A Supervision Model for Small Stock Market

A Risk‐based Supervision Model for Small and Underdeveloped Securities Markets

by Lorena Dueñas1

Jun 2009

1 Lorena Dueñas works as a Chief of the Market Regulation and Disclosure Department at the El Salvador Securities Commission – [email protected] ‐

This research is derived from the author's experience participating in her Humphrey Fellowship Program’s professional affiliation with the U.S. Financial Industry Regulatory Authority (FINRA). FINRA’s International Affairs & Services Department offers advisory services to different countries on matters related to securities market regulation. Recently, FINRA has been performing different projects related to the introduction of the risk‐based approach to market and participant oversight in emerging stock markets, either for the entire market, or just for the broker/dealer industry or mutual fund operators.

As part of her studies at Boston University as a visiting student in the Humphrey Fellowship Program, the author performed an internship at FINRA, where she participated in a searching project and discussed with the International Affair’s staff the different nuances of the risk‐based approach. She also studied the different methodologies established in several diverse countries to introduce the risk‐based approach.

ACKNOWLEDGEMENT

Merritt Helfferich and April Crosby, Jeanne Balcom, Scott Birdwell, Kofi Boateng, Sahr Johnny, Brian Hanrahan, Bruce Kaser, Dean Miller, Isabel Pastor, Steve Polansky, Becky Snow, FINRA’s International Affairs & Services Department, and other great people for their assistance in contributing to enrich and edit this document. Thanks for encouraging me in the process of

researching and writing this paper.

Content

I. Introduction .................................................................................................................................... 6 II. Supervision Approaches ................................................................................................................. 8

1. Compliance‐based Supervision ....................................................................................................... 9 2. Risk‐based Supervision.................................................................................................................. 11

a) Concept.............................................................................................................................. 11 b) The origin of the Risk‐base approach ................................................................................ 12 c) Adaptation of the model in different countries and industries......................................... 13 d) Advantages and Disadvantages of the Risk‐based Supervision Model.............................. 16

III. International Experience using Risk‐Based Approach in the Securities Industry.......................... 19 1. The United Kingdom Risk‐based Supervision Model................................................................ 19

a) Lessons from the United Kingdom Model ......................................................................... 26 2. The Federal Reserve System approach .................................................................................... 29 3. The Canada Risk‐based Model ................................................................................................. 32 4. Experiences applying Risk‐based Supervision in the Securities Market................................... 34 5. Important Similarities among the FED, OCC, OSFI & FSA’s Supervision Approach .................. 42

IV. Developing a Compliance and Risk Supervision Model for Small and Underdeveloped Securities Markets ........................................................................................................................ 44

1. Guidelines of the International Standards for Securities Markets ........................................... 44 a) The Compliance System..................................................................................................... 45 b) The Inspection and Surveillance Program ......................................................................... 45 c) The IOSCO Risk Approach .................................................................................................. 46

2. Rational for Using a Compliance and Risk‐based Supervision Approach in Small Markets ..... 48 3. Enterprise Risk Management ................................................................................................... 50 4. The Supervision Model: Designing, Introduction and Implementation. .................................. 52

a) The Design of the Compliance and Risk‐based Supervision Model ................................... 52 b) The Introduction of the Compliance and Risk‐based Supervision Model.......................... 59 c) The Implementation of the Compliance and Risk‐based Supervision Model .................... 60

V. Conclusions ................................................................................................................................... 61 VI. Bibliography.................................................................................................................................. 64

4

List of Tables

Table 1. FSA Base Metric for Firm Activity ........................................................................................ 21 Table 2. FSA Current Boundaries among Impact Categories ............................................................ 22 Table 3. FSA Risk Groups with its corresponding Risk Elements....................................................... 23 Table 4. FED Entity Risk Matrix.......................................................................................................... 31 Table 5. FED Composite Risk for significant activities ....................................................................... 31 Table 6. OSFI Supervision Steps and Products .................................................................................. 33 Table 7. OSFI Risk Matrix................................................................................................................... 33 Table 8. Categories of Assessment.................................................................................................... 37 Table 9. Risk Group Assessment ....................................................................................................... 37 Table 10. General Information about the Firm ABC broker house (hypothetical example)............. 38 Table 11. Numerical Score to Represent Different Levels of Risk..................................................... 38 Table 12. Firm & Industry Risk Matrix for the Dealing License ......................................................... 39 Table 13. Firm & Industry Risk Matrix for the Investment License................................................... 40 Table 14. Firm Risk Profile................................................................................................................. 40 Table 15. Risk Score Calculation........................................................................................................ 41 Table 16. Distribution of the Score to Rate the Firm’s Risk .............................................................. 41 Table 17. Categorization of the Firm Risk Score ............................................................................... 41 Table 18. Risk Ranking Assignment ................................................................................................... 42 Table 19. Methodology Steps of the FED, OSFI and FSA................................................................... 42 Table 20. Risk evaluated by FED, OCC, OSFI and FSA........................................................................ 43 Table 21. The Risk Management Factors by the FED, the OSFI and the FSA .................................... 43 Table 22. Proposal of Steps, Products and Responsible ................................................................... 56

List of Figures

Figure 1. ARROW FSA: Firm and Thematic Framework.................................................................... 20 Figure 2. FSA Structural probability assessment model.................................................................... 23 Figure 3. The Compliance Supervision and the Risk‐based Approach: Role of the regulatory

authority and the market participants. ............................................................................ 49 Figure 4. Steps to Introduce the Risk‐Supervision Model ................................................................. 52 Figure 5. Proposal of Compliance and Risk Supervision Model ........................................................ 56

5

List of Abbreviations

ARROW : Advanced Risk‐Responsive Operating Framework Basel I : Accord I issue by Basel Committee on Banking Supervision (BCBS) Basel II : Accord II issue by Basel Committee on Banking Supervision (BCBS) COSO : US Committee on Sponsoring Organization of the Tradeway Commission (COSO) FINRA : The US Financial Industry Regulatory Authority FED : The US Federal Reserve Bank

FSA : The United Kingdom Financial Services Authority. It is an independent non‐governmental body, given statutory powers by the Financial Services and Markets Act of 2000.

US GAO United States Government Accountability Office IOSCO‐OICV: International Organization for Securities Commission.

OSFI : Office of the Superintendent of Financial Institutions

RMP : Risk Mitigation Program

SRO : Self‐Regulatory Organizations

UK : United Kingdom

US‐SEC : The United State Securities and Exchange Commission

6

A Risk‐Based Supervision Model for Small and Underdeveloped Securities Markets

I. Introduction

A fair and efficient securities market depends on many factors, such as adequate regulations, effective compliance procedures, a credible enforcement program, stable and credible institutions, and an efficient judicial system, IOSCO (1998); therefore, regulatory authorities around the world face the challenge of keeping securities markets sound, preserving their integrity and ensuring appropriate investment protection for the public.

Traditionally, it has been the regulator’s responsibility to ensure the observance of the law by the market participants; however the methods currently used such as inspections, surveillance, and enforcement programs have not been sufficient to avoid breakdowns in the market and appropriately address the systematic risk that can jeopardize regulatory objectives.

In addition, the expansion of local markets to the regional or global level and the rise of the Internet as a venue for trading, have introduced new financial products, regulations, and participants that generate additional risk to the market. In this way, the market is dynamic and constantly evolving, hence it becomes necessary for regulators to explore new methods of achieving their supervisory goals that allowed them to avoid supervision methods based on rigid regulation which it is not able to keep pace with these changes.

There is a broadening international consensus around two regulatory philosophies2 for the regulation of securities markets, a principles‐based and a rules‐based approach. In the first one, the government establishes the desired high‐level principle for regulated entities, and then provides guidance on how the entities can follow these principles. This approach is applied, in part, in the United Kingdom (UK), where the regulatory agency, the Financial Service Authority (FSA), has established the following: “Principles‐based regulation means placing greater reliance on principles and outcome‐focused, high‐level rules as a means to drive at the regulatory aims we want to achieve, and less reliance on prescriptive rules” (2007). On the other hand many countries follow a more rules‐based approach to regulation, in which the government imposes many more prescriptive rules about to what is required or prohibited in particular circumstances. The US stock market supervision system is broadly considered to be a more rules‐based system, but this is not the case in the US banking industry, whose regulators have broadly developed a risk‐focused supervision.

2 John H. Walsh, Associate Director and Chief Counsel in the Office of Compliance Inspections and Examinations of the United States Securities and Exchange Commission, suggests in the article “Institution-Based Financial Regulation: A Third Paradigm”, a third approach, which according to Walsh could be called “institution-based” regulation.

7

Traditionally the securities regulatory authorities have used a method of supervision, which is compliance‐based, primarily focused on inspections to verify compliance with a comprehensive set of rules, which oftentimes has resulted in a checklist approach to inspection. The compliance‐based approach is also referred to the Compliance‐based approach. However a new approach – Risk based supervision – was introduced in the last decade, primarily in the area of bank regulations.

The other approach to assess the safety and soundness of regulated financial institution is Risk‐based supervision, which requires that the firm itself identify, assess, control, measure, and perform actions to mitigate the risks to their operations, finances and customers. The role of the regulator under this approach is to assess how well the firm defines and mitigates the risk it faces rather than merely verifying its compliance with a set of rules. This is a significant departure from the compliance‐based (or rules‐based) approach, which requires a significant change in the way an inspection program is conducted, designed and performed by regulators, as well the actions taken by the regulatory authorities with the exam’s results.

Many securities regulators around the world are exploring the possibility of moving from a more compliance‐based model to a more risk‐based approach for supervision in their respective markets. Risk‐based supervision has recently been introduced to other financial industries, such as securities markets since its original application in the banking industry. The introduction of Basel II, according to Brunner, Hinz and Rocha (2008), was “an important step in the path towards Risk‐based supervision”. Since Risk‐based supervision is relatively new to securities markets, particularly in smaller markets, there is a little understanding about its implications for securities markets and the consequences of this approach in small and underdeveloped markets, which are characterized by non‐sophisticated participants and regulators with small operating budgets. Regulatory authorities in these markets are particularly concerned how to apply and introduce it to their markets.

When searching for the answer to these questions the author explores the different approaches to supervision in the securities markets: what is the Risk‐based supervision model and the differences or similarities between the Risk‐based and the compliance ‐based approach; the role of the participants in the market for each model; the advantages and disadvantages of each model, and the experiences in other industries and countries that have introduced Risk‐based supervision. The risk‐based supervision model developed in some countries, such us Canada, United State and United Kingdom are then analyzed more deeply in order to explore its lessons and the ways to define the risk‐focused approach, as well the implication for its introduction in small and underdeveloped markets. Following the analysis of both approaches, the author proposes guidelines for the introduction of a risk‐based supervision model for small and underdeveloped securities markets. Finally, she raises several issues and offers conclusions based on her research.

8

II. Supervision Approaches

The powers typically granted to the securities regulator in the existing legal framework include the capacity to give licenses, perform inspections, conduct investigations and enact and, to carry out enforcement programs in order to ensure that the market participants are appropriately adhering to the regulations and rules. All of these functions have the objective of preserving the integrity of the securities market and protecting investors, particularly small investors.

As part of developing and implementing its functions, the regulator defines a supervision plan, which establishes: the goal and scope of the oversight for each type of market participant; the preparation process before the examination of participant organizations; the periodicity of the inspections; the type of inspection (routine inspections for cause or for special oversight); the scheduling on and off‐site work; and the actions it will take with the outcomes of the exams; etc.

In some countries one institution performed the oversight in the securities markets, in others these functions are divided among more than one institution. The allocation of functions depends on the legal framework in place. For instance, in the U.S.A., the Securities and Exchange Commission (SEC) regulates and enforces the federal securities laws, but the CFTC oversees the commodities and futures markets. On the other hand, in countries such the United Kingdom, the supervision the supervision securities markets, and the insurance and banking industries, is performed by one institution.

The approaches to conduct oversight vary from one regulator to other, as a result of the fact that jurisdictions have differing regulations, expertise and skills within the regulatory authority staff, resources, market size, sophistication of the participants, etc. However, an important challenge for all supervisors is how to establish an effective and reliable supervision plan, which takes into account ensuring a fair, efficient and transparent market, while avoiding systemic risk.

The most effective and reliable supervision programs will depend largely upon the power and recourses of the regulatory authority, its competent staff and a known deterrent strategy, but from its determination and clear attitude to enforce the law, in order to gain respect of the industry and establish investor confidence. With a strong enforcement program in place people are discouraged from committing financial fraud due to the high probability they will be sanctioned by the regulator.

In general, the supervision program should be established based on the supervision approach defined by the regulatory authority, either a Risk‐based or compliance‐based, or a combination of both. The chosen approach will affect the way the supervisor prepares and performs inspections and how it addresses further actions based on the examination process.

9

1. Compliance‐based Supervision

The regulatory authority plays a role in the securities market that is defined by its statutory objectives, such as ensuring fair, efficient and transparent markets. These securities law, regulation, and rules prohibit many activities that can make markets unfair. It is difficult, however, for the jurisdiction to issue rules to keep pace with changes in the market and therefore the supervisor authority, which has adopted a compliance‐based supervision approach, is continuously challenged when trying to address risks to its statutory objectives.

The regulatory authorities in the securities market, traditionally, have focused their oversight programs using procedures that allow them to ensure that the market participants are complying with the laws and regulations. This focus is due to the expectation that the law, regulations, and rules prohibit all bad practices that would pose risks to the regulators statutory objectives: such as unfair trading, market manipulation and other different type of frauds. The prohibition of these conducts in the law and regulations is aimed at supporting the objectives of the regulatory authority which, according to the International Organization for Securities Commission, include protecting the investor, establishing fair, efficient and transparent markets and avoiding systemic risk.

Effectiveness of one oversight program over the others can be substantially different, which vary and depend but are not limited to the supervision plan itself, the skills and expertise of the personal in charge to perform it, the regulation of the securities markets, how effectively the regulator is in conducting disciplinary action and the judicial system is in upholding these decisions and directly enforcing the law.

Compliance‐based supervision consists of a set of procedures defined by supervisors that are performed on‐site and off‐site at securities firms or other market participants, in order to verify compliance with the law and rules in the market. The inspection or oversight program is based on procedures to detect fraudulent conduct, market manipulations and other behavior defined as illegal by the law and regulations. At times the set of compliance‐based procedures aimed at validating compliance with rules and regulations can evolve into more of a “checklist” approach if too narrowly implemented. In other words, regulators end up making a list of rules and checking off the firm’s compliance with each rule. By implementing this approach too narrowly, the inspectors may not take the time to drill down to the underlying causes of a violation, may not distinguish between significant and minor breaches, and may miss irregularities that are not fully spelled out in the procedures.

According to McDonald the ruled‐based approach is predicated on “numerous detailed rules” for the purpose of monitoring visits or off‐site monitoring, and the examination of financial and other reports is focused on finding contraventions of laws and regulations, regardless of the relevance of these breaches to the ability of the company to meet all its obligations, including solvency

10

requirements. The Compliance‐based approach may also involve a detailed examination of information submitted to the regulatory authority, but the focus may well be on reconciling data, or perhaps counting the number of securities or being concerned with the lateness of the financial report rather than seeing that the report indicates that the company may be heading for serious financial difficulties”. McDonald pointed out that the philosophy behind the exam performed by the regulatory authority and the scope of it in the Compliance‐based approach, is drawing out important considerations about the criteria to determine and discover significant breaches and unsound financial performance that can lead the company into a financial crisis, affecting not just its operation but affecting other market participants even, at worst, the whole financial system.

The compliance approach can introduce a misconception if the supervisor thinks that the law has been designed to prevent all possible risks to the market. A misconception will arise if the supervisor thinks that the law will avoid practices than can jeopardize the supervisor’s objectives, so that, if the supervisor has in place an efficient and effective inspection program and strongly monitors the market participant’s compliance with the law, there should not be any risk to the market. This belief is only partially true, since there is no possible way to achieve perfect regulation that can be equally perfect in efficiency or that will prevent all the possible risks in the market. Also, even if the regulation legislates a definition of every potential risk, there are no regulators that can perform a 100% effective examination of the market participant’s activities because it’s always limited by the factor of scarce resources that lead it to utilize sampling techniques. The Risk‐based supervision method, the approach discussed in the next section, will help the regulator deal with the weaknesses of regulation and with the problems created using sampling techniques, and let the regulator allocate its scarce resources to monitor the riskiest areas of the market.

In terms of the disadvantages of the compliance‐based approach, the regulatory authority has the commitment to ensure compliance with the law, regulations, and rules. Its statutory objectives are established by law and the regulator applies a set of review procedures for each type of participant it oversees. The industry must follow what is in the law but may have more latitude in areas that are not explicitly covered in it. With those markets/products not defined by law, there still is the possibility that firms can engage in risky areas of the business that are not under the jurisdiction of the regulator and therefore may not be evaluated as part of the exams. If the regulator is implementing a narrow check‐list approach to examination, it may not be aware of any improper or risky activities and therefore would not be able to conduct any type of preventive action. Moreover, depending on the legal/regulatory framework may not be able to discipline firms for this activity.

It is also very difficult to develop prescriptive rules for areas that do not lend themselves to a one‐size fits all approach, for example the development of a risk management system. What is appropriate for risk management in large, complex firms would be overkill in a small firm. Therefore it must be left open to the firm to decide what is appropriate. To assess the adequacy of

11

such as system, poses challenges for the compliance‐based examiner who can not rely on a prescriptive rule.

