Speech by SEC Staff:
International Financial Institutions Examination Issues: A Regulatory Perspective
Annual Regulatory Examination and Compliance Seminar
Institute of International Bankers

by

Mary Ann Gadziala

Associate Director, Office of Compliance Inspections and Examinations
U.S. Securities and Exchange Commission

New York, New York
October 31, 2006

I am delighted to have the opportunity to address your group again this year. The international environment is extremely important in the current financial markets where so many of the regulatory issues and business operations cross borders making cooperative efforts imperative. While I hope to convey some insights from the regulatory perspective to you, I also invite you to share your ideas and comments. We always welcome views from the international financial markets community.

This morning I would like to discuss three specific areas of significance: consolidated supervised entities; business continuity planning; and complex structured finance transactions.

I. Consolidated Supervised Entities

There are only six consolidated supervised entities (CSEs) - organizations that voluntarily accept SEC consolidated supervision in order to use an alternative regulatory capital computation. This compares with over 6,000 registered broker-dealers. However, the CSEs (including Citigroup) have aggregate assets of $5.0 trillion, while all the registered broker-dealers - including the broker-dealers in CSEs - have total aggregate assets of $5.2 trillion. In addition, much of the examination responsibility for registered broker-dealers has been delegated to the Self Regulatory Organizations, such as the NYSE and the NASD, unlike the examination authority for CSEs, which resides with the SEC. And the activities of the CSEs are significantly more diverse and often more complicated than those of many registered broker-dealers. Therefore, despite the small number of CSEs, the SEC staff devotes a substantial amount of time and resources to supervising and examining these entities.

As you may be aware, the SEC adopted rule amendments on June 8, 2004, effective August 8, 2004, that establish a voluntary alternative method of computing deductions to net capital for certain broker-dealers (CSE Rule).¹ These include the firm's own mathematical model-based risk measurement systems, including value-at-risk (VaR) models.² Under Securities Exchange Act Rule 15c3-4, a broker-dealer that is part of a CSE is required to establish, document, and maintain a system of internal risk management controls to assist it in managing the risks associated with its business activities. These include market, credit, leverage, liquidity, legal and operational risks. Under this section, the broker-dealer's internal risk management system must include an independent risk control unit that reports directly to senior management, separation of duties of those entering transactions and those recording them, periodic and annual reviews of their risk management system, certain definitions, and written guidelines.³

As a condition of a broker-dealer using the alternative method to compute regulatory capital, its ultimate holding company must sign an authorized undertaking to the SEC in which it commits to a number of conditions with respect to the holding company and its affiliates. These include but are not limited to: computing capital consistent with the CSE Rule, a group-wide internal risk management control system, group-wide procedures to detect and prevent money laundering and terrorist financing, SEC examinations, providing financial and operational information, making examinations of other regulators available to SEC, and acknowledging that SEC can impose additional conditions under certain circumstances.⁴ Certain broker-dealers already have a "principal regulator" and therefore would not be subject to many of the requirements otherwise imposed on CSEs. Many of your organizations fall into this category since they may already be regulated by the Federal Reserve, the CFTC, an insurance regulator, or are defined as a qualified foreign bank under Federal Reserve requirements. Where the ultimate holding company is a financial services holding company under the Bank Holding Company Act or otherwise determined by the SEC to be a principal regulator, the primary holding company requirements pertain to reporting, such as: filing consolidating and consolidated balance sheets and income statements for the holding company; reporting capital measurements computed in accordance with Basel standards; and filing an annual audit report. While the examination and risk management requirements of the CSE Rule do not generally apply to a holding company with a principal regulator nor to its non-broker-dealer affiliates, the SEC does maintain full authority over the regulation, supervision, and examination of any registered broker-dealer, regardless of whether it has an ultimate holding company that has a principal regulator. Citigroup is at this time the only broker-dealer with an ultimate holding company with a principal regulator that has been approved by the Commission for authorization to use the alternative method of computing net capital.⁵

Now that the SEC staff has concluded the examinations of the five CSEs (with a focus on the unregulated material affiliates) and one other broker-dealer approved to use the alternative capital calculation under the CSE Rule, we can draw some general conclusions on internal risk management controls. For the most part, the firms had been working on control systems in these areas for some time and had generally well-developed controls. Some key controls or issues that may require attention by CSEs and those contemplating an application under the CSE Rule include the following:

Market Risk

• documentation for limit breaches, limit changes, and limit excess approvals
• appropriate backtesting methodology assessments
• independent assessments for model review and validation.

Credit Risk

• knowing the identification of counterparties and timely and consistent application of review of effective methodologies with respect to counterparties

Operational Risk

• full development and implementation of operational risk controls
• systems to ensure data integrity
• effective reconciliation between front-office trade capture, middle-office, and daily profit and loss accounting systems.

Legal and Compliance

• written documents articulating roles and responsibilities
• formalized and effective monitoring and surveillance systems
• appropriate controls and procedures for activities of unregulated material affiliates
• effective new product approval processes.

