 2023, the Division of Clearing and Risk (“DCR”) of the Commodity Futures Trading Commission (“CFTC”) issued an advisory (“05/30/23 DCO Advisory”) relating to registered, or those seeking to register as, derivatives clearing organizations (“DCOs”) that offer clearing services involving contracts for digital assets. This advisory follows DCR’s May 17, 2023 advisory to DCOs in connection with prime brokerage (“PB”) arrangements and trading on swap execution facilities (“SEFs”) (covered previously here).
Both advisories are short one-page documents that remind DCOs and entities that have not been registered as DCOs to focus on risks associated with novel business arrangements (i.e., PBs on SEFs and clearing for digital assets) and note that the DCR will be “placing emphasis on potential risks … related to system safeguards, physical settlement procedures, and conflicts of interest.” More specifically, the 05/30/23 DCO Advisory addresses potential conflicts of interest issues related to DCOs’ affiliated entities and the “dual-hatted” executives.
Concurrently with the publication of the 05/30/23 DCO Advisory, CFTC Commissioner Kristin Johnson issued a statement encouraging the staff of the CFTC to work on drafting a proposed federal rule to address unique issues associated with clearing digital assets and focus on the following four areas: “conflicts of interest arising from vertical integration of activities and functions; custody and client asset protection; operational and technological risk, specifically cyber-risks; and market manipulation and fraud.” Commissioner Johnson noted that many of these concerns were highlighted by LedgerX DCO’s submission to the CFTC for disintermediated clearing of contracts on digital assets, which was subsequently withdrawn following the collapse of FTX in the fall of 2022.
As we had noted previously in connection with the CFTC’s September 29, 2021 SEF advisory, this is a way of CFTC staff messaging the industry that it is watching that specific conduct, it has found deficiencies and that an enforcement action may be forthcoming. Also, as Commissioner Johnson has alluded in her statement, the 05/30/23 DCO Advisory could be attempting to accomplish more than it can, and a proper federal rulemaking would be more appropriate given that it would involve public comments.
Further, considering that during its June 7 meeting the CFTC finalized its DCO governance rule and has proposed the DCO winddown rule and implemented amendments to CBOE Clear Digital, LLC order of registration, the CFTC is looking at broad revision of its regulatory approach to risk management generally and in connection with DCOs specifically.
On June 6, the three Federal bank regulatory agencies (the Federal Reserve Board (“FRB”), Federal Deposit Insurance Corporation (“FDIC”) and Office of the Comptroller of the Currency (“OCC”)), issued final interagency guidance on risk management associated with third-party relationships (the “Guidance”). The Guidance is effective immediately.
The Guidance replaces and supersedes each agency’s existing third-party guidance “and promotes consistency in the agencies’ supervisory approaches toward third-party risk management,” and incorporates changes based on comments on the July 2021 proposed guidance.
In comparison to the July 2021 proposed guidance, the Guidance emphasizes a tailored approach to third-party risk management and a banking organization’s size, level of risk, complexity, and the nature of risks presented by each third-party relationship. In reviewing each banking organization’s third-party risk management risk framework, the agencies stated that they would also be instituting similar tailoring.
The Guidance also explicitly notes the benefits and risks in bank-fintech partnerships. The Guidance especially noted the heightened risk that may be present in arrangements where the fintech interacts directly with the end customer.
FRB Governor Michelle Bowman was the sole dissenting vote on issuing the guidance at the FRB. In her statement, Gov. Bowman stated that she did not think the Guidance went far enough in mitigating regulatory burden on smaller institutions, calling it “a troubling pattern of the agencies' deviation from the risk-based, tailored approach to supervising and regulating banks.”
Against a background of increasing reliance on models and scenario analysis to assess future risks, the UK’s bank regulator, the Prudential Regulation Authority (“PRA”), has published a supervisory statement on “Model risk management principles for banks” (“SS1/23”). SS1/23 applies to UK banks, building societies and larger PRA-designated investment firms that use internal models to arrive at regulatory capital requirements for credit, market or counterparty credit risk. The PRA considers that other firms, including third-country firms operating in the UK through a branch, may find the contents “useful” and invites their participation.
SS1/23 sets out the five key principles that underpin a robust model risk management (“MRM”) framework and associated policies, procedures and practices, including at board level:
1. Model identification and model risk clarification
Firms should adopt the definition of a model set out in SS1/23 to give a basis for determining their MRM framework, maintain a comprehensive model inventory that facilitates the provision of necessary management information for reporting model risk and helps identify model inter-dependencies. Models should be tiered on a risk-based materiality and complexity basis that is subject to periodic validation.
2. Governance
Strong governance oversight should promote a top-down MRM culture through setting clear model risk appetite, and the MRM policy should be board-approved with an accountable individual assuming responsibility in the form of a designated senior management function.
3. Model development, implementation and use
The model development process should be robust, with appropriate standards for design, implementation, selection and performance measurement. Regular testing should lead to remediation of any limitations and weaknesses.
4. Independent model validation
Ongoing, independent and effective validation processes should provide effective challenge to model development and use.