The compliance‐based provides greater certainty to the industry regarding how to comply with the rules and regulations. The rules that the firm must comply with are spelled out and additional guidance is often provided in the form of interpretations. Under the Risk‐based approach the regulator must evaluate the actions carried out by the industry in order to manage its own risk. Furthermore, under the compliance‐based approach the responsibility of the regulatory authority is to ensure that the participants apply the law, which can be verify through a checklist review of all the details defined by law. In this sense, the inspection process is fairly straightforward and does not require as much judgment on the part of the inspectors. . The rules can consider risk areas; however the scope of the exam is limited by the regulation.

There can be situation when the risk is clear for the participant, investor or for the market, and the regulatory authority cannot go beyond the rules established by law or regulation. In general the compliance‐based approach is reactive. It only identifies violations once they have occurred. This can be prejudicial for the market when the situation requires a more active behavior by the regulatory authority, in terms of timing and taking measures, which go beyond the rules.

Finally, in countries where no Self Regulatory Organization (SRO) scheme exists, oversight responsibility is fully assumed by the regulatory authority, which sometimes has not enough knowledge about securities market and for not understanding the impact of regulation on the industry. This may lead to a tendency to try to regulate every aspect of the industry that would stifle market growth and innovation.

2. Risk‐based Supervision

a) Concept

The concept of utilizing assessment of risk to regulate and monitor the activities in the financial system has been present in each regulatory framework around the world where policy makers have tried to introduce regulation concepts that protect the system from potential risks not covered in the existing rules such as those institutions with inadequate capital and poorly trained staff who wish to establish banks or when conflict of interest or insider trading is threatening securities markets. Additionally, this risk concept leads policy makers to define rules, create regulatory and supervisory agencies, and to take other measures to avoid the risk of not having or being able to keep the soundness and stability of the banking system or a fair and efficient securities market.

The Risk‐based or risk‐focused supervision is a systematic and dynamic process carries out by regulatory authorities to identify, assess, measure and monitor the risk faced by supervised entities, but also to evaluate the entity’s internal risk management in order to establish its risk profile and to tailor its supervision plan and its risk mitigation program that better fit to its

12

business model, size, complexity, risk management, etc. allowing the regulatory authority both improving the resources allocation and achieving the supervising objectives.

According to the Federal Reserve Bank of San Francisco, “risk‐focused supervision is a process by which the risks facing each supervised institution are analyzed and an appropriate supervisory strategy is developed. The supervisory strategy is unique to each institution, thereby avoiding the rigid structures long associated with examination and other supervisory processes. Risk‐focused supervision relies heavily on internal risk management processes. Those institutions with a demonstrated ability to identify, measure, monitor and control the risk of financial loss will receive a reduced level of regulatory scrutiny during onsite examination and application review. Reduced regulatory scrutiny may include infrequent examinations and minimal or no transaction testing and reduced application information and processing time requirements.”

Not far from different is the next definition of risk‐focused supervision given by McDonald, which is as followed: “It is a structured process aimed at identifying the most critical risks that face each financial services company and through a focused review by the supervisor to assess the company’s management of those risks and the company’s financial vulnerability to severe constraints on its business and ultimately to the collapse of the company. The focus is on risk profiles and risk management capabilities of individual financial services companies so that supervisors have an early warning system of any rapid changes in the company’s financial position”.

In this approach, there is, as it was mentioned, a special focus on risk, in the ability of regulators to identify and assess the most risky activities in a financial corporation; which means, to identify and monitor the areas that can introduce high‐levels of risk to the company’s financial position or operation. Each industry in the financial system has some risks related to its operations, such as, in the case of banks, credit, market, liquidity, operational, legal and reputational risk (Federal Reserve System, 1997). For the stock market, the risks upon depends on the licenses or operation authorized in a specific market, but in general, intermediaries deal with management risk, legal and reputational risk, operational, counterparty risk, but portfolio investment –mutual funds and other collective investment schemes as individual investment portfolios ‐ face market risk, credit risk, liquidity risk, legal and reputation risk, counterparty risk, interest rate risk, exchange rate risk, operational risk and country risk. Additional to these risks, system risk from the industry or from the economy should be taking into account.

b) The origin of the Risk‐base approach

The concept of using the level of risk as a measure of financial system participant problems developed with the creation of some applications of the process in different countries. All of them focus on measuring the risk in their banking system, with the idea of receiving early warnings which could help the regulatory agency deal with the banks with signs of sickness in their accounts. For example, the risk rating system created in the 80s by the US federal banking

13

supervisors is called CAMELS that is an acronym standing for the six components of a bank that is assessed: Capital adequacy, Asset quality, Management, Earnings, Liquidity and Sensitivity to

market risk3.

Nevertheless, the risk supervision model really started to take shape with the Basel Accord issued

by the Basel Committee on Banking Supervision (BCBS)4, which requested the assessment of the

banks’ capital adequacy positions relative to their credit risk (Basel I, 1988) and their market risk (modification to Basel I, 1996). Additionally, in 2004 the Basel Committee on Banking Supervision issued a new Accord (Basel II), establishing an assessment of banks’ capital adequacy in relation to their overall risks, and for supervisors to review and take appropriate actions in response to those assessments. In this way, the minimum capital required for a bank is more sensitive to an institution’s risk profile, improving risk measurement and promoting incentives for fostering risk management by establishing a link between the required capital and the risk taken by the banks. The implementation of the Basel II, according to Brunner, Hinz and Rocha, was “an important step in the path towards Risk‐based supervision”.

The relationship between capital and risk gives a certain complexity to the application of the Basel Accord, due to the increasing intricacy of the bank services, in addition to the large range of new financial instruments with different risk‐reward ratios. That complexity was not only for the banking industry but for their supervisors, which started to define a new model for adequate supervision techniques appropriate to the new Accord request.

c) Adaptation of the model in different countries and industries

Nowadays there are many countries in which their bank supervisory agencies are working on or trying to develop the Risk‐based approach. The model that some countries are following is that of the integrated supervision of the United Kingdom and its Risk‐based supervision model. From that model, there are many different approaches as countries try to apply it. The model has not been uniformly applied from one country to another, which gives a country the flexibility to adapt the Risk‐based approach concept to the different realities of their markets, as Balcom (2008), said: “Various models for Risk‐based supervision exist around the world, but they all share the same basic elements”.

The experience of countries trying to introduce the model in their regulatory system shows that they need to improve the model over a continued time frame and it will thus take several years to become an effective system that will give confidence not only to the regulatory agency but also to

3 The last of these components was added in 1997.

4 The Basel Committee on Banking Supervision, which is integrated by representatives from central banks and regulatory authorities of the Group of Ten (economic) countries, plus others (specifically Luxembourg and Spain), provides a forum for regular cooperation on banking supervisory matters.

14

the financial industry. In terms of supervision, the regulatory agency needs to update its procedures in the market and the Risk approach is a part of it, since it is flexible enough to lead to changes in the supervision process. Each regulatory authority studied showed that a large period of time was used trying to introduce and implement the risk approach. For example, The Office of the Superintendent of Financial Institution (OSFI), according to Bruce, took 5 years to develop the model from the introduction /consultation to the supervisory guides. In 2008, the OSFI still has the benchmarking methodology in an on‐going process. In the case of the FSA, it has made several changes to its Risk model supervision in an attempt to help the user understand what is expected from the regulatory authority, as is expressed in the official update document which released a new stage of the approach. In the FSA’s Risk‐Assessment Framework (2006), the FSA had expressed the changes suffered by the supervision approach, “This paper explains some important changes we have made to ARROW as a part of continuing program of making the FSA easier to do business with”. The US GAO release (2000) described the challenges for large complex banking supervision that “the Federal Reserve and OCC's risk‐focused approaches to supervising large, complex banking organizations are evolving with changes intended to strengthen oversight of these entities”.

The Risk‐based approach has been applied not only to investment banks in the securities market but also in other participants in this industry. The regulatory authorities try to produce a supervision process not as simple as a check list of the legal frameworks, but with one that takes into account the risks facing the different groups of market participants, such as broker‐dealers, mutual fund managers, market operators, etc. Recently, different single securities market regulatory authorities in emerging market have started to introduce the concept, however, it still necessary to work in drafting the supervisory process, the risk assessment and the risk matrix. Measuring the risk in each participant’s operations and at the aggregate level is not an easy task in the securities market, since some of the objectives of the regulatory authority cannot be measured as easily as is the establishment of investor protection. The investors are better protected when there is more accurate and timely information about the market, however it is impossible to measure the amount of information that the market should demand. Instead, the adequacy of the amount of capital or other financial data is easy to define and it, at least, can be expressed numerically.

On the other hand, the pension fund industry uses the guidelines of the Risk‐based approach of the banking industry. The pension supervisory leaders applying the Risk‐based approach are in Australia, Denmark, Mexico, and the Netherlands and, according to Stewart, the supervisory authorities in these countries have developed sophisticated Risk‐based supervision models, with quantitative and qualitative analysis of the financial and operational risks applicable to their pension systems. That is not the exception for banks any more, where regulators are now improving their original model by adding more sophistication in terms of information resulting from new financial products and activities of the banks and also in terms of the measures of risk associated with these new financial operations. Brunner, Hinz and Rocha (2008) analyze the different motivations to introduce Risk‐based supervision in the four countries mentioned above, which are, among others: (a) Supervisory Structure ‐ Countries shifting to integrate institutions move on to the new risk approach (with the exception of Mexico, which remains alone in its effort

15

to implement the Risk‐based approach.); (b) Efficiency – In order to use efficiently the scarce resources of the regulatory authority, maintain a proactive attitude to face financial crisis, and promote confidence in the financial system as a whole, while simultaneously promoting competition among the participants by applying different supervision criteria depending on the complexity and the size of the participants. (c) Market Risk ‐ Improving risk‐management for pension funds and the proactive reaction stance of the supervisory body with regards to the movement of asset prices. d) Others ‐ The high complexity of the financial instruments and the markets, which make it difficult to assess and measure the risk associated to them.

The movement towards focusing on greater risks is also being reflected in the insurance industry. The International Association of Insurance Supervisors (IAIS) is currently working to develop a common international framework for assessing the solvency of insurers.

Some lessons from the Pension Fund supervisors, when introducing the Risk‐based approach in South Africa, Kenya, Germany, United Kingdom –pension fund supervisory‐ and Croatia, drawn by Stewart , are as follows:

(i) Adaptation of Models. Look at a range of available models – consult widely and adapt carefully, allow flexibility when applying a standardized model to various financial products, build in flexibility to upgrade models and systems on a regular basis, use pilot schemes and avoid a big bang� roll out across the pension industry at the same time and consider adapting models created for the insurance sector for pension funds with guarantees; (ii) Reorganization of Supervisory Authority. Allow plenty of lead time and do not underestimate the amount of change in the authority; move to a RBS whilst the supervisory authority has capacity, and before the growth of the pension industry accelerates; build any new administrative structures gradually and allow flexibility/ time to adapt; begin to build Risk‐based methodology into existing rules‐based systems; if possible, introduce RBS at the same time as other pension reforms to create synergy; suggest structures at the level of cross‐sector evaluation and separate departments analyzing and leading interventions on different risk categories; (iii) Data Collection. Make sure data collection is given a proper place in the planning process to work with the RBS and the supervisor has enough power to obtain it from pension funds (using persuasion rather than fines and sanctions); use existing data when possible to minimize costs and slim‐line reporting for small funds; data collection process in stages (e.g. larger funds first) and electronic submissions where possible; Explain clearly why the data is requested and to what use to which it will be put; (iv) Staff. Training for all staff – covering the philosophy as well as the process of Risk‐based supervision; rearrange existing staff where possible to minimize costs; use international expertise / ask for international training assistance; hire or secure some experts from risk‐aware sectors in the supervisory or private sector; use lead‐teams to drive the reform process; leverage internal expertise for training where possible; make training an on‐going regular process so that staff understand how the approach and models are adapting, how they are fitting with industry developments etc.; and leave plenty of lead time and flexibility and do not neglect basic management during the reform process; provide training for trustees, fiduciaries or other key stakeholders; (v) Industry. Explain the Risk‐based supervision process externally to other constituents and to a wide group of stakeholders; use

16

informal discussion groups / road‐shows to enlist feedback, take views from the board and ensure their buy‐in with the new process; ensure that good internal communication is on‐going, and with pension funds understanding the new relationship with the supervisor, as well as just the requirements for supplying information; ; work closely with other professional bodies such as accountants and actuaries; make sure that the whistleblowers understand their role in the process (both what they should and should not tell the supervisor); and finally communicate with the public to avoid major repercussions when future problems occur; and (vi) Powers. Legal powers are in place to enforce the new Risk‐based supervisory system; the powers are flexible and framed in such as way as to allow for a proportionate response; use persuasion / build non‐compliance into Risk‐based score leading to a supervisory response; charge risk‐based levies; fines/sanctions should be imposed on the responsible parties (clarify role of the administrator); and explain what funds should do to avoid a heavy supervisory response in order to build a lasting culture of compliance.

As we can see, the model can be applied to different industries because the concept of risk assessment and the actions to be taken for the regulatory authority and for the industry is translated for each industry’s specifics.

d) Advantages and Disadvantages of the Risk‐based Supervision Model

The regulator, on an ongoing basis, faces the evolution of the market resulting in new products and new practices, market and participant innovations, differing levels of risk‐tolerance, etc. All of these aspects sometimes are not in keeping with the regulations then in place, but also the regulations are fixed and do not allow flexibility for the regulators to take actions to match the reality of the situation. In this way, the new Risk‐based supervision approach helps the regulator to match the evolution of the market with its actions, which are aimed at protecting its own regulatory objectives.

The Risk‐based approach consists of both the risk assessment performed by each entity in the market and the regulator’s tasks regarding its supervising activities which include an assessment of each entities´ risk management performance. In order to do so, the regulator needs, if it is possible, to reproduce the same risk identification and measurement activities performed by the market entity, in order to clearly understand the entity’s most risky areas and, from them, be able to design appropriate Risk‐based monitoring and inspection programs. This is a different approach that requires the regulator to develop a clear understanding of the businesses to be regulated as well as developing knowledge of useful tools, which, with a series of review techniques and the broad information from the whole industry, helps the regulator conduct this Risk‐based supervision.

The Risk‐based approach helps the regulator to take initiatives and request actions from the industry, in order to manage the risk according to the condition of the market. This focus does not help the regulator to discover breaches of the law, but it is a way to help the regulator preserve the integrity of the market and forces it to have a better understanding of the industry. An important percentage of the responsibility in this approach, however, is on the side of the market

17

participants, because they have a better understanding of their business than the regulator and consequently, a better understanding of the risk they are taking on a daily basis and in intra‐day operations.

The advantage of this approach is the use of scarce supervisory authority resources in a very direct way to observe activities and participants in the market which present a high probability of putting themselves at risk through its operations, hazarding the investor’s objectives and the integrity of the market. In this way the regulator optimizes the use of the market’s resources treating each securities firm or market participant differently, which will depend on their demonstrated ability to assess and manage their risks.

The focus of the regulator is the achievement of its objectives. It develops several risk‐measurements in order to evaluate the business model and the control of the market participant, in order to assess the level of a potential risk of not achieving the regulator’s objectives.

In a general sense, the Risk‐based approach looks for an effective operation of the participant’s stock market business as well as to ensure regulatory compliance. Hence, Risk‐based supervision is more dynamic than the Rules‐based supervision due to its flexibility in adapting the regulator’s actions to the trend of the market. The regulatory authorities take a more pro‐active supervision, attempting to avoid potential problems before they occur. This logic generates a preventive supervision, which is desirable to avoid instability in the market that could evolve into a financial crisis.

According to Balcon (2008), the senior executive of FINRA: “The most important aspect of risk‐based supervision is remediation”, which stands for “detecting deficiencies in risk management and to require intermediaries to do something about it before a major problem occurs”. Nevertheless, the “remediation” factor can make uncertainty for the regulatory agency in a market with little understanding about the model and the objectives of the industry participation in the establishment of sound and transparent markets. This raises the question about what is the limit between remediation in contrast to enforcement. In the case of the FSA, the regulatory judgment is in place ready to use at the moment where it is necessary to use it, and the industry is aware of it. For instance, one of the five main elements in the FSA´s relationship with firms consists in the “work undertaken after particular risks have escalated or crystallized. Once the FSA has identified an issue, it will need to use its regulatory judgment to determine how it should respond, if at all.”(2002)

On the other hand, the resources of the regulator entities, according to the Compliance‐based approach, are focused in routine inspections, a focus in which active regulation is required, without taking into account the risky areas developing in the business of the market participants. In this way, the Risk‐based approach is more effective and covers areas such as operational risk and internal control procedures, which sometimes are not covered by the law. In general, some regulatory agencies rely on internal auditors to assess the effectiveness of internal control of the firm, even though there are many constraints about maintaining their independence and, as a consequence, about the independence and accuracy of their assessment.

18

Since, the assessment of risk is an issue considered in each regulation, some questions come to the regulatory staff in charge of the supervision process, such as: is the Risk‐based supervision more of the same, but with another fancy name?; are the regulators applying a risk‐model without realizing it?; what is necessary to have in place to call it: Risk‐based supervision? Definitely, the model is completely different from the Compliance‐based approach, since it includes the very active participation of the industry. The risk measurement for the regulator is focused not on the risk facing the participant but on the risk of not achieving its own objectives. Additionally Risk‐based supervision is a systematic process focused on uncovering risky areas in the market participants’ actions and taking action themselves in advance so that the risk left only a potential, but does not become a reality, so that it is not necessary to conduct an enforcement process.