Internal Audits

• appropriate scope and frequency of audits as well as coverage, particularly of high and medium risk areas
• adequate resources and qualified personnel
• maintenance of adequate work papers.

Capital

• accurate calculations of net capital, particularly with respect to repos, reverse repos, foreign repos, unlisted warrants, mortgage options, and securities loaned and borrowed
• complete and accurate reconciliations
• developed automated systems for accurate capital calculations.

It is also important to maintain comprehensive and effective written policies and procedures in all areas. Overall, the CSEs and the broker-dealers subject to examination under the CSE Rule were determined by the Commission to be compliant with the rule. Thus, all applications for CSE status and use of the alternative net capital computation were approved. Regular SEC examinations of CSEs will continue, and we expect practices will continue to evolve, with CSEs remaining among the leaders in industry risk management standards. I understand that your group continues to meet with U.S. and EU regulators regarding concerns with Basel II capital computations and that you have also commented on the Basel Committee's consultative documents on core principles for effective bank supervision and methodology. Please be assured that we will continue to monitor any changes in these areas and take them into consideration in our examination process.

II. Business Continuity Planning

The second topic I would like to address is the critical importance of business continuity planning. As with all elements of risk management, business continuity planning should be dynamic and flexible. A number of your institutions are considered firms that play significant roles in critical financial markets. As such, you should look to the "Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System" (Sound Practices White Paper), issued on April 8, 2003.⁶ The sound practices focus on the appropriate back-up capacity with respect to both data and operations necessary for recovery and resumption of clearance and settlement activities for material open transactions in wholesale financial markets.

The Sound Practices White Paper contains specific sound practices with respect to significant firms for: identifying clearing and settlement activities in support of critical financial markets; determining appropriate recovery and resumption objectives (four-hour recovery time); maintaining sufficiently geographically dispersed resources to meet recovery and resumption objectives; and routine use or testing. The Sound Practices White Paper also lists basic business continuity objectives applicable to all firms, including: rapid recovery and timely resumption of critical operations following a wide-scale disruption or the loss or inaccessibility of staff in at least one major operating location; and a high level of confidence, through ongoing use or robust testing, that critical internal and external continuity arrangements are effective and compatible.

While the Sound Practices White Paper does not address the recovery or resumption of trading operations or retail financial services, the SEC issued, on September 25, 2003, a policy statement on "Business Continuity Planning for Trading Markets".⁷ This release stated it was the SEC's belief that Self Regulatory Organizations (SROs) and Electronic Communications Networks (ECNs) should prepare for the timely resumption of trading in the event of a "wide-scale disruptions" and specified principles to be applied for business continuity planning. The SEC also stated that the establishment of a next-business day resumption goal for the SROs and the ECNs should serve as a useful resumption benchmark for securities firms as well, recognizing that this is, in essence, a matter of business judgment.

In view of the unpredictability of wide-scale disruptions, or even disruptions of a more limited nature, business continuity planning remains one of the most critical aspects of risk management. Having been personally very involved in reviews of business continuity planning, I know first-hand that firms have devoted significant time and resources to developing and testing plans. A reflection of the success of these efforts is the October 14th financial services industry-wide business continuity test. The results reportedly demonstrated and verified the capacity of firms and markets to continue functioning and communicating during an emergency by using back-up sites, recovery facilities, and back-up communications. A reported 250 securities firms, exchanges, markets, service bureaus, and industry utilities participated in the test, accounting for more than 80% of normal market trading volume. I commend the work you have already done and I encourage firms to continue this important work and to continue open communications with regulators regarding significant business operations changes that may bring a firm within the coverage of the Sound Practices White Paper. It is so very important to keep in mind that the financial system operates as a network of interrelated and interdependent markets. Therefore, cooperation and coordination by all participants is necessary for business continuity to work effectively in any situation.

III. Complex Finance Transactions

Before concluding, I would like to take a few minutes to mention the proposed revised "Interagency Statement on Sound Practices Concerning Elevated Risk Complex Structured Finance Activities" (Statement),⁸ issued on May 9, 2006. This Statement describes the types of risk management principles the SEC and banking agencies believe may help a financial institution to identify complex structured finance transactions that may pose heightened legal or reputational risks to the institution and to evaluate, manage, and address these risks within the institution's internal control framework. The main areas covered are: due diligence, approvals and documentation; general business ethics; monitoring compliance with policies and procedures; training; audit; and reporting. The Statement covers U.S. branches and agencies of foreign banks supervised by U.S. bank regulators; foreign branches and agencies should coordinate their policies with the foreign bank's group-wide policies developed in accordance with the rules of the foreign bank's home country supervisors. The Statement also recognizes that a financial institution operating in foreign jurisdictions may tailor its policies and procedures, as appropriate, to account for, and comply with, applicable laws, regulations, and standards of those foreign jurisdictions. In addition, the Statement specifies that it does not create any private rights of action, nor alter or expand legal duties and obligations of a financial institution to its customers, shareholders, or third parties under applicable laws; adherence to the principles also does not insulate an institution from regulatory action or liability. The comment period on the proposed revised Statement has expired, and the SEC and banking agencies are considering whether any additional revisions may be necessary in light of the comments.

