RegTech Intelligence

What happens if nobody owns regulation?

This summer, we found that the industry could face a stack of paper up to three Eiffel Towers high from the G20.  Curious about the risks inherent in managing that many documents, we asked Meredith Gibson, Head of Legal Risk at Santander UK, and Helen Pykhova, Director of The Op Risk Company and Chair, Operational Risk Committee at the Association of Foreign Banks, for their thoughts on who owns regulation.

One of the ‘top operational risks’ – that appears on the banks’ risk registers, gets talked about at operational risk conferences and is cited in various top and emerging risk reports – relates to the sheer volume and complexity of regulation.  This can be characterised as legal risk or regulatory risk but both are within the scope of operational risk.

The volume and complexity of regulation are usually compounded by a lack of clarity over who owns, and who is accountable for, ensuring that new regulatory requirements are captured and implemented within the organisation in a timely manner.

And when there are inconsistencies and deficiencies in regulation due to the failure to engage with the right subject matter experts (SMEs), this makes the accountability and the implementation even more testing.  If the ‘experts’ are confused, then how can ‘the business’ – as owner of these risks – ever hope to get it right?

Let’s examine two new legislative initiatives as examples:

  • MiFID II/MiFIR, which contain operational risk requirements but clearly have not been drafted in cooperation with operational risk practitioners
  • The European Banking Authority (EBA) Draft RTS under CRD IV, on assessment methodologies for the use of Advanced Measurement Approaches for operational risk, which is quite obviously directed at operational risk practitioners but labelled obscurely and defines legal risk for the first time without reference to the legal community.

MiFID II[1]

MiFID II is a lengthy and complex document, with 95 draft technical standards expected for consultation this year.  Hidden within the 800+ pages of the Consultation and Discussion Papers issued in May 2014 are operational risk requirements which are not clearly labelled as such and which may not yet have been picked up by the operational risk community.

We have written a separate article on operational risk considerations in MiFID, where we highlight a requirement for trading venues to conduct a ‘self-assessment’ which, in fact, sounds very much like an operational risk RCSA (risk and control self-assessment), with a prescriptive frequency that may go against existing operational risk practices; the emergence of a somewhat new profile for the ‘risk and control’ function; and other points.

Lack of consultation with operational risk practitioners when drafting the document may lead to discrepancies with existing practices, which will create difficulties during implementation.

The new RTS, the consultation for which ends in February 2015, will require revised systems and processes with very little time to implement them (MiFID II goes live in January 2017).  This will lead to the creation of more operational risk at a time when we are trying to reduce it.

EBA draft RTS[2]

The title of the document, ‘Draft RTS on assessment methodologies for the use of Advanced Measurement Approaches for operational risk’, implies that only firms applying AMA (very few in the UK) should examine the document, which is somewhat misleading.

In addition to modelling (which is indeed relevant to AMA), the RTS contains important definitions and concepts – amongst those, the scope of operational risk, the scope of operational risk loss, the ‘use test’ and the definition of legal risk.

Are we really saying that the regulators will not expect the TSA and BIA (or, in future, ‘SA’[3]) banks to consider the definition and the scope of operational risk and legal risk as outlined in the document?  And do we agree with the intent to almost create two operational risk ‘camps’ in the industry – an AMA-camp that uses certain operational risk definitions and concepts and an SA-camp applying other, inconsistent, definitions?

Legal risk – new definition

The definition of legal risk is worth a separate mention.  Many firms adopt or adapt the International Bar Association (IBA) definition of legal risk, being a risk of loss to an institution that is primarily caused by:

  1. a defective transaction
  2. a claim (including a defence to a claim or counterclaim) being made or some other event occurring that results in a liability for the institution or other loss (for example as a result of the termination of the contract)
  3. failing to take appropriate measures to protect assets (for example intellectual property) owned by the institution
  4. a change in law[4].