There are some disadvantages that the model can generate. For instance, the regulator may be tempted to not have a good compliance‐enforcement program to discourage the market participant from breaching the law, instead focusing more on just measuring risk and translating the responsibility to the industry. Additionally, conflicts of interest can arise when the firm performs its own risk assessment, but moreover when defining the limits of the risks it can take, or being in the position of defining and implementing, appropriate measures for its mitigation if this occurs.

Risk‐based supervision relies much more on sound professional judgment and critical analysis, and less on Rules‐based compliance criteria, in order to make proper risk assessments (Watanagase). The OSFI (1999) engaged to define the significant activities: “Sound judgment is applied in determining the significance or materiality of any activity in which an institution engages” and also to define the exercise of sound judgment by concluding that identifying and evaluating risks in an institution is central to the effectiveness of the process, as a key principle of the Supervision Framework. At the same time the US GAO, set that “this approach relies on examiner judgment and results in certain bank operations receiving less scrutiny than others”. This feature can become a weakness if the regulator does not provide skilled staff to perform the supervision.

The supervision approaches have two different components; in Risk‐based supervision, the oversight process will have an individual risk assessment but there will also be a relative risk established with respect to peers or to a special segment of the market. On the other hand, the Rules‐based approach is focused on the compliance of the firm just with respect to itself.

19

III. International Experience using Risk‐Based Approach in the Securities Industry

In this section, the US, Canada, and the United Kingdom’s Risk‐based approach and that of other’s stock markets risk based approach experiences are reviewed.

1. The United Kingdom Risk‐based Supervision Model

The Financial Services Authority, whose responsibilities include the securities, insurance and bank industries, performs supervision of the financial market in the United Kingdom. Pension funds are regulated by another institution. The Handbook sets out all the FSA's rules, which include over 7000 rules and include high‐level standards, prudential and business standards, regulatory processes and redress, and specialist sourcebooks. However, the firms are not requested to apply every rule. The FSA supervises over 29,000 firms, where most of them (94.91% in 2006) pose little impact individually on the systemic risk and a very small number (0.33% in 2006) have a high systemic impact. The FAS, as does each regulator around the world, supervises the market with the limited resources available. In this scenario the FSA adopted the risk‐based regulation and the Advanced Risk‐Responsive Operating framework (ARROW), making this approach operational. In other words, the “ARROW” is used by the FSA to perform its risk approach.

The ARROW establishes a supervision process providing a link between the FSA’s statutory objectives and its regulatory activities. The objectives are: (a) maintaining confidence in the financial system, (b) promoting public understanding of the financial system, (c) securing the appropriate degree of protection for consumers and (d) reducing the incidence of financial crime.

The first step in the model is to create a risk map, that “starts with an environmental assessment,” which is “a forward‐looking view of the key issues in the external environment (e.g. governmental and European Union (EU) policy initiatives and economic, financial, legal, social and demographic developments)” FSA, 2002. The environmental assessment is published periodically in the FSA Financial Risk Outlook.

The model includes 4 different stages, which are part of a dynamic circle in an on‐going process. They are (i) Risk Identification. Identify the main risks to FSA objectives as they arise. (ii) Risk Measurement. Measure the importance of those risks. (iii) Risk Mitigation. Mitigate those risks where their size justifies this, and (iv) Risk Monitoring and Reporting. Monitor and report on the progress of FSA’s risk management.

The FSA considers something a risk if it has the potential to cause harm to one or more of its four statutory objectives that are set out by law: “Because we are interested in the effect of issues or events on our statutory objectives, this is a different perspective of risk than that normally managed by a firm”(2002).The work of ARROW consists of identifying the firms that pose the largest risk to regulatory authority objectives, close and continuous supervision of high‐risk firms, and less frequent contact with low‐risk firms. The approach is applied across all firms/industry sectors that the FSA regulates.

20

The ARROW system, which included both the risk metrics used to assess risk and the processes of the supervision, has two components:

(a) The firm framework used when assessing risks in individual firms is called “vertical” supervision. Following the next figure, the evaluation of Firm 1, which is a bank, will generate the assessment of the risks associated to it, and

(b) The thematic framework used when assessing cross‐cutting risks is called the “horizontal” work. When analyzing a potential market abuse or any other deceptive conduct, the FSA will assess the level of risk in all the firms of one group. The FSA assess the different firms that belong to a holding firm as a group, with independence for a firm if that individual firm has individual legal status. For large groups, operating in different industry sectors, the group may break the assessment down into “Material Business Units”, in addition to the consolidated assessment for the group as a whole. The next figure exemplifies the two components.

Figure 1. ARROW FSA: Firm and Thematic Framework

Periodically (usually every 1‐4 years), the group that conducts the assessment will conduct a complete re‐assessment of the risks that each firm / group poses to the regulatory authorities objectives.

To measure the risk of the firm, the model takes into account two variables:

1. The Impact of the problem if it occurs (I). Factors may include the size of the firm and the perceived importance of it. It measures how important the firm is in the market to which its activities can jeopardize the objectives of the regulatory authority.

2. The Probability of a problem occurring (P). Factors may include: the inherent business risk and level of Internal Control of the firm. It measures the probability of an occurrence of the risk, in other words, the likelihood that the risk will occur.

The result of combining these two variables is the weight assigned to the firm, in other words, R= I (x) P. Where R=Firm’s risk, I=Impact of the problem, and P=Probability of occurrence. The rating assigned in this stage will determine the overall approach and the intensity of the FSA’s response.

Using simple a four point scale, the firms are classified in 4 categories:

• Small firms. Small businesses, dominated by advisory business, but also most credit unions • Medium Low. Medium‐sized businesses or businesses where the FSA supervisory task is

relatively narrow – e.g. firms from European Economic Area (EEA). • Medium high. Medium‐sized businesses with a high risk profile. • High. Significant business normally formed into groups.

Firm 1 (bank)

Firm 2 (securities)

Firm 4 (fund)

Firm 3 (insurer)

Theme 1 (insider trading)

Theme 2 (Misleading information to the

21

The supervision approach will depend on which category the firm falls into, as was mentioned above. The impact of a firm largely determines which approach the FSA will use:

• Small firm approach: No relationship manager – contact centre – and remote monitoring only – no routine on‐site work.

• ARROW Light approach: Reduced scope periodic assessment (focus on “core areas”) and normally only around 1‐2 days on‐site visit.

• Full ARROW approach: Full scope risk periodic assessment and On‐site visit may be 3 days – 2 weeks.

• Close & continuous approach: Full scope periodic risk assessment – may take several months and on‐site work conducted throughout FSA supervisory period

Impact metrics. The FSA has developed a score which ranks the impact of regulated firms requiring an order‐of‐magnitude assessment of the firm’s potential to affect its objectives and proportional to the level of financial services the firm conducts, in other words, its size. The data used for this calculation varies by sector and it’s weighted for the industry sub‐sector. “The type of data used is driven by the activities that the firm undertakes. A specific denominator is applied to the raw data to arrive at a basic impact score” FSA, 2006.

Examples of the data used and denominators applied for various stock market firms are given in the table below.

Table 1. FSA Base Metric for Firm Activity Source: FSA, 2006

The information used to calculate these metrics is obtained though GABRIEL, which stands for GAthering Better Regulatory Information ELectronically, the new FSA regulatory reporting system for the collection, validation and storage of

regulatory data.

The basic impact scores calculated as described in the table are then subject to a weighting multiplier, which depends on the industry sub‐sector to which the firm belongs. This produces a final impact score for the firm in question.

An example of how to calculate the impact score:

Firm Activity Base Metric(s) Total assets or liabilities

= £180,000,000 Daily trade volume

= 125 trades Daily trade value

Advising, arranging and dealing as an agent (equities and derivatives)

= £75,000,000 Annual turnover Advising, arranging and dealings as

an agent (pensions and other products)

= £1,250,000

Funds under management Investment management firms (holding client money) =

£400,000,000

22

Impact (hedge fund) = 200% (weighting) x [£20,000,000,000 (funds under management) ÷ £400,000,000(standard divisor)]

This final impact score is then translated into an impact category: high, medium high, medium‐low or low. The boundaries between each category are set in terms of the numerical impact scores, as is showed in the following table.

Table 2. FSA Current Boundaries among Impact Categories The FSA’s senior management from time to time sets out the values of the sub‐sector multipliers and the impact category boundaries, in order to ensure that the risk model continues to reflect their current priorities and risk appetite.

Source: FSA, 2006

Probability of an event occurring: To measure the probability for individual issues, which is the “simple rating of the likelihood of the events described by the issue occurring”, the issues are classified according to the underlying risk element and each risk group. To do this, key units of risk are identified under the following risk categories, which allow classifying probability under ten high‐level risk groups that are divided into risk elements.

As was mentioned above, to establish the score for each of the ten risk groups, the model segregates each of them into risk elements. For example, to obtain the level of the Environmental Risk, it will necessary to evaluate the economic environment, the legislative/political environment, the competitive environment and the capital market efficiency. But, in the Financial & Operation Controls, the model assesses the Clearing and settlement arrangements, the financial controls, the IT security and controls, the policies, procedures and controls, the human resources controls, the security of client assets or money and the business continuity planning.

To establish the probability of an occurrence of the risk, the FSA uses a model of the above 10 high‐level risk group, defined in 4 different risk categories: (a). Business Risk: Environmental, Customers, Products and Markets, Business Processes and Prudential; (b) Control. Customer, Product & Market Controls, Financial & Operating Controls and Prudential Risk Controls; (c)Oversight & Governance. Control Functions, Management, Governance & Culture, and (d)Financial soundness Capital & Liquidity.

Impact category Impact score (after sub‐sector

weighting)

Low <5

Medium‐low ≥5 <20

Medium‐high ≥20 <300

High ≥300

23

Table 3. FSA Risk Groups with its corresponding Risk Elements

Assessing the risk probability at the level of the firm as a whole, consists in separating each of the ten risk groups, but takes into account any of the issues that have been found during the risk assessment. The risk’s aggregation model combines the inherent business risks, the specific front‐line controls, with the oversight & governance risks and the capital & liquidity risk of financial failure, leading to an overall assessment of net risk. The following box schematizes the different risk‐group and each of the risk components.

Source: FSA, 2006

Figure 2. FSA Structural probability assessment model

Risk Groups Risk Elements 1 Economic Environment

2 Legislative/Political Environment 3 Competitive Environment

1 Environmental Risks

4 Capital Market Efficiency 5 Institutional Client/Counterparty Characteristics 6 Retail Customer Characteristics 7 Institutional Product/Market Characteristics 8 Retail Product Characteristics

9 Distribution Channels

2 Customers, Products & Markets

10 Conflicts of Interest11 Litigation/Legal Risk 12 People Risk 13 IT Systems

14 Other Business Process Risks

3 Business Process Risks

15 Structure & Ownership16 Credit Risk 17 Market Risk 18 Operational Risk

19 Liquidity Risk 20 Insurance Underwriting Risk 21 Element 2 Risks 22 Element 3 Risks

4 Prudential Risks

23 Element 4 Risks

21 Accepting Customers 22 Sales Process & Product Development 23 Post Sale Handling of Customers/Counterparties 24 Market Conduct Controls 25 Membership Arrangements for RIEs

5 Customers, Products & Markets Controls

26 Conflict of Interest Management27 Clearing and Settlement Arrangements 28 Financial Controls 29 IT Security and Controls 30 Policies, Procedures and Controls 31 Human Resources Controls 32 Security of Client Assets or Client Money

6 Financial and Operating Controls

33 Business Continuity Planning34 Credit Risk Controls 35 Market Risk Controls 36 Operational Risk Controls 37 Liquidity Risk Controls 38 Insurance Risk Controls 39 Element 2 Controls

7 Prudential Risk Controls

40 Element 3 Controls/41 Element 4 Controls42 Compliance 43 Internal Audit

8 Control Functions

44 Enterprise‐wide Risk Management45 Culture & Management 46 Corporate Governance 47 Relationship with Regulators 48 Strategic Planning

9 Management, Governance and Culture

49 Relationship with Rest of Group 50 Adequacy of Capital

51 Adequacy of Liquidity

10 Capital & Liquidity

52 Adequacy of PII

24

After obtaining the score for each of the 10 risk groups, the model aggregates the scores across rows to give a net probability (See Net Probability Column on the right) and vertically, to generate an average under the three categories to obtain summary scores

The vertical categories are the driving factors that determine the nature of the relationship the firm will have with the overall supervision process with the FSA. Horizontally, as was explained,, the risk is aggregated into three net probability scores, using a multiplicative process where the weaknesses will compound and the strengths will reduce risks: customer treatment and market conduct, business/operating risk and prudential risk. The aggregation process generates a multiplicative score across rows to give the net risk, but vertically, come out with an average of the risk summary score.

For example if a firm has a Medium High level of average business risks, poor controls, poor oversight & governance and neutral environment and capital / liquidity position; the outcome summary scores will be Medium‐High and the net probability scores will be High. But, if instead the firm presents a very high risk appetite, excellent controls, excellent oversight & governance with neutral environment and capital/liquidity position, the summary scores will be High for business risk and Low for controls and oversight & governance. In this case, the firm will finish with a net probability score equal to Medium low, which is considered a risk acceptably controlled.

The probability assessment involves the development of a risk map that will be the basis for the risk mitigation program.

As a part of the process, the FSA performs an on‐site visit. The purpose of the FSA’s visit is to check and assess the information they are analyzing ahead of time. The FSA (2006) “normally seek to interview the senior management, of both the ‘front‐line’ businesses and the key control functions – e.g. the heads of internal audit, compliance and risk management”. Additionally, due to the importance and weight the FSA places on management, governance and culture, it interviews the non‐executives.

The areas covered in the interviews vary from assessment to assessment but the main purpose of

the interviews are defining for the FSA in a public document, named “A guide for Non‐Executive Directors” , the risk types that they want addressed but also the outcome, and the typical areas of

Customers, Products

& Markets Business

Process

Prudential

Customer, Product

& Market Controls Financial &

Operating Controls

Prudential Risk

Controls

Customer

Treatment &

Operating

Financial

Soundness

Business Risks Controls Oversight & Governance

Environment Business Model Controls Oversight & Governance Other Mitigants

Net Probability

Environmenta

Management,

Governance &

Control Functi

Customers, Products

& Markets Business

Process

Prudential

Environmental Risk

Customer, Product

& Market Controls Financial &

Operating Controls

Prudential Risk

Controls

Manage-ment,

Governance

& Culture

Control Functions

Capital & Liquidity

25

focus. For instance in the RISK ASSESSMENT & PLANNING, which is one of the risk types identified, the outcome is “Well thought out, and clearly articulated plans and objectives are an important part of managing the business. A risk assessment should help the firm identify what might prevent it from achieving those objectives, how this should be managed and what controls are needed.” (FSA, 2006).

The typical of areas of interest include, among others: Is there a process for tracking implementation (Management Information, etc.? What is the experience of management in implementing strategic changes? Are the effects of the control structures / operational infrastructure taken into account when developing the strategic plan?”, the goal of the examiner is to know the perception of the firm’s staff and “what steps they take to satisfy themselves that risks are identified, measured, monitored and controlled. After the visit, the tasks of the FSA’s examiner include completing the firm evaluation and designing a Risk Mitigation Program (RMP) for the firm. “The RMP is driven from the assessment and is targeted towards issues that have been identified and which need resolution. We typically describe these issues to the firm and agree with them on a desired outcome that we wish to achieve. In all cases, we aim for a solution that is proportionate to the risks identified”. The risk profile of the firm is established in The Risk Mitigation Program, which has become “a mechanism shared with the firm to design, highlight, pursue, and track risk issues using a common framework”. (FSA, 2006)

Before the completed RMP is sent to the firm, the team provides some preliminary feedback in a close‐out meeting. After receiving the RMP, “the firm’s management will have had two weeks to comment on the factual accuracy of the draft letter”. In this stage, the FSA evaluates the comments of the firm, which can include correction of any errors in the FSA assessment but not its judgment decisions. The final letter is sent to the firm’s Board of Directors or any equivalent body. (FSA, 2006)

There are some actions that the FSA expects to be conducted by the firm, such as to present the findings of its assessment to the Board of Directors, allocating responsibilities and monitoring further actions to show a risk management of those aspects as defined in the RMP.

Following up the risk assessment work, “the FSA will be carrying out ‘baseline monitoring’, which is designed to identify emerging risks and changes to those we have already identified”. In the case of high‐impact firms, the FSA carries out ‘close and continuous’ monitoring, which allowed them to maintain an up‐to‐date assessment on the firm’s senior management and control functions. (FSA, 2006).

26

a) Lessons from the United Kingdom Model The FSA had contributed significantly to understanding the risk‐based approach in the assessment of the Internal Audit Division of the Northern Rock bank, as related in the document “The supervision of Northern Rock: a lesson learned review”, where it showed important findings about the effectiveness of the ARROW model and also about the problems faced by the FSA in its implementation of the approach.

The United Kingdom’s fifth‐largest mortgage lender bank went into a process of nationalization in February 2008.

Northern Rock’s operations in mortgage‐securitization represented 43% of its assets, which when compared with other banks in England, showed it had the highest national percentage of mortgage securitization (Bradford & Bingley was at 28%, HBOS 11%, and LLoyds TSB 5%). Seriously affected by problems in credit markets caused by the US sub‐prime mortgage financial crisis, Northern Rock received emergency financial support

from the Bank of England in Sept. 2007.

This case initiated attention to the FSA activities and its risk‐based approach, which motivated FSA staff to review their supervision process in order to assess its weaknesses and its inefficiencies, since it was evident that based on the experience with Northern Rock, it was not adequately in the risk radar of the British Regulatory Authority.