IV. Conclusion

In conclusion, there are many areas of financial and compliance risks facing firms in today's complex financial market environment. They are dynamic and unpredictable. Institutions operating on the international level face added challenges of diverse regulatory regimes. Yet effective compliance and risk management must be maintained if we are to continue to protect investors and maintain the high integrity of our capital markets. In addition to the specific topics I have mentioned, firms should anticipate potential future risks and implement controls that may protect against their consequences. For example, in the current dynamic capital markets environment where new products are proliferating, firms should ensure that back office operations and compliance keep pace with sales and marketing of all new products. A particular area of focus is assignments and confirmations with respect to the credit derivatives market. According to the International Swaps and Derivatives Association, that market has more than doubled in the past year to approximately $26 trillion in notional terms. Any market of that size, growing at that pace, should be very carefully risk managed. This is especially true in a market, such as the credit derivatives market, that is relatively new and has not been tested in a severe "stress" environment. Processing issues related to equity derivatives, collateralized mortgage obligations, and asset-backed securities should also be monitored. Another area that requires constant vigilance is anti-money laundering compliance. This is not only because of its critical importance in combating terrorist financing and illegal money laundering, but because compliance must try to stay one step ahead of clever criminals who are constantly devising new and convoluted ways to take advantage of the financial system. Of course, the threat of terrorist attacks and natural disasters, which are unpredictable, still can have the most devastating consequences. Therefore, business continuity planning is another area that should be a top priority.

I hope I have, through my comments, provided some insights that may be valuable to you and your firms as you enhance your risk management and compliance programs. I also encourage continued open dialog among regulators and the industry to achieve the most effective solution to problems and challenges that continue to confront the global financial services community. Thank you for allowing me to share my views with you.

Endnotes

---

¹Federal Register Release 34-49830, Final Rule: Alternative Net Capital Requirements for Broker-Dealers That Are Part of Consolidated Supervised Entities. To apply for this alternative capital treatment, the broker-dealer must maintain tentative net capital of at least $1 billion and net capital of at least $500 million, and must provide notice on any day that its tentative net capital is less than $5 billion. The broker-dealer is then allowed, after receiving SEC approval, to use calculation methods specified in the CSE Rule.

²The VaR model used to calculate market or credit risk for a position must be integrated into the daily internal risk management system of the broker-dealer, and must be reviewed periodically and annually. The broker-dealer must also identify the number of backtesting exceptions of the VaR model for which the change in current exposure to a counterparty exceeds the corresponding maximum potential exposure.

³More specifically Rule 15c3-4 requires: a risk control unit that reports directly to senior management and is independent from business trading units; separation of duties between personnel responsible for entering into a transaction and those responsible for recording the transaction in the books and records of the broker-dealer; periodic reviews (which may be performed by internal audit staff) and annual reviews (which must be conducted by independent certified public accountants) of the broker-dealer's risk management systems; definitions of risk, risk monitoring, and risk management; and written guidelines, approved by the broker-dealer's governing body, that include and discuss a number of specified items including: type, scope, and frequency of reporting risk exposures; a process for independent risk monitoring, and authority and resources for performing risk monitoring and management; appropriate response by management for exceeding risk management guidelines; and a number of other elements.

⁴These conditions include but are not limited to: compliance with the capital computation requirements in the CSE Rule; compliance with the provisions of Rule 15c3-4 with respect to a group-wide internal risk management control system for the CSE as if it were a broker-dealer that computes its capital charges under the alternative method in the CSE Rule; as part of a group-wide internal risk management control system, establishing, documenting, and maintaining procedures for the detection and prevention of money laundering and terrorist financing; permitting the SEC to examine the books and records of the ultimate holding company and any of its affiliates, if the affiliate is not an entity that has a principal regulator; making available to the SEC information about the ultimate holding company or any of its material affiliates that the SEC finds is necessary to evaluate the financial and operational risk within the ultimate holding company and its material affiliates and to evaluate compliance with the conditions of eligibility of the broker or dealer to compute deductions to net capital under the alternative method of the CSE Rule; making available examination reports of principal regulators for those affiliates of the ultimate holding company that are not subject to SEC examination; and acknowledging that, if the ultimate holding company fails to comply in a material manner with any provision of its undertaking, the SEC may, in addition to any other conditions necessary or appropriate in the public interest or for the protection of investors, impose additional conditions.

⁵http://www.sec.gov/rules/other/2006/34-54308.pdf; Securities Exchange Act of 1934 Release No. 54308, August 11, 2006.

⁶http://www.sec.gov/news/press/2003-45.htm; SEC Release No. 34-47638.

⁷SEC Release No. 34-48545; comments were requested on the Policy Statement.

⁸SEC Release No. 34-53773.

http://www.sec.gov/news/speech/2006/spch103106mag.htm