5. Model risk mitigants
Firms should establish policies and procedures for the use of model risk mitigants to remedy under-performance and use independent reviews to ensure the adequacy of post-model adjustment.
Before SS1/23 came into effect on 17 May 2023, firms were expected to conduct a self-assessment of their MRM frameworks and remediate any shortcomings. These self-assessments should be updated at least annually and remediation plans reviewed and updated regularly, with board updates on remediation progress. The holder of the senior management function accountable for MRM is responsible for the actioning of remediation plans, and while routine sharing of the plans and self-assessments with the PRA is not expected, firms should be in a position to provide these upon request.
In April 2023, the European Central Bank (“ECB”) published its 2022 assessment of climate-related and environmental risk disclosures of EU-based banks, finding that while most “significant institutions” “now disclose at least basic information” in most climate-related categories, an improvement relative to the ECB’s 2021 assessment, the quality of information remains “low and is unlikely to provide market participants with insights on which they can act.” The report is the third such assessment carried out by the ECB as part of its wider objective to ensure that the European banking sector discloses climate and environmental risk effectively and comprehensively. The ECB’s 2022 assessment examined 103 significant banks, all under direct supervision of the ECB itself, as well as 28 “less significant institutions.” The ECB also examined the disclosures of 12 banks from its list of global systematically-important banks based outside the EU in order to provide an international benchmark.
The ECB observed considerable progress against previous years: the percentage of significant institutions that disclosed material exposure to climate and environmental risks was 86%, up from 36% a year ago. Approximately 85% of banks examined reported on their board of directors’ and senior management’s oversight of climate risks, up from about 70% in the previous review. More than 90% of institutions provided basic descriptions of their identification and management of environmental and climate risks. However, “banks still need to close remaining gaps to disclose all relevant [climate] risk information as only 34% of the banks disclose information on all categories,” and the information disclosed remains “qualitative and often generic.” Even where “metrics and targets are disclosed, banks often provide limited information on portfolio coverage and definitions and methodologies used to produce the respective information.” With respect to governance disclosure in particular, the ECB identified as an area for improvement the need to provide “more detailed disclosures providing more precise information regarding the interface between the respective committees, the flow of information among the three lines of [defense], the bottom-up and top-down provision of information, the frequency of reporting and the transversal nature of climate-related risks as embedded in the risk management spectrum of the institutions.”
Scope 3 financed emissions were an area of shift. Traditionally, Scopes 1 and 2 emissions have been mandatory to report, whereas Scope 3 has been voluntary, as they are the hardest to monitor. As Deloitte has observed, Scope 3 emissions are nearly always the major factor in corporate climate impact, often accounting for 70% or more of a business’ carbon footprint. With the advance of both technology and regulatory oversight, companies are increasingly able to report all three types of emissions with greater accuracy. The most recent ECB report indicates that 50% of banks are now reporting Scope 3 financed emissions, however “in 85% of cases these are not (broadly) adequate. Overall, a mere 5% of banks made adequate or somewhat adequate disclosure on” all Scope 3 criteria.
The ECB also reported that banks, on the whole, are unprepared to comply with the European Banking Authority’s (EBA) imminent Implementing Technical Standards (ITS) on Basel III Pillar 3 ESG risks. Pillar 3 requires a variety of ESG-related disclosures, including qualitative and quantitative information on transition and physical risks, exposure to at-risk sectors and green lending. In line with the final draft ITS, large institutions that have issued securities that are admitted to trading on a regulated market of any Member State will be required to make their first disclosures in June 2023.
Taking the Temperature: We have previously reported on the Basel III Pillar 3 requirements. Bank regulators globally are, like the ECB, demanding increasing ESG-related risk assessment and/or disclosure from financial institutions, with regulators in Canada, Switzerland, the U.S. and the UK, among others, weighing in with guidance. We also have reported on efforts by financial institutions to develop and disclose GhG emissions financing targets and ESG-related governance procedures.
With respect to its most recent assessment, the ECB is already taking action in relation to poor performers identified by its report. Six of the 15% of banks whose disclosures were considered insufficient overall were determined to be unsatisfactory in all disclosure categories. After publication, the ECB sent individual feedback letters to banks informing them of the outcome of the ECB’s analysis of the shortcomings. The ECB observed that it had also sent requests to several banks to provide plans for how they will address their highlighted shortcomings in order to meet the EBA reporting requirements triggered by ITS in the near future.
The ECB has warned that non-compliance with these standards, having now come into effect for institutions listed in the EU, would constitute a violation of EU law. Frank Elderson, Vice-Chair of the ECB’s Supervisory Board, told banks that “stricter disclosure rules are taking effect this year. If necessary, we will take the appropriate supervisory actions to ensure that banks comply.” In anticipation of incoming obligation, banks and other financial market participants are already spending significant time and resources on compliance with new regulatory requirements. Financial institutions operating in the EU will want to ensure that they are closely monitoring and expanding their climate-related disclosure practices to keep step with changing expectations from the ECB and other national regulators.
(This article originally appeared in Cadwalader Climate, a twice-weekly newsletter on the ESG market.)