In March 2008, the FSA Internal Audit Division released the report “The supervision of Northern Rock: a lesson learned review”. This single issue sent a message about the new era of performance among the regulatory authorities. They needed more accountability due to the public assets that they had in their control. This prompted the FSA to release a report where it identified all the internal problems faced by the British regulatory authority regarding oversight on Northern Rock from April 2004 to 2008.

The lessons from the UK model taken into account when designing and applying the Risk‐based supervision model are, among others:

• There was insufficient engagement by the heads of departments responsible for Northern Rock, due to:

o A lack of coordination within the different departments in the FSA, resulting in not detecting areas which could have alerted the supervisory team.

o A lack of continuity. The firm’s oversight team presented high staff turnover. Three different heads of department were in charge of the oversight of Northern Rock, which could cause inadequate understanding by some of them due to the limited time they had to react.

27

o A lack of attention. The FSA’s heads of department in charge of Northern Rock were working with many others issues, on top of normal pressures. In addition to Northern Rock, they had “other significant demands on their time during the period, including covering gaps arising due to manager turnover”. One example of lack of attention is that none of the three heads of department in charge of the firm’s oversight had ever met with Northern Rock. FSA (2008).

• Contrary to the practice in the FSA supervision process, they had formal records of meetings to hold discussions among the team in charge of a company as well as with the company. In the case of Northern Rock, however, there weren’t any such records.

• The firm’s risk profile was not adequate, due to:

o Northern Rock’s supervisory team did not follow the ARROW process by not enacting the Risk Mitigation Program (RMP), but also the ARROW panel agreed with this decision. In the supervision process, Northern Rock was considered a ‘low‐probability’ of risk, despite failing to implement a RMP and it being only one of 38 high‐impact firms without a program.

o The supervision team did not adequately assess the risks and they did not follow the ARROW procedure, so the system did not trigger different alerts considered in the model. For example, the ARROW panel did know about the risk environment that the bank was facing, and the bank’s ARROW risk score did not increase.

o Risk indicators that were checked during the Basel work were omitted. According to the FSA’s Internal Audit Division “This finding, taken together, indicates that the supervisory team did not adequately identify and pursue risks arising in the firm as a whole and in relation to its business model and control framework”. FSA (2008)

Lessons from applying the ARROW approach:

• The ARROW risk framework “provides the appropriate underpinning to support effective risk‐based supervision”. In the case of Northern Rock, “the framework was not used effectively, or as intended, and, in some cases – was not being used as local senior management thought”. FSA (2008).

• The absence of arrangements to filter priorities from FSA’s Financial Risk Outlook through to supervisors.

• The staff of FSA’s oversight had been insufficient to identify some of the key elements of the risk framework.

Other lessons not related to Northern Rock:

The Risk‐based supervision applied in the UK had been developed in the context of a large body of regulation (7,000 rules), a large quantity of securities firms (29,000 entities) and a highly complex market. This is not always the same situation for underdeveloped markets, which deal with much fewer participants, less regulation and less complex products and market participants. Despite the market being small, they face less regulation and inefficient public institutions. The UK Financial Services and Markets Bill was introduced in 1999 and the UK started to change their supervision model with the introduction of a new regulatory authority. Its model was first put in place in

28

1999/2000, when the FSA was formed from the merger of its 11 predecessor organizations. In January 2000 they published the basis for a new supervision framework in the document “A new Regulator for the New Millennium”. It was not until 2003 that they published “The Firm Risk Assessment Framework”, changed later to the ARROW model, which was officially created in 2004 and which had incurred changes with the passage of time. In 2006, the FSA released ARROW II with improvements to the original framework.

In the latest released document of 2006, the FSA defined itself as “a risk‐based regulator and ARROW is the framework we use to make risk‐based regulation operational”. These two issues establish two important lessons, one is that the FSA has taken an important step in its definition of its supervision goals, the other lesson is that the FSA defines a framework on how to work with its supervisory approach in order “to set out what firms can expect of FSA risk assessment process and how FSA plans to work with firms and how it will measure progress against relative service standards”. These two elements should be considered for a regulator when establishing the ways to achieve its regulatory goals, which are, the method and how to implement it. ARROW is a public document in which the FSA explains to the market its objectives and the way it conducts its surveillance activities in the market.

In the securities market, as in other industries, one model, as much evidence shows, cannot be applied to other countries, which are facing a different reality. The copy‐paste method of translating regulation systems had always resulted in poor outcomes by regulators or by international institutions with disastrous consequences for the market, where the medicine was worse than the disease.

Nowadays markets are experiencing their own internationalization to a regional or global sphere, with the consistent importation of practices in the local market. Even though this is happening there are still some features which make a market unique, with its own regulation, size, and sophistication of the participants that are different with respect to the others; hence trying to apply a model universally because it worked for one country can result in spending huge amounts of money and effort in adjusting it to another context. Each country has its own particularities; therefore a formula that works well in one country does not mean that it will be successful in others.

Thusly, the task for countries, whether they have developed or underdeveloped securities markets, is to be aware of this new approach for conducting market supervision, and to take its most useful and best fitting elements for their own unique market environment. The risk‐based approach as a concept can easily be applied in different countries when it is appropriately modified to fit local conditions, resulting in a model of risk assessment with the features necessary to make it more applicable to the size and complexity of the firms’ operations.

This approach implies treating the market participants differently, hence the concept, as is applied in developed markets, generates its parallel application in non‐developed markets, where the small‐sized participant can fit in with the medium or large participant in the other market. However, the nuances of the application vary when assessing the risks.

Before performing an on‐site visit, the examiners need to carry out a working‐assessment of the firm, where the examiner accumulates a thorough knowledge of the firm’s business and the risk

29

areas defined for past evaluations. The visit is not for large presentations where the top executives give the regulatory agency the information they deem fit or wasting time waiting for information. Instead, the visit becomes a truly dynamic interview where the examiner performs an inquisitor role in order to become completely aware of the business model, its operations, the existing controls, etc. which can lead him/her to more accurately evaluate the different risks facing the firm. Instead of performing a long‐term examination to corroborate operations, the on‐site visit consists in a high level interview to assess the management, business and culture of the market participant.

One important step in the UK Risk‐Based model is the design of a Risk Mitigation Program for the firm that has been evaluated, which gives the FSA’s team another proactive role rather than simply a passive role as an investigator administering an examination of the firm and reporting back with what they found; The traits and activities that are good or bad for the market, and whether it is operating in conflict with the law. The objective of the Risk Mitigation Program is to describe the risky areas of the firm’s operations and the desire of the FSA with respect to what area the firm needs to work on in order to avoid realization of the risk identified in the assessment process. In this way, the FSA team becomes a useful consultant team helping the FSA to achieve their goals, rather than just a tough compliance enforcer.

2. The Federal Reserve System approach

The Federal Reserve System (FED), which is the entity in charge of supervising and regulating banking the US nation's banking and financial system, has broadly settled its framework of risk‐focused supervision by large complex institutions and community banks, which “rely on understanding of the institution, the performance of risk assessments, development of a supervisory plan, and examination procedures tailored to the risk profile”.

The key elements of the risk‐focused supervision of large complex institutions are as followed (i) Designation of a central point of contact, to facilitate coordination among regulators and other areas. (ii) Review of functional activities. (iii) Focus on risk management processes, (iv) Tailoring of supervisory activities and (v) Emphasis on ongoing supervision.

In order to understand the functional approach as the banks are organized, the FED has adopted “some of the same functional business line approaches to supervision, including examination process”.

The off‐site planning activities include: (i) the direct off‐site and on‐site work (ii) reviewing in‐house information, (iii) requesting information from the institution, and (iv) discussions with management. In this stage, the FED also examines the internal factors ‐ management changes or operational changes ‐ and external influences of the entity – economy, competition or legal changes that can greatly affect the bank performance.

The risk assessment task includes identifying, quantifying, monitoring and controlling the risk of the entity. From here on many activities will be planned to perform on and off‐site to finish in a following up activity that continues the monitoring process.

30

The supervision methodology includes 6 steps that are part of the previous general scheme, which are: understanding the entity, assessing the entity, planning and scheduling supervisory activities, defining examination activities, performing the examination process and reporting the findings. Each stage is revised with a general description of the products associated with it. Due to this continuous and dynamic process, each product, of which the content and format is flexible, “should be revised as new information is received”. Step 1: Understanding the entity. The aim is to completely understand the bank and its risk areas, through the analysis of prior reports of examinations, surveillance data and general information about the entities´ financial statement, auditor reports, press releases, and information from other regulators, etc.

The product from this step is the Institutional Overview, which consists in “an executive summary of the entity’s present and its current and prospective risk profiles as well as highlights key issues and past supervisory findings” (FED). Some information to take into account that should be important in this report, includes: a brief description of the organizational structure, legal and business units, merger, acquisition, divestitures, consolidations; organization´s business strategies, key business lines, product mix, marketing emphasis, board oversight, leadership strengths or weaknesses; consolidation financial conditions and trends, external and internal audit, supervisory activity performed since the last review, etc.

Step 2: Assessing the entity, that process highlights both strengths and vulnerabilities of an entity and provides a foundation for determining the supervisory activities to be conducted , has the aim to define the score which will determine the entity’s risk‐rating. The products of this step are the Risk Matrix and the Risk Assessment. The credit, market, liquidity, operational, legal and reputation risks are assessed in each entity whose activities present various combination and concentration of these risks depending on the nature and scope of the particular activity . It is important to assess, in this stage, the entity’s overall risk environment – risk tolerance and management’s perception of the entity’s strengths and weaknesses, ‐ the reliability of its internal risk management – internal and external audit, loan review and compliance functions ‐ and the adequacy of its information systems (FED).

The inherent risks of the entity’s significant activities is calculated using a risk matrix (See Table 1) and adjusted by the risk management regulators about these activities, in order to establish the

composite risk assessment. From here, each function or activity is identified as a high, moderate or low risk for each type of risk assessed.

31

Table 4. FED Entity Risk Matrix Inherent Risk Risk Management System Functional

Activities

Volume or relative weight

cred

it

Market

Liqu

idity

Ope

ratio

nal

Legal

Repu

tatio

nal

Other

Board and Management oversight

Policies, procedures and limits

Risk management, monitoring and MIS

Internal Controls

Composite Risk

Lending ‐ comercial ‐ personal

Mod 30% Low 15% Mod Low Low Mod Low Low Low

Treasury and Investment

Retail Operation

OVERALL COMPOSITE RISK

Table 5. FED Composite Risk for significant activities The scale for inherent risk is defined as a Low, Moderate or High. Low inherent risk exists where the volume, size or nature of the activity is such that even if the internal controls have weaknesses, the risk of loss is remote.

Moderate inherent risk exists when there is a potential risk, but such risk can be absorbed by the organization in the normal course of business. High inherent risk is defined as when the event is significant or positions are large in relation to the entity’s resources or to its peer group. The realization of the event occurring could result in a significant loss to the bank.

The composite risk for each significant activity is established by considering the overall level of inherent risk of the event in comparison with the overall strength of risk management systems for that event. For example if there is a product or service that is defined as of a high inherent risk ‐sub‐prime loans‐, the probability and the magnitude of the loss will depend upon the quality of the processes in place for the management to overcome the risk (approving sub‐prime lending based on the payment capacity of the client, appropriate leverage limits of Collateralized Debt Obligations –CDOs,‐ strict disclosure requirements, etc.)

The matrix (Table 2) shows the inverse relationship between the inherent risk of the activity and the risk management system, therefore, when the first one is low but the risk management system is strong, the composite e risk will be low, on the contrary, when the inherent risk is high and the risk management is weak, the composite risk is high, as well as when the first is high and the risk management is acceptable.

Inherent risk of the activity

Low Moderate High

Risk Management System

Composite Risk Assessment

Weak Low or Moderate Moderate or High High

Acceptable Low Moderate High

Strong Low Low or Moderate Moderate or High

32

Step 3. Planning and Scheduling Supervisory Activities. As a result of this step, the Supervisory Plan and the Examination Program will be defined.

Step 4. Defining Examination Activities. The product of this step is the Scope Memorandum and the Entry Letter. This stage is aimed to define the scope of internal system appropriateness through the on‐site transaction testing, included in the Scope Memorandum. The Entry Letter will describe “the information necessary for the successful execution of the on‐site examination procedures” (FED, 1997.)

Step 5. Performing Examination Procedures. The Functional examination modules will be the product this step. Functional key areas are identified to be included in the procedures.

Step 6. Reporting the findings. The content of the report should be clearly and concisely communicate to the entity’s management or any problem, concern and the supervisory rating, as well as, comments regarding deficiencies in the entity’s risk management system. The Examination report(s) will be drawn in this step.

3. The Canada Risk‐based Model

The Office of the Superintendent of Financial Institutions (OSFI), a unified supervisor of banks, insurance companies, cooperatives, trust and loan companies and pensions plan industry, defined its risk approach in 1999, through the establishment of benefits of the revised supervisory framework, which are: (a) better evaluation of risks through separate assessment of inherent risks and risk management processes (b) greater emphasis on early identification of emerging risks and system‐wide issues (c) cost effective use of resources through a sharper focus on risk, and (d) reporting of risk focused assessment to institutions.

The supervisory process defined by the OSFI includes 6 steps as are depicted in Table 6. OSFI Supervision Steps and Products The steps are logically organized and have some particularities with respect to other experiences. For example, the analysis, which is the first step, is performed at least once every three months for an entity rated Stage 1 or better, and on a monthly basis for entities rated Stage 2 or worse. The supervisory groups are responsible for ongoing analysis and monitoring of the entities.

The Supervision Plan, based on the Risk Assessment Summary (RAS), is elaborated on annually and establishes the work planned and resources required. In addition to the discovery presented in the RAS, the Supervision Plan, includes the industry risks, concerns or issues raised by OSFI´s Specialist Support or Regulatory Sectors, concerns or issues raised by OSFI´s executives, and planning for benchmarking, peer reviews or other special studies. The steps of the supervisory process and the products are depicted in the next table.

33

Table 6. OSFI Supervision Steps and Products The supervision plan is a dynamic tool which is subject to revision if unforeseen events alter the entity’s risk profile, but for those changes intended, instead to broaden the scope of the exam, priorities are established.

In the step 3, the relationship manager coordinates the different on‐site

activities and the requisition of information as well as the on‐going relationship with the entity’s management.

Documentation, in step 4, defines the documentation and the standards for files and other information used by the supervisory groups. For example, the Supervise File structure includes an updated copy of the Risk Assessment Summary; a copy of the Management Report and related correspondence, working papers, and copies of varies section notes. This last type of documentation, “section note”, is prepared in a standard format for each significant activity or risk management control function identified for review.

Communication of the finding –reporting‐ is addressed annually to the entity, describing the results of the supervisory actions. When the supervisory group has performed an on‐site visit, three different verbal and written reports are released, including previous discussions with the entity’s senior manager – or responsible manager ‐ to the OSFI management, (updated RAS, summary of findings and section notes), the entity’s management and to the external stakeholders.

The management report in the step 7, is the key written document sent to the entity’s management, which includes the findings, recommendations and follow‐up on previous findings. Finally in the “Follow‐up” step, an on‐going monitoring of findings and recommendations is performed.

Table 7. OSFI Risk Matrix The components of the OSFI Risk Matrix, which record the assessment of an entity’s risk, are:

(a) Significant Activities can include any significant line of business, unit or process. Sound judgment is applied in determining the significance or materiality of any activity.

STEPS OUTPUT 1. Analysis 1. Risk Matrix 2. Risk Assessment Summary (RAS) 2. Planning 3. Supervisory Plans 3. Action 4. Information requests 4. Documentation 5. Section Notes 5. Reporting 6. Working papers 7. Management Report 8. Updated RAS 6. Follow‐up. 9. Updated RAS

34

(b) Inherent Risks: The inherent risks are divided into three levels: low, moderate and high. The first one is a risk lower than the average probability of an adverse impact on an entity’s capital or earnings due to negative exposure and uncertainty from potential future events. A moderate inherent risk is related to an event in which the average probability of occurrence will have an adverse impact on the entity’s capital or earnings. The last one, is related to the event which has a higher than average provability of an adverse impact.

©Quality of Risk Management: In the table 4 are depicted the six risk management control functions that, according to the OSFI, may exist in an institution. The quality of risk management processes is assessed as strong, acceptable or weak.

(d) Net Risk: The net risk, which is rated as low, moderate or high, is offset by the quality of the institution’s risk management. The aggregate levels are based on the judgments of the supervision group, with respect to the inherent risk and risk management.

(e) Direction of Risk: is the tendency of the risk that can be assessed as decreasing, stable or increasing considering an appropriate time horizon for the institution.

The philosophy of the approach is in establishing the degree to which an entity’s management controls for a given activity need to be reviewed and depends on the assessment of the effectiveness of the entity’s risk management controls.

4. Experiences applying Risk‐based Supervision in the Securities Market

In the “Objectives and Principles for Securities Markets” release in 1998, the International Organization of Securities Commissions (IOSCO), have addressed the risk‐base approach in the supervision of securities markets, as is shown in this section, but in some countries with a small and underdeveloped stock market, there are not capital requirements associated with the level of the risk taken by market participants. But also in those regulators who have such a requirement, it has only been recently, that the regulators have started to discuss how to introduce systematic procedures for identifying and assessing the risk of the participants.

The experience related in this section comes from some regulators that have recently started to introduce the approach and from those with an integrated regulator, which the unified supervisor has introduced in the last decade; those risk assessment procedures in the securities markets, as in the case of England.