The EBA defines ‘legal risk’ as “the risk of being sued or being the subject of a claim or proceedings due to non-compliance with legal or statutory responsibilities and/or to inaccurately drafted contracts.  It also includes the exposure to newly enacted laws as well as to changes in interpretations of existing laws.”

This EBA definition is somewhat different from the more generally accepted IBA version, and appears to have been drafted without reference to it.  There is no mention of protection of assets, for example.  A number of responses to the consultation note both this and the unworkability of the claims language.

Where regulators have been careful to avoid defining conduct risk, we now have a definition of legal risk in these standards – presumably because legal risk is already part of the Basel terminology where conduct risk is not.  (A point to note on conduct risk: while it has not been formally defined, it has been mentioned as an ‘increasingly materialising concern’ classified as an operational risk in the EBA’s recent Risks and Vulnerabilities report[5].)

Interestingly, in the EBA draft RTS, ‘aggressive selling’ has been considered part of legal risk.  In short, the drafting is far from clear, but the intent is to include legal risk, at any rate, within the “scope of operational risk”, whatever that may mean in practice.  Practitioners still have to understand how this translates into a workable organisational structure – will operational risk departments step up and formally look after both legal and conduct risks?  (Usually not the case, and a point of contention in many firms.)  While the operational risk department now, more or less, sits within a common organisational structure across the industry, having moved under the Chief Risk Officer’s umbrella, there is still no industry standard for the organisation of, and accountability for, the management of legal and conduct risks.

Regulatory risk is not mentioned at all – possibly because “the exposure to newly-enacted laws” clearly covers it as part of legal risk.

Failure to engage with SMEs

Regardless of the niceties of the drafting, it is evident that the drafters of both MiFID II and the EBA draft RTS have failed to consult the relevant SMEs.  In MiFID II, operational risk practitioners could have provided a methodology for including the new requirements in existing practices; in the EBA draft RTS, lawyers might have been able to mesh the desired outcome with the IBA definition.

This would have permitted firms to continue and improve upon their existing practices, rather than having to stop their existing rollouts in order to accommodate new – and sometimes conflicting – requirements.


Accountability for ensuring regulation is examined and implemented in a timely manner remains a challenge within organisations.  There is usually a lack of a clear ‘owner’, as noted in the recent FCA thematic review[6]: “it was often unclear who had responsibility and ultimate accountability for ensuring that execution arrangements and policies met our requirements.”

And, if regulation has deficiencies and inconsistencies, it will make it more challenging to assign responsibility for particular requirements to particular roles.  This will, in turn, result in a lack of accountability – the complete opposite, one would think, of the desired outcome.

For example, in MiFID II, the ‘risk control’ role set out in the Consultation Paper is differentiated from Compliance, but it is not described in terms that existing operational risk practitioners would recognise as part of their remit.

Under the EBA RTS, due in final form at the end of December 2014, to what extent are operational risk practitioners now responsible for legal risk?  In many organisations, legal risk does not exist as a separate unit or key risk type.  Should this now change?  Or should operational risk practitioners now form closer links with the legal department?

The new legislative initiatives bring with them an enormous amount of change – in particular, they bring specific operational requirements which will change the infrastructure of firms’ business, all in very short order and in addition to existing projects and change requirements.

If, in addition to volume and complexity, accountability is unclear, how will firms continue to control operational risk?  Without clear guidance as to what regulators expect when they draft these pieces of legislation, firms are going to find it very difficult to construct adequate systems and controls in the time available.

The risk arising from the volume and complexity of regulation, and from accountability for ensuring that regulatory requirements are captured and implemented in a timely manner, should be the ‘top operational risk’ on the banks’ risk registers for the foreseeable future.

[1]  MiFID II is the Directive revising and replacing the original Markets in Financial Instruments Directive; MiFIR is the new Regulation.  We have used MiFID II to embrace both the Directive and the Regulation except where there is a need to be specific.
[3] One revised Standardised Approach (SA) is proposed to replace BIA and TSA