The FSC's Revised Risk-based Approach to Supervision

Assessing the risk of financial loss to the public presented by each regulated firm

What made us change?
- Need to identify the risks to the system more holistically
- Addressing the human failings of the previous methodology
- Lessons learnt from use of previous system
- Independent review post Gibland/Marrache
- Concentration towards lowest risk profile due to previous scoring
- Wanting greater differentiation to identify higher risk firms

Reducing the burden of being regulated
- Risk Management
- Compliance Monitoring

The Risk Assessment Process
- Off-site
- Interfacing & Risk Mitigation
- Initial Profile
- Final Profiling
- On-Site

Off-site

Initial Profile

The FSC's Regulatory Objectives

Risks to Objectives

What risks does a firm present to the FSC's Regulatory Objectives?

Type of Firm
- Prudential
- Combination
- Conduct of Business

What firm type are you?

Division\Type columns: Prudential, Conduct of Business, Combined approach

Firm types by division:
- Auditors: Audit Firms; Auditors
- Banking & Investment Services: Banks; E-Money; MSBs; MiFID Firms; Banks - MiFID
- Fiduciary: Company Managers; Trustees
- Funds and Pensions: Pension Schemes; CIS Managers (operators); Funds
- Insurance: General Insurance Companies; IMD firms; Insurance Managers; Life Insurance Companies

Prudential Risk Assessment
- Capital, Solvency, Liquidity, Financial Performance
- Returns, Audited Financial Statements, MIS
- Prudential Requirements

Conduct of Business Risk Assessment
- MiFID & IMD Obligations, AML/CFT, Advice & Services
- On-site testing/file Reviews
- Conduct of Business Requirements

Combined Risk Assessment
- Prudential Requirements
- Conduct of Business Requirements
- Combination Approach

Scoring Objective

Objective: To determine the adequacy of the capital, funding and insurance cover in light of the current and future business plans of the firm.

Business Risks
- Financial: To determine the adequacy of the capital, funding and insurance cover in light of the current and future business plans of the firm.
- Environment: To determine what operational and other market risks the firm is subjecting itself to in carrying out its business plan.
- Business: To determine where the current and future risks lie in a firm's business plan, products and strategy.

Business Risks
- Financial: Capital; Liquidity; Earnings; Insurance
- Environment: Group; Legal; Operational; Market; Underwriting; Credit
- Business: Strategy; Customers; Sources & Distribution; Products & Services

Control Risks
- Controls: To determine the control environment of a firm and management's ability to put into place proper oversight procedures.
- Organisation: To determine if the legal ownership structure and/or passporting of services of the firm provides any impediments to the supervision of the firm.
- Management: To determine if the firm's corporate governance arrangements and management are adequate for the nature, size and complexity of the firm.

Control Risks
- Controls: Compliance, Audit & Risk Management; Conduct of Business; Operations; Control Environment
- Organisation: Multiple Activity Groups; Branches & Subsidiaries; Ownership
- Management: Quality of Management; Corporate Governance

Risks to Objectives
- Financial Failure (FF)
- Misconduct and/or mismanagement (MM)
- Consumer understanding (CU)
- Fraud or dishonesty (F)
- Market Abuse (MA)
- Money laundering/Terrorist Financing (ML)

Financial Failure (FF): The risk to the market confidence, systemic risk, protection of the good reputation of Gibraltar and protection of consumers objectives arising from the insolvency or illiquidity of a firm. For high impact firms this may also include financial losses that, whilst short of causing failure, can still adversely affect market confidence. This can also lead to direct financial loss to the public.

Misconduct and/or mismanagement (MM): The risk to the protection of the good reputation of Gibraltar, protection of consumers and market confidence objectives of mis-selling or mishandling of products/services by firms, of inappropriate behaviour by firms or mismanagement of their operations. This can also lead to direct financial loss to the public.

Consumer understanding (CU): The risk to the protection of consumers and public awareness objectives arising from possible lack of understanding by consumers of products/services bought from or provided by firms. This can also lead to direct financial loss to the public.

Fraud or dishonesty (F): The risk to the protection of the good reputation of Gibraltar, reduction of financial crime and market confidence objectives of the incidence of fraud or dishonesty either within firms, or by external parties defrauding firms. This can also lead to direct financial loss to the public.

Market Abuse (MA): The risk to the protection of the good reputation of Gibraltar, reduction of financial crime, protection of consumers and market confidence objectives of market abuse conducted by firms or by clients through firms.

Money laundering/Terrorist Financing (ML): The risk to the protection of the good reputation of Gibraltar, reduction of financial crime and market confidence objectives of money laundering/terrorist financing conducted through firms.

Risk elements assessed against each risk to objectives (matrix columns: FF, MM, CU, F, MA, ML)

Business Risks
- Financial Soundness, Liquidity and Capital: Adequacy of Capital; Liquidity; Earning; Insurance
- Environment: Credit Risk; Insurance Underwriting Risk; Market Risk; Operational Risk; Legal Risk; Group Risk
- Business Plan: Strategy; Types of Customer; Types of Products/Services; Sources of Business & Distribution

Control Risks
- Controls: Human Resources; IT; Management Information Systems; Business Continuity; Internal Audit; Outsourcing; Acceptance of and Disclosure to Customers; Advising, Dealing and Managing; Security of customer monies/assets; Compliance Arrangements; Anti-Money Laundering Controls; Risk Management; External Auditors; Actuaries
- Organisation: Ownership; External Branches & Subsidiaries; Multiple Activity Groups
- Management: Quality of Management; Corporate Governance

Scoring Risk Elements

Likelihood: Crystallised; Perceptible (highly likely in 12 months); Probable (50% probability); Possible (reasonable chance); Negligible (little likelihood); Not Applicable

Score: 5.0; 3.0; 1.75; 1.0

Maxing Out

Risk Element Scoring: 1.75; 5.00; 3.00; N/a
Max Score = 5.00

Business Risks
Control Risks

How risk types are weighted according to type of firm

Risk Type \ Firm Type | Prudential | Conduct of Business | Combined approach
Financial | 60% | 10% | 40%
Environment | 30% | 20% | 20%
Business | 10% | 70% | 40%
Controls | 40% | 60% | 45%
Organisation | 10% | 10% | 10%
Management | 50% | 30% | 45%

Weights are representative of the major risk types applicable to the firm type.

Obtaining a Risk Profile

Business Risks | Max Score | Weight % | Weighted Score
Financial | 1.75 | 10% | 0.175
Environment | 5.0 | 20% | 1.000
Business | 3.0 | 70% | 2.100
Total | | | 3.275

Total 3.275 × Impact 2.90 = 9.4975 (Business Risk Score)

Control Risks | Max Score | Weight % | Weighted Score
Controls | 5.0 | 60% | 3.000
Organisation | 1.0 | 10% | 0.100
Management | 1.0 | 30% | 0.300
Total | | | 4.300

Total 4.300 × Impact 2.90 = 12.470 (Control Risk Score)

Impact

Impact Weighting
[Chart: shares of 15%, 15%, 50% and 20% across Size, Experience, Product Types and Client Monies/Assets Held]

Factor | High (5) | Medium High (3) | Medium Low (1.75) | Low (1) | Importance Weighting | Value | Score
Size | High | Medium High | Medium Low | Low | 50% | 3 | 1.50
Customer Experience | General Public | Mixed | - | Professional / Captive / Experienced | 20% | 1 | 0.20
Product Types | Investment / Banking | Fiduciary | Fund Administrator | Protection / Other | 15% | 3 | 0.45
Client Assets / Monies held | Controlling | - | Holding | None | 15% | 5 | 0.75

Impact Score: 2.90

What we have changed

A risk profile
[Chart: Business Risks plotted against Control Risks, both axes marked 10, 15, 20, 25, with regions labelled by monitoring level; the example firm sits at Control Risks 12.47, Business Risks 9.4975]
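
The scoring steps on the preceding slides (highest element score per risk type, firm-type weights, impact multiplier) and the crystallisation rule on the slide that follows, as an added example rather than the FSC's own tooling. Function names, the firm-type keys and the individual element scores are constructed; the weights, impact inputs and resulting figures are the slides' own.

```python
from decimal import Decimal as D

# Weights (%) by firm type, from the weighting table; dictionary keys are hypothetical.
WEIGHTS = {
    "prudential": {"Financial": 60, "Environment": 30, "Business": 10,
                   "Controls": 40, "Organisation": 10, "Management": 50},
    "conduct":    {"Financial": 10, "Environment": 20, "Business": 70,
                   "Controls": 60, "Organisation": 10, "Management": 30},
    "combined":   {"Financial": 40, "Environment": 20, "Business": 40,
                   "Controls": 45, "Organisation": 10, "Management": 45},
}
BUSINESS = ("Financial", "Environment", "Business")
CONTROL = ("Controls", "Organisation", "Management")
CAP = D(25)

def impact_score(factors):
    """factors: {name: (importance weight %, value)} -> weighted impact score."""
    if sum(w for w, _ in factors.values()) != 100:
        raise ValueError("impact weights must total 100%")
    return sum(D(w) / 100 * D(str(v)) for w, v in factors.values())

def risk_score(firm_type, group, element_scores, impact, crystallised=False):
    """Weighted sum of each risk type's maximum element score, times impact."""
    weights, total = WEIGHTS[firm_type], D(0)
    for risk_type in group:
        # "Maxing out": N/a elements (None) are skipped and the highest score wins.
        scored = [D(str(s)) for s in element_scores[risk_type] if s is not None]
        if not scored:
            raise ValueError(f"no scored elements for {risk_type}")
        total += max(scored) * D(weights[risk_type]) / 100
    score = total * impact
    if crystallised:
        # Crystallised element: total multiplied by 3, capped at 25 after impact.
        score = min(score * 3, CAP)
    return score

# Constructed element scores whose maxima match the worked example (1.75, 5.0, 3.0).
SAMPLE_BUSINESS = {
    "Financial": [1.0, 1.75, 1.0, None],
    "Environment": [1.75, 5.0, 3.0, None, 1.0, 1.0],
    "Business": [3.0, 1.75, 1.0, 1.0],
}
SAMPLE_IMPACT = {"Size": (50, 3), "Customer Experience": (20, 1),
                 "Product Types": (15, 3), "Client Assets / Monies held": (15, 5)}

if __name__ == "__main__":
    impact = impact_score(SAMPLE_IMPACT)
    print(impact, risk_score("conduct", BUSINESS, SAMPLE_BUSINESS, impact))
    print(risk_score("conduct", BUSINESS, SAMPLE_BUSINESS, impact, crystallised=True))
```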

When a risk is crystallised

When a risk element is scored as Crystallised, the Total Business or Control Risk is multiplied by 3 and capped to 25 after impact.

In this example, say a Business Risk Element is scored as Crystallised: 9.4975 × 3 = 28.4925, capped = 25.

[Chart: the same risk profile grid, Business Risks against Control Risks, both axes marked 10, 15, 20, 25, with regions labelled by monitoring level]

On-site

Prior to an on-site
- Determine the expected duration of the on-site visit
- Arrange with the firm mutually convenient dates for the on-site to take effect
- Provide the firm with a formal agenda which will:
  - List all the risks that it wishes to discuss
  - Identify any individuals that the FSC wishes to speak with on any of the matters
  - Allow the firm's Senior Management to invite to the meeting any other person it feels would contribute to the on-site
  - Provide a list of any additional document or information that it may wish to review

Post on-site
- Summarise the areas reviewed by the FSC team
- Invite the Senior Management of the firm to provide input to the team on areas which they wish to add to the risk assessment
- Invite the firm to provide any feedback on the process

Final Profiling

Risk Mitigation-Fit for Purpose

Mitigation Tools
[Chart: Business Risks against Control Risks, labelled Control Risk Score]
- Supervisory Visit
- Focused Visit
- Skilled Persons
- Branch Visit

To avoid seeing more of the FSC
[Chart: Business Risks against Control Risks, labelled Business Risk Score and Frequency of FSC Prudential & Other Interfacing]

Formal Feedback
- Address the outstanding risks identified in the assessment.
- Set out the interfacing between the FSC and the firm, including:
  - Identify any areas to be covered by a reporting accountants/skilled persons review, and the timescales by which these should be carried out.
- Provide the firm with its Risk Profile.
- Establish the length of the supervisory cycle.

Helping yourselves to an easier life
- Mitigate the risks most likely to lead to a higher risk score
- Lower your impact score by changing your profile
- Avoid having risks that crystallise

Same firms, new scores

New Distribution of Risk Profiles