Each country has applied the concept of the risk‐based approach but has developed, among others, its own risk matrix and supervision process. They assessed their own main activities/licenses/business lines, have required specific data from the market through specific procedures and forms, have developed their own electronic processing information systems and risk‐score software, and have different experienced personnel who apply their criteria to develop the firm’s risk score. That again demonstrates that that a risk‐based supervision model can not be directly copied from that of one country to another because each model responds to the market size, regulation framework, sophistication of the market participants, and other nuances of the country, regulator and participants. However, important guidelines can be drawn from the

35

experiences of other countries in applying risk based supervision in the securities market, as is developed in the following elements:

Compliance‐based and Risk‐based supervision. Compliance‐based supervision processes are performed in order for surveillance of the law’s application to the market participants. Some regulators have started to develop the risk‐based focused supervision, but still, there isn’t a connection between their risk assessment and the regulator activities. Hence, the Annual Supervision Plan of the regulator and the entity’s inspection plan do not take into account the risk profile of the firm, in order to establish the objectives, scope or frequency of the exams.

Inherent Risk. The regulatory authority defines the inherent risk score of each market participant and classifies the business lines as high, medium or low risk. This measure of inherent risk is the result of the risk‐assessment conducted by the specialists and supervisory group, which consists in an evaluation of the impact of a negative event if happening and the probability that the event will occur. The inherent risk is the consequence of the business model or business process defined by the firm. According to OSFI (1999), “inherent risk is the intrinsic risk to a business activity and arises from exposure and uncertainty from potential future events. Inherent Risk is evaluated by considering the degree of probability and the potential size of an adverse impact on an institution’s capital or earnings.”

Firm Risk Profile. To establish the firm risk profile, the supervision team evaluates each area of the firm’s activities or business segments and assesses their controls, the quality of the organization’s management, the legal compliance, and other parameters that will indicate the ability of the firm to manage their own risks. A final score is calculating with the assessment of the firm risk management.

Other countries have established the firm’s final risk score as a weighted average of the firm’s inherent risk but combining with the number of licenses or other relevant firm information, which are common parameters for the industry.

Risk assessment. The countries define the types of risk associated with an area or business segment of the firm, which is assessed in order to establish a score that allows it to be compared with other firms in the market. For example, a firm authorized to offer advising services is associated with risks such as financial, legal and operational. To assess the level of risk in each area or business segment (advising, arranging, etc), there is certain information that is analyzed and combined together in order to establish the firm’s risk score. For example, in the case of financial risk, the amount of trading activity and volume, gross revenue, the number of clients, and the level of the firm’s capital adequacy relative to the required capital could be useful in this way: In a company where the trading activity is between 1 and 1000 trades weekly the score is equal to 1, Gross Revenue (<10 thousand US$) =1, Number of clients (From 1 to 100 clients) =1, Net capital to required capital (100%=1.75). The score derived from measuring the financial risk in brokerage activity will be determined by: Trading activity (1 to 1000 trades weekly =1) [plus] Gross Revenue (<10 thousand US$=1) [plus] Number of clients (From 1 to 100 clients =1) [times] Net capital to required capital (100%=1.75).

36

Risk Assessment Model. The system for assessing the risk varies from sophisticated formulas integrated in an electronic system to an Excel Matrix. Both methods combine objective and subjective data to measure the risk of the participants. The level of risk by the participants’ business lines or the participants’ activities is assessed, using some criteria, which include, among others, the size of the participants, their sophistication in managing the risks, the number of employees and the number of clients. Some countries have developed questionnaires to address regulatory and operational concerns so as to establish the firm’s risk score, in order to support the assessment. However, when the regulator obtains well‐defined measures with specific numbers, the risk score ultimately assigned to an activity or business line will be based on the judgment of the supervision team, as is mentioned in the “adjusting risk score”.

Assessing Non‐numerical Data. In the case of assessing non‐numerical data, such as the quality of the staff or the competitiveness of the management, different categories of quality are defined. For example, these can include good, middle and low or minimal, moderate and significant. These categories then receive a risk score for the firm, as followed: 1, 2, 3 from minimal to significant. In this way, the model can process both different numeral and non‐numerical variables that affect the business activity of the firm or market participant. The quality of the firm’s control, which is not a numerical variable, is determined using a defined scale of adequate, inadequate or material deficiency. This variable is assessed in each of the license/business lines of the firm.

Industry Intrinsic Risk. Some countries have defined an “Industry Intrinsic Risk”, so as to have a common indicator in which each firm/activity will be assessed. The measure of the industry intrinsic risk is defined on the basis of the experience and knowledge of the assessment team.

Adjusting the risk score. The risk score can be adjusted for the level of intrinsic risk allowing regulators (1) to establish different levels of risk in each activity/services/product of the firm and (2) to rank the market participants, identifying the more risky institutions. When the IT system model or the Excel model results in a numerical score, advice for the regulator is not firmly chained to this number. In this early stage it is important for the quality of the process, that senior supervisory personnel validate the risk score with adjusting consequences if their knowledge and experience, current news, and personal judgment, etc. permits them to readdress the assessment of the firm.

Risk Assessment for Holding Companies. More sophisticated methods establish the risk to each firm that belongs to a holding company, defining a risk score as a group and individually. It is necessary, however, that either the supervision is integrated in only one regulatory agency or there is in existence good coordination among the regulatory authorities in the financial market. In this case, intra‐agency teams work together to develop a risk score for the different companies of the group.

The Inspection Plan. With the final assessment (inherent risk and risk management), the regulatory authority will be ready by resources allocation, to focus on the most risky entities of the industry and most risky entity activities. The Inspection Plan will be the document tailored by the regulatory authority for each market participant that will be taking into account its risk position in the market.

37

Examiners profile. The difficult part for the regulatory authority is to develop a group of skilled examiners who will become investigators of securities businesses. For instance, the examiners, instead of passing on a procedure to the broker‐dealer, will talk with the compliance manager, the director of trading or even with the person in the back office in order to understand the broker‐dealer business model and its risk assessment process. Only with this knowledge in hand will the examiner be able to identify the risk‐areas on which he or she should concentrate his/her attention when performing on‐site visits. The ultimate achievement for the regulator will be to develop research from current auditors, moving them away from a controlling or rule‐compliance based system to a sophisticated risk‐finder.

The supervisory group and other specialist teams will need to be multidisciplinary, in order to bring different backgrounds and skills to the risk supervision approach.

Firm Risk Matrix. The Firm Risk Matrix is a table that helps to organize the assessment of the market participant. The next table shows the different categories of licenses or product lines which will assessed.

Table 8. Categories of Assessment

Each license/product line receives an assessment, which is on the basis of the criteria/judgment of the team in charge of the process. In order to use this information to define the firm’s risk score, each category of the assessment is converted into numbers using the points defined previously for each category of market participants, as is shown in the final column “points”.

The next table shows how each business line is assessed regarding each risk group, using the rate scale (bottom of the table).

Table 9. Risk Group Assessment

From this point, a general score will be established in order to calculate the firm risk score that will define the composite risk assessment and

from there the supervisory answer (frequency and scope) to the firm.

License/Product lines Assessment Points

License 1, brokerage Inadequate 0.5

License 2, IPO Adequate 1.25

License 3, Internet trading Adequate 1.5

License 4, Custodian Material deficiency 0

License 5, International trading N/A N/A

Business Line Risk Groups

Licensed Activity Financial Operations Legal/ Compliance

Technology /Systems

Clearance/ Settlement

Advising 2 6 6 7 2

Internet trading 4 8 8 8 3

Margin/Short Sales 6 8 8 8 3

Brokerage 3 4 6 4 0

Foreign Markets 5 7 7 7 6

Scale: 1 = Low Risk; 5 = Moderate Risk; 9 = High Risk; 0 = Risk Group; Not Applicable

38

Using hypothetical information, the next example establishes a firm composite risk score, which is another way to calculate the firm score, assessing the different licenses (dealing, advising, etc.) and different business segments (products) in each license.

Table 10. General Information about the Firm ABC broker house (hypothetical example)

There are 5 different licenses that broker‐dealer agent can obtain from the Securities Commission, which are, for this example, dealing, advising, portfolio management, arranging and International brokerage (foreign markets). The Firm ABC has authorization to carry out financial activities in three of them. Under the licenses for dealing and portfolio management the firm offers 6 different

business segments for each license and 3 business segments under the licenses for advising. The business segment had been named as “product 1”, product 2”, etc, that can represent, for example, a category of arrangement. The business segment could be for initial public offerings, secondary offerings, corporate advisory, etc. Licenses, business segments, etc. will depend on each market.

Each business segment will be analyzed in order to assess how well the firm is able to supervise, manage, or control each aspect of its business. In doing that, each of them will be scored in order to define the level of risk they represent for the firm. In the example below, 6 different risk categories have been selected; however this will depend on which kind of market participant this will be. These risks are legal, financial, operations risk, technology, clearance and settlement risk.

Each segment’s business/product will be assessed resulting in a numeral score, with 1 representing the lowest risk and 9 the highest risk, as is represented in the next table.

Table 11. Numerical Score to Represent Different Levels of Risk The goal of using a numerical score is to generate a risk score as well as a risk ranking of High, Medium or Low for each brokerage house in the market. This largely will determine the inspection scheduling and focus of the inspection processes.

The risk group is evaluated in order to establish the potential risk that it poses in each business segment; hence, higher scores represent a combination of higher potential adverse impacts on the regulatory authority objectives and less effective internal procedures and controls. For some risk groups, the internal procedure and controls will represent a cushion to reducing the impact of the overall risk score.

Licenses Firm ABC broker house

Products/Business Lines

1 Dealing X 6

2 Advising X 3

3 Portfolio Management X 6

4 Arranging

5 Foreign markets

Totals 5 3 15

Score 1 2 3 4 5 6 7 8 9

Categorization Low Risk Middle Risk High Level Risk

39

Table 12. Firm & Industry Risk Matrix for the Dealing License

Using the Score Matrix the first step is assigning a firm a risk score for each business segment. This Firm & Industry Risk Matrix is the input worksheet to establish the Firm’s Composite Risk Score, which leads the supervision team to establish the level of risk that the firm poses to the regulator’s objectives. The supervision staff will enter scores for each business segment

relative to each of the risk groups (operational, financial, compliance, legal, systems and technology risk).

The inspection staff will base the assessment of the firm’s risk on an evaluation of each business segment relative to a set of measures and information that can help the staff to evaluate the level of commitment in compliance and risk management of the firm. For example, in the case of an Initial Public Offering (IPOs) in the arranging license, the information can vary, from the number of IPOs arranged or advised, revenue earned from this business segment, experience of the legal department in the IPO process, number of failures in the IPOs due to inefficiencies by the firm, complaints from clients respecting previous processes of IPOs, past inspection exams, how the IPO services have managed compliance problems, overall assessment of the experience of the chief in charge of this area, etc.

The score of the firm’s risk level can be the result, either from sophisticated formulas using data from periodic information submitted by the market participants, from previous exams, from news, etc. or based on the experience of the inspection team. Also some countries developed questionnaires to support their scores.

Firm: ABC, Inv

License: Dealing

Product/Business segments

Legal Risk

Financial Risk

Operatio‐nal Risk

Techn. Risk

Clearing Risk

Cumulative Risk Score

Average Total Avg. Segm.

FIRM RISK

Product 1 2 3 8 2 4 19 3.8

Product 2 3 4 7 4 5 23 4.6

Product 3 4 5 6 6 6 27 5.4

Product 4 5 6 6 7 24 6

Product 5 4 7 5 2 6 24 4.8 BUSINES SEG

MEN

TS

Product 6 3 8 5 3 4 23 4.6 4.83 INDUSTRY RISK

Product 1 8 5 7 9 4 33 6.6

Product 2 2 5 8 6 4 25 5

Product 3 8 5 4 9 26 6.5

Product 4 2 5 4 8 19 4.75

Product 5 2 5 4 7 5 23 4.6 BUSINES SEG

MEN

TS

Product 6 4 5 5 9 4 27 5.4 5.46

40

Table 13. Firm & Industry Risk Matrix for the Investment License

The industry risk measures the risk that the firm takes from the whole market, not just for its own operation, which is also called the intrinsic risk. The intrinsic risk of each business segment

is the average (2.93) of all of the scores filled in the matrix from external information of the market. The industry risk score is defined by the inspection team after a deep analysis of the whole market and the external factors that can affect the industry in general.

Table 14. Firm Risk Profile This composite score is the result of combining the firm risk and the industry risk score for each business segment/product.

The firm’s risk score, which is weighted with respect to the industry risk, is defined as: Firm Risk Profile = (Firm Risk Score)*(Industry Risk Score)

Firm: ABC, Inv Matrix: Firm Risk & Industry Risk License: Investment Product/Business

segments Legal Risk

Finan‐cial Risk

Opera‐tional Risk

Tech. Risk

Clearing Risk


Ave‐rage

Total Avg Segment

FIRM RISK

Product 1 4 4 5 3 3 19 3.8 Product 2 4 6 5 3 3 21 4.2 Product 3 4 5 5 3 3 20 4 Product 4 Product 5

BUSINES

SEGMEN

TS

Product 6 4.00 INDUSTRY RISK

Product 1 3 3 3 3 3 15 3 Product 2 3 3 3 3 3 15 3 Product 3 2 3 3 3 3 14 2.8 Product 4 Product 5

BUSINES

SEGMEN

TS

Product 6 2.93

Product/Busines segments

Legal Risk

Financial Risk

Operational Risk

Technology Risk

Clearing Risk


Ave‐rage

Total Avg Business Segment

License: Dealing Product 1 16 15 56 18 16 121 24.2 Product 2 6 20 56 24 20 126 25.2 Product 3 32 25 24 54 0 135 27 Product 4 10 30 24 56 0 120 24 Product 5 8 35 20 14 30 107 21.4 BU

SINES SEG

MEN

TS

Product 6 12 40 25 27 16 120 24 24.30

License: Advising

Product 1 12 12 15 9 9 57 11.4 Product 2 12 18 15 9 9 63 12.6 Product 3 8 15 15 9 9 56 11.2 Product 4 0 0 0 0 0 0 0 Product 5 0 0 0 0 0 0 0 BU

SINES SEG

MEN

TS

Product 6 0 0 0 0 0 0 0 5.87

License: Portfolio Management Product 1 16 16 81 81 0 194 38.8 Product 2 4 16 81 81 0 182 36.4 Product 3 16 16 81 81 2 196 39.2 Product 4 4 16 81 81 0 182 36.4 Product 5 4 16 81 81 20 202 40.4

BUSINES SEG

MEN

TS

Product 6 8 10 81 81 2 182 36.4 37.93

License: Arranging Product 1

BUSINES

SEGMEN

TS

Product 2

License: International Product 1

Product 2

BUSINES

SEGMEN

TS

Product 3

41

Table 15. Risk Score Calculation

The average of the weighted scores is established using the Firm and Industry Risk Matrix. (Average Dealing Firm Risk * Average Industry Risk Matrix).

For Example, in the case of “Dealing”, it will be: [(4.83)*(5.46)]= 26.37

This score is the aggregate of the all of the licenses scores. The result (71.45) is divided by

the number of licenses of this firm, which is 3, as is shown in the general information of the brokerage house (License 1 Dealing, License 2 Advising and License 3 Portfolio Management).

Table 16. Distribution of the Score to Rate the Firm’s Risk

In order to establish the maximum possible score, the risk scores of the firm are tested with the maximum level of risk, which is 9.

The Firm Composite Risk Score is based on the results of the firm’s risk score adjusted for the intrinsic risks applicable to each business segment. This score will define the Firm Risk Rating which is measured against a floating scale based on the number of authorized licenses for which the firm has been approved and the scope of its business within those authorized categories. The weighted average risk score for each license is calculated adding both firm and industry risk and dividing the result by the number of authorized licenses. This score helps the examiners to assess the level of risk among the different licenses.

Table 17. Categorization of the Firm Risk Score

The maximum possible score is divided in 3 parts in order to establish the different levels

that categorize a firm, which can be low, middle or high risk. The firm risk categorization will be the basis for the regulation approach that the regulatory authority will perform in each firm.

License Score

License 1 Dealing 26.3793103License 2 Advising 11.7333333License 3 Portfolio Management 33.3399015License 4 Arranging 0

License 5 International 0Sum of weighted scores 71.4525452Average of weighted scores (71.45/3 licenses) 23.8175151

Description ScoreMinimum Score 1Middle Score 22.53Maximum Possible Score 45.055% for each licenses 2.2533% of the maximum score 14.8766% of the maximum score 29.74Firm Composite Risk Score 23.82

Categorization of the Firm Low Risk From 1 points To 22.53 points

Middle Risk From 23.53 points To 45.05 points High Risk Up to 45.05 points

42

Table 18. Risk Ranking Assignment

Score 1 2 3 4 5 6 7 8 9

Categorization Low Risk Middle Risk High Level Risk

Using the above Risk Ranking Assignation table, the composite risk assessment of the firm is “middle risk”, due to the fact that the Firm Composite Risk Score is 23.83. From here the regulatory authority will define the scope of the Supervision Plan.

5. Important Similarities among the FED, OCC, OSFI & FSA’s Supervision Approach

Three of the models analyzed, from the OSFI, the Federal Reserve, and the FSA, defined the risk as a combination of the impact and probability of actions. The impact is the harm produce by the event if it occurs and the probability it will happen. .

They also establish for large and complex firms or holding companies a relationship contact person (relationship manager or central point of contact) in order to coordinate the different regulatory actions with the staff of the regulatory authority and with other regulators. This person is in charge of leading on‐site visits and other activities regarding the firm’s supervision process.

