RegTech Intelligence 
How many types of risk are there to a financial institution? In recent years the list has grown from patently quantifiable risks – market, credit, liquidity – into more nuanced forms of risk, such as conduct risk and systemic risk. However, increasingly ambitious regulation and certain key legal decisions have brought with them a new form of risk: so-called ‘legal risk’. And whatever doubts remain about the concept, it is clear that managing the risk of legal uncertainty is now a key part of compliance.
The concept itself is difficult to define. We are all aware that ‘ignorance of the law is no excuse’, but what about where the law is ‘unknowable’? The FSA, in a guidance note for insurers, once defined legal risk as: ‘The risk that the law is proved to operate in a way adverse to the interests or objectives of the insurer where the insurer: (a) did not consider the law’s effect; (b) believed its effect to be different; or (c) operated with uncertainty as to its effect.’ This definition is not perfect, for instance (a) in this case seems to be more an example of ‘ignorance’ than of a managed risk, but (b) and (c) are certainly cases that FS professionals will be all too familiar with right now.
This will likely resonate with many currently working on implementing aspects of European regulation without knowing what shape any potential technical standards will take (e.g. ETD reporting under EMIR) or for those trying to decide whether or not they are US persons for Dodd-Frank purposes. However, the new European Benchmark Regulation, currently in draft form, is a prime example of the types of uncertainty that firms have to deal with when tackling regulation, and the risks that result from each of them.
First of all, as it is in draft form we clearly have uncertainty over what the final set of rules on benchmarks will look like. In the original draft of the Regulation, there was a recital imposing unlimited liability on the administrator of a benchmark to all end users of that benchmark for improper performance of its legal obligations. This has (fortunately) been removed, but makes clear the point that other sections may be added or removed in the future. Whether or not this uncertainty is legal risk, it is certainly a risk that firms now have to deal with on a daily basis.
Linked with this is uncertainty over the timing of the passing of the Regulation and its enforcement. On this point, we know that the Commission is treating benchmarks as a priority and wants to see the Regulation finalised before the European Parliament election in May next year. However, the UK Treasury is taking a contrasting stance on this issue on the basis that the Regulation is too divisive and the Government may plan to challenge certain aspects of it as currently drafted.
Dealing with these issues requires firms to closely follow the development of legislation, which can be difficult for those without an in-house government affairs department or even, in some cases, a dedicated compliance function. However, what can be said for certain is that simply waiting until the regulation is finalised is more of a case of ‘ignorance of the law’ than it is of effectively managing risk, and is becoming less-and-less of an option for firms looking to remain compliant.
Should the Regulation be passed in anything resembling its current form, a big source or legal risk will be the uncertainty surrounding who or what is in scope. Roger McCormick, the academic who (literally) wrote the book on legal risk identifies ‘over-ambitious legislation’ as one of the key examples of legal risk, and the Commission’s definition of benchmarks certainly seems to fit that description (emphases added):
(1) ‘index’ means any figure:
(a) that is published or made available to the public;
(b) that is regularly determined, entirely or partially, by the application of a formula or any other method of calculation, or by an assessment;
(c) where this determination is made on the basis of the value of one or more underlying assets, or prices, including estimated prices, or other values.
(2) ‘benchmark’ means any index by reference to which the amount payable under a financial instrument or a financial contract, or the value of a financial instrument is determined or an index that is used to measure the performance of an investment fund.
Together this means that almost anything over and above a snapshot market price, even where it only references a single instrument or is only shared bilaterally, could be in scope of the Regulation.
Why is this a problem? Firstly, because this goes far beyond the –IBORs; there are thousands of eligible numbers that could come into scope, and institutions will have to run an assessment for each one to decide whether it is in scope or not. And, secondly, because if any of them are in scope, then anyone who ‘controls’ the determination or calculation of the benchmark, or even the collection, analysis or processing of the input data, is an ‘administrator’ of a benchmark, and must submit to the attendant authorisation, governance, data and transparency requirements. This means many institutions, especially larger ones that provide a range of services to multiple markets, will have to make significant preparations for all eventualities in the benchmarks debate.
To conclude, legal uncertainty places institutions in a Schrödinger’s cat-style paradox, where they are simultaneously both compliant and non-compliant, depending on how the rules play out. Only when enforcement action occurs or a court makes a decision is the uncertainty resolved, and even then it may be too late to make any changes, or the decision may introduce yet further uncertainty. Managing the risk produced by this uncertainty then becomes a function in itself, and many larger institutions are already tackling this head on with the hiring of new dedicated staff. Fortunately, many of the same principles for managing other areas of risk apply here too: identification and monitoring of risks to avoid ‘ignorance of the law’; simulation of ‘what if’ scenarios to enable contingency planning; assessment and quantification of risk to allow conscientious decisions to be taken at senior level; and, finally, control and mitigation of known risks. Ultimately, it is easy to look at the now daily presence of legal risk as an insurmountable problem, however institutions are already pioneering methods of coping with it and this may soon become a differentiator when enforcement time comes around.