Exposures: Fall 2014
Less Than Reasonable Doubts, This Year In Data Breaches, Shoring Up the Middlemen
Less Than Reasonable Doubts
All that famous watch-like regularity, and yet switzerland still has shocks now and then for the banks. Last month, its Financial Market Supervisory Authority, or FINMA, grabbed the Swiss unit of BNP Paribas by the scruff of its neck and told it to knock off certain shenanigans.
For years, says FINMA, the bank ignored U.S. sanctions and did business with customers in Cuba, Iran and Sudan; BNP Paribas had “persistently and seriously violated its duty to identify, limit and monitor the inherent risks.” This meant some highly questionable practices, especially regarding Sudan, which is ruled by the genocidal Omar Al-Bashir. Clients in Sudan and Iran had basically asked BNP Suisse, “If it’s not too much trouble, could you avoid referring to our country? And while you’re at it, could you not mention who we are when handling transfers?”
BNP Paribas Suisse had been happy to comply. “For its part,” says FINMA, “the BNP Suisse believed that U.S. sanction law did not apply to foreign banks…” Then, with deadpan incredulity, it notes that the bank had “grave doubt” over this practice and that “no fewer than 20 legal opinions were sought concerning this matter.”
FINMA has ordered BNP to keep additional capital for operational risks and banned it from doing business with companies and persons subject to U.S. or E.U. sanctions for two years. BNP Paribas already pled guilty in a U.S. court over breaking the sanctions and was fined $8.97 billion (U.S.).
Corporate Risk Canada asked FINMA whether its order reflects a tougher stance in the future over risk. “No, you can’t say so,” spokesperson Tobias Lux answered in an email. “That’s no new or tougher stance, but the consequent continuation of our policy: FINMA has pointed out for years now that financial institutions must analyze, reduce and adequately control their legal and reputational risks emanating from foreign law. (This also applies to the handling of respective political sanctions.) And FINMA made very clear that it would enforce financial institutions that don’t manage their respective risks adequately. That’s what we did in several occasions in the last years.”
One wonders then if FINMA is looking hard at other Swiss banks for these kinds of violations. “We have reiterated the potential risks based on the violation of international political sanctions,” replied Lux. “How banks manage that risk will stay a topic of our supervisory activities.”
This Year In Data Breaches
We’re feeling nostalgic here at Corporate Risk Canada. We laugh, we cry. We recall old times. Like you, we freak out over the ruthless invasion of our privacy. Hey, remember when Target got hacked in a big way? The breach saw credit and debit card data for almost 110 million customers compromised. It wasn’t the only one, though. Here are seven breaches that have been announced so far in 2014.
March 28: Canada Revenue Agency reveals more than 2,200 people were affected by data breaches between April 2013 and January 2014.
April 14: Canada Revenue Agency announces that someone exploiting the “Heartbleed” bug skimmed 900 Social Insurance Numbers from its system. A 19-year-old from London, Ont., was charged with “Mischief in Relation to Data.” The bug also prompted countless users to change passwords, muttering epithets over combinations of special characters and numbers they won’t remember.
April 17: Michaels, the artsand-crafts giant, announces a data breach may have affected up to 2.6 million customers’ payment card info.
May 21: Online auction site eBay asks its users to change their passwords because of “unauthorized access.” Though eBay says no financial data was compromised, it’s facing a class-action suit in the U.S. for not telling customers about it for three months. Going once, going twice…
June 13: American chain P.F. Chang’s says 33 of its restaurants were breached, and credit card data was probably lifted. Please tip your server.
July 31: Online gambling giant Paddy Power’s luck ran out as it announced that the personal information of nearly 650,000 people had been lifted from its virtual vault. The breach happened in 2010, at least two disappointing U2 singles ago.
August – September: Oh, for crying out loud, now what?!
Sources | global news, cp, ap
Shoring Up the Middlemen
Canada’s rolling out new risk management standards for the country’s financial market infrastructures. The takeaway from the latest policy guidance? Keep more cash on hand. A lot of cash.
The guidance on liquidity risk, issued by the Bank of Canada in July, tells the country’s FMIs—the people who make transactions happen—to have enough cash or equivalents available to ensure that, if a buyer defaults, the seller won’t see the ground fall out from under his feet.
The new regulations aren’t meant to penalize FMIs, which include the Large Value Transfer System. In fact, as deputy Bank governor Agathe CÃ´tÃ© said in a March 2013 speech, the collapse of Lehman Brothers “would have been even worse if the London Clearing House [a British FMI]… had not managed the default as well as it did.”
And in its most recent system review, the Bank wrote, “Canadian banks are well capitalized, financial markets are functioning well and financial market infrastructures are supporting core financial market activities.”
But the Bank can’t assume that it will always be so, and the world can’t hope that every FMI will act as well as London Clearing House did. If the fire next time is hotter, and the fire hose weaker, the past six years of reforms could all be moot.
So in 2010, the Committee on Payment and Settlement Systems (representing central banks) and the International Organization of Security Commissions undertook a thorough review of their risk management standards, producing its new “Principles for Financial Market Infrastructures.” The principles say, albeit in muted tones, that FMIs could be the first in a row of dominoes, especially if liquidity problems hit them when the markets are closed.
The Bank of Canada has released two policy guidances on the principles so far: the one on liquidity risk, and one reminding FMIs they don’t play bit parts in the financial melodrama. As the principles put it, an FMI needs to “place a high priority on the safety and efficiency of its operations and explicitly support financial stability.”
Choke point’s breaking point
In its role as sheriff to the banks, one regulator may have gotten a little trigger-happy.
The U.S. Federal Deposit Insurance Corporation recently found itself in trouble for issuing guidelines that some thought were too restrictive. The FDIC handed down an advisory last September as part of “Operation Choke Point,” which warned banks off doing transactions with certain “high-risk” businesses like payday lenders, telemarketers and get-rich, “As Seen on TV” businesses. Oh, and escort services—whose risks, you’d think, would appear to be obvious.
Even though the advisory wasn’t an outright ban, some fought it. Not so fast, they argued. This cracks down on legit businesses. The corporation tried to smooth things over with Congress last month, but backed down and removed the list of risky merchants a few weeks later.
Up here, all is still serene. We seem to like our banks drama-free, though they’re expected to do their homework. The Office of the Superintendent of Financial Institutions issues warnings about risky activity, but they’re rare and less broad than the FDIC’s.
Banks also have an ongoing duty, to the Financial Transaction and Reports Analysis Centre of Canada, to flag any transaction that “raises questions or gives rise to discomfort, apprehension or mistrust.”
So it seems there won’t be a northern “Operation Choke Point” for now.
1.2 billion, with a “b”
August 5: Milwaukee-based Hold Security announced that a Russian crime ring had stolen 1.2 billion username and password combinations, from 420,000 websites.
Source | new york times
Copyright 2014 Rogers Publishing Ltd. This article first appeared in the August 2014 edition of Corporate Risk Canada magazine