The three models studied introduce along with the risk‐focused supervision approach, the concept of specialists who support the supervisory groups. The specialists are in charge of knowing different risk areas of the firm.

Table 19. Methodology Steps of the FED, OSFI and FSA Federal Reserve System

(FED) OSFI FSA

Understanding the entity (1) Analysis, understanding the entity and developing a risk profile (2) Planning (scheduling and planning activities for the supervisory period) (3)Action. Conducting on‐site reviews and on‐going monitoring.

Planning, (preliminary assessment and scoping activities). Planning validation. Discovery (on‐site visit to the firm).

Assessing the entity’s risk (4)Documentation. Preparing and filing information to support findings.

Evaluation (risk identification and measurement): finalizing and recording the assessment. Preliminary RMP. Preliminary feedback (close out meeting). Final validation (Risk Mitigation Program). Communication of the firm´s assessment result (including ARROW approach and definition of the regulatory period)*

43

Federal Reserve System (FED)

OSFI FSA

Planning and Scheduling supervisory activities

Defining examination activities

Performing examination procedures

Performing ARROW approach

Reporting finding (5) Reporting of finding and recommendations (6) follow up of finding and recommendation

Communicating the results of major thematic work Follow up (Baseline and Close and continuous monitoring)

*Full ARROW, ARROW light and Small Firms

Table 20. Risk evaluated by FED, OCC, OSFI and FSA Federal Reserve System (FED)

OCC OSFI FSA

Credit Credit Credit Market Price, Interest Rate, Foreign

Exchange Market

Liquidity Liquidity Liquidity Reputational Reputational Legal Compliance Legal &Regulatory Insurance

Prudential Risk1/ Credit Market Liquidity Operational Insurance underwriting risk

Strategic Strategic 1/ The FSA have defined 10 risk groups. See Table 3.

Table 21. The Risk Management Factors by the FED, the OSFI and the FSA FED OSFI FSA

Prudential Risk Control (Credit, market, operational, liquidity, insurance, etc risk controls)

Active board and senior management oversight

Board Oversight

Senior Management

Management, Corporate Governance Culture & Management

Adequate risk management, monitoring, and management information system

Risk Management

Enterprise‐wide risk management

Comprehensive internal controls Internal Audit Internal Audit

Compliance Compliance

Financial Analysis

Adequacy of Capital/Liquidity/Pilar II

44

IV. Developing a Compliance and Risk Supervision Model

This section analyzes the international standards for securities markets regarding market oversight, the rationality behind the compliance and risk‐based approaches, and guidelines to design a risk supervision model for a small and underdeveloped securities market.

The approach suggested in this research to implement market supervision in a two‐fold manner, the compliance component with its enforcement consequences, and the risk‐based supervision with its risk mitigation philosophy. The full integration of the risk‐based method could take years and would need to be accompanied by dialogue with the market participants in order to increase their understanding. Special attention would need to be paid to investor protections, self‐regulatory schemes, and other aspects that, in some cases, are not present in underdeveloped countries or are not appropriately established in order to keep a sufficiently efficient, fair and transparent market.

1. Guidelines of the International Standards for Securities Markets

The International Organization for Securities Commissions (IOSCO), which is the institution in charge of defining the best practices for securities markets, is based in Madrid, Spain; It currently has more than 181 members from more than one hundred jurisdictions. The IOSCO had defined 30 principles for the securities markets, including those that are related to the compliance program. The international standards dictated by IOSCO have helped regulatory authorities by providing a guide for identifying future actions, such as legal changes, and has become a benchmark for assessing markets on a global scale with the best practices.

There are many critics of the use of international standards in small stock securities markets, due to the fact that they had been defined on the basis of large and developed securities markets. However, these standards have been used for underdeveloped markets as a benchmark to assess and introduce legal changes. Also, the steadily increasing internationalization of financial activities and the globalization of the markets make necessary to establish a common set of requirements for good practices among different jurisdictions. For this reason, regulatory authorities in small markets can negotiate with the industry for a timetable to comply with international standards, but cannot give up on their mission to introduce good practices in their local markets.

Three of its 30 IOSCO´ standards (2003) are related to inspection and surveillance, which are: (1) the regulator should have comprehensive inspection, investigation and surveillance powers, (2) the regulator should have comprehensive enforcement powers, and (3) the regulatory system should ensure an effective and credible use of inspection, investigation, surveillance and enforcement powers and implement an effective compliance program.

Thus the regulatory authority which has been granted with certain powers that are exercised through the actions it carries out in order to ensure that the market participants are complying with securities laws. In this way, “the regulator should be able to demonstrate and explain how its powers are exercised by the regulatory actions undertaken in the jurisdiction and the compliance programs in place, and the type of on‐going and ad hoc monitoring activities performed in the jurisdiction”.

45

a) The Compliance System

According to IOSCO, the compliance system includes: (a) the inspections performed using instruments and techniques which are adequate, but which may vary from jurisdiction to jurisdiction, and (b) Other monitoring or surveillance techniques. In this way, the “Supervision of market intermediaries conducted through inspection and surveillance helps to ensure the maintenance of high standards and the protection of investors, which are preventive programs complementing the investigation and enforcement programs” (1998‐2003).

The Compliance System has a broad scope established and is supervised by the regulatory authority; however, some of the activities are performed by the industry. IOSCO has established, as part of this system, that the regulator should require the market participants to have in place supervisory and compliance procedures reasonably designed to prevent securities law violations. It will be a regulator role to inspect periodically these procedures in order to check how well it is executed and communicated to its employees, but also take measures against, discipline, or sanction intermediaries for their failure to effectively supervise subordinate personnel which activities may violate the securities laws; require market surveillance mechanisms that permit an audit of the execution and trading of all transactions in authorized exchanges and regulated trading systems; and have, either itself or another competent authority, an effective enforcement program in place to enforce regulatory requirements (2003).

b) The Inspection and Surveillance Program

The inspection and surveillance programs, which are designed for the regulatory authority, should contain the examiner’s goals for each market participant, the necessary resources, and effective coordination with other areas of the regulatory authority or other institutions; determine the type of appropriate exams (cause exam, risk‐targeted examination sweeps, etc.); the objectives and scope of the exam, the scheduling for on and off site visits, and written procedures for actions before, during and after the exam.

According to IOSCO (2003), the regulator should carry out inspections by itself or with another competent authority and might consider delegating such authority to a Self‐Regulatory Organization. Also, the regulator can use properly supervised third parties “to carry out some of this inspection work on its behalf. These third parties should also be subject to disclosure and confidentiality requirements. Such inspections must be carried out with adequate instruments and techniques, and these may vary between jurisdictions”.

The inspection system, which is a portion of the activities established for the regulator to carry out to detect breaches, will include inspection on a routine and periodic basis, upon a risk assessment, and upon a complaint associated with an inspected entity. The regulator should have the capacity to perform the inspection program according to a well structured inspection plan, combining routine visits to perform pre‐established procedures for each category of market participants, cause inspections to investigate specific risks driven by the profile of market risk and the profile of each institution, and special inspections, in the case of complaints, news, information from the automatic monitoring system that identifies unusual transactions, etc.

Following the design and implementation of an effective system to detect breaches, the regulator should create “adequate mechanisms and procedures to detect and investigate market and/or

46

price manipulation, insider trading, failure of compliance with other regulatory requirements ‐ for instance, conduction of the business, capital adequacy, disclosure or segregation of client assets”. Additionally, it will be necessary to create and implement “an adequate system to receive and respond to investor complaints”. In some areas, for example in the scrutiny of trading at an exchange, the use of information technology will be necessary for effective regulation. In other areas, including the inspection of broker conduct, consideration needs to be given to the balance between on‐site inspection and interviews and the requirement for the brokers to provide information from time to time that can be reviewed off‐site. IOSCO (2003).

As part of the effective system to detect breaches of the law, the regulatory authority should gather and use information from the inspection reports and follow up with action where the report “indicates that the regulator is competently discharging inspection responsibilities and the regulator is adequately addressing unusual market activity”. IOSCO (2003)

Additionally, IOSCO has established (2003) the necessity to “have an effective and credible enforcement system”, which is impossible to accomplish with only the powers listed above being given to the authority. To achieve this goal, “The regulator should be able to: a) Detect suspected breaches of the law in an effective and timely manner. b) Gather the relevant information necessary for investigating such potential breaches. c) Be able to use such information to take action where a breach of the law is identified”.

c) The IOSCO Risk Approach

The introduction of the risk assessment process is addressed by IOSCO in order to establish the way in which inspection visits can be triggered. In doing so it establishes that “Inspection visits may be rotational or driven by risk assessment or complaint. In making decisions on the efficient use of resources, the regulator must consider both the need for wide market coverage and the importance of adequate inspection in areas of high risk to investors or which threaten systemic stability” (1998). This statement is also referring to the efficient use of the regulatory authority’s resources.

One of the IOSCO’S Principles, ‐Number 22, ‐establishes that “There should be initial and ongoing capital and other prudential requirements for market intermediaries that reflect the risks that the intermediaries undertake”. This principle shows the necessity to assess the risk of the market participant in order to establish regulations appropriate to the level of risk taken. IOSCO also requires, in Principle number 23, compliance by the market intermediaries with the “standards for internal organization and operational conduct that aim to protect the interests of clients, ensure proper management of risk, and under which management of the intermediary accepts primary responsibility for these matters” (1998). In this way, IOSCO is establishing the importance of risk management by market intermediaries, but moreover establishing their obligation to ensure its proper management.

IOSCO is aware that regulators cannot be expected to prevent the financial failure of market intermediaries, however, it establishes that the “regulation should aim to reduce the risk of failure, including through capital and internal control requirements. Where financial failure nonetheless does occur, regulation should seek to reduce the impact of that failure, and, in

47

particular, attempt to isolate the risk to the failing institution. In this line of ideas, Market intermediaries should, therefore, be subject to adequate and ongoing capital and other prudential requirements. IOSCO continues drawing a line between the intermediary’s business and counterparties and the customer’s assets; by establishing that “if necessary, an intermediary should be able to wind down its business without loss to its customers and counterparties or systemic damage”.

IOSCO also has introduced the risk approach for the surveillance of other markets activities. For instance, the clearing and settlement process, which is an important systemic issue for countries due to the impact it can cause in financial system failure. This approach establishes that “an efficient and accurate clearing and settlement process must be “properly supervised and utilize effective risk management tools” (1998).

An important caveat to the periodic or risk‐based inspections is mentioned by IOSCO (2003) when it establishes principles and guidelines for an Investment Adviser: “If the adviser does not deal, but is permitted to have custody of client assets, regulation should provide for the protection of client assets, including segregation and periodic or risk‐based inspections ‐ either by the regulator or an independent third party ‐”.

When assessing the degree of IOSCO’s principle 10’s application that relates to the market intermediaries, IOSCO (2003) gives an explanatory note to assess a risk‐based inspection program. In such cases, “the assessor should determine how priorities are set and how they are adjusted or updated, for example, by use of review of periodic financial reports or other mechanisms. It is sufficient that a system for the redress of complaints under the regulatory framework be addressed through an ombudsman, external dispute‐resolution provision or other third party scheme or through oversight of individual firm arrangements”. Again, IOSCO assumes the existence of a risk‐based inspection program performed by the regulatory authority.

According to the above analysis, IOSCO does not establish guidelines in favor of one supervision approach or the other; however, it has defined the necessary elements for a successful compliance and enforcement system to detect suspected breaches of the law in an effective and timely manner. It also defined a dual supervision system in two areas:

1. Compliance and enforcement action and the risk assessment approach to establish (a) the prudential request to the market intermediaries, related to the level of risk they take in the market, and (b) the resource allocation of the regulatory authority, triggered by risk assessment of the market participants.

The risk‐based approach has been established as an important strategy to be followed as a prudential regulation system for the market intermediaries, but also in the actions to be taken by the regulator when designing its Compliance System and its Inspection Program.

2. The inspection and surveillance activities of the regulatory authority and the compliance approach by the market participants.

48

An important issue from the guidelines established in the IOSCO principles is the necessity to create a compliance system that includes high participation by the industry involved. Additionally, IOSCO establishes an important approach to risk taking by the market from the regulator’s point of view, in which regulation “should not unnecessarily stifle legitimate risk taking”. But, at the same time, it should promote an adequate level of risk management by the industry: “Rather, regulators should promote and allow for the effective management of risk and ensure that capital and other prudential requirements are sufficient to address appropriate risk taking, allow the absorption of some losses and check excessive risk taking” IOSCO, 1998.

This analysis shows the IOSCO has not been out of the risk‐based supervision approach discussion and it has taken a very important role in establishing guidelines for regulators around the world.

2. Rational for Using a Compliance and Risk‐based Supervision Approach in Small Markets

The rational for the use of both the compliance and the Risk‐based approach comes from IOSCO, which pointed out the necessity for the regulator to have an effective compliance system focused on detecting and deterring securities law violations but, at the same time, introducing the Risk‐based approach, in order to establish prudential regulations, which will be in accordance with the level of risk that each firm poses to the system. Moreover, the Risk approach to compliance will play an important role when the regulator defines the oversight activities for each market participant. Following the recommendations of IOSCO, a combination of Rule‐based compliance and Risk‐based approaches is suggested in order to establish the basis for effective market oversight and to give certainty to the market in terms of clear rules compliance requirements, but at the same time introducing the Risk approach so that the scarce resources of the regulator can be utilized more efficiently.

Compliance and Risk‐based supervision rely on two components, the regulatory authorities and the market participants, due to the fact that the responsibilities are shared by both of these entities. The rational behind that dual responsibility is that an information asymmetry exists between the regulators and the private entities that could be suitably addressed in such a way that certain portions of the compliance tasks could be given to the side where the information is produced, which is the market participants.

Since the two approaches are not mutually exclusive, they can co‐exist and provide more certainty to the regulator that sound practices are being applied that will ensure fair, efficient and transparent markets in which the investor is protected and the systemic risk is reduced. The outcome of one type of supervision approach can help the other to achieve its goals and vice versa. In the end, both approaches help the regulator to achieve the ultimate objective of market supervision, protection of the investors.

The Risk‐based approach helps to identify risk areas allowing the regulator to prioritize its resources and take actions to prevent the occurrence of systemic risk. This approach also broadens the power of the regulatory authority, which can react promptly without waiting for changes in the legal framework. The Rule‐based component of compliance allows the regulator to

49

Regulatory Authority Market Participants

continue being rigorous concerning the law, and meanwhile the regulatory authority creates a compliance culture within the industry. Also, after the lessons from the sub‐prime mortgage crisis in the US financial system, it will be necessary to work with other oversight elements such as ethical and corporate governance rules in order to develop a fair and reliable business person who contributes to develop a market with high ethical standards. Meanwhile, the compliance and enforcement procedures cannot be eliminated from the framework of an effective regulatory system.

In small markets, the participants are focused on growing and developing their particular market, which can create tension with the regulator’s objectives. Nevertheless, the regulator should look for an equilibrium position where any market disruption will not jeopardize the whole financial system. In this way, the Risk‐based approach could be an enormous and permanent information source for the authorities in order to assess the market participant’s behaviors and their implications for the whole market.

In countries that have developed the risk approach, the legal and compliance element has been incorporated as a risk component to be assessed as in other more risky elements such as credit market, etc. However the importance of introducing the supervision approach, with the name of Compliance and Risk‐based supervision, is due to the fact that the change in the supervision approach can confuse the market participants about the compliance supervision role performed by the regulatory authority.

The following scheme shows the different roles for both regulators and market participants, in both supervision approaches.

Figure 3. The Compliance Supervision and the Risk‐based Approach: Role of the regulatory authority and the market participants.

Compliance‐based

Approach

Inspection to detect breaches of the law: - Performance of regular exams (cycle inspection plan)

- Special exams

Compliance with the regulation in place, which is evaluated for the regulatory authority.

Self‐assessment of any risk taking by each market participant

- Identification - Measuring - Controlling - Reporting - Corrective actions

Self‐compliance: - Monitoring - Reporting - Corrective actions

Measure the risk of each firm Measure the risk of the market Risk Assessment with respect to the regulatory objectives Development of a Risk Mitigation Program Coordination with the industry to evaluate the firm risk profiles Ongoing Risk evaluation

Risk‐based Approach

50

The figure above shows the differences between the Risk‐based and Compliance‐based approaches with regard to the roles of the regulatory authority and the market participants. In this new Risk‐based model, the regulatory authority adopts a more active role in understanding the risk that each firm poses in its regulatory objectives. For the industry a more active participation by the regulator results in measuring, controlling, reporting and corrective actions in order to establish and keep an adequate level of risk‐management in their business.

In a small and underdeveloped market, the number of participants is a relatively small quantity and the regulator, even though it only has limited resources, has the ability to keep track of all of the participants on a cyclical basis through its routine examinations to assess each firm’s compliance with the regulatory requirements. Additionally the markets are not as vast and the financial products are not as sophisticated as are found in developed markets, so it can be easier to develop supervision oversight for these small markets using some elements and tools of the developed markets.

In order to gain the benefits of both approaches, the next section analyzes the design of a supervision program combining elements of the Risk‐based supervision process with the traditional compliance approach.

3. Enterprise Risk Management

In the last decade, a broad regulation and set of guidelines about risk management have been developed either by public institutions or by professional organizations. Parallel to this, a risk management industry has sprouted up around the world. On the side of banking regulation, Basel Accord II, introduced in 2004, reforms to the 1998 Accord with remarkable changes to risk management, that established: “The Committee believes that the revised Framework will promote the adoption of stronger risk management practices by the banking industry, and views this as one of its major benefits”.

Additionally, risk management has attracted the interest of the public and private arena after several great corporate fraud scandals, such as ENRON5 in the US (2006) and Parmalat6 in Italy (2004). This interest led to a discussion that reached a level where it was determined that the corporate world needed to improve their internal controls, corporate governance and risk management. The three of these are oriented to create a self‐assessment and self‐management of risk.

5 http://www.nytimes.com/2006/05/25/business/25cnd‐enron.html. April 12, 2008

6 http://www.nytimes.com/2004/07/22/business/report‐says‐banks‐helped‐parmalat‐hide‐fraud.html. April 12, 2008

51

From the perspective of government regulation in the US, the Sarbanes Oxley Act was enacted in 2002 and in Germany the Stock Corporation Act in 1998. Meanwhile, regulation in the private sector has risen in the way of corporate governance codes. Some codes had been issued by entities in charge of organizing the trading system, as in the case of stock exchanges, e.g. Final NYSE Corporate Governance Rules and The Combined Code on Corporate Governance both issued in 2003 or by professional affiliation, such as the US Committee on Sponsoring Organization of the Tradeway Commission (COSO), with “the COSO Enterprise Risk Management Framework”, issued in 2004. Public rules include a component of punishment for non‐compliance and private guidelines, issued as recommendations, with an obligation to comply when firms are listed in a stock exchange.

Both types of regulation have received some harsh criticism, with cases of financial fraud being the most discussed, especially now that the current financial crisis has burned out. The outcomes are illuminating the behavior of corporate management, which was not only marked by greedy conduct but also a confirmation that the identification, assessment, mitigation, control, and monitoring of financial risk did not work properly, therefore resulting in corporate failures and bankruptcies.

These experiences cause the question to arise, should the regulatory authority rely on the internal controls, corporate governance and risk management? Surely they cannot. Public policy needs to be clear with respect to the role of the regulatory authority and build a stock market infrastructure and a compliance system where people feel the presence of a strong supervisor that they can count on to control those who wish to take advantage of the market’s imperfections. However, companies should pursue to conduct its businesses in a reliable and sound conditions, for this reason, the risk management should not be a procedure required by the supervisory authority but should be a standard required by the industry because people invest in them, and believe in them as a whole, so the behavior of one can damage the reputation of the system, therefore regulator but the industry should came out together with a prudential supervision.

A new paradigm that respects compliance and commitment culture in the corporate world should be created to bring confidence to the market. Perhaps it will be necessary to create new values in society after thinking about how to create a corporate world that deserves to work, manage, and keep custody of the resources of others. In small countries the compliance culture can be strongly damaged by the lack of institutional respect existing in other developed countries. However, we are still faced with human behavior, where it is necessary to establish checks and balances because corporate management can take advantage of the asymmetric information between principal (shareholders) and agents (corporate directors).

There are some important aspects to take into account when designing a system for risk management in corporations, which are, among others:

a) Strong application of the law to send a message to the industry. Regulators should have an unshakable attitude with the industry, in order to gain respect regarding its implacable role in the market;

(b) Strong regulations about management responsibilities. The regulatory authority should establish guidelines regarding private regulation scope, to require risk self‐assessment and mechanisms dealing with how the private sector should conduct ethical compliance, and

52

(c) The private sector should evaluate its role in protecting confidence of the market and establishing measures to encourage competition among ethical players.

4. The Supervision Model: Designing, Introduction and Implementation.

The methodology to conduct a compliance and risk‐based supervision program is developed in this section, which includes the different steps and actions performed for the supervisory authority, and then to conducting the supervision in the securities market. Figure 4. Steps to Introduce the Risk‐Supervision Model

The two first steps are related to the work needed to be done inside the regulatory authority. They are in the stage of designing the model. The third step is the process of taking it beyond the regulatory authority, in order to introduce the model in the industry. This is the stage that implements the model. The common factor in the three steps is training, which includes training inside the Regulatory Authority in the first step, and training inside and outside to include the market participants for the second and third step. The process for implementing and conducting the new supervision approach includes its design,

introduction and implementation with a guide for the different steps and actions to be performed by the supervisory authority.

a) The Design of the Compliance and Risk‐based Supervision Model

The design of the Compliance and Risk‐based Supervision Model, includes: developing the model inside the regulator organization, that should take into account among others, the training of staff, the organizational structure and studying the regulation necessary to introduce the model, as well as the design of the supervision manual, database and an electronic system to adapt them to the supervision process, the design of the methodology to establish a risk map of the market and the risk profile of each participant, and a list of the resources available, including the profile of the supervision personnel, and the list of necessities to continue with further steps to introduce the model.

STEP II 1. Issue regulation 2. Training 3. Dialogue with the

Industry 4. Trying and adjusting

the model

STEP I- 1. Training 2. Designing the Compliance and Risk-based Supervision model 3. Defining the map of risk per market participant 4. Discussing inside regulatory agency

STEP III - Market

1. Risk assessment 2. Compliance units 3. Feedback

• Between firms • To the supervisor

4. Training

53

Training the staff and the market participants. The regulatory authority should promote training for its personnel (investigation and interview skills, knowledge of the industry, team working, industry best practices, industry and macroeconomic analysis, etc.) and for the market participants (the role of the market participant, the corporative risk management, the supervision process, etc.) Additionally, it is necessary to conduct a continuous dialogue to discuss the new approach with the representatives of industry.

The training component has been deliberately mentioned first, due to its great importance in the whole process. Before starting the new project, the regulatory staff needs to be trained not only about the model but also respect to the new supervision philosophy so that the staff can understand the tools that are required for the new approach, the supervision process, the identification and assessment of the firms as well as the role of the different participants, including how to involve all of them deeply in the process.

Organizational Structure. The regulatory authority needs to adapt its internal structure to the new approach, through an organizational structure that include the staff and divisions to develop effectively and efficiently the new supervision model. The organizational structure should include, at least, the risk assessment group or specialists, entity coordinator, supervisory groups, cross sector team coordinator, and validation or quality control staff.

Organizational Culture. The strongest component of establishing the new model will be to develop an appropriate culture among the examiners; hence it will be necessary to introduce it thoroughly to make the changes that will allow the staff to work in accord with the new approach. Some of the changes include the establishment of team working philosophy instead of an individual behavior culture.

Regulation. The regulatory authority will need to issue internal and external regulations, in order to establish new rules focused on Compliance and Risk‐based supervision.

Internal Rules. The internal rules necessary to introduce the new supervision approach will be related to establishing a new organizational structure, supervision procedure, supervisory goals, profile of examiners, roles and responsibilities necessary to the establishment of the new supervision approach, etc. A comprehensive supervision Manual and other internal documents need to be created in order to define and develop the new supervision approach.

External Rules. Firms and other market intermediaries should formally implement a risk management process. Therefore, regulations need to establish a bar for the minimum amount of work that is requested from the firms regarding risk identification, measuring, controlling and reporting. The general assessment of the firm respects its measures to control and mitigate the potential risk in order to protect its business and the client’s assets.

The risk management process needs to be established in a written document, reviewed and updated on a regular basis by top management executives with ultimately the approval of the board of directors of the firm or market participant, as is the case. To complement the

54

process in the market, the participant should have a self‐compliance system that closes the cycle to avoid gaps in their business activities. The regulator should require these systems to match the sophistication of the participant, but further supervisory actions should be taken in regard to the capacity to control its risks and its level of rule‐compliance.

The rules to be introduced for the regulatory authority should be flexible enough to adapt the concept to the size and complexity of each institution. The focus in the first instance of working with the market is to create a risk assessment culture more than to impose the enforcement rules which can generate tension and a tendency to avoid the objective of creating a basic understanding about the goals of the regulatory authority and the commitment of the private sector to contribute to the generation of a fair, transparent and efficient market.

As has been mentioned, the Risk‐based supervision program has its origin in the banking industry, with the requirement for a minimal level of capital, which is a component of the function of the risk profile of banking institutions. However, universal bank and holding groups lead by banks have transmitted this concept to other financial institutions. Nonetheless, the introduction of the model has not been equally appropriate and conveyed for the entire industry, making it necessary that the regulation establishes some standards and enforces the application of the concept by itself with additional implications for the board of directors, which in the end, bears the responsibility of the companies’ management.

Supervision Manual. The design of the supervision manual should consider the regulatory approach, objectives of the regulator actions, the frequency of the examinations, the scope of each visit and the content of the exam, the type of exam, and the Risk Score Matrix for each market participant category. The Firm/market participant Risk score should be a useful tool to prioritize and allocate resources.

There is also a necessity in small markets to keep all of the institutions monitored. Entities are run by and for human beings; hence their behavior can be analyzed in the context of human behavior. In this way, if the firm knows that it will be ignored by the regulator, employees without concern for ethical standards or without any deterring action can be tempted to act on the margin of the law or beyond it. The risk‐based approach can contribute in creating a relaxed environment for those firms that know that the regulatory authority is dealing with risk‐focused supervision. In the case of ethical behavior one would expect somebody to behave appropriately because of their personal/business values, but in some cases human beings need external checks and balances for monitoring their actions. This is one of the reasons why the market needs regulators and oversight institutions; that can establish a deterring strategy in order to build a sound and strong market structure to keep and develop market confidence.

Planning the year’s schedule for supervision using the Compliance and Risk‐based approach will include having a compliance index and a risk‐map of the market, which ultimately leads to an analysis of the compliance behavior and risk score of each participant. These tools will help the

55

regulator to create a pool list of risky institutions and risky product lines/licenses or activities, which will be the focus of the regulator during the fiscal year. However, the other entities may adopt a morally hazardous behavior if they are able to know for sure that the regulator will not watch them for nearly a year, at least as a target for an on‐site visit. To counteract this behavior, a robust off‐site surveillance program should be implemented in a parallel fashion to the regular annual oversight for those risky market participants.

The supervision manual should have at least the following content:

Introduction. The objectives of the supervision and the general background should be included to introduce the model as well as a broad description of the different steps of the process as part of the introduction to the Supervision Manual. The philosophy of the model, its goals and a general explanation of the Compliance and Risk‐based approach, as well as the role of the examiners, specialists, supervisory groups, market participants, etc.

Supervisory Authority Goals. The authority should identify its objectives that will be pursued in order to protect the investors with the efforts of supervision. The work of the staff will consist in establishing how a participant can jeopardize these objectives.

Regulation Framework. Description of the regulatory framework on which is the new supervision approach is based. In addition, this section will describe the objectives of the rules and their relationship with the compliance and risk‐based approach and with the objectives of the supervisory authority.

The Supervision Process. The objective of the supervision manual is to describe the different stages and products of the supervision process, as well as its components and the resources that the regulator can use to perform the supervision. This should include: the consideration to establish an inspection manual for each category of market participant (broker‐dealer, investment companies, clearance and settlement companies, etc.), the levels of responsibility to design and perform the Inspection Plan for each firm/market participant, the actions or steps that will be taken after the risk assessment, how the regulator will build the risk firm/market participant profile, which reporting will be generated from the process and the information required from the industry, how to establish the cycle of inspections for the different authorized entities, the profile of each examiner/specialist required for each type of market participant, the compliance index, the procedures to address risk areas and compliance issues, the process to monitor and update risk assessment, etc.

The supervision steps will be divided into different dynamic stages, such as the pre‐inspection, ‐ the off‐site work to plan and discover everything about the industry and about the firm ‐ , the risk‐assessment, ‐ which includes all the off‐site work and on‐site visit to establish a firm’s net risk or firm’s total risk ‐ , the validation of the risk‐assessment, the compliance and preparation of the risk report to the firm, monitoring the firm/market

56

participant’s risk, etc. The scope of this stage as well as the role of the supervision staff needs to be addressed in this section. For example, the pre‐inspection process will include a broad review of the systems and controls such as customer identification, monitoring, reporting and training, conduct background, compliance history, etc. The next figure shows a proposal of the stages which could be included in a Compliance and Risk supervision model:

Figure 5. Proposal of Compliance and Risk Supervision Model

Table 22. Proposal of Steps, Products and Responsible

Steps Product Responsible/Participant

1. Data Analysis Update Firm Description and update industry knowledge

Supervisory group / Specialists

2. Risk identifying Developing the Risk Matrix Supervisory group / Specialists 3. Risk assessment

Inherent Risk Supervisory group / Specialists

4. Risk management assessment

Firm´s Risk Profile (On site work) Supervisory group / Specialists

5. Reporting ‐ Definition of the firm’s regulatory approach (resources allocation) ‐ Risk Mitigation Program ‐ Inspection Plan (Memoranda Plan)

Supervisory group coordinator / supervisory group and specialist Validation Committee

6. Performing Examination procedures

Updating Risk Mitigation Program Exam report which can originate sanctioning administrative procedures

(On‐site work) Supervisory group coordinator / supervisory group and specialist Validation Committee

7. Following up Updating firm’s risk profile Supervisory group coordinator and firm management

Repor‐ting

Examination procedures

Following up

R.Manage‐ment Assessment

Data Analysis

Risk Identifi‐cation

Risk Assess‐ment

The supervision process is a dynamic cycle with two components, the risk assessment performed by the regulatory authority and the firm risk management.

57

The organizational structure should include a validation committee in order to ensure the quality of the process and the regulatory authority’s answer to the firm.

Intermediaries Selection Process. The securities commission needs to establish a Risk‐based intermediary selection process for inclusion in its annual inspection plan, that it will thus broadly define the reasons why the market participants are being placed in each risk category – low, middle and high.

Inspection Cycle. The inspection cycle component will allow the supervision staff and the supervision team, using the Risk Score Matrix and the general assessment of the risk market, to categorize each firm/market participant as those who pose the least amount of risk, a moderate amount of risk, and the most amount of risk. The regulatory authority every period will establish for the market (i.e. 1, 2, 3, 4 years) an examination of each authorized person in the market. The period of time will depend upon the market size, resources of the regulator, automation of the process, etc. Hence, the more risky entities will be the object of constant attention by the securities commission; meanwhile the other market participants will be divided in a cycle plan, where, over a set regular period of time, all of the authorized entities will be revised.

The Inspection Plan. The inspection plan that will be designed for each institution will be focused in the areas with the highest risk, but also a compliance rule component will be incorporated in order to perform an examination that clearly reflects the two combined approaches. The risk assessment will be the input for the scope of the Inspection Plan.

Data Base and Electronic System. Designing the market database and electronic systems, which will allow the supervision staff to develop and execute the new model.

The regulatory agency needs to have information about the companies regarding their operations but also about their business group and about the entire industry. In this stage it is necessary to define the information which will feed the model and the way that the information is obtained for the regulatory authority. This information includes, but will also depends on, the specific risk or compliant issue that the regulator wants to be assessed, among others: the number of employees, the experience of the staff and the management team, the company’s financial statements, the quality of the controls in place which help the company avoid operational risks, the volume of activity or number of operations, its gross income history, its customer’s type and customer base, the nature of customer complaints, the external auditor’s report, and reports from other sources such as the stock exchanges, recent press articles, tips, information on a daily basis of the firm’s operation, and others necessary to the investigation according to the regulatory framework or features of the industry including its capital adequacy as a measure with respect to the capital of the participant. In a broader sense the regulator needs to be able to establish data on the business segments/products/areas of the firm and the information linked to the different variables that make it possible to assess the levels of risk associated with them.

58

The regulator should establish a system to match the information from different sources and create a database appropriate to the Compliance and Risk‐based model adopted.

Risk Participant Map and Firm Risk Profile. As an exercise to train the staff, the regulator should begin in this stage to design both a risk participant map and firms’ risk profiles. The Risk map of the participants should include all of the entities authorized to act in the securities market.

As was mentioned above, the design of the model includes the identification of the types of information that will be fed into the electronic system or Excel Matrix in order to produce a firm’s risk score. Three important components to be considered when analyzing the degree of risk of each business segment or firm/participant include the quality of internal control, the results of prior inspections (exam findings) and the firm/participant intermediary’s disciplinary history.

A very important task for the regulator is to create a scored risk‐matrix in order to assess the different participants in each category, such as broker dealers, mutual fund managers, etc., and define the high, middle and low risk participants. The tools used by regulators to identify risky areas and to prioritize resources are, among others, electronic risk assessment and the experience of the examiners. The evaluation will contain both quantitative and qualitative analysis. The experience and knowledge of the examiners about the industry will create a separate score from that obtained from the hard data.

The finance industry has developed many quantitative models that help to analyze investment uncertainties, such as sensitivity analysis, stress testing and other quantitative risk analysis. In the same way, regulator authorities have developed these quantitative applications to model the different entities’ risk scenarios, so that the industry is flooded with software applications that try

to measure the different risks (market risk, credit risk, exchange risk, etc.)7, additional to the

applications developed by the regulators.

Compliance Indexes. In order to rate the market participant for its level of compliance the regulation needs to be analyzed to define different compliance indexes such as, requested information from the regulator, capital adequacy, conduct rules, level of information about the market, information from the investor, procedures and controls, etc. The electronic system should include the creation of a Firm/Market participant compliance matrix that can consider the business’s conduct, the management attitude towards compliance issues, the examination findings, the client compliance, etc.

Role of the Industry. The focus of industry is to be profitable and it has a naturally pro‐business behavior. However, a sound and efficient market will produce a valuable product that, in the end, should be in the interest of all market participants to protect. Since the industry is more

7 Portfolio MCS, DPL 7, Cristall Ball, @Risk, ReliaSoft's RENO, Risk Simulator, Real Options SLS & Modeling Toolkit, etc. are some of the software available in the market.

59

knowledgeable about its own business than outsiders, it is easier for them rather than for a regulatory agency to establish tools and policies to measure their risk and define their risk tolerance. In some markets the Self Regulatory Organization plays an important role in coordinating, regulating and supervising the industry’s activities.

This approach is focused on defining a prudent ongoing supervision program for regulatory authorities, which should co‐exist with and not limit the existent of the risk management system defined for each participant in the market. Moreover, the risk management system is a tool every supervisor should ask of the firm, in order to develop a responsibility system to protect the investor and the integrity of the market. The responsibilities placed on the industry itself not only bolster the supervision of the market but also make the market more efficient and sound in terms of the risk management system adopted by each participant. Compliance and risk management units among market participants are common in developed markets, and now‐a‐days these activities have developed into an industry, not only because of regulation requirements but because firms have found this to be a superior method for dealing with compliance requirements and facing the risks that they took in their business activities in an orderly and efficient manner. In underdeveloped markets, this requirement can become an extra burden for most of the participants.

According to the FSA (2995) "A firm must take reasonable care to organize and control its affairs responsibly and effectively, with adequate risk management systems". The risk assessment in a corporation normally includes a mathematical model and stress test for the different areas of the business; however this level of sophistication is not suitable for all market participants. The organizational structure, polices, plans and procedures, risk management and control systems, reporting methods, etc. required by the firm/market participants need to be tailored for each firm/market participant based on its size and the features of its business model.

Partnerships or international holding companies will help the industry to develop effective risk assessment tools; however, the regulatory authority can play an important role promoting the training and sharing of ideas in the market among participants. For example, in the FSA Newsletter of June 2008, the results of the industry participants’ best practices study were published. This information was helpful to the entire industry, allowing market participants to learn from the experiences of others.

b) The Introduction of the Compliance and Risk‐based Supervision Model

Following the elements designed above, in a second stage, the regulatory authority will start the introduction of the model, issuing regulation, performing training, developing the Risk Market and Risk Market Participant Score with a formal dialogue with the industry to introduce the Compliance and Risk‐based Supervision Model.

Regulation. Regulation should be issued in order to establish the Compliance and Risk‐based supervision approach. This body of regulation needs to be effective until the formal

60

implementation of the model (See next stage: “Implementation of the model”), which will depend upon the circumstances of each market and the resources of the regulatory authority.

Training. This step is present in every stage of the process due to the importance of developing a risk‐compliance culture. The regulatory staff and market participants need to be trained in the new regulations that will establish and introduce the new philosophy towards supervision.

Risk Market and Risk Market Participant Score. This stage includes the creation of the Risk Score Matrix for both the market and each individual market participant. Sensitive analysis, stress testing and other risk analysis scenarios can be introduce for measuring the risk of the different market participants. The electronic system or Excel Matrix that will allow the supervision team to generate the Firm Risk Score and Industry Risk assessment need to be developed.

Formal Dialogue with the Industry. In regards to the issue of implementing regulation that would introduce the model, a formal dialogue with the industry would be necessary in order to ensure a strong comprehension of the new approach. This should open a channel of communication between the regulatory authority and the market participants allowing for feedback to be exchanged between the two groups.

In terms of testing and adjusting the model, it should be implemented in such a way as to leave room for assessing the effects that it had on supervision, so that it can be adjusted as necessary in order to prepare for its final implementation.

c) The Implementation of the Compliance and Risk‐based Supervision Model

By this stage, the regulation should be effective and the supervision team will begin to fully implement the new approach following the Compliance and Risk‐based supervision hybrid defined by the regulatory authority and the methodology established in the supervision manual.

The model should be functioning in a dynamic system where training, mutual feedback from both industry and regulator, and adjustment of the model and regulation with regards to new information about problems or awkwardness, help to strengthen the Model and contribute to the development and establishment of a fair, sound and transparent securities market.

61

V. Conclusions

Regulatory authorities, mainly in small and underdeveloped stock markets, are facing inefficiencies

in their compliance procedures and occasionally the enforcement efforts are not enough to

encourage compliance with the law. Because of these problems, regulators who are confronting

small budgets and inadequate coordination with other important actors in their respective

jurisdictions, such as the attorney general and judicial authorities, need to search for the most

efficient way to establish equilibrium between the development of the market and good practices

which sometimes are inadequately enforced by law. The regulatory authority needs to subsist with

this dichotomy but still must find the equilibrium in cases where it is necessary to protect

investor’s rights and ensure fair markets.

The recent financial meltdown around the world has shown the vulnerabilities of the different

supervision models in practice in even the most sophisticated and developed stock markets. In this

case their strategies and market oversight did not pass the ultimate test, as seen in cases such as

with Northern Rock in England and many others in the US. The regulatory authority in the US was

also tested recently, culminating in negative results for investors in several cases. For example,

the Ponzi pyramid schemes by Bernard Madeoff8 and by Allen Stanford9 were two famous

examples where investors were swindled and the regulators did not catch the misconduct.

In many countries, market supervision has traditionally applied the Compliance‐based approach in

which the regulatory authorities enact a set of designed procedures aimed at assessing the level to

which the market participants apply the law and other regulations in place. Both a Compliance‐

based and a Risk‐based supervisory system are important and desirable, but the effectiveness of

supervision does not lie entirely in the approach by itself but in other elements such as the

compliance and enforcement effectiveness of the regulator and the effectiveness and efficacy of a

country’s institutionalism.

Rules establish the terms under which companies and individuals are allowed to function if they

choose to participate as intermediaries in the capital markets. Some rules mandate good behavior

such as those established for disclosures, record‐keeping, investor protections, etc‐, and others

8 http://topics.nytimes.com/top/reference/timestopics/people/m/bernard_l_madoff/index.html

9 http://www.nytimes.com/2009/02/19/business/19stanford.html

62

constrain bad behavior such as those penalizing‐fraud, theft, abuse, etc‐. Regulators can regularly

monitor compliance with these rules and mete out punishment. Risk‐based regulation, on the

contrary, helps to allocate the public’s scarce resources to the more risky market participants

rather than allocating the resources equally. To this point, and due to the features of small and

underdeveloped stock markets, the proposal is to create a combined model of supervision that

mixes elements of both approaches. The introduction of the Risk‐based approach brings to the

table the necessity to engage the industry participants themselves in maintaining part of the risk

management responsibilities as well as other duties in order to make the system work more

efficiently. The confidence of the market is an important asset that should be implicit, not just as a

goal of public policy, but as an objective of private industry itself. For this reason, one of the

strongest points of the Risk‐based approach is the essential role of industry, which must find

equilibrium between achieving successful business results and preserving long‐term market

stability. In this vein, the FSA (2009) has added: “… the delivery of supervision has to be done in

partnership with responsible firms, shareholders and auditors”.

Additionally, a strong enforcement approach should be established in order to send the message

to the market that there is a serious and competent institution overseeing it. Rule‐compliance

techniques should include all possible tools and resources available including: external and

internal auditors, tips, press releases, customer complaints, surprise branch visits, mystery

shopping, etc. for the regulatory authority to monitor the participants in their jurisdiction but also

to enforce the law. Administrative penalties and other measures need to be available in order to

react appropriately to the circumstances of each case of violations. “It is important for chronic

bad actors, or egregious violators, to be permanently barred from the industry. The US used to

follow this line of thinking, but in recent decades has more chosen to impose a financial penalty

rather than banning. Penalties typically are too low relative to the rewards of the crime, and thus

allow crimes to continue. This clearly has led to problems ‐‐ the multi‐billion‐dollar Stanford fraud

could have been prevented had the minor fines been replaced with barring” (Keyser, 2009).

Effective and efficient market supervision requires not only an efficient technical regulatory

authority but also one with the commitment to inspire confidence in the market about its role as a

supervisor. This commitment will be demonstrated not just by law enforcement, which is an

important step, but also by the organization itself and its practice of exerting independence from

other governmental bodies and other social, political and judicial authorities, by demonstrating its

63

determination to accomplish its own objectives. Regulators need to be truly independent from

their charges.

There is a natural tension that must be maintained: regulators must be familiar with the internal

workings of the industry while remaining distant and external in their role as supervisors. This

implies that regulators need to be talented enough to understand the often highly complex

functions and securities of the industry, which often means that direct industry experience is

highly desirable, yet they also must remain distant, independent, and confrontational in cases in

order to assertively enforce rules, constrain bad behavior, and control systemic risks of the

industry.

All of the above, which leads to an effective supervision of the market, will contribute enormously

to the establishment of trustworthy and transparent markets. Trustworthiness and clarity mean

more participants and more volume/liquidity, and thus more competition, and finally, therefore,

to lower costs and better products. A well‐functioning capital market, with low costs, high levels

of trust, and high volumes, brings tremendous benefits to an economy. Its most important benefit

is that it provides attractive financing to growing enterprises, which raises a country's wealth and

creation of jobs. This in turn also provides growing tax revenues to the government, which if

properly utilized, increases the quality of a nation's infrastructure, public safety and defense, and

general public welfare.

64

VI. Bibliography

Balcom, Jeanne. Personal Interview. 12 June 2008.

Birdwell, Scott. Personal Interview. 13 October 2007 & 13 December 2008

Bruce, James. Risk Based Supervision Overview. PFTAC. AFSPC & OSFI International

Advisory Group. 27 October 2008

<http://www.pftac.org/AFSPC_new/conference_papers/

Risk%20Based%20Supervision%20Overview%20‐%20EN.pdf>.

Bank for International Payments. The Basel Committee on Banking Supervision. Basel

Accord I. Basel Committee: International convergence of capital measurement

and capital standards. April 1998. 15 December 2008

<http://www.bis.org/publ/bcbsc111.htm>.

‐‐‐.Basel II: International Convergence of Capital Measurement and Capital Standards:

a Revised Framework‐ Comprehensive Version. June 2006

<http://www.bis.org/publ/bcbs128.htm>.

Basak, Suleyman, and Alexander Shapiro. Value‐at‐Risk‐Based Risk Management:

Optimal Policies and Asset Prices. The Society for Financial Studies. The Review of

Financial Studies Summer 14 (2001): 371‐405

Brunner, Gregory, Richard Hinz, and Roberto Rocha “Risk‐Based Supervision of Pension

Funds: A Review of International Experience and Preliminary Assessment of the

First Outcomes”. The World Bank. 2008. 5 January 2009

<http://econ.worldbank.org/external/default/main?pagePK=64165259&piPK=64

165421&theSitePK=469372&menuPK=64166093&entityID=000158349_2008012

8083737>.

Canada. The Investment Industry Regulatory Organization of Canada (IIROC). Financial

& Operations Compliance Risk Assessment Model. 30 April, 2009

<http://www.iiroc.ca/English/ComplianceSurveillance/FinancialCompliance/Page

s/ FCRiskAssessmentModel.aspx>.

65

Canada. Office of the Superintendent of Financial Institutions (OSFI). Supervisory

Framework. 1999. 3 May 2009 <http://www.osfi‐

bsif.gc.ca/app/DocRepository/1/eng/practices/supervisory/framew_e.pdf>.

Cooper, Kerry, James Kolari, and John Wagster. A note on the Stock Market effects of

the adoption of Risk‐Based capital requirements on international banks in

different countries. Elsevier Science Publishers B.V. 1991

Cordell, Lawrence R, and Kathelen Kuester King. A market evaluation of the Risk‐Based

Capital Standards for the US Financial System. Elsevier Science B.V. Journal of

Banking & Finance 19 (1995): 531‐562

Crawford Lichtenstein, Cynthia. “The FED's New Model of Supervision for 'Large

Complex Banking Organizations': Coordinated Risk‐Based Supervision of Financial

Multinationals for International Financial Stability”. College Law School. 1 March,

2006. SSRN. 30 March 2008

<http://papers.ssrn.com/sol3/papers.cfm?abstract_id=882474>.

International Organization for Securities Commission. IOSCO Objectives and Principles

of Securities Regulation, IOSCO Report. 16 August, 2008

<http://www.iosco.org/library/pubdocs/pdf/IOSCOPD154.pdf>.

‐‐‐.Methodology For Assessing Implementation Of The IOSCO Objectives And Principles

Of Securities Regulation, IOSCO Report. 15 August, 2008

<http://www.iosco.org/library/pubdocs/pdf/IOSCOPD155.pdf>.

Kaser, Bruce. Personal Interview. 1 December, 2007

McDonald, Oonagh. The Prospects for Risk‐Based Supervision in Ukraine. 2006 Savage.

Lawrie. Differences in Risk Based Supervision: Insurance and Banking. 5

December 2008 <http://www.lsacanada.com/diffe.htm>.

Sergeant, Carol. Risk‐based regulation in the Financial Services Authority. Journal of

Finance Regulation and Compliance 14 (2002): 329‐335

66

Singer, David Andrew. Regulation Capital. Setting Standard for the International

Financial System. New York: Cornell University, 2007

Stewart, Fiona. The International Organization of Pension Supervisors. Experiences and

Challenges with the Introduction of Risk‐Based Supervision for Pension Funds.

Working Paper No. 4. The International Organization of Pension Supervisors,

2007. 12 April 2009 <http://www.iopsweb.org/dataoecd/59/27/39210380.pdf>

Straughan, Michael, and Joe Traynor ‐ FSA Approach to Supervision of Firms and Risk

Management.ppt

Superintendencia de Valores y Seguros de Chile. OSFI Supervisory Model 2003. 15 July

2008 <http://www.svs.cl/sitio/publicaciones/doc/assal/

Carl%20Hiralal%20Presentation_Canad%E1.pdf>.

United Kingdom. Financial Service Authority. Building the new regulator. Progress

Report 1 & 2. December 2000/2002. 12 December 2008

<http://www.fsa.gov.uk/pubs/policy/bnr_progress1.pdf>.

‐‐‐.FSA Stress Testing Feedback on DP05/2 & FSA Stress Testing. Discussion Paper.

2005. 15 December 2008

<http://www.fsa.gov.uk/pages/library/policy/dp/2005/05_02.shtml>.

‐‐‐.The FSA’s risk assessment framework. August 2006. 15 December 2008

<http://www.rdec.gov.tw/public/Data/851414194871.pdf>.

‐‐‐.FSA. A guide for Non‐Executive Directors. November 2006. 15 December 2008

<www.fsa.gov.uk/pubs/other/arrowguide.pdf>

‐‐‐.Principles‐based regulation. Focusing on the outcomes that matter. April 2007. 15

December 2008 <http://www.fsa.gov.uk/pubs/other/principles.pdf>.

‐‐‐.The FSA Internal Audit Division released the report “The supervision of Northern

Rock: a lesson learned review” ‐ March 2008. December 2008

<http://www.fsa.gov.uk/pubs/other/nr_report.pdf>.

‐‐‐.FSA’s Business Plan 2009/10. 2 May 2009 < FSA’s Business Plan 2009/10>

67

‐‐‐.FSA Supervision manual. 2 May 2009

<http://www.fsa.gov.uk/Pages/Library/Policy/CP/2000/64.shtml> .

‐‐‐.Speech by Hector Sants, Chief Executive, FSA. The Reuters Newsmakers event.

12 March 2009. 2 May 2009

<http://www.fsa.gov.uk/pages/Library/Communication/Speeches/

2009/0312_hs.shtml>.

United States. Federal Reserve System. Capital Standards for Banks: The Evolving Basel

Accord. Sept. 2003. 11 August 2008

<http://www.federalreserve.gov/pubs/bulletin/2003/0903lead.pdf>.

‐‐‐. Framework for Risk‐Focused Supervision of Large Complex Institutions, 8 August

1997. 5 January 2009.

<http://www.federalreserve.gov/boarddocs/srletters/1997/sr9724a1.pdf>.

United States. Federal Reserve Bank of San Francisco. Banking Information. 2 May

2009 <http://www.frbsf.org/banking/bsr/about.html>.

United States. Government Accountability Office. Risk‐Focused Bank Examinations:

Regulators of Large Banking Organizations Face Challenges. GGD‐00‐48 January

24, 2000. 23 April 2009 <http://www.gao.gov/products/GGD‐00‐48>.

United States. Office of Comptroller of the Currency. OCC BULLETIN OCC 2004‐20. Risk

Management of New, Expanded, or Modified Bank Products and Services. 2004.

12 Feb. 2009 <www.occ.treas.gov/ftp/bulletin/2004‐20.doc>.

Walsh, John H. “Institution‐Based Financial Regulation: A Third Paradigm”, Harvard

International Law Journal, 2008: 49

Watanagase, Tarisa. Risk‐focused supervision and risk assessment. The APEC Financial

Regulators Training Initiative Regional Seminar on Risk‐Focused Supervision and

Risk Assessment, Bangkok 2004. Bank for International Payments. 2004. 12 April

2009 <http://www.bis.org/review/r041013f.pdf>

68

Wolburgh Jenah, Susan . "A Work in Progress: Lessons in Risk‐based Supervision from

the Canadian Marketplace". Brazilian Securities Commission (CVM) International

Seminar Rio de Janeiro, Brazil. Ontario Securities Commission.

<http://www.osc.gov.on.ca/documents/en/News/

sp_20060905_swj‐work‐in‐progress.pdf 2006>

Woods, Margaret, Peter Kajuter, and Philip Linsley. International Risk Management:

Systems, Internal Control and Corporate Governance. Elsevier Ltd. 2008

* * *

A Supervision Model for Small Stock Market

Documents

different projects

riskbased approach

theentire market

content introduction

visiting student

kofib brianhanrahan

humphrey fellowship

boston university